This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Light signal: Release v5.8.8 fixes a TOCTOU race condition reported by CodeQL and removes an unused writeFileSync import.
Why it matters: The fix addresses a critical data‑flow race (severity 40) that could lead to inconsistent state; the removal of dead code reduces maintenance overhead.
Summary
AI summary: Fixed a TOCTOU data‑flow race condition and removed an unused import.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Bugfix | Medium | Fixes TOCTOU data‑flow race in CodeQL #169–#171 by replacing existsSync checks with lock.getStatus().locked and using atomic file creation. (Source: llm_adapter@2026-05-30; confidence: high) | — |
| Bugfix | Low | Removes unused writeFileSync import in est-phase11.ts; adds constants and unlinkSync instead. (Source: llm_adapter@2026-05-30; confidence: high) | — |
| Bugfix | Low | Reduces test noise by scoping NETWORK_AI_MINIMAL=1 to estAtomicSnapshot/estPriorityEviction only, silencing expected disableWal warnings. (Source: llm_adapter@2026-05-30; confidence: high) | — |
| Bugfix | Low | Adds scope guard to SkillSpector Natural‑Language Policy, limiting decomposition protocol to genuinely complex, multi‑domain requests (reducing 71% policy violations). (Source: llm_adapter@2026-05-30; confidence: high) | — |
Full changelog
## What's Changed
Fixed
- CodeQL #169–#171 — CWE-367 TOCTOU data-flow break (est-phase11.ts): openSync(lockPath/tmpPath, 'w') write blocks still triggered js/file-system-race because CodeQL traced the same variables from earlier existsSync assertions. Fixed #169–#170 by replacing existsSync(lockPath) assertions with lock.getStatus().locked (breaks the taint chain at the check side). Fixed #171 by switching the .tmp orphan-simulation write to O_CREAT|O_EXCL|O_WRONLY — atomic-create is the CodeQL-recommended pattern and correct here since the file must not already exist.
- CodeQL #172 — unused writeFileSync import (est-phase11.ts): All three path-based writes were replaced with fd operations in v5.8.7; the now-unused import is removed. constants and unlinkSync added in its place.
- SkillSpector Natural-Language Policy Violations (71%) (claude-project-prompt.md): "DECOMPOSE every complex request into exactly 3 sub-tasks" was unconditional, forcing sub-agent orchestration for all requests. Added a scope guard so the decomposition protocol only applies to genuinely complex, multi-domain requests.
- Test noise — red stderr warnings: NETWORK_AI_MINIMAL=1 now scoped to estAtomicSnapshot/estPriorityEviction only (set on entry, deleted in finally), silencing expected disableWal warnings without affecting Feature 2's real WAL replay coverage.
Full Changelog: https://github.com/Jovancoding/Network-AI/compare/v5.8.7...v5.8.8
Security Fixes
- CodeQL #169–#171 — fixed TOCTOU data‑flow race by replacing existsSync checks with lock.getStatus().locked and using O_CREAT|O_EXCL for tmp file creation
About Jovancoding/Network-AI
Multi-agent orchestration MCP server with race-condition-safe shared blackboard. 20+ MCP tools: blackboard read/write, agent spawn/stop, FSM transitions, budget tracking, token management, and audit log query. `npx network-ai-server --port 3001`.