
chore: release v1.5.0 #11

Merged: miccy merged 6 commits into main from preview/v1.5.0 on Dec 2, 2025

Conversation

@miccy
Owner

@miccy miccy commented Dec 2, 2025

Pull Request

Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context.

Changelog

[1.5.0] - 2025-12-02

Added

  • ROADMAP.md - Comprehensive project roadmap with nested checkboxes based on multi-model AI security audits (Claude Opus 4.5, GPT-5.1-Pro, Grok-4.1, Perplexity, Proton-Lumo, Gemini-3-Pro)
  • cs/ROADMAP.md - Czech translation of the roadmap
  • Roadmap section in README.md (EN) with link to ROADMAP.md
  • Roadmapa section in cs/README.md (CZ) with link to ROADMAP.md
  • Multi-model security audit documentation in AGENTS.md
  • Critical security context section in AGENTS.md (Dead Man's Switch warning, attack characteristics)
  • Research findings reference in AGENTS.md (.agents/research/ directory)
  • scripts/suspend-malware.sh - Safe process suspension using SIGSTOP (prevents wiper trigger)
    • Auto-detection of malicious processes by known signatures
    • --dry-run mode for safe testing
    • --resume mode to unfreeze processes after backup
    • State file tracking of suspended PIDs
    • Interactive and auto modes
  • ioc/network.json - Network Indicators of Compromise
    • C2 domain monitoring (suspected domains)
    • Exfiltration webhook patterns (webhook.site, pipedream, requestbin)
    • GitHub API abuse patterns and endpoints
    • Cloud metadata service abuse detection (169.254.169.254)
    • Firewall rule recommendations for CI/CD
    • SIEM/IDS detection queries
  • .github/workflows/socket-security.yml - Socket.dev GitHub Actions integration
  • socket.yml - Root-level Socket.dev configuration for GitHub App

Changed

  • Updated attack metrics: 796 → 800+ packages, added 1,200+ organizations impacted
  • Updated Contributing/Priority Areas section in both READMEs to reference ROADMAP.md
  • Updated repository structure in AGENTS.md to reflect current layout
  • Updated task priorities in AGENTS.md to include roadmap items
  • Updated project status in AGENTS.md to "public release, seeking contributors"
  • ioc/malicious-packages.json - Updated statistics with credential exfiltration counts (775+ GitHub, 373+ AWS, 300+ GCP, 115+ Azure)
  • Updated ROADMAP progress: Core Detection 70%→75%, IOC Database 30%→45%

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Summary by CodeRabbit

  • New Features

    • Roadmap, timeline and milestone updates; translations and docs expanded.
  • Bug Fixes

    • Security scan now skips gracefully with a clear warning when an API key is missing.
    • Improved detection messaging and less noisy warnings.
    • Safer suspend/resume flows with clearer feedback; removed verbose CLI option.
  • Documentation

    • README, ROADMAP, AGENTS and localized docs updated.
  • Chores

    • Release bumped to 1.5.0 and changelog updated.


@miccy miccy self-assigned this Dec 2, 2025
@miccy miccy added the labels docs (Improvements or additions to documentation) and feat (New feature or request) Dec 2, 2025
@coderabbitai
Contributor

coderabbitai Bot commented Dec 2, 2025

Walkthrough

Release 1.5.0: package and script VERSION bumps and changelog update; scripts/detect.sh expands include/exclude grep filters and adjusts messaging; scripts/suspend-malware.sh removes --verbose, appends frozen PIDs to state file and improves freeze/resume edge handling; socket-security workflow skips scan when API key missing; workflow detector invocation simplified; docs and roadmap/status updated.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Release metadata | CHANGELOG.md, package.json | Updated release from Unreleased to 1.5.0 (2025-12-02); bumped package version 1.4.1 → 1.5.0. |
| Script version bumps | scripts/check-github-repos.sh, scripts/full-audit.sh, scripts/harden-npm.sh, scripts/quick-audit.sh, scripts/set-language.sh | Updated VERSION constants from 1.4.1 → 1.5.0 (no behavioral changes). |
| Detection script enhancements | scripts/detect.sh | Version bump; replaced hard-coded grep with reusable GREP_FILTERS include/exclude list (adds common source/config globs, excludes network.json and detect.sh), consolidated grep usage, prints no-findings messaging, and reduces Bun logging to info. |
| Malware suspension logic | scripts/suspend-malware.sh | Removed global VERBOSE and `--verbose` |
| Socket security workflow | .github/workflows/socket-security.yml | Added guard: if SOCKET_SECURITY_API_KEY is empty, emit a warning and exit 0 to skip Socket Security scan. |
| Workflow detector invocation | .github/workflows/supply-chain-security.yml | Simplified steps: make scripts/detect.sh executable and call scripts/detect.sh (removed explicit download/permission steps). |
| Docs / Roadmap / Readme updates | ROADMAP.md, AGENTS.md, README.md, cs/README.md | Status/progress updates (several items marked complete, dates/metrics adjusted), minor formatting and milestone additions. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review behavioral changes in scripts/suspend-malware.sh (state file append, resume fallback, removed CLI flag).
  • Validate scripts/detect.sh grep include/exclude patterns to ensure no false negatives.
  • Verify .github/workflows/socket-security.yml early-exit won’t break downstream expectations.

✨ Version lifted to one-five-oh,

Scans bow out when keys don't show;
Frozen PIDs in state now dwell,
Detect gets broader — fewer bells;
Docs updated, the changelog glows 🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore: release v1.5.0' directly and clearly summarizes the main change, a version release bump. It aligns with the changeset's comprehensive updates to version 1.5.0 across multiple files, changelog, and documentation. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0a94b1e and 6e5e5bb.

📒 Files selected for processing (3)
  • CHANGELOG.md (4 hunks)
  • ROADMAP.md (6 hunks)
  • scripts/detect.sh (4 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.sh

📄 CodeRabbit inference engine (AGENTS.md)

Use English-only comments in shell scripts (.sh files) for code clarity and consistency

Files:

  • scripts/detect.sh
🧠 Learnings (1)
📚 Learning: 2025-11-30T20:33:47.273Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:47.273Z
Learning: Do not make breaking changes to the public API/interface of detection scripts

Applied to files:

  • scripts/detect.sh
🧬 Code graph analysis (1)
scripts/detect.sh (2)
scripts/suspend-malware.sh (1)
  • log_info (77-79)
scripts/full-audit.sh (1)
  • log_info (79-81)
🔇 Additional comments (6)
CHANGELOG.md (1)

39-43: ✅ Consistent roadmap progress documentation.

Lines 40–41 correctly reflect the final 1.5.0 release state (85% Core Detection, 60% IOC Database), matching ROADMAP.md. The past review's concern about conflicting intermediate values appears resolved.

ROADMAP.md (1)

17-18: ✅ Roadmap milestones correctly mark v1.5.0 deliverables.

Progress values (85%, 60%) align with CHANGELOG.md, and the v1.5.0 milestone section accurately reflects completed work (SIGSTOP, IOC database expansion, network IOCs, hash verification).

Also applies to: 448-452

scripts/detect.sh (4)

458-466: ✅ GREP_FILTERS refactor improves maintainability.

The new array-based whitelist approach (lines 458–464) reduces grep duplication and centralizes filter logic. The pattern–include/exclude balance looks solid, and existing .git/node_modules exclusions are preserved in the grep invocations.


508-510: Bun detection level change: INFO instead of WARN.

Line 508 now logs Bun detection as log_info rather than log_warn, so it no longer increments FOUND_ISSUES. This aligns with the CHANGELOG note (line 48: "Downgraded 'Bun detected' warning to INFO") and reflects that Bun presence alone is informational, not an error.

However, confirm this doesn't break downstream CI expectations—if callers were relying on this exit-code signal, the behavior change could be breaking.

Is the Bun detection level downgrade intentional, and do downstream CI workflows account for this behavioral shift? Based on learnings, ensure no breaking API changes to the detection script's public interface.


70-99: ✅ Trap-based output file handling is robust.

The _trap_write_summary() function (lines 84–98) safely pre-creates the output file (line 80) so artifact upload won't fail, and appends a summary on all exits (normal or error). The FOUND_ISSUES counter check (line 88) correctly writes NO_FINDINGS when no issues are detected—good safeguard for CI workflows.


26-26: ✅ Version bump to 1.5.0 is correct.



@coderabbitai
Contributor

coderabbitai Bot commented Dec 2, 2025

Note

Unit test generation is an Early Access feature. Expect some limitations and changes as we gather feedback and continue to improve it.


Generating unit tests... This may take up to 20 minutes.

Repository owner deleted a comment from coderabbitai Bot Dec 2, 2025
… missing API key, and remove unused verbose option.
Repository owner deleted a comment from coderabbitai Bot Dec 2, 2025
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
scripts/detect.sh (1)

500-502: Inconsistent logging in Bun detection section.

Line 500 downgraded "Bun detected" from log_warn to log_info, so it no longer increments the issue counter—but lines 501–502 emit warnings using plain echo instead of log_warn. This mixes logging conventions and could confuse users about whether Bun presence is a concern.

Consider either keeping it as a warning (if Bun in the project is noteworthy) or making all related output use log_info for consistency.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 288727b and e306aad.

📒 Files selected for processing (10)
  • .github/workflows/socket-security.yml (2 hunks)
  • CHANGELOG.md (3 hunks)
  • package.json (1 hunks)
  • scripts/check-github-repos.sh (1 hunks)
  • scripts/detect.sh (4 hunks)
  • scripts/full-audit.sh (1 hunks)
  • scripts/harden-npm.sh (1 hunks)
  • scripts/quick-audit.sh (1 hunks)
  • scripts/set-language.sh (1 hunks)
  • scripts/suspend-malware.sh (15 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.sh

📄 CodeRabbit inference engine (AGENTS.md)

Use English-only comments in shell scripts (.sh files) for code clarity and consistency

Files:

  • scripts/check-github-repos.sh
  • scripts/set-language.sh
  • scripts/harden-npm.sh
  • scripts/full-audit.sh
  • scripts/detect.sh
  • scripts/quick-audit.sh
  • scripts/suspend-malware.sh
**/*.{json,yml,yaml}

📄 CodeRabbit inference engine (AGENTS.md)

Use English-only comments in configuration files (.json, .yml) for consistency across the security tooling

Files:

  • package.json
🧠 Learnings (3)
📚 Learning: 2025-11-30T20:33:47.273Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:47.273Z
Learning: Do not make breaking changes to the public API/interface of detection scripts

Applied to files:

  • scripts/detect.sh
📚 Learning: 2025-11-30T20:33:32.637Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:32.637Z
Learning: Verify IOCs from official sources before adding to ioc/malicious-packages.json and update documentation if needed

Applied to files:

  • CHANGELOG.md
📚 Learning: 2025-11-30T20:33:47.272Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:47.272Z
Learning: Applies to cs/ioc/**/*.json : Verify IOC (Indicators of Compromise) data from official sources before adding to ioc/malicious-packages.json

Applied to files:

  • CHANGELOG.md
🧬 Code graph analysis (2)
scripts/detect.sh (2)
scripts/suspend-malware.sh (1)
  • log_info (77-79)
scripts/full-audit.sh (1)
  • log_info (79-81)
scripts/suspend-malware.sh (1)
scripts/detect.sh (1)
  • log_info (102-104)
🔇 Additional comments (16)
scripts/full-audit.sh (1)

20-20: Version bump looks good.

Consistent with coordinated 1.5.0 release across all scripts.

scripts/check-github-repos.sh (1)

2-2: Version update is correct.

Aligns with the 1.5.0 release across the repository.

package.json (1)

3-3: Version bump to 1.5.0 is correct.

Minor version increment is appropriate for the feature additions and fixes in this release.

scripts/harden-npm.sh (1)

2-2: Version bump is aligned with release.

Consistent with the coordinated 1.5.0 release.

scripts/quick-audit.sh (1)

2-2: Version bump is correct.

Maintains consistency with the 1.5.0 release series.

CHANGELOG.md (2)

8-48: Changelog entry for 1.5.0 is well-structured and complete.

The Added, Changed, and Fixed sections accurately reflect the PR objectives:

  • Comprehensive documentation of new features (ROADMAP, network IOCs, suspend-malware.sh)
  • Clear tracking of updates (attack metrics, credentials stats, progress percentages)
  • All major fixes are documented (detect.sh false positives, socket-security.yml API key guard, suspend-malware.sh VERBOSE removal)

The format follows Keep a Changelog standards correctly.


224-224: Version comparison link is properly formatted.

The 1.5.0 comparison link follows the same format as existing version entries and correctly positions at the top of the links list.

.github/workflows/socket-security.yml (2)

57-61: API key guard is well-implemented.

The check correctly prevents the scan from running when SOCKET_SECURITY_API_KEY is missing, while gracefully skipping without failing the workflow. Using exit 0 rather than exit 1 is the right choice to avoid blocking deployments in development environments.


28-28: Formatting and structure are clean.

The added blank line improves readability between the permissions and steps sections.

scripts/set-language.sh (1)

2-2: Version bump to 1.5.0 is consistent.

Aligns with the coordinated release across all repository scripts.

scripts/detect.sh (2)

26-26: Solid infrastructure for artifact handling in CI pipelines.

The version bump is correct, and the new OUTPUT_FILE handling ensures GitHub Actions artifact upload doesn't fail even on early script exit. The trap logic elegantly handles both successful and error paths while preserving existing functionality.

Also applies to: 70-99


458-458: Network IOC database properly excluded from detection checks.

These exclusions prevent the scanner from generating false positives when ioc/network.json contains IOC reference patterns (like the metadata service IP). The exclusion is applied consistently across both related grep operations.

Also applies to: 476-476

scripts/suspend-malware.sh (4)

40-45: Breaking change: --verbose flag removal not compatible with 1.x minor version bump.

Removing the --verbose flag breaks existing user scripts and automation that depend on this option. Per the project learning, detection scripts should maintain their public interface. For a version 1.5.0 (minor bump), this warrants either:

  1. Keep the flag and silently accept it (treat as no-op for backwards compatibility), or
  2. Bump to version 2.0.0 to signal breaking changes.

Consider restoring the flag as a no-op or updating the version scheme.

Also applies to: 313-323


129-156: Well-designed process freezing with proper state tracking.

The function correctly checks process validity, handles already-stopped processes, respects dry-run mode, and crucially appends the PID to STATE_FILE for later resumption. Error handling is clear with logged failures and proper exit codes.


188-245: Improved user experience with signature feedback and clear next steps.

When no suspicious processes are found, the function now lists the signatures that were checked—helpful for users to understand what the script looked for. The process display table, user confirmation flow, and post-freeze next-steps guidance are all well-structured and user-friendly.


248-295: Enhanced resume resilience with fallback process detection.

The improved do_resume now has a recovery path: if the state file is missing, it scans for and reports any stopped processes matching known signatures. This makes the script more forgiving of edge cases (e.g., state file accidentally deleted) while maintaining the same freeze/resume semantics. Good defensive coding.

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
ROADMAP.md (1)

520-520: Fix date inconsistency in footer.

Header (line 4) says "Last Updated: 2025-12-02" but footer says "2025-12-01". Update footer to match the release date.

Apply this diff:

-  <i>This roadmap is a living document. Last updated: 2025-12-01</i>
+  <i>This roadmap is a living document. Last updated: 2025-12-02</i>
🧹 Nitpick comments (1)
scripts/detect.sh (1)

458-464: Consider extracting the grep pattern scaffolding to reduce duplication.

The long grep commands on lines 458 and 476 are identical except for the search term. If you maintain this script, a helper function or variable could reduce duplication and make future filter updates simpler.

For example:

GREP_FILTERS=(--include="*.js" --include="*.ts" --include="*.jsx" --include="*.tsx" --include="*.mjs" --include="*.cjs" --include="*.json" --include="*.yml" --include="*.yaml" --include="*.sh" --exclude="network.json" --exclude="malicious-packages.json" --exclude="detect.sh")

# Then reuse:
metadata_abuse=$(grep -r "${GREP_FILTERS[@]}" "169\.254\.169\.254" "$SCAN_PATH" 2>/dev/null | grep -v ".git" | grep -v "node_modules" | head -5 || true)

This keeps the logic DRY and makes bulk edits easier in the future.

Also applies to: 475-486

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9142c2f and 1b75d92.

📒 Files selected for processing (6)
  • AGENTS.md (1 hunks)
  • CHANGELOG.md (3 hunks)
  • README.md (2 hunks)
  • ROADMAP.md (5 hunks)
  • cs/README.md (2 hunks)
  • scripts/detect.sh (4 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • CHANGELOG.md
🧰 Additional context used
📓 Path-based instructions (2)
**/*.sh

📄 CodeRabbit inference engine (AGENTS.md)

Use English-only comments in shell scripts (.sh files) for code clarity and consistency

Files:

  • scripts/detect.sh
cs/**/*.md

📄 CodeRabbit inference engine (cs/AGENTS.md)

cs/**/*.md: Link to official vendor documentation when updating documentation files
Include code examples in documentation where appropriate
Follow existing markdown style conventions in the repository

Files:

  • cs/README.md
🧠 Learnings (1)
📚 Learning: 2025-11-30T20:33:32.637Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:32.637Z
Learning: Verify IOCs from official sources before adding to ioc/malicious-packages.json and update documentation if needed

Applied to files:

  • README.md
🧬 Code graph analysis (1)
scripts/detect.sh (2)
scripts/suspend-malware.sh (1)
  • log_info (77-79)
scripts/full-audit.sh (1)
  • log_info (79-81)
🔇 Additional comments (13)
AGENTS.md (1)

27-34: Release metadata updated correctly.

Status bump to stable, date refresh, and new metric all align with the v1.5.0 release timing and impact data referenced in README and roadmap.

README.md (2)

112-112: Timeline entry aligns with v1.5.0 release.

The new entry captures the maturation of community tooling and matches the PR release date. Good addition to the attack narrative.


449-452: Priority items reflect completed v1.5.0 milestones.

Checkmark updates correctly map to shipped features: SIGSTOP script, IOC expansion (800+), and network IOC detection. Roadmap consistency looks solid.

cs/README.md (2)

103-105: Czech timeline synchronized with EN version.

The Czech entries accurately translate the community tool release and token deadline milestones. Translation maintains meaning and technical accuracy.


297-300: Priority section correctly reflects bilingual parity with README.md.

Czech terminology ("Rozšířená IOC databáze", "Nástroje pro detekci") maintains consistency with English section while using appropriate language conventions.

ROADMAP.md (3)

3-22: Header and progress metrics align with v1.5.0 release.

Blockquote style is cleaner than bullets. Progress bumps (Core Detection 85%, IOC 60%) and new Community ecosystem row reflect release scope and future priorities.


37-37: Feature checkmarks for SIGSTOP and network detection are accurate.

Both correspond to delivered features in v1.5.0 (suspend-malware.sh and ioc/network.json) referenced elsewhere in the PR.

Also applies to: 82-82


448-452: v1.5.0 milestone section correctly marks release completion.

SIGSTOP script, IOC expansion (100+), and network IOCs are all shipped. Verify "File hash verification" claim has corresponding code/config in PR scope.

scripts/detect.sh (5)

26-26: Version bump looks good.

Release 1.5.0 is correctly set.


70-99: Solid defensive output file handling for CI workflows.

The trap ensures the summary is written to OUTPUT_FILE on any exit path (normal or error). Pre-creating the file and using GITHUB_WORKSPACE for CI mode is the right pattern for artifact collection pipelines.


458-464: Targeted grep filters reduce false positives nicely.

Including specific code file types and excluding IOC database files (network.json, malicious-packages.json) and the script itself prevents the scanner from flagging its own IOC references. Good design.


475-486: Secondary phase grep patterns are well-tuned.

The same targeted file type filtering + exclude list prevents noise from IOC documentation and maintains consistency with the cloud metadata check above.


499-502: Bun detection level change makes sense.

Changing from log_warn to log_info is appropriate—Bun presence alone isn't a security issue; the subsequent guidance messages provide the actual warnings about ignore-scripts behavior. This keeps the tone calibrated.

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1b75d92 and 0a94b1e.

📒 Files selected for processing (2)
  • .github/workflows/supply-chain-security.yml (2 hunks)
  • CHANGELOG.md (4 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-11-30T20:33:32.637Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:32.637Z
Learning: Verify IOCs from official sources before adding to ioc/malicious-packages.json and update documentation if needed

Applied to files:

  • CHANGELOG.md
📚 Learning: 2025-11-30T20:33:32.637Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T20:33:32.637Z
Learning: Do not remove safety checks from detection scripts

Applied to files:

  • .github/workflows/supply-chain-security.yml
🔇 Additional comments (4)
.github/workflows/supply-chain-security.yml (1)

37-38: No safety concerns identified; scripts/detect.sh exists with all detection logic intact.

The workflow correctly uses scripts/detect.sh with supported flags --ci and --output=results.txt. The script contains comprehensive safety checks (line 9: set -euo pipefail, error handling trap, IOC detection for malicious files/hashes/workflows/packages) and intentionally excludes network.json and detect.sh from pattern searches to avoid false positives, not to weaken detection. The chmod +x step is appropriate and ensures executable permissions in the workflow environment.

CHANGELOG.md (3)

8-33: Added section is comprehensive and well-documented.

The Added section clearly lists all new features, scripts, configurations, and documentation. Each entry provides helpful context about functionality. 👍


45-51: Fixed section is clear and well-documented.

The fixes address real issues with scripts and CI workflows. Each entry explains what was fixed and why (e.g., preventing CI failures, fixing ShellCheck warnings). The section is complete and adds valuable context for users reviewing the release. ✨


228-238: Version comparison links are properly structured.

The new [1.5.0] comparison link is correctly formatted and positioned. The chronological ordering of all version links is maintained.

Comment thread CHANGELOG.md Outdated
…map progress and dates in `CHANGELOG.md` and `ROADMAP.md`.
@miccy miccy merged commit 8a25c33 into main Dec 2, 2025
13 checks passed
@miccy miccy deleted the preview/v1.5.0 branch December 2, 2025 19:47
