Security Fixes

• Patched CVE vulnerabilities in transitive dependencies:
  • brace-expansion (GHSA-f886-m6hf-6m8v) - infinite loop / memory exhaustion
  • picomatch (GHSA-3v7f-55p6-f55p) - method injection in POSIX character classes
  • picomatch (GHSA-c2c7-rcm5-vvqj) - ReDoS via extglob quantifiers
• Pinned all dependency versions to exact (removed ^ ranges) to prevent auto-upgrading to compromised releases
• Added overrides for brace-expansion, picomatch, and minimatch across the dependency tree
• Verified project is not affected by the Axios supply chain attack (March 31, 2026), chalk v5.6.1 compromise, or eslint-config-prettier compromise

Node.js Version Bump

• Minimum Node.js raised from >=18.0.0 to >=20.0.0 (Node 18 reached EOL April 2025)
• CI test matrix updated: Node 20, 22, 24 (dropped 18)
• All dependencies verified compatible with Node 20+
• Zero deprecation warnings on Node 22

Upgrading from 2.1.x? If you need to stay on Node 18, pin to [email protected].

Test Suite (20 -> 89 tests)

Comprehensive test coverage added across all CLI commands and code paths:

• All CLI commands: init, checkup, backup, upgrade, restore
• All flags: --full, --force, --yes, --deepscan, --no-analyze
• Template integrity (all 14 templates exist, valid markdown, no secrets)
• Package.json integrity (pinned versions, overrides, engine constraints)
• Security configuration (.npmrc, .gitignore, SECURITY.md, CI audit job)
• File operation safety (no writes outside target, backup containment)
• Edge cases (paths with spaces, double init, read-only files)
• Node.js compatibility (dependency loading, engine satisfaction)
• Codebase analysis (tech stack detection, framework detection, line counting)

npm Hardening

• .npmrc: save-exact=true, audit=true, package-lock=true
• CI: dedicated security audit job with npm audit and audit-ci
• Dependabot: daily npm checks, grouped PRs
• CI workflow: least-privilege permissions: contents: read

Full Changelog: e62737a...v2.2.0

Added

• ESLint 9 with flat config for code linting
• Prettier 3 for consistent code formatting
• Husky 9 pre-commit hooks with lint-staged
• GitHub Actions CI pipeline (Node 18, 20, 22 test matrix)
• Dependabot for automated dependency updates
• Jest coverage config, .editorconfig, .npmrc
• New scripts: lint, lint:fix, format, format:check, test:coverage

See CHANGELOG.md for full details.

Changed

• Updated .gitignore with additional coverage for security-sensitive patterns
• Removed example PII from documentation
• General repository hygiene

See CHANGELOG.md for full details.

v2.0.0 — Node 18 minimum

Quick follow-up to this morning's 1.3.0 release. This one's short:

The only change is the minimum Node.js version — from 16 to 18.

No features were added. No APIs changed. No commands work differently. Your existing setup, templates, journals, and customizations are all completely untouched. If you're on Node 18 or higher (which most of you are), this upgrade is invisible.

Why this is a major version

Dropping support for a Node version is technically a breaking change, even when the dropped version has been dead for two years. Following semver conventions means bumping the major version so nobody gets surprised. That's all this is.

Will this break anything?

Probably not. Here's the honest breakdown:

• If you're on Node 18, 20, 22, or higher — nothing changes. Just update normally. You won't notice a difference.
• If you're on Node 16 — npm install will show a warning (or fail if you use Yarn or have engine-strict=true). You have two options:
  1. Upgrade Node. Version 16 has been end-of-life since September 2023 and gets zero security patches. Seriously, upgrade.
  2. Pin to 1.3.x: npm install [email protected] — you'll still get the security fixes from this morning, just not future updates.

How to check your Node version

node --version

If it says v18 or higher, you're good. If it says v16, time to upgrade.

Staying on 1.3.x

If you need to stay on Node 16 for now:

npm install [email protected]

Or in your package.json:

"claude-conductor": "^1.3.0"

1.3.x will continue to receive critical security fixes.

What's actually in 2.0.0

That's it. Boring release on purpose. The interesting stuff was in 1.3.0.

Hey Conductor users — it's been a while!

Pushed a v1.3.0 stable release this morning with security fixes, a fully backfilled changelog, and a new security policy. This is a non-breaking stability release — safe to update from any 1.x version.

What's in this release

Security fixes:

• Resolved a HIGH severity command injection vulnerability in glob (10.4.5 → 10.5.0)
• Resolved a MODERATE prototype pollution issue in a js-yaml transitive dependency
• npm audit now reports 0 vulnerabilities

New files:

• SECURITY.md — How to report vulnerabilities, supported versions, response timelines
• RESPONSE_STYLE_CONFIG.md — Optional confidence indicators and tone controls for Claude responses

Docs & housekeeping:

• Backfilled CHANGELOG.md covering all versions from 1.0.2 through 1.3.0 (was previously only up to 1.0.1)
• Added a Requirements section to README with Node.js version guidance
• Added links to CHANGELOG and SECURITY policy in README
• Updated fs-extra dependency range from ^11.0.0 to ^11.1.0
• Promoted from 1.3.0-beta.1 to stable

Heads up: v2.0.0 coming soon

The next release will bump the minimum Node.js requirement from >=16.0.0 to >=18.0.0. Node 16 has been end-of-life since September 2023.

• If you're already on Node 18+, the upgrade will be seamless — no code changes
• If you need to stay on Node 16, pin to [email protected]

Upgrade

npx claude-conductor@latest

Or if you have it installed globally:

npm install -g claude-conductor@latest

Full changelog: CHANGELOG.md

Documentation Note

📝 System Date Clarification

If you see incorrect dates in your JOURNAL.md (like dates in 2025 when it's still 2024), please check your system date:

# Check your system date
date

# If incorrect, you may need to fix it
# Example: sudo date -s "2024-12-18 23:57:22"

The JOURNAL.md timestamps use your system's current date/time. This is working as designed.

📦 No Code Changes

This release contains no code changes from v1.1.2. It's created to document the system date clarification for users who may encounter future-dated journal entries.

Previous Release (v1.1.2)

For full v1.1.2 release notes including the new TASKS.md feature, see: https://github.com/superbasicstudio/claude-conductor/releases/tag/v1.1.2

What's New

✨ Features

• TASKS.md: New task management system for tracking active work and preserving context between sessions
  • Prevents task loss when switching projects or reinstalling Claude Code
  • Tracks task status (PENDING, IN_PROGRESS, BLOCKED, COMPLETED)
  • Preserves full context including file paths, code snippets, and blockers
  • Integrates with JOURNAL.md for complete task history

🐛 Bug Fixes

• Fixed version number in test expectations

📚 Documentation

• Added comprehensive TASKS.md template with examples
• Updated CLAUDE.md template to include task management integration
• Added session startup checklist for resuming work

🙏 Acknowledgments

• Thanks to @niledatabase (Philip Dubois) for the TASKS.md feature request (#3)
• Thanks to all our contributors! See THANKS.md

Installation

npm install -g [email protected]

Upgrading

npx claude-conductor backup
npx claude-conductor upgrade --clean
npx claude-conductor restore

What's Changed

Features

• Add TASKS.md documentation module for active task management
• Add THANKS.md to acknowledge community contributions

Documentation

• Enhanced documentation framework with new modules
• Improved project organization

Contributors

• @superbasicstudio

Full Changelog: v1.1.0...v1.1.1