v0.2.2 #300
fslongjin
announced in
Announcements
2026.05.18 Release v0.2.2
🛡️ Security Fixes
- hypervisor: vmm-sys-util bumped 0.11.x → 0.12.1 (CVE-2023-50711, GHSA-875g-mfp6-g7f9): FamStructWrapper::deserialize previously failed to verify that the header length matched the flexible-array length, allowing out-of-bounds memory access from safe Rust code. Pinned to the workspace version already used by every other hypervisor crate.
- agent/hypervisor: bytes and env_logger security bumps — additional dependency refreshes from the same CVE-fix pass (CVE fix #267).
- time crate bump (CVE-2026-25727 / GHSA-r6v5-fh4h-64xc) (Revert "deps(rust): bump time to 0.3.47 to fix CVE-2026-25727" #286): Analysis confirmed that CubeSandbox only uses time::format_description::well_known::Rfc3339 for outbound timestamp formatting and never invokes Rfc2822 parsing on untrusted input — the affected attack vector is not reachable. The upgrade was rolled back because it requires an MSRV bump and will be addressed separately when the project is ready.

🚀 Critical Fixes
- CubeMaster) (fix(template_image): add request_id field to prevent duplicate job creation #227): A new request_id column with a unique index on (request_id, operation) makes job submissions idempotent. Migration logic handles existing records with legacy IDs. Eliminates the race where concurrent or retried API calls could enqueue the same build twice.
- cubecli exec nil-deref panic on stdin EOF (fix(cubecli): nil-deref panic in exec StdinCloser on stdin EOF #188): StdinCloser.Read previously triggered a nil-pointer dereference when stdin reached EOF, silently aborting the exec lifecycle. The fix correctly handles EOF and switches to errors.Is(err, io.EOF) for proper error-wrapping compatibility. Shim logs now emit the expected paired exec req/wait container … exit code entries.
- RefreshArtifactRuntimeFiles, validateArtifactRuntimeFilesPresent, and ensureArtifactRuntimeFiles are simplified to handle only kernel files; copyKernelFileAtomically is renamed to CopyFileAtomically for reuse outside the package. Unit tests are updated and pruned accordingly.

✨ Enhancements
- CubeMaster is now the single authoritative source of default exposed ports — hardcoded defaults and port-seeding logic are removed from Cubelet and network-agent, preventing silent divergence.
- cubelet: cmdTimeout configurable via storage plugin config (storage: make cmdTimeout configurable via plugin config #236): A new optional cmd_timeout field in the storage plugin TOML config replaces the hardcoded 3 s default. Multi-GiB ext4 operations on the live-create slow path under concurrent load can exceed 3 s; operators can now raise the limit without recompiling. Default behavior is unchanged when the field is absent.
- cubelet: richer diagnostics on newExt4RawByReflinkCopy failures (cubelet: add diagnostic context to newExt4RawByReflinkCopy errors #237): Error messages now include elapsed time, target/base file stats, and free space in the format [step=N/4 cmd="…" elapsed=…ms target=size=… base=size=… free=…B]. Stat/statfs errors are reported inline. Unit tests are added for describeStorageFailure/describeFile/describeFreeBytes.
- .env config (feat(deploy): sync cubemaster custom ports with .env config #210): cubemaster.yaml now uses __CUBE_SANDBOX_MYSQL_PORT__ and __CUBE_SANDBOX_REDIS_PORT__ placeholders; install.sh substitutes them from the .env file, enabling non-default MySQL/Redis ports without manual YAML edits.

⚙️ Engineering Improvements
- cubecli: removed dead listmd command (fix(cubecli): remove dead listmd command #181): The unreachable listmd subcommand and its 128-line implementation (metadata.go) are deleted, reducing dead-code surface.

🤖 CI / DevOps
- .agents/agents/ (code quality, performance, security, test coverage, documentation accuracy). Automated workflows handle PR code review, duplicate issue detection, and issue label triage. A secure GitHub App token flow is wired up for CI actions, and helper scripts gh.sh and edit-issue-labels.sh are added under scripts/.
- gh.sh: issue comment support (feat: add issue comment support to gh.sh and restrict workflow tools to scripts #262): gh.sh gains comment-issue to post comments via stdin heredoc, and workflow tool paths are restricted to the new scripts directory for consistency.
- show_full_output option updated for the AI review workflow.

📚 Documentation
- CONTRIBUTING.md (docs: add Chinese translation of CONTRIBUTING.md #276): CONTRIBUTING_zh.md added as a full Chinese translation of the contribution guide.
- CONTRIBUTING.md and CONTRIBUTING_zh.md now allow single-language submissions; bilingual docs are encouraged but optional, with clear nested requirements.
- docs/architecture/network.md (EN & ZH) now explicitly documents the three port-range buckets on compute nodes: 10000–19999 (network-agent ip_local_port_range), 20000–29999 (CubeProxy sandbox access), 30000–65535 (CubeVS SNAT).
- CONTRIBUTING.md and READMEs updated with contribution links.
- docs.cubesandbox.ai to cubesandbox.com (chore: update CNAME domain from docs.cubesandbox.ai to cubesandbox.com #271).
- browser-sandbox example: Added missing load_dotenv() call and python-dotenv dependency so .env variables are loaded before the script runs.

🙏 Contributors
Thanks to everyone who contributed to v0.2.2:
@fslongjin, @foxywang, @cocovs, @WaylandYang, @chenggui53, @luzhixing12345, @turtlemoji, @QingqLin, @chenhengqi, @Dafeigy.
Full Changelog: v0.2.1...v0.2.2
This discussion was created from the release v0.2.2.
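
The length check described in the vmm-sys-util item under Security Fixes, shown on a simplified model. This is an added example, not code from CubeSandbox or vmm-sys-util; FamWrapper, DecodeError, encode and the wire layout are assumptions made for illustration.

```rust
// Added illustration; FamWrapper, DecodeError and the wire layout are assumptions,
// not vmm-sys-util's types or serialization format.
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    LengthMismatch { header: u32, actual: usize },
}
#[derive(Debug, PartialEq)]
pub struct FamWrapper {
    header_len: u32,   // length field carried in the header
    entries: Vec<u32>, // flexible-array payload
}

/// Constructed layout: header_len (u32 LE), count (u32 LE), then `count` u32 LE entries.
pub fn deserialize(buf: &[u8]) -> Result<FamWrapper, DecodeError> {
    let word = |i: usize| -> Result<u32, DecodeError> {
        let b = buf.get(i * 4..i * 4 + 4).ok_or(DecodeError::Truncated)?;
        Ok(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
    };
    let header_len = word(0)?;
    let count = word(1)? as usize;
    // Grow as data is actually read instead of pre-allocating from an untrusted count.
    let mut entries = Vec::new();
    for i in 0..count { entries.push(word(2 + i)?); }
    // The invariant: header length must equal the decoded array length.
    if header_len as usize != entries.len() {
        return Err(DecodeError::LengthMismatch { header: header_len, actual: entries.len() });
    }
    Ok(FamWrapper { header_len, entries })
}

impl FamWrapper {
    /// Trusts header_len as the element count, which is only sound after the check above.
    pub fn as_slice(&self) -> &[u32] { &self.entries[..self.header_len as usize] }
}

/// Builds a constructed sample message; header_len is set independently of the payload.
pub fn encode(header_len: u32, entries: &[u32]) -> Vec<u8> {
    let mut out = header_len.to_le_bytes().to_vec();
    out.extend_from_slice(&(entries.len() as u32).to_le_bytes());
    entries.iter().for_each(|e| out.extend_from_slice(&e.to_le_bytes()));
    out
}

fn main() {
    println!("{:?}", deserialize(&encode(3, &[10, 20, 30]))); // consistent lengths
    println!("{:?}", deserialize(&encode(8, &[10, 20, 30]))); // header claims 8, payload has 3
}
```

In this safe-Rust model an unchecked mismatch would only panic in as_slice; the release note describes the real consequence as out-of-bounds memory access.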