chore(master): release 1.3.4#31

Merged

TPTBusiness merged 1 commit into

release-please--branches--master

Apr 27, 2026

Contributor

github-actions Bot commented Apr 26, 2026 •

edited

Loading

🤖 I have created a release beep boop

1.3.4 (2026-04-27)

Bug Fixes

auto-fixer: add five new factor code fixes for groupby/apply errors (449c8fd)
auto-fixer: add four new factor code fixes for common runtime errors (40484f6)
auto-fixer: add groupby([level=N,'date']) SyntaxError fix (ca77c00)
auto-fixer: disable _fix_min_periods for intraday data (77b0740)
auto-fixer: fix chained groupby(level=N).groupby('date') pattern (7d5fe32)
auto-fixer: fix df.loc[instrument] DateParseError on MultiIndex frames (b7860ea)
auto-fixer: fix df['instrument'] KeyError on MultiIndex frames (aad6bd1)
auto-fixer: preserve date dimension in groupby(['instrument','date']) fix (b58fdd8)
auto-fixer: remove ddof from rolling() args, not only from std()/var() (b0fc328)
backtest: replace broken MC permutation test with binomial win-rate test (c38d894)
factors: detect and correct look-ahead bias in daily-constant factors (eb490a4)
factors: extend look-ahead rules to session factors and add intraday-factor guidance (c24c100)
loop: compress old experiment history in proposal prompt to reduce context size (4bf90a9)
loop: prevent step_idx advance on unhandled exceptions + fix consecutive assistant messages (5ec4ad1)

This PR was generated with Release Please. See documentation.

github-actions Bot added the autorelease: pending label

github-actions Bot force-pushed the release-please--branches--master branch 8 times, most recently from 709b169 to db7c44f Compare

April 27, 2026 13:37


          chore(master): release 1.3.4

751bc8f

github-actions Bot force-pushed the release-please--branches--master branch from db7c44f to 751bc8f Compare

April 27, 2026 13:45

TPTBusiness merged commit 6b49884 into master

5 checks passed

github-actions Bot added autorelease: tagged and removed autorelease: pending labels

TPTBusiness added a commit that referenced this pull request


          fix(security): Patch path injection and stack trace exposure (CodeQL #31

f143e8f

, #27)

- Fix py/path-injection (Alert #31, High severity):
  - Add _validate_job_path() to resolve and canonicalize paths
  - Enforce job_path stays within safe_root via relative_to()
  - Update get_max_loops(), get_job_summary_df(), render_job_summary()
    to accept and validate safe_root parameter
  - Update app.py caller to pass safe_root to render_job_summary()
  - On validation failure: return empty data / show warning

- Fix py/stack-trace-exposure (Alert #27, Medium severity):
  - Remove str(e) from error response in get_live_fx_data()
  - Replace with generic message: 'Internal error while fetching live FX data'
  - Remove unused exception variable to prevent accidental leakage

Files:
  rdagent/app/rl/ui/rl_summary.py
  rdagent/app/rl/ui/app.py
  rdagent/components/coder/factor_coder/eurusd_macro.py

TPTBusiness pushed a commit that referenced this pull request


          chore(master): release 1.3.4 (#31)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

TPTBusiness added a commit that referenced this pull request


          chore: Document transformers CVE-2025-1194 is already fixed

c609318

- Add comment explaining transformers >=4.53.0 is already safe (CVE fixed in >=4.50.0)
- Dependabot alert #31 is false positive due to missing lockfile
- No version change needed - current specification is already secure

Security Status:
- CVE-2025-1194: Fixed in transformers >=4.50.0, current spec >=4.53.0 ✓
- Affects: SubWordJapaneseTokenizer in GPT-NeoX-Japanese model
- Impact: ReDoS via crafted input causing exponential regex backtracking

Note: Without a lockfile (pip-tools/uv/poetry), Dependabot cannot determine
the installed version and raises alerts based on the requirement spec alone.

TPTBusiness added a commit that referenced this pull request


          fix(security): Patch path injection and stack trace exposure (CodeQL #31

510fd11

, #27)

- Fix py/path-injection (Alert #31, High severity):
  - Add _validate_job_path() to resolve and canonicalize paths
  - Enforce job_path stays within safe_root via relative_to()
  - Update get_max_loops(), get_job_summary_df(), render_job_summary()
    to accept and validate safe_root parameter
  - Update app.py caller to pass safe_root to render_job_summary()
  - On validation failure: return empty data / show warning

- Fix py/stack-trace-exposure (Alert #27, Medium severity):
  - Remove str(e) from error response in get_live_fx_data()
  - Replace with generic message: 'Internal error while fetching live FX data'
  - Remove unused exception variable to prevent accidental leakage

Files:
  rdagent/app/rl/ui/rl_summary.py
  rdagent/app/rl/ui/app.py
  rdagent/components/coder/factor_coder/eurusd_macro.py

TPTBusiness pushed a commit that referenced this pull request


          chore(master): release 1.3.4 (#31)

1c4e2d9

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

github-actions Bot mentioned this pull request

chore(master): release 0.8.0 #49

Merged

TPTBusiness added a commit that referenced this pull request


          fix(security): Patch path injection and stack trace exposure (CodeQL #31

2b0525f

, #27)

- Fix py/path-injection (Alert #31, High severity):
  - Add _validate_job_path() to resolve and canonicalize paths
  - Enforce job_path stays within safe_root via relative_to()
  - Update get_max_loops(), get_job_summary_df(), render_job_summary()
    to accept and validate safe_root parameter
  - Update app.py caller to pass safe_root to render_job_summary()
  - On validation failure: return empty data / show warning

- Fix py/stack-trace-exposure (Alert #27, Medium severity):
  - Remove str(e) from error response in get_live_fx_data()
  - Replace with generic message: 'Internal error while fetching live FX data'
  - Remove unused exception variable to prevent accidental leakage

Files:
  rdagent/app/rl/ui/rl_summary.py
  rdagent/app/rl/ui/app.py
  rdagent/components/coder/factor_coder/eurusd_macro.py

TPTBusiness pushed a commit that referenced this pull request


          chore(master): release 1.3.4 (#31)

66099a3

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

This was referenced May 4, 2026

chore(master): release 0.8.0 #54

Closed

chore(master): release 0.8.0 #56

Closed

TPTBusiness added a commit that referenced this pull request


          chore: Document transformers CVE-2025-1194 is already fixed

5cae724

- Add comment explaining transformers >=4.53.0 is already safe (CVE fixed in >=4.50.0)
- Dependabot alert #31 is false positive due to missing lockfile
- No version change needed - current specification is already secure

Security Status:
- CVE-2025-1194: Fixed in transformers >=4.50.0, current spec >=4.53.0 ✓
- Affects: SubWordJapaneseTokenizer in GPT-NeoX-Japanese model
- Impact: ReDoS via crafted input causing exponential regex backtracking

Note: Without a lockfile (pip-tools/uv/poetry), Dependabot cannot determine
the installed version and raises alerts based on the requirement spec alone.

TPTBusiness added a commit that referenced this pull request


          fix(security): Patch path injection and stack trace exposure (CodeQL #31

4b0f5f3

, #27)

- Fix py/path-injection (Alert #31, High severity):
  - Add _validate_job_path() to resolve and canonicalize paths
  - Enforce job_path stays within safe_root via relative_to()
  - Update get_max_loops(), get_job_summary_df(), render_job_summary()
    to accept and validate safe_root parameter
  - Update app.py caller to pass safe_root to render_job_summary()
  - On validation failure: return empty data / show warning

- Fix py/stack-trace-exposure (Alert #27, Medium severity):
  - Remove str(e) from error response in get_live_fx_data()
  - Replace with generic message: 'Internal error while fetching live FX data'
  - Remove unused exception variable to prevent accidental leakage

Files:
  rdagent/app/rl/ui/rl_summary.py
  rdagent/app/rl/ui/app.py
  rdagent/components/coder/factor_coder/eurusd_macro.py

TPTBusiness pushed a commit that referenced this pull request


          chore(master): release 1.3.4 (#31)

6b5c169

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

github-actions Bot mentioned this pull request

chore(master): release 1.6.0 #60

Closed

TPTBusiness added a commit that referenced this pull request


          fix(security): Patch path injection and stack trace exposure (CodeQL #31

308e556

, #27)

- Fix py/path-injection (Alert #31, High severity):
  - Add _validate_job_path() to resolve and canonicalize paths
  - Enforce job_path stays within safe_root via relative_to()
  - Update get_max_loops(), get_job_summary_df(), render_job_summary()
    to accept and validate safe_root parameter
  - Update app.py caller to pass safe_root to render_job_summary()
  - On validation failure: return empty data / show warning

- Fix py/stack-trace-exposure (Alert #27, Medium severity):
  - Remove str(e) from error response in get_live_fx_data()
  - Replace with generic message: 'Internal error while fetching live FX data'
  - Remove unused exception variable to prevent accidental leakage

Files:
  rdagent/app/rl/ui/rl_summary.py
  rdagent/app/rl/ui/app.py
  rdagent/components/coder/factor_coder/eurusd_macro.py

TPTBusiness pushed a commit that referenced this pull request


          chore(master): release 1.3.4 (#31)

9b70cb3

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

github-actions Bot mentioned this pull request

chore(master): release 0.8.0 #61

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

autorelease: tagged