
chore(release): 0.2.2 - store-check polish #70

Merged: vreshch merged 1 commit into master from chore/store-check-polish on Jun 21, 2026

Conversation

vreshch (Member) commented Jun 21, 2026

Clears the safe findings from the pre-submission Obsidian plugin checker. None were blockers (all Warning/Recommendation), but two are worth removing before review sees them.

Fixed

  • js-yaml ^4.1.0 -> ^4.2.0 - patches GHSA-h67p-54hq-rp68 (moderate: quadratic-complexity DoS via repeated aliases in YAML merge keys; affected <=4.1.1). npm audit is now clean. Stays within 4.x (5.0.0 is a major), merge-engine tests green.
  • README - reword the Manual-install path so it no longer contains the <your-vault> token the checker flags as "placeholder text".
  • release.yml - attest build provenance for main.js / styles.css / manifest.json (adds id-token: write + attestations: write), so published assets are cryptographically verifiable.

Deliberately NOT changed

  • setWarning -> setDestructive and display -> getSettingDefinitions: both new APIs are ~1.13.0; minAppVersion is 1.11.4, so adopting them would crash on 1.11-1.12. Deferred until a minAppVersion bump. Old APIs still work (not removed).
  • "Replace js-yaml" (source rule): kept js-yaml over Obsidian's parseYaml so the 3-way merge engine stays pure / no-obsidian-import / unit-testable.
  • builtin-modules (devDependency, esbuild externals): not shipped; the dynamic list is more correct than a hardcoded one, and check-bundle.mjs already guards the bundle.
  • Direct filesystem access: intentional, isDesktop-guarded ~/.agentage/auth.json (0600) + vaults.json mirror shared with the agentage CLI; disclosed in README.

Verify

npm run verify green locally (68 tests, type-check + lint + format + build + check:hosts/docs/bundle). Release 0.2.2 (manifest + versions.json bumped).

Clears the safe Obsidian store-check findings:

- js-yaml ^4.1.0 -> ^4.2.0: patches GHSA-h67p-54hq-rp68 (moderate quadratic-complexity DoS in YAML merge-key alias handling); npm audit now clean. Stays on 4.x; merge engine tests green.

- README: reword the Manual-install path to drop the <your-vault> token the checker flags as placeholder text.

- release.yml: attest build provenance for main.js/styles.css/manifest.json (id-token + attestations perms) so release assets are verifiable.

Deferred (minAppVersion 1.11.4 gated): setWarning->setDestructive, display->getSettingDefinitions. Kept js-yaml over Obsidian parseYaml to preserve the pure/unit-testable merge engine.
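The release.yml change above only names the two permissions it adds and the three assets it attests. The workflow below is an added example of what such a job looks like end to end; it is not the project's own release.yml. The tag trigger, the checkout/setup-node steps, `npm run build` as the command that emits the three files, and the `gh release create` upload are all assumptions; `actions/attest-build-provenance` and its `subject-path` input are the real GitHub action and parameter.

```yaml
# Added example (not the project's release.yml): build the plugin, attest
# build provenance for the published assets, then upload them to the release.
name: release
on:
  push:
    tags: ["*"]            # assumed trigger

jobs:
  release:
    runs-on: ubuntu-latest
    # Least-privilege job token. contents:write is needed to create the release;
    # id-token:write lets the job mint the OIDC token that identifies this
    # workflow run; attestations:write lets the signed provenance be stored.
    # Without the last two, the attest step cannot produce or persist anything.
    permissions:
      contents: write
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      # Assumed: the project build emits main.js, styles.css and manifest.json
      # into the working directory.
      - run: npm run build
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v2
        with:
          # One attestation per subject; each binds the file digest to this
          # workflow, commit and repository.
          subject-path: |
            main.js
            styles.css
            manifest.json
      - name: Create release and upload assets
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release create "$GITHUB_REF_NAME" main.js styles.css manifest.json --generate-notes
```

Anyone who installs the plugin manually can check that a downloaded asset is the one this workflow built with `gh attestation verify main.js --repo OWNER/REPO` (OWNER/REPO is a placeholder for the plugin repository). The check fails if the file's digest differs from the attested one, which is the point of attesting each asset rather than only the release as a whole.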
github-actions (bot) commented:

🎉 PR Validation ✅ PASSED

Commit: 0477370a6fd9af7a7134271b9680640d4cb0a1fa
Branch: chore/store-check-polish

Checks:

  • ✅ Dependencies installed
  • ✅ Type check passed
  • ✅ Linting passed
  • ✅ Format check passed
  • ✅ Tests + coverage passed
  • ✅ Build successful
  • ✅ Store-compliance checks passed
  • ✅ Bundle is mobile-safe

Ready to merge!


@vreshch vreshch marked this pull request as ready for review June 21, 2026 11:59
@vreshch vreshch merged commit a9db6de into master Jun 21, 2026
1 check passed
@vreshch vreshch deleted the chore/store-check-polish branch June 21, 2026 11:59