v0.4.3
Highlights
Crafted log lines can't hijack your terminal or your reports
lessence is meant to be pointed at logs you don't control — kubectl logs, CI output, third-party services — so a single hostile line should never be able to do anything to you. Three ways it could, before v0.4.3:
- Terminal escapes. Only ANSI color codes were stripped, so a line carrying an OSC 8 hyperlink, a window-title rewrite, or carriage-return/backspace overwrites reached your terminal verbatim — enough to render a fake clickable link or quietly repaint what you saw.
- A crash on --summary. A multibyte character (emoji, CJK, accented text) landing exactly on the truncation boundary panicked the whole run.
- Markdown report injection. --format markdown wrapped untrusted content in a plain code fence a crafted line could break out of, injecting headings, links, or images into a report you might render on GitHub or feed to an agent.
v0.4.3 closes all three: the default strip now removes the full terminal-escape grammar (OSC, DCS, lone ESC, CR/BS — not just colors), --summary truncation is UTF-8-safe, and markdown content is always fenced so it can't escape. lessence stays a transparent, lossless filter — it just no longer lets the log drive your terminal or your tooling.
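The sequence classes named above, as an added example in Rust (not lessence's code or its actual implementation): a per-line stripper that drops CSI, OSC and DCS strings, lone ESC and CR/BS, and, going slightly beyond that list, the SOS/PM/APC strings and the remaining C0/C1 control characters. The function name and the inputs it is exercised with are constructed for illustration.

```rust
// Added example, not lessence's code; the function name is hypothetical.
/// Remove terminal control sequences from one untrusted log line,
/// keeping printable text (including multibyte characters) and tabs.
pub fn strip_terminal_escapes(line: &str) -> String {
    let cs: Vec<char> = line.chars().collect();
    let mut out = String::with_capacity(line.len());
    let mut i = 0;
    while i < cs.len() {
        let c = cs[i];
        i += 1;
        if c != '\x1b' {
            // Drop CR, BS, BEL, DEL and other C0/C1 controls; keep tab.
            if c == '\t' || !c.is_control() {
                out.push(c);
            }
            continue;
        }
        match cs.get(i).copied() {
            // CSI: ESC [ parameter/intermediate bytes, then one final byte.
            Some('[') => {
                i += 1;
                while i < cs.len() && ('\x20'..='\x3f').contains(&cs[i]) {
                    i += 1;
                }
                if i < cs.len() && ('\x40'..='\x7e').contains(&cs[i]) {
                    i += 1;
                }
            }
            // OSC, DCS, SOS, PM, APC: a string ended by BEL or ST (ESC \).
            Some(']' | 'P' | 'X' | '^' | '_') => {
                i += 1;
                while i < cs.len() {
                    match cs[i] {
                        '\x07' => { i += 1; break; }
                        // ST ends the string; any other ESC aborts it and is re-parsed.
                        '\x1b' => {
                            if cs.get(i + 1) == Some(&'\\') { i += 2; }
                            break;
                        }
                        _ => i += 1,
                    }
                }
            }
            // Lone ESC or another short escape: drop only the ESC byte.
            _ => {}
        }
    }
    out
}
```

An unterminated OSC or DCS string swallows the rest of the line, which matches what a terminal would do with it; short escapes such as charset selection lose only their ESC, so their remaining bytes show up as harmless literal text.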
No CPU blow-ups on pathological lines
A single ~1 MB line packed with timestamp-like tokens used to trigger quadratic (O(n²)) work while resolving overlapping matches — seconds to minutes of CPU on one line. Overlap resolution is now sub-quadratic (O(n log n)), so adversarial or just unusually dense lines compress in bounded time.
--min-collapse minimum is now 3
--min-collapse 2 never actually made sense — a two-line group expands to three output lines instead of compressing — and it produced wrong compression statistics. The minimum is now 3 (the default is unchanged).
0.4.3 (2026-05-31)
Bug Fixes
- prevent crashes and injection from crafted log lines (da1800b)
Full changelog: v0.4.2...v0.4.3