From b299d3882c2efb15f598f701b460ab279f9e2e17 Mon Sep 17 00:00:00 2001 From: wayne Date: Tue, 2 Jun 2026 23:13:02 +0800 Subject: [PATCH] docs(releases): record v1.3.0 publish (npm + provenance + IDs) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per the release-record discipline: docs/releases/2026-06-02-v1.3.0.md with the real IDs — npm pixelcheck@1.3.0 (latest, provenance, published 15:11Z), tag v1.3.0 -> 86405be, GitHub Release, release.yml run 26828955136, production verification, and a fix-forward rollback plan. Co-Authored-By: Claude Opus 4.8 (1M context) --- docs/releases/2026-06-02-v1.3.0.md | 80 ++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 docs/releases/2026-06-02-v1.3.0.md diff --git a/docs/releases/2026-06-02-v1.3.0.md b/docs/releases/2026-06-02-v1.3.0.md new file mode 100644 index 0000000..81183d8 --- /dev/null +++ b/docs/releases/2026-06-02-v1.3.0.md 
@@ -0,0 +1,80 @@ +# Release v1.3.0 — Security hardening, MCP test coverage, Node 20 + +- **Version**: 1.3.0 +- **Date**: 2026-06-02 +- **Previous**: v1.2.1 (2026-05-12) +- **Tag**: `v1.3.0` → commit `86405bef2d5ea73c8cb2551b9442a0cc6c901236` (merge of #46) +- **npm**: [`pixelcheck@1.3.0`](https://www.npmjs.com/package/pixelcheck/v/1.3.0) — `latest`, published 2026-06-02T15:11:02Z **with provenance** +- **Tarball**: 3.74 MB unpacked / 420 files — https://registry.npmjs.org/pixelcheck/-/pixelcheck-1.3.0.tgz +- **GitHub Release**: https://github.com/xcodethink/pixelcheck/releases/tag/v1.3.0 +- **Publish workflow**: `release.yml` run [26828955136](https://github.com/xcodethink/pixelcheck/actions/runs/26828955136) — success (`npm publish --provenance`) + +## Summary + +Production-grade audit (2026-06-02) remediation, shipped. **No public-API +breaking changes**; the one compatibility change is the runtime floor (Node +20+, see below). Full notes in CHANGELOG.md `[1.3.0]`. + +Headlines: +- **Requires Node 20+** (`engines.node` `>=18` → `>=20`). Node 18 is EOL + (2025-04-30) and was never actually exercised (CI is 20/22). `npm` treats + `engines` as a warning, so it is discouraged-not-blocked for Node-18 holdouts. +- **Supply chain**: vendored `stealth-core` now has a committed SHA-256 + integrity manifest enforced on every CI runner (`check:vendor-integrity`). +- **SSRF**: guard coverage locked across all 8 MCP URL tools (regression). +- **Tests**: flagship MCP surface + observer 5–10% → 20–94%; coverage floor + ratcheted 74/62/75/75 → 76/64/77/77 (ADR-017). +- **Honesty**: 17 low advisories disclosed in SECURITY.md (one root cause: + `@ai-sdk/provider-utils`); the false "0 vulnerabilities" CI comment fixed. 
+ +## Code changes (merged to `main`) + +| PR | Title | +|---|---| +| #43 | security+reliability hardening (audit 2026-06-02): supply-chain, MCP, liveness, cost, persona, lint | +| #44 | audit follow-ups: H1 broken init, H2 GHA newline, C2 redaction, E3/E4/E5 cost + D4-D8/E6-E9/H3-H9 + F4-F7 + G3 + G4 | +| #46 | chore(release): v1.3.0 (version bump + CHANGELOG + SARIF golden fixture) | + +Governance applied this cycle: `main` branch protection enabled +(`enforce_admins`, no force-push, no deletions, required checks = +`Test (ubuntu-latest · Node 20/22)` + `Playwright integration (real chromium)` ++ `Coverage gate (ADR-017 ratchet)`, PRs required). + +## Database migrations + +None. Existing `~/.pixelcheck/history.db` is forward-compatible. + +## Production verification + +| Check | Result | +|---|---| +| `npm view pixelcheck version` | ✅ `1.3.0` (`latest`) | +| `npm view pixelcheck dist-tags` | ✅ `latest: 1.3.0` | +| `release.yml` run 26828955136 | ✅ success — `Publish (with provenance)` ✅ | +| Pre-publish audit (skill 16) | ✅ clean — tracked grep / tarball list / bundled assets / `.env.example` | +| Full unit suite (local, pre-tag) | ✅ 2320 passed / 1 skipped | +| Required CI checks on #46 | ✅ all 4 green | + +## Rollback plan + +npm tarballs **cannot be unpublished after 72h**; rollback = publish a fix-forward +patch, not an unpublish. + +- **Code**: `git revert -m 1 86405bef` (the #46 merge) on a branch → PR → merge. + For the deeper audit changes, revert #44 then #43 merges similarly. Do **not** + `reset --hard` (protected branch + shared history). +- **npm (within 72h, emergencies only)**: `npm unpublish pixelcheck@1.3.0` then + re-point `latest`: `npm dist-tag add pixelcheck@1.2.1 latest`. +- **npm (after 72h)**: `npm deprecate pixelcheck@1.3.0 "use 1.3.1"` and ship a + patched 1.3.1; consumers pinned to `latest` move forward. +- **Re-point latest without unpublish**: `npm dist-tag add pixelcheck@1.2.1 latest`. 
+ +## Follow-ups + +- **NPM_TOKEN** is a 90-day granular token (expires ~2026-08-31). Rotate before + expiry, or migrate to npm **Trusted Publishing** (OIDC, no stored secret) — + npm's recommended path; would drop the `NODE_AUTH_TOKEN` dependency in + `release.yml`. +- The SARIF golden fixture (`docs/integration/fixture-sarif.json`) pins the + package version, so it needs a one-line bump each release; consider + normalizing the version field in `wcag-axe.test.ts` to remove that papercut.
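Review bot: The last bullet of the Rollback plan, `- **Re-point latest without unpublish**: `npm dist-tag add pixelcheck@1.2.1 latest``, is not an effective rollback on its own: dist-tags only influence a bare `npm install pixelcheck`, while any consumer with a semver range such as `^1.2.1` still resolves to 1.3.0 because it remains the highest published version. Either drop that bullet or state that it must be paired with `npm deprecate` plus a fix-forward 1.3.1 (as the "after 72h" bullet already does), so the record does not describe a path that leaves a bad release reachable. Separately, the Production verification table backs the `**with provenance**` claim only with the `release.yml` run status; consider adding a row that verifies the attestation from the registry side, for example `npm audit signatures` in a fresh project depending on `pixelcheck@1.3.0`, so provenance is checked rather than inferred from the publish step.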