
Release v5.4.0 #50

Merged
code-crusher merged 11 commits into main from release/v5.4.0
Feb 12, 2026

Conversation

@code-crusher
Member

[v5.4.0] - 2026-02-12

Added

  • Open plan in editor functionality for better plan management
  • Better fuzzy search for improved file context matching

Changed

  • Cleaner chat interface with improved UI
  • Better diff view for edit tool
  • Edit tool improvements with context search enhancements
  • Minor UI update to task header

@matter-ai-bot
Contributor

matter-ai-bot bot commented Feb 12, 2026

Context

This release finalizes v5.4.0 by integrating defensive programming patterns into the diff processing logic and UI components, building upon previous security hardening and task logic refactoring.

Implementation

Summary By MatterAI

🔄 What Changed

This update introduces defensive null checks in the streamDiff test suite and the GitHubDiffView component to prevent runtime errors during string splitting. These changes complement the previously implemented security hardening (secure nonces in PlanEditorProvider) and the removal of legacy subtask-waiting logic in Task.ts.

🔍 Impact of the Change

Improves system resilience by gracefully handling empty or undefined diff data in both the testing environment and the user interface. This prevents potential application crashes when the edit tool returns unexpected empty results, ensuring a smoother user experience in the chat interface.

📁 Total Files Changed

File ChangeLog

  • streamDiff.test.ts (Defensive Testing): Added null checks for oldText and newText before splitting strings.
  • GitHubDiffView.tsx (UI Stability): Implemented safety check for the diff prop to prevent crashes on empty inputs.
  • Task.ts (Logic Cleanup): Removed legacy subtask synchronization logic to simplify the task loop.
  • PlanEditorProvider.ts (Security Hardening): Implemented crypto.randomBytes for secure webview nonce generation.

🧪 Test Added/Recommended

Recommended

  • Edge Case Testing: Add unit tests specifically passing null or undefined to UnifiedDiffView to verify empty state rendering.
  • Security Regression: (Previous) Verify CSP validation for new hex-encoded nonces.

🔒 Security Vulnerabilities

  • Resolved: Insecure random number generation for nonces has been replaced with a cryptographically secure implementation.
  • Open: The XSS risk in the custom markdown regex parser remains; migration to DOMPurify is still recommended.

Screenshots

  • Before: Potential split() error on null
  • After: Safe empty array fallback

How to Test

  1. Trigger the 'Edit' tool with a change that results in an empty diff and verify the UI does not crash.
  2. Run npm test streamDiff.test.ts to ensure existing diff tests pass with the new null-safety logic.
  3. Verify that the Plan Editor webview still loads correctly with secure nonces.

Get in Touch

N/A
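As an added illustration of the null-safe splitting and diff-stat handling this summary describes (example code, not the project's own; splitLines, lcsLength and diffStats are names assumed here, and the general LCS-based count goes beyond the empty-input case the PR fixes):

```javascript
// Added example, not code from the project: defensive line splitting and
// diff statistics that tolerate null, undefined and empty text, as the
// streamDiff/GitHubDiffView fixes above require. Names are assumed.

// Return [] for null/undefined/"" so callers never call .split on nothing.
function splitLines(text) {
  if (text === null || text === undefined || text === "") return [];
  // Normalise CRLF and drop one trailing newline so "a\n" is a single line.
  const unix = String(text).replace(/\r\n/g, "\n");
  const body = unix.endsWith("\n") ? unix.slice(0, -1) : unix;
  return body.split("\n");
}

// Longest common subsequence length over two line arrays (single-row DP).
function lcsLength(a, b) {
  const row = new Array(b.length + 1).fill(0);
  for (let i = 1; i <= a.length; i++) {
    let diag = 0; // dp[i-1][j-1], carried from the previous column
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // dp[i-1][j]
      row[j] = a[i - 1] === b[j - 1] ? diag + 1 : Math.max(above, row[j - 1]);
      diag = above;
    }
  }
  return row[b.length];
}

// Additions/deletions for a file change; new and deleted files are the
// cases where one side is empty or undefined and must not crash.
function diffStats(oldText, newText) {
  const oldLines = splitLines(oldText);
  const newLines = splitLines(newText);
  const common = lcsLength(oldLines, newLines);
  let kind = "modified";
  if (oldLines.length === 0 && newLines.length === 0) kind = "empty";
  else if (oldLines.length === 0) kind = "new";
  else if (newLines.length === 0) kind = "deleted";
  return {
    kind,
    additions: newLines.length - common,
    deletions: oldLines.length - common,
  };
}
```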


@matter-ai-bot matter-ai-bot bot left a comment


🧪 PR Review is completed: Reviewing Release v5.4.0 changes. Identified security risks in file handling and markdown rendering, along with code quality improvements.

Skipped files
  • CHANGELOG.md: Skipped file pattern
⬇️ Low Priority Suggestions (2)
src/core/task/Task.ts (1 suggestion)

Location: src/core/task/Task.ts (Lines 1972-1993)

🟡 Code Quality

Issue: Large block of commented-out code. This appears to be dead code that should be removed to keep the codebase clean.

Fix: Remove the commented-out code block.

Impact: Improves code readability and maintainability.

-  			// if (this.consecutiveMistakeLimit > 0 && this.consecutiveMistakeCount >= this.consecutiveMistakeLimit) {
-  			// 	const { response, text, images } = await this.ask(
-  			// 		"mistake_limit_reached",
-  			// 		t("common:errors.mistake_limit_guidance"),
-  			// 	)
-  
-  			// 	if (response === "messageResponse") {
-  			// 		currentUserContent.push(
-  			// 			...[
-  			// 				{ type: "text" as const, text: formatResponse.tooManyMistakes(text) },
-  			// 				...formatResponse.imageBlocks(images),
-  			// 			],
-  			// 		)
-  
-  			// 		await this.say("user_feedback", text, images)
-  
-  			// 		// Track consecutive mistake errors in telemetry.
-  			// 		TelemetryService.instance.captureConsecutiveMistakeError(this.taskId)
-  			// 	}
-  
-  			// 	this.consecutiveMistakeCount = 0
-  			// }
+  
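Review bot: the single replacement line at the end of this hunk is whitespace-only (a `+` followed by indentation), so deleting the commented-out block leaves a stray indented blank line that Prettier/ESLint trailing-whitespace rules will flag; drop the replacement line entirely or make it a genuinely empty line. The removed comment also recorded the intended mistake-limit flow (ask "mistake_limit_reached", push the user feedback, capture telemetry, reset consecutiveMistakeCount); if that behaviour is expected to return, a tracking reference in the commit message preserves the intent better than dead code would.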
src/integrations/editor/PlanEditorProvider.ts (1 suggestion)

Location: src/integrations/editor/PlanEditorProvider.ts (Lines 519-526)

🟡 Security

Issue: Weak random number generation. Math.random() is not cryptographically secure and should not be used for security-sensitive values like CSP nonces.

Fix: Use crypto.randomBytes for secure nonce generation.

Impact: Improves security posture by using a stronger source of randomness.

-  	private getNonce(): string {
-  		let text = ""
-  		const possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
-  		for (let i = 0; i < 32; i++) {
-  			text += possible.charAt(Math.floor(Math.random() * possible.length))
-  		}
-  		return text
-  	}
+  	private getNonce(): string {
+  		return require("crypto").randomBytes(16).toString("hex")
+  	}
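Review bot: `require("crypto")` called inline inside getNonce() is untyped in a TypeScript file and sidesteps the module's import style; hoist it to a top-level `import { randomBytes } from "crypto"` and return `randomBytes(16).toString("hex")`. Entropy-wise the new nonce is 128 bits, which meets the CSP recommendation, whereas the old 32-character Math.random() string was predictable regardless of its length. Hex output stays within the base64 alphabet CSP accepts for nonce-source, so consumers interpolating it into `'nonce-...'` need no change, but the "Security Regression" test item should assert that format explicitly rather than only checking that the webview loads.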

- Remove commented-out code in Task.ts
- Replace Math.random() with crypto.randomBytes() for CSP nonce
@matter-ai-bot
Contributor

matter-ai-bot bot commented Feb 12, 2026

✅ Reviewed the changes: The changes look solid. The security improvement for nonce generation is correctly implemented using crypto.randomBytes, and the code cleanup in Task.ts is verified.

- Fix GitHubDiffView.tsx: handle empty diff strings
- Fix streamDiff.test.ts: handle empty oldText/newText
- Ensures correct diff stats for new/deleted files
@matter-ai-bot
Contributor

matter-ai-bot bot commented Feb 12, 2026

✅ Reviewed the changes: The changes correctly implement defensive checks for string splitting, preventing potential runtime errors with undefined or null values. The logic also appropriately handles empty strings by returning empty arrays, which is cleaner for both diff processing and UI rendering.

@code-crusher code-crusher merged commit fca177b into main Feb 12, 2026
6 of 13 checks passed
@code-crusher code-crusher deleted the release/v5.4.0 branch February 12, 2026 07:15