Tags: superbasicstudio/claude-conductor
v2.2.0: Security hardening, Node 20 minimum, comprehensive test suite

Security fixes:
- Patch CVE brace-expansion (GHSA-f886-m6hf-6m8v) and picomatch (GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj) via npm overrides
- Pin all dependency versions to exact (remove ^ ranges) to prevent auto-upgrading to compromised minor/patch releases
- Add overrides for brace-expansion, picomatch, and minimatch

Node.js version bump:
- Minimum Node.js raised from 18.0.0 to 20.0.0 (Node 18 EOL Apr 2025)
- CI matrix updated: test on Node 20, 22, 24 (dropped 18)
- All current dependencies verified compatible with Node 20+

Test suite (20 -> 89 tests):
- Add checkup command tests (output, security items, custom path, read-only)
- Add --full flag tests (all 14 templates, PLAYBOOKS subdir, content validation)
- Add --no-analyze flag tests
- Add --deepscan tests (tech stack detection, framework detection, build scripts)
- Add template integrity tests (all exist, valid markdown, no secrets, size limits)
- Add package.json integrity tests (pinned versions, overrides, engine constraint)
- Add security config tests (.npmrc, .gitignore, SECURITY.md, lockfile)
- Add CI config tests (Node 20+ matrix, audit job, least-privilege permissions)
- Add file safety tests (no writes outside target, backup containment, read-only)
- Add edge case tests (double init, spaces in paths, non-conductor files)
- Add Node.js compatibility tests (dep loading, syntax check, engine satisfaction)
- Make version assertions dynamic (read from package.json, not hardcoded)

npm hardening:
- .npmrc: save-exact=true, audit=true, package-lock=true
- CI: add dedicated security audit job with npm audit and audit-ci
- Dependabot: daily npm checks, grouped PRs, increased PR limit
- CI workflow: add permissions: contents: read (least privilege)

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

release: v2.0.0 — minimum Node.js raised to 18

BREAKING CHANGE: Minimum Node.js requirement raised from >=16.0.0 to >=18.0.0. Node 16 has been EOL since September 2023. Users on Node 16 can pin to [email protected].

No API changes — the only breaking change is the engine requirement.

Co-Authored-By: Claude Opus 4.5 <[email protected]>

release: v1.3.0 — security fixes, backfilled changelog, stability

Security:
- Fix HIGH severity command injection in glob (10.4.5 → 10.5.0)
- Fix MODERATE prototype pollution in js-yaml transitive dep
- 0 npm audit vulnerabilities remaining

Added:
- SECURITY.md with vulnerability reporting policy
- RESPONSE_STYLE_CONFIG.md for optional confidence indicators
- Response Style Configuration section in CLAUDE.md
- Requirements section in README with Node.js version guidance
- Links to CHANGELOG.md and SECURITY.md in README

Changed:
- Backfilled CHANGELOG.md for all versions (1.0.2 through 1.3.0)
- Updated fs-extra dependency range (^11.0.0 → ^11.1.0)
- Promoted from 1.3.0-beta.1 to stable 1.3.0
- Version test expectations updated to 1.3.0

Note: v2.0.0 will raise minimum Node.js from >=16 to >=18.

Co-Authored-By: Claude Opus 4.5 <[email protected]>