Network-AI
Release

v5.1.1 — CodeQL Security Fixes

Published 2026-04-18 | Release notes

Security Fixes

Resolved all 23 open CodeQL code scanning alerts:

XSS (7 alerts fixed)

  • All dynamic values in `control-plane.html` now pass through the `esc()` sanitizer
  • All dynamic values in `work-tree-dashboard.html` now pass through the `escapeHtml()` sanitizer

Remote Property Injection (8 alerts fixed)

  • State maps (`nodes`, `agentMap`, `bEntries`) use `Object.create(null)` instead of plain objects
  • WebSocket data copied via `safeObj()`, which filters `__proto__`, `constructor`, `prototype` keys

Prototype-Polluting Assignment (5 alerts fixed)

  • Incoming WebSocket objects sanitized through null-prototype copies
  • `deriveAgentsFromTree()` resets to `Object.create(null)`
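
The pattern behind the Remote Property Injection and Prototype-Polluting Assignment fixes above, as an added example. It is not Network-AI's own code: `nullProtoCopy`, `applyUpdate`, `naiveApply`, the message shape (`id`, `data`) and the sample messages are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helpers, not the project's safeObj() implementation.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively copy parsed JSON into null-prototype objects, dropping blocked keys.
function nullProtoCopy(value) {
  if (Array.isArray(value)) return value.map(nullProtoCopy);
  if (value === null || typeof value !== 'object') return value;
  const out = Object.create(null);
  for (const key of Object.keys(value)) {
    if (BLOCKED_KEYS.has(key)) continue; // JSON.parse keeps "__proto__" as an own key
    out[key] = nullProtoCopy(value[key]);
  }
  return out;
}

// Hardened handler: sanitized copy, stored in a null-prototype state map.
function applyUpdate(stateMap, rawMessage) {
  const msg = nullProtoCopy(JSON.parse(rawMessage));
  stateMap[String(msg.id)] = msg.data;
}

// Pre-fix pattern for contrast: a remote key is written into a plain object.
function naiveApply(stateMap, rawMessage) {
  const msg = JSON.parse(rawMessage);
  stateMap[msg.id] = msg.data; // id "__proto__" invokes the inherited setter
}

// Constructed sample messages (not captured traffic).
const HOSTILE_ID = '{"id":"__proto__","data":{"role":"admin"}}';
const HOSTILE_NESTED =
  '{"id":"agent-1","data":{"status":"ok","__proto__":{"role":"admin"}}}';

function demo() {
  const plain = {};
  naiveApply(plain, HOSTILE_ID); // swaps the prototype of `plain` only
  const hardened = Object.create(null);
  applyUpdate(hardened, HOSTILE_ID); // becomes an ordinary own property
  applyUpdate(hardened, HOSTILE_NESTED);
  return {
    plainRole: plain.role,
    plainOwnKeys: Object.keys(plain).length,
    hardenedProto: Object.getPrototypeOf(hardened),
    hardenedRole: hardened.role,
    nestedStatus: hardened['agent-1'].status,
    nestedRole: hardened['agent-1'].role,
  };
}

console.log(demo());
```

In the plain-object map the injected `role` shows up as an inherited property with no own key to account for it, while the null-prototype map keeps `__proto__` as inert data and the nested key is dropped during the copy.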

Unused Variables (2 alerts fixed)

  • Removed unused `elapsed` in `orchestrator-adapter.ts` catch block
  • Removed unused `agentsFitted` in `work-tree-dashboard.html`

Other

  • Security policy updated: 5.1.x is now the current supported version
  • All 2,691 tests passing across 26 suites