Network-AI

v5.12.6 — CodeQL security fixes + QA loop

Published 2026-06-21 | Release notes


What's Changed

Security

  • CodeQL #177 resolved — Indirect command injection (Medium): `scripts/socket-check.js` used `execSync()` with a shell template string containing the user-supplied `--version` argument. Replaced with `spawnSync()` + explicit arg array (`shell: false`) so no shell interpolation occurs. Added `SEMVER_RE` validation to reject non-semver input early. Windows `npx.cmd` detection included.

  • CodeQL #176 resolved — Unused import (Note): removed unused `resolve` from `import { join, resolve } from 'path'` in `test-phase13.ts:11`.
  • CodeQL #175 resolved — Unused import (Note): removed unused `join` from `import { join, dirname, resolve } from 'path'` in `lib/phase-pipeline.ts:15`.

Added

  • `scripts/codeql-check.js` — GitHub Code Scanning alert monitor. Queries the GitHub API via `gh api`, categorises alerts as blocking (`error`/`warning`) or informational (`note`), exits 1 if any blocking alert is open. Run via `npm run codeql:check`.

  • **`npm run codeql:check`** — wired into `package.json` scripts.

Changed

  • `SKILL.md` Security Scan Findings — 3 new SkillSpector by-design entries: McpStreamableServer Description-Behavior Mismatch (Medium 94%), MCP control surface Context-Inappropriate Capability (Medium 90%), `_load_signing_key()` token minting Context-Inappropriate Capability (Medium 92%). All documented with disclosed controls.
  • `RELEASING.md` (local-only) — new Step 7: `npm run codeql:check` gate before publishing; Step 9 updated with correct `clawhub publish` syntax + SkillSpector review guidance.

QA loop — how it works now

```
Push feature
  → CI runs CodeQL (~2 min)
  → npm run codeql:check   # exits 1 if any error/warning alert open
  → npm run socket:check   # exits 1 if gptSecurity/debugAccess present
  → clawhub publish        # triggers SkillSpector re-scan (NVIDIA)
  → check Versions tab     # new findings → triage into SKILL.md table
```


Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

Release FAQ

Fast answers for operators and answer engines.

What changed in v5.12.6?

CodeQL #177 resolved — Indirect command injection (Medium): scripts/socket-check.js used execSync() with a shell template string containing the user-supplied --version argument. Replaced with spawnSync() + explicit arg array (shell: false) so no shell interpolation occurs. Added SEMVER_RE validation to reject non-semver input early. Windows npx.cmd detection included.

When was v5.12.6 published?

v5.12.6 was published on Jun 21, 2026.
