Skip to content

chore: release v0.12.4#17

Merged
Destynova2 merged 1 commit intodevelopfrom
release-plz-2026-03-03T21-32-38Z
Mar 3, 2026
Merged

chore: release v0.12.4#17
Destynova2 merged 1 commit intodevelopfrom
release-plz-2026-03-03T21-32-38Z

Conversation

@Destynova2
Copy link
Copy Markdown
Contributor

@Destynova2 Destynova2 commented Mar 3, 2026

🤖 New release

  • grob: 0.12.3 -> 0.12.4 (✓ API compatible changes)
Changelog

0.12.4 - 2026-03-03

Fixed

  • use fast-forward for develop→main sync to avoid merge commit pollution

Other

  • fix 11 accuracy issues (stale paths, phantom modules, version bumps)

This PR was generated with release-plz.

@Destynova2 Destynova2 merged commit 45e71ae into develop Mar 3, 2026
14 checks passed
Destynova2 added a commit that referenced this pull request Mar 16, 2026
@Destynova2 @claude
fix(security): resolve 21 CodeQL alerts (2 critical, 18 high, 1 medium)
7035f68 
Critical:
- #9 #10: Replace hard-coded HMAC key with random session key when
  GROB_DLP_SECRET is unset (unpredictable pseudonyms by default)

High:
- #11 #12: Cap Vec::with_capacity to 1024 in OpenAI transform
  (prevents uncontrolled allocation from malicious input)
- #17 #18 #19: Add path traversal check in token_store persist()
  (reject ".." in file path)
- #6 #7 #8: Stop logging full response bodies in OpenAI provider
  (log length instead, truncate to 200 chars on parse error)
- #13 #14: Warn at construction if OAuth token_url uses plaintext HTTP
- #15 #16: Warn at construction if Gemini base_url uses plaintext HTTP
  (new warn_if_cleartext() helper in providers/mod.rs)
- #20 #21 #22: Annotate benchmark TLS cert bypass with lgtm comment
  (intentional: benchmarks use self-signed certs)
- #3: Avoid flowing API key through format string in preset info
- #4 #5: Remove secret values from test assertion messages

Medium:
- #1: Add explicit permissions block to release-plz workflow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Destynova2 Destynova2 deleted the release-plz-2026-03-03T21-32-38Z branch March 30, 2026 19:52
@Destynova2 Destynova2 mentioned this pull request Apr 1, 2026
Closed
38 tasks
@Destynova2 Destynova2 mentioned this pull request Apr 22, 2026
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Destynova2