Security Fixes
- Patched CVE vulnerabilities in transitive dependencies:
  - `brace-expansion` (GHSA-f886-m6hf-6m8v): infinite loop / memory exhaustion
  - `picomatch` (GHSA-3v7f-55p6-f55p): method injection in POSIX character classes
  - `picomatch` (GHSA-c2c7-rcm5-vvqj): ReDoS via extglob quantifiers
- Pinned all dependency versions to exact (removed `^` ranges) to prevent auto-upgrading to compromised releases
- Added `overrides` for `brace-expansion`, `picomatch`, and `minimatch` across the dependency tree
- Verified project is not affected by the Axios supply chain attack (March 31, 2026), chalk v5.6.1 compromise, or eslint-config-prettier compromise
Node.js Version Bump
- Minimum Node.js raised from `>=18.0.0` to `>=20.0.0` (Node 18 reached EOL April 2025)
- CI test matrix updated: Node 20, 22, 24 (dropped 18)
- All dependencies verified compatible with Node 20+
- Zero deprecation warnings on Node 22
Upgrading from 2.1.x? If you need to stay on Node 18, pin to `claude-conductor@2.1.x`.
Test Suite (20 -> 89 tests)
Comprehensive test coverage added across all CLI commands and code paths:
- All CLI commands: `init`, `checkup`, `backup`, `upgrade`, `restore`
- All flags: `--full`, `--force`, `--yes`, `--deepscan`, `--no-analyze`
- Template integrity (all 14 templates exist, valid markdown, no secrets)
- Package.json integrity (pinned versions, overrides, engine constraints)
- Security configuration (.npmrc, .gitignore, SECURITY.md, CI audit job)
- File operation safety (no writes outside target, backup containment)
- Edge cases (paths with spaces, double init, read-only files)
- Node.js compatibility (dependency loading, engine satisfaction)
- Codebase analysis (tech stack detection, framework detection, line counting)
npm Hardening
- `.npmrc`: `save-exact=true`, `audit=true`, `package-lock=true`
- CI: dedicated security audit job with `npm audit` and `audit-ci`
- Dependabot: daily npm checks, grouped PRs
- CI workflow: least-privilege `permissions: contents: read`
Full Changelog: e62737a...v2.2.0