v0.1.13
v0.1.13 is a patch release that fixes a false positive in the malicious-package check, where a bare, dist-tag, or range install could be wrongly blocked because an older version of the package carried a malicious advisory.
Important
If nub install <pkg> was wrongly blocked on v0.1.12, upgrade to v0.1.13. Installs like nub install axios are no longer blocked when the resolved version is clean. The security property is unchanged: an install that resolves to a malicious version is still blocked.
Package manager
v0.1.12's OSV malicious-package gate matched advisories against the package as a whole, so a bare/dist-tag/range install of a package whose latest is clean was blocked when an older version carried a malicious advisory. v0.1.13 resolves the install to its concrete version first and relies on the version-aware post-resolve OSV gate, so a clean latest installs while the actually-malicious version stays blocked. (#89, Fixes #88, cc71b04)
Testing & internals
- Extract the
nub-cache-keycrate to lock down cache-key invalidation in tests (#87,63f5447). - Isolate
~/.npmrcin the cold-CAS bench harness so a polluted host config can't break runs (e5b808a).
Documentation
- Bump Node version examples to 26 in the README and the
nub nodepin error (84e7b4a). - Set the external-issue acknowledgement convention to exactly "Investigating." with no preamble or diagnosis (
eb892e1).
Commits in this release
- v0.1.13 (
f711a1e) - fix(pm): resolve dist-tag/range to concrete version before the OSV malicious-package check (#88) (#89,
cc71b04) - docs(skill): external-issue ack is exactly "Investigating." — no preamble/diagnosis (
eb892e1) - test(native): extract nub-cache-key crate to lock cache-key invalidation (#87,
63f5447) - test(bench): isolate ~/.npmrc in cold-CAS harness so a polluted host config can't break runs (
e5b808a) - docs: bump Node version examples to 26 in README + nub node pin error (
84e7b4a)
Full Changelog: v0.1.12...v0.1.13