From b6f0d7fa0ff9d27f8100ddc38a036a714d12fe70 Mon Sep 17 00:00:00 2001 From: intech Date: Sat, 20 Jun 2026 12:14:13 +0400 Subject: [PATCH 1/2] chore(deps): bump pinned toolchain to latest - @anthropic-ai/claude-code 2.1.177 -> 2.1.183 - @agentclientprotocol/claude-agent-acp 0.44.0 -> 0.48.0 - @colbymchenry/codegraph 1.0.0 -> 1.0.1 - pnpm 11.6.0 -> 11.8.0 Regenerated tools/package-lock.json inside node:22 (npm ci verified; all 12 top-level pins remain exact). codegraph 1.0.1 keeps both linux-x64 and linux-arm64 prebuilt optionalDeps (multi-arch parity preserved). claude-agent-acp bin is unchanged (claude-agent-acp), so the CLAUDE_CODE_EXECUTABLE pinning stays intact; its transitive claude-agent-sdk moved 0.3.170 -> 0.3.183 (bundled, unused binary - image size only). No regressions to permission modes or the settings.json keys (advisorModel, tui, statusLine, autoUpdates) across the documented 2.1.x releases (178/179/181/183) between the old and new pins. RTK (v0.42.4), git-delta (0.19.2) and caveman (v1.9.0) are already at their latest releases - no Dockerfile change. Synced version strings in README.md and CLAUDE.md, and documented running npm audit after a lockfile regen. Co-Authored-By: Claude Opus 4.8 --- CLAUDE.md | 9 +- README.md | 8 +- tools/package-lock.json | 230 ++++++++++++++++++++-------------------- tools/package.json | 8 +- 4 files changed, 129 insertions(+), 126 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index ee507cb..59afb10 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -13,7 +13,7 @@ This is a security-hardened Docker container that runs Claude Code with pre-inst The container is built on Node.js 22 (LTS) with the following layers: 1. **Base System** - Debian Trixie (glibc 2.41) with hardened security settings -2. **Toolchain (npm)** - All global npm CLIs installed via `npm ci` from `tools/package.json` + `tools/package-lock.json` (sha512-integrity, exact pinned versions, no `@latest`). Bins exposed via PATH (`/opt/toolchain/node_modules/.bin`). Includes Claude Code (2.1.177), OpenSpec (1.4.1), CodeGraph (1.0.0), caveman-shrink (0.1.0), the MCP servers, and dev tools (pnpm 11.6.0, typescript 6.0.3, ts-node 10.9.2, prettier 3.8.4, eslint 10.5.0) +2. **Toolchain (npm)** - All global npm CLIs installed via `npm ci` from `tools/package.json` + `tools/package-lock.json` (sha512-integrity, exact pinned versions, no `@latest`). Bins exposed via PATH (`/opt/toolchain/node_modules/.bin`). Includes Claude Code (2.1.183), OpenSpec (1.4.1), CodeGraph (1.0.1), caveman-shrink (0.1.0), the MCP servers, and dev tools (pnpm 11.8.0, typescript 6.0.3, ts-node 10.9.2, prettier 3.8.4, eslint 10.5.0) 3. **OpenSpec** - initialized into `/workspace` at build time with telemetry disabled via `OPENSPEC_TELEMETRY=0` 4. **RTK** - Rust Token Killer; static musl binary in `/usr/local/bin` (version via `RTK_VERSION` build arg, sha256-verified); `rtk init -g --auto-patch` installs a Claude Code PreToolUse hook that rewrites Bash commands through `rtk` 5. **Caveman** - Output-compression skill for Claude Code, installed at build time via its plugin mechanism (`claude plugin install`), pinned to tag `v1.9.0` 
@@ -205,7 +205,10 @@ different `lockfileVersion`): ```bash docker run --rm -v "$PWD/tools:/w" -w /w node:22-trixie-slim npm install --package-lock-only ``` -Pin only Node-22-compatible versions — check `npm view @ engines.node`. The build-time +After regenerating, run `npm audit` in the same `node:22` image — and, when a clean non-breaking +fix is offered, `npm audit fix --package-lock-only` — so transitive security advisories surface and +get patched instead of silently shipping. `npm install` keeps in-range pinned transitive versions, +so an already-applied patch is not downgraded by a later regen. Pin only Node-22-compatible versions — check `npm view @ engines.node`. The build-time gate runs each dev tool's `--version` to catch an incompatible engine (this is how the earlier pnpm 11 vs Node 20 mismatch was caught before the base was bumped to Node 22). 
@@ -321,7 +324,7 @@ Two extra entrypoints exist beside the autonomous `run_claude.sh`; they share th - Installed with **`--no-mcp-shrink`**: caveman's auto-registration wired `caveman-shrink` as a standalone MCP server with no upstream command, which always `✗ Failed to connect` (it is middleware, not a server). Instead `caveman-shrink` is pre-installed globally and applied as a wrapper around the codegraph MCP server (see CodeGraph / MCP Servers) - Source: https://github.com/JuliusBrussee/caveman - **CodeGraph** - Pre-indexed code knowledge graph (symbols, call graph, impact) served to agents over MCP (`codegraph` binary) - - Installed via `npm ci` from the locked toolchain (`@colbymchenry/codegraph@1.0.0`); also registered as the `codegraph` MCP server, wrapped by `caveman-shrink` to compress its (verbose) tool descriptions — verified `✓ Connected` (see "MCP Servers") + - Installed via `npm ci` from the locked toolchain (`@colbymchenry/codegraph@1.0.1`); also registered as the `codegraph` MCP server, wrapped by `caveman-shrink` to compress its (verbose) tool descriptions — verified `✓ Connected` (see "MCP Servers") - **Not pure JS:** the npm package is a thin shim; the real artifact is a per-platform optionalDependency (`@colbymchenry/codegraph-linux-x64`) bundling a vendored Node 24 runtime + prebuilt binary. `codegraph --help` at build time verifies the binary runs (**verified**: the vendored Node 24 binary runs on `node:22-trixie-slim`) - `CODEGRAPH_NO_DOWNLOAD=1` (baked-in ENV) forbids the shim's runtime fallback that fetches the binary from GitHub Releases — the binary must come from the npm registry only - 100% local: local SQLite index (`.codegraph/codegraph.db`, FTS5), no API keys, no external services diff --git a/README.md b/README.md index 58caf0b..acb9c90 100644 --- a/README.md +++ b/README.md 
@@ -160,13 +160,13 @@ Base: `node:22-trixie-slim` (Node 22 LTS, Debian 13 / glibc 2.41). Multi-arch (a Toolchain pinned in `tools/package.json`, locked in `tools/package-lock.json` (`npm ci`, sha512 integrity, exact versions): -- `@anthropic-ai/claude-code` (2.1.177), `@fission-ai/openspec` (1.4.1) -- `@agentclientprotocol/claude-agent-acp` (0.44.0) — ACP adapter for IDE use (Zed); reuses +- `@anthropic-ai/claude-code` (2.1.183), `@fission-ai/openspec` (1.4.1) +- `@agentclientprotocol/claude-agent-acp` (0.48.0) — ACP adapter for IDE use (Zed); reuses the pinned `claude` binary via `CLAUDE_CODE_EXECUTABLE` -- `@colbymchenry/codegraph` (1.0.0, MCP) wrapped by `caveman-shrink` (0.1.0) +- `@colbymchenry/codegraph` (1.0.1, MCP) wrapped by `caveman-shrink` (0.1.0) - MCP servers: `sequential-thinking`, `context7` (HTTP), `perplexity` - caveman skill (plugin, tag `v1.9.0`) -- Dev tools: `pnpm` 11.6.0, `typescript` 6.0.3, `ts-node` 10.9.2, `prettier` 3.8.4, `eslint` 10.5.0 +- Dev tools: `pnpm` 11.8.0, `typescript` 6.0.3, `ts-node` 10.9.2, `prettier` 3.8.4, `eslint` 10.5.0 GitHub-release binaries (per-arch, sha256-pinned): `rtk` (v0.42.4), `git-delta` (0.19.2). CLI utilities: `jq`, `ripgrep`, `fd`, `tree`, `fzf`, `mc`, `gnupg`. diff --git a/tools/package-lock.json b/tools/package-lock.json index c80542c..ee4ee22 100644 --- a/tools/package-lock.json +++ b/tools/package-lock.json 
@@ -8,28 +8,28 @@ "name": "claude-container-toolchain", "version": "1.0.0", "dependencies": { - "@agentclientprotocol/claude-agent-acp": "0.44.0", - "@anthropic-ai/claude-code": "2.1.177", - "@colbymchenry/codegraph": "1.0.0", + "@agentclientprotocol/claude-agent-acp": "0.48.0", + "@anthropic-ai/claude-code": "2.1.183", + "@colbymchenry/codegraph": "1.0.1", "@fission-ai/openspec": "1.4.1", "@modelcontextprotocol/server-sequential-thinking": "2025.12.18", "caveman-shrink": "0.1.0", "eslint": "10.5.0", "perplexity-mcp": "0.2.3", - "pnpm": "11.6.0", + "pnpm": "11.8.0", "prettier": "3.8.4", "ts-node": "10.9.2", "typescript": "6.0.3" } }, "node_modules/@agentclientprotocol/claude-agent-acp": { - "version": "0.44.0", - "resolved": "https://registry.npmjs.org/@agentclientprotocol/claude-agent-acp/-/claude-agent-acp-0.44.0.tgz", - "integrity": "sha512-FWET6TS3XpVgm4xhPtxzPJACNBK+O1rWnZ+6ZDA1vvtxy9KmAu6yGCDSGSsPeArEcouc8u69iuNW4vLaUELNcw==", + "version": "0.48.0", + "resolved": "https://registry.npmjs.org/@agentclientprotocol/claude-agent-acp/-/claude-agent-acp-0.48.0.tgz", + "integrity": "sha512-whQw81kh2LOdroZLlhuT+ZphKm1RtjddAVbad6EXo7yhs4ZTchdDRiVXhEZX5NKEQDngEaPO/HsxXyodNfoYUg==", "license": "Apache-2.0", "dependencies": { - "@agentclientprotocol/sdk": "0.25.0", - "@anthropic-ai/claude-agent-sdk": "0.3.170", + "@agentclientprotocol/sdk": "0.28.1", + "@anthropic-ai/claude-agent-sdk": "0.3.183", "zod": "^3.25.0 || ^4.0.0" }, "bin": { 
@@ -37,31 +37,31 @@ } }, "node_modules/@agentclientprotocol/sdk": { - "version": "0.25.0", - "resolved": "https://registry.npmjs.org/@agentclientprotocol/sdk/-/sdk-0.25.0.tgz", - "integrity": "sha512-wU1VgXNtMvdVotX49txc3WJUDV+/QbLpsgjMvFhlRmp37osdLbI7L7y+iwAlQATwfjLxcv1r1p3ZxZBcXlGhcQ==", + "version": "0.28.1", + "resolved": "https://registry.npmjs.org/@agentclientprotocol/sdk/-/sdk-0.28.1.tgz", + "integrity": "sha512-Z2Frs6YtPhnZZ+XwFXyQkRDXY0fn8FjCalEs0W4yUhQnY4TztmNq0/RnfzWdFN3vqT3h0jTz5klzYbZHGxCDyQ==", "license": "Apache-2.0", "peerDependencies": { "zod": "^3.25.0 || ^4.0.0" } }, "node_modules/@anthropic-ai/claude-agent-sdk": { - "version": "0.3.170", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk/-/claude-agent-sdk-0.3.170.tgz", - "integrity": "sha512-pAvhfk+iTodXZ6RF18Kz7BEUWFjL7EcR3tKuhUNdPpE1NAYCR3mSHGbafi72JsrNwKEDIs7FU31z3fqhwy8QzA==", + "version": "0.3.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk/-/claude-agent-sdk-0.3.183.tgz", + "integrity": "sha512-rAKws76RKdFu+DK5q9wYN0AGLRdPrw0vGd+TMzSFynFdxwUAehYc9vUKJoK27j2xRoHFdNt+JDsih5BzsUzi+Q==", "license": "SEE LICENSE IN README.md", "engines": { "node": ">=18.0.0" }, "optionalDependencies": { - "@anthropic-ai/claude-agent-sdk-darwin-arm64": "0.3.170", - "@anthropic-ai/claude-agent-sdk-darwin-x64": "0.3.170", - "@anthropic-ai/claude-agent-sdk-linux-arm64": "0.3.170", - "@anthropic-ai/claude-agent-sdk-linux-arm64-musl": "0.3.170", - "@anthropic-ai/claude-agent-sdk-linux-x64": "0.3.170", - "@anthropic-ai/claude-agent-sdk-linux-x64-musl": "0.3.170", - "@anthropic-ai/claude-agent-sdk-win32-arm64": "0.3.170", - "@anthropic-ai/claude-agent-sdk-win32-x64": "0.3.170" + "@anthropic-ai/claude-agent-sdk-darwin-arm64": "0.3.183", + "@anthropic-ai/claude-agent-sdk-darwin-x64": "0.3.183", + "@anthropic-ai/claude-agent-sdk-linux-arm64": "0.3.183", + "@anthropic-ai/claude-agent-sdk-linux-arm64-musl": "0.3.183", + "@anthropic-ai/claude-agent-sdk-linux-x64": 
"0.3.183", + "@anthropic-ai/claude-agent-sdk-linux-x64-musl": "0.3.183", + "@anthropic-ai/claude-agent-sdk-win32-arm64": "0.3.183", + "@anthropic-ai/claude-agent-sdk-win32-x64": "0.3.183" }, "peerDependencies": { "@anthropic-ai/sdk": ">=0.93.0", @@ -70,9 +70,9 @@ } }, "node_modules/@anthropic-ai/claude-agent-sdk-darwin-arm64": { - "version": "0.3.170", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-darwin-arm64/-/claude-agent-sdk-darwin-arm64-0.3.170.tgz", - "integrity": "sha512-rwfgArIa5WI0QPNqFsRBgvtSI0mrtpynUm0oK6+l6/KX4hcgnYGEzciZR1bOeD9/7sSZlTdIgt+T9alKeZmXcg==", + "version": "0.3.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-darwin-arm64/-/claude-agent-sdk-darwin-arm64-0.3.183.tgz", + "integrity": "sha512-o/+sxwKgXuw6RG5cERWjvcvL1CDSPe/TaXMhax+dq+V4lDOI5iTqg3y5Wfb6dL3xlWoTA2OhWowDQllKbE04LQ==", "cpu": [ "arm64" ], @@ -83,9 +83,9 @@ ] }, "node_modules/@anthropic-ai/claude-agent-sdk-darwin-x64": { - "version": "0.3.170", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-darwin-x64/-/claude-agent-sdk-darwin-x64-0.3.170.tgz", - "integrity": "sha512-0e58h8UQMtsQxLGIv9r4foxfBFWKZ7NeDtoplLhuD7EwQonehomw1sBXCch77t/IfUS+q5vQ5zv+fOGmap5nLQ==", + "version": "0.3.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-darwin-x64/-/claude-agent-sdk-darwin-x64-0.3.183.tgz", + "integrity": "sha512-V7Cf8JeD5EPf4MPomFUlEblCIQI0wg+aWdOSqvfMsDmCBEHljd52CQ3a7W263oVt6I7QUfRTpX2KNvdma56rDA==", "cpu": [ "x64" ], 
@@ -96,9 +96,9 @@ ] }, "node_modules/@anthropic-ai/claude-agent-sdk-linux-arm64": { - "version": "0.3.170", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-linux-arm64/-/claude-agent-sdk-linux-arm64-0.3.170.tgz", - "integrity": "sha512-gLbaFqcGppFJQd4DLNV4IXoeahejT/p2/M8bSSvRDbla9GOsBr1AxV5XLRyBn1e7xFGozZIAIQr3+1chp7NJgQ==", + "version": "0.3.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-linux-arm64/-/claude-agent-sdk-linux-arm64-0.3.183.tgz", + "integrity": "sha512-qqnSf85D3uBH7kRHLGOMhr7aQrREUZ4hUlCztrkJe/twUT4bmJsO86zamnAf7vOYeCul/sHYwBMmXtOfI+cHZg==", "cpu": [ "arm64" ], @@ -109,9 +109,9 @@ ] }, "node_modules/@anthropic-ai/claude-agent-sdk-linux-arm64-musl": { - "version": "0.3.170", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-linux-arm64-musl/-/claude-agent-sdk-linux-arm64-musl-0.3.170.tgz", - "integrity": "sha512-SRYfQcsXlOq+CD/FqkQBTSHbaD++w73GnnO+NUV9adLYrca3kfetRwWT1iguY1cNS0l34dCR3rlzCPq78vg1Jg==", + "version": "0.3.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-linux-arm64-musl/-/claude-agent-sdk-linux-arm64-musl-0.3.183.tgz", + "integrity": "sha512-ua6XaiCcYYKfd0CY9cjoyYnTQWI2GocpbP7Gwvmr+9taW/lTpQGVQH3FrF2VFKXVSt7AaVE6Z7WN9oPxcxl3VA==", "cpu": [ "arm64" ], @@ -122,9 +122,9 @@ ] }, "node_modules/@anthropic-ai/claude-agent-sdk-linux-x64": { - "version": "0.3.170", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-linux-x64/-/claude-agent-sdk-linux-x64-0.3.170.tgz", - "integrity": "sha512-Xl/m7TaSC3T5IDBdHrZQ9fCQYyDmPELN34CL+MoyPIf7uSmuZnjE9fUOqDh2Rv26JxWssi1M6X+BBvVuKd6Cpg==", + "version": "0.3.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-linux-x64/-/claude-agent-sdk-linux-x64-0.3.183.tgz", + "integrity": "sha512-GvfNp9XsKWFvr0EH3NgX2pqzHPYhFeqhOmVc4A+2e+GdxBMYUEa0ylfPLJItahQU9FkTJAw2oQNnzTHPPm1GxA==", "cpu": [ "x64" ], 
@@ -135,9 +135,9 @@ ] }, "node_modules/@anthropic-ai/claude-agent-sdk-linux-x64-musl": { - "version": "0.3.170", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-linux-x64-musl/-/claude-agent-sdk-linux-x64-musl-0.3.170.tgz", - "integrity": "sha512-m4+I0qBEk7cxRKS+pL+eoWXbXTFOAo83fQ0tQvap4z/mDMm06IWJtEPoYTaMBwsp32GJWLkHWKbZSBCHZnp2DQ==", + "version": "0.3.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-linux-x64-musl/-/claude-agent-sdk-linux-x64-musl-0.3.183.tgz", + "integrity": "sha512-wp+p+4xeZOW+h4InMKR7nIdGlgYftXyR+ErOVz7i2tMRcKuYMoc5jRIYjdJkuETMSr5nsRj0rDeO5gG7M6MGZQ==", "cpu": [ "x64" ], @@ -148,9 +148,9 @@ ] }, "node_modules/@anthropic-ai/claude-agent-sdk-win32-arm64": { - "version": "0.3.170", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-win32-arm64/-/claude-agent-sdk-win32-arm64-0.3.170.tgz", - "integrity": "sha512-IG+8isJNNJKbnnhO7m+PGhfVCg+XoQ/MDxGde5eigFI0WsEfitjuWSWwx82bT9ghxI1aa6qNvI+UPgPcZuo5Fg==", + "version": "0.3.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-win32-arm64/-/claude-agent-sdk-win32-arm64-0.3.183.tgz", + "integrity": "sha512-cGyMC9YDsrCQ4av74dMVa2liOb5oLFX4+1SxwJGRCW7mBVBazcM6rg7ifWbd9XfkDhNPKOIfyiloipyMfoaE4g==", "cpu": [ "arm64" ], @@ -161,9 +161,9 @@ ] }, "node_modules/@anthropic-ai/claude-agent-sdk-win32-x64": { - "version": "0.3.170", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-win32-x64/-/claude-agent-sdk-win32-x64-0.3.170.tgz", - "integrity": "sha512-7cuqSKbHVItPGVwRbd3A0BEJwcNtc7Fhoh6qHN4C6yrmjSrvdYYx3MLvq/VI768/RoG7mAMDxb+j7WfEfoP9BA==", + "version": "0.3.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-win32-x64/-/claude-agent-sdk-win32-x64-0.3.183.tgz", + "integrity": "sha512-h/XzbrSmXGroTk/FYKR6J4/8G9vDb1HUUUeNXeBGqGW1kppIiWPJKLRzjtSe0brVjADOKOT6tE5IHK0mV/1gBw==", "cpu": [ "x64" ], 
@@ -174,9 +174,9 @@ ] }, "node_modules/@anthropic-ai/claude-code": { - "version": "2.1.177", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-2.1.177.tgz", - "integrity": "sha512-pbBlT4O36j60k7Zd1aPQlVU1HFFpvFaTTnrsWLAVKdIHK/EcLjVjE/qY8kz9/e62XerK/UhJrZ8GsLaBNQ+6Mw==", + "version": "2.1.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-2.1.183.tgz", + "integrity": "sha512-c+Q9UHie0gaRaioHtEiYTVT2rt/C2ZsxkpMxKAaVFa+x3Fw+XHlv1uKKsqHuuBzEmwRMmelVs+1E3VyQFGv+vw==", "hasInstallScript": true, "license": "SEE LICENSE IN README.md", "bin": { 
@@ -186,20 +186,20 @@ "node": ">=18.0.0" }, "optionalDependencies": { - "@anthropic-ai/claude-code-darwin-arm64": "2.1.177", - "@anthropic-ai/claude-code-darwin-x64": "2.1.177", - "@anthropic-ai/claude-code-linux-arm64": "2.1.177", - "@anthropic-ai/claude-code-linux-arm64-musl": "2.1.177", - "@anthropic-ai/claude-code-linux-x64": "2.1.177", - "@anthropic-ai/claude-code-linux-x64-musl": "2.1.177", - "@anthropic-ai/claude-code-win32-arm64": "2.1.177", - "@anthropic-ai/claude-code-win32-x64": "2.1.177" + "@anthropic-ai/claude-code-darwin-arm64": "2.1.183", + "@anthropic-ai/claude-code-darwin-x64": "2.1.183", + "@anthropic-ai/claude-code-linux-arm64": "2.1.183", + "@anthropic-ai/claude-code-linux-arm64-musl": "2.1.183", + "@anthropic-ai/claude-code-linux-x64": "2.1.183", + "@anthropic-ai/claude-code-linux-x64-musl": "2.1.183", + "@anthropic-ai/claude-code-win32-arm64": "2.1.183", + "@anthropic-ai/claude-code-win32-x64": "2.1.183" } }, "node_modules/@anthropic-ai/claude-code-darwin-arm64": { - "version": "2.1.177", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-darwin-arm64/-/claude-code-darwin-arm64-2.1.177.tgz", - "integrity": "sha512-Fr8x9bK7tPqwdh3ThrxH8k/SNEtBbPp2nuBaeZvqboWx/WJxssYzX4aYMOSKqfPQ9CpV7AfNehF3EhVNgd3KTw==", + "version": "2.1.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-darwin-arm64/-/claude-code-darwin-arm64-2.1.183.tgz", + "integrity": "sha512-r0YSa+Ux8FEu2zLCLOuGaSRXxwyif9KF+YK64aso2QwdjCVEpTbJo3IK7P2HcT0NYTlwEYALWlP/Ickrql4wbQ==", "cpu": [ "arm64" ], 
@@ -210,9 +210,9 @@ ] }, "node_modules/@anthropic-ai/claude-code-darwin-x64": { - "version": "2.1.177", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-darwin-x64/-/claude-code-darwin-x64-2.1.177.tgz", - "integrity": "sha512-5XqqrdSdMmOD88Jqla6+Y3GKoun7M1pvfTYAYTUFadvv8guqo895INf6MnUFeADOE+U6v015r4gX443xc02uGw==", + "version": "2.1.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-darwin-x64/-/claude-code-darwin-x64-2.1.183.tgz", + "integrity": "sha512-i8cK/h7g902uZFj9ZdmFHPxP7uxuYWgw9hpx7fSPLdxyPcgbhl16+XD9bBSm6vSZ2CRLgKEb92fB1dt7qU5ClQ==", "cpu": [ "x64" ], @@ -223,9 +223,9 @@ ] }, "node_modules/@anthropic-ai/claude-code-linux-arm64": { - "version": "2.1.177", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-linux-arm64/-/claude-code-linux-arm64-2.1.177.tgz", - "integrity": "sha512-qb0K+/xwaZFz9spBUcDX3vNgEFTSNdbDze8AOpU4R9weVrwBY9zAO/OPqxC9qNhb5ZIRnJAZLKiICEeEUHowzA==", + "version": "2.1.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-linux-arm64/-/claude-code-linux-arm64-2.1.183.tgz", + "integrity": "sha512-TA+ixBwIKOZywNGOdi/q2abW1ibG9aJMwIe+O3BtEvrkcQD62jEyThW1jeC7/8Cdp0uyT5v5ilb63qD0YX59Ig==", "cpu": [ "arm64" ], @@ -236,9 +236,9 @@ ] }, "node_modules/@anthropic-ai/claude-code-linux-arm64-musl": { - "version": "2.1.177", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-linux-arm64-musl/-/claude-code-linux-arm64-musl-2.1.177.tgz", - "integrity": "sha512-cOxWAd0ROXV2RjPjaHrErzDL98Lwfix4Ury567Hm0lh00nw4okXb5WGk+Ak09hkwc2cAOmKlYRL7SAvssG9cDA==", + "version": "2.1.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-linux-arm64-musl/-/claude-code-linux-arm64-musl-2.1.183.tgz", + "integrity": "sha512-UZjE6ovn3Na0s0x1eJK6VYave5ztFAXW8/b+N5KVs4wv/i5mUfOf9UwmOCV0iG4IXJKy5wBIZ3gDRkUO/au1wQ==", "cpu": [ "arm64" ], 
@@ -249,9 +249,9 @@ ] }, "node_modules/@anthropic-ai/claude-code-linux-x64": { - "version": "2.1.177", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-linux-x64/-/claude-code-linux-x64-2.1.177.tgz", - "integrity": "sha512-syChhLEXI82sld9V3QN8+IkgQy6dtScWmlMVvV2wSlG5/Zjl8UyB+ARoCcsnFCZ6dK9OzjT9TInQovrkt2ZsYw==", + "version": "2.1.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-linux-x64/-/claude-code-linux-x64-2.1.183.tgz", + "integrity": "sha512-Ik4jBKW40pYyheJ+p890DMIPGgeFXuuCwQV4fWGHAyCEuBYoFYmTWiNEJIFZqIhbbX0YxfOhxacQ/xZSp6kvEw==", "cpu": [ "x64" ], @@ -262,9 +262,9 @@ ] }, "node_modules/@anthropic-ai/claude-code-linux-x64-musl": { - "version": "2.1.177", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-linux-x64-musl/-/claude-code-linux-x64-musl-2.1.177.tgz", - "integrity": "sha512-sxP4VyF0mEeMtlnOBicg7fRAv8eljorpQzKEalNu5Q2kLOoOV62GO6A1dgrpVwyfMMweJjea0bBYqIMlR27mmQ==", + "version": "2.1.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-linux-x64-musl/-/claude-code-linux-x64-musl-2.1.183.tgz", + "integrity": "sha512-8hBZ8rsHszPwLILIosViMtJUBVjCq6BDCV4IHQcW3Zx1paoY8+GHogUJlyrPZFXuq7QAhwgtT/+YUMHawjNhzA==", "cpu": [ "x64" ], @@ -275,9 +275,9 @@ ] }, "node_modules/@anthropic-ai/claude-code-win32-arm64": { - "version": "2.1.177", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-win32-arm64/-/claude-code-win32-arm64-2.1.177.tgz", - "integrity": "sha512-5vZlPcOsDARW9gK1RNZhRUevhCop1K5wFt/SvnXX+QVWC4fMfq/Kpug1SGaRewrvZjOMfstN9jvF+TqvHuHHfQ==", + "version": "2.1.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-win32-arm64/-/claude-code-win32-arm64-2.1.183.tgz", + "integrity": "sha512-qqaTFNkvgmSwNVH4IpPRA6gqMD/7zzBHyLIzg0pOOjNLfiyvL5qWoVeBTijCsh8MnDqrhlxGPoC98Q3YFyp7Ww==", "cpu": [ "arm64" ], 
@@ -288,9 +288,9 @@ ] }, "node_modules/@anthropic-ai/claude-code-win32-x64": { - "version": "2.1.177", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-win32-x64/-/claude-code-win32-x64-2.1.177.tgz", - "integrity": "sha512-tIAQI5OO5pA2SRQaA55CdIKXQpKkoXHZ6ll/xkTpaz+183ZnVuTCTWz6MbT6Yzyf9kwwsr3Ma1dzgZVFl/LNpw==", + "version": "2.1.183", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code-win32-x64/-/claude-code-win32-x64-2.1.183.tgz", + "integrity": "sha512-Ar9sb9QL2rqjRa5YW7LZ7uRL6fQNSbIOgEX+jhxdQyZ4QximRzGgSymxI/sXkcoR9ZxIRx9sBCRsHuyepWwiBA==", "cpu": [ "x64" ], @@ -301,9 +301,9 @@ ] }, "node_modules/@anthropic-ai/sdk": { - "version": "0.104.1", - "resolved": "https://registry.npmjs.org/@anthropic-ai/sdk/-/sdk-0.104.1.tgz", - "integrity": "sha512-gGACa/+IaiXzRRmF96aOhamoBgapKRBiFWbmmTFP8aMkpaEcuStF+Q61bjo4vPxBM7gqWJNZqsngslRdnLHv0Q==", + "version": "0.105.0", + "resolved": "https://registry.npmjs.org/@anthropic-ai/sdk/-/sdk-0.105.0.tgz", + "integrity": "sha512-sDyu+aM9cE6uZE+HgRjjHRb+qqb87GHZOx+8bE0YlWetdL1YcVLxn8h9ltxGOflyChTe6PMEo50kMQV4cw0hfg==", "license": "MIT", "peer": true, "dependencies": { 
@@ -333,26 +333,26 @@ } }, "node_modules/@colbymchenry/codegraph": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph/-/codegraph-1.0.0.tgz", - "integrity": "sha512-x+74x0VHcPrCujv6GjdEs+s9RzNwYoru3+gx5rn2u7cSKIpqntHzFRY/L/KWYp+M2MsBijGe/ejY1glNinB93A==", + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph/-/codegraph-1.0.1.tgz", + "integrity": "sha512-Y4ZMk7wxSRI9g2wQTcW21TfLr+fw7td1Dadkll6Udl9Ll8wX3H6qtov7K/VGtHG2AFX2j1e5Lm48PTHi74mImg==", "license": "MIT", "bin": { "codegraph": "npm-shim.js" }, "optionalDependencies": { - "@colbymchenry/codegraph-darwin-arm64": "1.0.0", - "@colbymchenry/codegraph-darwin-x64": "1.0.0", - "@colbymchenry/codegraph-linux-arm64": "1.0.0", - "@colbymchenry/codegraph-linux-x64": "1.0.0", - "@colbymchenry/codegraph-win32-arm64": "1.0.0", - "@colbymchenry/codegraph-win32-x64": "1.0.0" + "@colbymchenry/codegraph-darwin-arm64": "1.0.1", + "@colbymchenry/codegraph-darwin-x64": "1.0.1", + "@colbymchenry/codegraph-linux-arm64": "1.0.1", + "@colbymchenry/codegraph-linux-x64": "1.0.1", + "@colbymchenry/codegraph-win32-arm64": "1.0.1", + "@colbymchenry/codegraph-win32-x64": "1.0.1" } }, "node_modules/@colbymchenry/codegraph-darwin-arm64": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph-darwin-arm64/-/codegraph-darwin-arm64-1.0.0.tgz", - "integrity": "sha512-aHtwJ+fMQVANNy81ryDRy10iBls8Wh8EnZqq+niQ3/16ABHhoJ05CtSUU+q3b2vEI1fjjV/1oy/gdkvmRSzqLA==", + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph-darwin-arm64/-/codegraph-darwin-arm64-1.0.1.tgz", + "integrity": "sha512-4z3aNzR3Ml31MBVzAvFQm+bk83erdHkjnaJ0PoeM6I9T7xuTIcdAGV36i3qYwgBE4tdrghRdR0mP5MNM+OrGFA==", "cpu": [ "arm64" ], 
@@ -363,9 +363,9 @@ ] }, "node_modules/@colbymchenry/codegraph-darwin-x64": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph-darwin-x64/-/codegraph-darwin-x64-1.0.0.tgz", - "integrity": "sha512-9cdIYORYe1wCpf+vZO4SCLLr+zccdHdVYooS38lUPeXcl9g/gyBhhcEBrlQzEmeu83ODp7Xw3kpgfxj/71Jh2A==", + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph-darwin-x64/-/codegraph-darwin-x64-1.0.1.tgz", + "integrity": "sha512-KBSKl+tLCSIgV4iyi21SqYlpXL0P8DPqAnVHvvStdyYsCmkc2Heqf4oQIko+TYyFmuo65m4VpX989JkYZVGIVQ==", "cpu": [ "x64" ], @@ -376,9 +376,9 @@ ] }, "node_modules/@colbymchenry/codegraph-linux-arm64": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph-linux-arm64/-/codegraph-linux-arm64-1.0.0.tgz", - "integrity": "sha512-55DK/txKGlF6FlPbxVkE21pyUMGV/E0xgyV69iu33TyXbcPb3z9dEFen8w9H4eI23Am1eaca3eoGF2xZSXaJNg==", + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph-linux-arm64/-/codegraph-linux-arm64-1.0.1.tgz", + "integrity": "sha512-2TOeL/Lx3kME+dmv2Q9hbIQFBvT6uKLdZONDRaYto+1Bcl3GrJuIu6bsu3jiJuifPhnYIL2xwUV6y+TZQ8MbTw==", "cpu": [ "arm64" ], @@ -389,9 +389,9 @@ ] }, "node_modules/@colbymchenry/codegraph-linux-x64": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph-linux-x64/-/codegraph-linux-x64-1.0.0.tgz", - "integrity": "sha512-F3U0H7NUjzTz3kvKTIIJvL9PwBL+An1PXdhuTza3rgSAd0TwCaFVqhFvA4NH232IEl9z46MyeVD9S/ir1ffewA==", + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph-linux-x64/-/codegraph-linux-x64-1.0.1.tgz", + "integrity": "sha512-UENXSURJJUhcvdKoYsB5Wj6Z6O9C2afhYfG0LnL13KFWJhGXugqYKjF4KwkaeE8Po8TFul9k3f+8eXjmJwwwaQ==", "cpu": [ "x64" ], 
@@ -402,9 +402,9 @@ ] }, "node_modules/@colbymchenry/codegraph-win32-arm64": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph-win32-arm64/-/codegraph-win32-arm64-1.0.0.tgz", - "integrity": "sha512-r5BXkvo7vQ0WiJg2cTnnApPycTMEQNCOly/mZvhl0J2woMIjHPbQTpj8Gw6rPavfC3ceMx9SiT0HlFGq/Is2Bg==", + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph-win32-arm64/-/codegraph-win32-arm64-1.0.1.tgz", + "integrity": "sha512-ZEG+HOakHiAe1AWMa2LgD52HyIEbWsY2FyNvDmon4Ss2889OghqUyA8BOLu5hNW+EI42JwwSXijVevn2Zn0hlg==", "cpu": [ "arm64" ], @@ -415,9 +415,9 @@ ] }, "node_modules/@colbymchenry/codegraph-win32-x64": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph-win32-x64/-/codegraph-win32-x64-1.0.0.tgz", - "integrity": "sha512-+EZebzU08ID/ahY3CV8KvZL+TRc6SDuHki3LXnANq279imbAaADoF5MTGgIEHIj8LWkX4wWmcirf907YKQFLvw==", + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@colbymchenry/codegraph-win32-x64/-/codegraph-win32-x64-1.0.1.tgz", + "integrity": "sha512-qU6jjyma635qKJ0aaL8XU8QtYUGkWly0Mu4Wm2cSWRcNDL1v6sVoHMElgfUY7E9tK0gnU+/LbZW3MfmtqLG1GA==", "cpu": [ "x64" ], @@ -3098,9 +3098,9 @@ } }, "node_modules/pnpm": { - "version": "11.6.0", - "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.6.0.tgz", - "integrity": "sha512-mjZRgiQIDG/lFlr9z+eb+hGMKb5wPz9GKx4y7+HpjkfodQsUjggoYlCq1BE8x5k8pBPE4s1Ed1JwjC7ldRvJXw==", + "version": "11.8.0", + "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.8.0.tgz", + "integrity": "sha512-wfXnxMskHI8XS3Q4UdgvQrgCMkr8iw8Ra5atsVqgZmSUjd42lgo7oQebpbSyndAUATW5S1tfUmNZIknWjlVfJg==", "license": "MIT", "bin": { "pn": "bin/pnpm.mjs", diff --git a/tools/package.json b/tools/package.json index 829e43c..00b1963 100644 --- a/tools/package.json +++ b/tools/package.json 
@@ -4,14 +4,14 @@ "private": true, "description": "Pinned, lockfile-controlled global CLI toolchain for the claude-standalone container. Installed via `npm ci` for bit-for-bit reproducible npm tarballs (integrity-verified). Do not add `^`/`~` ranges here — exact versions only; regenerate package-lock.json inside node:22 after any change.", "dependencies": { - "@anthropic-ai/claude-code": "2.1.177", - "@agentclientprotocol/claude-agent-acp": "0.44.0", + "@anthropic-ai/claude-code": "2.1.183", + "@agentclientprotocol/claude-agent-acp": "0.48.0", "@fission-ai/openspec": "1.4.1", - "@colbymchenry/codegraph": "1.0.0", + "@colbymchenry/codegraph": "1.0.1", "caveman-shrink": "0.1.0", "@modelcontextprotocol/server-sequential-thinking": "2025.12.18", "perplexity-mcp": "0.2.3", - "pnpm": "11.6.0", + "pnpm": "11.8.0", "typescript": "6.0.3", "ts-node": "10.9.2", "prettier": "3.8.4", From 9dac331230791bdf4b1261a68c2e68e7feebad36 Mon Sep 17 00:00:00 2001 From: intech Date: Sat, 20 Jun 2026 12:14:45 +0400 Subject: [PATCH 2/2] fix(deps): patch transitive form-data & hono advisories npm audit fix --package-lock-only (no top-level pin drift): - form-data 4.0.5 -> 4.0.6 (GHSA-hmw2-7cc7-3qxx: CRLF injection) - hono 4.12.23 -> 4.12.26 (path traversal / CORS / body-limit advisories) Reduces npm audit from 4 -> 2 high-severity. The remaining two are in @modelcontextprotocol/sdk (<=1.25.1), pulled in transitively by perplexity-mcp 0.2.3 (the latest release, which pins the old SDK) - upstream marks both "no fix available". Documented in SECURITY.md as a deliberately accepted residual: perplexity-mcp runs as a stdio server here, so the DNS-rebinding vector (GHSA-w48q-cv73-mx4w) is not reachable; closing it fully would require dropping perplexity-mcp or an npm overrides pin (user-decided follow-up, may break its SDK API usage). Co-Authored-By: Claude Opus 4.8 --- SECURITY.md | 11 +++++++++++ tools/package-lock.json | 16 ++++++++-------- 2 files changed, 19 insertions(+), 8 deletions(-) 
diff --git a/SECURITY.md b/SECURITY.md index fd58e36..d8e4382 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -145,6 +145,17 @@ compromised and rotate it immediately. - Residual gaps (documented, not yet closed): the caveman installer clones its marketplace repo at default-branch HEAD (build-reproducibility gap, not a runtime hole), and `npm ci` does not neutralize postinstall network fetchers in transitive dependencies. +- Known transitive advisories (`npm audit`): the toolchain ships with `form-data` and `hono` + patched (`npm audit fix --package-lock-only`, no top-level pin drift). Two high-severity + advisories remain in `@modelcontextprotocol/sdk` (≤1.25.1), pulled in transitively by + `perplexity-mcp@0.2.3` (the latest release, which pins the old SDK) — upstream marks both + "no fix available." Applicability in this image is limited: the DNS-rebinding advisory + (GHSA-w48q-cv73-mx4w) targets HTTP servers bound to localhost that accept browser origins, but + `perplexity-mcp` runs as a **stdio** server here (no listening socket); the ReDoS advisory + (GHSA-8r9q-7v3j-jr4g) requires feeding adversarial input through the SDK's parser. This is a + **deliberately accepted residual**. Closing it would mean dropping `perplexity-mcp` or forcing a + patched SDK via an npm `overrides` entry — the latter is a user-decided follow-up because it may + break `perplexity-mcp`'s SDK API usage. - The ACP adapter pulls in `@anthropic-ai/claude-agent-sdk`, which ships its own Claude Code binary as a per-platform optionalDependency. To avoid executing a second, separately-sourced Claude binary, `CLAUDE_CODE_EXECUTABLE` pins the ACP path to the already-audited `claude` from the diff --git a/tools/package-lock.json b/tools/package-lock.json index ee4ee22..a7e25cc 100644 --- a/tools/package-lock.json +++ b/tools/package-lock.json 
@@ -2254,16 +2254,16 @@ } }, "node_modules/form-data": { - "version": "4.0.5", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", - "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==", + "version": "4.0.6", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz", + "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==", "license": "MIT", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", "es-set-tostringtag": "^2.1.0", - "hasown": "^2.0.2", - "mime-types": "^2.1.12" + "hasown": "^2.0.4", + "mime-types": "^2.1.35" }, "engines": { "node": ">= 6" @@ -2439,9 +2439,9 @@ } }, "node_modules/hono": { - "version": "4.12.23", - "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.23.tgz", - "integrity": "sha512-eIaZ9qDgu7XV0pxOCrg7/WhnQ6Ivm22UcxhXx/A3dcbqbbYgBEkc6e/J/s7j2tS96zoB0S9VBdLwQNCWwUo4LA==", + "version": "4.12.26", + "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.26.tgz", + "integrity": "sha512-uyZtpnYxM9CmQ7QsQknM4zN8EftNqhON1qYeIKM0Se67CCEe2c44xyGURwB0axX2fBDu1dqHrHAc1hmNT8ITkw==", "license": "MIT", "engines": { "node": ">=16.9.0"
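Review bot: In the CLAUDE.md hunk at `@@ -205,7 +205,10`, the new `npm audit` step is documented only as a manual follow-up, while the build-time gate described in the same paragraph checks nothing beyond each dev tool's `--version`. Consider running `npm audit --audit-level=high` in the same `node:22` image as part of the regen verification or in CI, so that a skipped audit fails visibly instead of relying on the maintainer remembering the step.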
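Review bot: The commit message for patch 1/2 does not mention the `@agentclientprotocol/sdk` move from 0.25.0 to 0.28.1 shown in the `tools/package-lock.json` hunk at `@@ -37,31 +37,31`, nor the `@anthropic-ai/sdk` peer move from 0.104.1 to 0.105.0 at `@@ -301,9 +301,9`; it lists only the `claude-agent-sdk` transitive change. List every transitive version change in the message, since these packages end up in the image and a reviewer otherwise has to find them by reading the lockfile diff.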
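Review bot: The `@anthropic-ai/claude-code` entry at `@@ -174,9 +174,9` carries `"hasInstallScript": true`, so the 2.1.177 -> 2.1.183 bump changes code that executes during `npm ci` at image build, and the commit message covers permission modes and `settings.json` keys but says nothing about the install script. State in the commit message or in SECURITY.md whether the install script was compared between the two versions, given that SECURITY.md already lists postinstall network fetchers as a residual gap.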
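Review bot: In the SECURITY.md hunk at `@@ -145,6 +145,17`, the accepted-residual entry argues non-reachability only for the DNS-rebinding advisory; for the ReDoS advisory (GHSA-8r9q-7v3j-jr4g) it gives the precondition ("requires feeding adversarial input through the SDK's parser") without saying whether that input path exists for `perplexity-mcp` running over stdio in this image. Add a sentence on who controls the data reaching that parser here, and record a revisit condition (for example a `perplexity-mcp` release newer than 0.2.3) so the acceptance does not become permanent by default. The entry also gives only the affected range (≤1.25.1); naming the SDK version actually locked would make the claim checkable against `tools/package-lock.json`.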
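Review bot: In the `form-data` hunk at `@@ -2254,16 +2254,16`, version 4.0.6 raises its declared ranges to `hasown` `^2.0.4` and `mime-types` `^2.1.35`, yet the diffstat for patch 2/2 shows only 8 insertions and 8 deletions in `tools/package-lock.json`, with no hunk touching the locked `hasown` or `mime-types` entries. Confirm that the locked versions already satisfy the new minimums, and say in the commit message that `npm ci` was re-run after the audit fix, as patch 1/2 does for its regen.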