chore: upstream dependency sync 2026-06-22 #31

Merged
impravin22 merged 1 commit into main from chore/upstream-sync-2026-06-22 on Jun 30, 2026

@github-actions

Contributor

Upstream Dependency Sync

Upstream changes detected by the daily tracker workflow.

Changes Detected

context7

  • New release: @upstash/context7-mcp@3.2.2 (was ctx7@0.5.1)
  • Release notes:
### Patch Changes

- 2253765: Validate Enterprise-Managed Auth (id-jag) access tokens at the MCP server, so MCP clients can authenticate to Context7 through an enterprise IdP (Okta) via the MCP Enterprise-Managed Authorization extension.
  • Impact: 🟡 review (code touched)
  • Commit mix: 5 chore · 6 docs · 8 feat · 3 fix · 3 other
  • Files touched: code=18 docs=72 ci=4 test=2 other=9
  • 25 new commit(s) since last check
  • Latest: 18e6d47 — chore(release): version packages (#2808)
  • Recent commits:
  • eb1bc85 [chore] chore: remove changeset check workflow (#2741)
  • cc011a4 [feat] feat: add Codex client documentation and update OAuth flow details for existing clients (#2742)
  • 06843a6 [other] fix copilot cli plugin compatability (#2743)
  • 1f6212b [other] trigger the Test workflow only when they touch packages/** or the root files that affect the toolchain (#2747)
  • c10f116 [feat] feat: add Context7 Codex plugin with installation instructions and documentation (#2748)

lightrag

  • New release: v1.5.3 (was v1.5.1)
  • Release notes:
## ⚠️ Upgrade Notes (existing Milvus deployments)

Due to PR #3228, upgrading an existing Milvus deployment triggers a one-time automatic migration on the next initialize_storages(): the legacy collection is copied into the new model-suffixed collection (schema-upgraded and byte-truncated) before the service becomes ready. Plan for the extra startup time and write throughput on large collections.

* The migration runs only once. After the suffixed collection exists, every subsequent startup validates and loads it directly and does not re-scan or re-migrate the legacy collection.
* The legacy data is never deleted automatically. For safety the old {workspace}_{namespace} collection is kept, not dropped, so vector storage is temporarily duplicated after the upgrade. This is intentional — the migration does not reclaim the space for you.
  * Action required: once you have confirmed the migration succeeded and the new system works correctly against the model-suffixed collection, manually drop the old {workspace}_{namespace} collection yourself to reclaim storage. Until you do, the duplicated vectors remain on disk.
* Legacy collections whose data is incompatible (different vector dimension, or an old simple schema with no vector field) are not migrated; a fresh suffixed collection is created instead and the legacy data is left untouched.

## What's New
* feat(tools): add offline VDB rebuild for vector drift recovery by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3243
* feat(concurrency): make MAX_ASYNC a true cross-worker limit under gunicorn + aggregated queue stats by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3253
* refact(Milvus): Fix Milvus dynamic field overflow + isolate collections by embedding model by @ye-guan-xing in https://github.com/HKUDS/LightRAG/pull/3228

## What's Changed
* fix(pipeline): retry malformed multimodal analysis JSON by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3242
* Add workspace path traversal validation by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3244
* 🐛 fix(mongo): close MongoClient on ClientManager release by @skymacro in https://github.com/HKUDS/LightRAG/pull/3251
* Fix Qdrant/PostgreSQL resurrecting cleared data: clear workspace's legacy rows on drop by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3254
* fix(neo4j): bind APOC labelFilter as parameter to prevent Cypher injection by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3257
  • Impact: 🔴 likely matters (breaking change)
  • Commit mix: 9 chore · 12 docs · 18 feat · 63 fix · 115 other · 11 refactor · 2 style · 3 test
  • Files touched: code=0 docs=19 ci=1 test=103 other=95
  • 233 new commit(s) since last check
  • Latest: 4e1f952 — Merge pull request #3295 from HKUDS/refactor/docx-parser-no-chunking
  • Recent commits:
  • 83c047d [other] Fix Milvus dynamic field overflow for VDB metadata
  • 4854336 [fix] fix: apply pre-commit formatting fixes
  • a43e95e [other] 🐛 fix(neo4j): sanitize Lucene reserved chars in label search
  • 8306ab0 [other] Merge pull request #3233 from danielaskdd/fix/neo4j-search-labels-lucene-special-chars
  • fa213a8 [other] Bump core version to 1.5.2 and API version to 0380

vercel-agent-skills

  • Impact: 🟡 review (code touched)
  • Commit mix: 2 fix · 1 other
  • Files touched: code=1 docs=0 ci=0 test=1 other=1
  • 3 new commit(s) since last check
  • Latest: f8a72b9 — Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn
  • Recent commits:
  • 847de8d [fix] fix(vercel-optimize): run vercel via node entry on Windows (execFile can't spawn .cmd)
  • 190df9e [fix] fix(vercel-optimize): harden Windows CLI resolution
  • f8a72b9 [other] Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn

everything-claude-code

  • New release: v2.0.0 (was v1.10.0)
  • Release notes:
ECC 2.0.0 is the stable graduation of the 2.0 line: ECC as a cross-harness operating system for agentic work. Claude Code stays first-class; Codex, OpenCode, Cursor, Gemini, Zed, and terminal-only workflows share the same skills, rules, hooks, MCP conventions, release gates, and operator workflows. This is the months-in-the-making release the rc.1 candidate was building toward.

## The control pane (early build)

![ECC Control Pane — sessions, metrics, and the work-items board](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-1.png)

![Operator column — knowledge recall, connectors, and runnable agent actions](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-2.png)

The ECC 2.0 operating surface, running locally (`node scripts/control-pane.js`): operator recall search, live session metrics, a work-items board with ready/running/blocked/done lanes, and an operator column that drives knowledge sync/recall, graph backfill, and the TUI. The session adapters and MCP inventory below feed this board. Build-in-public continues in the Discord #control-pane channel.

## What is new

- **261 public skills** across coding, research, security, media, enterprise ops, and agent workflows (rc.1 shipped 243) — plus 64 agents and 84 commands.
- **The control-pane substrate** — the foundation of the ECC 2.0 operating surface:
  - harness-neutral session adapters (`ecc.session.v1`) covering Claude Code, Codex, OpenCode, and dmux — one schema for "which agent is where, doing what"
  - MCP inventory (`ecc.mcp.v1`) — one normalized view of every MCP server config across harnesses, with fragmentation/drift detection and secret redaction (it caught a real arg-carried key leak during development)
  - worktree-lifecycle service — deterministic merge-conflict prediction and safe GC for parallel agent worktrees
- **`orch-*` orchestrator skill family** plus dynamic workflow team orchestration — multi-agent fan-out as a first-class surface.
- **Single-connector MCP default policy** — the default set is now exactly one connector (`chrome-devtools`); the other six retired to opt-in after a June 2026 audit. Policy + per-connector rationale: `docs/MCP-CONNECTOR-POLICY.md`.
- **Rollout-derived optimization pack**: `parallel-execution-optimizer`, `benchmark-optimization-loop`, `data-throughput-accelerator`, `latency-critical-systems`, `recursive-decision-ledger`.
  • Impact: 🟡 review (code touched)
  • Commit mix: 15 chore · 3 ci · 18 docs · 29 feat · 43 fix · 20 other · 1 refactor · 1 style
  • Files touched: code=0 docs=196 ci=13 test=0 other=93
  • 130 new commit(s) since last check
  • Latest: 71d22d0 — feat(layer4): live messages-table wiring for proximity triggers
  • Recent commits:
  • 194eeb9 [feat] feat: add taste skill for music-video creative direction
  • d4ed8ba [feat] feat(skills): add ml-adoption-playbook skill
  • 8ee5946 [docs] docs: refresh sponsor and readme surface
  • 3c5bcc2 [other] security: harden advisory intake and dependency coverage
  • 4f69955 [docs] docs: fix README markdownlint spacing

ui-ux-pro-max

  • New release: v2.6.0 (was v2.5.0)
  • Release notes:
## [2.6.0](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/compare/v2.5.0...v2.6.0) (2026-06-22)

### Features

* add JavaFX enterprise stack guidance ([#316](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/316)) ([53d670c](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/53d670cd3050dcbfa19acb0cf0d9e631422f7ca2))
* **cli:** sync draft and google-fonts data to CLI assets ([c981b92](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/c981b92b43d608fc21d8d2ef46c6f7323bc27573))
* **nuxt-ui:** update stack data to v4 ([#345](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/345)) ([fb1fc58](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/fb1fc58bf9d67d44b89b45761a81f7420cd7aab4))
* **release:** add semantic release automation ([#375](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/375)) ([c0fca2e](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/c0fca2efdc563b6259aa08081156469a9930c4eb))
* resolve 8 enhancement issues — Angular, Laravel, KiloCode, global install, uninstall, Warp, Augment, add-skill ([2910a74](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/2910a74e57e5a258017f7a00fe5b610862b0d0f2)), closes [#203](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/203) [#105](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/105) [#89](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/89) [#75](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/75) [#185](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/185) [#88](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/88) [#41](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/41) [#95](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/95)
* **threejs:** complete Three.js stack integration ([ddef277](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/ddef277aef3b9ca71ba32c0dc31a25f67f8d6325))

### Bug Fixes

* address Claude review findings ([035df47](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/035df47a56f95a7922bef481284e8acd5c3b75f0))
* **cli:** bump CLI version to 2.5.0 ([f4ad784](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/f4ad7845390dc5e0176c57a618bb45549b20ce4e)), closes [#199](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/199) [#195](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/195) [#172](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/172) [#132](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/132)
* **cli:** check dir existence before reporting removal in uninstall ([0d58617](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/0d58617a4281f441b58f480bf245083e57a8667d))
* **cli:** implement --force flag to protect existing skill files ([#324](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/324)) ([c522197](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/c522197c727ceb15dd855746c9403e651db11a40))
* **cli:** update Antigravity folder mapping to .agents ([8aacc9a](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/8aacc9a64b98636cb01b150c0004160e8e2a9ab8)), closes [#196](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/196)
* **core:** correct threejs STACK_CONFIG format and add missing stacks from main ([acc9c74](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/acc9c74d31b50c7499b3eb817b50b48e6f46c13f))
* correct project name from 'Antigravity Kit' to 'UI UX Pro Max' in CLAUDE.md ([#365](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/365)) ([fdc0a45](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/fdc0a45c55019be57922fead570d676f466e7d76))
  • Impact: 🔴 likely matters (breaking change)
  • Commit mix: 1 ci · 2 docs · 3 feat · 7 fix · 2 other
  • Files touched: code=6 docs=8 ci=4 test=0 other=12
  • 15 new commit(s) since last check
  • Latest: 9a863a5 — fix(release): avoid protected main writes
  • Recent commits:
  • fdc0a45 [fix] fix: correct project name from 'Antigravity Kit' to 'UI UX Pro Max' in CLAUDE.md (#365)
  • 5e2c0a2 [docs] docs: add Troubleshooting section to README (closes #304 #318 #338) (#350)
  • 03e6afc [ci] ci: add paths-ignore to python-package-conda workflow (#312)
  • 71d02ec [fix] fix(meta): align marketplace.json and package-lock.json to v2.5.0 (#327)
  • c522197 [fix] fix(cli): implement --force flag to protect existing skill files (#324)

superpowers

  • New release: v6.0.3 (was v5.1.0)
  • Release notes:

### Subagent-Driven Development

- **SDD scratch files moved out of `.git/`.** Claude Code treats `.git/` as a protected path and denies agent writes there, so an implementer subagent writing its report into `.git/sdd/` got blocked mid-run. Task briefs, implementer reports, review diffs, and the progress ledger now live in a self-ignoring `.superpowers/sdd/` directory in the working tree — kept out of `git status` and out of commits, and resolved per worktree by a shared `sdd-workspace` helper. One caveat: because the workspace is git-ignored working-tree scratch, `git clean -fdx` will delete the progress ledger; recover from `git log` if that happens. (#1780)
  • Impact: 🟡 review (code touched)
  • Commit mix: 6 chore · 11 docs · 12 feat · 23 fix · 112 other · 4 test
  • Files touched: code=0 docs=67 ci=1 test=49 other=24
  • 168 new commit(s) since last check
  • Latest: 896224c — Release v6.0.3: SDD artifacts move out of the .git/ protected path
  • Recent commits:
  • 8cf3900 [other] Job posting
  • 718cb1d [docs] docs: turned the dash in "- Jesse" into an escape sequence (#1474)
  • bce1267 [other] Spec: lift drill into superpowers as evals/
  • 09d2c1d [other] Spec: address adversarial review findings
  • 1a42ead [other] Plan: lift drill into superpowers as evals/

n8n-mcp

  • New release: v2.59.3 (was v2.57.1)
  • Release notes:
# Release v2.59.3

Generating release notes from v2.59.2 to HEAD
### 📝 Other Changes

- chore(release): v2.59.3 (67fb0d8)
- fix(generators): emit valid IF v2 and AI Agent configs (#374) (c4541c5)
- fix(shutdown): skip stdin.destroy() on Windows to avoid libuv crash (#383, #385) (139fb93)
- docs(railway): add upfront AUTH_TOKEN Before You Deploy callout (#152) (d2c34ce)
- fix(security): require complete tenant context on session restore (#844) (9372e75)

---

**Release Statistics:**
- 5 commits
- 1 contributor
- Contributors: czlonkowski

---
  • Impact: 🟡 review (code touched)
  • Commit mix: 7 chore · 4 docs · 1 feat · 16 fix · 20 other · 2 test
  • Files touched: code=0 docs=5 ci=0 test=0 other=295
  • 50 new commit(s) since last check
  • Latest: f3d96cb — Merge pull request #861 from czlonkowski/chore/release-v2.59.3
  • Recent commits:
  • 109c483 [fix] fix(workflow): allowlist write payload so n8n 2.x echo-back fields don't break updates
  • 33e3d5b [test] test(workflow): cover nodeGroups echo-back in allowlist (supersedes #835, #839)
  • 0a07f2f [fix] fix(workflow): object-merge settings on full update so partial payloads don't drop keys
  • 75887af [fix] fix(workflow): don't let a null settings payload wipe current settings
  • 7fec791 [other] Merge pull request #840 from czlonkowski/fix/update-workflow-additional-properties

claude-mem

  • New release: v13.8.0 (was v13.4.2)
  • Release notes:
## Telemetry: observation volume on per-session rollups

Carries generation-side observation volume and type mix on the `observer_turn_rollup` event so cache-value KPIs survive the migration off the legacy per-occurrence `session_compressed` / `context_injected` streams.

### What's new
- **`observer_turn_rollup`** now sums `observations_created` and the `obs_type_*` family (bugfix / discovery / decision / refactor / other) across every compression turn in a session. Paired with `total_cost_usd`, this makes **cost-per-observation** and **observation-type-by-model** derivable from the rollup alone.
- **`context_injected_rollup`** carries `total_observations_injected` and `total_tokens_saved_vs_naive` — context-cache value (observations served × cost/obs) is now derivable from the rollup.
- `scrub.ts` whitelist extended for the new aggregate keys; all values are counts/sums only — never names, prompt text, or raw strings.
- Public `telemetry.mdx` docs updated to document the new rollup fields.

### Merge notes
- Merged latest `main` (Ponytail audit, v13.7.1), which removed fabrication tracking; the now-stale `fabrication_count` / `fabricated_count` references were dropped from code and docs accordingly.

Full changes: https://github.com/thedotmack/claude-mem/pull/3017
  • Impact: 🟡 review (code touched)
  • Commit mix: 1 build · 14 chore · 1 ci · 16 docs · 16 feat · 8 fix · 10 other · 1 refactor · 1 test
  • Files touched: code=170 docs=52 ci=2 test=56 other=20
  • 68 new commit(s) since last check
  • Latest: 87e4836 — feat(skills): add "what-the" skill for plain-English breakdowns (#3026)
  • Recent commits:
  • 35fbf91 [fix] fix(settings): keep file defaults from inheriting stale env overrides (#2853)
  • 57b9a39 [fix] fix(installer): require explicit consent before disabling Claude Code auto-memory (closes #2836) (#2859)
  • 3759d99 [other] batch: land five reviewed fixes from @rodboev (#2848 #2850 #2851 #2852 #2860) (#2862)
  • f3fa560 [other] Keep published docs aligned with release metadata (#2756)
  • 7121de4 [fix] fix(openclaw): compact routine feed messages (#2734)

voicemode

  • Impact: 🟡 review (code touched)
  • Commit mix: 2 chore · 1 ci · 5 docs · 6 feat · 7 fix · 52 other
  • Files touched: code=0 docs=11 ci=4 test=15 other=33
  • 73 new commit(s) since last check
  • Latest: 21e63b4 — Merge tag 'ready/feat/VM-1637-conch-give-to-any-running-session-summon-a-non'
  • Recent commits:
  • 1ed5bf9 [fix] fix(#249): improve UX when CUDA toolkit is missing during whisper install
  • 9798833 [fix] fix: address review feedback on CUDA install UX
  • 7bcc5a1 [feat] feat: add Cartesia TTS provider with SSE streaming
  • 3145d10 [other] Cartesia: address review feedback from PR #368
  • 83302e4 [feat] feat(nix): add whisper.cpp derivation with CUDA support

caveman

  • New release: v1.9.0 (was v1.8.2)
  • Release notes:
## Security

- **Installs now pinned + integrity-checked** (#261, #262)
  `curl|bash` and detached installs no longer fetch hook files from the moving
  `main` branch — they download from the immutable `v1.9.0` tag and verify
  every hook against `src/hooks/checksums.sha256` (SHA-256) before anything
  executes. Mismatch aborts the install. This is the first tag shipping the
  manifest, so enforcement is fully active as of this release.

- **`fix(docs)`: escape user input in the demo terminal** (#438)
  The docs site demo interpolated user input via `innerHTML` — a real
  reflected DOM XSS. Nodes are built with `textContent` now.

## opencode actually works now

Smoke-tested against a real opencode runtime for the first time — and the
plugin turned out to never load: opencode runs plugins inside a compiled Bun
binary where both `require()` of on-disk files and `await import()` of CJS
silently fail. Fixed by evaluating the shared config as CommonJS by hand.
Also fixed in the same pass, all verified end-to-end against opencode 1.4.0:
  • Impact: 🟡 review (code touched)
  • Commit mix: 4 chore · 1 feat · 8 fix · 2 other · 1 test
  • Files touched: code=9 docs=15 ci=1 test=12 other=10
  • 16 new commit(s) since last check
  • Latest: 25d22f8 — Update README.md
  • Recent commits:
  • e8eae0f [fix] fix(compress): utf-8 pin, Windows .cmd resolve, frontmatter + backup-dir
  • f06348c [fix] fix(skill): preserve user language, no self-reference, full-mode guardrails
  • f68111a [fix] fix(stats): Opus output price $75->$25 for 4.5+ era; Windows statusline UTF-8
  • 46de578 [fix] fix(docs): escape user input in demo terminal (XSS)
  • 6ce47d4 [fix] fix(mcp-shrink): shell:true on Windows so npx/.cmd upstream resolves

playwright-mcp

  • New release: v0.0.76 (was v0.0.75)
  • Release notes:
## What's New

### New Tools

- **`browser_video_show_actions` / `browser_video_hide_actions`** — Overlay action annotations on the recorded video, or hide them again ([#40914](https://github.com/microsoft/playwright/pull/40914))

### Tool Improvements

- **Remote endpoint** — `remoteEndpoint` now accepts a `ConnectOptions` object, not just a URL string ([#40964](https://github.com/microsoft/playwright/pull/40964))
- **`--output-max-size`** — Cap the size of tool responses, with post-response disk eviction of oversized output ([#41031](https://github.com/microsoft/playwright/pull/41031))
- **`--browser`** — Support `moz-firefox` BiDi channels ([#41126](https://github.com/microsoft/playwright/pull/41126))

## Bug Fixes

- Support `remoteHeaders` for the remote browser endpoint ([#40828](https://github.com/microsoft/playwright/pull/40828), [#41156](https://github.com/microsoft/playwright/pull/41156))
- Use `waitUntil: 'commit'` when navigating back/forward ([#41153](https://github.com/microsoft/playwright/pull/41153))
- Report invalid tool arguments instead of failing opaquely ([#40979](https://github.com/microsoft/playwright/pull/40979))
- Use a writable cache directory for MCP user data instead of the browsers path ([#40961](https://github.com/microsoft/playwright/pull/40961))
- Disconnect the tracked browser when the browser tracker is disposed ([#40967](https://github.com/microsoft/playwright/pull/40967))
- Report a missing `ffmpeg` distinctly from a missing browser ([#40867](https://github.com/microsoft/playwright/pull/40867))
  • Impact: 🟡 review (code touched)
  • Commit mix: 3 chore
  • Files touched: code=0 docs=1 ci=0 test=0 other=4
  • 3 new commit(s) since last check
  • Latest: b301c37 — chore: mark v0.0.76 (#1649)
  • Recent commits:
  • aa55fbb [chore] chore(deps-dev): bump hono from 4.12.18 to 4.12.23 (#1638)
  • 40de619 [chore] chore: roll Playwright to 1.61.0-alpha-1781023400000 (#1648)
  • b301c37 [chore] chore: mark v0.0.76 (#1649)

Review Checklist

  • Check for breaking API changes in updated dependencies
  • Update SKILL.md if upstream capabilities changed
  • Update install.sh if install methods changed
  • Update checklists if needed
  • Bump version in plugin.json if changes made
  • Run install.sh --dry-run to verify

This PR was automatically created by the upstream tracker workflow.

@github-actions github-actions Bot added the upstream-update Automated: upstream dependency has new changes label Jun 22, 2026
@github-actions

Contributor Author

New upstream changes detected (2026-06-23)

context7

  • New release: @upstash/context7-mcp@3.2.2 (was ctx7@0.5.1)
  • Release notes:
### Patch Changes

- 2253765: Validate Enterprise-Managed Auth (id-jag) access tokens at the MCP server, so MCP clients can authenticate to Context7 through an enterprise IdP (Okta) via the MCP Enterprise-Managed Authorization extension.
  • Impact: 🟡 review (code touched)
  • Commit mix: 5 chore · 7 docs · 8 feat · 3 fix · 3 other
  • Files touched: code=18 docs=85 ci=4 test=2 other=9
  • 26 new commit(s) since last check
  • Latest: 8a6c029 — docs(enterprise): add on-premise API reference (#2810)
  • Recent commits:
  • eb1bc85 [chore] chore: remove changeset check workflow (#2741)
  • cc011a4 [feat] feat: add Codex client documentation and update OAuth flow details for existing clients (#2742)
  • 06843a6 [other] fix copilot cli plugin compatability (#2743)
  • 1f6212b [other] trigger the Test workflow only when they touch packages/** or the root files that affect the toolchain (#2747)
  • c10f116 [feat] feat: add Context7 Codex plugin with installation instructions and documentation (#2748)

lightrag

  • New release: v1.5.3 (was v1.5.1)
  • Release notes:
## ⚠️ Upgrade Notes (existing Milvus deployments)

Due to PR #3228, upgrading an existing Milvus deployment triggers a one-time automatic migration on the next initialize_storages(): the legacy collection is copied into the new model-suffixed collection (schema-upgraded and byte-truncated) before the service becomes ready. Plan for the extra startup time and write throughput on large collections.

* The migration runs only once. After the suffixed collection exists, every subsequent startup validates and loads it directly and does not re-scan or re-migrate the legacy collection.
* The legacy data is never deleted automatically. For safety the old {workspace}_{namespace} collection is kept, not dropped, so vector storage is temporarily duplicated after the upgrade. This is intentional — the migration does not reclaim the space for you.
  * Action required: once you have confirmed the migration succeeded and the new system works correctly against the model-suffixed collection, manually drop the old {workspace}_{namespace} collection yourself to reclaim storage. Until you do, the duplicated vectors remain on disk.
* Legacy collections whose data is incompatible (different vector dimension, or an old simple schema with no vector field) are not migrated; a fresh suffixed collection is created instead and the legacy data is left untouched.

## What's New
* feat(tools): add offline VDB rebuild for vector drift recovery by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3243
* feat(concurrency): make MAX_ASYNC a true cross-worker limit under gunicorn + aggregated queue stats by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3253
* refact(Milvus): Fix Milvus dynamic field overflow + isolate collections by embedding model by @ye-guan-xing in https://github.com/HKUDS/LightRAG/pull/3228

## What's Changed
* fix(pipeline): retry malformed multimodal analysis JSON by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3242
* Add workspace path traversal validation by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3244
* 🐛 fix(mongo): close MongoClient on ClientManager release by @skymacro in https://github.com/HKUDS/LightRAG/pull/3251
* Fix Qdrant/PostgreSQL resurrecting cleared data: clear workspace's legacy rows on drop by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3254
* fix(neo4j): bind APOC labelFilter as parameter to prevent Cypher injection by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3257
  • Impact: 🔴 likely matters (breaking change)
  • Commit mix: 9 chore · 12 docs · 18 feat · 63 fix · 115 other · 11 refactor · 2 style · 3 test
  • Files touched: code=0 docs=19 ci=1 test=103 other=95
  • 233 new commit(s) since last check
  • Latest: 4e1f952 — Merge pull request #3295 from HKUDS/refactor/docx-parser-no-chunking
  • Recent commits:
  • 83c047d [other] Fix Milvus dynamic field overflow for VDB metadata
  • 4854336 [fix] fix: apply pre-commit formatting fixes
  • a43e95e [other] 🐛 fix(neo4j): sanitize Lucene reserved chars in label search
  • 8306ab0 [other] Merge pull request #3233 from danielaskdd/fix/neo4j-search-labels-lucene-special-chars
  • fa213a8 [other] Bump core version to 1.5.2 and API version to 0380

vercel-agent-skills

  • Impact: 🟡 review (code touched)
  • Commit mix: 2 fix · 1 other
  • Files touched: code=1 docs=0 ci=0 test=1 other=1
  • 3 new commit(s) since last check
  • Latest: f8a72b9 — Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn
  • Recent commits:
  • 847de8d [fix] fix(vercel-optimize): run vercel via node entry on Windows (execFile can't spawn .cmd)
  • 190df9e [fix] fix(vercel-optimize): harden Windows CLI resolution
  • f8a72b9 [other] Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn

everything-claude-code

  • New release: v2.0.0 (was v1.10.0)
  • Release notes:
ECC 2.0.0 is the stable graduation of the 2.0 line: ECC as a cross-harness operating system for agentic work. Claude Code stays first-class; Codex, OpenCode, Cursor, Gemini, Zed, and terminal-only workflows share the same skills, rules, hooks, MCP conventions, release gates, and operator workflows. This is the months-in-the-making release the rc.1 candidate was building toward.

## The control pane (early build)

![ECC Control Pane — sessions, metrics, and the work-items board](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-1.png)

![Operator column — knowledge recall, connectors, and runnable agent actions](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-2.png)

The ECC 2.0 operating surface, running locally (`node scripts/control-pane.js`): operator recall search, live session metrics, a work-items board with ready/running/blocked/done lanes, and an operator column that drives knowledge sync/recall, graph backfill, and the TUI. The session adapters and MCP inventory below feed this board. Build-in-public continues in the Discord #control-pane channel.

## What is new

- **261 public skills** across coding, research, security, media, enterprise ops, and agent workflows (rc.1 shipped 243) — plus 64 agents and 84 commands.
- **The control-pane substrate** — the foundation of the ECC 2.0 operating surface:
  - harness-neutral session adapters (`ecc.session.v1`) covering Claude Code, Codex, OpenCode, and dmux — one schema for "which agent is where, doing what"
  - MCP inventory (`ecc.mcp.v1`) — one normalized view of every MCP server config across harnesses, with fragmentation/drift detection and secret redaction (it caught a real arg-carried key leak during development)
  - worktree-lifecycle service — deterministic merge-conflict prediction and safe GC for parallel agent worktrees
- **`orch-*` orchestrator skill family** plus dynamic workflow team orchestration — multi-agent fan-out as a first-class surface.
- **Single-connector MCP default policy** — the default set is now exactly one connector (`chrome-devtools`); the other six retired to opt-in after a June 2026 audit. Policy + per-connector rationale: `docs/MCP-CONNECTOR-POLICY.md`.
- **Rollout-derived optimization pack**: `parallel-execution-optimizer`, `benchmark-optimization-loop`, `data-throughput-accelerator`, `latency-critical-systems`, `recursive-decision-ledger`.
  • Impact: 🟡 review (code touched)
  • Commit mix: 15 chore · 3 ci · 18 docs · 29 feat · 43 fix · 20 other · 1 refactor · 1 style
  • Files touched: code=0 docs=196 ci=13 test=0 other=93
  • 130 new commit(s) since last check
  • Latest: 71d22d0 — feat(layer4): live messages-table wiring for proximity triggers
  • Recent commits:
  • 194eeb9 [feat] feat: add taste skill for music-video creative direction
  • d4ed8ba [feat] feat(skills): add ml-adoption-playbook skill
  • 8ee5946 [docs] docs: refresh sponsor and readme surface
  • 3c5bcc2 [other] security: harden advisory intake and dependency coverage
  • 4f69955 [docs] docs: fix README markdownlint spacing

ui-ux-pro-max

  • New release: v2.6.2 (was v2.5.0)
  • Release notes:
## [2.6.2](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/compare/v2.6.1...v2.6.2) (2026-06-22)

### Bug Fixes

* HTML-escape all user data in slide generator to prevent XSS ([#274](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/274)) ([d457006](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/d457006301be21d51dc8722ba2a6d143047d4122)), closes [#247](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/247)
  • Impact: 🔴 likely matters (breaking change)
  • Commit mix: 1 ci · 3 docs · 3 feat · 9 fix · 2 other
  • Files touched: code=6 docs=9 ci=4 test=0 other=14
  • 18 new commit(s) since last check
  • Latest: 1518fec — docs: add CONTRIBUTING.md guide for new contributors (#264)
  • Recent commits:
  • fdc0a45 [fix] fix: correct project name from 'Antigravity Kit' to 'UI UX Pro Max' in CLAUDE.md (#365)
  • 5e2c0a2 [docs] docs: add Troubleshooting section to README (closes #304 #318 #338) (#350)
  • 03e6afc [ci] ci: add paths-ignore to python-package-conda workflow (#312)
  • 71d02ec [fix] fix(meta): align marketplace.json and package-lock.json to v2.5.0 (#327)
  • c522197 [fix] fix(cli): implement --force flag to protect existing skill files (#324)

superpowers

  • New release: v6.0.3 (was v5.1.0)
  • Release notes:

### Subagent-Driven Development

- **SDD scratch files moved out of `.git/`.** Claude Code treats `.git/` as a protected path and denies agent writes there, so an implementer subagent writing its report into `.git/sdd/` got blocked mid-run. Task briefs, implementer reports, review diffs, and the progress ledger now live in a self-ignoring `.superpowers/sdd/` directory in the working tree — kept out of `git status` and out of commits, and resolved per worktree by a shared `sdd-workspace` helper. One caveat: because the workspace is git-ignored working-tree scratch, `git clean -fdx` will delete the progress ledger; recover from `git log` if that happens. (#1780)
  • Impact: 🟡 review (code touched)
  • Commit mix: 6 chore · 11 docs · 12 feat · 23 fix · 112 other · 4 test
  • Files touched: code=0 docs=67 ci=1 test=49 other=24
  • 168 new commit(s) since last check
  • Latest: 896224c — Release v6.0.3: SDD artifacts move out of the .git/ protected path
  • Recent commits:
  • 8cf3900 [other] Job posting
  • 718cb1d [docs] docs: turned the dash in "- Jesse" into an escape sequence (#1474)
  • bce1267 [other] Spec: lift drill into superpowers as evals/
  • 09d2c1d [other] Spec: address adversarial review findings
  • 1a42ead [other] Plan: lift drill into superpowers as evals/

n8n-mcp

  • New release: v2.59.3 (was v2.57.1)
  • Release notes:
# Release v2.59.3

Generating release notes from v2.59.2 to HEAD
### 📝 Other Changes

- chore(release): v2.59.3 (67fb0d8)
- fix(generators): emit valid IF v2 and AI Agent configs (#374) (c4541c5)
- fix(shutdown): skip stdin.destroy() on Windows to avoid libuv crash (#383, #385) (139fb93)
- docs(railway): add upfront AUTH_TOKEN Before You Deploy callout (#152) (d2c34ce)
- fix(security): require complete tenant context on session restore (#844) (9372e75)

---

**Release Statistics:**
- 5 commits
- 1 contributor
- Contributors: czlonkowski

---
  • Impact: 🟡 review (code touched)
  • Commit mix: 7 chore · 4 docs · 1 feat · 16 fix · 20 other · 2 test
  • Files touched: code=0 docs=5 ci=0 test=0 other=295
  • 50 new commit(s) since last check
  • Latest: f3d96cb — Merge pull request #861 from czlonkowski/chore/release-v2.59.3
  • Recent commits:
  • 109c483 [fix] fix(workflow): allowlist write payload so n8n 2.x echo-back fields don't break updates
  • 33e3d5b [test] test(workflow): cover nodeGroups echo-back in allowlist (supersedes #835, #839)
  • 0a07f2f [fix] fix(workflow): object-merge settings on full update so partial payloads don't drop keys
  • 75887af [fix] fix(workflow): don't let a null settings payload wipe current settings
  • 7fec791 [other] Merge pull request #840 from czlonkowski/fix/update-workflow-additional-properties

claude-mem

  • New release: v13.8.0 (was v13.4.2)
  • Release notes:
## Telemetry: observation volume on per-session rollups

Carries generation-side observation volume and type mix on the `observer_turn_rollup` event so cache-value KPIs survive the migration off the legacy per-occurrence `session_compressed` / `context_injected` streams.

### What's new
- **`observer_turn_rollup`** now sums `observations_created` and the `obs_type_*` family (bugfix / discovery / decision / refactor / other) across every compression turn in a session. Paired with `total_cost_usd`, this makes **cost-per-observation** and **observation-type-by-model** derivable from the rollup alone.
- **`context_injected_rollup`** carries `total_observations_injected` and `total_tokens_saved_vs_naive` — context-cache value (observations served × cost/obs) is now derivable from the rollup.
- `scrub.ts` whitelist extended for the new aggregate keys; all values are counts/sums only — never names, prompt text, or raw strings.
- Public `telemetry.mdx` docs updated to document the new rollup fields.

### Merge notes
- Merged latest `main` (Ponytail audit, v13.7.1), which removed fabrication tracking; the now-stale `fabrication_count` / `fabricated_count` references were dropped from code and docs accordingly.

Full changes: https://github.com/thedotmack/claude-mem/pull/3017
  • Impact: 🟡 review (code touched)
  • Commit mix: 1 build · 14 chore · 1 ci · 16 docs · 16 feat · 8 fix · 10 other · 1 refactor · 1 test
  • Files touched: code=170 docs=52 ci=2 test=56 other=20
  • 68 new commit(s) since last check
  • Latest: 87e4836 — feat(skills): add "what-the" skill for plain-English breakdowns (#3026)
  • Recent commits:
  • 35fbf91 [fix] fix(settings): keep file defaults from inheriting stale env overrides (#2853)
  • 57b9a39 [fix] fix(installer): require explicit consent before disabling Claude Code auto-memory (closes #2836) (#2859)
  • 3759d99 [other] batch: land five reviewed fixes from @rodboev (#2848 #2850 #2851 #2852 #2860) (#2862)
  • f3fa560 [other] Keep published docs aligned with release metadata (#2756)
  • 7121de4 [fix] fix(openclaw): compact routine feed messages (#2734)

voicemode

  • New release: v8.8.0 (was v8.7.1)
  • Release notes:

### Added

#### Conch — coordinate the voice channel across multiple agents (epic VM-1610)

The conch is VoiceMode's single-speaker lock. This release turns it into a full multi-agent coordination layer — hold the floor, queue for it, hand it off, and watch it from the CLI or MCP.

- **Hold the floor across turns** — `hold_conch=true` on `converse` keeps the channel between turns so a second agent can't cut in mid-thought; `pause_conversation` holds it across a deliberate pause. Opt-in, and released on your next turn, on process exit, or after a short idle timeout. (VM-1433)
- **Ordered waiter queue** — when the conch is busy, `converse` joins a fair FIFO queue instead of racing for it: choose `wait` (block until it's yours) or `callback` (return now, get pinged when granted). (VM-1619)
- **Notify-on-give** — an agent handed the floor while it's idle gets a "your turn" nudge in its pane instead of missing its turn. (VM-1625)
- **`voicemode conch` CLI** — `status`, `give`, `bump`, `release`, and `wait` to observe and drive the queue from the command line. (VM-1616)
- **MCP parity for remote agents** — a new `conch` MCP tool gives streamable-HTTP agents the same queue control as the CLI, over the same shared state. (VM-1622)
- **`conch give` can summon any running session** — hand the floor to an agent that isn't in line yet, not just one already waiting. (VM-1637)
- **Idle holds expire fast** — a held conch now lapses on a short, refreshed timeout (default 10s) so a quiet agent can't wedge the channel for everyone. (VM-1649)
- **Fair promotion** — the queue skips idle callback-waiters to promote the next agent actually blocking on the floor, so nobody starves behind an idle one. (VM-1625)

#### Other

- **Cartesia as a first-class cloud TTS provider with sub-second streaming ([#368](https://github.com/mbailey/voicemode/pull/368))** — Adds Cartesia alongside OpenAI and Kokoro, with low-latency SSE PCM streaming (audio starts playing within a few hundred milliseconds) and a buffered WAV fallback, plus automatic primary→fallback model retry. It's auto-detected: add an `api.cartesia.ai` entry to `VOICEMODE_TTS_BASE_URLS` and set `CARTESIA_API_KEY` (with optional `VOICEMODE_CARTESIA_VOICE_ID` / `VOICEMODE_CARTESIA_MODEL` / `VOICEMODE_CARTESIA_FALLBACK_MODEL`). When Cartesia isn't configured the TTS path is unchanged. Contributed by [@Sallvainian](https://github.com/Sallvainian).
- **NixOS: build whisper.cpp (with CUDA) via a Nix flake, and clearer NixOS install guidance ([#319](https://github.com/mbailey/voicemode/pull/319))** — Nix flake outputs build whisper.cpp from source (CPU + CUDA) with a `voice-mode-cuda` wrapper, and the whisper/kokoro install tools now detect NixOS and give actionable setup guidance instead of a cryptic FHS build failure. Contributed by [@KaiStarkk](https://github.com/KaiStarkk).
  • Impact: 🟡 review (code touched)
  • Commit mix: 3 chore · 1 ci · 5 docs · 6 feat · 7 fix · 56 other
  • Files touched: code=0 docs=12 ci=4 test=15 other=33
  • 78 new commit(s) since last check
  • Latest: 94ded84 — chore: bump version to 8.8.0 for all packages
  • Recent commits:
  • 1ed5bf9 [fix] fix(#249): improve UX when CUDA toolkit is missing during whisper install
  • 9798833 [fix] fix: address review feedback on CUDA install UX
  • 7bcc5a1 [feat] feat: add Cartesia TTS provider with SSE streaming
  • 3145d10 [other] Cartesia: address review feedback from PR #368
  • 83302e4 [feat] feat(nix): add whisper.cpp derivation with CUDA support

caveman

  • New release: v1.9.0 (was v1.8.2)
  • Release notes:
## Security

- **Installs now pinned + integrity-checked** (#261, #262)
  `curl|bash` and detached installs no longer fetch hook files from the moving
  `main` branch — they download from the immutable `v1.9.0` tag and verify
  every hook against `src/hooks/checksums.sha256` (SHA-256) before anything
  executes. Mismatch aborts the install. This is the first tag shipping the
  manifest, so enforcement is fully active as of this release.

- **`fix(docs)`: escape user input in the demo terminal** (#438)
  The docs site demo interpolated user input via `innerHTML` — a real
  reflected DOM XSS. Nodes are built with `textContent` now.

## opencode actually works now

Smoke-tested against a real opencode runtime for the first time — and the
plugin turned out to never load: opencode runs plugins inside a compiled Bun
binary where both `require()` of on-disk files and `await import()` of CJS
silently fail. Fixed by evaluating the shared config as CommonJS by hand.
Also fixed in the same pass, all verified end-to-end against opencode 1.4.0:
  • Impact: 🟡 review (code touched)
  • Commit mix: 4 chore · 1 feat · 8 fix · 2 other · 1 test
  • Files touched: code=9 docs=15 ci=1 test=12 other=10
  • 16 new commit(s) since last check
  • Latest: 25d22f8 — Update README.md
  • Recent commits:
  • e8eae0f [fix] fix(compress): utf-8 pin, Windows .cmd resolve, frontmatter + backup-dir
  • f06348c [fix] fix(skill): preserve user language, no self-reference, full-mode guardrails
  • f68111a [fix] fix(stats): Opus output price $75->$25 for 4.5+ era; Windows statusline UTF-8
  • 46de578 [fix] fix(docs): escape user input in demo terminal (XSS)
  • 6ce47d4 [fix] fix(mcp-shrink): shell:true on Windows so npx/.cmd upstream resolves

playwright-mcp

  • New release: v0.0.76 (was v0.0.75)
  • Release notes:
## What's New

### New Tools

- **`browser_video_show_actions` / `browser_video_hide_actions`** — Overlay action annotations on the recorded video, or hide them again ([#40914](https://github.com/microsoft/playwright/pull/40914))

### Tool Improvements

- **Remote endpoint** — `remoteEndpoint` now accepts a `ConnectOptions` object, not just a URL string ([#40964](https://github.com/microsoft/playwright/pull/40964))
- **`--output-max-size`** — Cap the size of tool responses, with post-response disk eviction of oversized output ([#41031](https://github.com/microsoft/playwright/pull/41031))
- **`--browser`** — Support `moz-firefox` BiDi channels ([#41126](https://github.com/microsoft/playwright/pull/41126))

## Bug Fixes

- Support `remoteHeaders` for the remote browser endpoint ([#40828](https://github.com/microsoft/playwright/pull/40828), [#41156](https://github.com/microsoft/playwright/pull/41156))
- Use `waitUntil: 'commit'` when navigating back/forward ([#41153](https://github.com/microsoft/playwright/pull/41153))
- Report invalid tool arguments instead of failing opaquely ([#40979](https://github.com/microsoft/playwright/pull/40979))
- Use a writable cache directory for MCP user data instead of the browsers path ([#40961](https://github.com/microsoft/playwright/pull/40961))
- Disconnect the tracked browser when the browser tracker is disposed ([#40967](https://github.com/microsoft/playwright/pull/40967))
- Report a missing `ffmpeg` distinctly from a missing browser ([#40867](https://github.com/microsoft/playwright/pull/40867))
  • Impact: 🟡 review (code touched)
  • Commit mix: 4 chore
  • Files touched: code=0 docs=1 ci=0 test=0 other=4
  • 4 new commit(s) since last check
  • Latest: 0f4e6ff — chore(deps-dev): bump hono from 4.12.23 to 4.12.26 (#1658)
  • Recent commits:
  • aa55fbb [chore] chore(deps-dev): bump hono from 4.12.18 to 4.12.23 (#1638)
  • 40de619 [chore] chore: roll Playwright to 1.61.0-alpha-1781023400000 (#1648)
  • b301c37 [chore] chore: mark v0.0.76 (#1649)
  • 0f4e6ff [chore] chore(deps-dev): bump hono from 4.12.23 to 4.12.26 (#1658)

Updated by the upstream tracker workflow.

@github-actions

Contributor Author

New upstream changes detected (2026-06-24)

context7

  • New release: @upstash/context7-mcp@3.2.2 (was ctx7@0.5.1)
  • Release notes:
### Patch Changes

- 2253765: Validate Enterprise-Managed Auth (id-jag) access tokens at the MCP server, so MCP clients can authenticate to Context7 through an enterprise IdP (Okta) via the MCP Enterprise-Managed Authorization extension.
  • Impact: 🟡 review (code touched)
  • Commit mix: 5 chore · 9 docs · 8 feat · 3 fix · 4 other
  • Files touched: code=18 docs=98 ci=4 test=2 other=9
  • 29 new commit(s) since last check
  • Latest: a914a86 — docs: configure GitHub Enterprise Server host from the UI (#2823)
  • Recent commits:
  • eb1bc85 [chore] chore: remove changeset check workflow (#2741)
  • cc011a4 [feat] feat: add Codex client documentation and update OAuth flow details for existing clients (#2742)
  • 06843a6 [other] fix copilot cli plugin compatability (#2743)
  • 1f6212b [other] trigger the Test workflow only when they touch packages/** or the root files that affect the toolchain (#2747)
  • c10f116 [feat] feat: add Context7 Codex plugin with installation instructions and documentation (#2748)

lightrag

  • New release: v1.5.4 (was v1.5.1)
  • Release notes:
## What's New
* feat(parser): native engine **support for Markdown parsing**, including **embedded base64 images** and `.textpack` bundle image integration by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3280
* feat(parser): per-file engine parameters via hint/rule (Phase 2 — MinerU + Docling) by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3284
* perf(webui): made graph rendering more efficient -> large knowledge graphs now usable by @Xaverrrrr in https://github.com/HKUDS/LightRAG/pull/3304

## What's Changed
* Add parameterized parser hints for chunk strategy tuning by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3282
* feat(chunker): add drop_references option to P chunking strategy by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3285
* feat(webui): reorder query modes and warn on lower-quality modes by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3287
* fix(mineru): drop page_number items from blocks content by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3288
* fix(storage): handle set ids in delete (Issue #3286) by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3289
* Fixed typo (Dokcer -> Docker) by @aleksvujic in https://github.com/HKUDS/LightRAG/pull/3291
* refactor(parser): move all chunking out of the docx parser by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3295
* fix(api): stop guest tokens from bypassing X-API-Key auth by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3319
* fix(api): don't pair wildcard CORS origin with credentials by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3317
* docs(README): add optional HVTracker trust badge by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3320
* fix(sidecar): prevent path traversal in asset materialization by @VectorPeak in https://github.com/HKUDS/LightRAG/pull/3316

## New Contributors
* @VectorPeak made their first contribution in https://github.com/HKUDS/LightRAG/pull/3316
  • Impact: 🔴 likely matters (breaking change)
  • Commit mix: 13 chore · 11 docs · 19 feat · 71 fix · 123 other · 7 refactor · 2 style · 4 test
  • Files touched: code=0 docs=19 ci=8 test=105 other=104
  • 278 new commit(s) since last check
  • Latest: 9a45b64 — Merge branch 'ui-speedup'
  • Recent commits:
  • 0e8564d [other] Merge pull request #3237 from danielaskdd/fix/mm-control-char-graphml-crash
  • 402be8d [fix] fix(multimodal): repair LaTeX escape damage in VLM JSON responses
  • 1667fd2 [fix] fix(extract): repair LaTeX escape damage in JSON entity-extraction results
  • f2c8148 [other] Merge pull request #3238 from danielaskdd/feat/vlm-latex-escape-repair
  • 3fa73ec [other] 📝 docs(ThirdPartyParser): add third-party parser guide

vercel-agent-skills

  • Impact: 🟡 review (code touched)
  • Commit mix: 2 fix · 1 other
  • Files touched: code=1 docs=0 ci=0 test=1 other=1
  • 3 new commit(s) since last check
  • Latest: f8a72b9 — Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn
  • Recent commits:
  • 847de8d [fix] fix(vercel-optimize): run vercel via node entry on Windows (execFile can't spawn .cmd)
  • 190df9e [fix] fix(vercel-optimize): harden Windows CLI resolution
  • f8a72b9 [other] Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn

everything-claude-code

  • New release: v2.0.0 (was v1.10.0)
  • Release notes:
ECC 2.0.0 is the stable graduation of the 2.0 line: ECC as a cross-harness operating system for agentic work. Claude Code stays first-class; Codex, OpenCode, Cursor, Gemini, Zed, and terminal-only workflows share the same skills, rules, hooks, MCP conventions, release gates, and operator workflows. This is the months-in-the-making release the rc.1 candidate was building toward.

## The control pane (early build)

![ECC Control Pane — sessions, metrics, and the work-items board](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-1.png)

![Operator column — knowledge recall, connectors, and runnable agent actions](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-2.png)

The ECC 2.0 operating surface, running locally (`node scripts/control-pane.js`): operator recall search, live session metrics, a work-items board with ready/running/blocked/done lanes, and an operator column that drives knowledge sync/recall, graph backfill, and the TUI. The session adapters and MCP inventory below feed this board. Build-in-public continues in the Discord #control-pane channel.

## What is new

- **261 public skills** across coding, research, security, media, enterprise ops, and agent workflows (rc.1 shipped 243) — plus 64 agents and 84 commands.
- **The control-pane substrate** — the foundation of the ECC 2.0 operating surface:
  - harness-neutral session adapters (`ecc.session.v1`) covering Claude Code, Codex, OpenCode, and dmux — one schema for "which agent is where, doing what"
  - MCP inventory (`ecc.mcp.v1`) — one normalized view of every MCP server config across harnesses, with fragmentation/drift detection and secret redaction (it caught a real arg-carried key leak during development)
  - worktree-lifecycle service — deterministic merge-conflict prediction and safe GC for parallel agent worktrees
- **`orch-*` orchestrator skill family** plus dynamic workflow team orchestration — multi-agent fan-out as a first-class surface.
- **Single-connector MCP default policy** — the default set is now exactly one connector (`chrome-devtools`); the other six retired to opt-in after a June 2026 audit. Policy + per-connector rationale: `docs/MCP-CONNECTOR-POLICY.md`.
- **Rollout-derived optimization pack**: `parallel-execution-optimizer`, `benchmark-optimization-loop`, `data-throughput-accelerator`, `latency-critical-systems`, `recursive-decision-ledger`.
  • Impact: 🟡 review (code touched)
  • Commit mix: 15 chore · 3 ci · 18 docs · 29 feat · 43 fix · 20 other · 1 refactor · 1 style
  • Files touched: code=0 docs=196 ci=13 test=0 other=93
  • 130 new commit(s) since last check
  • Latest: 71d22d0 — feat(layer4): live messages-table wiring for proximity triggers
  • Recent commits:
  • 194eeb9 [feat] feat: add taste skill for music-video creative direction
  • d4ed8ba [feat] feat(skills): add ml-adoption-playbook skill
  • 8ee5946 [docs] docs: refresh sponsor and readme surface
  • 3c5bcc2 [other] security: harden advisory intake and dependency coverage
  • 4f69955 [docs] docs: fix README markdownlint spacing

ui-ux-pro-max

  • New release: v2.6.3 (was v2.5.0)
  • Release notes:
## [2.6.3](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/compare/v2.6.2...v2.6.3) (2026-06-24)

### Bug Fixes

* bump skill.json version to 2.6.2 ([#382](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/382)) ([a13b2a0](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/a13b2a02fd58d8ad325fefd9d146f62708be8456))
  • Impact: 🔴 likely matters (breaking change)
  • Commit mix: 1 ci · 3 docs · 3 feat · 10 fix · 2 other
  • Files touched: code=6 docs=9 ci=4 test=0 other=15
  • 19 new commit(s) since last check
  • Latest: a13b2a0 — fix: bump skill.json version to 2.6.2 (#382)
  • Recent commits:
  • fdc0a45 [fix] fix: correct project name from 'Antigravity Kit' to 'UI UX Pro Max' in CLAUDE.md (#365)
  • 5e2c0a2 [docs] docs: add Troubleshooting section to README (closes #304 #318 #338) (#350)
  • 03e6afc [ci] ci: add paths-ignore to python-package-conda workflow (#312)
  • 71d02ec [fix] fix(meta): align marketplace.json and package-lock.json to v2.5.0 (#327)
  • c522197 [fix] fix(cli): implement --force flag to protect existing skill files (#324)

superpowers

  • New release: v6.0.3 (was v5.1.0)
  • Release notes:

### Subagent-Driven Development

- **SDD scratch files moved out of `.git/`.** Claude Code treats `.git/` as a protected path and denies agent writes there, so an implementer subagent writing its report into `.git/sdd/` got blocked mid-run. Task briefs, implementer reports, review diffs, and the progress ledger now live in a self-ignoring `.superpowers/sdd/` directory in the working tree — kept out of `git status` and out of commits, and resolved per worktree by a shared `sdd-workspace` helper. One caveat: because the workspace is git-ignored working-tree scratch, `git clean -fdx` will delete the progress ledger; recover from `git log` if that happens. (#1780)
  • Impact: 🟡 review (code touched)
  • Commit mix: 6 chore · 11 docs · 12 feat · 23 fix · 112 other · 4 test
  • Files touched: code=0 docs=67 ci=1 test=49 other=24
  • 168 new commit(s) since last check
  • Latest: 896224c — Release v6.0.3: SDD artifacts move out of the .git/ protected path
  • Recent commits:
  • 8cf3900 [other] Job posting
  • 718cb1d [docs] docs: turned the dash in "- Jesse" into an escape sequence (#1474)
  • bce1267 [other] Spec: lift drill into superpowers as evals/
  • 09d2c1d [other] Spec: address adversarial review findings
  • 1a42ead [other] Plan: lift drill into superpowers as evals/

n8n-mcp

  • New release: v2.59.4 (was v2.57.1)
  • Release notes:
# Release v2.59.4

Generating release notes from v2.59.3 to HEAD
### ✨ Features

- Add MCPB bundle with generated manifest and release packaging (9b773be)

### 🐛 Bug Fixes

- Pin uuid to ^11 to restore CommonJS startup (closes #864) (901d3e2)

### 📝 Other Changes

- fix(ci): make CJS runtime smoke test strict on every supported Node (#864 review) (888091e)

---

**Release Statistics:**
- 3 commits
- 1 contributor
  • Impact: 🟡 review (code touched)
  • Commit mix: 7 chore · 4 docs · 2 feat · 18 fix · 22 other · 2 test
  • Files touched: code=0 docs=5 ci=3 test=0 other=292
  • 55 new commit(s) since last check
  • Latest: a58d206 — Merge pull request #865 from czlonkowski/fix/uuid-esm-require-crash
  • Recent commits:
  • 109c483 [fix] fix(workflow): allowlist write payload so n8n 2.x echo-back fields don't break updates
  • 33e3d5b [test] test(workflow): cover nodeGroups echo-back in allowlist (supersedes #835, #839)
  • 0a07f2f [fix] fix(workflow): object-merge settings on full update so partial payloads don't drop keys
  • 75887af [fix] fix(workflow): don't let a null settings payload wipe current settings
  • 7fec791 [other] Merge pull request #840 from czlonkowski/fix/update-workflow-additional-properties

claude-mem

  • New release: v13.8.0 (was v13.4.2)
  • Release notes:
## Telemetry: observation volume on per-session rollups

Carries generation-side observation volume and type mix on the `observer_turn_rollup` event so cache-value KPIs survive the migration off the legacy per-occurrence `session_compressed` / `context_injected` streams.

### What's new
- **`observer_turn_rollup`** now sums `observations_created` and the `obs_type_*` family (bugfix / discovery / decision / refactor / other) across every compression turn in a session. Paired with `total_cost_usd`, this makes **cost-per-observation** and **observation-type-by-model** derivable from the rollup alone.
- **`context_injected_rollup`** carries `total_observations_injected` and `total_tokens_saved_vs_naive` — context-cache value (observations served × cost/obs) is now derivable from the rollup.
- `scrub.ts` whitelist extended for the new aggregate keys; all values are counts/sums only — never names, prompt text, or raw strings.
- Public `telemetry.mdx` docs updated to document the new rollup fields.

### Merge notes
- Merged latest `main` (Ponytail audit, v13.7.1), which removed fabrication tracking; the now-stale `fabrication_count` / `fabricated_count` references were dropped from code and docs accordingly.

Full changes: https://github.com/thedotmack/claude-mem/pull/3017
  • Impact: 🟡 review (code touched)
  • Commit mix: 1 build · 14 chore · 1 ci · 16 docs · 16 feat · 8 fix · 10 other · 1 refactor · 1 test
  • Files touched: code=170 docs=52 ci=2 test=56 other=20
  • 68 new commit(s) since last check
  • Latest: 87e4836 — feat(skills): add "what-the" skill for plain-English breakdowns (#3026)
  • Recent commits:
  • 35fbf91 [fix] fix(settings): keep file defaults from inheriting stale env overrides (#2853)
  • 57b9a39 [fix] fix(installer): require explicit consent before disabling Claude Code auto-memory (closes #2836) (#2859)
  • 3759d99 [other] batch: land five reviewed fixes from @rodboev (#2848 #2850 #2851 #2852 #2860) (#2862)
  • f3fa560 [other] Keep published docs aligned with release metadata (#2756)
  • 7121de4 [fix] fix(openclaw): compact routine feed messages (#2734)

voicemode

  • New release: v8.9.0 (was v8.7.1)
  • Release notes:

### Added

- **A minimal voice-only example agent (VM-1658)** — The voicemode plugin now ships a `voice-only` subagent whose *only* tool is `converse` — no file access, shell, or editing, by design. It's the smallest thing that can hold a spoken conversation, so it starts with a tiny context footprint, and works whether voicemode is provided by the plugin or by a project `.mcp.json` (both `converse` tool names are whitelisted). Launch it for a quick voice-only chat, or copy it as a template for your own lean voice agents.


## Installation

### Quick Start (Recommended)

```bash
# Install UV package manager (if not already installed)
curl -LsSf https://astral.sh/uv/install.sh | sh

# Install VoiceMode and configure services
uvx voice-mode-install

# Add to Claude Code MCP
claude mcp add --scope user voicemode -- uvx --refresh voice-mode
```
  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore · 2 ci · 5 docs · 6 feat · 7 fix · 61 other
  - **Files touched:** code=0 docs=13 ci=4 test=15 other=34
  - **85 new commit(s)** since last check
  - Latest: `bd8c3ad` — Merge pull request #480 from mbailey/dependabot/github_actions/actions-all-640176b5ab
  - Recent commits:
  - `1ed5bf9` [fix] fix(#249): improve UX when CUDA toolkit is missing during whisper install
  - `9798833` [fix] fix: address review feedback on CUDA install UX
  - `7bcc5a1` [feat] feat: add Cartesia TTS provider with SSE streaming
  - `3145d10` [other] Cartesia: address review feedback from PR #368
  - `83302e4` [feat] feat(nix): add whisper.cpp derivation with CUDA support

### [caveman](https://github.com/JuliusBrussee/caveman)

  - **New release:** `v1.9.0` (was `v1.8.2`)
  - Release notes:

Security

  • Installs now pinned + integrity-checked (#261, #262)
    curl|bash and detached installs no longer fetch hook files from the moving
    main branch — they download from the immutable v1.9.0 tag and verify
    every hook against src/hooks/checksums.sha256 (SHA-256) before anything
    executes. Mismatch aborts the install. This is the first tag shipping the
    manifest, so enforcement is fully active as of this release.

  • fix(docs): escape user input in the demo terminal (#438)
    The docs site demo interpolated user input via innerHTML — a real
    reflected DOM XSS. Nodes are built with textContent now.

opencode actually works now

Smoke-tested against a real opencode runtime for the first time — and the
plugin turned out to never load: opencode runs plugins inside a compiled Bun
binary where both require() of on-disk files and await import() of CJS
silently fail. Fixed by evaluating the shared config as CommonJS by hand.
Also fixed in the same pass, all verified end-to-end against opencode 1.4.0:

  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore · 1 feat · 8 fix · 2 other · 1 test
  - **Files touched:** code=9 docs=15 ci=1 test=12 other=10
  - **16 new commit(s)** since last check
  - Latest: `25d22f8` — Update README.md
  - Recent commits:
  - `e8eae0f` [fix] fix(compress): utf-8 pin, Windows .cmd resolve, frontmatter + backup-dir
  - `f06348c` [fix] fix(skill): preserve user language, no self-reference, full-mode guardrails
  - `f68111a` [fix] fix(stats): Opus output price $75->$25 for 4.5+ era; Windows statusline UTF-8
  - `46de578` [fix] fix(docs): escape user input in demo terminal (XSS)
  - `6ce47d4` [fix] fix(mcp-shrink): shell:true on Windows so npx/.cmd upstream resolves

### [playwright-mcp](https://github.com/microsoft/playwright-mcp)

  - **New release:** `v0.0.76` (was `v0.0.75`)
  - Release notes:

What's New

New Tools

  • browser_video_show_actions / browser_video_hide_actions — Overlay action annotations on the recorded video, or hide them again (#40914)

Tool Improvements

  • Remote endpoint — remoteEndpoint now accepts a ConnectOptions object, not just a URL string (#40964)
  • --output-max-size — Cap the size of tool responses, with post-response disk eviction of oversized output (#41031)
  • --browser — Support moz-firefox BiDi channels (#41126)

Bug Fixes

  • Support remoteHeaders for the remote browser endpoint (#40828, #41156)
  • Use waitUntil: 'commit' when navigating back/forward (#41153)
  • Report invalid tool arguments instead of failing opaquely (#40979)
  • Use a writable cache directory for MCP user data instead of the browsers path (#40961)
  • Disconnect the tracked browser when the browser tracker is disposed (#40967)
  • Report a missing ffmpeg distinctly from a missing browser (#40867)
  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore
  - **Files touched:** code=0 docs=1 ci=0 test=0 other=4
  - **4 new commit(s)** since last check
  - Latest: `0f4e6ff` — chore(deps-dev): bump hono from 4.12.23 to 4.12.26 (#1658)
  - Recent commits:
  - `aa55fbb` [chore] chore(deps-dev): bump hono from 4.12.18 to 4.12.23 (#1638)
  - `40de619` [chore] chore: roll Playwright to 1.61.0-alpha-1781023400000 (#1648)
  - `b301c37` [chore] chore: mark v0.0.76 (#1649)
  - `0f4e6ff` [chore] chore(deps-dev): bump hono from 4.12.23 to 4.12.26 (#1658)


*Updated by the upstream tracker workflow.*

@github-actions


New upstream changes detected (2026-06-25)

context7

  • New release: @upstash/context7-mcp@3.2.2 (was ctx7@0.5.1)
  • Release notes:
### Patch Changes

- 2253765: Validate Enterprise-Managed Auth (id-jag) access tokens at the MCP server, so MCP clients can authenticate to Context7 through an enterprise IdP (Okta) via the MCP Enterprise-Managed Authorization extension.
  • Impact: 🟡 review (code touched)
  • Commit mix: 5 chore · 9 docs · 8 feat · 3 fix · 5 other
  • Files touched: code=18 docs=98 ci=4 test=2 other=9
  • 30 new commit(s) since last check
  • Latest: 0647bb3 — add new attribute to docs (#2828)
  • Recent commits:
  • eb1bc85 [chore] chore: remove changeset check workflow (#2741)
  • cc011a4 [feat] feat: add Codex client documentation and update OAuth flow details for existing clients (#2742)
  • 06843a6 [other] fix copilot cli plugin compatibility (#2743)
  • 1f6212b [other] trigger the Test workflow only when they touch packages/** or the root files that affect the toolchain (#2747)
  • c10f116 [feat] feat: add Context7 Codex plugin with installation instructions and documentation (#2748)

lightrag

  • New release: v1.5.4 (was v1.5.1)
  • Release notes:
## What's New
* feat(parser): native engine **support for Markdown parsing**, including **embedded base64 images** and `.textpack` bundle image integration by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3280
* feat(parser): per-file engine parameters via hint/rule (Phase 2 — MinerU + Docling) by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3284
* perf(webui): made graph rendering more efficient -> large knowledge graphs now usable by @Xaverrrrr in https://github.com/HKUDS/LightRAG/pull/3304

## What's Changed
* Add parameterized parser hints for chunk strategy tuning by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3282
* feat(chunker): add drop_references option to P chunking strategy by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3285
* feat(webui): reorder query modes and warn on lower-quality modes by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3287
* fix(mineru): drop page_number items from blocks content by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3288
* fix(storage): handle set ids in delete (Issue #3286) by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3289
* Fixed typo (Dokcer -> Docker) by @aleksvujic in https://github.com/HKUDS/LightRAG/pull/3291
* refactor(parser): move all chunking out of the docx parser by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3295
* fix(api): stop guest tokens from bypassing X-API-Key auth by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3319
* fix(api): don't pair wildcard CORS origin with credentials by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3317
* docs(README): add optional HVTracker trust badge by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3320
* fix(sidecar): prevent path traversal in asset materialization by @VectorPeak in https://github.com/HKUDS/LightRAG/pull/3316

## New Contributors
* @VectorPeak made their first contribution in https://github.com/HKUDS/LightRAG/pull/3316
  • Impact: 🟡 review (code touched)
  • Commit mix: 13 chore · 10 docs · 18 feat · 69 fix · 131 other · 4 refactor · 2 style · 3 test
  • Files touched: code=0 docs=21 ci=13 test=109 other=108
  • 302 new commit(s) since last check
  • Latest: 40a62c9 — Bump API version to 0315
  • Recent commits:
  • f47d87d [other] Restore safe Milvus legacy migration
  • 9921e67 [fix] fix(merge): close deferred-embedding fail-loud gap + harden rebuild tool
  • e6d4baa [fix] fix(rebuild): rebuild ALL text_chunks keys, not just the chunk- prefix
  • 6532ecb [fix] fix(merge): don't swallow VectorStorageConsistencyError in edit-with-merge
  • e0f977d [fix] fix(merge/rebuild): fail-loud on relation-delete failure; pass vector_storage to rebuild config

vercel-agent-skills

  • Impact: 🟡 review (code touched)
  • Commit mix: 2 fix · 1 other
  • Files touched: code=1 docs=0 ci=0 test=1 other=1
  • 3 new commit(s) since last check
  • Latest: f8a72b9 — Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn
  • Recent commits:
  • 847de8d [fix] fix(vercel-optimize): run vercel via node entry on Windows (execFile can't spawn .cmd)
  • 190df9e [fix] fix(vercel-optimize): harden Windows CLI resolution
  • f8a72b9 [other] Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn

everything-claude-code

  • New release: v2.0.0 (was v1.10.0)
  • Release notes:
ECC 2.0.0 is the stable graduation of the 2.0 line: ECC as a cross-harness operating system for agentic work. Claude Code stays first-class; Codex, OpenCode, Cursor, Gemini, Zed, and terminal-only workflows share the same skills, rules, hooks, MCP conventions, release gates, and operator workflows. This is the months-in-the-making release the rc.1 candidate was building toward.

## The control pane (early build)

![ECC Control Pane — sessions, metrics, and the work-items board](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-1.png)

![Operator column — knowledge recall, connectors, and runnable agent actions](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-2.png)

The ECC 2.0 operating surface, running locally (`node scripts/control-pane.js`): operator recall search, live session metrics, a work-items board with ready/running/blocked/done lanes, and an operator column that drives knowledge sync/recall, graph backfill, and the TUI. The session adapters and MCP inventory below feed this board. Build-in-public continues in the Discord #control-pane channel.

## What is new

- **261 public skills** across coding, research, security, media, enterprise ops, and agent workflows (rc.1 shipped 243) — plus 64 agents and 84 commands.
- **The control-pane substrate** — the foundation of the ECC 2.0 operating surface:
  - harness-neutral session adapters (`ecc.session.v1`) covering Claude Code, Codex, OpenCode, and dmux — one schema for "which agent is where, doing what"
  - MCP inventory (`ecc.mcp.v1`) — one normalized view of every MCP server config across harnesses, with fragmentation/drift detection and secret redaction (it caught a real arg-carried key leak during development)
  - worktree-lifecycle service — deterministic merge-conflict prediction and safe GC for parallel agent worktrees
- **`orch-*` orchestrator skill family** plus dynamic workflow team orchestration — multi-agent fan-out as a first-class surface.
- **Single-connector MCP default policy** — the default set is now exactly one connector (`chrome-devtools`); the other six retired to opt-in after a June 2026 audit. Policy + per-connector rationale: `docs/MCP-CONNECTOR-POLICY.md`.
- **Rollout-derived optimization pack**: `parallel-execution-optimizer`, `benchmark-optimization-loop`, `data-throughput-accelerator`, `latency-critical-systems`, `recursive-decision-ledger`.
  • Impact: 🟡 review (code touched)
  • Commit mix: 15 chore · 3 ci · 18 docs · 29 feat · 43 fix · 20 other · 1 refactor · 1 style
  • Files touched: code=0 docs=196 ci=13 test=0 other=93
  • 130 new commit(s) since last check
  • Latest: 71d22d0 — feat(layer4): live messages-table wiring for proximity triggers
  • Recent commits:
  • 194eeb9 [feat] feat: add taste skill for music-video creative direction
  • d4ed8ba [feat] feat(skills): add ml-adoption-playbook skill
  • 8ee5946 [docs] docs: refresh sponsor and readme surface
  • 3c5bcc2 [other] security: harden advisory intake and dependency coverage
  • 4f69955 [docs] docs: fix README markdownlint spacing

ui-ux-pro-max

  • New release: v2.7.0 (was v2.5.0)
  • Release notes:
## [2.7.0](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/compare/v2.6.5...v2.7.0) (2026-06-25)

### Features

* **cli:** add optional GitHub token support for higher API rate limits ([#294](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/294)) ([efa5137](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/efa51376adc3860fc93b05981c2714def56a2759))
  • Impact: 🔴 likely matters (breaking change)
  • Commit mix: 1 ci · 3 docs · 5 feat · 17 fix · 3 other
  • Files touched: code=7 docs=73 ci=5 test=0 other=106
  • 29 new commit(s) since last check
  • Latest: ef5f5ba — fix(cli): install all 7 skills via uipro init, not just the orchestrator (#362) (#387)
  • Recent commits:
  • fdc0a45 [fix] fix: correct project name from 'Antigravity Kit' to 'UI UX Pro Max' in CLAUDE.md (#365)
  • 5e2c0a2 [docs] docs: add Troubleshooting section to README (closes #304 #318 #338) (#350)
  • 03e6afc [ci] ci: add paths-ignore to python-package-conda workflow (#312)
  • 71d02ec [fix] fix(meta): align marketplace.json and package-lock.json to v2.5.0 (#327)
  • c522197 [fix] fix(cli): implement --force flag to protect existing skill files (#324)

superpowers

  • New release: v6.0.3 (was v5.1.0)
  • Release notes:

### Subagent-Driven Development

- **SDD scratch files moved out of `.git/`.** Claude Code treats `.git/` as a protected path and denies agent writes there, so an implementer subagent writing its report into `.git/sdd/` got blocked mid-run. Task briefs, implementer reports, review diffs, and the progress ledger now live in a self-ignoring `.superpowers/sdd/` directory in the working tree — kept out of `git status` and out of commits, and resolved per worktree by a shared `sdd-workspace` helper. One caveat: because the workspace is git-ignored working-tree scratch, `git clean -fdx` will delete the progress ledger; recover from `git log` if that happens. (#1780)
  • Impact: 🟡 review (code touched)
  • Commit mix: 6 chore · 11 docs · 12 feat · 23 fix · 112 other · 4 test
  • Files touched: code=0 docs=67 ci=1 test=49 other=24
  • 168 new commit(s) since last check
  • Latest: 896224c — Release v6.0.3: SDD artifacts move out of the .git/ protected path
  • Recent commits:
  • 8cf3900 [other] Job posting
  • 718cb1d [docs] docs: turned the dash in "- Jesse" into an escape sequence (#1474)
  • bce1267 [other] Spec: lift drill into superpowers as evals/
  • 09d2c1d [other] Spec: address adversarial review findings
  • 1a42ead [other] Plan: lift drill into superpowers as evals/

n8n-mcp

  • New release: v2.60.0 (was v2.57.1)
  • Release notes:
# Release v2.60.0

Generating release notes from v2.59.4 to HEAD
### 🐛 Bug Fixes

- Keep code node primitive return checks scoped (8ef4de2)

### 📚 Documentation

- Address review — unique cache path per client, keep DISABLE_CONSOLE_OUTPUT (ab4c174)
- Add DISABLED_TOOL_OPERATIONS deployment guidance and env var reference (9a8b35a)
  - Add Read-Only Deployment section to README.md under Available MCP Tools
  - Add Read-Only Deployment Recipe section to docs/HTTP_DEPLOYMENT.md under Security Best Practices for n8n API
  - Add DISABLED_TOOL_OPERATIONS block to .env.example after DISABLED_TOOLS with format, eligible tools, operations, and the read-only recipe example
- Scope undefined-as-deletion note to in-process callers (c3a7a2b)
- Note npm_config_cache workaround for multiple npx MCP clients (958660a)

### 🧪 Testing

- Update get-node-unified TTL assertion to seconds (86400) (0ccb931)
- Cover large Code node return validation (47b88b0)
- Cover Code node return scanner edge cases (908e442)
  • Impact: 🟡 review (code touched)
  • Commit mix: 12 chore · 5 ci · 9 docs · 3 feat · 34 fix · 42 other · 5 test
  • Files touched: code=0 docs=5 ci=10 test=0 other=285
  • 110 new commit(s) since last check
  • Latest: 3e76ea4 — Merge pull request #879 from czlonkowski/release/v2.60.0
  • Recent commits:
  • 109c483 [fix] fix(workflow): allowlist write payload so n8n 2.x echo-back fields don't break updates
  • 33e3d5b [test] test(workflow): cover nodeGroups echo-back in allowlist (supersedes #835, #839)
  • 0a07f2f [fix] fix(workflow): object-merge settings on full update so partial payloads don't drop keys
  • 75887af [fix] fix(workflow): don't let a null settings payload wipe current settings
  • 7fec791 [other] Merge pull request #840 from czlonkowski/fix/update-workflow-additional-properties

claude-mem

  • New release: v13.8.0 (was v13.4.2)
  • Release notes:
## Telemetry: observation volume on per-session rollups

Carries generation-side observation volume and type mix on the `observer_turn_rollup` event so cache-value KPIs survive the migration off the legacy per-occurrence `session_compressed` / `context_injected` streams.

### What's new
- **`observer_turn_rollup`** now sums `observations_created` and the `obs_type_*` family (bugfix / discovery / decision / refactor / other) across every compression turn in a session. Paired with `total_cost_usd`, this makes **cost-per-observation** and **observation-type-by-model** derivable from the rollup alone.
- **`context_injected_rollup`** carries `total_observations_injected` and `total_tokens_saved_vs_naive` — context-cache value (observations served × cost/obs) is now derivable from the rollup.
- `scrub.ts` whitelist extended for the new aggregate keys; all values are counts/sums only — never names, prompt text, or raw strings.
- Public `telemetry.mdx` docs updated to document the new rollup fields.

### Merge notes
- Merged latest `main` (Ponytail audit, v13.7.1), which removed fabrication tracking; the now-stale `fabrication_count` / `fabricated_count` references were dropped from code and docs accordingly.

Full changes: https://github.com/thedotmack/claude-mem/pull/3017
  • Impact: 🟡 review (code touched)
  • Commit mix: 1 build · 15 chore · 1 ci · 16 docs · 16 feat · 9 fix · 10 other · 1 refactor · 1 test
  • Files touched: code=170 docs=54 ci=2 test=54 other=20
  • 70 new commit(s) since last check
  • Latest: 3fe0725 — chore: bump version to 13.8.1
  • Recent commits:
  • 35fbf91 [fix] fix(settings): keep file defaults from inheriting stale env overrides (#2853)
  • 57b9a39 [fix] fix(installer): require explicit consent before disabling Claude Code auto-memory (closes #2836) (#2859)
  • 3759d99 [other] batch: land five reviewed fixes from @rodboev (#2848 #2850 #2851 #2852 #2860) (#2862)
  • f3fa560 [other] Keep published docs aligned with release metadata (#2756)
  • 7121de4 [fix] fix(openclaw): compact routine feed messages (#2734)

voicemode

  • New release: v8.10.1 (was v8.7.1)
  • Release notes:

### Fixed

- **MCP Registry publishing repaired and made non-blocking; namespace rebranded to `dev.voicemode/voicemode` (VM-1661)** — The release pipeline had silently failed to publish to the official MCP registry for several releases (the upstream `mcp-publisher` build moved its binary output path), so VoiceMode was not listed in the registry at all. The publish step now locates the publisher binary robustly, pins it to a known-good upstream release (`v1.7.9`), and runs as a best-effort **non-blocking** tail — a publisher-tooling regression can no longer fail a PyPI release. The registry namespace is rebranded from `com.failmode/voicemode` to **`dev.voicemode/voicemode`** to match the project's primary domain (verified via a DNS record on `voicemode.dev`). The PyPI/TestPyPI publish steps also now skip already-published versions, so manual re-runs and registry backfills don't fail on a version that's already live. No effect on installs — PyPI is unchanged; this only affects the registry listing consumed by downstream MCP aggregators.


## Installation

### Quick Start (Recommended)

```bash
# Install UV package manager (if not already installed)
curl -LsSf https://astral.sh/uv/install.sh | sh

# Install VoiceMode and configure services
uvx voice-mode-install

# Add to Claude Code MCP
claude mcp add --scope user voicemode -- uvx --refresh voice-mode
```
  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 6 chore · 2 ci · 6 docs · 6 feat · 7 fix · 73 other
  - **Files touched:** code=0 docs=13 ci=4 test=16 other=34
  - **100 new commit(s)** since last check
  - Latest: `7204952` — chore: bump version to 8.10.1 for all packages
  - Recent commits:
  - `1ed5bf9` [fix] fix(#249): improve UX when CUDA toolkit is missing during whisper install
  - `9798833` [fix] fix: address review feedback on CUDA install UX
  - `7bcc5a1` [feat] feat: add Cartesia TTS provider with SSE streaming
  - `3145d10` [other] Cartesia: address review feedback from PR #368
  - `83302e4` [feat] feat(nix): add whisper.cpp derivation with CUDA support

### [caveman](https://github.com/JuliusBrussee/caveman)

  - **New release:** `v1.9.0` (was `v1.8.2`)
  - Release notes:

Security

  • Installs now pinned + integrity-checked (#261, #262)
    curl|bash and detached installs no longer fetch hook files from the moving
    main branch — they download from the immutable v1.9.0 tag and verify
    every hook against src/hooks/checksums.sha256 (SHA-256) before anything
    executes. Mismatch aborts the install. This is the first tag shipping the
    manifest, so enforcement is fully active as of this release.

  • fix(docs): escape user input in the demo terminal (#438)
    The docs site demo interpolated user input via innerHTML — a real
    reflected DOM XSS. Nodes are built with textContent now.

opencode actually works now

Smoke-tested against a real opencode runtime for the first time — and the
plugin turned out to never load: opencode runs plugins inside a compiled Bun
binary where both require() of on-disk files and await import() of CJS
silently fail. Fixed by evaluating the shared config as CommonJS by hand.
Also fixed in the same pass, all verified end-to-end against opencode 1.4.0:

  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore · 1 feat · 8 fix · 2 other · 1 test
  - **Files touched:** code=9 docs=15 ci=1 test=12 other=10
  - **16 new commit(s)** since last check
  - Latest: `25d22f8` — Update README.md
  - Recent commits:
  - `e8eae0f` [fix] fix(compress): utf-8 pin, Windows .cmd resolve, frontmatter + backup-dir
  - `f06348c` [fix] fix(skill): preserve user language, no self-reference, full-mode guardrails
  - `f68111a` [fix] fix(stats): Opus output price $75->$25 for 4.5+ era; Windows statusline UTF-8
  - `46de578` [fix] fix(docs): escape user input in demo terminal (XSS)
  - `6ce47d4` [fix] fix(mcp-shrink): shell:true on Windows so npx/.cmd upstream resolves

### [playwright-mcp](https://github.com/microsoft/playwright-mcp)

  - **New release:** `v0.0.76` (was `v0.0.75`)
  - Release notes:

What's New

New Tools

  • browser_video_show_actions / browser_video_hide_actions — Overlay action annotations on the recorded video, or hide them again (#40914)

Tool Improvements

  • Remote endpoint: remoteEndpoint now accepts a ConnectOptions object, not just a URL string (#40964)
  • --output-max-size — Cap the size of tool responses, with post-response disk eviction of oversized output (#41031)
  • --browser — Support moz-firefox BiDi channels (#41126)

Bug Fixes

  • Support remoteHeaders for the remote browser endpoint (#40828, #41156)
  • Use waitUntil: 'commit' when navigating back/forward (#41153)
  • Report invalid tool arguments instead of failing opaquely (#40979)
  • Use a writable cache directory for MCP user data instead of the browsers path (#40961)
  • Disconnect the tracked browser when the browser tracker is disposed (#40967)
  • Report a missing ffmpeg distinctly from a missing browser (#40867)
  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore · 1 docs
  - **Files touched:** code=0 docs=2 ci=0 test=0 other=4
  - **5 new commit(s)** since last check
  - Latest: `511320d` — docs: update MCP contribution setup (#1660)
  - Recent commits:
  - `aa55fbb` [chore] chore(deps-dev): bump hono from 4.12.18 to 4.12.23 (#1638)
  - `40de619` [chore] chore: roll Playwright to 1.61.0-alpha-1781023400000 (#1648)
  - `b301c37` [chore] chore: mark v0.0.76 (#1649)
  - `0f4e6ff` [chore] chore(deps-dev): bump hono from 4.12.23 to 4.12.26 (#1658)
  - `511320d` [docs] docs: update MCP contribution setup (#1660)


*Updated by the upstream tracker workflow.*

@github-actions


New upstream changes detected (2026-06-26)

context7

  • New release: @upstash/context7-mcp@3.2.2 (was ctx7@0.5.1)
  • Release notes:
### Patch Changes

- 2253765: Validate Enterprise-Managed Auth (id-jag) access tokens at the MCP server, so MCP clients can authenticate to Context7 through an enterprise IdP (Okta) via the MCP Enterprise-Managed Authorization extension.
  • Impact: 🟡 review (code touched)
  • Commit mix: 5 chore · 9 docs · 8 feat · 3 fix · 5 other
  • Files touched: code=18 docs=98 ci=4 test=2 other=9
  • 30 new commit(s) since last check
  • Latest: 0647bb3 — add new attribute to docs (#2828)
  • Recent commits:
  • eb1bc85 [chore] chore: remove changeset check workflow (#2741)
  • cc011a4 [feat] feat: add Codex client documentation and update OAuth flow details for existing clients (#2742)
  • 06843a6 [other] fix copilot cli plugin compatibility (#2743)
  • 1f6212b [other] trigger the Test workflow only when they touch packages/** or the root files that affect the toolchain (#2747)
  • c10f116 [feat] feat: add Context7 Codex plugin with installation instructions and documentation (#2748)

lightrag

  • New release: v1.5.4 (was v1.5.1)
  • Release notes:
## What's New
* feat(parser): native engine **support for Markdown parsing**, including **embedded base64 images** and `.textpack` bundle image integration by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3280
* feat(parser): per-file engine parameters via hint/rule (Phase 2 — MinerU + Docling) by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3284
* perf(webui): made graph rendering more efficient -> large knowledge graphs now usable by @Xaverrrrr in https://github.com/HKUDS/LightRAG/pull/3304

## What's Changed
* Add parameterized parser hints for chunk strategy tuning by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3282
* feat(chunker): add drop_references option to P chunking strategy by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3285
* feat(webui): reorder query modes and warn on lower-quality modes by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3287
* fix(mineru): drop page_number items from blocks content by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3288
* fix(storage): handle set ids in delete (Issue #3286) by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3289
* Fixed typo (Dokcer -> Docker) by @aleksvujic in https://github.com/HKUDS/LightRAG/pull/3291
* refactor(parser): move all chunking out of the docx parser by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3295
* fix(api): stop guest tokens from bypassing X-API-Key auth by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3319
* fix(api): don't pair wildcard CORS origin with credentials by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3317
* docs(README): add optional HVTracker trust badge by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3320
* fix(sidecar): prevent path traversal in asset materialization by @VectorPeak in https://github.com/HKUDS/LightRAG/pull/3316

## New Contributors
* @VectorPeak made their first contribution in https://github.com/HKUDS/LightRAG/pull/3316
  • Impact: 🟡 review (code touched)
  • Commit mix: 16 chore · 9 docs · 18 feat · 63 fix · 135 other · 4 refactor · 2 style · 3 test
  • Files touched: code=0 docs=23 ci=13 test=109 other=108
  • 312 new commit(s) since last check
  • Latest: 5119688 — Merge pull request #3339 from HKUDS/claude/issue-3338-a631eq
  • Recent commits:
  • 28e34f3 [fix] fix(rebuild): exit non-zero on failure so automation can detect it
  • 40257f9 [feat] feat(rebuild): separate per-storage rebuild output with section headers
  • fa146e5 [other] Validate workspace in all storage backends
  • 88a575c [fix] fix(postgres): strip content_vector from vector get_by_id/get_by_ids
  • 9bc5e88 [other] Validate workspace in DocumentManager upload path

vercel-agent-skills

  • Impact: 🟡 review (code touched)
  • Commit mix: 2 fix · 1 other
  • Files touched: code=1 docs=0 ci=0 test=1 other=1
  • 3 new commit(s) since last check
  • Latest: f8a72b9 — Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn
  • Recent commits:
  • 847de8d [fix] fix(vercel-optimize): run vercel via node entry on Windows (execFile can't spawn .cmd)
  • 190df9e [fix] fix(vercel-optimize): harden Windows CLI resolution
  • f8a72b9 [other] Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn

everything-claude-code

  • New release: v2.0.0 (was v1.10.0)
  • Release notes:
ECC 2.0.0 is the stable graduation of the 2.0 line: ECC as a cross-harness operating system for agentic work. Claude Code stays first-class; Codex, OpenCode, Cursor, Gemini, Zed, and terminal-only workflows share the same skills, rules, hooks, MCP conventions, release gates, and operator workflows. This is the months-in-the-making release the rc.1 candidate was building toward.

## The control pane (early build)

![ECC Control Pane — sessions, metrics, and the work-items board](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-1.png)

![Operator column — knowledge recall, connectors, and runnable agent actions](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-2.png)

The ECC 2.0 operating surface, running locally (`node scripts/control-pane.js`): operator recall search, live session metrics, a work-items board with ready/running/blocked/done lanes, and an operator column that drives knowledge sync/recall, graph backfill, and the TUI. The session adapters and MCP inventory below feed this board. Build-in-public continues in the Discord #control-pane channel.

## What is new

- **261 public skills** across coding, research, security, media, enterprise ops, and agent workflows (rc.1 shipped 243) — plus 64 agents and 84 commands.
- **The control-pane substrate** — the foundation of the ECC 2.0 operating surface:
  - harness-neutral session adapters (`ecc.session.v1`) covering Claude Code, Codex, OpenCode, and dmux — one schema for "which agent is where, doing what"
  - MCP inventory (`ecc.mcp.v1`) — one normalized view of every MCP server config across harnesses, with fragmentation/drift detection and secret redaction (it caught a real arg-carried key leak during development)
  - worktree-lifecycle service — deterministic merge-conflict prediction and safe GC for parallel agent worktrees
- **`orch-*` orchestrator skill family** plus dynamic workflow team orchestration — multi-agent fan-out as a first-class surface.
- **Single-connector MCP default policy** — the default set is now exactly one connector (`chrome-devtools`); the other six retired to opt-in after a June 2026 audit. Policy + per-connector rationale: `docs/MCP-CONNECTOR-POLICY.md`.
- **Rollout-derived optimization pack**: `parallel-execution-optimizer`, `benchmark-optimization-loop`, `data-throughput-accelerator`, `latency-critical-systems`, `recursive-decision-ledger`.
  • Impact: 🟡 review (code touched)
  • Commit mix: 15 chore · 3 ci · 18 docs · 30 feat · 45 fix · 20 other · 1 refactor · 1 style
  • Files touched: code=0 docs=194 ci=13 test=0 other=95
  • 133 new commit(s) since last check
  • Latest: 2bc924f — fix(clv2): harden registry writes and project deletion (#2294, #2297) (#2323)
  • Recent commits:
  • 194eeb9 [feat] feat: add taste skill for music-video creative direction
  • d4ed8ba [feat] feat(skills): add ml-adoption-playbook skill
  • 8ee5946 [docs] docs: refresh sponsor and readme surface
  • 3c5bcc2 [other] security: harden advisory intake and dependency coverage
  • 4f69955 [docs] docs: fix README markdownlint spacing

ui-ux-pro-max

  • New release: v2.8.8 (was v2.5.0)
  • Release notes:
## [2.8.8](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/compare/v2.8.7...v2.8.8) (2026-06-26)

### Bug Fixes

* **cli:** publish under fallback npm package ([#393](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/393)) ([cc3d1be](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/commit/cc3d1be7436443f58cc5087fc90f761410b9ee33))
  • Impact: 🔴 likely matters (breaking change)
  • Commit mix: 1 ci · 4 docs · 5 feat · 21 fix · 3 other
  • Files touched: code=7 docs=73 ci=5 test=0 other=106
  • 34 new commit(s) since last check
  • Latest: e3a7f27 — docs: make SKILL.md stack-neutral instead of React Native-only (#372)
  • Recent commits:
  • fdc0a45 [fix] fix: correct project name from 'Antigravity Kit' to 'UI UX Pro Max' in CLAUDE.md (#365)
  • 5e2c0a2 [docs] docs: add Troubleshooting section to README (closes #304 #318 #338) (#350)
  • 03e6afc [ci] ci: add paths-ignore to python-package-conda workflow (#312)
  • 71d02ec [fix] fix(meta): align marketplace.json and package-lock.json to v2.5.0 (#327)
  • c522197 [fix] fix(cli): implement --force flag to protect existing skill files (#324)

superpowers

  • New release: v6.0.3 (was v5.1.0)
  • Release notes:

### Subagent-Driven Development

- **SDD scratch files moved out of `.git/`.** Claude Code treats `.git/` as a protected path and denies agent writes there, so an implementer subagent writing its report into `.git/sdd/` got blocked mid-run. Task briefs, implementer reports, review diffs, and the progress ledger now live in a self-ignoring `.superpowers/sdd/` directory in the working tree — kept out of `git status` and out of commits, and resolved per worktree by a shared `sdd-workspace` helper. One caveat: because the workspace is git-ignored working-tree scratch, `git clean -fdx` will delete the progress ledger; recover from `git log` if that happens. (#1780)
  • Impact: 🟡 review (code touched)
  • Commit mix: 6 chore · 11 docs · 12 feat · 23 fix · 112 other · 4 test
  • Files touched: code=0 docs=67 ci=1 test=49 other=24
  • 168 new commit(s) since last check
  • Latest: 896224c — Release v6.0.3: SDD artifacts move out of the .git/ protected path
  • Recent commits:
  • 8cf3900 [other] Job posting
  • 718cb1d [docs] docs: turned the dash in "- Jesse" into an escape sequence (#1474)
  • bce1267 [other] Spec: lift drill into superpowers as evals/
  • 09d2c1d [other] Spec: address adversarial review findings
  • 1a42ead [other] Plan: lift drill into superpowers as evals/

n8n-mcp

  • New release: v2.61.0 (was v2.57.1)
  • Release notes:
# Release v2.61.0

Generating release notes from v2.60.0 to HEAD
### 🐛 Bug Fixes

- Sync runtime version (Conceived by Romuald Członkowski - www.aiadvisors.pl/en) (df997d4)

### 🔧 Maintenance

- Update n8n to 2.27.4 and bump version to 2.61.0 (b0e43e3)

---

**Release Statistics:**
- 2 commits
- 2 contributors
- Contributors: copilot-swe-agent[bot], czlonkowski

---
  • Impact: 🟡 review (code touched)
  • Commit mix: 13 chore · 5 ci · 9 docs · 3 feat · 35 fix · 43 other · 5 test
  • Files touched: code=0 docs=5 ci=10 test=0 other=285
  • 113 new commit(s) since last check
  • Latest: f5694cc — Merge pull request #882 from czlonkowski/update/n8n-2.27.4
  • Recent commits:
  • 109c483 [fix] fix(workflow): allowlist write payload so n8n 2.x echo-back fields don't break updates
  • 33e3d5b [test] test(workflow): cover nodeGroups echo-back in allowlist (supersedes #835, #839)
  • 0a07f2f [fix] fix(workflow): object-merge settings on full update so partial payloads don't drop keys
  • 75887af [fix] fix(workflow): don't let a null settings payload wipe current settings
  • 7fec791 [other] Merge pull request #840 from czlonkowski/fix/update-workflow-additional-properties

claude-mem

  • New release: v13.8.0 (was v13.4.2)
  • Release notes:
## Telemetry: observation volume on per-session rollups

Carries generation-side observation volume and type mix on the `observer_turn_rollup` event so cache-value KPIs survive the migration off the legacy per-occurrence `session_compressed` / `context_injected` streams.

### What's new
- **`observer_turn_rollup`** now sums `observations_created` and the `obs_type_*` family (bugfix / discovery / decision / refactor / other) across every compression turn in a session. Paired with `total_cost_usd`, this makes **cost-per-observation** and **observation-type-by-model** derivable from the rollup alone.
- **`context_injected_rollup`** carries `total_observations_injected` and `total_tokens_saved_vs_naive` — context-cache value (observations served × cost/obs) is now derivable from the rollup.
- `scrub.ts` whitelist extended for the new aggregate keys; all values are counts/sums only — never names, prompt text, or raw strings.
- Public `telemetry.mdx` docs updated to document the new rollup fields.

### Merge notes
- Merged latest `main` (Ponytail audit, v13.7.1), which removed fabrication tracking; the now-stale `fabrication_count` / `fabricated_count` references were dropped from code and docs accordingly.

Full changes: https://github.com/thedotmack/claude-mem/pull/3017
  • Impact: 🟡 review (code touched)
  • Commit mix: 1 build · 15 chore · 1 ci · 16 docs · 16 feat · 9 fix · 10 other · 1 refactor · 1 test
  • Files touched: code=170 docs=54 ci=2 test=54 other=20
  • 70 new commit(s) since last check
  • Latest: 3fe0725 — chore: bump version to 13.8.1
  • Recent commits:
  • 35fbf91 [fix] fix(settings): keep file defaults from inheriting stale env overrides (#2853)
  • 57b9a39 [fix] fix(installer): require explicit consent before disabling Claude Code auto-memory (closes #2836) (#2859)
  • 3759d99 [other] batch: land five reviewed fixes from @rodboev (#2848 #2850 #2851 #2852 #2860) (#2862)
  • f3fa560 [other] Keep published docs aligned with release metadata (#2756)
  • 7121de4 [fix] fix(openclaw): compact routine feed messages (#2734)

voicemode

  • New release: v8.10.2 (was v8.7.1)
  • Release notes:

### Security

- **Closed an OS command-injection sink in `voicemode config set` / `update_config` (GHSA-h97v-r3jw-cf6f, VM-1679)** — A configuration value written via the config tools was stored in `~/.voicemode/voicemode.env` without shell-escaping, and the Whisper and `serve` start scripts read that file with `source`. Because bash runs command substitution even inside double quotes, a value like `VOICEMODE_VOICES='af_sky$(…)'` would execute on the next service start or reboot, as the service user (CWE-78). This is **opt-in to reach** — the config tools are not in the default MCP tool set, so a stock install is not attacker-reachable — but it is fixed at two layers regardless: (1) the writer now emits **single-quoted, fully escaped** values (single quotes suppress all shell expansion) and rejects control characters, so any value is inert even when sourced; (2) the start scripts no longer `source` the env file — they parse `KEY=VALUE` pairs as inert data and never evaluate them. Existing env files are migrated to the safe quoting on the next `config set`. Reported responsibly via a private advisory; thank you to the reporter.


## Installation

### Quick Start (Recommended)

```bash
# Install UV package manager (if not already installed)
curl -LsSf https://astral.sh/uv/install.sh | sh

# Install VoiceMode and configure services
uvx voice-mode-install

# Add to Claude Code MCP
claude mcp add --scope user voicemode -- uvx --refresh voice-mode
```
  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 7 chore · 2 ci · 6 docs · 6 feat · 8 fix · 74 other
  - **Files touched:** code=0 docs=13 ci=4 test=16 other=36
  - **103 new commit(s)** since last check
  - Latest: `4bf4957` — chore: bump version to 8.10.2 for all packages
  - Recent commits:
  - `1ed5bf9` [fix] fix(#249): improve UX when CUDA toolkit is missing during whisper install
  - `9798833` [fix] fix: address review feedback on CUDA install UX
  - `7bcc5a1` [feat] feat: add Cartesia TTS provider with SSE streaming
  - `3145d10` [other] Cartesia: address review feedback from PR #368
  - `83302e4` [feat] feat(nix): add whisper.cpp derivation with CUDA support

### [caveman](https://github.com/JuliusBrussee/caveman)

  - **New release:** `v1.9.0` (was `v1.8.2`)
  - Release notes:

Security

  • Installs now pinned + integrity-checked (#261, #262)
    curl|bash and detached installs no longer fetch hook files from the moving
    main branch — they download from the immutable v1.9.0 tag and verify
    every hook against src/hooks/checksums.sha256 (SHA-256) before anything
    executes. Mismatch aborts the install. This is the first tag shipping the
    manifest, so enforcement is fully active as of this release.

  • fix(docs): escape user input in the demo terminal (#438)
    The docs site demo interpolated user input via innerHTML — a real
    reflected DOM XSS. Nodes are built with textContent now.

opencode actually works now

Smoke-tested against a real opencode runtime for the first time — and the
plugin turned out to never load: opencode runs plugins inside a compiled Bun
binary where both require() of on-disk files and await import() of CJS
silently fail. Fixed by evaluating the shared config as CommonJS by hand.
Also fixed in the same pass, all verified end-to-end against opencode 1.4.0:

  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore · 1 feat · 8 fix · 2 other · 1 test
  - **Files touched:** code=9 docs=15 ci=1 test=12 other=10
  - **16 new commit(s)** since last check
  - Latest: `25d22f8` — Update README.md
  - Recent commits:
  - `e8eae0f` [fix] fix(compress): utf-8 pin, Windows .cmd resolve, frontmatter + backup-dir
  - `f06348c` [fix] fix(skill): preserve user language, no self-reference, full-mode guardrails
  - `f68111a` [fix] fix(stats): Opus output price $75->$25 for 4.5+ era; Windows statusline UTF-8
  - `46de578` [fix] fix(docs): escape user input in demo terminal (XSS)
  - `6ce47d4` [fix] fix(mcp-shrink): shell:true on Windows so npx/.cmd upstream resolves

### [playwright-mcp](https://github.com/microsoft/playwright-mcp)

  - **New release:** `v0.0.76` (was `v0.0.75`)
  - Release notes:

What's New

New Tools

  • browser_video_show_actions / browser_video_hide_actions — Overlay action annotations on the recorded video, or hide them again (#40914)

Tool Improvements

  • Remote endpoint: remoteEndpoint now accepts a ConnectOptions object, not just a URL string (#40964)
  • --output-max-size — Cap the size of tool responses, with post-response disk eviction of oversized output (#41031)
  • --browser — Support moz-firefox BiDi channels (#41126)

Bug Fixes

  • Support remoteHeaders for the remote browser endpoint (#40828, #41156)
  • Use waitUntil: 'commit' when navigating back/forward (#41153)
  • Report invalid tool arguments instead of failing opaquely (#40979)
  • Use a writable cache directory for MCP user data instead of the browsers path (#40961)
  • Disconnect the tracked browser when the browser tracker is disposed (#40967)
  • Report a missing ffmpeg distinctly from a missing browser (#40867)
  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore · 2 docs
  - **Files touched:** code=0 docs=2 ci=0 test=0 other=5
  - **6 new commit(s)** since last check
  - Latest: `2d446f9` — docs: fix CDP header env name (#1661)
  - Recent commits:
  - `aa55fbb` [chore] chore(deps-dev): bump hono from 4.12.18 to 4.12.23 (#1638)
  - `40de619` [chore] chore: roll Playwright to 1.61.0-alpha-1781023400000 (#1648)
  - `b301c37` [chore] chore: mark v0.0.76 (#1649)
  - `0f4e6ff` [chore] chore(deps-dev): bump hono from 4.12.23 to 4.12.26 (#1658)
  - `511320d` [docs] docs: update MCP contribution setup (#1660)


*Updated by the upstream tracker workflow.*

@github-actions

Contributor Author

New upstream changes detected (2026-06-27)

context7

  • New release: @upstash/context7-mcp@3.2.2 (was ctx7@0.5.1)
  • Release notes:
### Patch Changes

- 2253765: Validate Enterprise-Managed Auth (id-jag) access tokens at the MCP server, so MCP clients can authenticate to Context7 through an enterprise IdP (Okta) via the MCP Enterprise-Managed Authorization extension.
  • Impact: 🟡 review (code touched)
  • Commit mix: 5 chore · 9 docs · 8 feat · 3 fix · 5 other
  • Files touched: code=18 docs=98 ci=4 test=2 other=9
  • 30 new commit(s) since last check
  • Latest: 0647bb3 — add new attribute to docs (#2828)
  • Recent commits:
  • eb1bc85 [chore] chore: remove changeset check workflow (#2741)
  • cc011a4 [feat] feat: add Codex client documentation and update OAuth flow details for existing clients (#2742)
  • 06843a6 [other] fix copilot cli plugin compatibility (#2743)
  • 1f6212b [other] trigger the Test workflow only when they touch packages/** or the root files that affect the toolchain (#2747)
  • c10f116 [feat] feat: add Context7 Codex plugin with installation instructions and documentation (#2748)

lightrag

  • New release: v1.5.4 (was v1.5.1)
  • Release notes:
## What's New
* feat(parser): native engine **support for Markdown parsing**, including **embedded base64 images** and `.textpack` bundle image integration by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3280
* feat(parser): per-file engine parameters via hint/rule (Phase 2 — MinerU + Docling) by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3284
* perf(webui): made graph rendering more efficient -> large knowledge graphs now usable by @Xaverrrrr in https://github.com/HKUDS/LightRAG/pull/3304

## What's Changed
* Add parameterized parser hints for chunk strategy tuning by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3282
* feat(chunker): add drop_references option to P chunking strategy by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3285
* feat(webui): reorder query modes and warn on lower-quality modes by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3287
* fix(mineru): drop page_number items from blocks content by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3288
* fix(storage): handle set ids in delete (Issue #3286) by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3289
* Fixed typo (Dokcer -> Docker) by @aleksvujic in https://github.com/HKUDS/LightRAG/pull/3291
* refactor(parser): move all chunking out of the docx parser by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3295
* fix(api): stop guest tokens from bypassing X-API-Key auth by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3319
* fix(api): don't pair wildcard CORS origin with credentials by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3317
* docs(README): add optional HVTracker trust badge by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3320
* fix(sidecar): prevent path traversal in asset materialization by @VectorPeak in https://github.com/HKUDS/LightRAG/pull/3316

## New Contributors
* @VectorPeak made their first contribution in https://github.com/HKUDS/LightRAG/pull/3316
  • Impact: 🟡 review (code touched)
  • Commit mix: 16 chore · 9 docs · 18 feat · 63 fix · 135 other · 4 refactor · 2 style · 3 test
  • Files touched: code=0 docs=23 ci=13 test=109 other=108
  • 312 new commit(s) since last check
  • Latest: 5119688 — Merge pull request #3339 from HKUDS/claude/issue-3338-a631eq
  • Recent commits:
  • 28e34f3 [fix] fix(rebuild): exit non-zero on failure so automation can detect it
  • 40257f9 [feat] feat(rebuild): separate per-storage rebuild output with section headers
  • fa146e5 [other] Validate workspace in all storage backends
  • 88a575c [fix] fix(postgres): strip content_vector from vector get_by_id/get_by_ids
  • 9bc5e88 [other] Validate workspace in DocumentManager upload path

vercel-agent-skills

  • Impact: 🟡 review (code touched)
  • Commit mix: 2 fix · 1 other
  • Files touched: code=1 docs=0 ci=0 test=1 other=1
  • 3 new commit(s) since last check
  • Latest: f8a72b9 — Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn
  • Recent commits:
  • 847de8d [fix] fix(vercel-optimize): run vercel via node entry on Windows (execFile can't spawn .cmd)
  • 190df9e [fix] fix(vercel-optimize): harden Windows CLI resolution
  • f8a72b9 [other] Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn

everything-claude-code

  • New release: v2.0.0 (was v1.10.0)
  • Release notes:
ECC 2.0.0 is the stable graduation of the 2.0 line: ECC as a cross-harness operating system for agentic work. Claude Code stays first-class; Codex, OpenCode, Cursor, Gemini, Zed, and terminal-only workflows share the same skills, rules, hooks, MCP conventions, release gates, and operator workflows. This is the months-in-the-making release the rc.1 candidate was building toward.

## The control pane (early build)

![ECC Control Pane — sessions, metrics, and the work-items board](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-1.png)

![Operator column — knowledge recall, connectors, and runnable agent actions](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-2.png)

The ECC 2.0 operating surface, running locally (`node scripts/control-pane.js`): operator recall search, live session metrics, a work-items board with ready/running/blocked/done lanes, and an operator column that drives knowledge sync/recall, graph backfill, and the TUI. The session adapters and MCP inventory below feed this board. Build-in-public continues in the Discord #control-pane channel.

## What is new

- **261 public skills** across coding, research, security, media, enterprise ops, and agent workflows (rc.1 shipped 243) — plus 64 agents and 84 commands.
- **The control-pane substrate** — the foundation of the ECC 2.0 operating surface:
  - harness-neutral session adapters (`ecc.session.v1`) covering Claude Code, Codex, OpenCode, and dmux — one schema for "which agent is where, doing what"
  - MCP inventory (`ecc.mcp.v1`) — one normalized view of every MCP server config across harnesses, with fragmentation/drift detection and secret redaction (it caught a real arg-carried key leak during development)
  - worktree-lifecycle service — deterministic merge-conflict prediction and safe GC for parallel agent worktrees
- **`orch-*` orchestrator skill family** plus dynamic workflow team orchestration — multi-agent fan-out as a first-class surface.
- **Single-connector MCP default policy** — the default set is now exactly one connector (`chrome-devtools`); the other six retired to opt-in after a June 2026 audit. Policy + per-connector rationale: `docs/MCP-CONNECTOR-POLICY.md`.
- **Rollout-derived optimization pack**: `parallel-execution-optimizer`, `benchmark-optimization-loop`, `data-throughput-accelerator`, `latency-critical-systems`, `recursive-decision-ledger`.
  • Impact: 🟡 review (code touched)
  • Commit mix: 15 chore · 3 ci · 18 docs · 30 feat · 45 fix · 20 other · 1 refactor · 1 style
  • Files touched: code=0 docs=194 ci=13 test=0 other=95
  • 133 new commit(s) since last check
  • Latest: 2bc924f — fix(clv2): harden registry writes and project deletion (#2294, #2297) (#2323)
  • Recent commits:
  • 194eeb9 [feat] feat: add taste skill for music-video creative direction
  • d4ed8ba [feat] feat(skills): add ml-adoption-playbook skill
  • 8ee5946 [docs] docs: refresh sponsor and readme surface
  • 3c5bcc2 [other] security: harden advisory intake and dependency coverage
  • 4f69955 [docs] docs: fix README markdownlint spacing

ui-ux-pro-max

  • New release: v2.9.0 (was v2.5.0)
  • Release notes:
## [2.9.0](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/compare/v2.8.8...v2.9.0) (2026-06-26)
  • Impact: 🔴 likely matters (breaking change)
  • Commit mix: 1 ci · 4 docs · 6 feat · 21 fix · 5 other
  • Files touched: code=29 docs=73 ci=6 test=0 other=152
  • 37 new commit(s) since last check
  • Latest: 65e2319 — Merge pull request #242 from jizc/feature/desktop-apps
  • Recent commits:
  • fdc0a45 [fix] fix: correct project name from 'Antigravity Kit' to 'UI UX Pro Max' in CLAUDE.md (#365)
  • 5e2c0a2 [docs] docs: add Troubleshooting section to README (closes #304 #318 #338) (#350)
  • 03e6afc [ci] ci: add paths-ignore to python-package-conda workflow (#312)
  • 71d02ec [fix] fix(meta): align marketplace.json and package-lock.json to v2.5.0 (#327)
  • c522197 [fix] fix(cli): implement --force flag to protect existing skill files (#324)

superpowers

  • New release: v6.0.3 (was v5.1.0)
  • Release notes:

### Subagent-Driven Development

- **SDD scratch files moved out of `.git/`.** Claude Code treats `.git/` as a protected path and denies agent writes there, so an implementer subagent writing its report into `.git/sdd/` got blocked mid-run. Task briefs, implementer reports, review diffs, and the progress ledger now live in a self-ignoring `.superpowers/sdd/` directory in the working tree — kept out of `git status` and out of commits, and resolved per worktree by a shared `sdd-workspace` helper. One caveat: because the workspace is git-ignored working-tree scratch, `git clean -fdx` will delete the progress ledger; recover from `git log` if that happens. (#1780)
  • Impact: 🟡 review (code touched)
  • Commit mix: 6 chore · 11 docs · 12 feat · 23 fix · 112 other · 4 test
  • Files touched: code=0 docs=67 ci=1 test=49 other=24
  • 168 new commit(s) since last check
  • Latest: 896224c — Release v6.0.3: SDD artifacts move out of the .git/ protected path
  • Recent commits:
  • 8cf3900 [other] Job posting
  • 718cb1d [docs] docs: turned the dash in "- Jesse" into an escape sequence (#1474)
  • bce1267 [other] Spec: lift drill into superpowers as evals/
  • 09d2c1d [other] Spec: address adversarial review findings
  • 1a42ead [other] Plan: lift drill into superpowers as evals/

n8n-mcp

  • New release: v2.61.0 (was v2.57.1)
  • Release notes:
# Release v2.61.0

Generating release notes from v2.60.0 to HEAD
### 🐛 Bug Fixes

- Sync runtime version (Conceived by Romuald Członkowski - www.aiadvisors.pl/en) (df997d4)

### 🔧 Maintenance

- Update n8n to 2.27.4 and bump version to 2.61.0 (b0e43e3)

---

**Release Statistics:**
- 2 commits
- 2 contributors
- Contributors: copilot-swe-agent[bot], czlonkowski

---
  • Impact: 🟡 review (code touched)
  • Commit mix: 13 chore · 5 ci · 9 docs · 3 feat · 35 fix · 43 other · 5 test
  • Files touched: code=0 docs=5 ci=10 test=0 other=285
  • 113 new commit(s) since last check
  • Latest: f5694cc — Merge pull request #882 from czlonkowski/update/n8n-2.27.4
  • Recent commits:
  • 109c483 [fix] fix(workflow): allowlist write payload so n8n 2.x echo-back fields don't break updates
  • 33e3d5b [test] test(workflow): cover nodeGroups echo-back in allowlist (supersedes #835, #839)
  • 0a07f2f [fix] fix(workflow): object-merge settings on full update so partial payloads don't drop keys
  • 75887af [fix] fix(workflow): don't let a null settings payload wipe current settings
  • 7fec791 [other] Merge pull request #840 from czlonkowski/fix/update-workflow-additional-properties

claude-mem

  • New release: v13.8.0 (was v13.4.2)
  • Release notes:
## Telemetry: observation volume on per-session rollups

Carries generation-side observation volume and type mix on the `observer_turn_rollup` event so cache-value KPIs survive the migration off the legacy per-occurrence `session_compressed` / `context_injected` streams.

### What's new
- **`observer_turn_rollup`** now sums `observations_created` and the `obs_type_*` family (bugfix / discovery / decision / refactor / other) across every compression turn in a session. Paired with `total_cost_usd`, this makes **cost-per-observation** and **observation-type-by-model** derivable from the rollup alone.
- **`context_injected_rollup`** carries `total_observations_injected` and `total_tokens_saved_vs_naive` — context-cache value (observations served × cost/obs) is now derivable from the rollup.
- `scrub.ts` whitelist extended for the new aggregate keys; all values are counts/sums only — never names, prompt text, or raw strings.
- Public `telemetry.mdx` docs updated to document the new rollup fields.

### Merge notes
- Merged latest `main` (Ponytail audit, v13.7.1), which removed fabrication tracking; the now-stale `fabrication_count` / `fabricated_count` references were dropped from code and docs accordingly.

Full changes: https://github.com/thedotmack/claude-mem/pull/3017
  • Impact: 🟡 review (code touched)
  • Commit mix: 1 build · 15 chore · 1 ci · 16 docs · 16 feat · 9 fix · 10 other · 1 refactor · 1 test
  • Files touched: code=170 docs=54 ci=2 test=54 other=20
  • 70 new commit(s) since last check
  • Latest: 3fe0725 — chore: bump version to 13.8.1
  • Recent commits:
  • 35fbf91 [fix] fix(settings): keep file defaults from inheriting stale env overrides (#2853)
  • 57b9a39 [fix] fix(installer): require explicit consent before disabling Claude Code auto-memory (closes #2836) (#2859)
  • 3759d99 [other] batch: land five reviewed fixes from @rodboev (#2848 #2850 #2851 #2852 #2860) (#2862)
  • f3fa560 [other] Keep published docs aligned with release metadata (#2756)
  • 7121de4 [fix] fix(openclaw): compact routine feed messages (#2734)

voicemode

  • New release: v8.10.2 (was v8.7.1)
  • Release notes:

### Security

- **Closed an OS command-injection sink in `voicemode config set` / `update_config` (GHSA-h97v-r3jw-cf6f, VM-1679)** — A configuration value written via the config tools was stored in `~/.voicemode/voicemode.env` without shell-escaping, and the Whisper and `serve` start scripts read that file with `source`. Because bash runs command substitution even inside double quotes, a value like `VOICEMODE_VOICES='af_sky$(…)'` would execute on the next service start or reboot, as the service user (CWE-78). This is **opt-in to reach** — the config tools are not in the default MCP tool set, so a stock install is not attacker-reachable — but it is fixed at two layers regardless: (1) the writer now emits **single-quoted, fully escaped** values (single quotes suppress all shell expansion) and rejects control characters, so any value is inert even when sourced; (2) the start scripts no longer `source` the env file — they parse `KEY=VALUE` pairs as inert data and never evaluate them. Existing env files are migrated to the safe quoting on the next `config set`. Reported responsibly via a private advisory; thank you to the reporter.


## Installation

### Quick Start (Recommended)

```bash
# Install UV package manager (if not already installed)
curl -LsSf https://astral.sh/uv/install.sh | sh

# Install VoiceMode and configure services
uvx voice-mode-install

# Add to Claude Code MCP
claude mcp add --scope user voicemode -- uvx --refresh voice-mode
```
  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 7 chore · 2 ci · 6 docs · 6 feat · 9 fix · 100 other
  - **Files touched:** code=0 docs=17 ci=4 test=23 other=42
  - **130 new commit(s)** since last check
  - Latest: `f08133f` — Merge tag 'ready/refactor/VM-1730-remove-orphaned-default_pronunciationyaml-dead'
  - Recent commits:
  - `1ed5bf9` [fix] fix(#249): improve UX when CUDA toolkit is missing during whisper install
  - `9798833` [fix] fix: address review feedback on CUDA install UX
  - `7bcc5a1` [feat] feat: add Cartesia TTS provider with SSE streaming
  - `3145d10` [other] Cartesia: address review feedback from PR #368
  - `83302e4` [feat] feat(nix): add whisper.cpp derivation with CUDA support

### [caveman](https://github.com/JuliusBrussee/caveman)

  - **New release:** `v1.9.0` (was `v1.8.2`)
  - Release notes:

Security

  • Installs now pinned + integrity-checked (#261, #262)
    curl|bash and detached installs no longer fetch hook files from the moving
    main branch — they download from the immutable v1.9.0 tag and verify
    every hook against src/hooks/checksums.sha256 (SHA-256) before anything
    executes. Mismatch aborts the install. This is the first tag shipping the
    manifest, so enforcement is fully active as of this release.

  • fix(docs): escape user input in the demo terminal (#438)
    The docs site demo interpolated user input via innerHTML — a real
    reflected DOM XSS. Nodes are built with textContent now.

opencode actually works now

Smoke-tested against a real opencode runtime for the first time — and the
plugin turned out to never load: opencode runs plugins inside a compiled Bun
binary where both require() of on-disk files and await import() of CJS
silently fail. Fixed by evaluating the shared config as CommonJS by hand.
Also fixed in the same pass, all verified end-to-end against opencode 1.4.0:

  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore · 1 feat · 8 fix · 2 other · 1 test
  - **Files touched:** code=9 docs=15 ci=1 test=12 other=10
  - **16 new commit(s)** since last check
  - Latest: `25d22f8` — Update README.md
  - Recent commits:
  - `e8eae0f` [fix] fix(compress): utf-8 pin, Windows .cmd resolve, frontmatter + backup-dir
  - `f06348c` [fix] fix(skill): preserve user language, no self-reference, full-mode guardrails
  - `f68111a` [fix] fix(stats): Opus output price $75->$25 for 4.5+ era; Windows statusline UTF-8
  - `46de578` [fix] fix(docs): escape user input in demo terminal (XSS)
  - `6ce47d4` [fix] fix(mcp-shrink): shell:true on Windows so npx/.cmd upstream resolves

### [playwright-mcp](https://github.com/microsoft/playwright-mcp)

  - **New release:** `v0.0.76` (was `v0.0.75`)
  - Release notes:

What's New

New Tools

  • browser_video_show_actions / browser_video_hide_actions — Overlay action annotations on the recorded video, or hide them again (#40914)

Tool Improvements

  • Remote endpoint: remoteEndpoint now accepts a ConnectOptions object, not just a URL string (#40964)
  • --output-max-size — Cap the size of tool responses, with post-response disk eviction of oversized output (#41031)
  • --browser — Support moz-firefox BiDi channels (#41126)

Bug Fixes

  • Support remoteHeaders for the remote browser endpoint (#40828, #41156)
  • Use waitUntil: 'commit' when navigating back/forward (#41153)
  • Report invalid tool arguments instead of failing opaquely (#40979)
  • Use a writable cache directory for MCP user data instead of the browsers path (#40961)
  • Disconnect the tracked browser when the browser tracker is disposed (#40967)
  • Report a missing ffmpeg distinctly from a missing browser (#40867)
  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore · 2 docs
  - **Files touched:** code=0 docs=2 ci=0 test=0 other=5
  - **6 new commit(s)** since last check
  - Latest: `2d446f9` — docs: fix CDP header env name (#1661)
  - Recent commits:
  - `aa55fbb` [chore] chore(deps-dev): bump hono from 4.12.18 to 4.12.23 (#1638)
  - `40de619` [chore] chore: roll Playwright to 1.61.0-alpha-1781023400000 (#1648)
  - `b301c37` [chore] chore: mark v0.0.76 (#1649)
  - `0f4e6ff` [chore] chore(deps-dev): bump hono from 4.12.23 to 4.12.26 (#1658)
  - `511320d` [docs] docs: update MCP contribution setup (#1660)


*Updated by the upstream tracker workflow.*
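
The two-layer fix described in the voicemode v8.10.2 security note above, as an added Python sketch (not VoiceMode's own code and not part of the tracker's comment): a writer that emits single-quoted, escaped values and rejects control characters, and a reader that parses `KEY=VALUE` lines as data instead of sourcing them. The function names, the `EXAMPLE_NOTE` key and the sample values are constructed assumptions; only `VOICEMODE_VOICES` comes from the release note.

```python
"""Inert env-file writer and reader (added example, constructed)."""
import re

# Assumption: keys follow the usual shell variable-name grammar.
_KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def quote_env_value(value: str) -> str:
    """Layer 1: return value as one single-quoted shell word."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control characters are not allowed in config values")
    # Inside single quotes the shell expands nothing ($, backticks, \ are
    # literal). Only the quote itself needs handling: close, emit \', reopen.
    return "'" + value.replace("'", "'\\''") + "'"


def format_env_line(key: str, value: str) -> str:
    """Build one KEY='value' line, refusing keys that are not plain names."""
    if not _KEY_RE.fullmatch(key):
        raise ValueError(f"invalid key: {key!r}")
    return f"{key}={quote_env_value(value)}"


def render_env(values: dict) -> str:
    """Serialise a mapping to env-file text using the safe quoting."""
    return "".join(format_env_line(k, v) + "\n" for k, v in values.items())


def _unquote(raw: str) -> str:
    """Decode a stored value as literal text; nothing is ever evaluated."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == "'" and raw[-1] == "'":
        # Reverse quote_env_value: '\'' stands for one literal single quote.
        return raw[1:-1].replace("'\\''", "'")
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # Legacy double-quoted value: kept verbatim, $(...) stays plain text.
        return raw[1:-1]
    return raw


def parse_env_text(text: str) -> dict:
    """Layer 2: read KEY=VALUE pairs as data instead of `source`-ing them."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, raw = line.partition("=")
        key = key.strip()
        if not sep or not _KEY_RE.fullmatch(key):
            continue  # not a KEY=VALUE pair: skipped, never executed
        config[key] = _unquote(raw)
    return config


# Constructed sample input: the command substitution is a harmless marker.
SAMPLE_VALUES = {
    "VOICEMODE_VOICES": "af_sky$(echo constructed-marker)",
    "EXAMPLE_NOTE": "it's `quoted` \"twice\"",
}

if __name__ == "__main__":
    text = render_env(SAMPLE_VALUES)
    print(text, end="")
    print(parse_env_text(text) == SAMPLE_VALUES)
```

Either layer alone neutralises the value; keeping both means a file written by an older version, or edited by hand, is still read as data.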

@github-actions

Contributor Author

New upstream changes detected (2026-06-28)

context7

  • New release: @upstash/context7-mcp@3.2.2 (was ctx7@0.5.1)
  • Release notes:
### Patch Changes

- 2253765: Validate Enterprise-Managed Auth (id-jag) access tokens at the MCP server, so MCP clients can authenticate to Context7 through an enterprise IdP (Okta) via the MCP Enterprise-Managed Authorization extension.
  • Impact: 🟡 review (code touched)
  • Commit mix: 5 chore · 9 docs · 8 feat · 3 fix · 5 other
  • Files touched: code=18 docs=98 ci=4 test=2 other=9
  • 30 new commit(s) since last check
  • Latest: 0647bb3 — add new attribute to docs (#2828)
  • Recent commits:
  • eb1bc85 [chore] chore: remove changeset check workflow (#2741)
  • cc011a4 [feat] feat: add Codex client documentation and update OAuth flow details for existing clients (#2742)
  • 06843a6 [other] fix copilot cli plugin compatibility (#2743)
  • 1f6212b [other] trigger the Test workflow only when they touch packages/** or the root files that affect the toolchain (#2747)
  • c10f116 [feat] feat: add Context7 Codex plugin with installation instructions and documentation (#2748)

lightrag

  • New release: v1.5.4 (was v1.5.1)
  • Release notes:
## What's New
* feat(parser): native engine **support for Markdown parsing**, including **embedded base64 images** and `.textpack` bundle image integration by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3280
* feat(parser): per-file engine parameters via hint/rule (Phase 2 — MinerU + Docling) by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3284
* perf(webui): made graph rendering more efficient -> large knowledge graphs now usable by @Xaverrrrr in https://github.com/HKUDS/LightRAG/pull/3304

## What's Changed
* Add parameterized parser hints for chunk strategy tuning by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3282
* feat(chunker): add drop_references option to P chunking strategy by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3285
* feat(webui): reorder query modes and warn on lower-quality modes by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3287
* fix(mineru): drop page_number items from blocks content by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3288
* fix(storage): handle set ids in delete (Issue #3286) by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3289
* Fixed typo (Dokcer -> Docker) by @aleksvujic in https://github.com/HKUDS/LightRAG/pull/3291
* refactor(parser): move all chunking out of the docx parser by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3295
* fix(api): stop guest tokens from bypassing X-API-Key auth by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3319
* fix(api): don't pair wildcard CORS origin with credentials by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3317
* docs(README): add optional HVTracker trust badge by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3320
* fix(sidecar): prevent path traversal in asset materialization by @VectorPeak in https://github.com/HKUDS/LightRAG/pull/3316

## New Contributors
* @VectorPeak made their first contribution in https://github.com/HKUDS/LightRAG/pull/3316
  • Impact: 🟡 review (code touched)
  • Commit mix: 16 chore · 9 docs · 18 feat · 63 fix · 135 other · 4 refactor · 2 style · 3 test
  • Files touched: code=0 docs=23 ci=13 test=109 other=108
  • 312 new commit(s) since last check
  • Latest: 5119688 — Merge pull request #3339 from HKUDS/claude/issue-3338-a631eq
  • Recent commits:
  • 28e34f3 [fix] fix(rebuild): exit non-zero on failure so automation can detect it
  • 40257f9 [feat] feat(rebuild): separate per-storage rebuild output with section headers
  • fa146e5 [other] Validate workspace in all storage backends
  • 88a575c [fix] fix(postgres): strip content_vector from vector get_by_id/get_by_ids
  • 9bc5e88 [other] Validate workspace in DocumentManager upload path

vercel-agent-skills

  • Impact: 🟡 review (code touched)
  • Commit mix: 2 fix · 1 other
  • Files touched: code=1 docs=0 ci=0 test=1 other=1
  • 3 new commit(s) since last check
  • Latest: f8a72b9 — Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn
  • Recent commits:
  • 847de8d [fix] fix(vercel-optimize): run vercel via node entry on Windows (execFile can't spawn .cmd)
  • 190df9e [fix] fix(vercel-optimize): harden Windows CLI resolution
  • f8a72b9 [other] Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn

everything-claude-code

  • New release: v2.0.0 (was v1.10.0)
  • Release notes:
ECC 2.0.0 is the stable graduation of the 2.0 line: ECC as a cross-harness operating system for agentic work. Claude Code stays first-class; Codex, OpenCode, Cursor, Gemini, Zed, and terminal-only workflows share the same skills, rules, hooks, MCP conventions, release gates, and operator workflows. This is the months-in-the-making release the rc.1 candidate was building toward.

## The control pane (early build)

![ECC Control Pane — sessions, metrics, and the work-items board](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-1.png)

![Operator column — knowledge recall, connectors, and runnable agent actions](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-2.png)

The ECC 2.0 operating surface, running locally (`node scripts/control-pane.js`): operator recall search, live session metrics, a work-items board with ready/running/blocked/done lanes, and an operator column that drives knowledge sync/recall, graph backfill, and the TUI. The session adapters and MCP inventory below feed this board. Build-in-public continues in the Discord #control-pane channel.

## What is new

- **261 public skills** across coding, research, security, media, enterprise ops, and agent workflows (rc.1 shipped 243) — plus 64 agents and 84 commands.
- **The control-pane substrate** — the foundation of the ECC 2.0 operating surface:
  - harness-neutral session adapters (`ecc.session.v1`) covering Claude Code, Codex, OpenCode, and dmux — one schema for "which agent is where, doing what"
  - MCP inventory (`ecc.mcp.v1`) — one normalized view of every MCP server config across harnesses, with fragmentation/drift detection and secret redaction (it caught a real arg-carried key leak during development)
  - worktree-lifecycle service — deterministic merge-conflict prediction and safe GC for parallel agent worktrees
- **`orch-*` orchestrator skill family** plus dynamic workflow team orchestration — multi-agent fan-out as a first-class surface.
- **Single-connector MCP default policy** — the default set is now exactly one connector (`chrome-devtools`); the other six retired to opt-in after a June 2026 audit. Policy + per-connector rationale: `docs/MCP-CONNECTOR-POLICY.md`.
- **Rollout-derived optimization pack**: `parallel-execution-optimizer`, `benchmark-optimization-loop`, `data-throughput-accelerator`, `latency-critical-systems`, `recursive-decision-ledger`.
  • Impact: 🟡 review (code touched)
  • Commit mix: 15 chore · 3 ci · 18 docs · 30 feat · 45 fix · 20 other · 1 refactor · 1 style
  • Files touched: code=0 docs=194 ci=13 test=0 other=95
  • 133 new commit(s) since last check
  • Latest: 2bc924f — fix(clv2): harden registry writes and project deletion (#2294, #2297) (#2323)
  • Recent commits:
  • 194eeb9 [feat] feat: add taste skill for music-video creative direction
  • d4ed8ba [feat] feat(skills): add ml-adoption-playbook skill
  • 8ee5946 [docs] docs: refresh sponsor and readme surface
  • 3c5bcc2 [other] security: harden advisory intake and dependency coverage
  • 4f69955 [docs] docs: fix README markdownlint spacing

ui-ux-pro-max

  • New release: v2.9.0 (was v2.5.0)
  • Release notes:
## [2.9.0](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/compare/v2.8.8...v2.9.0) (2026-06-26)
  • Impact: 🔴 likely matters (breaking change)
  • Commit mix: 1 ci · 4 docs · 6 feat · 21 fix · 6 other
  • Files touched: code=31 docs=73 ci=6 test=0 other=152
  • 38 new commit(s) since last check
  • Latest: 8a81ed6 — Merge PR #223: Expand products database with 31 new product types and improved keywords
  • Recent commits:
  • fdc0a45 [fix] fix: correct project name from 'Antigravity Kit' to 'UI UX Pro Max' in CLAUDE.md (#365)
  • 5e2c0a2 [docs] docs: add Troubleshooting section to README (closes #304 #318 #338) (#350)
  • 03e6afc [ci] ci: add paths-ignore to python-package-conda workflow (#312)
  • 71d02ec [fix] fix(meta): align marketplace.json and package-lock.json to v2.5.0 (#327)
  • c522197 [fix] fix(cli): implement --force flag to protect existing skill files (#324)

superpowers

  • New release: v6.0.3 (was v5.1.0)
  • Release notes:

### Subagent-Driven Development

- **SDD scratch files moved out of `.git/`.** Claude Code treats `.git/` as a protected path and denies agent writes there, so an implementer subagent writing its report into `.git/sdd/` got blocked mid-run. Task briefs, implementer reports, review diffs, and the progress ledger now live in a self-ignoring `.superpowers/sdd/` directory in the working tree — kept out of `git status` and out of commits, and resolved per worktree by a shared `sdd-workspace` helper. One caveat: because the workspace is git-ignored working-tree scratch, `git clean -fdx` will delete the progress ledger; recover from `git log` if that happens. (#1780)
  • Impact: 🟡 review (code touched)
  • Commit mix: 6 chore · 11 docs · 12 feat · 23 fix · 112 other · 4 test
  • Files touched: code=0 docs=67 ci=1 test=49 other=24
  • 168 new commit(s) since last check
  • Latest: 896224c — Release v6.0.3: SDD artifacts move out of the .git/ protected path
  • Recent commits:
  • 8cf3900 [other] Job posting
  • 718cb1d [docs] docs: turned the dash in "- Jesse" into an escape sequence (#1474)
  • bce1267 [other] Spec: lift drill into superpowers as evals/
  • 09d2c1d [other] Spec: address adversarial review findings
  • 1a42ead [other] Plan: lift drill into superpowers as evals/

n8n-mcp

  • New release: v2.61.0 (was v2.57.1)
  • Release notes:
# Release v2.61.0

Generating release notes from v2.60.0 to HEAD
### 🐛 Bug Fixes

- Sync runtime version (Conceived by Romuald Członkowski - www.aiadvisors.pl/en) (df997d4)

### 🔧 Maintenance

- Update n8n to 2.27.4 and bump version to 2.61.0 (b0e43e3)

---

**Release Statistics:**
- 2 commits
- 2 contributors
- Contributors: copilot-swe-agent[bot], czlonkowski

---
  • Impact: 🟡 review (code touched)
  • Commit mix: 13 chore · 5 ci · 9 docs · 3 feat · 35 fix · 43 other · 5 test
  • Files touched: code=0 docs=5 ci=10 test=0 other=285
  • 113 new commit(s) since last check
  • Latest: f5694cc — Merge pull request #882 from czlonkowski/update/n8n-2.27.4
  • Recent commits:
  • 109c483 [fix] fix(workflow): allowlist write payload so n8n 2.x echo-back fields don't break updates
  • 33e3d5b [test] test(workflow): cover nodeGroups echo-back in allowlist (supersedes #835, #839)
  • 0a07f2f [fix] fix(workflow): object-merge settings on full update so partial payloads don't drop keys
  • 75887af [fix] fix(workflow): don't let a null settings payload wipe current settings
  • 7fec791 [other] Merge pull request #840 from czlonkowski/fix/update-workflow-additional-properties

claude-mem

  • New release: v13.8.0 (was v13.4.2)
  • Release notes:
## Telemetry: observation volume on per-session rollups

Carries generation-side observation volume and type mix on the `observer_turn_rollup` event so cache-value KPIs survive the migration off the legacy per-occurrence `session_compressed` / `context_injected` streams.

### What's new
- **`observer_turn_rollup`** now sums `observations_created` and the `obs_type_*` family (bugfix / discovery / decision / refactor / other) across every compression turn in a session. Paired with `total_cost_usd`, this makes **cost-per-observation** and **observation-type-by-model** derivable from the rollup alone.
- **`context_injected_rollup`** carries `total_observations_injected` and `total_tokens_saved_vs_naive` — context-cache value (observations served × cost/obs) is now derivable from the rollup.
- `scrub.ts` whitelist extended for the new aggregate keys; all values are counts/sums only — never names, prompt text, or raw strings.
- Public `telemetry.mdx` docs updated to document the new rollup fields.

### Merge notes
- Merged latest `main` (Ponytail audit, v13.7.1), which removed fabrication tracking; the now-stale `fabrication_count` / `fabricated_count` references were dropped from code and docs accordingly.

Full changes: https://github.com/thedotmack/claude-mem/pull/3017
  • Impact: 🟡 review (code touched)
  • Commit mix: 1 build · 15 chore · 1 ci · 16 docs · 16 feat · 9 fix · 10 other · 1 refactor · 1 test
  • Files touched: code=170 docs=54 ci=2 test=54 other=20
  • 70 new commit(s) since last check
  • Latest: 3fe0725 — chore: bump version to 13.8.1
  • Recent commits:
  • 35fbf91 [fix] fix(settings): keep file defaults from inheriting stale env overrides (#2853)
  • 57b9a39 [fix] fix(installer): require explicit consent before disabling Claude Code auto-memory (closes #2836) (#2859)
  • 3759d99 [other] batch: land five reviewed fixes from @rodboev (#2848 #2850 #2851 #2852 #2860) (#2862)
  • f3fa560 [other] Keep published docs aligned with release metadata (#2756)
  • 7121de4 [fix] fix(openclaw): compact routine feed messages (#2734)

voicemode

  • New release: v8.10.2 (was v8.7.1)
  • Release notes:

### Security

- **Closed an OS command-injection sink in `voicemode config set` / `update_config` (GHSA-h97v-r3jw-cf6f, VM-1679)** — A configuration value written via the config tools was stored in `~/.voicemode/voicemode.env` without shell-escaping, and the Whisper and `serve` start scripts read that file with `source`. Because bash runs command substitution even inside double quotes, a value like `VOICEMODE_VOICES='af_sky$(…)'` would execute on the next service start or reboot, as the service user (CWE-78). This is **opt-in to reach** — the config tools are not in the default MCP tool set, so a stock install is not attacker-reachable — but it is fixed at two layers regardless: (1) the writer now emits **single-quoted, fully escaped** values (single quotes suppress all shell expansion) and rejects control characters, so any value is inert even when sourced; (2) the start scripts no longer `source` the env file — they parse `KEY=VALUE` pairs as inert data and never evaluate them. Existing env files are migrated to the safe quoting on the next `config set`. Reported responsibly via a private advisory; thank you to the reporter.


## Installation

### Quick Start (Recommended)

```bash
# Install UV package manager (if not already installed)
curl -LsSf https://astral.sh/uv/install.sh | sh

# Install VoiceMode and configure services
uvx voice-mode-install

# Add to Claude Code MCP
claude mcp add --scope user voicemode -- uvx --refresh voice-mode
```
  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 7 chore · 2 ci · 6 docs · 6 feat · 9 fix · 100 other
  - **Files touched:** code=0 docs=17 ci=4 test=23 other=42
  - **130 new commit(s)** since last check
  - Latest: `f08133f` — Merge tag 'ready/refactor/VM-1730-remove-orphaned-default_pronunciationyaml-dead'
  - Recent commits:
  - `1ed5bf9` [fix] fix(#249): improve UX when CUDA toolkit is missing during whisper install
  - `9798833` [fix] fix: address review feedback on CUDA install UX
  - `7bcc5a1` [feat] feat: add Cartesia TTS provider with SSE streaming
  - `3145d10` [other] Cartesia: address review feedback from PR #368
  - `83302e4` [feat] feat(nix): add whisper.cpp derivation with CUDA support

### [caveman](https://github.com/JuliusBrussee/caveman)

  - **New release:** `v1.9.0` (was `v1.8.2`)
  - Release notes:

Security

  • Installs now pinned + integrity-checked (#261, #262)
    curl|bash and detached installs no longer fetch hook files from the moving
    main branch — they download from the immutable v1.9.0 tag and verify
    every hook against src/hooks/checksums.sha256 (SHA-256) before anything
    executes. Mismatch aborts the install. This is the first tag shipping the
    manifest, so enforcement is fully active as of this release.

  • fix(docs): escape user input in the demo terminal (#438)
    The docs site demo interpolated user input via innerHTML — a real
    reflected DOM XSS. Nodes are built with textContent now.

opencode actually works now

Smoke-tested against a real opencode runtime for the first time — and the
plugin turned out to never load: opencode runs plugins inside a compiled Bun
binary where both require() of on-disk files and await import() of CJS
silently fail. Fixed by evaluating the shared config as CommonJS by hand.
Also fixed in the same pass, all verified end-to-end against opencode 1.4.0:

  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore · 1 feat · 8 fix · 2 other · 1 test
  - **Files touched:** code=9 docs=15 ci=1 test=12 other=10
  - **16 new commit(s)** since last check
  - Latest: `25d22f8` — Update README.md
  - Recent commits:
  - `e8eae0f` [fix] fix(compress): utf-8 pin, Windows .cmd resolve, frontmatter + backup-dir
  - `f06348c` [fix] fix(skill): preserve user language, no self-reference, full-mode guardrails
  - `f68111a` [fix] fix(stats): Opus output price $75->$25 for 4.5+ era; Windows statusline UTF-8
  - `46de578` [fix] fix(docs): escape user input in demo terminal (XSS)
  - `6ce47d4` [fix] fix(mcp-shrink): shell:true on Windows so npx/.cmd upstream resolves

### [playwright-mcp](https://github.com/microsoft/playwright-mcp)

  - **New release:** `v0.0.76` (was `v0.0.75`)
  - Release notes:

What's New

New Tools

  • browser_video_show_actions / browser_video_hide_actions — Overlay action annotations on the recorded video, or hide them again (#40914)

Tool Improvements

  • Remote endpoint: remoteEndpoint now accepts a ConnectOptions object, not just a URL string (#40964)
  • --output-max-size — Cap the size of tool responses, with post-response disk eviction of oversized output (#41031)
  • --browser — Support moz-firefox BiDi channels (#41126)

Bug Fixes

  • Support remoteHeaders for the remote browser endpoint (#40828, #41156)
  • Use waitUntil: 'commit' when navigating back/forward (#41153)
  • Report invalid tool arguments instead of failing opaquely (#40979)
  • Use a writable cache directory for MCP user data instead of the browsers path (#40961)
  • Disconnect the tracked browser when the browser tracker is disposed (#40967)
  • Report a missing ffmpeg distinctly from a missing browser (#40867)
  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore · 2 docs
  - **Files touched:** code=0 docs=2 ci=0 test=0 other=5
  - **6 new commit(s)** since last check
  - Latest: `2d446f9` — docs: fix CDP header env name (#1661)
  - Recent commits:
  - `aa55fbb` [chore] chore(deps-dev): bump hono from 4.12.18 to 4.12.23 (#1638)
  - `40de619` [chore] chore: roll Playwright to 1.61.0-alpha-1781023400000 (#1648)
  - `b301c37` [chore] chore: mark v0.0.76 (#1649)
  - `0f4e6ff` [chore] chore(deps-dev): bump hono from 4.12.23 to 4.12.26 (#1658)
  - `511320d` [docs] docs: update MCP contribution setup (#1660)


*Updated by the upstream tracker workflow.*

@github-actions

Contributor Author

New upstream changes detected (2026-06-29)

context7

  • New release: @upstash/context7-mcp@3.2.2 (was ctx7@0.5.1)
  • Release notes:
### Patch Changes

- 2253765: Validate Enterprise-Managed Auth (id-jag) access tokens at the MCP server, so MCP clients can authenticate to Context7 through an enterprise IdP (Okta) via the MCP Enterprise-Managed Authorization extension.
  • Impact: 🟡 review (code touched)
  • Commit mix: 5 chore · 10 docs · 8 feat · 3 fix · 5 other
  • Files touched: code=18 docs=98 ci=4 test=2 other=9
  • 31 new commit(s) since last check
  • Latest: b1fb8b5 — docs: update Docker MCP Toolkit to remote server (fixes #790) (#2839)
  • Recent commits:
  • eb1bc85 [chore] chore: remove changeset check workflow (#2741)
  • cc011a4 [feat] feat: add Codex client documentation and update OAuth flow details for existing clients (#2742)
  • 06843a6 [other] fix copilot cli plugin compatibility (#2743)
  • 1f6212b [other] trigger the Test workflow only when they touch packages/** or the root files that affect the toolchain (#2747)
  • c10f116 [feat] feat: add Context7 Codex plugin with installation instructions and documentation (#2748)

lightrag

  • New release: v1.5.4 (was v1.5.1)
  • Release notes:
## What's New
* feat(parser): native engine **support for Markdown parsing**, including **embedded base64 images** and `.textpack` bundle image integration by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3280
* feat(parser): per-file engine parameters via hint/rule (Phase 2 — MinerU + Docling) by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3284
* perf(webui): made graph rendering more efficient -> large knowledge graphs now usable by @Xaverrrrr in https://github.com/HKUDS/LightRAG/pull/3304

## What's Changed
* Add parameterized parser hints for chunk strategy tuning by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3282
* feat(chunker): add drop_references option to P chunking strategy by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3285
* feat(webui): reorder query modes and warn on lower-quality modes by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3287
* fix(mineru): drop page_number items from blocks content by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3288
* fix(storage): handle set ids in delete (Issue #3286) by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3289
* Fixed typo (Dokcer -> Docker) by @aleksvujic in https://github.com/HKUDS/LightRAG/pull/3291
* refactor(parser): move all chunking out of the docx parser by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3295
* fix(api): stop guest tokens from bypassing X-API-Key auth by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3319
* fix(api): don't pair wildcard CORS origin with credentials by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3317
* docs(README): add optional HVTracker trust badge by @danielaskdd in https://github.com/HKUDS/LightRAG/pull/3320
* fix(sidecar): prevent path traversal in asset materialization by @VectorPeak in https://github.com/HKUDS/LightRAG/pull/3316

## New Contributors
* @VectorPeak made their first contribution in https://github.com/HKUDS/LightRAG/pull/3316
  • Impact: 🟡 review (code touched)
  • Commit mix: 17 chore · 9 docs · 17 feat · 62 fix · 136 other · 4 refactor · 2 style · 3 test
  • Files touched: code=0 docs=23 ci=13 test=109 other=108
  • 314 new commit(s) since last check
  • Latest: 441a3e4 — Merge pull request #3343 from HKUDS/dependabot/github_actions/github-actions-6d1c06d137
  • Recent commits:
  • fa146e5 [other] Validate workspace in all storage backends
  • 88a575c [fix] fix(postgres): strip content_vector from vector get_by_id/get_by_ids
  • 9bc5e88 [other] Validate workspace in DocumentManager upload path
  • 018b282 [refactor] refactor(graph): build entity/relation mutation responses from graph only
  • bb37bde [docs] docs(lightrag): mark include_vector_data deprecated on get_entity/relation_info

vercel-agent-skills

  • Impact: 🟡 review (code touched)
  • Commit mix: 2 fix · 1 other
  • Files touched: code=1 docs=0 ci=0 test=1 other=1
  • 3 new commit(s) since last check
  • Latest: f8a72b9 — Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn
  • Recent commits:
  • 847de8d [fix] fix(vercel-optimize): run vercel via node entry on Windows (execFile can't spawn .cmd)
  • 190df9e [fix] fix(vercel-optimize): harden Windows CLI resolution
  • f8a72b9 [other] Merge pull request #287 from brunoreinstein-cloud/fix/windows-vercel-spawn

everything-claude-code

  • New release: v2.0.0 (was v1.10.0)
  • Release notes:
ECC 2.0.0 is the stable graduation of the 2.0 line: ECC as a cross-harness operating system for agentic work. Claude Code stays first-class; Codex, OpenCode, Cursor, Gemini, Zed, and terminal-only workflows share the same skills, rules, hooks, MCP conventions, release gates, and operator workflows. This is the months-in-the-making release the rc.1 candidate was building toward.

## The control pane (early build)

![ECC Control Pane — sessions, metrics, and the work-items board](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-1.png)

![Operator column — knowledge recall, connectors, and runnable agent actions](https://github.com/affaan-m/ECC/releases/download/v2.0.0/ecc-pane-2.png)

The ECC 2.0 operating surface, running locally (`node scripts/control-pane.js`): operator recall search, live session metrics, a work-items board with ready/running/blocked/done lanes, and an operator column that drives knowledge sync/recall, graph backfill, and the TUI. The session adapters and MCP inventory below feed this board. Build-in-public continues in the Discord #control-pane channel.

## What is new

- **261 public skills** across coding, research, security, media, enterprise ops, and agent workflows (rc.1 shipped 243) — plus 64 agents and 84 commands.
- **The control-pane substrate** — the foundation of the ECC 2.0 operating surface:
  - harness-neutral session adapters (`ecc.session.v1`) covering Claude Code, Codex, OpenCode, and dmux — one schema for "which agent is where, doing what"
  - MCP inventory (`ecc.mcp.v1`) — one normalized view of every MCP server config across harnesses, with fragmentation/drift detection and secret redaction (it caught a real arg-carried key leak during development)
  - worktree-lifecycle service — deterministic merge-conflict prediction and safe GC for parallel agent worktrees
- **`orch-*` orchestrator skill family** plus dynamic workflow team orchestration — multi-agent fan-out as a first-class surface.
- **Single-connector MCP default policy** — the default set is now exactly one connector (`chrome-devtools`); the other six retired to opt-in after a June 2026 audit. Policy + per-connector rationale: `docs/MCP-CONNECTOR-POLICY.md`.
- **Rollout-derived optimization pack**: `parallel-execution-optimizer`, `benchmark-optimization-loop`, `data-throughput-accelerator`, `latency-critical-systems`, `recursive-decision-ledger`.
  • Impact: 🟡 review (code touched)
  • Commit mix: 15 chore · 3 ci · 18 docs · 30 feat · 45 fix · 20 other · 1 refactor · 1 style
  • Files touched: code=0 docs=194 ci=13 test=0 other=95
  • 133 new commit(s) since last check
  • Latest: 2bc924f — fix(clv2): harden registry writes and project deletion (#2294, #2297) (#2323)
  • Recent commits:
  • 194eeb9 [feat] feat: add taste skill for music-video creative direction
  • d4ed8ba [feat] feat(skills): add ml-adoption-playbook skill
  • 8ee5946 [docs] docs: refresh sponsor and readme surface
  • 3c5bcc2 [other] security: harden advisory intake and dependency coverage
  • 4f69955 [docs] docs: fix README markdownlint spacing

ui-ux-pro-max

  • New release: v2.9.0 (was v2.5.0)
  • Release notes:
## [2.9.0](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/compare/v2.8.8...v2.9.0) (2026-06-26)
  • Impact: 🔴 likely matters (breaking change)
  • Commit mix: 1 ci · 4 docs · 6 feat · 21 fix · 6 other
  • Files touched: code=31 docs=73 ci=6 test=0 other=152
  • 38 new commit(s) since last check
  • Latest: 8a81ed6 — Merge PR #223: Expand products database with 31 new product types and improved keywords
  • Recent commits:
  • fdc0a45 [fix] fix: correct project name from 'Antigravity Kit' to 'UI UX Pro Max' in CLAUDE.md (#365)
  • 5e2c0a2 [docs] docs: add Troubleshooting section to README (closes #304 #318 #338) (#350)
  • 03e6afc [ci] ci: add paths-ignore to python-package-conda workflow (#312)
  • 71d02ec [fix] fix(meta): align marketplace.json and package-lock.json to v2.5.0 (#327)
  • c522197 [fix] fix(cli): implement --force flag to protect existing skill files (#324)

superpowers

  • New release: v6.0.3 (was v5.1.0)
  • Release notes:

### Subagent-Driven Development

- **SDD scratch files moved out of `.git/`.** Claude Code treats `.git/` as a protected path and denies agent writes there, so an implementer subagent writing its report into `.git/sdd/` got blocked mid-run. Task briefs, implementer reports, review diffs, and the progress ledger now live in a self-ignoring `.superpowers/sdd/` directory in the working tree — kept out of `git status` and out of commits, and resolved per worktree by a shared `sdd-workspace` helper. One caveat: because the workspace is git-ignored working-tree scratch, `git clean -fdx` will delete the progress ledger; recover from `git log` if that happens. (#1780)
  • Impact: 🟡 review (code touched)
  • Commit mix: 6 chore · 11 docs · 12 feat · 23 fix · 112 other · 4 test
  • Files touched: code=0 docs=67 ci=1 test=49 other=24
  • 168 new commit(s) since last check
  • Latest: 896224c — Release v6.0.3: SDD artifacts move out of the .git/ protected path
  • Recent commits:
  • 8cf3900 [other] Job posting
  • 718cb1d [docs] docs: turned the dash in "- Jesse" into an escape sequence (#1474)
  • bce1267 [other] Spec: lift drill into superpowers as evals/
  • 09d2c1d [other] Spec: address adversarial review findings
  • 1a42ead [other] Plan: lift drill into superpowers as evals/

n8n-mcp

  • New release: v2.61.0 (was v2.57.1)
  • Release notes:
# Release v2.61.0

Generating release notes from v2.60.0 to HEAD
### 🐛 Bug Fixes

- Sync runtime version (Conceived by Romuald Członkowski - www.aiadvisors.pl/en) (df997d4)

### 🔧 Maintenance

- Update n8n to 2.27.4 and bump version to 2.61.0 (b0e43e3)

---

**Release Statistics:**
- 2 commits
- 2 contributors
- Contributors: copilot-swe-agent[bot], czlonkowski

---
  • Impact: 🟡 review (code touched)
  • Commit mix: 13 chore · 5 ci · 9 docs · 3 feat · 35 fix · 43 other · 5 test
  • Files touched: code=0 docs=5 ci=10 test=0 other=285
  • 113 new commit(s) since last check
  • Latest: f5694cc — Merge pull request #882 from czlonkowski/update/n8n-2.27.4
  • Recent commits:
  • 109c483 [fix] fix(workflow): allowlist write payload so n8n 2.x echo-back fields don't break updates
  • 33e3d5b [test] test(workflow): cover nodeGroups echo-back in allowlist (supersedes #835, #839)
  • 0a07f2f [fix] fix(workflow): object-merge settings on full update so partial payloads don't drop keys
  • 75887af [fix] fix(workflow): don't let a null settings payload wipe current settings
  • 7fec791 [other] Merge pull request #840 from czlonkowski/fix/update-workflow-additional-properties

claude-mem

  • New release: v13.8.0 (was v13.4.2)
  • Release notes:
## Telemetry: observation volume on per-session rollups

Carries generation-side observation volume and type mix on the `observer_turn_rollup` event so cache-value KPIs survive the migration off the legacy per-occurrence `session_compressed` / `context_injected` streams.

### What's new
- **`observer_turn_rollup`** now sums `observations_created` and the `obs_type_*` family (bugfix / discovery / decision / refactor / other) across every compression turn in a session. Paired with `total_cost_usd`, this makes **cost-per-observation** and **observation-type-by-model** derivable from the rollup alone.
- **`context_injected_rollup`** carries `total_observations_injected` and `total_tokens_saved_vs_naive` — context-cache value (observations served × cost/obs) is now derivable from the rollup.
- `scrub.ts` whitelist extended for the new aggregate keys; all values are counts/sums only — never names, prompt text, or raw strings.
- Public `telemetry.mdx` docs updated to document the new rollup fields.

### Merge notes
- Merged latest `main` (Ponytail audit, v13.7.1), which removed fabrication tracking; the now-stale `fabrication_count` / `fabricated_count` references were dropped from code and docs accordingly.

Full changes: https://github.com/thedotmack/claude-mem/pull/3017
  • Impact: 🟡 review (code touched)
  • Commit mix: 1 build · 15 chore · 1 ci · 16 docs · 16 feat · 9 fix · 10 other · 1 refactor · 1 test
  • Files touched: code=170 docs=54 ci=2 test=54 other=20
  • 70 new commit(s) since last check
  • Latest: 3fe0725 — chore: bump version to 13.8.1
  • Recent commits:
  • 35fbf91 [fix] fix(settings): keep file defaults from inheriting stale env overrides (#2853)
  • 57b9a39 [fix] fix(installer): require explicit consent before disabling Claude Code auto-memory (closes #2836) (#2859)
  • 3759d99 [other] batch: land five reviewed fixes from @rodboev (#2848 #2850 #2851 #2852 #2860) (#2862)
  • f3fa560 [other] Keep published docs aligned with release metadata (#2756)
  • 7121de4 [fix] fix(openclaw): compact routine feed messages (#2734)

voicemode

  • New release: v8.10.2 (was v8.7.1)
  • Release notes:

### Security

- **Closed an OS command-injection sink in `voicemode config set` / `update_config` (GHSA-h97v-r3jw-cf6f, VM-1679)** — A configuration value written via the config tools was stored in `~/.voicemode/voicemode.env` without shell-escaping, and the Whisper and `serve` start scripts read that file with `source`. Because bash runs command substitution even inside double quotes, a value like `VOICEMODE_VOICES='af_sky$(…)'` would execute on the next service start or reboot, as the service user (CWE-78). This is **opt-in to reach** — the config tools are not in the default MCP tool set, so a stock install is not attacker-reachable — but it is fixed at two layers regardless: (1) the writer now emits **single-quoted, fully escaped** values (single quotes suppress all shell expansion) and rejects control characters, so any value is inert even when sourced; (2) the start scripts no longer `source` the env file — they parse `KEY=VALUE` pairs as inert data and never evaluate them. Existing env files are migrated to the safe quoting on the next `config set`. Reported responsibly via a private advisory; thank you to the reporter.


## Installation

### Quick Start (Recommended)

```bash
# Install UV package manager (if not already installed)
curl -LsSf https://astral.sh/uv/install.sh | sh

# Install VoiceMode and configure services
uvx voice-mode-install

# Add to Claude Code MCP
claude mcp add --scope user voicemode -- uvx --refresh voice-mode
```
  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 7 chore · 2 ci · 6 docs · 6 feat · 9 fix · 125 other
  - **Files touched:** code=0 docs=29 ci=4 test=40 other=44
  - **155 new commit(s)** since last check
  - Latest: `5941626` — Merge tag 'ready/fix/VM-1763-skip_forward-during-playback-is-dropped-after-a'
  - Recent commits:
  - `1ed5bf9` [fix] fix(#249): improve UX when CUDA toolkit is missing during whisper install
  - `9798833` [fix] fix: address review feedback on CUDA install UX
  - `7bcc5a1` [feat] feat: add Cartesia TTS provider with SSE streaming
  - `3145d10` [other] Cartesia: address review feedback from PR #368
  - `83302e4` [feat] feat(nix): add whisper.cpp derivation with CUDA support

### [caveman](https://github.com/JuliusBrussee/caveman)

  - **New release:** `v1.9.0` (was `v1.8.2`)
  - Release notes:

Security

  • Installs now pinned + integrity-checked (#261, #262)
    curl|bash and detached installs no longer fetch hook files from the moving
    main branch — they download from the immutable v1.9.0 tag and verify
    every hook against src/hooks/checksums.sha256 (SHA-256) before anything
    executes. Mismatch aborts the install. This is the first tag shipping the
    manifest, so enforcement is fully active as of this release.

  • fix(docs): escape user input in the demo terminal (#438)
    The docs site demo interpolated user input via innerHTML — a real
    reflected DOM XSS. Nodes are built with textContent now.

opencode actually works now

Smoke-tested against a real opencode runtime for the first time — and the
plugin turned out to never load: opencode runs plugins inside a compiled Bun
binary where both require() of on-disk files and await import() of CJS
silently fail. Fixed by evaluating the shared config as CommonJS by hand.
Also fixed in the same pass, all verified end-to-end against opencode 1.4.0:

  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore · 1 feat · 8 fix · 2 other · 1 test
  - **Files touched:** code=9 docs=15 ci=1 test=12 other=10
  - **16 new commit(s)** since last check
  - Latest: `25d22f8` — Update README.md
  - Recent commits:
  - `e8eae0f` [fix] fix(compress): utf-8 pin, Windows .cmd resolve, frontmatter + backup-dir
  - `f06348c` [fix] fix(skill): preserve user language, no self-reference, full-mode guardrails
  - `f68111a` [fix] fix(stats): Opus output price $75->$25 for 4.5+ era; Windows statusline UTF-8
  - `46de578` [fix] fix(docs): escape user input in demo terminal (XSS)
  - `6ce47d4` [fix] fix(mcp-shrink): shell:true on Windows so npx/.cmd upstream resolves

### [playwright-mcp](https://github.com/microsoft/playwright-mcp)

  - **New release:** `v0.0.76` (was `v0.0.75`)
  - Release notes:

What's New

New Tools

  • browser_video_show_actions / browser_video_hide_actions — Overlay action annotations on the recorded video, or hide them again (#40914)

Tool Improvements

  • Remote endpoint: remoteEndpoint now accepts a ConnectOptions object, not just a URL string (#40964)
  • --output-max-size — Cap the size of tool responses, with post-response disk eviction of oversized output (#41031)
  • --browser — Support moz-firefox BiDi channels (#41126)

Bug Fixes

  • Support remoteHeaders for the remote browser endpoint (#40828, #41156)
  • Use waitUntil: 'commit' when navigating back/forward (#41153)
  • Report invalid tool arguments instead of failing opaquely (#40979)
  • Use a writable cache directory for MCP user data instead of the browsers path (#40961)
  • Disconnect the tracked browser when the browser tracker is disposed (#40967)
  • Report a missing ffmpeg distinctly from a missing browser (#40867)
  - **Impact:** 🟡 review (code touched)
  - **Commit mix:** 4 chore · 2 docs
  - **Files touched:** code=0 docs=2 ci=0 test=0 other=5
  - **6 new commit(s)** since last check
  - Latest: `2d446f9` — docs: fix CDP header env name (#1661)
  - Recent commits:
  - `aa55fbb` [chore] chore(deps-dev): bump hono from 4.12.18 to 4.12.23 (#1638)
  - `40de619` [chore] chore: roll Playwright to 1.61.0-alpha-1781023400000 (#1648)
  - `b301c37` [chore] chore: mark v0.0.76 (#1649)
  - `0f4e6ff` [chore] chore(deps-dev): bump hono from 4.12.23 to 4.12.26 (#1658)
  - `511320d` [docs] docs: update MCP contribution setup (#1660)


*Updated by the upstream tracker workflow.*
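
The two layers of the voicemode fix quoted in both tracker comments (GHSA-h97v-r3jw-cf6f), as an added example that is not VoiceMode's code or tracker output: a writer that emits single-quoted, escaped values and rejects control characters, and a reader that parses `KEY=VALUE` as data instead of using `source`. The function names, the `DEMO_VOICE` key, the double-quoted "old" file format and the canary value are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration, not VoiceMode's code: all function names are hypothetical.

# Writer layer: print VALUE as one single-quoted shell word.
# Every embedded ' becomes '\'' and control characters are rejected.
env_quote() {
  local rest="$1" out="" head
  case $rest in
    *[[:cntrl:]]*) return 1 ;;
  esac
  while :; do
    case $rest in
      *"'"*) head=${rest%%"'"*}; out="$out$head'\\''"; rest=${rest#*"'"} ;;
      *) break ;;
    esac
  done
  printf "'%s'" "$out$rest"
}

# env_set FILE KEY VALUE: append KEY='escaped value' after validating the key.
env_set() {
  local quoted
  case $2 in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  quoted=$(env_quote "$3") || return 1
  printf '%s=%s\n' "$2" "$quoted" >> "$1"
}

# Reader layer: env_get FILE KEY prints the decoded value. The file is only
# read as text; nothing in it is sourced or eval'd. Values that are not in
# the writer's single-quoted form are refused rather than interpreted.
env_get() {
  local line val out="" head
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      "$2="*) val=${line#*=} ;;
      *) continue ;;
    esac
    case $val in
      "'"*"'") val=${val#?}; val=${val%?} ;;
      *) return 1 ;;
    esac
    while :; do
      case $val in
        *"'\\''"*)
          head=${val%%"'\\''"*}
          case $head in *"'"*) return 1 ;; esac   # stray quote: malformed
          out="$out$head'"; val=${val#*"'\\''"} ;;
        *) break ;;
      esac
    done
    case $val in *"'"*) return 1 ;; esac
    printf '%s' "$out$val"
    return 0
  done < "$1"
  return 1
}

# Demo with a constructed value whose command substitution only touches a
# canary file, so evaluation is observable without doing anything else.
run_demo() {
  local dir canary hostile old="inert" sourced="inert" parsed="mismatch"
  dir=$(mktemp -d) || return 1
  canary="$dir/canary"
  hostile="demo\$(touch $canary)it's"

  # Stand-in for the pre-fix file: unescaped value in double quotes, then sourced.
  printf 'DEMO_VOICE="%s"\n' "$hostile" > "$dir/old.env"
  ( . "$dir/old.env" ) 2>/dev/null || true
  if [ -e "$canary" ]; then old="fired"; rm -f "$canary"; fi

  # Layer 1: the hardened writer's output stays inert even if something sources it.
  env_set "$dir/new.env" DEMO_VOICE "$hostile" || return 1
  ( . "$dir/new.env" ) 2>/dev/null || true
  if [ -e "$canary" ]; then sourced="fired"; fi

  # Layer 2: the reader recovers the exact bytes without evaluating anything.
  if [ "$(env_get "$dir/new.env" DEMO_VOICE)" = "$hostile" ]; then parsed="exact"; fi

  rm -rf "$dir"
  printf 'old=%s sourced=%s parsed=%s' "$old" "$sourced" "$parsed"
}

run_demo; echo
```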

@impravin22 impravin22 merged commit c5b59e1 into main Jun 30, 2026
@impravin22 impravin22 deleted the chore/upstream-sync-2026-06-22 branch June 30, 2026 02:10

Labels

upstream-update Automated: upstream dependency has new changes
