chore(deps-dev): bump claude-flow from 3.0.0-alpha.83 to 3.5.14 #275

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/claude-flow-3.5.14

dependabot bot commented on behalf of github on Mar 9, 2026

Bumps claude-flow from 3.0.0-alpha.83 to 3.5.14.

Release notes

Sourced from claude-flow's releases.

v3.5.14 — Security Fixes + Cross-Platform Windows Hooks

v3.5.14 (2026-03-06)

Security Fixes (ADR-061)

  • S-1: Replace execSync with execFileSync to prevent command injection in GCS storage
  • S-2: Add MAX_BUFFER constant (10MB) to prevent unbounded stdout capture
  • S-3: Add validatePackageName() to sanitize plugin names before shell use
  • S-4: Add IPFS CID format validation before network requests
  • S-5: Add buffer size limits to all execSync calls

Correctness Fixes (ADR-061)

  • D-1: Fix CFP magic-number check (use subarray, not slice)
  • D-2: Fix unsupported format error (throw instead of silent fallback)
  • D-3: Fix MCP partial-JSON accumulator (per-session buffering)
  • D-4: Fix duplicate provider registration guard
  • D-5: Fix memory namespace parameter passthrough
  • D-6: Fix process command error handler (use err.message)
  • D-7: Fix GCS credential loading (resolve path, validate fields)

Cross-Platform Windows Hooks (ADR-062)

  • Hook commands use node script subcommand (no shell quoting issues)
  • cmd /c prefix on Windows bypasses PowerShell stdin pipe hanging
  • StatusLine uses plain node (no cmd /c) for proper stdin forwarding
  • 500ms stdin timeout prevents Windows hanging
  • process.exitCode = 0 guaranteed in all hook scripts
  • Fix invalid SubagentEnd → SubagentStop hook event name
  • Restore valid SubagentStart hook event

Testing

  • 1600 tests passed across 23 test suites
  • 10 new deep test suites covering security, plugins, MCP tools, memory, CLI parsing

Packages

| Package | Version | Install |
|---|---|---|
| @claude-flow/cli | 3.5.14 | npx @claude-flow/cli@latest |
| claude-flow | 3.5.14 | npx claude-flow@latest |
| ruflo | 3.5.14 | npx ruflo@latest |

Upgrade

npx ruflo@latest init
# or
npx claude-flow@latest init

This regenerates .claude/settings.json with cross-platform hook commands.

v3.5.7 — Platform Parity, Branding, Stdin Timeout

What's New in v3.5.5–v3.5.7

... (truncated)

Changelog

Sourced from claude-flow's changelog.

Changelog

All notable changes to the Ruflo project (formerly Claude Flow) are documented here.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[3.5.0] - 2026-02-27

Ruflo v3.5 — First Major Stable Release

This release marks the official rebranding from Claude Flow to Ruflo and represents the first major stable release after 5,800+ commits, 55 alpha iterations, and 10 months of development.

Highlights

  • Rebranding: Claude Flow → Ruflo across all packages (@claude-flow/cli, claude-flow, ruflo)
  • agentic-flow v3.0.0-alpha.1 Integration: Full deep integration with 10 subpath exports (ReasoningBank, Router, Orchestration, Agent Booster, SDK, Security, QUIC transport)
  • AgentDB v3.0.0-alpha.9: 8 new controllers (HierarchicalMemory, MemoryConsolidation, SemanticRouter, GNNService, RVFOptimizer, MutationGuard, AttestationLog, GuardedVectorBackend) + 6 MCP tools
  • 215 MCP Tools: Full Model Context Protocol server with vector memory, neural training, swarm coordination
  • Security Hardening: Command injection fix, TOCTOU race fix, eliminated hardcoded HMAC keys, timing attack fixes
  • Doctor Health Check: New agentic-flow diagnostic (filesystem-based, ESM-compatible)
  • 0 Production Vulnerabilities: Clean npm audit across all packages

Added

  • agentic-flow-bridge.ts — Unified lazy-loading bridge for all agentic-flow v3 modules
  • Tiered embedding resolution: ReasoningBank WASM (Tier 1) → @claude-flow/embeddings (Tier 2) → mock fallback (Tier 3)
  • Agent Booster local import with npx fallback
  • checkAgenticFlow() doctor health check
  • 7 TypeScript module declarations for agentic-flow subpath exports
  • ADR-056: agentic-flow v3 Integration Architecture

Fixed

  • Command injection vulnerability in enhanced-model-router.ts (SAFE_LANGUAGES whitelist)
  • TOCTOU race condition in bridge singleton initialization (Promise-based caching)
  • 22 agent/skill files updated from stale v1.5.11/v2.0.0-alpha to v3.0.0-alpha.1
  • ESM compatibility for doctor checks (filesystem-based instead of require.resolve)
  • @ruvector/gnn pinned to 0.1.25 to fix fatal process crash (issue #216)

Changed

  • All 3 packages bumped from 3.1.0-alpha.55 to 3.5.0
  • Publish tags changed from alpha/v3alpha to latest
  • agentic-flow minimum version: 0.1.0 → 3.0.0-alpha.1
  • agentdb minimum version: 2.0.0-alpha.3.4 → 3.0.0-alpha.10

[3.1.0-alpha.55] - 2026-02-27

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
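
For reviewers of this bump: the pattern behind items S-1, S-2, S-3 and S-5 in the release notes above, as an added JavaScript illustration that is not code from claude-flow or from this pull request. `checkPackageName`, `runNoShell`, `echoArg`, `emitBytes` and the name pattern are hypothetical; the child process is the local `node` binary standing in for an external CLI.

```javascript
// Added illustration; not claude-flow source. All function names are hypothetical.
const { execFileSync } = require('node:child_process');

const MAX_BUFFER = 10 * 1024 * 1024; // 10MB cap on captured output (S-2, S-5)

// Assumed allow-list for npm-style names: optional @scope/, then lowercase
// alphanumerics plus . _ - (max 214 chars). Shell metacharacters never match.
const NAME_RE = /^(?:@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;

function checkPackageName(name) {
  if (typeof name !== 'string' || name.length > 214 || !NAME_RE.test(name)) {
    throw new Error('invalid package name');
  }
  return name;
}

// Run a program with an argv array. No shell parses the arguments, so
// characters such as ; | $( ) reach the child as literal bytes (S-1).
function runNoShell(file, args, maxBuffer = MAX_BUFFER) {
  return execFileSync(file, args, {
    encoding: 'utf8',
    maxBuffer, // exceeding this throws with err.code === 'ENOBUFS'
    stdio: ['ignore', 'pipe', 'pipe'],
  });
}

// Constructed stand-in for an external CLI: the current node binary,
// asked to print back the last argument it received.
function echoArg(value) {
  const script = 'process.stdout.write(process.argv[process.argv.length - 1])';
  return runNoShell(process.execPath, ['-e', script, '--', value]);
}

// Constructed child that writes `bytes` characters, to exercise the cap.
function emitBytes(bytes, cap) {
  const script = `process.stdout.write('x'.repeat(${Number(bytes)}))`;
  return runNoShell(process.execPath, ['-e', script], cap).length;
}
```

With `execSync` and string interpolation, the same input would be parsed by `/bin/sh` or `cmd.exe` first; validating the name and passing an argv array are independent controls and both are worth keeping.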

dependabot bot commented on behalf of github Mar 9, 2026

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot bot force-pushed the dependabot/npm_and_yarn/claude-flow-3.5.14 branch 5 times, most recently from 05d947b to a64fedc on March 12, 2026 02:48

Bumps [claude-flow](https://github.com/ruvnet/claude-flow) from 3.0.0-alpha.83 to 3.5.14.
- [Release notes](https://github.com/ruvnet/claude-flow/releases)
- [Changelog](https://github.com/ruvnet/ruflo/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ruvnet/claude-flow/commits/v3.5.14)

---
updated-dependencies:
- dependency-name: claude-flow
  dependency-version: 3.5.14
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot force-pushed the dependabot/npm_and_yarn/claude-flow-3.5.14 branch from a64fedc to 6eaa490 on March 12, 2026 05:55