Skip to content

TT-Wang/forge

v0.5.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 1mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 2 known CVEs

Topics

agent anthropic claude claude-code claude-code-plugin git-worktree
+9 more
mcp mcp-server nodejs orchestrator parallel-execution planning plugin validation workflow

Affected surfaces

breaking_upgrade rce_ssrf

Summary

AI summary

Plugin loader now builds from source on first run, fixing stale bundle drift.

Full changelog

First public launch-ready release of forge.

What's new

🚀 Launch release. Forge is now OSS-polish-complete with strict CI, security policy, architecture docs, and a full test suite.

Critical fix

The previous plugin loader pointed at a stale esbuild bundle (dist/index.mjs) that had drifted from source since around v0.2.x. Every marketplace install was running pre-v0.4.0 code. v0.5.0 replaces the bundle with a start.sh bootstrap shim that does a first-run npm install --omit=dev and then execs node index.mjs. No more bundle drift — users get the current source every time.

Code-review fixes (P0 + P1)

A post-release code review surfaced 3 P0 bugs and 7 P1 quality issues. All fixed:

  • Path-traversal guards on runId in handleForgeLogs, handleSessionState, handleIterationState
  • Shell injection fix in validate_planexecFileSync replaces shell-interpolated execSync
  • Test coverage added for handleValidate (happy path, nonexistent cwd escalation, missing file)
  • Per-run progress filewriteProgressFile now scans v0.4.0 per-run iteration subdirectories
  • MCP Server version drift corrected
  • mastermain across CONTRIBUTING, SECURITY, llms.txt
  • Strict lint in CI (was advisory)
  • npm ci || npm install fallback removed

OSS polish

  • SECURITY.md, CONTRIBUTING.md, docs/architecture.md, docs/mcp-tools.md, llms.txt
  • .github/workflows/ci.yml — blocking lint + node --test matrix on Node 20/22 + smoke tests
  • .github/dependabot.yml, issue/PR templates
  • README badges (CI, license, Node)
  • 21 tests covering all 7 MCP tools and the v0.4.0 per-run regression
  • ESLint flat config
  • Cross-linked with memem — the recommended pairing

Launch-week materials

Checked into docs/launch/ for transparency and reuse:

  • blog-post.md — the launch post
  • show-hn.md — Show HN draft + prepared Q&A
  • social-thread.md — Twitter/X thread + r/ClaudeAI post

Install

claude plugin marketplace add TT-Wang/forge
claude plugin install forge@tt-wang-plugins

Then /forge <objective> in any project.

Full changelog

https://github.com/TT-Wang/forge/blob/main/CHANGELOG.md

Security Fixes

  • Path‑traversal guards added to `handleForgeLogs`, `handleSessionState`, and `handleIterationState`
  • Shell injection vulnerability fixed in `validate_plan` by replacing `execSync` with `execFileSync`
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track TT-Wang/forge

Get notified when new releases ship.

Sign up free

About TT-Wang/forge

Structured planning, parallel execution in git worktrees, and deep validation for Claude Code. Turns a one-line objective into a validated DAG of modules executed by worker agents, each self-checked and cross-module-reviewed before merge-back. 7 MCP tools: `validate`, `validate_plan`, `memory_recall`, `memory_save`, `iteration_state` (per-run scoped, with stagnation/velocity/oscillation detection)

All releases →

Related context

Beta — feedback welcome: [email protected]