Jovancoding/Network-AI

v5.7.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 15d MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

agent-framework agent-orchestration ai-agents autogen blackboard blackboard-architecture
crewai hermes hermes-agent langchain llm mcp multi-agent nemoclaw nodejs openclaw orchestration rlm typescript workflow-engine

Summary

AI summary

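Fixes a High-severity race condition in compactWAL() by switching to a single atomic file-descriptor operation, and removes unused imports and a useless assignment from test-phase11.ts.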

Changes in this release

Security High

Fixed race condition in compactWAL() using atomic file operation.


Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Security Medium

Fixed race condition in compactWAL() preventing file replacement exploits.


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Bugfix Medium

Removed unused CircuitOpenError import from test-phase11.ts.


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Bugfix Medium

Deleted redundant existsSync import from test-phase11.ts.


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Bugfix Medium

Eliminated useless assignment to c in test-phase11.ts line 384.


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Full changelog

Network-AI v5.7.1 — CodeQL Security Fixes

All 3,136 tests pass. Zero TypeScript errors.

Security / Bug Fixes

compactWAL() race condition — CWE-367 (High)

lib/locked-blackboard.ts — Replaced the existsSync + writeFileSync pattern with a single atomic file-descriptor operation:

// Before (TOCTOU — file could be replaced between check and write):
if (existsSync(this.walPath)) {
  writeFileSync(this.walPath, '', { encoding: 'utf-8', mode: 0o600 });
}

// After (atomic — openSync 'w' = O_WRONLY | O_CREAT | O_TRUNC):
const fd = openSync(this.walPath, 'w', 0o600);
closeSync(fd);

openSync('w') atomically truncates an existing WAL or creates a new empty one — no intermediate existence check that could be exploited in a race. Resolves CodeQL js/file-system-race #160.

Unused imports removed — test-phase11.ts

  • CircuitOpenError import removed (CodeQL js/unused-local-variable #161)
  • existsSync import removed (CodeQL js/unused-local-variable #162)

Both were dead code from Phase 11 development that were never referenced after final test implementation.

Useless assignment removed — test-phase11.ts:384

c = await hookMgr.runAfter(c) reassigned c but the returned context was never read. Changed to await hookMgr.runAfter(c). Resolves CodeQL js/useless-assignment-to-local #163.

Zero functional changes — all 3,136 tests continue to pass unchanged.

Security Fixes

  • Fixed TOCTOU race condition in compactWAL() (CWE-367, High) by replacing existsSync+writeFileSync with atomic openSync('w') truncation
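
An added example, not code from Network-AI: the single-open truncation described in the changelog above, extended beyond the release's fix with checks made on the open descriptor. The helper name truncateWal, the file names and the O_NOFOLLOW/fchmod hardening are assumptions for illustration.

```typescript
import { closeSync, constants, fchmodSync, fstatSync, mkdtempSync,
         openSync, readFileSync, symlinkSync, writeFileSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { join } from 'node:path';

type WalState = { size: number; mode: number };

// Hypothetical helper, not code from lib/locked-blackboard.ts: truncate-or-create in
// one open(2) call as the v5.7.1 fix does, then verify through the descriptor.
export function truncateWal(walPath: string): WalState {
  // Same flags as openSync(path, 'w'), plus O_NOFOLLOW so a symlink at the final
  // path component fails with ELOOP instead of truncating its target (POSIX only).
  const flags = constants.O_WRONLY | constants.O_CREAT | constants.O_TRUNC | constants.O_NOFOLLOW;
  const fd = openSync(walPath, flags, 0o600);
  try {
    // fstat/fchmod operate on the open file, so there is no second path lookup to race.
    if (!fstatSync(fd).isFile()) throw new Error('WAL path is not a regular file');
    // The mode argument only applies on creation; tighten a pre-existing file too.
    fchmodSync(fd, 0o600);
    const st = fstatSync(fd);
    return { size: st.size, mode: st.mode & 0o777 };
  } finally {
    closeSync(fd);
  }
}

// Constructed inputs: an existing WAL with loose permissions, a missing WAL, a symlink.
export function demo() {
  const dir = mkdtempSync(join(tmpdir(), 'wal-demo-'));
  const wal = join(dir, 'blackboard.wal');
  writeFileSync(wal, 'entry-1\nentry-2\n', { mode: 0o644 });
  const existing = truncateWal(wal);
  const created = truncateWal(join(dir, 'fresh.wal'));

  const target = join(dir, 'unrelated.txt');
  writeFileSync(target, 'keep me');
  const link = join(dir, 'link.wal');
  symlinkSync(target, link);
  let symlinkError = '';
  try {
    truncateWal(link);
  } catch (e) {
    symlinkError = (e as { code?: string }).code ?? '';
  }
  const targetIntact = readFileSync(target, 'utf-8') === 'keep me';
  return { existing, created, symlinkError, targetIntact };
}
```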

About Jovancoding/Network-AI

Multi-agent orchestration MCP server with race-condition-safe shared blackboard. 20+ MCP tools: blackboard read/write, agent spawn/stop, FSM transitions, budget tracking, token management, and audit log query. `npx network-ai-server --port 3001`.
