From 346f359dc042d456c5c85dd2a82239be4ea4c2a7 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 12 Jul 2026 05:08:51 +0000 Subject: [PATCH] fix: sync package.json version with published tags, backfill changelog MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit package.json/package-lock.json stayed at 1.0.1 because publish.yml only bumped the version inside its own ephemeral job — the bump was never committed back to main. Tags v1.0.2/v1.0.3 were published to npm with no corresponding CHANGELOG entries, so `--version` and the changelog both misrepresented what was actually shipped (closes #94). - Bump package.json/package-lock.json to 1.0.3 (the latest published tag) - Backfill CHANGELOG.md entries for 1.0.2 and 1.0.3 - auto-tag.yml now bumps package.json itself and commits the release (with [skip ci]) alongside the tag, so this can't drift again Co-Authored-By: Claude Sonnet 5 Claude-Session: https://claude.ai/code/session_01GmYTtFbpbcmFtYv7RbJRFL --- .github/workflows/auto-tag.yml | 13 +++++++++++-- CHANGELOG.md | 24 ++++++++++++++++++++++++ package-lock.json | 4 ++-- package.json | 2 +- 4 files changed, 38 insertions(+), 5 deletions(-) diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml index 45d1e39..4f34a3f 100644 --- a/.github/workflows/auto-tag.yml +++ b/.github/workflows/auto-tag.yml @@ -24,7 +24,7 @@ jobs: with: node-version: '20' - - name: Tag HEAD with next patch version + - name: Bump package.json, tag, and push run: | git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" @@ -38,6 +38,15 @@ jobs: IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT" NEW_VERSION="$MAJOR.$MINOR.$((PATCH + 1))" + # Keep package.json/package-lock.json in sync with the tag being cut — + # previously only the ephemeral publish job saw the bumped version, so + # main permanently drifted behind what was actually tagged and published. + npm version "$NEW_VERSION" --no-git-tag-version --allow-same-version + git commit -am "chore: release v$NEW_VERSION [skip ci]" git tag "v$NEW_VERSION" + + # [skip ci] keeps this push from re-triggering CI (and therefore this + # workflow) on the release commit itself. + git push origin HEAD:main git push origin "v$NEW_VERSION" - echo "Tagged HEAD as v$NEW_VERSION" + echo "Released v$NEW_VERSION" diff --git a/CHANGELOG.md b/CHANGELOG.md index 5bec473..43a8cdd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,29 @@ # Changelog +## [1.0.3] - 2026-06-11 + +### Fixed +- CSP: bare-scheme sources (e.g. `https:`) in `script-src`, `connect-src`, `form-action`, `frame-src`, `worker-src`, and `default-src` are now flagged as permissive, since they match any host just like a wildcard (#68) + +## [1.0.2] - 2026-05-26 + +### Added +- Dependabot configuration for automated dependency updates +- Full README with badges, quick start, grading scale, and headers-checked table +- npm publish and auto-tag CI workflows, gated on full CI success (#69) +- CLI `--help` and `--version` flags, plus a configurable fetch timeout + +### Changed +- **Grading is stricter and can lower previously-A/A+ scores:** + - Permissions-Policy now requires `camera=()`, `microphone=()`, and `geolocation=()` to score full marks — any other value previously scored "good" regardless of what it restricted (#4) + - CSP and Cross-Origin-* header checks tightened (#50) + - CSP now flags a missing `base-uri` directive (#51) + +### Fixed +- CLI `--version` now loads the package version correctly under ESM (#47) +- Test files are excluded from the build `tsconfig` so they no longer get compiled into `dist` (#48) +- High-severity `vite` vulnerability patched; `npm audit --audit-level=high` is now enforced in CI (#71) + ## [1.0.1] - 2025-05-19 ### Added diff --git a/package-lock.json b/package-lock.json index b5e4a5e..b889b41 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@hailbytes/security-headers", - "version": "1.0.1", + "version": "1.0.3", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@hailbytes/security-headers", - "version": "1.0.1", + "version": "1.0.3", "license": "MIT", "bin": { "security-headers": "dist/cli.js" diff --git a/package.json b/package.json index bd1362e..e6aac5d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@hailbytes/security-headers", - "version": "1.0.1", + "version": "1.0.3", "description": "Analyze HTTP security headers for your web application. A-F grading, per-header findings, and remediation steps — as a library or CLI.", "type": "module", "license": "MIT",