Skip to content

Wmux

v1.1.0 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

Published 2mo CLI & Terminal
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 4 known CVEs

Topics

agentic-ai ai-agent ai-agents ai-coding browser-automation claude
+12 more
claude-code coding-agent developer-tools electron gemini mcp-server multi-agent powershell terminal-multiplexer tmux tmux-alternative windows

Affected surfaces

auth breaking_upgrade

Summary

AI summary

Updates Stability, Installer, and Memory & Reliability across a mixed release.

Full changelog

v1.1.0 — Stability, Security, MCP & Build Fixes

Breaking Changes

  • Pipe name now includes username for multi-user security
  • MCP clients auto-fallback to derived pipe name if cached path is stale

Stability (24/7 Operation)

  • IPC handler registration idempotent (no duplicate listeners on crash/reload)
  • Unresponsive handler with 10s grace period before auto-reload
  • Metadata polling interval cleared on renderer crash
  • Session saved before auto-update quitAndInstall
  • EADDRINUSE recovery creates fresh server instance
  • Sleep/wake handler detects dead PTYs after resume
  • before-quit waits for session save to complete

Security

  • Per-user named pipe prevents cross-user access
  • Auth token file ACL enforced on Windows via icacls
  • Removed bypassable browser.eval regex blocklist
  • URL scheme validation added to browser.open
  • input.send RPC enforces 100KB size limit
  • JSON.parse prototype pollution protection in PipeServer

Memory & Reliability

  • PTY dispose triggers bridge cleanup (OscParser, ActivityMonitor, cwdMap)
  • Single shared ToastManager instance
  • Atomic session backup (renameSync instead of copyFileSync)
  • Schema validation failure falls through to backup recovery
  • OscParser array-based buffer (reduces GC pressure)
  • McpRegistrar.writeJson uses atomic tmp+rename

MCP

  • Auth token reused across dev-mode restarts
  • Token read from file first (env var fallback)
  • Pipe name fallback when WMUX_SOCKET_PATH is stale
  • MCP server bundled with esbuild (single file, no missing dependencies)

Browser Panel

  • surface.list scans ALL panes with surfaceType, browserUrl, paneId
  • browser.open reuses existing browser or splits pane side-by-side

Build Fixes

  • MakerSquirrel name set to 'wmux' (scoped package path fix)
  • Disabled asar integrity validation (conflicts with postPackage repack)
  • MCP server bundled via esbuild — no more MODULE_NOT_FOUND on packaged installs
  • PowerShell and icacls use absolute paths (fixes clean install blank screen)

Installer (install.ps1)

  • ScriptBlock pattern for Invoke-NativeCommand
  • Distinguishes Build Tools missing vs VCTools workload missing
  • setup.exe with --installPath (not vs_installer.exe --instanceId)
  • Waits for VS setup process completion before verification
  • Handles winget already-installed and reboot-required exit codes
  • SpectreMitigation patch in fix-node-pty.js
  • UTF-8 console encoding for Korean Windows
  • return instead of exit (prevents terminal closing via irm | iex)
  • npm run make added for automatic app build

Breaking Changes

  • Pipe name now includes username for multi-user security
  • MCP clients auto-fallback to derived pipe name if cached path is stale

Security Fixes

  • Removed bypassable browser.eval regex blocklist
  • URL scheme validation added to browser.open
  • input.send RPC enforces 100KB size limit
  • JSON.parse prototype pollution protection in PipeServer
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Wmux

Get notified when new releases ship.

Sign up free

About Wmux

All releases →

Related context

Beta — feedback welcome: [email protected]