Releases: civic-source/us-code-tracker
Releases · civic-source/us-code-tracker
Release list
v0.6.1
0.6.1 (2026-06-30)
Bug Fixes
- annotator,types: bound untrusted strings flowing into the YAML sidecar (#232) (#243) (66b7e3b)
- annotator: correct rate-limiter to 5000/hr and drop redundant bucket (#230) (#248) (8d21c41)
- annotator: escape all string fields in sidecar YAML serialization (#224) (765340c)
- annotator: pin sourceUrl to CourtListener origin (#223, finding 1) (#225) (1b99e32)
- annotator: validate CourtListener result elements before use (#237) (#244) (b9dbaa2)
- ci: decode+unzip OLRC archive before transforming in sync (#204) (e7712cd), closes #199
- ci: make @civic-source/* resolvable for sync-law.yml inline scripts (#198) (c3e1938), closes #194
- ci: pass OLRC-derived values via env to prevent shell injection in sync-law (#229) (#240) (bfe2a25)
- fetcher: decouple decompressed-size cap from download cap (#226) (#227) (1d21fb3)
- fetcher: guard HashStore.load against non-object stores (#238) (#247) (75c727d)
- fetcher: harden against SSRF and oversized downloads (#205) (f4fbd50), closes #201
- fetcher: harden ZIP extraction, title padding, and HTML body cap (#220) (cea57b7)
- fetcher: parse redesigned OLRC page (relative releasepoints hrefs) (#217) (c0f523f), closes #216
- fetcher: stream-cap fetchXml body instead of buffering the whole ZIP (#231) (#245) (c450e50)
- scripts: distinguish absent vs failed title fetches; gate resume cursor (#236) (#246) (73c87c9)
- scripts: drop shell from generate-diffs git calls + anchor tag validation (#235) (#241) (6d30b77)
- shared: harden fetchWithRetry (backoff cap, 429, Retry-After, aborts) (#212) (6e632a1)
- shared: serialize TokenBucket.waitAndConsume to prevent over-issue (#213) (7f92425), closes #209
- transformer: escape < and > in extracted text (XSS defense-in-depth) (#207) (301e598)
- transformer: escape YAML frontmatter strings (closes #221) (#222) (e1f7d40)
- types: constrain rendered/fetched URLs to http(s) scheme (#211) (63d4375), closes #210
- uncited-case dedupe collapse and appendix-title path collision (#206) (c7193dd), closes #202
- web: escape JSON-LD to prevent </script> breakout XSS (#203) (0af8e74)
- web: sanitize rendered statute Markdown with rehype-sanitize (#200) (#215) (2fb5ef8)
v0.6.0
Features
- Full release flow migrated to release-please (#185)
- Node 24 LTS + pnpm 11 + TypeScript 6 across the stack (#175, #184)
- CodeQL SAST + Token-Permissions hardening (#166)
- HTML sanitization library swap (sanitize-html) replacing regex (#171)
- Tailwind unpinned to ^4.3 after upstream ESM bug fixed (#181)
- Astro 6.3.1 + @astrojs/svelte 8.1.0 (#169)
Bug fixes
- 7 transitive Dependabot security alerts (#165)
- 6 CodeQL real-bug fixes incl. ReDoS, YAML escape, temp-file races (#170)
- Scorecard codeql-action SHA pinned to commit (#164)
- Token-permission and CI workflow updates (#163)
See CHANGELOG.md for the full conventional-commit history.