Skip to content

Tapflow

v0.8.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 2d Developer Productivity
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

android android-emulator app-testing appetize-alternative browserstack-alternative developer-tools
+13 more
emulator flutter ios ios-simulator macos mcp mobile-qa mobile-testing qa-tools react-native self-hosted simulator testing

Affected surfaces

deps

ReleasePort's take

Moderate signal
editorial:auto 2d

The release patches CVE-2026-9277 by upgrading the shell-quote dependency to ^1.8.4 and adds several CLI enhancements for setup workflows.

Why it matters: CVE‑2026‑9277 severity is rated 90; upgrade the shell-quote dependency to ^1.8.4 immediately. New `doctor --json` and guided Android/iOS setup commands improve automation reliability.

Summary

AI summary

Updated readme for iOS/Android H.264 streaming, added Korean blocking hooks, improved Android agent tests, enhanced cli setup commands, and fixed a dependency CVE.

Changes in this release

Security Critical

Overrides shell-quote dependency to ^1.8.4, patching CVE-2026-9277.

Overrides shell-quote dependency to ^1.8.4, patching CVE-2026-9277.

Source: llm_adapter@2026-06-10

Confidence: high
Feature Medium

Adds `doctor --json` flag to CLI for JSON output.

Adds `doctor --json` flag to CLI for JSON output.

Source: llm_adapter@2026-06-10

Confidence: high
Feature Medium

Adds guided Android environment setup command `tapflow setup android`.

Adds guided Android environment setup command `tapflow setup android`.

Source: llm_adapter@2026-06-10

Confidence: high
Feature Medium

Adds `tapflow setup ios` and unifies the setup command.

Adds `tapflow setup ios` and unifies the setup command.

Source: llm_adapter@2026-06-10

Confidence: high
Feature Medium

Installs Homebrew after confirmation in `tapflow setup`.

Installs Homebrew after confirmation in `tapflow setup`.

Source: llm_adapter@2026-06-10

Confidence: high
Bugfix Medium

Improves `doctor` and setup consistency from testing of v0.8.0‑next.0.

Improves `doctor` and setup consistency from testing of v0.8.0‑next.0.

Source: llm_adapter@2026-06-10

Confidence: high
Bugfix Medium

Enhances `doctor`/setup with self‑contained Android SDK bootstrap.

Enhances `doctor`/setup with self‑contained Android SDK bootstrap.

Source: llm_adapter@2026-06-10

Confidence: high
Bugfix Medium

Makes `doctor` AVD consistency and adds new‑terminal hint in setup.

Makes `doctor` AVD consistency and adds new‑terminal hint in setup.

Source: llm_adapter@2026-06-10

Confidence: high
Bugfix Medium

Prevents macOS Command Line Tools install popup during `doctor` execution.

Prevents macOS Command Line Tools install popup during `doctor` execution.

Source: llm_adapter@2026-06-10

Confidence: high
Bugfix Medium

Fixes flaky auto‑restart isolation test and expands coverage for Android agent.

Fixes flaky auto‑restart isolation test and expands coverage for Android agent.

Source: llm_adapter@2026-06-10

Confidence: high
Full changelog

What's Changed

  • docs(readme): both iOS and Android stream H.264; note resolution adaptation by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/229
  • chore(hooks): block Korean in gh pr/issue create/edit by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/230
  • docs: streaming quality profiles, team handoff, and cross-page consistency by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/233
  • test(android-agent): fix flaky auto-restart isolation, expand coverage by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/234
  • docs(reference): add Performance & Latency page (EN/KO) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/235
  • docs(requirements): pin iOS support to the Xcode/macOS 26 line by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/236
  • docs(performance): stable cross-language anchors + tighten intro by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/237
  • chore(claude): add /ai-tells writing-gate for docs and marketing by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/238
  • chore: English rule for GitHub artifacts + ai-tells A-3 false-positive fix by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/239
  • feat(cli): add doctor --json flag and adb installed-but-not-in-PATH diagnosis by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/240
  • feat(cli): add tapflow setup android — guided Android environment setup by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/241
  • feat(cli): install Homebrew after confirmation in tapflow setup by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/242
  • feat(cli): add tapflow setup ios and unify the setup command by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/243
  • chore: release v0.8.0-next.0 (prerelease, dist-tag next) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/244
  • fix(cli): doctor/setup improvements from 0.8.0-next.0 testing by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/245
  • chore: release v0.8.0-next.1 (prerelease, dist-tag next) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/246
  • fix(deps): override shell-quote to ^1.8.4 (CVE-2026-9277) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/247
  • fix(cli): doctor/setup consistency + self-contained Android SDK bootstrap by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/248
  • chore: release v0.8.0-next.2 (prerelease, dist-tag next) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/249
  • fix(cli): doctor AVD consistency + setup new-terminal hint by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/250
  • chore: release v0.8.0-next.3 (prerelease, dist-tag next) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/251
  • fix(cli): doctor avoids the macOS Command Line Tools install popup by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/252
  • chore: release v0.8.0-next.4 (prerelease, dist-tag next) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/253
  • docs: add Environment Setup guide (doctor/setup) + sync CLI reference by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/254
  • ci(release): mark prerelease tags as GitHub pre-releases by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/255
  • chore: release v0.8.0 by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/256

Full Changelog: https://github.com/jo-duchan/tapflow/compare/v0.7.0...v0.8.0

Security Fixes

  • fix(deps): override shell-quote to ^1.8.4 (CVE-2026-9277)
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Tapflow

Get notified when new releases ship.

Sign up free

About Tapflow

All releases →

Related context

Related CVEs

Beta — feedback welcome: [email protected]