fix: resolve npm audit vulnerabilities and Aspire Docker test cleanup #377
Merged
bradygaster merged 2 commits into bradygaster:main on Mar 13, 2026
- Bump minimatch 9.0.6→9.0.9 (ReDoS: GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74)
- Bump rollup 4.58.0→4.59.0 (path traversal: GHSA-mw96-cpmx-2vgc)
- Add --name to squad aspire Docker command to prevent unnamed orphan containers
- Align test and CLI on shared container name (squad-aspire-dashboard)
- Add SIGINT/SIGTERM/exit handlers to aspire integration test for cleanup

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1ab296e to 061f7d1
Resolve workspace packages to source in vitest so vi.mock intercepts correctly. Without this, npm ci installs a duplicate squad-sdk under squad-cli/node_modules, which bypasses the mock.
061f7d1 to 1da2dac
tamirdresher pushed a commit to tamirdresher/squad that referenced this pull request on Mar 16, 2026
* chore(squad): Phase 2 launch — thinking feedback, P0 bugs, dual telemetry
Phase 1 complete: 5 issues closed (bradygaster#325, bradygaster#326, bradygaster#327, bradygaster#328, bradygaster#329), 5 PRs merged. Phase 2 launched with Cheritto (thinking feedback), Hockney (P0 bugs), Saul (dual telemetry). Decision inbox merged and archived.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(squad): Phase 2 Wave 1 merged, Wave 2 launched
Session: 2026-02-23T2145-phase2-wave2
Phase 2 Wave 1 complete (PRs bradygaster#351, bradygaster#352, bradygaster#353 merged). Wave 2 launched: Cheritto on ghost response detection (bradygaster#332), Hockney on error hardening (bradygaster#334).
Changes:
- Session log created: 2026-02-23T2145-phase2-wave2.md
- Merged 3 inbox decisions (Cheritto, Hockney, Saul)
- Deleted inbox files post-merge
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(squad): Epic bradygaster#323 complete — all phases shipped 🎉
All 3 phases delivered:
- Phase 1 (Testing Wave): 6 issues closed
- Phase 2 (Improvement): 6 issues closed
- Phase 3 (Breathtaking): 7 issues closed
- 17 PRs merged, 19 issues closed total
Session log: 2026-02-23T2320-epic-complete.md
Decisions merged from inbox: P2 UX Polish, first-run wow moment
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* hostile QA: end-to-end quality assessment — 10 findings, 4 HIGH severity
Candid assessment requested by Brady. Traced every code path in cli-entry.ts, shell/index.ts, shell/commands.ts, App.tsx, coordinator.ts, spawn.ts, and the SDK adapter client.
Key findings:
- Dead sessions never evicted from agentSessions Map after connection drop
- No React ErrorBoundary — any render throw kills the shell
- Nasty-inputs corpus (95 strings) is never imported by any test
- No SIGTERM handler in interactive shell
- MemoryManager exported but never instantiated (dead code)
- Single streaming content slot clobbers multi-agent output
- User input silently dropped during processing (no type-ahead buffer)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(squad): quality review findings — 7 issues filed
Quality audit complete: 5 agents assessed CLI across testing, coverage, stability, accessibility, UX. Results: 4 P0 blockers (bradygaster#365–bradygaster#368), 3 P1 items (bradygaster#369–bradygaster#371). Blocking: Waingro dead sessions, ErrorBoundary, dropped input; Marquez help text consistency.
Changes:
- Logged session summary to .squad/log/2026-02-24T0205-quality-review-complete.md
- Updated .squad/identity/now.md with quality review findings and new issue numbers
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(squad): merge decision — Marquez UX audit findings
Quality assessment merged from inbox (Grade B): 11 improvements (3 P0, 4 P1, 4 P2). help text, stub commands, vocabulary, separators, roster.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(squad): test sprint launch
Session: 2026-02-24T0210-test-sprint
Changes:
- Logged test sprint: 5 agents, 7+ issues
- Branches: P0 fixes, stale tests, E2E, hostile/SDK, A11y
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: E2E integration tests for REPL and multi-agent coordination (closes bradygaster#372, closes bradygaster#373)
Adds 15 integration tests covering the interactive REPL pipeline and multi-agent session coordination — areas that previously had zero end-to-end coverage.
Tests:
- Full REPL round-trip: user input -> parseInput -> dispatch -> response render
- @agent direct message routing with correct agent targeting
- /help and /status slash commands without SDK dispatch
- Error recovery: dispatch failure + no-SDK-connected states
- Multi-agent session tracking: registration, concurrent status, error cleanup
- Fan-out dispatch: concurrent multi-agent with error isolation
- Input parsing integration with registered agent lists
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: hostile input, SDK failure, and stress tests (closes bradygaster#376, closes bradygaster#377, closes bradygaster#378)
- Wire 67-string nasty-inputs corpus into parseInput, executeCommand, and MessageStream rendering tests
- Add SDK failure scenario tests: ghost response, throws, timeouts, error events, malformed data
- Add stress/boundary tests: 1000 messages, rapid dispatch, 1MB inputs, concurrent sessions, MemoryManager limits
- 62 new tests across 3 files, all passing
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update breedan history with E2E integration test session
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
What
- npm audit fix: bumps minimatch (9.0.6→9.0.9) and rollup (4.58.0→4.59.0) to resolve 2 high-severity vulnerabilities
- Aspire Docker cleanup: fixes orphaned containers causing test failures
  - Adds `--name squad-aspire-dashboard` to the `squad aspire` command (was unnamed → random Docker names)
  - Test and CLI share the same container name (`squad-aspire-dashboard`)

Why
`npm audit` reported 2 high-severity vulnerabilities. Aspire integration tests were flaky due to orphaned Docker containers from interrupted test runs or `squad aspire` sessions using different (or no) container names.

Testing
- `npm audit` → 0 vulnerabilities
- `npx vitest run test/aspire-integration.test.ts` → 5/5 passing
- `npx vitest run test/cli/aspire.test.ts` → 16/16 passing