docs(0.2.1): add security + hardening notes to CHANGELOG#30
Merged
0.2.1 has not been published to npm yet — folding the post-tag security/hardening work into the same release notes so npm consumers see a single coherent entry when they install @whykusanagi/corrupted-theme@0.2.1.

Adds:
- **Security** subsection covering the two findings visible to consumers via shipped sources: celeste-widget.js session-ID upgrade (Math.random → crypto.randomUUID) and the two example pages (websocket-manager textContent fix, png-export SRI hash).
- **Internal** additions: CI workflow least-privilege permissions, GitHub security feature enablement (secret scanning + push protection + Dependabot security updates + CodeQL default setup), and the one false-positive dismissal.

Also bumped the dated header from 2026-05-23 to 2026-05-25 to match actual publish date. The CodeQL workflow permissions change is internal-only (.github/ is not in the npm tarball) but worth noting for repo contributors.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Deploying with

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! | corrupted-theme | 1ebe6b5 | Commit Preview URL / Branch Preview URL | May 25 2026, 10:38 PM |
Summary

0.2.1 has not been published to npm yet, so folding the post-tag security and hardening work into the same release notes — npm consumers will see a single coherent entry on @whykusanagi/corrupted-theme@0.2.1.

CHANGELOG additions

Security (visible to npm consumers via shipped sources):
- `celeste-widget.js` session-ID upgrade (`Math.random()` → `crypto.randomUUID()`)
- `examples/components/websocket-manager.html` — XSS-safe log via `textContent`
- `examples/components/png-export.html` — SRI hash on the pinned html2canvas script

Internal (not in the npm tarball, but worth noting for repo contributors):
- `permissions: contents: read`
- `js/tainted-format-string` false-positive on `countdown-widget.js`

Also bumped the dated header 2026-05-23 → 2026-05-25 to match actual publish date.

After merge

The `v0.2.1` git tag currently points at `ad5b2d0` (bundle-fix commit only) — needs to be moved to the post-merge HEAD so it matches what npm will publish. Tag move is a separate manual step:

```sh
git tag -d v0.2.1
git push origin :refs/tags/v0.2.1
git tag -a v0.2.1 -m "Release v0.2.1 — bundle-fix + security hardening"
git push origin v0.2.1
```

This is OK to force-move because:
- `@0.2.1/dist/theme.min.css` is byte-identical between the old and new commit (security fixes don't touch `dist/`).

Test plan
🤖 Generated with Claude Code