v1.2.0 — auth middleware + GHSA closure + truth-in-advertising sweep

mcp-tool-shop released this 23 May 08:26 · 81 commits to main since this release · 7cd210c

Headline outcomes vs v1.1.1

  • GHSA-pending advisory closed. Real ASGI middleware via rx.App(api_transformer=basic_auth_transformer) — 4 modes (no_auth_local_only / token_auto / explicit_creds / production), HMAC-signed cookie, WS pre-accept validation, Host/Origin allowlists. ENFORCEMENT_AVAILABLE flipped False → True. Plus a 4-layer defense in depth at the cli.py / ui_app/app.py / rxconfig.py / env-strip surfaces.
  • 4 v1.1.0 contract violations fixed. TrainingCallback.on_step/on_epoch/on_save now actually fire; Trainer.train(resume_from=...) actually resumes (was silently restarting from step 0); train_on_responses_only is tokenizer-aware (Llama 3 / Gemma / Phi-3 / Mistral no longer silent no-op); backprop info reports Reflex not Gradio.
  • ERROR_CODES catalog completed. 8 codes promoted from cli.py:_BRIDGE_LOCAL_ERROR_CODES into canonical exceptions.ERROR_CODES. Catalog-drift regression test prevents recurrence.
  • Run-history UI parity. New backprop runs data API + Reflex /runs page.
  • CI gates re-tightened. mypy hard-gated, pip-audit CRITICAL floor, Trivy CRITICAL floor (2 CRITICAL transitive CVEs cleared: authlib 1.7.2, nltk 3.9.4), aggregate gate no longer continue-on-error.
  • Gradio legacy modules removed (v1.1.0 CHANGELOG promised v1.2 removal — kept). Reflex is now the only Web UI surface.
  • [observability] extra removed (was advertised as OpenTelemetry but no module imported it — would have been another doc-lie).

Tests

1957 → 1865 (net): added 27 new tests in v1.2.0 — 23 auth-middleware tests (4 modes + Host/Origin allowlists + WS pre-accept + close codes 4401/4403 + MLflow-CVE default-credential audit), 4 catalog-drift regression tests, plus regression tests for the 4 contract-violation fixes. Final: 1856 passed, 10 skipped, 0 failed.
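The WS pre-accept validation, Host/Origin allowlists and HMAC-signed cookie from the headline list can be pictured with a plain ASGI wrapper. This is an added sketch, not the project's basic_auth_transformer. Assumptions: the cookie name `session`, the `value.hexmac` cookie layout, the key, the allowlist entries, and the mapping of 4403 to a rejected Host/Origin and 4401 to a missing or invalid cookie (mirroring HTTP 403/401).

```python
import hashlib
import hmac
from typing import Optional

SECRET = b"constructed-demo-key"  # constructed; load from a secret store in practice
ALLOWED_HOSTS = {"localhost:7860", "127.0.0.1:7860"}                    # assumed
ALLOWED_ORIGINS = {"http://localhost:7860", "http://127.0.0.1:7860"}    # assumed

def _mac(value: str) -> str:
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def sign(value: str) -> str:
    """Build the assumed cookie payload: value + '.' + hex HMAC-SHA256."""
    return f"{value}.{_mac(value)}"

def cookie_ok(header: str) -> bool:
    """True only if the Cookie header carries a correctly signed 'session' value."""
    for part in header.split(";"):
        name, _, raw = part.strip().partition("=")
        if name == "session" and "." in raw:
            value, _, mac = raw.rpartition(".")
            # Constant-time comparison on bytes, so odd header bytes cannot raise.
            return hmac.compare_digest(mac.encode("latin-1"), _mac(value).encode())
    return False

def ws_close_code(scope) -> Optional[int]:
    """Return the close code for a rejected handshake, or None to let it through."""
    h = {k.decode("latin-1").lower(): v.decode("latin-1") for k, v in scope["headers"]}
    # Exact-match allowlists: a missing Host or Origin header is rejected too.
    if h.get("host") not in ALLOWED_HOSTS or h.get("origin") not in ALLOWED_ORIGINS:
        return 4403
    if not cookie_ok(h.get("cookie", "")):
        return 4401
    return None

def pre_accept_guard(app):
    """Wrap an ASGI app so WebSocket scopes are checked before websocket.accept."""
    async def guarded(scope, receive, send):
        if scope["type"] == "websocket":
            code = ws_close_code(scope)
            if code is not None:
                # Closing before accept rejects the handshake (ASGI servers answer
                # with HTTP 403); the wrapped app never sees the connection.
                await send({"type": "websocket.close", "code": code})
                return
        await app(scope, receive, send)
    return guarded
```

The checks run on the handshake headers only, so no application message is read from an unauthenticated or cross-origin socket.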

Security advisory

A GHSA advisory for the v1.1.0 / v1.1.1 auth-bypass false-promise will be filed alongside this release. Affected versions: >=1.1.0, <1.2.0. Patched version: 1.2.0. Mitigation for operators who cannot upgrade immediately: do not pass --auth or --share; use SSH port-forwarding for remote access (ssh -L 7860:localhost:7860 <host>).

Full notes

See CHANGELOG.md for the full release narrative including Known issues / tech debt deferred to v1.3.