Skip to content

Release 0.2.2: ship claudemux --version#8

Merged
isingh merged 5 commits into
mainfrom
release/0.2.2
Jun 8, 2026
Merged

Release 0.2.2: ship claudemux --version#8
isingh merged 5 commits into
mainfrom
release/0.2.2

Conversation

@isingh

@isingh isingh commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Patch release to publish the claudemux --version flag merged in #7 (which can't reach npm without a version bump — 0.2.1 is already published).

Added

  • claudemux --version prints the package version, read from package.json. Previously rejected as an unknown option.

Changes

  • package.json0.2.2
  • CHANGELOG 0.2.2 entry + compare link

(The feature code itself landed in #7; this is the release wrapper only.)

Test plan

  • npm run build green; node bin/claudemux --version prints 0.2.2 from the built dist.
  • Full CLI suite green on fix: add CLI version flag #7 at merge (incl. the --version test).

🤖 Generated with Claude Code

isingh and others added 5 commits June 7, 2026 23:46
Ships `claudemux --version` (PR #7). See CHANGELOG.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Both jobs only check out and run build/test — neither writes to the repo,
comments, or publishes. Add a top-level `permissions: contents: read` (all other
scopes -> none), resolving the CodeQL missing-workflow-permissions alerts.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…string

CodeQL flagged `execSync(`bash ${repoRoot}/scripts/${script} .`)` in the
safety-grep meta-test (shell-command-from-environment: process.cwd() flows into
a shell string). Swept the repo for the class and fixed it at the root:

- test/scripts/safety-grep.test.ts: execSync(string) -> execFileSync("bash",
  [join(repoRoot,"scripts",script), "."]) — argv, no shell.
- scripts/flows-recovery.mjs: the same pattern with a genuine env source
  (CLAUDEMUX_SOCKET interpolated into 5 `tmux …` shell strings) — routed through
  one no-shell `tmux(...args)` execFile helper.

Shipped code (src/) was already clean (spawn("tmux", argv)); these are test/dev
scripts. No interpolated-shell exec remains anywhere in the repo.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Resolves three Dependabot alerts, all DEV-only (not in the published tarball, so
no consumer impact): the vitest UI arbitrary-file CVE (we never run the UI
server) and the transitive vite `.map` path-traversal + esbuild dev-server
advisories. vitest 2.x had no patched line and couldn't pull the fixed
vite 6+/esbuild 0.25+; vitest 4.1.8 brings vite 8.0.16. `npm audit` is now 0.

Migrate the config off `poolOptions.forks.singleFork` (removed in v4) to the
top-level `maxWorkers: 1`; `fileParallelism: false` remains the load-bearing
serial-execution guard for the shared sentinel file. Full suite green (328),
no deprecation warnings.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Records the vitest bump, shell-injection hardening, and CI permissions under a
Security heading — explicitly flagged dev-only / no consumer impact so it informs
without implying the published package was ever vulnerable.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@isingh isingh merged commit a5b7cad into main Jun 8, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant