[11.4.1] - 2026-05-20 - "Installer Supply-Chain Hardening"
Patch release for the npm installer used by Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and related AI coding assistants.
This release hardens the npm installer after reviewing Socket.dev's AI-detected code-anomaly warning for tools/bin/install.js.
Improvements
- release-pinned installs - default npx antigravity-awesome-skills installs now clone the matching package release tag instead of the repository tip, reducing drift between npm package contents and installed skills.
- git ref validation - --tag and --version refs are validated before invoking git clone, while still allowing explicit branch installs such as --tag main.
- destination symlink guard - installer copy operations now refuse to write through pre-existing destination symlinks.
- installer docs and regression coverage - documents the release-pinned default and adds installer tests for release-tag resolution and unsafe ref rejection.
Who should care
- npm users get installer behavior that is pinned to the published package version by default.
- security scanners and maintainers get a narrower supply-chain surface for the installer path Socket flagged.