|
1 | 1 | # Changelog |
2 | 2 |
|
| 3 | +## v0.6.2 (2026-04-14) |
| 4 | + |
| 5 | +Scanner correctness fixes. Your repo score may change — it is now what scanner says it is. |
| 6 | + |
| 7 | +### Fixed — six silent-failure bugs in scanner |
| 8 | + |
| 9 | +All of these made scanner report higher scores than reality: |
| 10 | + |
| 11 | +- **S2 (SHA pinning)** now actually checks standard workflow syntax. The grep only matched bare `uses:` keys; the `- uses:` list-item form used by every normal workflow slipped through, so wf_total stayed at 0 and S2 always scored 1 regardless of pinning. |
| 12 | +- **W6 (pre-commit hook speed)** now emits score 0 when a slow command (tsc / eslint --fix / jest / pytest / etc.) is detected. Both branches previously returned 1. |
| 13 | +- **F5 (broken references)** no longer follows `../` paths out of the project. A CLAUDE.md that linked to `../../../etc/passwd` used to resolve against the real filesystem and score as "valid." The check also stopped resolving against the shell's CWD, which let bare references match wherever the user happened to run scanner from. |
| 14 | +- **emit_result** now validates jq output. Unknown check_ids used to emit the literal string `"null"` as dimension, poisoning scorer/plan-generator/reporter downstream. A broken jq returning exit 0 with empty stdout used to produce an empty JSONL line. |
| 15 | +- **F5 reference extraction** no longer crashes on markdown links. Helper functions reset `BASH_REMATCH`, and the tail of the while-loop then hit an unbound variable under `set -u` — F5 emitted 0 broken references regardless of content. Matches are now cached into locals before the helper call. |
| 16 | + |
| 17 | +### Fixed — accuracy benchmark |
| 18 | + |
| 19 | +Rebuilt against v0.6.2 scanner + all fixes. The tarball now also packages `.claude/settings.json` (1,574 of 4,533 corpus repos have it) so H1-H6 harness checks see real config: |
| 20 | + |
| 21 | +- Overall precision 95.2% → **97.8%** (+2.6) |
| 22 | +- Overall recall 94.3% → **95.9%** (+1.6) |
| 23 | +- Overall F1 94.7% → **96.8%** (+2.1) |
| 24 | +- Overall accuracy 93.9% → **96.4%** (+2.5) |
| 25 | + |
| 26 | +### Added |
| 27 | + |
| 28 | +- **`tests/robustness/malicious-fixtures.sh`** — 10-fixture robustness harness (paths with spaces/newlines, `../` traversal, symlink loops, files > 256 KB, non-UTF-8 CLAUDE.md, corrupt `.git/HEAD`, emoji filenames). |
| 29 | +- **`tests/fixer-safety/test-traversal.js`** — 7 path-traversal guard assertions against `fixer.js`. |
| 30 | +- **`tests/accuracy/run-full-baseline.sh`** — one-shot orchestrator for rebuilding accuracy baselines. Extract → reconstruct → parallel scan → compare. |
| 31 | +- +99 scanner / JS test assertions (94 → 193). Four previously-orphan test files now run in CI: `test-e2e.sh`, `test-install-script.sh`, `test-session-analyzer.sh`, `test-deep-analyzer.sh`. |
| 32 | + |
| 33 | +### Security |
| 34 | + |
| 35 | +- npm `postinstall.js` now fetches `install.sh` from the git tag matching the published package version, not `main`. Before, any commit to `main` silently changed install behavior for every prior version. |
| 36 | +- `.husky/pre-commit` moved private patterns out of the public repo. Load from `~/.agentlint-private-patterns` (opt-in per-user file), missing file means scan is skipped. |
| 37 | +- `release.yml` now declares top-level least-privilege `permissions: contents: read`. The release job still elevates locally for creating the GitHub Release. |
| 38 | + |
| 39 | +### Quality |
| 40 | + |
| 41 | +- `reporter.js` validates `--format` and exits non-zero on unknown values (previously silently exited 0 with no output). |
| 42 | +- `reporter.js` `esc()` now also escapes single quotes (defense-in-depth). |
| 43 | +- `scorer.js` warns to stderr when a JSONL line fails to parse (was silent skip). |
| 44 | +- Dead code removed across `reporter.js`, `scorer.js`, and `session-analyzer.js`. |
| 45 | + |
3 | 46 | ## v0.6.1 (2026-04-14) |
4 | 47 |
|
5 | 48 | Docs patch. No functional changes. |
|
0 commit comments