From 5bd619b0d5605e5f9bbd51d6eedfdc6c8edf0fd9 Mon Sep 17 00:00:00 2001 From: bumpy-bot <276066384+bumpy-bot@users.noreply.github.com> Date: Thu, 25 Jun 2026 06:25:56 +0000 Subject: [PATCH] Version packages @varlock/bumpy@1.17.0 --- .bumpy/ci-check-cwd-guard.md | 5 ----- .bumpy/cwd-flag.md | 5 ----- packages/bumpy/CHANGELOG.md | 7 +++++++ packages/bumpy/package.json | 2 +- 4 files changed, 8 insertions(+), 11 deletions(-) delete mode 100644 .bumpy/ci-check-cwd-guard.md delete mode 100644 .bumpy/cwd-flag.md diff --git a/.bumpy/ci-check-cwd-guard.md b/.bumpy/ci-check-cwd-guard.md deleted file mode 100644 index d61c516..0000000 --- a/.bumpy/ci-check-cwd-guard.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@varlock/bumpy': none ---- - -`bumpy ci check` now fails when it runs under `pull_request_target` without an explicit `--cwd`, pointing users at the two-checkout workflow. Pass `--cwd .` to acknowledge an already-trusted checkout. Marked `none` because it's part of the `--cwd` feature already shipping in this release. diff --git a/.bumpy/cwd-flag.md b/.bumpy/cwd-flag.md deleted file mode 100644 index d9ed041..0000000 --- a/.bumpy/cwd-flag.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@varlock/bumpy': minor ---- - -Added a global `--cwd ` flag that runs bumpy as if it were started in ``. This makes the `pull_request_target` PR-check workflow safe against a previously-undocumented attack: a fork PR could commit a `bunfig.toml`/`.npmrc` that redirected where `bunx @varlock/bumpy` itself was fetched from (swapping in a malicious package at the pinned version). The recommended workflow now fetches and runs bumpy from a trusted base checkout and points it at the untrusted PR tree with `--cwd ./pr`, so package-manager config in the PR can no longer influence how bumpy is obtained. diff --git a/packages/bumpy/CHANGELOG.md b/packages/bumpy/CHANGELOG.md index 165cae4..e001f67 100644 --- a/packages/bumpy/CHANGELOG.md +++ b/packages/bumpy/CHANGELOG.md 
@@ -1,5 +1,12 @@ # Changelog +## 1.17.0 + +2026-06-25 + +- [#138](https://github.com/dmno-dev/bumpy/pull/138) _(minor)_ + Added a global `--cwd ` flag that runs bumpy as if it were started in ``. This makes the `pull_request_target` PR-check workflow safe against a previously-undocumented attack: a fork PR could commit a `bunfig.toml`/`.npmrc` that redirected where `bunx @varlock/bumpy` itself was fetched from (swapping in a malicious package at the pinned version). The recommended workflow now fetches and runs bumpy from a trusted base checkout and points it at the untrusted PR tree with `--cwd ./pr`, so package-manager config in the PR can no longer influence how bumpy is obtained. + ## 1.16.1 2026-06-25 diff --git a/packages/bumpy/package.json b/packages/bumpy/package.json index c413d7f..6798b95 100644 --- a/packages/bumpy/package.json +++ b/packages/bumpy/package.json @@ -1,6 +1,6 @@ { "name": "@varlock/bumpy", - "version": "1.16.1", + "version": "1.17.0", "description": "Modern monorepo versioning and changelog tool", "keywords": [ "bump",
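Review bot: the `none`-level changeset `.bumpy/ci-check-cwd-guard.md` is deleted in this version bump but nothing from it reaches the new 1.17.0 CHANGELOG entry, so the released notes describe the `--cwd` flag without saying that `bumpy ci check` now fails under `pull_request_target` when no explicit `--cwd` is given, or that `--cwd .` is how an already-trusted checkout is acknowledged. That is a hard CI failure users will hit the first time the new version runs, so it deserves a line in the 1.17.0 entry (for example: "`bumpy ci check` now fails when run under `pull_request_target` without an explicit `--cwd`; pass `--cwd .` to acknowledge an already-trusted checkout"), either added by hand here or by raising that changeset from `none` to `patch` so the release tooling carries the text over.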
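Review bot: the argument placeholder for the flag is missing in both the deleted `.bumpy/cwd-flag.md` and the new CHANGELOG line, which read "Added a global `--cwd ` flag that runs bumpy as if it were started in ``." with a trailing space inside the first code span and an empty second one. That pattern is what an angle-bracketed placeholder looks like after markdown rendering treats it as an HTML tag. Suggest writing the placeholder in a form that survives rendering (escaped brackets or an upper-case `DIR`) so the changelog actually documents what `--cwd` takes.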
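Review bot: the CHANGELOG entry states that with the new workflow "package-manager config in the PR can no longer influence how bumpy is obtained", but the deleted guard changeset shows that `--cwd .` is accepted as an acknowledgement of a trusted checkout, so the protection holds only when the directory bumpy is launched from is the trusted base checkout and not the PR head. Since the CHANGELOG is the only user-facing description of this supply-chain fix in the release, it should spell out that `--cwd .` is for a base checkout only and should link the two-checkout workflow that the guard's error message points users at, otherwise an operator can silence the guard and end up back in the configuration the fix was meant to prevent.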