This commit was created on GitHub.com and signed with GitHub’s verified signature.
Improvements
Hardened install-time supply-chain checks: CI and release jobs now install the workspace with npm ci --ignore-scripts and then run an explicit allowlist check for dependency install scripts.
Resolved the active npm audit findings by moving the affected toolchain packages to patched versions and pinning Vite through an override.
Updated GitHub Actions used by CI, docs, release, and resource benchmark workflows.
Applied the safe Cargo dependency updates while keeping parley pinned until the Blitz integration can move without type conflicts.
Repaired the release workflow so publish reruns skip package versions that already exist on npm and publish workspace packages directly.
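A sketch of the kind of allowlist check the first item describes, run after npm ci --ignore-scripts. This is an added example, not the project's own supply-chain:install-scripts script, which this page does not show. It assumes a lockfileVersion 2 or 3 package-lock.json, where npm sets hasInstallScript on packages that declare preinstall, install, or postinstall; the function names, allowlist, and sample lockfile are constructed.

```javascript
// Constructed allowlist: exact "name@version" pairs approved to run install scripts.
const ALLOWLIST = new Set(["esbuild@0.21.5"]);

// Derive the package name from a lockfile "packages" key such as
// "node_modules/a/node_modules/@scope/b"; entry.name wins for aliased installs.
function packageName(key, entry) {
  if (entry.name) return entry.name;
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Return sorted "name@version" ids of dependencies that declare install
// scripts but are not on the allowlist. An empty array means the check passes.
function findUnapprovedInstallScripts(lock, allowlist) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    // v1 lockfiles carry no "packages" map: fail closed instead of passing.
    throw new Error("lockfile has no 'packages' map (lockfileVersion 2 or 3 required)");
  }
  const offenders = new Set();
  for (const [key, entry] of Object.entries(lock.packages)) {
    // Skip the root, first-party workspace folders, and workspace symlinks.
    if (!key.includes("node_modules/") || entry.link) continue;
    if (entry.hasInstallScript !== true) continue;
    const id = `${packageName(key, entry)}@${entry.version}`;
    if (!allowlist.has(id)) offenders.add(id);
  }
  return [...offenders].sort();
}

// Constructed sample; in CI this object would be the parsed package-lock.json.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "workspace-root", version: "0.1.2" },
    "packages/core": { name: "@example/core", version: "0.1.2", hasInstallScript: true },
    "node_modules/@example/core": { resolved: "packages/core", link: true },
    "node_modules/esbuild": { version: "0.21.5", hasInstallScript: true },
    "node_modules/plain-lib": { version: "1.0.0" },
    "node_modules/native-thing": { version: "2.3.1", hasInstallScript: true },
    "node_modules/a/node_modules/@scope/b": { version: "4.0.0", hasInstallScript: true },
    "node_modules/old/node_modules/esbuild": { version: "0.19.0", hasInstallScript: true },
  },
};

const unapproved = findUnapprovedInstallScripts(sampleLock, ALLOWLIST);
console.log(unapproved.length ? `unapproved install scripts: ${unapproved.join(", ")}` : "ok");
```

Pinning the version in each allowlist entry means a nested or upgraded copy of an approved package (esbuild 0.19.0 in the sample) is flagged again until it is reviewed; a CI job would exit non-zero when the returned list is not empty.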
Verification
Local gates passed: npm run lint, npm run build, npm test, npm run docs:build, npm run compat:check, npm audit, cargo audit, and npm run supply-chain:install-scripts.
Release workflow dry-run passed before publishing.
Release workflow builds prebuilt native artifacts, verifies clean install rendering on supported runners, publishes with npm provenance, and checks provenance visibility.
Compatibility
No intentional public API breaking changes in this patch release.
This supersedes the aborted v0.1.1 publish attempt; use 0.1.2.