release: v0.3.1 — first stable v0.3.x on @latest #759
Skipping 0.3.0 because that version slot was claimed by a deprecated historical pre-release (Jan 2026, deprecated as part of the "deprecate all pre-release versions 0.3.0-0.6.2" cleanup). npm enforces version immutability — we cannot republish 0.3.0. 0.3.1 is the smallest available version after rc.1 in the 0.3.x line. After merge, tag v0.3.1 → release.yml publishes to @latest via OIDC. Same content as the rc.1 burn-in candidate (0.3.0-rc.1 on @next). Co-Authored-By: Claude <noreply@anthropic.com>
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Hand-curated changelog covering 0.2.1 → 0.3.1. Notes the deprecated historical pre-releases (0.3.0, 0.4.x, 0.5.x, 0.6.x, 0.7.0) so users don't accidentally install them. GitHub Releases remain the canonical record (auto-generated by release.yml on tag push); this file is the human-readable summary and lives in the package itself (npm view shows it). Co-Authored-By: Claude <noreply@anthropic.com>
Code Review
This pull request updates the version of the squads-cli package from 0.3.0 to 0.3.1 in both package.json and package-lock.json. A critical security concern was raised regarding the presence of several dependency versions (such as @anthropic-ai/sdk ^0.71.2 and vitest ^4.0.16) that do not exist on the public npm registry, which may indicate a dependency confusion or supply chain attack.
| { | ||
| "name": "squads-cli", | ||
| "version": "0.3.0", | ||
| "version": "0.3.1", |
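Review bot: the `"version": "0.3.1"` line has to agree with the `v0.3.1` tag that triggers publishing, and nothing visible here enforces that. Because npm versions are immutable, a tag that disagrees with this field would use up another version slot, so consider a step in release.yml that fails when the tag (minus the leading `v`) differs from `version` in package.json. Also confirm package-lock.json carries 0.3.1 in both its top-level `version` and its `packages[""]` entry.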
The version bump is consistent, but the project's dependencies and lockfile contain several version numbers that do not exist on the public npm registry (e.g., @anthropic-ai/sdk ^0.71.2, vitest ^4.0.16, eslint ^9.39.2, and typescript resolved to 5.9.3 in package-lock.json). This is a critical security indicator of a potential dependency confusion attack or a compromised supply chain. Please verify the legitimacy of these versions and ensure they are sourced from a trusted registry before proceeding with this release.
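The registry check this review comment asks for can be run against the lockfile itself. The following is an added example (not code from this PR or from squads-cli): it walks the `packages` map of a parsed package-lock.json and flags entries resolved from outside a trusted registry or lacking a strong `integrity` hash. `auditLockfile`, `TRUSTED_ORIGINS` and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example, not from the PR. Input is a parsed package-lock.json
// (lockfileVersion 2 or 3, which carry a "packages" map).
// TRUSTED_ORIGINS is an assumption: list the registries your org permits.
const TRUSTED_ORIGINS = ["https://registry.npmjs.org"];

function auditLockfile(lock, trusted = TRUSTED_ORIGINS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders and workspace symlinks.
    if (!path.includes("node_modules/") || entry.link) continue;
    const id = `${path.split("node_modules/").pop()}@${entry.version}`;
    const flag = (issue) => findings.push({ id, issue });

    if (!entry.resolved) {
      // Bundled deps ship inside the parent tarball and have no URL.
      if (!entry.inBundle) flag("no-resolved-url");
      continue;
    }
    let url = null;
    try { url = new URL(entry.resolved); } catch { /* unparseable */ }
    if (!url || url.protocol !== "https:") flag("non-https-source");
    else if (!trusted.includes(url.origin)) flag("untrusted-registry");

    // npm records integrity as an SRI string; sha512 is the current default.
    if (!entry.integrity) flag("missing-integrity");
    else if (!entry.integrity.startsWith("sha512-")) flag("weak-integrity");
  }
  return findings;
}

// Constructed sample lockfile: names, hosts and hashes are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-cli", version: "1.0.0" },
    "node_modules/good-lib": { version: "2.1.0", integrity: "sha512-CONSTRUCTED==",
      resolved: "https://registry.npmjs.org/good-lib/-/good-lib-2.1.0.tgz" },
    "node_modules/mirror-lib": { version: "1.4.2", integrity: "sha512-CONSTRUCTED==",
      resolved: "https://npm.mirror.example/mirror-lib/-/mirror-lib-1.4.2.tgz" },
    "node_modules/git-lib": { version: "0.9.0",
      resolved: "git+ssh://git@git.example/org/git-lib.git#0000000" },
    "node_modules/good-lib/node_modules/old-lib": { version: "0.1.0",
      integrity: "sha1-CONSTRUCTED=",
      resolved: "https://registry.npmjs.org/old-lib/-/old-lib-0.1.0.tgz" },
  },
};

console.log(auditLockfile(sampleLock));
```

An empty result means every installed entry came over HTTPS from a listed registry with a sha512 hash; it does not by itself prove that a given version is legitimate.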
Surfaces the canonical changelog, releases, and issues URLs at the bottom of `squads --help` so users discover them without hunting. Co-Authored-By: Claude <noreply@anthropic.com>
Summary
Bumps to `0.3.1`. Skipping `0.3.0` because that slot is reserved by a deprecated historical pre-release (Jan 2026 cleanup). npm enforces version immutability, so we cannot republish `0.3.0`. `0.3.1` is the smallest available version after `0.3.0-rc.1` in the v0.3.x line.

Why this works
- `v0.3.1` is clean semver (no-suffix) → `release.yml` publishes to `@latest` via OIDC
- `0.3.0-rc.1` (already burned in on `@next`)
- `@next` users on `0.3.0-rc.1` continue to work; they can move to `@latest` with `npm i -g squads-cli@latest`

Post-merge steps

Test plan
- `npm view squads-cli dist-tags` shows `latest: 0.3.1`
- `npm i -g squads-cli` (no tag) installs 0.3.1
- `squads --version` outputs `0.3.1`