Network-AI
Repository
Release

v5.4.1 — Security patch (CodeQL TOCTOU + dead code)

Published 2026-05-10 | Release notes

Patch release resolving 4 CodeQL alerts surfaced after v5.4.0.

Read the release here or open the original release on GitHub.
Open release on GitHub Open changelog Open quick start Release RSS

Network-AI v5.4.1 — Security Patch

Patch release resolving 4 CodeQL alerts surfaced after v5.4.0.

Security

  • TOCTOU race condition fix (lib/env-manager.ts) — _touchJson() and _touchFile() now use openSync(O_CREAT | O_EXCL | O_WRONLY, 0o600) instead of existsSync + writeFileSync. Eliminates the window between the existence check and the write where another process could create the same file. CWE-367. (CodeQL #149, #150)

Fixed

  • Removed unused basename import from lib/env-manager.ts (CodeQL #152)
  • Removed unused SourceProtectionError import from test-env-manager.ts (CodeQL #153)
  • Removed unused resolveEnvData function from bin/cli.ts (CodeQL #151)
  • Fixed README comparison table: adapter count 28 -> 29
  • Fixed QUICKSTART.md: garbled nemoclaw / aps table rows (literal \n in source)
  • Bumped version string to v5.4.1 across all docs and metadata files

Stats

  • 29 test suites, 2,976 passing assertions (unchanged)
  • Zero TypeScript compile errors (npx tsc --noEmit)

Full Changelog

https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

Release FAQ

Fast answers for operators and answer engines.

What changed in v5.4.1?

Patch release resolving 4 CodeQL alerts surfaced after v5.4.0.

When was v5.4.1 published?

v5.4.1 was published on May 10, 2026.

Continue evaluating

Cross-check the release signals.

Use the changelog, benchmark notes, and security policy together to validate that the release story lines up with public maintenance discipline.

Changelog Benchmarks Security