docs: capture tar-xz v6 redesign in CHANGELOGs + TODO.md

oorabona · oorabona · commit 9abd0a261ad1 · 2026-04-27T15:56:06.000+02:00
- packages/tar-xz/CHANGELOG.md: detailed v6.0.0 entry covering API
  redesign (universal stream API, file helpers, AsyncIterable shape)
  + security hardening summary (18 vectors closed) + breaking changes
  list + migration pointer
- packages/nxz/CHANGELOG.md: v6.0.0 entry — internal rewiring to
  tar-xz/file, no CLI behavior change
- TODO.md: completed entries for v6 redesign, security hardening,
  independent versioning infra, CodeQL paths-ignore, anti-flake
  pattern; updated Last release / Last audit / Last story footer
  with the npm version matrix proving cross-package independence
diff --git a/TODO.md b/TODO.md
@@ -18,6 +18,13 @@ _None_
 
 ## Completed
 
+- [x] ✅ [tar-xz v6] Universal stream-first redesign: `create()`/`extract()`/`list()` with `AsyncIterable<Uint8Array>`, identical Node/Browser signatures, `tar-xz/file` subpath for fs helpers — published as `tar-xz@6.0.0` + `nxz-cli@6.0.0` (2026-04-27)
+- [x] ✅ [tar-xz v6] Security hardening: 18 path/symlink TOCTOU vectors audited and closed (leaf check, ENOENT walk, hardlink linkSource, NUL/empty rejection, setuid mask, fd-based fs ops with O_NOFOLLOW, pipeline error propagation) — 8 Copilot review rounds + 1 consolidated audit (2026-04-27)
+- [x] ✅ [Infra] Independent versioning per workspace package: `release.yml`/`publish.yml` accept `target_package` input, no cross-package version sync; proven in prod — `tar-xz@6.0.0` published without bumping `node-liblzma` (still at 5.0.0) (2026-04-27)
+- [x] ✅ [Infra] Custom CodeQL workflow with `paths-ignore` for dep-only PRs — Dependabot fire-and-forget unblocked (CodeQL no longer NEUTRAL-blocks dep bumps) (2026-04-24)
+- [x] ✅ [Test] Anti-flake pattern (track + afterEach destroy + timer cleanup) propagated to 4 high-risk integration tests (error_recovery, callbacks, parameter_parsing, constructor_and_sync_processing) (2026-04-26)
+- [x] ✅ [CI] `pnpm/action-setup@v6.0.1+` validated for refresh-lockfile (upstream fix for 2-document YAML corruption); `dependabot-auto-merge.yml` with `--squash` (linear history) (2026-04-19)
+- [x] ✅ [Release] node-liblzma v5.0.0 — Node 22 minimum, TypeScript 6, XZ 5.8.3 (2026-04-09)
 - [x] ✅ [API] Remove deprecated `messages` array — definition, default export, index.d.ts, and 4 test refs removed (2026-03-06)
 - [x] ✅ [Refactor] processBuffer CC reduction: 54→8 (extract), 34→6 (list) via shared tar-parser.ts (2026-03-06)
 - [x] ✅ [CLI] nxz.ts CC reduction: 6 helpers extracted (createTarFile -49%, main -24%) (2026-03-06)
@@ -61,6 +68,14 @@ _None_
 
 **Backlog vide.**
 
-**Last release:** v4.0.1 + v3.2.1 (2026-03-13) — macOS ARM64 native prebuilds, type dedup, API cleanup
-**Last audit:** code-health full audit + cleanup (2026-03-06)
-**Last story:** v4.0.0 release — breaking: `messages` removed, types consolidated, macOS ARM64 prebuilds (2026-03-13)
+**Last release:** `tar-xz@6.0.0` + `nxz-cli@6.0.0` (2026-04-27) — stream-first universal API redesign, security hardening
+**Last audit:** symlink/path TOCTOU exhaustive audit (18 vectors closed in single commit) (2026-04-27)
+**Last story:** tar-xz v6 redesign — independent versioning proven in prod (`node-liblzma` still at 5.0.0) (2026-04-27)
+
+**Independent versioning matrix (npm):**
+
+| Package | Version |
+|---------|---------|
+| `node-liblzma` | 5.0.0 |
+| `tar-xz` | 6.0.0 |
+| `nxz-cli` | 6.0.0 |
diff --git a/packages/nxz/CHANGELOG.md b/packages/nxz/CHANGELOG.md
@@ -7,3 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [6.0.0] - 2026-04-27
+
+### BREAKING CHANGES
+
+Internal rewiring to consume the new `tar-xz` v6 API. **No CLI behavior
+change** — flags, output, and exit codes are unchanged. The major bump
+is required because the `tar-xz` peer dependency moved to v6.0.0
+(breaking redesign).
+
+### Changed
+- Migrated to `tar-xz/file` helpers (`createFile`, `extractFile`,
+  `listFile`) for path-based archive operations.
+- Inline `TarEntry`/`TarXzModule` interfaces removed — types now
+  imported directly from `tar-xz`.
+
+### Dependencies
+- `tar-xz`: `^5.0.0` → `^6.0.0`
+
diff --git a/packages/tar-xz/CHANGELOG.md b/packages/tar-xz/CHANGELOG.md
@@ -7,6 +7,66 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [6.0.0] - 2026-04-27
+
+### BREAKING CHANGES
+
+Complete API redesign. Universal stream-first design — same signatures
+in Node and Browser, built around `AsyncIterable<Uint8Array>`.
+
+### Added
+- **Universal API** — `create()`, `extract()`, `list()` with identical
+  signatures across Node and Browser.
+- **`tar-xz/file` subpath export** (Node only) — opt-in path-based
+  helpers `createFile()`, `extractFile()`, `listFile()` for filesystem
+  I/O. Keeps the core SRP-clean (no fs deps in the core).
+- **`AsyncIterable<TarEntryWithData>`** from `extract()` — entries are
+  yielded lazily; each carries a streaming `data` AsyncIterable plus
+  `bytes()` and `text()` collector helpers.
+- **`TarInput` union type** — accepts `AsyncIterable<Uint8Array>`,
+  `Iterable<Uint8Array>`, `Uint8Array`, `ArrayBuffer`,
+  `ReadableStream<Uint8Array>` (Web), or `NodeJS.ReadableStream`.
+  Normalized internally to a single shape.
+
+### Security
+Comprehensive symlink/path TOCTOU hardening (18 vectors audited and
+closed in a single consolidated commit, after 7 rounds of Copilot review):
+- Leaf symlink check (`target` itself, not just ancestors).
+- Ancestor symlink walk extended to FILE/DIRECTORY/SYMLINK/HARDLINK.
+- ENOENT correctly continues the ancestor walk instead of stopping.
+- Hardlink `linkSource` validated for symlink-leaf and symlink-ancestor.
+- `strip` option applied to both `name` and `linkname`.
+- Empty / NUL-bearing names and linknames rejected.
+- Dot-segment placeholder names (`.`, `./`, `..`) rejected.
+- Setuid/setgid/sticky bits stripped from extracted modes by default
+  (mirrors GNU tar `--no-same-permissions`).
+- File extraction uses `fs.open(O_NOFOLLOW)` + fd-based `chmod`/`utimes`
+  on POSIX — eliminates by-path TOCTOU window for permissions/timestamps.
+- `pipeline()` instead of `pipe()` so source errors propagate properly.
+- Threat-model documentation: concurrent attacker process is explicitly
+  out of scope (POSIX `openat2(RESOLVE_BENEATH)` not exposed by Node).
+
+### Removed
+- `extractToMemory()` — replaced by `extract()` + `entry.bytes()`.
+- `createTarXz()` / `extractTarXz()` / `listTarXz()` (browser-prefixed
+  names) — replaced by unified `create()` / `extract()` / `list()`.
+- `BrowserCreateOptions` / `BrowserExtractOptions` — unified into
+  single `CreateOptions` / `ExtractOptions`.
+- `ExtractedFile` — replaced by `TarEntryWithData`.
+
+### Changed
+- Source files for `create()` use the new `TarSourceFile` shape:
+  `{ name, source, mode?, mtime?, linkname? }`. `source` accepts
+  `AsyncIterable<Uint8Array> | Uint8Array | ArrayBuffer | string`
+  (string is a Node-only fs path).
+- `TarPack` / `TarUnpack` Transform classes are now internal; not
+  exported from the package root. Use the high-level API.
+- Default compression preset is uniform: `6` (Node and Browser).
+
+### Migration v5 → v6
+See [README.md § Migration v5 → v6](./README.md#migration-v5--v6) for
+full code examples.
+
 ## [5.0.1] - 2026-04-27
 
 ### Fixed
