
Jovancoding/Network-AI

v5.8.9 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 4d MCP Developer Tools
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

agent-framework agent-orchestration ai-agents autogen blackboard blackboard-architecture
crewai hermes hermes-agent langchain llm mcp multi-agent nemoclaw nodejs openclaw orchestration rlm typescript workflow-engine

Summary

AI summary

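Fixes two CodeQL-flagged TOCTOU races in test-phase11.ts (lockPath and tmpPath), a UTF-8 BOM regression in the version-bump scripts, and leftover hardcoded "3 sub-tasks" references in claude-project-prompt.md.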

Changes in this release

Bugfix Medium

Fixes TOCTOU race condition in test-phase11.ts stale-lock injection.


Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Medium

Fixes TOCTOU race condition in test-phase11.ts orphan-tmp simulation.


Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Medium

Prevents UTF-8 BOM insertion by PowerShell 5.1 in version‑bump scripts, fixing JSON parse failures.


Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Low

Removes hardcoded reference to "3 sub‑tasks" in claude-project-prompt.md checklist and template.


Source: llm_adapter@2026-05-30

Confidence: high

Full changelog

What's Changed

Fixed

  • CodeQL #170 — CWE-367 TOCTOU (test-phase11.ts stale-lock inject): lockPath tainted via new FileLock(lockPath) internal existsSync → openSync(lockPath, 'w'). Fixed with fresh const staleLockPath = join(dir, '.test.lock') inside the write block.
  • CodeQL #173 — CWE-367 TOCTOU (test-phase11.ts orphan-tmp simulate): tmpPath flowed from assert(!existsSync(tmpPath)) into openSync(tmpPath, O_CREAT|O_EXCL|O_WRONLY). Fixed with fresh const orphanTmpPath inside the write block.
  • UTF-8 BOM regression: PowerShell 5.1 Set-Content writes BOM, breaking ts-node JSON parse in CI. All version-bump scripts now use System.IO.File::WriteAllText with UTF8Encoding(false).
  • claude-project-prompt.md residual hardcoded-3 refs: Pre-commit checklist and response-format template still referenced "3 sub-tasks" after v5.8.8 SkillSpector fix. Both updated to be count-agnostic.

Full Changelog: https://github.com/Jovancoding/Network-AI/compare/v5.8.8...v5.8.9

Security Fixes

  • CodeQL #170 — Fixed TOCTOU vulnerability in `lockPath` handling by using a freshly generated lock file path.
  • CodeQL #173 — Fixed TOCTOU vulnerability in `tmpPath` handling by using a freshly generated temporary file path.
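
The check-then-open pattern behind both CWE-367 alerts, next to an atomic exclusive create, as an added Node.js example (not code from the Network-AI repository). It goes beyond the release's fix by forcing the race deterministically; the function names, the hook parameters and the temp-directory paths are assumptions made for illustration.

```javascript
// Added example, not code from the Network-AI repository; all names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Racy: the existence check and the open are two separate system calls.
// `inWindow` stands in for another process scheduled between them.
function checkThenCreate(file, data, inWindow = () => {}) {
  if (fs.existsSync(file)) return false; // time of check
  inWindow();
  const fd = fs.openSync(file, 'w'); // time of use: truncates whatever exists now
  try { fs.writeSync(fd, data); } finally { fs.closeSync(fd); }
  return true;
}

// Atomic: O_CREAT|O_EXCL makes the kernel check and create in one step, so
// there is no window. `beforeOpen` simulates the same competing writer.
function createExclusive(file, data, beforeOpen = () => {}) {
  beforeOpen();
  const flags = fs.constants.O_CREAT | fs.constants.O_EXCL | fs.constants.O_WRONLY;
  let fd;
  try {
    fd = fs.openSync(file, flags, 0o600);
  } catch (err) {
    if (err.code === 'EEXIST') return false; // someone else owns the file
    throw err;
  }
  try { fs.writeSync(fd, data); } finally { fs.closeSync(fd); }
  return true;
}

// Constructed race in a private temp directory: a competing writer creates
// the file with content 'other' just before each function opens it.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'toctou-demo-'));
  try {
    const racy = path.join(dir, 'racy.lock');
    const safe = path.join(dir, 'safe.lock');
    const racyResult = checkThenCreate(racy, 'mine', () => fs.writeFileSync(racy, 'other'));
    const safeResult = createExclusive(safe, 'mine', () => fs.writeFileSync(safe, 'other'));
    return {
      racyResult, racyContent: fs.readFileSync(racy, 'utf8'),
      safeResult, safeContent: fs.readFileSync(safe, 'utf8'),
    };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

console.log(demo());
```

The racy variant reports success after silently overwriting the competing writer's file, while the exclusive create reports failure and leaves that file intact.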


About Jovancoding/Network-AI

Multi-agent orchestration MCP server with race-condition-safe shared blackboard. 20+ MCP tools: blackboard read/write, agent spawn/stop, FSM transitions, budget tracking, token management, and audit log query. `npx network-ai-server --port 3001`.
