Skip to content

chore: Prepare Release v10.0.1 (auto-deploy)#8796

Merged
Jason3S merged 1 commit into
mainfrom
release-draft
May 31, 2026
Merged

chore: Prepare Release v10.0.1 (auto-deploy)#8796
Jason3S merged 1 commit into
mainfrom
release-draft

Conversation

@github-actions

@github-actions github-actions Bot commented Apr 6, 2026

Copy link
Copy Markdown
Contributor

Release v10.0.1

Release Notes

Details

Fixes

fix(cli): ignore closed readline after stdin (#8862)

fix(cli): ignore closed readline after stdin (#8862)

What changed

Wrap the stdin readline async iterator so CSpell ignores the terminal readline was closed error that can occur after stdin has already yielded its file list.

Other readline errors are still rethrown.

Why

Fixes #8778. On Node 24, cspell lint --file-list stdin can finish processing a large stdin file list and then report Linter Error: readline was closed instead of completing cleanly.

Tests

Added unit coverage for:

  • preserving all yielded stdin lines when readline throws readline was closed after reading
  • continuing to throw unrelated readline errors

I could not run the package test command locally in this sandbox because the checkout has no node_modules, and Corepack is blocked from creating its user cache directory (EPERM under ~/.cache/node/corepack).


fix(docs): replace `.json` with `package.json` in configuration docs (#8861)

fix(docs): replace .json with package.json in configuration docs (#8861)

Fix

In the package.json configuration section, the sentence referred to
"the .json file" instead of "the package.json file".

Before: "CSpell looks for the configuration in the cspell field of the .json file."
After: "CSpell looks for the configuration in the cspell field of the package.json file."


fix: substitution display and ranges for output checking (#8838)

fix: substitution display and ranges for output checking (#8838)

Added a French dictionary and fixed the positioning logic for error reporting of replacement words.


fix: use env vars for GitHub context expressions in run steps to prevent injection (#8852)

fix: use env vars for GitHub context expressions in run steps to prevent injection (#8852)

Summary

This PR fixes script injection and secret exposure security issues found in GitHub Actions workflows and composite actions. In each case, a GitHub expression (${{ ... }}) was used directly inside a run: shell command instead of being passed through an environment variable — the recommended approach per GitHub's security hardening guide.

Issues Fixed

🔴 Secrets exposed in process arguments (visible via ps aux)

File Issue
update-readme.yml pnpm update-contributors ${{ secrets.GITHUB_TOKEN }} — token as CLI arg
reuseable-load-integrations-repo-list.yml ./tester.js list --json $DIRTY -t ${{ secrets.GITHUB_TOKEN }} — token as CLI arg
build-version-release.yml "https://${{ secrets.GITHUB_TOKEN }}@github.com/..." — token inline in URL

🔴 GITHUB_ENV injection (allows setting arbitrary environment variables)

File Issue
set-env/action.yaml echo "${{ inputs.name }}<<delimiter" >> $GITHUB_ENV — name injected directly

🟠 Shell script injection via unsanitised expressions in run: steps

File Expression
build-version-release.yml ${{ steps.version.outputs.version }} in lerna/gh commands
publish.yml ${{ steps.dist_tag.outputs.value }} in lerna publish command
integration-test.yml ${{ matrix.repo }} in shell run and jq selector
update-dictionaries.yml ${{ matrix.repo }} in shell run and jq selector
update-integration-repositories.yml ${{ matrix.repo }} and ${{ github.event.inputs.ref }} in run steps
reuseable-pr-from-artifact.yml ${{ inputs.patch_path }} in git apply command
update-dependencies-old.yml ${{ toJson(github.event.inputs) }} in echo command

Fix Pattern

For each issue, the expression is moved to an env: block and referenced via shell variable:

# Before (unsafe)
run: some-command ${{ github.event.inputs.ref }}

# After (safe)
env:
  REF: ${{ github.event.inputs.ref }}
run: some-command "$REF"

For jq queries using matrix.repo, the injection-safe --arg flag is used:

# Before (jq injection risk)
run: jq '.[] | select(.path == "${{ matrix.repo }}")'

# After (safe)
env:
  REPO: ${{ matrix.repo }}
run: jq --arg repo "$REPO" '.[] | select(.path == $repo)'

Version Information

  • Tag: v10.0.1
  • Version: 10.0.1

Summary

 .release.json                                    |   6 +-
 CHANGELOG.md                                     | 127 +++++++++++++++++++++++
 packages/cspell-bundled-dicts/CHANGELOG.md       |  10 ++
 packages/cspell-config-lib/CHANGELOG.md          |  10 ++
 packages/cspell-dictionary/CHANGELOG.md          |  10 ++
 packages/cspell-eslint-plugin/CHANGELOG.md       |  10 ++
 packages/cspell-filetypes/CHANGELOG.md           |  10 ++
 packages/cspell-gitignore/CHANGELOG.md           |  10 ++
 packages/cspell-glob/CHANGELOG.md                |  10 ++
 packages/cspell-grammar/CHANGELOG.md             |  10 ++
 packages/cspell-io/CHANGELOG.md                  |  10 ++
 packages/cspell-json-reporter/CHANGELOG.md       |  10 ++
 packages/cspell-lib/CHANGELOG.md                 |  10 ++
 packages/cspell-normalize-json/CHANGELOG.md      |  10 ++
 packages/cspell-performance-monitor/CHANGELOG.md |  10 ++
 packages/cspell-pipe/CHANGELOG.md                |  10 ++
 packages/cspell-resolver/CHANGELOG.md            |  10 ++
 packages/cspell-service-bus/CHANGELOG.md         |  10 ++
 packages/cspell-strong-weak-map/CHANGELOG.md     |  10 ++
 packages/cspell-tools-alias/CHANGELOG.md         |  10 ++
 packages/cspell-tools/CHANGELOG.md               |  10 ++
 packages/cspell-trie-lib/CHANGELOG.md            |  10 ++
 packages/cspell-trie/CHANGELOG.md                |  10 ++
 packages/cspell-types/CHANGELOG.md               |  10 ++
 packages/cspell-url/CHANGELOG.md                 |  10 ++
 packages/cspell-worker/CHANGELOG.md              |  10 ++
 packages/cspell/CHANGELOG.md                     | 127 +++++++++++++++++++++++
 packages/dynamic-import/CHANGELOG.md             |  10 ++
 packages/flatpack-json/CHANGELOG.md              |  10 ++
 packages/hunspell-reader/CHANGELOG.md            |  10 ++
 packages/rpc/CHANGELOG.md                        |  10 ++
 31 files changed, 537 insertions(+), 3 deletions(-)

@github-actions github-actions Bot force-pushed the release-draft branch 8 times, most recently from bc8d2a6 to f7682d8 Compare April 13, 2026 13:55
@github-actions github-actions Bot force-pushed the release-draft branch 2 times, most recently from 1aa26ad to e928c53 Compare April 29, 2026 21:15
@github-actions github-actions Bot force-pushed the release-draft branch 3 times, most recently from 6ae1612 to b588734 Compare May 5, 2026 14:29
@github-actions github-actions Bot force-pushed the release-draft branch 16 times, most recently from eb6d2a2 to 182fd52 Compare May 24, 2026 07:30
@github-actions github-actions Bot force-pushed the release-draft branch 17 times, most recently from 45ef4a4 to 50922a5 Compare May 30, 2026 16:17
@Jason3S Jason3S merged commit 39e5ccd into main May 31, 2026
1 check passed
@Jason3S Jason3S deleted the release-draft branch May 31, 2026 08:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: Linter Error: readline was closed on Node 24

1 participant