
v2.4.1


github-actions released this 15 Jun 01:22
6628208 · 2026-06-14

Security hardening patch — OAuth2 iss/aud validation, fail-closed identity
binding, web app SSRF/redirect fixes, and dependency bumps. Wire protocol and
manifest schemas are unchanged from v2.4.0.

Security

  • OAuth2 middleware: Validate JWT iss and aud when ASAP_AUTH_ISSUER / ASAP_AUTH_AUDIENCE (or OAuth2Config.expected_issuer / expected_audience) are set; refactored validation through validate_jwt() in asap.auth.jwks.
  • Identity binding: Fail-closed when manifest_id is configured but neither custom claim nor ASAP_AUTH_SUBJECT_MAP allowlist matches (403 instead of warn-and-pass).
  • Web app (apps/web): Block open redirects on E2E fixture login routes via resolveRedirectUrl; harden SSRF on /api/health-check (127.0.0.0/8, DNS resolve4/6); Zod strict validation on public API query params (unknown keys return 400); rate-limit unit tests.
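As an added illustration of the two middleware behaviours described above (not the project's own validate_jwt() or OAuth2 middleware), the Python below runs the claim checks on a payload whose signature has already been verified against the JWKS. The claim name asap_manifest_id, the subject-map shape, the function names and the sample payload are all assumptions made for this example.

```python
import time
from typing import Any, Dict, Optional, Tuple

class AuthError(Exception):
    """A failed check; the middleware maps .status to the HTTP response."""
    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status = status

def validate_claims(claims: Dict[str, Any], expected_issuer: Optional[str],
                    expected_audience: Optional[str], now: Optional[float] = None) -> None:
    """Enforce exp always, and iss/aud only when an expectation is configured;
    aud may be a string or a list (RFC 7519) and must contain our audience."""
    now = time.time() if now is None else now
    if "exp" in claims and now >= float(claims["exp"]):
        raise AuthError(401, "token expired")
    if expected_issuer is not None and claims.get("iss") != expected_issuer:
        raise AuthError(401, "issuer mismatch")
    if expected_audience is not None:
        aud = claims.get("aud")
        if expected_audience not in (aud if isinstance(aud, list) else [aud]):
            raise AuthError(401, "audience mismatch")

def bind_identity(claims: Dict[str, Any], manifest_id: Optional[str],
                  subject_map: Optional[Dict[str, str]] = None,
                  claim_name: str = "asap_manifest_id") -> Optional[str]:
    """Fail-closed: with a manifest_id configured, the token must carry it in the
    custom claim or have its sub allowlisted for it; anything else is 403."""
    if manifest_id is None:
        return None  # binding not configured, nothing to enforce
    if claims.get(claim_name) == manifest_id:
        return manifest_id
    if subject_map and subject_map.get(claims.get("sub")) == manifest_id:
        return manifest_id
    raise AuthError(403, "token subject not bound to configured manifest")

def authorize(claims, expected_issuer=None, expected_audience=None,
              manifest_id=None, subject_map=None, now=None) -> Tuple[int, Optional[str]]:
    """Run both checks; returns (http_status, bound manifest id or failure reason)."""
    try:
        validate_claims(claims, expected_issuer, expected_audience, now)
        return 200, bind_identity(claims, manifest_id, subject_map)
    except AuthError as err:
        return err.status, str(err)

# Constructed sample payload (not a real token); signature is assumed verified.
SAMPLE_CLAIMS = {"iss": "https://issuer.example", "aud": ["asap-api", "other"],
                 "sub": "agent-1", "exp": 2_000_000_000}
```

With no issuer, audience or manifest_id configured, authorize() only enforces exp, which mirrors the opt-in behaviour the release note describes.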

Fixed

  • CI security (pip-audit): Bumped transitive pins (langchain-core, langsmith, python-multipart, urllib3, pip, smolagents) and adjusted documented --ignore-vuln flags (pygments + smolagents CVEs with no PyPI fix yet; pip ≥26.1 clears prior pip ignore). See SECURITY.md.
  • FastAPI / Starlette: Raised fastapi floor to >=0.136.1 so starlette>=1.0.1 resolves PYSEC-2026-161 (Host header path injection) without a pip-audit ignore.

Migration

  • v2.4.0 → v2.4.1: Security patch — bump dependencies; verify OAuth2 issuer/audience and identity binding if already configured. See the migration guide.

Full Changelog: v0.1.0...v2.4.1