chore(release): v1.3.0#46
Merged
Merged
Conversation
Bump 1.2.1 -> 1.3.0 and fold the unreleased changelog into a [1.3.0] section. Highlights (minor: new behavior + raised floor, no breaking API): - Requires Node 20+ (was 18; Node 18 is EOL). npm engines is a warning, so discouraged-not-blocked for holdouts. - Supply-chain: committed SHA-256 integrity gate for vendored stealth-core, enforced on every CI runner. - SSRF guard coverage locked across all 8 MCP URL tools (regression). - Flagship MCP surface + observer now unit-tested (5-10% -> 20-94%); coverage floor ratcheted to 76/64/77/77. - Honest advisory disclosure (17 low, one root cause) replacing the stale "0 vulnerabilities" CI claim. - Shipped custom-handler example is runnable .js again (was dangling .ts). Pre-publish audit (skill 16) run locally: clean across tracked grep, tarball file list, bundled scenarios/personas URLs, and .env.example. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Playwright integration test `wcag-axe.test.ts` asserts the generated SARIF is byte-identical to docs/integration/fixture-sarif.json, whose driver.version field mirrors package.json. The 1.3.0 bump made the generated report carry "1.3.0" while the golden still pinned "1.2.1" -> required-check failure on the release PR. Update the golden. (The line-3 "2.1.0" is the SARIF schema version, untouched.) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release v1.3.0 (minor). Bumps 1.2.1 → 1.3.0 + folds the unreleased changelog into a
[1.3.0]section.What's in it
npmengines = warning, so discouraged-not-blocked.stealth-core, enforced on every CI runner (check:vendor-integrity)..jsagain (was dangling.ts).Versioning note
1.2.1 was tagged/published without its own changelog section, so its notes are folded into
[1.3.0](npm delta is 1.2.1 → 1.3.0). Shout if you want them split out.Pre-publish audit (skill 16) — run locally, clean
dist/+ whitelisted assets, no internal-planning files.env.example: all generic placeholdersPublish path (after merge)
This does not publish. To release: set up the npm credential for CI (NPM_TOKEN secret or OIDC trusted-publisher for
xcodethink/pixelcheck), then push tagv1.3.0→release.ymlpublishes with provenance.🤖 Generated with Claude Code