Skip to content

v0.37.2

Latest

Choose a tag to compare

@github-actions github-actions released this 04 Jul 15:26

Fixed

  • Supply-chain hygiene (closes #1144). Removed stale cargo audit ignores for advisories whose crates are no longer in Cargo.lock, realigned the audit and cargo-deny advisory policies with docs/RUSTSEC-ADVISORIES.md, and moved agnix's direct YAML/frontmatter parser dependency to the maintained serde_norway fork while keeping the internal serde_yaml crate alias stable. Added regression coverage so the advisory lists and YAML parser package cannot drift silently.
  • Docs website deployment payload. Reduced the GitHub Pages deploy window from six to three docs versions while keeping all versioned snapshots in the repository, so release docs publish with a smaller Pages artifact and avoid repeated syncing_files deployment failures.
  • Security: MCP path confinement and panic hardening. The MCP validate_file and validate_project tools now reject client-supplied paths that canonicalize outside the server working directory. Completion helpers clamp raw byte offsets to UTF-8 character boundaries before slicing, project validation converts per-file validator panics into diagnostics, and release builds keep unwinding enabled so one bad file cannot abort an entire scan.
  • Release download integrity and publish gating. The GitHub Action installer, VS Code extension, JetBrains plugin, and Zed extension now verify release SHA-256 sidecars before using downloaded agnix/agnix-lsp artifacts. Release tags now run fmt, clippy, and workspace tests before GitHub releases, crates.io publish, or VS Code Marketplace publish can proceed.