v5.10.2 — Security patch: CodeQL #174 CWE-377 root cause fix

@Jovancoding Jovancoding released this 08 Jun 21:46

Security Patch Release

v5.10.2 resolves CodeQL alert #174 (CWE-377 Insecure Temporary File).

CodeQL #174 — CWE-377 Root Cause Fix (est-claim-verifier.ts)

The v5.10.1 fix applied path.resolve() in the AuthGuardian constructor, but this does not satisfy CodeQL's taint analysis: the taint chain from os.tmpdir() through path.resolve() into writeFile() remains intact, because resolving a path does not change where it points.

The actual taint sources were the join(tmpdir(), ...) calls in est-claim-verifier.ts. All 10 occurrences have been replaced with join('.', 'data', ...) paths, so no file path is derived from the shared temporary directory any more and the CWE-377 source is eliminated entirely. The AuthGuardian constructor retains path.resolve() for defense-in-depth.
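The following is an added illustration, not code from this project: it contrasts the flagged join(tmpdir(), ...) pattern with the patched join('.', 'data', ...) pattern and adds a simple pattern check a reviewer can run to confirm no tmpdir() joins remain. The function names, the "claims" subdirectory and the sample source texts are constructed for the example.

```typescript
import { tmpdir } from "node:os";
import { join, resolve, isAbsolute, sep } from "node:path";

// Before (v5.10.1 pattern): the base directory is the shared, predictable OS
// temp directory. resolve() only normalizes the path; the file still lands in
// tmpdir(), so a static taint analysis still sees tmpdir() -> writeFile().
function claimPathBefore(name: string): string {
  return resolve(join(tmpdir(), "claims", name));
}

// After (v5.10.2 pattern): the base directory is an application-owned path
// relative to the working directory, with no temp-directory source at all.
function claimPathAfter(name: string): string {
  return join(".", "data", "claims", name);
}

// True when a path lies under the OS temp directory (after normalization).
function isUnderTmpdir(p: string): boolean {
  const root = resolve(tmpdir()) + sep;
  return resolve(p).startsWith(root);
}

// Counts join(tmpdir(), ...) / join(os.tmpdir(), ...) call sites in source text.
// This is a plain regex check, not a substitute for CodeQL's taint tracking;
// it is useful as a quick pre-commit guard against the pattern reappearing.
function countTmpdirJoins(source: string): number {
  const re = /\bjoin\(\s*(?:os\.)?tmpdir\(\)\s*,/g;
  return (source.match(re) ?? []).length;
}

// Constructed samples resembling the before/after shape of the fix.
const SAMPLE_BEFORE = `
const cachePath = join(tmpdir(), 'claims', 'cache.json');
const logPath = join(os.tmpdir(), 'claims', 'log.txt');
await writeFile(cachePath, JSON.stringify(claims));
`;
const SAMPLE_AFTER = `
const cachePath = join('.', 'data', 'claims', 'cache.json');
const logPath = join('.', 'data', 'claims', 'log.txt');
await writeFile(cachePath, JSON.stringify(claims));
`;

console.log("before:", claimPathBefore("cache.json"), isUnderTmpdir(claimPathBefore("cache.json")));
console.log("after:", claimPathAfter("cache.json"), isAbsolute(claimPathAfter("cache.json")));
console.log("tmpdir joins before/after:", countTmpdirJoins(SAMPLE_BEFORE), countTmpdirJoins(SAMPLE_AFTER));
```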

50/50 claim verifier tests still pass.

Full changelog

See CHANGELOG.md.