Releases: faraa2m/tokenometer
v2.0.4
What's Changed
- Fix public surface drift by @faraa2m in #51
- Use PNG status bar image for VS Code README by @faraa2m in #52
- Add canonical prompt cost gate tutorial by @faraa2m in #53
- fix: add Tokenometer icons by @faraa2m in #55
- chore(release): version packages by @github-actions[bot] in #56
- chore(release): version packages by @github-actions[bot] in #57
Full Changelog: v2.0.3...v2.0.4
v2.0.3
What's Changed
- Polish web UI and SEO metadata by @faraa2m in #49
- chore(release): version packages by @github-actions[bot] in #50
Full Changelog: v2.0.2...v2.0.3
v2.0.2
What's Changed
- docs: refresh v2 project status by @faraa2m in #44
- chore(release): version packages by @github-actions[bot] in #45
- ci: use npm trusted publishing by @faraa2m in #46
- docs: remove npm token release guidance by @faraa2m in #47
- chore(release): version packages by @github-actions[bot] in #48
Full Changelog: v2.0.0...v2.0.2
v2.0.0
What's Changed
- Auto-move major tag on release (no more manual `git tag -f v1`) by @faraa2m in #38
- docs: trivial lede edit + verify changesets + auto-major-tag-mover by @faraa2m in #39
- docs: add adoption playbooks by @faraa2m in #40
- chore!: require Node 26 by @faraa2m in #41
- chore(release): version packages by @github-actions[bot] in #42
- fix: align tokenometer runtime with Vercel by @faraa2m in #43
Full Changelog: v1...v2.0.0
v1.1.0
What's Changed
- Patch undici CVEs in bundled Action runtime (v1.0.2) by @faraa2m in #35
- feat: expansion — MCP server, React lib, Action inline-prompt detection (+undici CVE) by @faraa2m in #36
- chore(release): version packages by @github-actions[bot] in #37
Full Changelog: https://github.com/faraa2m/tokenometer/commits/v1.1.0
v1.0.2 — undici CVE patch
Security
Patches 5 CVEs in the bundled GitHub Action runtime by upgrading the bundled undici from 5.29.0 → 6.25.0 via a root-level `overrides` field in package.json.
| Severity | GHSA | Description |
|---|---|---|
| HIGH 7.5 | GHSA-vrm6-8vpv-qv8q | WebSocket memory exhaustion |
| HIGH 7.5 | GHSA-v9p9-hfj2-hcw8 | WebSocket unhandled exception |
| MODERATE | GHSA-g9mf-h72j-4rw9 | Fetch decompression chain |
| MODERATE | GHSA-2mjp-6q6p-2qxm | HTTP request/response smuggling |
| MODERATE | GHSA-4992-7rv2-5pvq | CRLF injection |
`undici` is transitive via `@actions/github@6.0.1` → `@actions/http-client@2.2.3`, so it cannot be bumped in the action's own dependency list. The 5.x line has no fix release; the only path is the 6.x upgrade forced through npm `overrides`, which replaces every copy of `undici` in the tree regardless of the range the intermediate packages request. Because that imposes a major-version jump on a package the action does not declare itself, the post-upgrade test run and bundle smoke test in Verification are what establish that the action still works.
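To check a chain like this in a checkout, here is an added example (not tokenometer's own code) that walks a lockfile v2/v3 `packages` map for every installed copy of `undici`, flags any still on the 5.x line, and confirms that the root `overrides` entry is present. The two lockfiles embedded in it are constructed to mirror the before and after states described above; `installedCopies`, `auditTransitive` and `auditFiles` are names chosen here.

```javascript
// Added example, not code from the tokenometer repo: audit a package-lock.json
// (lockfileVersion 2 or 3) for every installed copy of a transitive dependency
// and confirm that the root package.json `overrides` entry forcing the patched
// major line is present. Node >= 16, no third-party modules.

const TARGET = "undici";
const FIXED_MAJOR = 6; // the fix moves undici 5.29.0 -> 6.25.0

// Lockfile `packages` keys are node_modules paths, so a nested copy appears as
// "node_modules/@actions/http-client/node_modules/undici" and a hoisted one as
// "node_modules/undici". Take the last segment after "node_modules/".
function installedCopies(lock, name) {
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (path === "" || !meta || !meta.version) continue;
    const segs = path.split("/node_modules/");
    const leaf = segs[segs.length - 1].replace(/^node_modules\//, "");
    if (leaf === name) copies.push({ path, version: meta.version });
  }
  return copies;
}

// Leading major of "6.25.0", "^6.25.0" or "~6.25.0"; NaN if unparseable.
function major(version) {
  const m = /^[\^~]?(\d+)\./.exec(version);
  return m ? Number(m[1]) : NaN;
}

// Report which copies are still below the fixed major (an unparseable version
// counts as vulnerable) and whether the root override that keeps future
// installs on the fixed line is declared.
function auditTransitive(pkgJson, lock, name = TARGET, fixedMajor = FIXED_MAJOR) {
  const copies = installedCopies(lock, name);
  const vulnerable = copies.filter((c) => !(major(c.version) >= fixedMajor));
  const override = (pkgJson.overrides || {})[name];
  const overrideOk = typeof override === "string" && major(override) >= fixedMajor;
  return { copies, vulnerable, overrideOk, clean: vulnerable.length === 0 && overrideOk };
}

// Same check against files on disk: auditFiles("package.json", "package-lock.json").
function auditFiles(pkgPath, lockPath) {
  const fs = require("fs");
  const read = (p) => JSON.parse(fs.readFileSync(p, "utf8"));
  return auditTransitive(read(pkgPath), read(lockPath));
}

// Constructed fixtures mirroring the two states described on this page: the
// action workspace at commit 54f9f90 (undici 5.29.0 nested under
// @actions/http-client, no override) and the tree after the v1.0.2 fix.
const BEFORE_PKG = { name: "action", dependencies: { "@actions/github": "^6.0.1" } };
const BEFORE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "action" },
    "node_modules/@actions/github": { version: "6.0.1" },
    "node_modules/@actions/http-client": { version: "2.2.3" },
    "node_modules/@actions/http-client/node_modules/undici": { version: "5.29.0" },
  },
};
const AFTER_PKG = { ...BEFORE_PKG, overrides: { undici: "6.25.0" } };
const AFTER_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "action" },
    "node_modules/@actions/github": { version: "6.0.1" },
    "node_modules/@actions/http-client": { version: "2.2.3" },
    "node_modules/undici": { version: "6.25.0" },
  },
};

console.log("before:", JSON.stringify(auditTransitive(BEFORE_PKG, BEFORE_LOCK)));
console.log("after: ", JSON.stringify(auditTransitive(AFTER_PKG, AFTER_LOCK)));
```

The check is deliberately stricter than `npm audit`: an override alone is not enough (a stale lockfile can still carry the nested 5.x copy), and a clean tree alone is not enough (without the override the next `npm install` that refreshes `@actions/http-client` can pull 5.x back in), so `clean` requires both.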
Affected surface
The vulnerable bundle was distributed via the GitHub Action Marketplace at `v1` and `v1.0.1` tags. Both tags previously pointed at commit `54f9f90` which bundled `undici@5.29.0`.
Action required for consumers
Marketplace consumers using `uses: faraa2m/tokenometer@v1` automatically receive the patch on their next run: the `v1` major tag has been force-moved to commit `6b23bd1` (the v1.1.0 release commit), which bundles `undici@6.25.0`.
Consumers who pinned the action to a full commit SHA (for example the pre-fix `54f9f90`) do not follow tag moves and must update the pin themselves. That is the trade-off of SHA pinning: it also protects a workflow from an unintended or malicious move of the same mutable tag.
Consumers who want the CVE-only patch (no new features from v1.1.0) can pin to `uses: faraa2m/tokenometer@v1.0.2`.
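The affected-surface and consumer notes above describe the fix in terms of tags and commits. As an added example, not tokenometer's own code, the scanner below classifies each `uses:` reference to the action in a workflow file and reports what the `v1` force-move and the v1.0.2 cut-off mean for that reference. It is a line-oriented scan of `uses:` entries rather than a YAML parser; `scanWorkflow`, `classifyRef` and the `ADVICE` table are names chosen here, and the sample workflow is constructed.

```javascript
// Added example, not code from the tokenometer repo: scan a workflow file for
// `uses:` references to the action and classify each ref by what the v1
// force-move and the v1.0.2 release mean for it. Line-oriented scan of
// `uses:` entries, not a full YAML parser; the sample workflow is constructed.

const ACTION = "faraa2m/tokenometer";
const PRE_FIX_COMMIT = "54f9f90"; // both v1 and v1.0.1 pointed here before the fix
const FIRST_PATCHED = [1, 0, 2];  // v1.0.2 is the first release bundling undici 6.x

const ADVICE = {
  "major-tag":    "mutable major tag; follows force-moves such as v1 -> 6b23bd1 automatically",
  "affected-tag": "release tag below v1.0.2; still runs the undici 5.29.0 bundle",
  "patched-tag":  "release tag at or above v1.0.2; already carries undici 6.25.0",
  "pre-fix-sha":  "SHA pin on the pre-fix commit; tag moves do not reach it, bump it by hand",
  "sha":          "SHA pin; immune to tag moves, so track releases yourself",
  "mutable-ref":  "branch or other mutable ref; you get whatever it points at today",
};

function parseSemverTag(ref) {
  const m = /^v(\d+)\.(\d+)\.(\d+)$/.exec(ref);
  return m ? m.slice(1).map(Number) : null;
}

function cmpVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function classifyRef(ref) {
  if (/^[0-9a-f]{40}$/i.test(ref)) {
    return ref.toLowerCase().startsWith(PRE_FIX_COMMIT) ? "pre-fix-sha" : "sha";
  }
  const v = parseSemverTag(ref);
  if (v) return cmpVersions(v, FIRST_PATCHED) < 0 ? "affected-tag" : "patched-tag";
  if (/^v\d+$/.test(ref)) return "major-tag";
  return "mutable-ref";
}

// One finding per step that uses the action: { line, ref, status, advice }.
// Steps using other actions are ignored.
function scanWorkflow(text, action = ACTION) {
  const findings = [];
  const re = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)/;
  text.split(/\r?\n/).forEach((line, idx) => {
    const m = re.exec(line);
    if (!m) return;
    const at = m[1].lastIndexOf("@");
    const repo = at === -1 ? m[1] : m[1].slice(0, at);
    const ref = at === -1 ? "" : m[1].slice(at + 1);
    if (repo !== action) return;
    const status = classifyRef(ref);
    findings.push({ line: idx + 1, ref, status, advice: ADVICE[status] });
  });
  return findings;
}

// Constructed sample covering each ref form a consumer might have on file. The
// page gives only the 7-char prefix 54f9f90, so the SHA pin below is that
// prefix padded with zeros to the 40 characters a real pin carries.
const PRE_FIX_PLACEHOLDER = PRE_FIX_COMMIT.padEnd(40, "0");
const SAMPLE_WORKFLOW = `
name: prompt-cost-gate
on: [pull_request]
jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: faraa2m/tokenometer@v1
      - uses: faraa2m/tokenometer@v1.0.1
      - uses: faraa2m/tokenometer@v1.0.2
      - uses: "faraa2m/tokenometer@main"
      - uses: faraa2m/tokenometer@${PRE_FIX_PLACEHOLDER}
`;

for (const f of scanWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: @${f.ref} -> ${f.status}: ${f.advice}`);
}
```

Run it over `.github/workflows/*.yml` in a consuming repo to see which steps were silently upgraded by the tag move and which still need a manual bump. The classification only reads the ref string; it does not contact GitHub, so a `major-tag` finding says the ref is mutable, not what it currently resolves to.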
Verification
229/229 workspace tests pass post-upgrade. `npm audit` reports no undici advisories in the action workspace. Bundle smoke test: `dist/index.cjs` parses, loads, and initializes undici 6.x cleanly.
Companion versions
- `tokenometer@1.1.0` on npm (CLI + library, already published with the same patch + new features)
- `@tokenometer/core@1.1.0` on npm (already published)
v1.0.1
v1.0.0
What's Changed
- chore(release): cut v1.0.0 by @faraa2m in #29
- chore(release): version packages by @github-actions[bot] in #30
Full Changelog: v0.1.3...v1.0.0
v0.1.3
What's Changed
- fix(cli): read version from package.json; harden smoke-test invocation by @faraa2m in #27
- chore(release): version packages by @github-actions[bot] in #28
Full Changelog: v0.1.2...v0.1.3
v0.1.2
What's Changed
- fix(cli): add prepack hook so chmod +x runs at publish time in CI by @faraa2m in #25
- chore(release): version packages by @github-actions[bot] in #26
Full Changelog: v0.1.1...v0.1.2