agentfront · frontegg-david · Apr 2, 2026 · Apr 2, 2026 · Apr 2, 2026
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -512,6 +512,17 @@ jobs:
             echo "Skipping: v$VERSION is not the latest (v$LATEST is newer)"
           fi
 
+      - name: Setup Node
+        if: steps.check.outputs.is_latest == 'true'
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: ".nvmrc"
+          cache: "yarn"
+
+      - name: Install dependencies
+        if: steps.check.outputs.is_latest == 'true'
+        run: yarn install --frozen-lockfile
+
       - name: Configure git
         if: steps.check.outputs.is_latest == 'true'
         run: |
@@ -559,32 +570,46 @@ jobs:
           git push origin --delete "$CHERRY_BRANCH" 2>/dev/null || true
           git checkout -b "$CHERRY_BRANCH"
 
-          # Attempt cherry-pick
-          if git cherry-pick "$VERSION_COMMIT" --no-commit; then
-            # Check if cherry-pick produced any changes (may be empty if already applied via a different commit)
-            if [ -z "$(git diff --cached --name-only)" ]; then
-              echo "Cherry-pick produced no changes — version bump already applied on $DEFAULT_BRANCH"
-              git reset HEAD 2>/dev/null || true
-              exit 0
-            fi
+          # Attempt cherry-pick (may partially apply if main diverged from release branch)
+          git cherry-pick "$VERSION_COMMIT" --no-commit || {
+            echo "Cherry-pick had conflicts — resetting and using sync script instead"
+            git cherry-pick --abort 2>/dev/null || true
+            git checkout -- . 2>/dev/null || true
+          }
 
-            git commit -m "$(cat <<EOF
+          # Force-sync all package versions regardless of cherry-pick result
+          echo "Running version sync to ensure all packages are at $VERSION..."
+          node scripts/sync-versions.mjs "$VERSION"
+
+          # Update yarn.lock to reflect dependency version changes
+          yarn install
+
+          # Stage all version-related changes
+          git add libs/*/package.json apps/*/package.json yarn.lock
+
+          # Check if there are actual changes to commit
+          if [ -z "$(git diff --cached --name-only)" ]; then
+            echo "No version changes needed — $DEFAULT_BRANCH is already at v$VERSION"
+            exit 0
+          fi
+
+          git commit -m "$(cat <<EOF
           chore: sync version to $VERSION
 
           Cherry-picked from $RELEASE_BRANCH (release v$VERSION)
           Original commit: $VERSION_COMMIT
           EOF
           )"
 
-            git push origin "$CHERRY_BRANCH"
+          git push origin "$CHERRY_BRANCH"
 
-            gh pr create \
-              --base "$DEFAULT_BRANCH" \
-              --head "$CHERRY_BRANCH" \
-              --title "chore: sync version to v${VERSION}" \
-              --label "cherry-pick" \
-              --label "auto-cherry-pick" \
-              --body "$(cat <<EOF
+          gh pr create \
+            --base "$DEFAULT_BRANCH" \
+            --head "$CHERRY_BRANCH" \
+            --title "chore: sync version to v${VERSION}" \
+            --label "cherry-pick" \
+            --label "auto-cherry-pick" \
+            --body "$(cat <<EOF
           ## Version sync to main
 
           Updates all \`@enclave-vm/*\` package versions to \`${VERSION}\` on \`${DEFAULT_BRANCH}\`.
@@ -598,42 +623,4 @@ jobs:
           EOF
           )"
 
-            echo "Cherry-pick PR created successfully"
-          else
-            # Check if failure is due to empty cherry-pick (already applied) vs actual conflicts
-            if [ -z "$(git status --porcelain)" ]; then
-              echo "Cherry-pick is empty — version bump already applied on $DEFAULT_BRANCH"
-              git cherry-pick --abort 2>/dev/null || true
-              exit 0
-            fi
-
-            git cherry-pick --abort || true
-            echo "::warning::Cherry-pick had conflicts. Creating issue for manual resolution."
-
-            gh issue create \
-              --title "Manual version sync needed: v${VERSION} to main" \
-              --label "cherry-pick" \
-              --label "conflict" \
-              --label "needs-attention" \
-              --body "$(cat <<EOF
-          ## Manual Version Sync Required
-
-          Auto cherry-pick of version bump to \`v${VERSION}\` failed due to conflicts.
-
-          ### Manual Steps
-
-          \`\`\`bash
-          git checkout $DEFAULT_BRANCH && git pull
-          git checkout -b cherry-pick/v${VERSION}-version-to-main
-          git cherry-pick $VERSION_COMMIT
-          # Resolve conflicts
-          git add . && git cherry-pick --continue
-          git push origin cherry-pick/v${VERSION}-version-to-main
-          gh pr create --base $DEFAULT_BRANCH --title "chore: sync version to v${VERSION}"
-          \`\`\`
-
-          ---
-          _Auto-generated by the publish-release workflow._
-          EOF
-          )"
-          fi
+          echo "Cherry-pick PR created successfully"
diff --git a/apps/streaming-demo/package.json b/apps/streaming-demo/package.json
@@ -11,10 +11,10 @@
     "runtime": "ts-node src/runtime-server.ts"
   },
   "dependencies": {
-    "@enclave-vm/broker": "2.12.0",
-    "@enclave-vm/client": "2.12.0",
-    "@enclave-vm/types": "2.12.0",
-    "@enclave-vm/core": "2.12.0",
+    "@enclave-vm/broker": "2.13.0",
+    "@enclave-vm/client": "2.13.0",
+    "@enclave-vm/types": "2.13.0",
+    "@enclave-vm/core": "2.13.0",
     "express": "^4.21.0",
     "zod": "^3.24.0"
   },

diff --git a/libs/ast/package.json b/libs/ast/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/ast",
-  "version": "2.11.0",
+  "version": "2.13.0",
   "description": "A production-ready AST security guard for JavaScript - validate, protect, and enforce code safety with extensible rules",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave/tree/main/libs/ast-guard",

diff --git a/libs/broker/package.json b/libs/broker/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/broker",
-  "version": "2.11.0",
+  "version": "2.13.0",
   "description": "Tool broker and session management for the EnclaveJS streaming runtime",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -35,9 +35,9 @@
     }
   },
   "dependencies": {
-    "@enclave-vm/types": "2.11.0",
-    "@enclave-vm/stream": "2.11.0",
-    "@enclave-vm/core": "2.11.0",
+    "@enclave-vm/types": "2.13.0",
+    "@enclave-vm/stream": "2.13.0",
+    "@enclave-vm/core": "2.13.0",
     "minimatch": "^10.2.5",
     "zod": "^4.3.6"
   }

diff --git a/libs/browser/package.json b/libs/browser/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/browser",
-  "version": "2.11.0",
+  "version": "2.13.0",
   "description": "Browser sandbox runtime for secure JavaScript code execution using double iframe isolation",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -36,7 +36,7 @@
     }
   },
   "dependencies": {
-    "@enclave-vm/ast": "2.11.0",
+    "@enclave-vm/ast": "2.13.0",
     "acorn": "8.15.0",
     "astring": "1.9.0",
     "zod": "^4.3.6"

diff --git a/libs/client/package.json b/libs/client/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/client",
-  "version": "2.11.0",
+  "version": "2.13.0",
   "description": "Browser and Node.js client SDK for the EnclaveJS streaming runtime",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -34,7 +34,7 @@
     }
   },
   "dependencies": {
-    "@enclave-vm/types": "2.11.0",
-    "@enclave-vm/stream": "2.11.0"
+    "@enclave-vm/types": "2.13.0",
+    "@enclave-vm/stream": "2.13.0"
   }
 }
diff --git a/libs/core/package.json b/libs/core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/core",
-  "version": "2.11.0",
+  "version": "2.13.0",
   "description": "Sandbox runtime for secure JavaScript code execution",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -39,8 +39,8 @@
   },
   "dependencies": {
     "@babel/standalone": "^7.29.0",
-    "@enclave-vm/types": "2.11.0",
-    "@enclave-vm/ast": "2.11.0",
+    "@enclave-vm/types": "2.13.0",
+    "@enclave-vm/ast": "2.13.0",
     "acorn": "8.15.0",
     "acorn-walk": "8.3.4",
     "astring": "1.9.0",

diff --git a/libs/react/package.json b/libs/react/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/react",
-  "version": "2.11.0",
+  "version": "2.13.0",
   "description": "React hooks and components for the EnclaveJS streaming runtime",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -34,7 +34,7 @@
     }
   },
   "dependencies": {
-    "@enclave-vm/client": "2.11.0"
+    "@enclave-vm/client": "2.13.0"
   },
   "peerDependencies": {
     "react": ">=18.0.0"

diff --git a/libs/runtime/package.json b/libs/runtime/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/runtime",
-  "version": "2.11.0",
+  "version": "2.13.0",
   "description": "Standalone runtime worker for EnclaveJS - deployable execution environment",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -37,9 +37,9 @@
     "enclave-runtime": "./dist/cli.js"
   },
   "dependencies": {
-    "@enclave-vm/types": "2.11.0",
-    "@enclave-vm/stream": "2.11.0",
-    "@enclave-vm/core": "2.11.0"
+    "@enclave-vm/types": "2.13.0",
+    "@enclave-vm/stream": "2.13.0",
+    "@enclave-vm/core": "2.13.0"
   },
   "devDependencies": {
     "ws": "^8.19.0"

diff --git a/libs/stream/package.json b/libs/stream/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/stream",
-  "version": "2.11.0",
+  "version": "2.13.0",
   "description": "Streaming protocol implementation for EnclaveJS runtime (NDJSON, encryption, reconnection)",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -35,6 +35,6 @@
     }
   },
   "dependencies": {
-    "@enclave-vm/types": "2.11.0"
+    "@enclave-vm/types": "2.13.0"
   }
 }
diff --git a/libs/types/package.json b/libs/types/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/types",
-  "version": "2.11.0",
+  "version": "2.13.0",
   "description": "Type definitions and Zod schemas for the EnclaveJS streaming runtime protocol",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",

diff --git a/scripts/sync-versions.mjs b/scripts/sync-versions.mjs
@@ -0,0 +1,99 @@
+#!/usr/bin/env node
+/**
+ * Sync all @enclave-vm/* package versions across the monorepo.
+ *
+ * Usage:
+ *   node scripts/sync-versions.mjs <version>
+ *
+ * Updates:
+ *   - "version" field in each libs/<name>/package.json
+ *   - All @enclave-vm/<name> dependency references in libs and apps package.json files
+ *
+ * Idempotent: running when versions are already correct produces no changes.
+ */
+
+import { readFileSync, writeFileSync, readdirSync, existsSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const SCOPE = '@enclave-vm/';
+const DEP_SECTIONS = ['dependencies', 'devDependencies', 'peerDependencies'];
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const ROOT = join(__dirname, '..');
+
+function main() {
+  const version = process.argv[2];
+  if (!version) {
+    console.error('Usage: node scripts/sync-versions.mjs <version>');
+    process.exit(1);
+  }
+  if (!/^\d+\.\d+\.\d+/.test(version)) {
+    console.error(`Invalid version format: ${version}`);
+    process.exit(1);
+  }
+
+  const packageJsonPaths = discoverPackageJsons();
+  let totalUpdated = 0;
+
+  for (const { filePath, isLib } of packageJsonPaths) {
+    const updated = syncPackageJson(filePath, version, isLib);
+    if (updated) totalUpdated++;
+  }
+
+  if (totalUpdated === 0) {
+    console.log(`All versions already at ${version} — no changes needed.`);
+  } else {
+    console.log(`\nUpdated ${totalUpdated} file(s) to version ${version}.`);
+    console.log('Run "yarn install" to update yarn.lock.');
+  }
+}
+
+function discoverPackageJsons() {
+  const results = [];
+  for (const dir of ['libs', 'apps']) {
+    const dirPath = join(ROOT, dir);
+    if (!existsSync(dirPath)) continue;
+    for (const entry of readdirSync(dirPath, { withFileTypes: true })) {
+      if (!entry.isDirectory()) continue;
+      const pkgPath = join(dirPath, entry.name, 'package.json');
+      if (existsSync(pkgPath)) {
+        results.push({ filePath: pkgPath, isLib: dir === 'libs' });
+      }
+    }
+  }
+  return results;
+}
+
+function syncPackageJson(filePath, version, isLib) {
+  const raw = readFileSync(filePath, 'utf8');
+  const pkg = JSON.parse(raw);
+  let changed = false;
+
+  // Update version field for lib packages only
+  if (isLib && pkg.version !== version) {
+    console.log(`  ${filePath}: version ${pkg.version} → ${version}`);
+    pkg.version = version;
+    changed = true;
+  }
+
+  // Update all @enclave-vm/* dependency references
+  for (const section of DEP_SECTIONS) {
+    if (!pkg[section]) continue;
+    for (const [name, current] of Object.entries(pkg[section])) {
+      if (name.startsWith(SCOPE) && current !== version) {
+        console.log(`  ${filePath}: ${section}.${name} ${current} → ${version}`);
+        pkg[section][name] = version;
+        changed = true;
+      }
+    }
+  }
+
+  if (changed) {
+    writeFileSync(filePath, JSON.stringify(pkg, null, 2) + '\n');
+  }
+
+  return changed;
+}
+
+main();