Jovancoding/Network-AI

v5.5.7 Maintenance

This release keeps dependencies and maintenance posture current for teams operating this tool.

Published 16d MCP Developer Tools

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

agent-framework agent-orchestration ai-agents autogen blackboard blackboard-architecture

+14 more

crewai hermes hermes-agent langchain llm mcp multi-agent nemoclaw nodejs openclaw orchestration rlm typescript workflow-engine

Summary

AI summary

Added shellAccess ignore entries for AgentRuntime and McpToolConsumer in socket.json.

Changes in this release

Type	Severity	Summary	CVE
Bugfix	Low	Added shellAccess ignore entries for AgentRuntime and McpToolConsumer in socket.json. Added shellAccess ignore entries for AgentRuntime and McpToolConsumer in socket.json. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—

Full changelog

v5.5.7 — socket.json shellAccess False-Positive Fix

Type: Chore / Supply Chain
Date: 2026-05-18

What changed

Added shellAccess ignore entries to socket.json for AgentRuntime and McpToolConsumer.

Root cause: Socket.dev uses two distinct alert type IDs for child_process usage:

shellExec — triggered by shell command execution calls (e.g. execFile, execSync)
shellAccess — triggered by the child_process module import itself

Both files were already documented under shellExec (v5.5.6 and earlier). The shellAccess alert type requires a separate ignore entry.

Why these files use child_process:

AgentRuntime (lib/agent-runtime.ts) — ShellExecutor uses child_process.spawn for sandboxed command execution. Shell access is opt-in only; the caller must explicitly configure and enable the ShellExecutor with a SandboxPolicy.
McpToolConsumer (lib/mcp-tool-consumer.ts) — uses child_process.spawn to launch MCP server subprocesses for stdio-based MCP transport. The MCP stdio protocol requires process spawning; the caller provides the server command.

Files changed

socket.json — four new shellAccess ignore entries added
Version bumped to 5.5.7 in package.json, skill.json, openapi.yaml, README.md, and all 12 doc/config files.

No code changes. All 3,093 tests continue to pass.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Jovancoding/Network-AI

Get notified when new releases ship.

About Jovancoding/Network-AI

Multi-agent orchestration MCP server with race-condition-safe shared blackboard. 20+ MCP tools: blackboard read/write, agent spawn/stop, FSM transitions, budget tracking, token management, and audit log query. `npx network-ai-server --port 3001`.

All releases →