Releases: agentfront/enclave

v2.11.1

22 Feb 12:07

Release v2.11.1

Release type: stable
Release line: 2.11.x
Branch: release/2.11.x

Published Packages

[2.11.1] - 2026-02-22

Added

  • Introduced coercion-utils.ts in @enclave-vm/ast, which provides utilities for detecting JavaScript coercion patterns in AST nodes.

Changed

  • Enhanced disallowed-identifier.rule.ts and no-global-access.rule.ts to leverage new static key coercion detection from coercion-utils.
  • Improved detection of computed property key expressions that resolve to disallowed identifiers.

Fixed

  • Fixed potential issues where certain coercion patterns were not detected, improving the security guard against CVE vulnerabilities.

v2.11.0

20 Feb 22:56

Release v2.11.0

Release type: stable
Release line: 2.11.x
Branch: release/2.11.x

Published Packages

[2.11.0] - 2026-02-20

Added

  • Introduced additionalDisallowedIdentifiers in @enclave-vm/ast for additional code safety.
  • Implemented a function to handle array-coerced strings in disallowed-identifier.rule.ts.
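
The computed-key detection described under 2.11.1 and the array-coerced strings handled in 2.11.0, as an added example that is not taken from @enclave-vm/ast: it folds literal-only ESTree key expressions to the property name they coerce to and checks that name against a deny list. The function names, the `DISALLOWED` sample list and the hand-built nodes are assumptions.

```javascript
// Added example; names are hypothetical, not the @enclave-vm/ast API.
const UNKNOWN = Symbol('unknown');
const DISALLOWED = new Set(['constructor', '__proto__', 'prototype']); // sample deny list

// Fold a literal-only ESTree expression into the JS value it evaluates to.
function fold(node) {
  switch (node && node.type) {
    case 'Literal': {
      const v = node.value;
      const ok = v === null || ['string', 'number', 'boolean'].includes(typeof v);
      return ok ? v : UNKNOWN; // regex and bigint literals are left unresolved
    }
    case 'TemplateLiteral': {
      let out = node.quasis[0].value.cooked;
      for (let i = 0; i < node.expressions.length; i++) {
        const v = fold(node.expressions[i]);
        if (v === UNKNOWN) return UNKNOWN;
        out += String(v) + node.quasis[i + 1].value.cooked;
      }
      return out;
    }
    case 'ArrayExpression': { // [['constructor']] coerces to 'constructor'
      const items = node.elements.map((e) => (e === null ? undefined : fold(e)));
      return items.includes(UNKNOWN) ? UNKNOWN : items;
    }
    case 'BinaryExpression': {
      if (node.operator !== '+') return UNKNOWN;
      const l = fold(node.left), r = fold(node.right);
      return l === UNKNOWN || r === UNKNOWN ? UNKNOWN : l + r;
    }
    default:
      return UNKNOWN; // identifiers, calls, etc. cannot be resolved statically
  }
}

// Property name a MemberExpression resolves to, or null when not static.
function staticKey(member) {
  if (!member.computed) return member.property.name;
  const v = fold(member.property);
  return v === UNKNOWN ? null : String(v); // same coercion as ToPropertyKey for non-symbols
}

const isDisallowedAccess = (member) => DISALLOWED.has(staticKey(member));

// Constructed sample nodes (hand-built ESTree, no parser needed).
const lit = (value) => ({ type: 'Literal', value });
const arr = (...elements) => ({ type: 'ArrayExpression', elements });
const plus = (left, right) => ({ type: 'BinaryExpression', operator: '+', left, right });
const member = (property, computed = true) => ({ type: 'MemberExpression', property, computed });
```

A rule that should fail closed can treat a `null` result from `staticKey` on a computed access as a violation rather than a pass.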

Changed

  • Updated @enclave-vm/* package dependencies to version 2.11.0.
  • Improved handling of configuration scripts and object neutralization in VmAdapter and ParentVmBootstrap.

Fixed

  • Resolved configuration and enumeration issues in memory tracking and sandbox adapter properties.

Security

  • Enhanced security by neutralizing dangerous static methods on the intrinsic Object constructor to avoid prototype pollution.
  • Defense-in-depth improvements: Removed host callbacks after capturing within sandbox scripts.

v2.10.1

03 Feb 02:34

Release v2.10.1

Release type: stable
Release line: 2.10.x
Branch: release/2.10.x

Published Packages

[2.10.1] - 2026-02-03

Security

  • Introduced hardening against CVE-2023-29017 by implementing enhanced prototype freezing and error encapsulation within parent-vm-bootstrap.ts.
  • Added resource exhaustion rule to @enclave-vm/ast to prevent computed access via dangerous string coercion.

Acknowledgments

Changed

  • Replaced template literals with string concatenation in vm-adapter.ts and worker-script.ts to mitigate potential code injection risks.
  • Updated minimatch, zod, and @babel/standalone dependencies to newer versions for better compatibility.

Fixed

  • Addressed potential memory leaks by ensuring proper event handler binding and detachment in worker-pool-adapter.ts.

Added

  • New build-worker-script target to libs/core/project.json for optimized worker script builds using esbuild.
  • Added runtime prototype verification before user code execution to further enhance security validation.

v2.10.0

01 Feb 12:55

Release v2.10.0

Release type: stable
Release line: 2.10.x
Branch: release/2.10.x

Published Packages

[2.10.0] - 2026-02-01

Changed

  • Reorganized library structure by renaming libraries for better consistency:
    • ast-guard is now @enclave-vm/ast
    • enclavejs-broker is now @enclave-vm/broker
    • enclavejs-client is now @enclave-vm/client
    • Other corresponding paths and references have been updated accordingly.

v2.9.2

30 Jan 07:17

Release v2.9.2

Release type: stable
Release line: 2.9.x
Branch: release/2.9.x

Published Packages

[2.9.2] - 2026-01-30

Added

  • Introduced support for NDJSON streaming with encryption via @enclave-vm/stream.
  • Added React hooks and components in @enclave-vm/react for enhanced integration.

Fixed

  • Resolved bugs in the @enclave-vm/client SDK for improved browser and Node.js compatibility.

Security

  • Enhanced CVE protection within ast-guard for better threat detection.

v2.9.1

30 Jan 06:20

Release v2.9.1

Release type: stable
Release line: 2.9.x
Branch: release/2.9.x

Published Packages

[2.9.1] - 2026-01-30

Changed

  • No specific changes detailed in this release cycle.

Fixed

  • General stability improvements and minor bug fixes.

v2.9.0

29 Jan 01:05

Release v2.9.0

Release type: stable
Release line: 2.9.x
Branch: release/2.9.x

Published Packages

[2.9.0] - 2026-01-29

Added

  • Introduced a new 3-server streaming-demo that showcases EnclaveJS streaming architecture, including nodes for broker, client, and runtime servers.
  • Added new AST and Babel presets to ast-guard for enhanced code validation and security.
  • Implemented new WebSocket-based execution architecture in streaming-demo, demonstrating multiple execution modes.
  • Support for NDJSON streaming responses in broker-server for embedded and lambda execution modes.

Changed

  • Refactored the package structure, migrating existing components to a new naming scheme prefixed with 'enclavejs-', including clients, streams, and brokers.
  • Updated utility functions in EnclaveVM and ast-guard to improve performance and handle complex code structures.

Fixed

  • Addressed various bug fixes in tool execution and error handling across the broker and lambda modes.

enclave-vm@2.7.0

09 Jan 02:30
09f9b53

enclave-vm v2.7.0

📦 npm: enclave-vm@2.7.0


Added

  • Introduced a JSON-based tool bridge with configurable modes and payload limits, exposed via the new toolBridge option on EnclaveConfig.
  • Added serialized size estimators (estimateSerializedSize/checkSerializedSize) and enforce them before returning sandbox values when a memory limit is configured.

Changed

  • Enclave construction now normalizes toolBridge settings and requires explicit acknowledgement before enabling insecure direct bridging.

Security

  • Array.prototype.fill is now memory-tracked inside both VM adapters to block sparse-array exhaustion attacks.
  • Return paths reject values whose serialized size would exceed the configured memory limit, preventing Vector 340 serialization amplification.
  • All host-generated errors now go through centralized createSafeError, severing prototype chains and stripping host stack details.
  • String-mode tool bridge validates JSON payloads, enforces payload caps, sanitizes arguments/results, and updates tool-call stats before invoking host handlers.

ast-guard@2.4.0

09 Jan 02:30
09f9b53

ast-guard v2.4.0

📦 npm: ast-guard@2.4.0


Added

  • Resource exhaustion rule and AgentScript preset now accept allowDynamicArrayFill, letting environments with runtime memory patches permit computed Array.fill sizes.

enclave-vm@2.6.0

08 Jan 18:58
f753d30

enclave-vm v2.6.0

📦 npm: enclave-vm@2.6.0


Added

  • Stack-trace hardening scripts now run in both the single-VM adapter and worker pool so sandboxed errors only return redacted frames, and a new sanitizeStackTraces option is propagated through the double-VM bootstrap (libs/enclave-vm/src/adapters/vm-adapter.ts, libs/enclave-vm/src/double-vm/parent-vm-bootstrap.ts).
  • STRICT/SECURE executions now record code-generation attempts via policy-violation reporters and return SecurityViolationError payloads when user code suppresses the original throw (libs/enclave-vm/src/adapters/vm-adapter.ts, libs/enclave-vm/src/adapters/worker-pool/worker-script.ts, libs/enclave-vm/src/double-vm/double-vm-wrapper.ts).
  • Local LLM scoring exposes the DISABLE_MODEL_LOAD_ENV constant, honors ENCLAVE_DISABLE_LOCAL_LLM_MODEL=1, and defaults its cache under ~/.enclave/models for better operator control (libs/enclave-vm/src/scoring/scorers/index.ts, libs/enclave-vm/src/scoring/scorers/local-llm.scorer.ts).

Changed

  • User-provided globals, safe runtime helpers, and console bridges are now installed as non-enumerable, non-configurable descriptors to block Object.assign/Object.values reconnaissance in the sandbox (libs/enclave-vm/src/adapters/vm-adapter.ts, libs/enclave-vm/src/double-vm/parent-vm-bootstrap.ts).
  • Safe runtime utilities and tool bridge errors are wrapped with prototype-severing helpers so attacker code cannot reach Function via error.constructor.constructor (libs/enclave-vm/src/double-vm/double-vm-wrapper.ts, libs/enclave-vm/src/safe-runtime.ts).

Fixed

  • DoubleVmWrapper now surfaces MemoryLimitError data emitted from sandbox-side tracking so callers receive accurate used/limit bytes even when the sandbox throws its own payload (libs/enclave-vm/src/double-vm/double-vm-wrapper.ts).

Security

  • MemoryTracker enforcement now tracks cumulative allocations made through patched repeat/join/pad helpers by delegating to a host-side callback, preventing incremental heap exhaustion (libs/enclave-vm/src/adapters/vm-adapter.ts, libs/enclave-vm/src/double-vm/parent-vm-bootstrap.ts).
  • Sandbox stack traces have their formatters locked and frames redacted to avoid leaking host file paths or line numbers (libs/enclave-vm/src/adapters/vm-adapter.ts, libs/enclave-vm/src/double-vm/parent-vm-bootstrap.ts).
  • STRICT/SECURE modes fail closed whenever the sandbox attempts code generation or other blocked operations, even if user code catches the initial exception (libs/enclave-vm/src/adapters/vm-adapter.ts, libs/enclave-vm/src/adapters/worker-pool/worker-script.ts, libs/enclave-vm/src/double-vm/double-vm-wrapper.ts).