You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
What's New
Features
Added directory listing support through the new execd directory API. The SDK exposes depth-controlled traversal (depth defaults to 1 for immediate children) and a FileInfo.type field (file, directory, symlink, other). Symlinks are reported as symlinks and are not recursively traversed, and /files/info now reports symlinks as symlinks rather than resolving to the target type. #1001
Added line-based file reads through GET /files/download with offset (1-based line number) and limit (line count) query parameters, enabling callers to read large text files by line range. Mutually exclusive with the existing Range header. #1030
Added detailed replace-content feedback without breaking existing callers. The replace API now returns ContentReplaceResult[] exposing per-file replacedCount, so callers can detect no-match (0) and multi-match (>1) replacements. Callers not using the return value are unaffected. #991
Added Credential Vault support to the JS/TS SDK surface, including models, egress adapter, sandbox creation, unit tests, and E2E coverage. #1023
Added runOnce and withSession isolation convenience helpers. sandbox.isolation.runOnce(code, workspace, opts?) wraps create → run → delete into a single call with guaranteed cleanup, and sandbox.isolation.withSession(req, fn) scopes a multi-run isolated workflow with auto-delete on exit. Both are declared on the IsolationService interface; cleanup is best-effort so it never masks the original error. #1008#1222
Added an LRU + TTL endpoint cache with in-flight request deduplication. The SDK now caches (sandbox_id, port, use_server_proxy) → Endpoint to avoid repeated resolution round-trips. It is enabled by default (TTL 600s, max size 1024) and tunable via ConnectionConfig; killing a sandbox actively invalidates its cached entries. #1133
Sandbox lifecycle responses now surface extensions. The JS/TS SDK response models expose opensandbox.extensions.* data returned by create/get/list so callers can read extension values round-tripped from the server. #1112
Added the optional resourceRequests field to sandbox creation. Kubernetes-backed sandboxes can now set resource requests separately from limits (enabling Burstable QoS). Omitting the field preserves the existing behavior where requests equal limits. #1074
Bug Fixes
Background command log polling now accepts a successful empty GET /command/{id}/logs response as an empty log chunk instead of throwing unexpected response shape, while still parsing the tail cursor header so callers can continue polling from the returned offset. #1013
Clarified deleteOnSandboxTermination semantics in the JS sandbox model: auto-created Kubernetes PVCs are now actually deleted on sandbox termination when opted in (previously the field was documented as Docker-only). Default remains false (opt-in), so existing behavior is unchanged. #880
Security
Patched transitive npm advisories as part of a cross-package Dependabot sweep, bumping undici to 8.5.0 (TLS bypass, DoS, cache poisoning, proxy reuse) and js-yaml to 5.2.0 (quadratic DoS) via pnpm.overrides. #1145
Misc
Deprecated the ports field on credential vault binding matches (CredentialMatch.ports). Port is now derived from the scheme (https → 443, http → 80), matching what the intercept layer actually redirects; values other than 80 or 443 are rejected by the server. The field is retained for backward compatibility but should no longer be set. #1189
Updated the JS SDK package manifest repository/issues metadata to the new opensandbox-group/OpenSandbox org so package pages point to the current repo (published package name unchanged). #1139
Regenerated the lifecycle client after the server dropped its unused PendingSandbox mechanism, and refreshed generated execd clients for the isolated replace-content surface. #1178#1129#1002
Bumped the JS Sandbox SDK package version to 0.1.10 and aligned the default User-Agent string with the released version. #1062#1248