release: v2.4.9 — upstream sync (Fable 5 pricing, Mux/Copilot-JB providers, menubar reliability)#8
Merged
Addresses the findings from a full-repo security audit. No behavior change
for normal usage; all 799 tests pass.
- Prototype pollution: model/provider/tool/MCP/bash names from untrusted
transcripts are now bucketed in null-prototype maps across the daily
aggregator, period builders, dashboard, and CSV export (was a plain {} that
a "__proto__"/"constructor" key could use to poison Object.prototype).
Regression test added.
- Terminal-escape injection: new shared stripControlChars() strips ANSI/OSC/BEL
out of transcript-derived names at the TUI dashboard, compare view, and CSV
export sinks (CSI was already handled by Ink; OSC/BEL and the CSV path were
not). Tests added.
- Supply chain: all GitHub Actions SHA-pinned (were @v2 / @stable, including in
the OIDC-privileged npm publish job); CycloneDX SBOM step version-pinned and
run with --ignore-scripts; dependabot.yml configured (was an inert
placeholder) to keep pins and npm/cargo deps current.
- IDE config surface: removed Gemini hooks that ran repo-committed scripts on
session open, stripped hardcoded /Users/pain paths from the Cursor/Kiro/
Qoder/Gemini MCP configs, and untracked .mcp.json / .opencode.json (now
gitignored) so clones no longer ship an auto-start MCP server surface.
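The two hardening items above (null-prototype buckets for untrusted names, and stripping terminal control sequences before a name reaches a sink) as an added example written for this page; it is not the project's own code. `SAMPLE_RECORDS`, `aggregateUnsafe`, `aggregateSafe`, `demonstrateUnsafePollution` and the `TERMINAL_CONTROL_RE` pattern are assumptions for illustration, and since the page names a shared `stripControlChars()` without showing it, the one here is a stand-in covering the same OSC/CSI/BEL cases. Run it with `node`:

```javascript
// Added example, not the project's code. Shows (1) how a bucketed aggregator
// keyed by transcript-derived names poisons Object.prototype when the buckets
// live in a plain {} and how a null-prototype object closes that hole, and
// (2) a control-character stripper that removes OSC, CSI, other ESC sequences
// and bare C0/C1 bytes such as BEL before names reach a TUI or CSV sink.
// All names and sample data below are constructed for illustration.

// Constructed sample: usage records as an aggregator might derive them from a
// transcript. The model name is attacker-influenced: two rows probe prototype
// pollution, one wraps a real model name in an OSC 8 hyperlink.
const SAMPLE_RECORDS = [
  { model: "claude-fable-5", tokens: 120 },
  { model: "__proto__", tokens: 5 },
  { model: "constructor", tokens: 7 },
  { model: "claude-fable-5", tokens: 30 },
  { model: "\x1b]8;;https://attacker.example\x07claude-fable-5\x1b]8;;\x07", tokens: 1 },
];

// Alternatives tried in order at each position:
//   OSC   ESC ] ... terminated by BEL or ESC \ (terminator optional, so a
//         truncated OSC is dropped rather than passed through to the sink)
//   CSI   ESC [ params intermediates final-byte
//   other two-byte ESC sequences (ESC @ .. ESC _)
//   bare C0 controls incl. BEL (0x07), DEL, and C1 controls incl. 8-bit CSI (0x9b)
const TERMINAL_CONTROL_RE =
  /\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?|\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]|\x1b[\x40-\x5f]|[\x00-\x1f\x7f-\x9f]/g;

function stripControlChars(name) {
  return String(name).replace(TERMINAL_CONTROL_RE, "");
}

// Vulnerable pattern: buckets in a plain object literal. For the key
// "__proto__" the lookup returns Object.prototype (truthy, so the init is
// skipped) and the += writes a `tokens` property onto Object.prototype,
// visible on every plain object in the process. "constructor" resolves to the
// Object function and is written the same way. Both rows are also silently
// missing from the returned report.
function aggregateUnsafe(records) {
  const buckets = {};
  for (const r of records) {
    if (!buckets[r.model]) buckets[r.model] = { tokens: 0 };
    buckets[r.model].tokens += r.tokens;
  }
  return buckets;
}

// Hardened pattern: a null-prototype object has no inherited "__proto__"
// accessor or "constructor" property, so every name becomes an own key, and
// names are sanitized at the boundary before they can reach a sink.
function aggregateSafe(records) {
  const buckets = Object.create(null);
  for (const r of records) {
    const name = stripControlChars(r.model);
    if (!buckets[name]) buckets[name] = { tokens: 0 };
    buckets[name].tokens += r.tokens;
  }
  return buckets;
}

// Runs the vulnerable aggregator, records what an unrelated fresh object now
// exposes, then undoes the pollution so the rest of the process is unaffected.
function demonstrateUnsafePollution() {
  const before = ({}).tokens;                 // undefined on a clean runtime
  const buckets = aggregateUnsafe(SAMPLE_RECORDS);
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, "tokens");
  const leaked = ({}).tokens;                 // NaN: undefined + 5 from the "__proto__" row
  delete Object.prototype.tokens;
  delete Object.tokens;                       // the "constructor" row landed here
  return { before, polluted, leaked, buckets };
}

// Usage: node aggregate-example.js
console.log(demonstrateUnsafePollution());
console.log(aggregateSafe(SAMPLE_RECORDS));
```

A null-prototype object still works with `Object.keys`, `for...in` and `JSON.stringify`, but it has no `hasOwnProperty` method of its own, so callers must use `Object.prototype.hasOwnProperty.call` (or `Object.hasOwn`); a `Map` sidesteps the question entirely. Stripping has to happen at every sink the name can reach, not only the TUI: a CSV file `cat`-ed to a terminal re-interprets the same escapes the dashboard would.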
…ke fixes)

A large macOS menubar pass on top of v2.4.7's security release. tsc clean, 799 tests pass, swift build green.

Performance
- CLI parses today's transcripts ONCE per --all call (was 3× — each block built its own todayRange with a fresh new Date(), missing the parser cache).
- Menubar payload decoupled from the cache dict (stored currentPayload) so a quiet background write no longer re-evaluates the whole popover.
- Stats/Findings analytics memoized; shared Calendar/DateFormatter; duplicate all-provider spawn suppressed; 150ms switch debounce; popover-open prefetch; 30s tick honors the 30s TTL.

Fixed
- Popover no longer closes when clicking the Claude/Codex tabs (nested quota popover tripped .transient) — now .applicationDefined + outside-click monitor.
- Refresh button no longer spins forever (native spinner + wedged-loading guard).
- Auto-fetches after a long sleep: popover-open recovers a dead loop / wedged loading and refetches if stale.
- Provider switch no longer animates the trend bars down-then-up.

Visual + motion
- Redesigned trend chart (gradient rounded bars, today/peak markers, refined avg line, headroom scaling, empty state, staggered bar-rise), header (FlameMark + monochrome wordmark + palette control), hero (flat fill, accent bloom, rolling numericText), unified sliding selectors with press feedback.
- Inline 14-day sparkline; first-run welcome state; live right-click status menu; variable-value menubar flame (macOS 15+); SF Symbol effects; haptics; pointing-hand cursors; insight-tab cross-fade; cost bars grow from 0.
- Depth/typography pass; full Reduce-Motion + VoiceOver accessibility pass. All macOS 26-only APIs are #available-gated for the macOS 14 deployment target.
…iders, menubar reliability)

Backports 10 upstream PRs:
- #463 Fable 5 / Mythos 5 pricing + names (fixes live $0 pricing for claude-fable-5)
- #438 Mux (coder) provider
- #433/#456 Copilot JetBrains sessions + Windows path fix
- #430 Chinese Yuan (CNY) currency
- #448 bounded HTTP timeouts (pricing + currency)
- #450/#441 tolerate string message content (no more silent history wipe)
- #458 content-addressed codex forked-session dedup
- #471/#470 count nested workflow sub-agent transcripts
- #462 async terminationHandler exit wait + spawn cap (menubar no longer wedges)
- #472 macOS 27 right-click status menu
Brings `main` up to v2.4.9. Includes the v2.4.7, v2.4.8 and v2.4.9 release commits that were tagged on this branch but not yet merged back. v2.4.9 backports 10 upstream PRs:

Verified: `tsc` clean, 842 vitest tests pass, `swift build` clean; the v2.4.9 tag's Release npm + Release macOS Menubar jobs are green.