v2026.6.8.22

github-actions released this 08 Jun 13:39
5157948

What's Changed

  • Docs: sync config skill + rule counts to current behavior by @twschiller in #175
  • Fix: scrub instead of detach for framework-rendered DOM by @twschiller in #176
  • Fix: re-scrub meta content rewrites and noscript re-renders by @twschiller in #180
  • Feat: hidden-fee-annotate rule for drip-pricing fees (#119) by @twschiller in #181
  • Docs: note accepted gap for enabled input value inside hidden wrapper by @twschiller in #184
  • Feat: scrub value on input[type=hidden] in attribute-injection-sanitize by @twschiller in #185
  • Fix: cover aria-roledescription/-placeholder/-valuetext/-keyshortcuts in attribute-injection-sanitize by @twschiller in #186
  • Bump marocchino/sticky-pull-request-comment from 2 to 3 by @dependabot[bot] in #195
  • Bump astral-sh/setup-uv from 7 to 8.1.0 by @dependabot[bot] in #193
  • Bump actions/checkout from 6 to 6.0.2 by @dependabot[bot] in #189
  • Feat: form-prefill-annotate rule for preselected form controls (#121) by @twschiller in #187
  • Chore: switch Dependabot ecosystem from npm to bun by @twschiller in #196
  • Chore: bump dev-deps (biome, eslint, typescript-eslint, astro) by @twschiller in #202
  • Chore(deps): Bump react-router-dom from 7.15.1 to 7.16.0 in /demo-site by @dependabot[bot] in #199
  • Fix: resolve modern CSS color syntaxes in hidden-text-strip by @twschiller in #205
  • Fix: extend unicode-invisibles-strip to cover bypass code points by @twschiller in #204
  • Feat: hidden-affiliate-sanitize rule for affiliate/UTM/referral metadata (#121) by @twschiller in #188
  • Fix: narrow hidden-text-strip landmark + aria-hidden allowlists by @twschiller in #207
  • Fix: extend hidden-text-strip with six additional CSS hide paths by @twschiller in #206
  • Fix: extend cross-origin-frame-redact to and by @twschiller in #208
  • Fix: schema-trust Person annotation + broader disguised-ad coverage (#203) by @twschiller in #209
  • Fix: detect PII / encoded payloads split across sibling text nodes (#203) by @twschiller in #210
  • Fix: cover open declarative shadow DOM via setHTMLUnsafe (#203) by @twschiller in #211
  • Fix: narrow hidden-text-strip display:none carve-out for live regions by @twschiller in #212
  • Fix: scarcity/countdown synonym evasion (#203) by @twschiller in #213
  • Fix: catch single-script IDN homograph links (#203) by @twschiller in #215
  • Fix: defend cleared checkout checkboxes against programmatic re-checks (#203) by @twschiller in #214
  • Fix: extend encoded-payload-redact with text-cipher encodings (#203) by @twschiller in #216
  • Fix: main-world shadow-root probe for definitive closed-shadow detection (#203) by @twschiller in #217
  • Refactor: extract chrome.scripting registry mock into shared helper by @twschiller in #218
  • Docs: list remaining bypass gaps as known limitations (#203) by @twschiller in #219

Full Changelog: v2026.6.5.21...v2026.6.8.22