v1.28.3
Security github.com/Gentleman-Programming/gentle-ai
v1.28.3 — Hardened generated npm commands + OpenCode workspace skill discovery
Patch focused on supply-chain hardening and a targeted skill-registry fix.
- Hardened generated npm commands (`fix(security): pin and harden generated npm commands`): Gentle AI now emits npm commands with pinned versions and safe-default flags — fewer surprises from an `npm install` pulling in something unexpected.
- Centralized pinned versions: new `refactor(versions): centralize pinned npm package versions` — every pin lives in one place, easier to audit.
- Renovate custom manager: Renovate now tracks the manual pins via a custom manager, so packages don't get accidentally frozen.
- Quickstart docs updated with the npm hardening recommendations — read them if you're onboarding.
- OpenCode skill-registry (`fix(skillregistry): discover workspace OpenCode skills`): now discovers skills declared in the workspace, not only the global ones.
- Housekeeping: the root `package.json` is marked `private` to prevent accidental publishes.
If you depend on Gentle AI's generated npm commands or use OpenCode with workspace skills, this patch lands right in your folder.
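An added example, not code from gentle-ai: a Node.js check that a reviewer could run over generated `npm install` commands to confirm every package carries an exact version pin and the expected flags are present. The required flag (`--ignore-scripts`), the package names and the sample commands are assumptions constructed for illustration; the release notes do not list the project's actual flags.

```javascript
// Added example: audit a generated `npm install` command for exact pins and flags.
// ASSUMPTION: --ignore-scripts as the required flag; the release notes name none.
const REQUIRED_FLAGS = ["--ignore-scripts"];
const INSTALL_VERBS = new Set(["install", "i", "add"]);
const VALUE_FLAGS = new Set(["--registry", "--prefix"]); // flags followed by a value
// Exact semver only (1.2.3, 1.2.3-rc.1): no ^, ~, x-ranges or dist-tags.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function splitSpec(spec) {
  // Scoped names begin with "@", so only an "@" past index 0 separates a version.
  const at = spec.lastIndexOf("@");
  return at > 0
    ? { name: spec.slice(0, at), version: spec.slice(at + 1) }
    : { name: spec, version: null };
}

function auditNpmCommand(command) {
  const tokens = command.trim().split(/\s+/);
  if (tokens[0] !== "npm" || !INSTALL_VERBS.has(tokens[1])) {
    return { ok: false, findings: ["not an npm install command"] };
  }
  const flags = new Set();
  const findings = [];
  for (let i = 2; i < tokens.length; i++) {
    const t = tokens[i];
    if (t.startsWith("-")) {
      flags.add(t.split("=")[0]);
      if (VALUE_FLAGS.has(t)) i++; // skip the flag's separate value
      continue;
    }
    const { name, version } = splitSpec(t);
    if (version === null) findings.push(`${name}: no version, resolves to the latest tag`);
    else if (!EXACT.test(version)) findings.push(`${name}: "${version}" is a range or tag`);
  }
  for (const f of REQUIRED_FLAGS) if (!flags.has(f)) findings.push(`missing ${f}`);
  return { ok: findings.length === 0, findings };
}

// Constructed sample commands; the package names are hypothetical.
const samples = [
  "npm install -g @example/cli",
  "npm i --ignore-scripts example-pkg@^1.3.0",
  "npm install -g --ignore-scripts @example/cli@1.4.2",
];
for (const cmd of samples) console.log(cmd, "=>", JSON.stringify(auditNpmCommand(cmd)));
```

Specs that are not registry names (git URLs, local paths, tarballs) are reported as unpinned, which errs on the side of review.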