release: prep v0.18.1 #136
Merged
Bumps the version pins from v0.18.0 to v0.18.1 across all release-tracked sites (init.go workflow template, action.yml DEFAULT_REF, Makefile INSTALL_SH_TEST_VERSION, README install snippets and Docker tag references) and adds the CHANGELOG entry for the patch release. The patch release ships the manual threat-intel additions for the May 2026 @AntV supply-chain incident landed earlier on main: 12 packages, 22 confirmed compromised versions, all verified against the npm registry's `deprecated` field. The `t.m-kosche.com` exfiltration endpoint is recorded as IOC metadata on the advisory carrier entry.

Pin scope (v0.18.0 -> v0.18.1):
- cmd/aguara/commands/init.go: comment, uses, version lines.
- action.yml: DEFAULT_REF.
- Makefile: INSTALL_SH_TEST_VERSION.
- README.md: install.sh VERSION snippets, Docker tag references, GitHub Action uses+version blocks, Aguara Watch surface line.

check-version-pins.sh agrees on v0.18.1.
Summary

Patch release prep for v0.18.1. Bumps the version pins from v0.18.0 to v0.18.1 across all release-tracked sites and adds the CHANGELOG entry.

The patch ships the manual threat-intel additions for the May 2026 @AntV supply-chain incident already landed on main (PR #134 + PR #135): 12 packages, 22 confirmed compromised versions, all verified against the npm registry's `deprecated` field. The `t.m-kosche.com` exfiltration endpoint is recorded as IOC metadata on the advisory carrier entry.

CHANGELOG highlights

- `KnownCompromised` entries for the @AntV wave (npm): `@antv/g2`, `@antv/g6`, `@antv/x6`, `@antv/l7`, `@antv/f2`, `@antv/data-set`, `@antv/g-image-exporter`, `@antv/infographic`, `echarts-for-react`, `timeago.js`, `size-sensor`, `canvas-nest.js`.
- IOC metadata (`t.m-kosche.com`, `/api/public/otel/v1/traces`) on the advisory carrier entry.
- `TestKnownCompromisedSnapshotGeneratedAtCoversFreshestEntry`, a test that enforces `snap.GeneratedAt >= max(KnownCompromised[*].Date)`.
- (`MAL-2026-3432` and adjacent `MAL-2026-*` records) and is not duplicated.

Pin scope (v0.18.0 → v0.18.1)

- `cmd/aguara/commands/init.go`: `uses:` line, `version:` input
- `action.yml`: `DEFAULT_REF`
- `Makefile`: `INSTALL_SH_TEST_VERSION`
- `README.md`: `VERSION=` snippets, Docker tag references (`:0.18.1`), GitHub Action `uses:` + `version:` blocks, Aguara Watch surface line
- `VERSION=v0.18.1 .github/scripts/check-version-pins.sh` clean.

Compatibility

Drop-in for v0.18.0. No schema changes, no flag renames, no rule ID changes. Consumers reading `verdict.status` and `ecosystems[]` continue to see the same field shapes; the @antv-affected projects now produce CRITICAL findings where v0.18.0 was silent.

Test plan

- `go test -race -count=1 ./...` clean
- `go vet ./...` clean
- `golangci-lint run ./...` 0 issues
- `VERSION=v0.18.1 .github/scripts/check-version-pins.sh` clean
- `aguara init --ci` on a temp dir scaffolds a workflow with `garagon/aguara@v0.18.1` and `version: v0.18.1`
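The CHANGELOG highlights above mention a test enforcing `snap.GeneratedAt >= max(KnownCompromised[*].Date)`. The following is an added illustration of that invariant, not the project's own test or data model: the `Snapshot` and `KnownCompromisedEntry` shapes, the sample versions and the dates are assumptions constructed for the example (only the package names come from the advisory list). It shows why the check matters: a snapshot whose timestamp predates intel it already carries can make a consumer that decides whether to refresh by comparing `GeneratedAt` with its last sync skip an update it needs.

```go
package main

import (
	"fmt"
	"time"
)

// KnownCompromisedEntry is an assumed record shape for one compromised package
// version (hypothetical; the project's real struct may differ).
type KnownCompromisedEntry struct {
	Ecosystem string
	Package   string
	Version   string
	Date      time.Time // when the compromise was recorded in the intel set
}

// Snapshot is an assumed shape for the generated threat-intel snapshot.
type Snapshot struct {
	GeneratedAt      time.Time
	KnownCompromised []KnownCompromisedEntry
}

// mustDate parses a YYYY-MM-DD string and panics on malformed input, which is
// acceptable for the constructed sample data used here.
func mustDate(s string) time.Time {
	t, err := time.Parse("2006-01-02", s)
	if err != nil {
		panic(err)
	}
	return t
}

// NewestEntryDate returns the latest Date across entries; ok is false when the
// list is empty, so callers can tell "no entries" apart from a zero time.
func NewestEntryDate(entries []KnownCompromisedEntry) (newest time.Time, ok bool) {
	for _, e := range entries {
		if !ok || e.Date.After(newest) {
			newest, ok = e.Date, true
		}
	}
	return newest, ok
}

// CheckGeneratedAtCoversFreshestEntry enforces the invariant
// snap.GeneratedAt >= max(KnownCompromised[*].Date). Equality is allowed;
// only a GeneratedAt strictly before the newest entry is a violation.
func CheckGeneratedAtCoversFreshestEntry(snap Snapshot) error {
	newest, ok := NewestEntryDate(snap.KnownCompromised)
	if !ok {
		return nil // an empty snapshot trivially satisfies the invariant
	}
	if snap.GeneratedAt.Before(newest) {
		return fmt.Errorf("snapshot GeneratedAt %s predates newest KnownCompromised entry dated %s",
			snap.GeneratedAt.Format("2006-01-02"), newest.Format("2006-01-02"))
	}
	return nil
}

// SampleEntries returns constructed sample entries. The package names are from
// the @AntV wave; the versions and dates are made up for this example and are
// not the advisory's real data.
func SampleEntries() []KnownCompromisedEntry {
	return []KnownCompromisedEntry{
		{Ecosystem: "npm", Package: "@antv/g2", Version: "0.0.0-sample", Date: mustDate("2026-05-12")},
		{Ecosystem: "npm", Package: "@antv/g6", Version: "0.0.0-sample", Date: mustDate("2026-05-14")},
		{Ecosystem: "npm", Package: "timeago.js", Version: "0.0.0-sample", Date: mustDate("2026-05-13")},
	}
}

func main() {
	fresh := Snapshot{GeneratedAt: mustDate("2026-05-15"), KnownCompromised: SampleEntries()}
	stale := Snapshot{GeneratedAt: mustDate("2026-05-13"), KnownCompromised: SampleEntries()}
	fmt.Println("fresh snapshot:", CheckGeneratedAtCoversFreshestEntry(fresh))
	fmt.Println("stale snapshot:", CheckGeneratedAtCoversFreshestEntry(stale))
}
```

Returning `ok=false` from `NewestEntryDate` rather than a zero `time.Time` keeps the empty-snapshot case explicit; a zero time would otherwise compare as earlier than any real `GeneratedAt` and silently pass.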
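The pin scope list and the `check-version-pins.sh` step in the test plan describe one consistency check across several files. As an added example in Go (the project's language), and not the project's own script, the block below shows the shape of such a checker: it scans constructed file contents for both spellings the PR names, the `v`-prefixed refs (`garagon/aguara@v0.18.1`, `version: v0.18.1`, `VERSION=v0.18.1`, `DEFAULT_REF`) and the un-prefixed Docker tag (`:0.18.1`), and reports any site still on another version. The file contents, the Makefile syntax and the `example.invalid/aguara` image path are assumptions made up for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// The release-tracked files spell the pin two ways: Git/Action refs keep the
// "v" prefix while Docker tags drop it. A checker that only looks for one
// spelling would miss drift in the other.
var (
	vPrefixedPin = regexp.MustCompile(`\bv(\d+\.\d+\.\d+)\b`)
	dockerTagPin = regexp.MustCompile(`:(\d+\.\d+\.\d+)\b`)
)

// PinMismatch is one site whose pinned version differs from the release.
type PinMismatch struct {
	File  string
	Line  int    // 1-based line within File
	Found string // the token as written, e.g. "v0.18.0" or ":0.18.0"
}

// CheckVersionPins scans each file's content for both pin spellings and
// returns every occurrence that does not match expected (given with the
// leading "v", e.g. "v0.18.1"), sorted by file and line so output is stable
// regardless of map iteration order.
func CheckVersionPins(files map[string]string, expected string) []PinMismatch {
	want := strings.TrimPrefix(expected, "v")
	var out []PinMismatch
	for name, content := range files {
		for i, line := range strings.Split(content, "\n") {
			for _, re := range []*regexp.Regexp{vPrefixedPin, dockerTagPin} {
				for _, m := range re.FindAllStringSubmatch(line, -1) {
					if m[1] != want {
						out = append(out, PinMismatch{File: name, Line: i + 1, Found: m[0]})
					}
				}
			}
		}
	}
	sort.Slice(out, func(a, b int) bool {
		if out[a].File != out[b].File {
			return out[a].File < out[b].File
		}
		return out[a].Line < out[b].Line
	})
	return out
}

// SampleFiles returns constructed file contents mimicking the pin sites named
// in the PR. README.md deliberately carries one stale Docker tag; the image
// path example.invalid/aguara is a placeholder, not the project's image.
func SampleFiles() map[string]string {
	return map[string]string{
		"cmd/aguara/commands/init.go": "// scaffolds a workflow pinned to v0.18.1\n" +
			"\t\"uses: garagon/aguara@v0.18.1\"\n" +
			"\t\"version: v0.18.1\"\n",
		"action.yml": "DEFAULT_REF: v0.18.1\n",
		"Makefile":   "INSTALL_SH_TEST_VERSION ?= v0.18.1\n",
		"README.md": "VERSION=v0.18.1 ./install.sh\n" +
			"docker run example.invalid/aguara:0.18.0\n" +
			"uses: garagon/aguara@v0.18.1\n",
	}
}

func main() {
	for _, m := range CheckVersionPins(SampleFiles(), "v0.18.1") {
		fmt.Printf("%s:%d pins %s, expected v0.18.1\n", m.File, m.Line, m.Found)
	}
}
```

Run against the sample data the checker reports only the stale README.md Docker tag; the same scan with `v0.18.0` as the expected version flags every `v0.18.1` site instead, which is the drift a release-prep PR like this one is meant to eliminate.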