23f7624596
ADR-166 MCP Bridge Security Lock / Static-source security lock (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / Compose default binds loopback + Mongo has auth (push) Failing after 2s
CodeQL Advanced / Analyze (rust) (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / plugin-agent-federation bindHost default (push) Failing after 1s
ADR-166 MCP Bridge Security Lock / Runtime behavior — 401 + terminal gate + fail-closed (push) Failing after 4s
business-pods-smoke / smoke (push) Failing after 1s
all-plugins-smoke / smoke-all (push) Failing after 2s
CI/CD Pipeline / Security & Code Quality (push) Failing after 1s
CI/CD Pipeline / Test Suite (ubuntu-latest) (push) Failing after 1s
CI/CD Pipeline / Build & Package (macos-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (ubuntu-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (windows-latest) (push) Has been skipped
CI/CD Pipeline / Documentation & Examples (push) Failing after 1s
Clone Tracker (14-day rolling) / Snapshot clones for ruflo ecosystem (push) Failing after 1s
CodeQL Advanced / Analyze (actions) (push) Failing after 1s
CodeQL Advanced / Analyze (javascript-typescript) (push) Failing after 1s
federation-peer-rust / stable-noop (push) Failing after 1s
metaharness-ci / score (push) Failing after 1s
metaharness-ci / router-compat (push) Failing after 0s
metaharness-ci / similarity-tests (push) Failing after 0s
no-agentbbs-smoke / smoke-without-agentbbs (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (windows-latest) (push) Has been skipped
codex-integration-audit / Codex integration audit (push) Failing after 1s
helpers-manifest-guard / guard (push) Failing after 1s
🔗 Cross-Agent Integration Tests / 🤝 Agent Coordination Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🧠 Memory Sharing Integration (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🛡️ Fault Tolerance Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / ⚡ Performance Integration Tests (push) Has been skipped
metaharness-ci / mcp-scan (push) Failing after 1s
metaharness-ci / eject-dryrun (push) Failing after 1s
metaharness-ci / metaharness-real-data (push) Failing after 0s
no-cli-optdep-bloat-2561 / guard (push) Failing after 1s
no-metaharness-smoke / smoke-without-metaharness (push) Failing after 1s
no-phantom-agentic-flow-subpath / guard (push) Failing after 1s
🔄 Automated Rollback Manager / 🚨 Failure Detection (push) Failing after 1s
V3 CI/CD Pipeline / Plugin hooks smoke / ubuntu-latest / Node 22 (push) Failing after 1s
V3 CI/CD Pipeline / ruflo-graph-intelligence build + test smoke (#2044, ADR-123) (push) Failing after 1s
CVE Audit Gate / Audit root (critical-blocking) (push) Failing after 2s
cost-tracker-smoke / smoke (push) Failing after 3s
oia-audit-weekly / audit (push) Failing after 2s
ruflo-agent-smoke / ruflo-agent structural smoke (push) Failing after 1s
📊 Status Badges Update / 📊 Update Status Badges (push) Failing after 1s
V3 CI/CD Pipeline / Static regression guards (#2267 YAML + (push) Failing after 1s
V3 CI/CD Pipeline / Test V3 Packages (push) Failing after 0s
V3 CI/CD Pipeline / agent_execute provider routing smoke (#2042) (push) Failing after 0s
CVE Audit Gate / Audit v3 (critical-blocking) (push) Failing after 1s
federation-peer-rust / stable-native (push) Failing after 2s
🔗 Cross-Agent Integration Tests / 🚀 Integration Test Setup (push) Failing after 2s
neural-trader-smoke / runtime-smoke (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (macos-latest) (push) Has been skipped
V3 CI/CD Pipeline / Build V3 (ubuntu-latest) (push) Has been skipped
V3 CI/CD Pipeline / Type Check V3 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 24 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 22 (push) Failing after 2s
V3 CI/CD Pipeline / browser rvf create flag smoke (#2015) (push) Failing after 0s
V3 CI/CD Pipeline / Dependency review (#2046) (push) Has been skipped
V3 CI/CD Pipeline / Supply-chain audit (#2046) (push) Failing after 0s
V3 CI/CD Pipeline / witness marker drift smoke (#2021) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader portfolio CG smoke (#2068, ADR-126 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader backtest signing smoke (#2068, ADR-126 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / kg-extract type-import classification smoke (#2049) (push) Failing after 0s
V3 CI/CD Pipeline / witness verify precondition smoke (#1880) (push) Failing after 2s
V3 CI/CD Pipeline / neural-trader pipeline risk-gate smoke (#2068, ADR-126 Phase 5) (push) Failing after 0s
V3 CI/CD Pipeline / neural-trader feature attribution smoke (#2068, ADR-126 Phase 6) (push) Failing after 0s
V3 CI/CD Pipeline / plugin-registry signature verification smoke (#1922, CWE-347) (push) Failing after 4s
V3 CI/CD Pipeline / memory stats legacy-DB smoke (#2120) (push) Failing after 4s
V3 CI/CD Pipeline / github deprecated actions smoke (#2089, ADR-127 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / graph query + pathfinder smoke (ADR-130 P2+P5) (push) Has been skipped
V3 CI/CD Pipeline / graph trajectory hooks smoke (ADR-130 P3) (push) Has been skipped
V3 CI/CD Pipeline / graph plugin adapter smoke (ADR-130 P4) (push) Has been skipped
V3 CI/CD Pipeline / graph benchmark (ADR-130 P6) (push) Has been skipped
V3 CI/CD Pipeline / statusline generator delegation smoke (#2195) (push) Failing after 1s
V3 CI/CD Pipeline / wizard init regression guard (#2206 (push) Failing after 1s
V3 CI/CD Pipeline / memory no-stray-db smoke (ADR-125 P7) (push) Failing after 1s
V3 CI/CD Pipeline / github-safe injection smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github actions pin smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github attribution opt-in smoke (#2089, ADR-127 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / pre-bash hook safety smoke (#2017) (push) Failing after 1s
V3 CI/CD Pipeline / Memory import smoke / ubuntu-latest (push) Failing after 0s
V3 CI/CD Pipeline / MCP protocol smoke / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / ruvllm WASM auto-init smoke (#2086) (push) Failing after 4s
V3 CI/CD Pipeline / MCP paired-tool round-trip smoke (#1889) (push) Failing after 1s
V3 CI/CD Pipeline / Plugin package install-safety (#1902/#1903/#1904) (push) Failing after 1s
V3 CI/CD Pipeline / Tool description discoverability (ADR-112) (push) Failing after 3s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (22) (push) Failing after 1s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (24) (push) Failing after 1s
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Vector-index dimension audit (#1947) (push) Failing after 0s
V3 CI/CD Pipeline / Hook-command install safety (#1921) (push) Failing after 1s
V3 CI/CD Pipeline / ToolOutputGuardrail smoke (ADR-131, (push) Failing after 1s
V3 CI/CD Pipeline / init-bundle invariants smoke (#2095, ADR-128 Phase 5) (push) Failing after 1s
V3 CI/CD Pipeline / wasm provider bridge smoke (ADR-129 P1) (push) Failing after 2s
V3 CI/CD Pipeline / wasm gallery CRUD smoke (ADR-129 P3) (push) Failing after 1s
V3 CI/CD Pipeline / wasm plugin bridge smoke (ADR-129 P4) (push) Failing after 0s
V3 CI/CD Pipeline / wasm compose smoke (ADR-129 P2) (push) Failing after 4s
V3 CI/CD Pipeline / graph schema smoke (ADR-130 P1) (push) Failing after 0s
Validate Marketplace / validate (push) Failing after 1s
🔍 Verification Pipeline / 🚀 Setup Verification (push) Failing after 1s
🔍 Verification Pipeline / 🛡️ Security Verification (push) Has been skipped
🔍 Verification Pipeline / 📝 Code Quality (push) Has been skipped
🔍 Verification Pipeline / 🧪 Test Verification (${{ matrix.os }}, Node ${{ matrix.node }}) (push) Has been skipped
🔍 Verification Pipeline / 🏗️ Build Verification (push) Has been skipped
🔍 Verification Pipeline / 📚 Documentation Verification (push) Has been skipped
CVE Audit Gate / High-severity report (warn only) (push) Has been cancelled
🔄 Automated Rollback Manager / 🔄 Execute Rollback (push) Has been cancelled
🔄 Automated Rollback Manager / ✅ Post-Rollback Verification (push) Has been cancelled
🔄 Automated Rollback Manager / 📊 Rollback Monitoring (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / windows-latest (push) Has been cancelled
🔄 Automated Rollback Manager / ⏳ Manual Rollback Approval (push) Has been cancelled
V3 CI/CD Pipeline / MCP protocol smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Memory import smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / ubuntu-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Publish to npm (alpha) (push) Has been cancelled
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / macos-latest / Node 22 (push) Has been cancelled
V3 CI/CD Pipeline / Plugin hooks smoke / macos-latest / Node 22 (push) Has been cancelled
CI/CD Pipeline / Deploy & Release (push) Has been cancelled
CI/CD Pipeline / CI Status (push) Has been cancelled
🔗 Cross-Agent Integration Tests / 📊 Integration Test Report (push) Has been cancelled
🔄 Automated Rollback Manager / 🔍 Pre-Rollback Validation (push) Has been cancelled
🔍 Verification Pipeline / ⚡ Performance Verification (push) Has been cancelled
🔍 Verification Pipeline / 📊 Verification Report (push) Has been cancelled
88 lines
7.0 KiB
Markdown
88 lines
7.0 KiB
Markdown
# Socket.dev Alert Baseline — `claude-flow`
|
|
|
|
> Last revised: 2026-06-09 against `claude-flow@3.10.40`
|
|
> Source: <https://socket.dev/npm/package/claude-flow/alerts/3.10.40>
|
|
> Tracking issue: ruvnet/ruflo#2339
|
|
|
|
## TL;DR
|
|
|
|
Most of Socket's alerts on `claude-flow` describe **legitimate behaviour of a CLI agent platform** (network access, filesystem access, env-var reads, shell access, native modules, etc.) and cannot and should not be "fixed" — they are intrinsic to what the package does. This doc separates the inherent-and-expected categories from the small set that's actually actionable, so the next reviewer doesn't go down the same rabbit hole.
|
|
|
|
## What's protected today
|
|
|
|
| Layer | Mechanism | Status |
|
|
|---|---|---|
|
|
| Ruflo dev tree | `overrides` block in root `package.json` (lines 77-107) — pins `protobufjs >=8.2.0`, `uuid >=14.0.0`, plus 25+ other transitive forces | ✅ `npm audit` returns 0 vulnerabilities on the working tree |
|
|
| Ruflo dev tree | `supply-chain-audit` CI job in `.github/workflows/v3-ci.yml` (line 629) — runs `npm audit --audit-level=high`, lockfile integrity, top-level allowlist, typosquat reject, publisher trust snapshot | ✅ Gates every PR + push to main |
|
|
| Dependency review | `dependency-review` CI job (line 675) — GitHub's `dependency-review-action` checks new vulnerable deps in PRs | ⚠️ Gated on Pages-style Dependency Graph being enabled at repo level; currently `continue-on-error: true` |
|
|
|
|
## What's NOT fully fixable from inside `claude-flow`
|
|
|
|
`npm overrides` in our root `package.json` only apply when **we** are the root of the dep tree. When a consumer runs `npm install claude-flow@3.10.40`, *their* root `package.json` is the one whose overrides apply — ours are ignored. This is the same trap documented in CLAUDE.md for the `ruflo` wrapper (#2112).
|
|
|
|
A clean install of `claude-flow@3.10.40` therefore still pulls in:
|
|
|
|
| Severity | Package | CVE summary | Root cause |
|
|
|---|---|---|---|
|
|
| Critical | `protobufjs` | Arbitrary code execution via bytes-field defaults in generated `toObject` code | Transitive of `onnx-proto` → `onnxruntime-web` → `@xenova/transformers` |
|
|
| Moderate | `uuid` | Missing buffer bounds check in v3/v5/v6 when `buf` is provided | Transitive — multiple paths |
|
|
| High (cascade) | `onnx-proto`, `onnxruntime-web`, `@xenova/transformers`, `agentdb`, `agentic-flow`, `@claude-flow/memory`, `@claude-flow/neural`, `@claude-flow/plugin-gastown-bridge`, `claude-flow` itself | All downstream of the protobufjs + uuid root causes | — |
|
|
|
|
**Why this can't be fixed in this PR**: the upstream `@xenova/transformers@2.17.2` (latest) still pins `onnxruntime-web@1.14.0` which carries the bad `onnx-proto` → `protobufjs` chain. No clean upstream version exists today. Resolving consumer-side requires either:
|
|
|
|
1. A patched `@xenova/transformers` release (waiting on upstream), or migrating to `@huggingface/transformers` (the rebranded successor — needs evaluation), OR
|
|
2. Republishing the affected `@claude-flow/*` sub-packages with explicit transitive pins in *their* `dependencies` blocks (multi-PR coordinated effort), OR
|
|
3. Dropping the optional ML stack (`agentic-flow`, `@xenova/transformers`) — would lose ONNX-backed features
|
|
|
|
Tracked in #2339 as separate follow-up work.
|
|
|
|
## Inherent flags — what they mean, why we keep them
|
|
|
|
Socket fires these on every release. They describe normal CLI/agent behaviour and are not signals of a bug.
|
|
|
|
| Alert | Count | Why it's normal here |
|
|
|---|---|---|
|
|
| Network access | 68 pkgs | HTTP clients (Anthropic SDK, MCP transports, `fetch`-based tools) |
|
|
| Filesystem access | 82 pkgs | Universal — anything reading/writing files (memory backend, config, logs) |
|
|
| Environment variable access | 84 pkgs | `process.env.ANTHROPIC_API_KEY`, `CLAUDE_FLOW_*`, etc. — configuration |
|
|
| Shell access | 29 pkgs | `child_process` — used by every native-module installer, hook runners, `npx`-style spawning |
|
|
| Install scripts | 7 pkgs | Native modules: `better-sqlite3`, `hnswlib-node`, `onnxruntime-node`, `@ruvector/*` |
|
|
| Native code | 5 pkgs | Compiled binaries from the install-scripts row |
|
|
| URL strings | 108 pkgs | Every HTTP client embeds endpoint URLs as string literals |
|
|
| Debug access | 14 pkgs | The `debug` package and reflection-based helpers |
|
|
| Dynamic require | 16 pkgs | Plugin system (`mcp`, hooks, agents) + conditional optional-dep loading |
|
|
| Minified code | 10 pkgs | Some libraries ship pre-bundled (`undici`, `axios` internals, etc.) |
|
|
| Unpopular package | 29 pkgs | Long-tail transitives — popularity is not a security signal |
|
|
| Unmaintained | 64 pkgs | Long-tail transitives stale >5 years — checked against CVE/deprecation separately |
|
|
| New author | 20 pkgs | Maintainer changes — informational, not a vuln |
|
|
|
|
## False positives we've explicitly triaged
|
|
|
|
| Alert | What Socket said | Reality |
|
|
|---|---|---|
|
|
| AI-detected possible typosquat → "did you mean `z-schema`?" | Suggested `zod` is a typosquat of `z-schema` | `zod` is a 10M-weekly-download canonical TypeScript schema library, not a typosquat. Socket's AI guess is wrong. |
|
|
| AI-detected potential security risk | 15 instances in 7 packages | Heuristic-only; none corroborated by an actual CVE or code review |
|
|
| AI-detected potential code anomaly | 52 instances in 46 packages | Same — heuristic-only |
|
|
| Obfuscated code | 17 instances in 11 packages | All match the "pre-bundled / minified" pattern (`undici`, `axios` internals); none match the active-obfuscation-malware pattern |
|
|
|
|
## Operational policy
|
|
|
|
1. **Root tree must stay green.** The `supply-chain-audit` job in `v3-ci.yml` enforces `npm audit --audit-level=high` on every PR. Adding a new direct dep that introduces a HIGH/CRITICAL fails CI.
|
|
2. **Overrides are a first-line tool.** If a new transitive CVE lands, add an `overrides` entry pinning to a patched version. The current set (root `package.json` lines 77-107) is the precedent.
|
|
3. **Document gaps before merging.** When a CVE can't be cleanly overridden (e.g., the protobufjs cascade documented above), update this file with the rationale rather than silently ignoring it.
|
|
4. **Re-baseline this doc when claude-flow versions bump.** The alert counts here are tied to `3.10.40` — when the version moves, re-run the audit (`scripts/probe-nested-spawn-depth.mjs` style) and update the tables.
|
|
|
|
## When to revisit
|
|
|
|
- **Quarterly**: re-check upstream for `@xenova/transformers` / `onnxruntime-web` patched versions
|
|
- **On Socket alert change**: if Socket flags something new at *critical* severity for a direct dep, that's a real signal and warrants immediate triage
|
|
- **On new direct dep addition**: the `supply-chain-audit` job will catch this at PR time; no manual checklist needed
|
|
|
|
## Related
|
|
|
|
- ADR-097 — federation budget circuit-breaker (cost-side supply chain)
|
|
- ADR-145 — plugin supply-chain integrity (install-time)
|
|
- ADR-144 — authorization propagation (action-time, ADR-131 is content-time)
|
|
- Issue #2046 — original supply-chain hardening (the source of `supply-chain-audit` job)
|
|
- Issue #2339 — this baseline + Socket alert response
|