Skip to content

v0.9.0

Choose a tag to compare

View all tags
@DorianZheng DorianZheng released this 03 May 12:44
· 165 commits to main since this release
v0.9.0
6907945
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Security

This release fixes two Critical vulnerabilities affecting all SDKs at versions < 0.9.0. Upgrade to 0.9.0 or later — there is no workaround.

Advisory CVE Issue
GHSA-g6ww-w5j2-r7x3 CVE-2026-46695 read-only volume remount bypass
GHSA-f396-4rp4-7v2j CVE-2026-46703 OCI layer symlink escape

Dependabot covers consumers using pip boxlite, npm @boxlite-ai/boxlite, go github.com/boxlite-ai/boxlite/sdks/go, cargo boxlite, or cargo boxlite-cli. If you install via the curl | sh installer, the prebuilt C SDK / native library, vendored source, or rely on cargo audit (which reads RustSec, separate from the GitHub Advisory Database), you will not receive a Dependabot alert — please confirm you are on 0.9.0+. See SECURITY.md for the full table.

What's Changed

  • Add allow_net and secrets support across SDKs by @DorianZheng in #426
  • feat(vmm): add HypervisorProbe for post-failure VM diagnostics by @DorianZheng in #430
  • fix(build): remove stale guest dir reference in clean script by @DorianZheng in #431
  • Add built-in host alias for box-to-host access by @DorianZheng in #441
  • Expose runtime image handles across SDKs safely by @DorianZheng in #433
  • fix(lint): replace sort_by with sort_by_key for clippy compliance by @uran0sH in #442
  • feat(images): harden OCI image pull security by @DorianZheng in #429
  • feat(sdk/go): local OCI bundle via WithRootfsPath by @GatewayJ in #443
  • [codex] Auto-use sudo in Linux setup scripts by @DorianZheng in #444
  • docs: add SECURITY.md with private vulnerability reporting process by @DorianZheng in #445
  • refactor(images): split OCI extractor and fix containment bugs by @DorianZheng in #446
  • chore(deps): bump rand from 0.9.2 to 0.9.3 in the cargo group across 1 directory by @dependabot[bot] in #447
  • chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /src/deps/libgvproxy-sys/gvproxy-bridge in the go_modules group across 1 directory by @dependabot[bot] in #448
  • fix(security): enforce read-only virtiofs at hypervisor level by @DorianZheng in #454
  • Drop JSON FFI boundary APIs by @DorianZheng in #456
  • Add interactive execution support to C and Go SDKs by @DorianZheng in #458
  • Add structured image registry configuration by @DorianZheng in #459
  • refactor(images): adopt resolve-once pattern, port upstream security tests by @DorianZheng in #461
  • refactor: replace Rust server with apps workspace by @DorianZheng in #460
  • chore: align app workspace with BoxLite by @DorianZheng in #464
  • chore(deps): bump the npm_and_yarn group across 1 directory with 5 updates by @dependabot[bot] in #462
  • chore(deps): bump the go_modules group across 8 directories with 6 updates by @dependabot[bot] in #463
  • chore(setup): install Node 22 LTS via unified setup_nodejs by @DorianZheng in #466
  • refactor(runner): build runner binary in CI, deploy from GitHub Releases by @DorianZheng in #467
  • chore(deps): bump the go_modules group across 3 directories with 2 updates by @dependabot[bot] in #465

New Contributors

Full Changelog: v0.8.2...v0.9.0

Contributors

DorianZheng, GatewayJ, and 2 other contributors
Assets 34
Loading