
I4cTime/quantum_ring

v0.9.6 Security

This release includes 3 security fixes. Teams running exposed deployments should review it.

Published 2 months ago · Category: Secrets & Credentials

No CVE identifiers are assigned to this release. The 3 items it fixes are one CodeQL alert in the project's own code and two GitHub Security Advisories (GHSA) in a dependency.

Topics: ai-agents, claude-code, cursor, keyring, mcp, mcp-server, secrets-management, security

Affected surfaces

rce_ssrf deps

Summary

AI summary

Double-escaping fix in parseDotenv() and picomatch upgrade to >=4.0.4 close security vulnerabilities.

Full changelog

Security Release

Security

  • Double-escaping fix – the escape-sequence chain in parseDotenv() was replaced with a single-pass regex to prevent double-unescaping of backslash sequences. With chained replace() calls, a later replacement can consume the backslash that an earlier replacement just produced, so a value such as a literal backslash followed by n is decoded once too often. (CodeQL js/double-escaping alert #14, severity: high)
  • picomatch >=4.0.4 (web) — pnpm override added to web/package.json resolving ReDoS (GHSA-c2c7-rcm5-vvqj) and method injection (GHSA-3v7f-55p6-f55p)
  • Stale package-lock.json removed — eliminated false-positive Dependabot alerts from an unused npm lockfile
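The following is an added example and not quantum_ring's own parseDotenv(): a minimal dotenv parser that contrasts a chained multi-replace unescape (the pattern CodeQL reports as js/double-escaping) with a single-pass regex unescape. The sample .env content and all function names are constructed for the illustration.

```javascript
// Added example, not quantum_ring's own parseDotenv(): shows why a chain of
// replace() calls double-unescapes backslash sequences and how one regex
// pass avoids it.

const ESCAPES = { n: "\n", r: "\r", t: "\t", "\\": "\\", '"': '"' };

// BAD (the js/double-escaping pattern): each replace() runs over the output
// of the previous one, so the single backslash that step 1 produces from
// "\\\\" is re-read by step 2 as the start of a "\\n" escape.
function unescapeChained(value) {
  return value
    .replace(/\\\\/g, "\\")
    .replace(/\\n/g, "\n")
    .replace(/\\r/g, "\r")
    .replace(/\\t/g, "\t");
}

// GOOD: one regex consumes every backslash exactly once; unknown escapes
// are kept verbatim rather than silently dropped.
function unescapeSinglePass(value) {
  return value.replace(/\\(.)/gs, (match, c) =>
    Object.prototype.hasOwnProperty.call(ESCAPES, c) ? ESCAPES[c] : match
  );
}

// Minimal KEY=VALUE parser: escapes are interpreted only inside double
// quotes, single quotes are literal, bare values may carry a trailing comment.
function parseDotenv(text, unescape = unescapeSinglePass) {
  const env = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    const key = line.slice(0, eq).trim().replace(/^export\s+/, "");
    let value = line.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = unescape(value.slice(1, -1));
    } else if (value.length >= 2 && value.startsWith("'") && value.endsWith("'")) {
      value = value.slice(1, -1);
    } else {
      value = value.replace(/\s+#.*$/, "");
    }
    env[key] = value;
  }
  return env;
}

// Constructed sample .env (not from the project). On disk the second line is
//   WIN_PATH="C:\\Users\\agent\\n8n"   and should decode to   C:\Users\agent\n8n
const SAMPLE_ENV = [
  "# constructed sample",
  'WIN_PATH="C:\\\\Users\\\\agent\\\\n8n"',
  'BANNER="line1\\nline2"',
  "PLAIN=hello # trailing comment",
  "SINGLE='keep\\nliteral'",
].join("\n");

// Parse the same file with both strategies so the difference is visible.
function demo() {
  return {
    chained: parseDotenv(SAMPLE_ENV, unescapeChained),
    singlePass: parseDotenv(SAMPLE_ENV),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the chained version, WIN_PATH comes back with a real newline in the middle of the path because the backslash produced by the `\\\\` replacement is consumed again by the `\\n` replacement; the single-pass version returns the path intact. Reordering the chain does not help: putting `\\n` first instead mangles a literal `\\n` in the same way, which is why the fix is a single regex rather than a different order.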

Added

  • 8 parseDotenv unit tests covering escape sequences, double-backslash handling, and edge cases (133 total tests)

Full Changelog: https://github.com/I4cTime/quantum_ring/compare/v0.9.5...v0.9.6

Security Fixes

  • CodeQL js/double-escaping alert #14 – fixed double-unescaped backslash sequences in parseDotenv() (high severity)
  • GHSA-c2c7-rcm5-vvqj – resolved ReDoS vulnerability by upgrading picomatch to >=4.0.4
  • GHSA-3v7f-55p6-f55p – fixed method injection vulnerability in picomatch
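The picomatch fix is a dependency override rather than a code change. As an added example (not the project's own tooling or its real web/package.json), the block below shows the pnpm override shape the release describes and a small check that the versions a lockfile resolved for picomatch all satisfy it. The package.json content and the resolved version list are constructed inputs; the `pnpm.overrides` field is pnpm's documented syntax, everything else is hypothetical.

```javascript
// Added example, not quantum_ring's own code: verify that a package.json
// carries a pnpm override for a package and that resolved versions meet it.

// Constructed package.json content mirroring the release note (not the real file).
const PACKAGE_JSON = JSON.stringify({
  name: "web",
  private: true,
  devDependencies: { "some-glob-tool": "^1.0.0" }, // hypothetical consumer of picomatch
  pnpm: { overrides: { picomatch: ">=4.0.4" } },
});

// Parse "major.minor.patch"; pre-release tags are ignored for this check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Return the minimum version demanded by an override of the form ">=X.Y.Z",
// or null when the override is missing or not in that simple form.
function overrideMinimum(packageJsonText, name) {
  const pkg = JSON.parse(packageJsonText);
  const range = pkg.pnpm && pkg.pnpm.overrides && pkg.pnpm.overrides[name];
  if (typeof range !== "string") return null;
  const m = /^>=\s*v?(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? m[1] : null;
}

// Given the versions a lockfile resolved for `name` (constructed here), list
// the ones that fall below the override minimum. No override means every
// resolved version is reported, since nothing is pinning the dependency.
function versionsBelowOverride(packageJsonText, name, resolvedVersions) {
  const min = overrideMinimum(packageJsonText, name);
  if (min === null) {
    return { overridePresent: false, minimum: null, violating: resolvedVersions.slice() };
  }
  return {
    overridePresent: true,
    minimum: min,
    violating: resolvedVersions.filter((v) => compareVersions(v, min) < 0),
  };
}

console.log(versionsBelowOverride(PACKAGE_JSON, "picomatch", ["2.3.1", "4.0.2", "4.0.4", "4.0.5"]));
```

After reinstalling, `pnpm why picomatch` shows which packages still pull the dependency and at what version, which is the same check done from the CLI. An override rewrites the range of every transitive dependant, so run the test suite after applying one rather than assuming the bump is behaviour-neutral.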


About I4cTime/quantum_ring

Quantum-inspired keyring for AI coding agents. Secure secrets with superposition, entanglement, tunneling, and teleportation.
