worclaude 2.6.0 → 2.6.2

package/CHANGELOG.md

@@ -4,6 +4,34 @@ All notable changes to worclaude are documented in this file. Format loosely fol
 
 ## [Unreleased]
 
+## [2.6.2] — 2026-04-22
+
+Dev-dependency security bump. Adds an npm `overrides` entry pinning `brace-expansion` to `^1.1.13` to clear [GHSA-f886-m6hf-6m8v](https://github.com/advisories/GHSA-f886-m6hf-6m8v) — a moderate regex-DoS advisory against the 1.1.12 pulled transitively by `eslint → minimatch`. Post-override the lockfile resolves `brace-expansion@1.1.14` and `npm audit` drops from four moderate advisories to three. `SECURITY.md` is extended with a "Dev-only transitive advisories pending upstream fixes" section documenting the two remaining alerts ([GHSA-4w7w-66w2-5vf9](https://github.com/advisories/GHSA-4w7w-66w2-5vf9) vite path traversal, [GHSA-67mh-4wv8-2f99](https://github.com/advisories/GHSA-67mh-4wv8-2f99) esbuild dev-server CORS) as upstream-blocked by the vitepress `1.6.4 → vite ^5 → esbuild ^0.21.3` chain — `npm overrides` cannot force esbuild past the vite peer contract, and no `vitepress@2.x` is on npm yet. Both advisories are dev-only (excluded from the published tarball by the `files` whitelist) and only reachable while a local dev server is running; tracked for upgrade in [issue #109](https://github.com/sefaertunc/Worclaude/issues/109). No runtime change for worclaude consumers.
+
+### Fixed
+
+- **`brace-expansion` regex DoS** (PR #110) — `"overrides": { "brace-expansion": "^1.1.13" }` added to `package.json`; lockfile now resolves `brace-expansion@1.1.14` under `eslint 9.39.4 → minimatch 3.1.5`. Clears GHSA-f886-m6hf-6m8v.
+
+### Docs
+
+- **SECURITY.md — "Dev-only transitive advisories pending upstream fixes"** (PR #110) documents GHSA-4w7w-66w2-5vf9 and GHSA-67mh-4wv8-2f99 as accepted risk pending a `vitepress` release on `vite >=6.4.2`. Rationale: both are devDeps only, excluded from the npm tarball, and only reachable while `npm run docs:dev` is running. Tracking issue #109.
+
+## [2.6.1] — 2026-04-22
+
+Supply-chain scanner hygiene. Adds a `socket.yml` at the repo root so Socket (and any tool honoring the same schema) stops treating `tests/fixtures/scanner/**` manifests as real worclaude dependencies. The fixtures pin intentionally-outdated packages (`next@14.2.3`, `vitest@1.4.0`, `prisma@5.10.0`, etc.) as deterministic inputs to the Part A detectors — they are never installed (not referenced from root `package.json`), never shipped (`tests/` is excluded by the npm `files` whitelist), and never executed. Without the ignore, fixture deps surface on PR reviews as critical CVEs (CVE-2025-29927 Next.js middleware auth bypass, Vitest 1.4.0 RCE) that do not apply to worclaude. `SECURITY.md` is expanded with a "Supply Chain Scanner Findings" section documenting the fixture rationale, the real seven-package runtime dependency list, and the by-design `filesystemAccess` capability disclosure on `fs-extra`-heavy scaffolding code.
+
+### Added
+
+- **`socket.yml` at repo root** (PR #107) — `version: 2` schema with `projectIgnorePaths: [tests/fixtures/**]`. Respected by Socket's GitHub App on every PR review and by the Socket CLI's `socket scan create` command. Verified locally via `socket scan create --report`: manifests discovered drop from 21 to 6, scan verdict goes from unhealthy (2 critical + many high/medium false positives) to `healthy: true, alerts: 0` at warn level.
+
+### Changed
+
+- **`SECURITY.md` supported-versions row** bumped to `2.6.x` (from `2.4.x`) to reflect the current support window.
+
+### Docs
+
+- **`SECURITY.md` — Supply Chain Scanner Findings section** (PR #107) documents (1) why `tests/fixtures/scanner/**` manifests are not real dependencies, (2) worclaude's real seven-package runtime dep list, and (3) the `filesystemAccess` capability flag as a by-design disclosure for a scaffolding CLI rather than a vulnerability. Intended as a standing reference for any future SCA tool that surfaces the same false positives.
+
 ## [2.6.0] — 2026-04-22
 
 Diagnose-first `/setup`. This release lands both halves of Phase Setup Diagnose in a single version: Part A (PR #103) ships the static project scanner and the new `worclaude scan` subcommand, and Part B (PR #104) rewrites `/setup` on top of it as a deterministic 12-state state machine with on-disk persistence, a tool-call whitelist, and a Claude-rendered selectable UI. Running `/setup` against a mature project now scans first (14 Tier 1 detectors produce a `DetectionReport`), presents the high-confidence facts as a numbered checklist for the user to confirm or uncheck, handles multi-candidate medium-confidence items (e.g., competing lockfiles), and only asks residual questions during the interview — cutting the interview from ~30 questions to whatever detection didn't cover. State survives interruption via `.claude/cache/setup-state.json`, persisted after every mutation through the new `worclaude setup-state` CLI (the sole write path `setup.md` is permitted to use under its tool whitelist). WRITE merges into existing output files conservatively: `CLAUDE.md` replaces `## Tech Stack` and `## Commands` sections by ATX heading; `SPEC.md` and SKILL files are rewritten only when template-only per CRLF-normalized SHA-256 match against `workflow-meta.json`, otherwise append a timestamped section; `PROGRESS.md` is append-only.

package/SECURITY.md

@@ -4,8 +4,8 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 2.4.x   | :white_check_mark: |
-| < 2.4   | :x:                |
+| 2.6.x   | :white_check_mark: |
+| < 2.6   | :x:                |
 
 ## Reporting a Vulnerability
 
@@ -19,3 +19,91 @@ Please do **not** open a public issue for security vulnerabilities.
 
 You can expect an initial response within 48 hours.
 If the vulnerability is accepted, a fix will be prioritized and released as a patch version.
+
+## Supply Chain Scanner Findings
+
+Automated SCA tools (Socket, Snyk, GitHub Dependabot) sometimes surface
+alerts that are not real exposures for worclaude. The most common cases:
+
+### Test fixture manifests are not real dependencies
+
+`tests/fixtures/scanner/**` contains static `package.json`, `pnpm-lock.yaml`,
+`package-lock.json`, and `pyproject.toml` files used to exercise the
+project-scanner detectors in `src/core/project-scanner/`. They pin
+intentionally-outdated versions (e.g. `next@14.2.3`, `vitest@1.4.0`,
+`prisma@5.10.0`) so the detectors have realistic inputs to match against.
+
+These fixtures are:
+
+- **Never installed.** They are not referenced from the root `package.json`.
+- **Not shipped to npm.** `package.json`'s `files` whitelist publishes only
+  `src/`, `templates/`, and top-level docs. `tests/` is excluded.
+- **Not executed.** The scanner reads them as JSON/TOML and inspects the
+  dependency lists; it never imports or runs the packages named inside.
+
+Worclaude's repo includes `socket.yml` to stop Socket from scanning this
+directory. Other SCA tools may need an equivalent `ignore` directive.
+
+### Real runtime dependencies
+
+```
+chalk        ^5.4.1
+commander   ^13.1.0
+fs-extra    ^11.3.0
+inquirer    ^12.5.0
+ora          ^8.2.0
+smol-toml    ^1.6.1
+yaml         ^2.8.3
+```
+
+No Next.js, React, Express, Prisma, or Stripe appear at runtime despite
+what a fixture-inclusive scan might suggest.
+
+### Filesystem access flag is by design
+
+Worclaude scaffolds files into the user's project tree: templates → `.claude/`,
+settings.json merges, timestamped backups under `.claude-backup-*/`, and
+an opt-in `workflow-meta.json`. The `fs-extra`-based filesystem capability
+flag is a disclosure, not a vulnerability — removing it would delete the
+tool's core function.
+
+### Dev-only transitive advisories pending upstream fixes
+
+Two advisories sit deep in the dev-dependency tree and cannot currently be
+resolved without either forking `vitepress` or waiting for its next release:
+
+- **[GHSA-4w7w-66w2-5vf9](https://github.com/advisories/GHSA-4w7w-66w2-5vf9)** —
+  `vite@5.4.21` path traversal in optimized-deps handling. Fixed in
+  `vite@>=6.4.2`.
+- **[GHSA-67mh-4wv8-2f99](https://github.com/advisories/GHSA-67mh-4wv8-2f99)** —
+  `esbuild@0.21.5` dev-server CORS misconfiguration. Fixed in
+  `esbuild@>=0.25.0`.
+
+Both are pulled through `vitepress@1.6.4` (the current latest on npm),
+which pins `vite` at `^5.0.0`, which in turn pins `esbuild` at `^0.21.3`.
+`npm overrides` cannot force newer major versions without breaking the
+vite peer contract.
+
+Why these do not block a release:
+
+- Both packages are in `devDependencies` only. The `files` whitelist in
+  `package.json` does not include `tests/` or any dev tooling; end users
+  installing `worclaude` via npm do not get these packages.
+- Both advisories require an **active local dev server** to exploit. The
+  vite/vitest attack surface only exists while `npm run docs:dev` is
+  running and the operator browses to a hostile origin in the same
+  session. `npm test`, `npm run lint`, `npm run docs:build`, and CI
+  runs do not start a server.
+- Worclaude's CI does not run `docs:dev`; it runs `test`, `lint`, and
+  `docs:build` only.
+
+Tracking: a GitHub issue is opened to bump `vitepress` once a release
+using `vite@>=6.4.2` lands upstream. Until then the scanner will continue
+to flag these, and we accept the dev-only risk.
+
+### brace-expansion DoS (fixed via override)
+
+[GHSA-f886-m6hf-6m8v](https://github.com/advisories/GHSA-f886-m6hf-6m8v) —
+`brace-expansion@<1.1.13` zero-step sequence. Fixed in 1.1.13; enforced
+via `"overrides": { "brace-expansion": "^1.1.13" }` in `package.json`
+since v2.6.2. Pulled by `eslint@9.x → minimatch@3.x`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "worclaude",
-  "version": "2.6.0",
+  "version": "2.6.2",
   "description": "The Workflow Layer for Claude Code — scaffold agents, commands, skills, hooks, and memory into any project",
   "type": "module",
   "bin": {
@@ -77,5 +77,8 @@
     "prettier": "^3.5.3",
     "vitepress": "^1.6.4",
     "vitest": "^3.0.9"
+  },
+  "overrides": {
+    "brace-expansion": "^1.1.13"
   }
 }