
Jovancoding/Network-AI

v5.8.7 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 4d MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

agent-framework agent-orchestration ai-agents autogen blackboard blackboard-architecture
crewai hermes hermes-agent langchain llm mcp multi-agent nemoclaw nodejs openclaw orchestration rlm typescript workflow-engine

ReleasePort's take

Light signal
editorial:auto 4d

Version v5.8.7 fixes a TOCTOU race condition in test helpers by replacing `writeFileSync` calls with fd‑based writes and removes an unused variable assignment.

Why it matters: Addresses a file‑system race (severity 40) that could cause inconsistent test results; eliminates dead code (severity 20).

Summary

AI summary

Fixed file‑system race conditions and removed an unused variable.

Changes in this release

Bugfix Medium

Replaced three `writeFileSync` calls with fd-based writes to fix TOCTOU race conditions in test helpers.


Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Low

Removed unused variable assignment to `staleRelease` in test helper.


Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Low

Corrected header comment in `scripts/blackboard.py` to accurately describe `--path` scope, preventing operator confusion.


Source: llm_adapter@2026-05-30

Confidence: high

Full changelog

What's changed

Fixed — CodeQL alerts #165–#168

#165, #166, #167 — CWE-367 TOCTOU (test-phase11.ts)
Three writeFileSync(path, data) calls in the new testLockOwnership() and testAtomicSnapshot() test helpers were flagged as potential file-system race conditions (js/file-system-race). The path-then-write pattern has a window where the file could change between resolution and the write. Replaced all three with fd-based writes (openSync → writeSync → closeSync), consistent with how production code in lib/locked-blackboard.ts handles the same pattern.

#168 — Unused variable staleRelease (test-phase11.ts)
The return value of lock2.release() was assigned to staleRelease but never read. Removed the assignment; the existsSync assertion that follows is the actual correctness check.

Fixed — SkillSpector Intent-Code Divergence (94% confidence)

scripts/blackboard.py: --path scope comment
The header comment described --path as "accepted for environment routing" and "validated against the project root", which SkillSpector flagged because it implies full state isolation. In reality, only the main blackboard file path is derived from --path; lock files and pending-change files always resolve from the global data/ directory. The comment has been rewritten to accurately state the actual scope, preventing operator confusion in multi-project environments.


Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

Security Fixes

  • Fixed TOCTOU file‑system race conditions in test helpers (CWE-367) by using fd‑based writes


About Jovancoding/Network-AI

Multi-agent orchestration MCP server with race-condition-safe shared blackboard. 20+ MCP tools: blackboard read/write, agent spawn/stop, FSM transitions, budget tracking, token management, and audit log query. `npx network-ai-server --port 3001`.
