worclaude 2.6.1 → 2.6.3

package/CHANGELOG.md

@@ -4,6 +4,30 @@ All notable changes to worclaude are documented in this file. Format loosely fol
 
 ## [Unreleased]
 
+## [2.6.3] — 2026-04-22
+
+Second supply-chain scanner mirrored after Socket. Adds a `.snyk` policy file at the repo root with `exclude.global: [tests/fixtures/**]` so Snyk Open Source — whether invoked via the Snyk CLI, the `snyk/actions/node` GitHub Action, or any future integration — skips the intentionally-outdated fixture manifests under `tests/fixtures/scanner/**` that exist solely as deterministic inputs to the Part A project-scanner detectors (`next@14.2.3`, `vitest@1.4.0`, `prisma@5.10.0`, etc.). The fixtures are never installed (not referenced from root `package.json`), never shipped (excluded from the npm tarball by the `files` whitelist), and never executed. `SECURITY.md` is updated to name `.snyk` alongside `socket.yml` in the fixture-exclusion paragraph. The installed Snyk GitHub App only imports root `package.json` today, so the most immediate effect is keeping local `snyk test` runs honest; the file is also load-bearing for any future workflow that fails the build on high-severity findings. No runtime change for worclaude consumers.
+
+### Added
+
+- **`.snyk` policy file at repo root** (PR #112) — `version: v1.25.0` schema with `exclude.global: [tests/fixtures/**]` plus empty `ignore` and `patch` blocks. Mirrors the `socket.yml` pattern committed in v2.6.1 so Snyk Open Source treats the scanner fixtures the same way Socket does.
+
+### Docs
+
+- **`SECURITY.md` "Test fixture manifests are not real dependencies"** (PR #112) now names `.snyk` alongside `socket.yml` as the equivalent ignore directive for Snyk. The catch-all "Other SCA tools may need an equivalent `ignore` directive" sentence is preserved for any future scanner.
+
+## [2.6.2] — 2026-04-22
+
+Dev-dependency security bump. Adds an npm `overrides` entry pinning `brace-expansion` to `^1.1.13` to clear [GHSA-f886-m6hf-6m8v](https://github.com/advisories/GHSA-f886-m6hf-6m8v) — a moderate regex-DoS advisory against the 1.1.12 pulled transitively by `eslint → minimatch`. Post-override the lockfile resolves `brace-expansion@1.1.14` and `npm audit` drops from four moderate advisories to three. `SECURITY.md` is extended with a "Dev-only transitive advisories pending upstream fixes" section documenting the two remaining alerts ([GHSA-4w7w-66w2-5vf9](https://github.com/advisories/GHSA-4w7w-66w2-5vf9) vite path traversal, [GHSA-67mh-4wv8-2f99](https://github.com/advisories/GHSA-67mh-4wv8-2f99) esbuild dev-server CORS) as upstream-blocked by the vitepress `1.6.4 → vite ^5 → esbuild ^0.21.3` chain — `npm overrides` cannot force esbuild past the vite peer contract, and no `vitepress@2.x` is on npm yet. Both advisories are dev-only (excluded from the published tarball by the `files` whitelist) and only reachable while a local dev server is running; tracked for upgrade in [issue #109](https://github.com/sefaertunc/Worclaude/issues/109). No runtime change for worclaude consumers.
+
+### Fixed
+
+- **`brace-expansion` regex DoS** (PR #110) — `"overrides": { "brace-expansion": "^1.1.13" }` added to `package.json`; lockfile now resolves `brace-expansion@1.1.14` under `eslint 9.39.4 → minimatch 3.1.5`. Clears GHSA-f886-m6hf-6m8v.
+
+### Docs
+
+- **SECURITY.md — "Dev-only transitive advisories pending upstream fixes"** (PR #110) documents GHSA-4w7w-66w2-5vf9 and GHSA-67mh-4wv8-2f99 as accepted risk pending a `vitepress` release on `vite >=6.4.2`. Rationale: both are devDeps only, excluded from the npm tarball, and only reachable while `npm run docs:dev` is running. Tracking issue #109.
+
 ## [2.6.1] — 2026-04-22
 
 Supply-chain scanner hygiene. Adds a `socket.yml` at the repo root so Socket (and any tool honoring the same schema) stops treating `tests/fixtures/scanner/**` manifests as real worclaude dependencies. The fixtures pin intentionally-outdated packages (`next@14.2.3`, `vitest@1.4.0`, `prisma@5.10.0`, etc.) as deterministic inputs to the Part A detectors — they are never installed (not referenced from root `package.json`), never shipped (`tests/` is excluded by the npm `files` whitelist), and never executed. Without the ignore, fixture deps surface on PR reviews as critical CVEs (CVE-2025-29927 Next.js middleware auth bypass, Vitest 1.4.0 RCE) that do not apply to worclaude. `SECURITY.md` is expanded with a "Supply Chain Scanner Findings" section documenting the fixture rationale, the real seven-package runtime dependency list, and the by-design `filesystemAccess` capability disclosure on `fs-extra`-heavy scaffolding code.

package/SECURITY.md

@@ -42,7 +42,9 @@ These fixtures are:
   dependency lists; it never imports or runs the packages named inside.
 
 Worclaude's repo includes `socket.yml` to stop Socket from scanning this
-directory. Other SCA tools may need an equivalent `ignore` directive.
+directory, and a `.snyk` policy file with an equivalent `exclude.global`
+entry for Snyk Open Source. Other SCA tools may need an equivalent
+`ignore` directive.
 
 ### Real runtime dependencies
 
@@ -66,3 +68,44 @@ settings.json merges, timestamped backups under `.claude-backup-*/`, and
 an opt-in `workflow-meta.json`. The `fs-extra`-based filesystem capability
 flag is a disclosure, not a vulnerability — removing it would delete the
 tool's core function.
+
+### Dev-only transitive advisories pending upstream fixes
+
+Two advisories sit deep in the dev-dependency tree and cannot currently be
+resolved without either forking `vitepress` or waiting for its next release:
+
+- **[GHSA-4w7w-66w2-5vf9](https://github.com/advisories/GHSA-4w7w-66w2-5vf9)** —
+  `vite@5.4.21` path traversal in optimized-deps handling. Fixed in
+  `vite@>=6.4.2`.
+- **[GHSA-67mh-4wv8-2f99](https://github.com/advisories/GHSA-67mh-4wv8-2f99)** —
+  `esbuild@0.21.5` dev-server CORS misconfiguration. Fixed in
+  `esbuild@>=0.25.0`.
+
+Both are pulled through `vitepress@1.6.4` (the current latest on npm),
+which pins `vite` at `^5.0.0`, which in turn pins `esbuild` at `^0.21.3`.
+`npm overrides` cannot force newer major versions without breaking the
+vite peer contract.
+
+Why these do not block a release:
+
+- Both packages are in `devDependencies` only. The `files` whitelist in
+  `package.json` does not include `tests/` or any dev tooling; end users
+  installing `worclaude` via npm do not get these packages.
+- Both advisories require an **active local dev server** to exploit. The
+  vite/vitest attack surface only exists while `npm run docs:dev` is
+  running and the operator browses to a hostile origin in the same
+  session. `npm test`, `npm run lint`, `npm run docs:build`, and CI
+  runs do not start a server.
+- Worclaude's CI does not run `docs:dev`; it runs `test`, `lint`, and
+  `docs:build` only.
+
+Tracking: a GitHub issue is opened to bump `vitepress` once a release
+using `vite@>=6.4.2` lands upstream. Until then the scanner will continue
+to flag these, and we accept the dev-only risk.
+
+### brace-expansion DoS (fixed via override)
+
+[GHSA-f886-m6hf-6m8v](https://github.com/advisories/GHSA-f886-m6hf-6m8v) —
+`brace-expansion@<1.1.13` zero-step sequence. Fixed in 1.1.13; enforced
+via `"overrides": { "brace-expansion": "^1.1.13" }` in `package.json`
+since v2.6.2. Pulled by `eslint@9.x → minimatch@3.x`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "worclaude",
-  "version": "2.6.1",
+  "version": "2.6.3",
   "description": "The Workflow Layer for Claude Code — scaffold agents, commands, skills, hooks, and memory into any project",
   "type": "module",
   "bin": {
@@ -77,5 +77,8 @@
     "prettier": "^3.5.3",
     "vitepress": "^1.6.4",
     "vitest": "^3.0.9"
+  },
+  "overrides": {
+    "brace-expansion": "^1.1.13"
   }
 }