Release 0.2.2: ship claudemux --version#8
Merged
Merged
Conversation
Ships `claudemux --version` (PR #7). See CHANGELOG. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Both jobs only check out and run build/test — neither writes to the repo, comments, or publishes. Add a top-level `permissions: contents: read` (all other scopes -> none), resolving the CodeQL missing-workflow-permissions alerts. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…string
CodeQL flagged `execSync(`bash ${repoRoot}/scripts/${script} .`)` in the
safety-grep meta-test (shell-command-from-environment: process.cwd() flows into
a shell string). Swept the repo for the class and fixed it at the root:
- test/scripts/safety-grep.test.ts: execSync(string) -> execFileSync("bash",
[join(repoRoot,"scripts",script), "."]) — argv, no shell.
- scripts/flows-recovery.mjs: the same pattern with a genuine env source
(CLAUDEMUX_SOCKET interpolated into 5 `tmux …` shell strings) — routed through
one no-shell `tmux(...args)` execFile helper.
Shipped code (src/) was already clean (spawn("tmux", argv)); these are test/dev
scripts. No interpolated-shell exec remains anywhere in the repo.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Resolves three Dependabot alerts, all DEV-only (not in the published tarball, so no consumer impact): the vitest UI arbitrary-file CVE (we never run the UI server) and the transitive vite `.map` path-traversal + esbuild dev-server advisories. vitest 2.x had no patched line and couldn't pull the fixed vite 6+/esbuild 0.25+; vitest 4.1.8 brings vite 8.0.16. `npm audit` is now 0. Migrate the config off `poolOptions.forks.singleFork` (removed in v4) to the top-level `maxWorkers: 1`; `fileParallelism: false` remains the load-bearing serial-execution guard for the shared sentinel file. Full suite green (328), no deprecation warnings. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Records the vitest bump, shell-injection hardening, and CI permissions under a Security heading — explicitly flagged dev-only / no consumer impact so it informs without implying the published package was ever vulnerable. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Patch release to publish the
claudemux --versionflag merged in #7 (which can't reach npm without a version bump —0.2.1is already published).Added
claudemux --versionprints the package version, read frompackage.json. Previously rejected as an unknown option.Changes
package.json→0.2.20.2.2entry + compare link(The feature code itself landed in #7; this is the release wrapper only.)
Test plan
npm run buildgreen;node bin/claudemux --versionprints0.2.2from the built dist.--versiontest).🤖 Generated with Claude Code