v1.1.0
What's changed
Security
- Migrated worker from npm to pnpm — strict symlinked store prevents phantom dependency access
- Added explicit 512-char cap on `User-Agent` and `Referer` in `logVisit()` to prevent KV bloat from crafted headers
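The header cap above, as an added illustration that is not the project's own `logVisit()` code: a crafted multi-kilobyte `User-Agent` or `Referer` would otherwise be persisted whole into KV on every visit. The names `MAX_HEADER_LEN`, `capHeader`, `buildVisitRecord` and `recordSize` are assumptions; only the 512-character limit and the two header names come from the release notes. On a Worker the `headers` argument would be `request.headers`; the sample below uses a constructed `Map` so it runs offline.

```javascript
// Added example (not the project's code): bound untrusted request headers
// before persisting a visit record to KV. Only the 512-char limit and the
// header names come from the release notes; all function names are assumed.
const MAX_HEADER_LEN = 512;

// Truncate a header value to MAX_HEADER_LEN characters.
// A missing or non-string header is stored as "" rather than "undefined".
function capHeader(value) {
  if (typeof value !== "string") return "";
  return value.length > MAX_HEADER_LEN ? value.slice(0, MAX_HEADER_LEN) : value;
}

// Build the record a logVisit()-style function would write to KV.
// `headers` is any object with a get(name) method (request.headers on a Worker).
function buildVisitRecord(headers, now = Date.now()) {
  return {
    ts: now,
    ua: capHeader(headers.get("User-Agent")),
    ref: capHeader(headers.get("Referer")),
  };
}

// Serialized size in bytes of what would be stored; with both headers capped,
// this is bounded regardless of what the client sends.
function recordSize(record) {
  return new TextEncoder().encode(JSON.stringify(record)).length;
}

// Constructed sample: a crafted 10 000-character User-Agent and a normal Referer.
const sampleHeaders = new Map([
  ["User-Agent", "A".repeat(10000)],
  ["Referer", "https://example.com/"],
]);
const sample = buildVisitRecord(sampleHeaders, 0);
console.log(sample.ua.length, sample.ref, recordSize(sample)); // 512 https://example.com/ 557
```

Without the cap, `recordSize` grows linearly with whatever the client sends; with it, the per-visit KV value stays under roughly 1.1 KB plus the fixed fields.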
CI/CD
- pnpm/action-setup@v4 added to all workflows; `package-lock.json` → `pnpm-lock.yaml`
- SBOM generation migrated from `npm sbom` to `@cyclonedx/cyclonedx-npm`
- Fuzz targets updated to use `pnpm exec jazzer`
Documentation
- README and SECURITY.md reorganized for logical flow
- Full threat model (including residual risks) moved to private admin repo; public version retains architecture, trust boundaries, and mitigations
- All OSPS Baseline criteria documented
Signing key
Fingerprint: `3F1A A06D A8C5 8ACE F25B C882 3263 D1B8 7AAA FCD4`
Verify: `git tag -v v1.1.0`