v0.2.46

@github-actions github-actions released this 05 Jun 18:39
4a73c06

0.2.46 (2026-06-05)

Bug Fixes

  • address runpy review edge cases (#1401) (995f978)
  • analyze ambiguous protobuf routing candidates (#1302) (411b6ee)
  • avoid ambient TensorFlow proto imports (#1406) (601003d)
  • avoid duplicate sharded scans and preserve metadata (#1231) (83a0ce5)
  • avoid framed process string false positives (#1400) (9aae65a)
  • avoid pickle meta-path source probing (#1493) (a31df76)
  • block 7z symlinks before extraction (#1462) (73152a0)
  • block torch.load on vulnerable prereleases (06125e5)
  • bound directory metadata extraction (#1470) (3dd9ceb)
  • bound GGUF declared collections (#1316) (3ceb138)
  • bound jax and flax metadata scans (#1500) (1f794df)
  • bound jinja sandbox render probes (#1419) (6a6534b)
  • bound native picklescan state simulation (#1501) (f4c9cdf)
  • bound OCI layer decompression (#1443) (fd76fb1)
  • bound Orbax directory checkpoint scanning (#1414) (22a9ffa)
  • bound PyTorch ZIP version probes (#1512) (196fb46)
  • bound SavedModel graph traversal (#1491) (b42fffb)
  • bound SavedModel keras metadata parsing (#1466) (b2eddc4)
  • cache: key advanced shard allowlists (#1248) (336148a)
  • cap PyTorch ZIP entry processing (#1455) (e74da5b)
  • ci: avoid performance gating in Windows nightly (#1264) (c01b42a)
  • classify incomplete CatBoost analysis correctly (388565b)
  • classify incomplete OCI layer scans correctly (#1291) (25aae73)
  • classify incomplete pickle analysis and stream coverage (#1310) (e20518f)
  • classify incomplete PMML analysis correctly (#1293) (a3b2cfe)
  • classify incomplete R serialized analysis correctly (#1312) (9439adc)
  • classify incomplete RKNN and Torch7 analysis correctly (#1289) (6d0ad24)
  • classify incomplete Skops coverage correctly (#1298) (d618584)
  • classify incomplete TAR member coverage correctly (#1299) (0cb11b1)
  • classify incomplete TorchServe analysis correctly (#1297) (f443b02)
  • classify incomplete weight analysis correctly (#1313) (e4138c1)
  • classify incomplete ZIP and Keras coverage correctly (#1300) (c350ab9)
  • classify PyTorch binary code patterns as findings (#1497) (e9c6c0a)
  • classify sevenzip probe limits as inconclusive (#1296) (d7e1ad1)
  • classify unavailable binary artifact reads correctly (#1305) (bc4e6b2)
  • classify unavailable CNTK and LightGBM reads correctly (#1303) (26fcf41)
  • classify unavailable Joblib reads correctly (#1309) (5b56384)
  • classify unavailable manifest and text reads correctly (#1307) (5b50c71)
  • classify unavailable metadata reads correctly (#1308) (fa4cdb0)
  • classify unavailable MetaGraph reads correctly (#1304) (c00de0b)
  • classify unavailable MXNet reads correctly (#1301) (a7b8e27)
  • classify unavailable serialized model reads correctly (#1306) (113ba27)
  • classify unavailable TFLite analysis correctly (#1311) (c3e1607)
  • cloud: enforce size caps on cached downloads (#1507) (8f38004)
  • confirm ONNX python_operator findings against the parsed graph (#1254) (#1260) (beb71cd)
  • contain SBOM symlink hashing (#1476) (f147ebc)
  • core: group HF cache shard symlinks (#1252) (91f833d)
  • cover embedded browser and ctypes edges (#1402) (ce31f2f)
  • cover patched PyTorch weight-load versions (#1482) (4c0bdb3)
  • detect asyncio subprocess launches in embedded Python (#1366) (f520c0d)
  • detect disguised PyTorch ZIP executables (#1318) (00bc356)
  • detect dynamic picklescan protocol hooks (#1375) (400c132)
  • detect dynamic TorchServe handler primitives (#1471) (5c28aee)
  • detect embedded runpy execution calls (#1372) (1f9a8d5)
  • detect embedded webbrowser launch calls (#1373) (f1b2df6)
  • detect Keras weights-only external HDF5 refs (69810c2)
  • detect namespace-hidden archive Python calls (#1317) (ae2deb3)
  • detect NeMo torch extension targets (edb642c)
  • detect newline-separated picklescan calls (#1481) (8dcbbb1)
  • detect obscured GGUF chat templates (#1315) (8d184c9)
  • detect os process launches in embedded Python (#1363) (642fd4c)
  • disable sampled large-file scan caching (#1459) (0ddbb93)
  • enforce cloud download size caps (#1407) (10e1342)
  • enforce Hugging Face download budgets (#1413) (1587131)
  • enforce huggingface file size budget (#1410) (7f55f52)
  • enforce JFrog download size budgets (#1416) (9cb392f)
  • enforce PyTorch Hub download budgets (#1452) (d8e74fa)
  • fail closed on embedded Python JIT budget gaps (#1502) (09a4844)
  • fail closed on embedded weights without h5py (#1433) (463bc2c)
  • fail closed on empty Hugging Face repo listings (#1411) (1cbb8aa)
  • fail closed on encoded nested probe cap (6633dac)
  • fail closed on executable ZIP scanner gaps (#1487) (889db72)
  • fail closed on hf streaming extensionless listings (#1492) (d70dec4)
  • fail closed on incomplete Flax traversal (#1295) (335d06c)
  • fail closed on incomplete JAX analysis (#1292) (a3558f1)
  • fail closed on incomplete PyTorch ZIP scans (65faa90)
  • fail closed on malformed SavedModel metadata (#1464) (60d5307)
  • fail closed on NumPy object pickle skips (#1460) (59c52b1)
  • fail closed on oversized standalone Jinja templates (#1283) (76f221e)
  • fail closed on partial cloud metadata (#1404) (70db661)
  • fail closed on pickle import reference truncation (#1449) (5ddac28)
  • fail closed on protocol 5 pickle buffers (#1450) (e696a1f)
  • fail closed on StringLookup external vocab metadata (#1484) (b994dc3)
  • fail closed on truncated CNTK string analysis (#1290) (c6ee60f)
  • fail closed on unavailable Keras ZIP scanner (#1474) (0183a9e)
  • fail unsafe keras h5 lambda ambiguity (#1434) (548d0f2)
  • flag import-only custom pickle globals (#1499) (ca3a476)
  • flag keras fixed-boundary prereleases (#1431) (0f6ea92)
  • flag native keras config modules (#1430) (440fe18)
  • flag oversized pickle frames as tampered (#1448) (c4758fd)
  • harden asyncio subprocess review follow-up (#1398) (31077f3)
  • harden embedded ctypes/browser analysis after #1402 (#1403) (0d37ebc)
  • harden embedded Python builtin alias detection (#1420) (fadceb3)
  • harden Keras ZIP external reference analysis (#1423) (a0e00cf)
  • harden Keras ZIP version attribution (#1424) (57ca7f3)
  • harden Keras ZIP wrapper traversal (#1425) (713eb4d)
  • harden late embedded Python replay analysis (#1446) (6b625ff)
  • harden legacy JAX checkpoint routing (#1397) (4db8d50)
  • harden mixed Keras H5 Lambda analysis (#1422) (6d1ba2e)
  • harden MXNet overlap routing after merge audit (#1378) (4e55dd0)
  • harden NeMo Hydra interpolation analysis (#1427) (099417a)
  • harden PyTorch Hub streaming cleanup (#1454) (2f11b7c)
  • harden standalone Keras H5 external reference analysis (#1421) (64e643f)
  • harden structured Jinja size handling (#1418) (1165a0e)
  • honor compatible header alias routing (#1272) (ee9611e)
  • include supported PyTorch Hub artifacts (#1453) (a3e1616)
  • keep docker digest updates CI-compatible (#1258) (406ed50)
  • keep shard siblings within scan root (a1efccb)
  • keras: redact authorization detail aliases (#1511) (18de054)
  • manifest: fail closed on cloud URL read errors (#1396) (cf1da88)
  • mark compressed partial scans inconclusive (#1286) (39b8f58)
  • mark oversized structured Jinja templates incomplete (6662d3d)
  • mark truncated pickle binary tails incomplete (#1445) (cae15c4)
  • nemo: fail closed on linked load semantics (#1377) (b952e4b)
  • omit SafeTensors custom metadata from security view (#1440) (23e7c44)
  • onnx: scan function default graphs (#1273) (10c57ed)
  • onnx: scan nested Python operators (#1265) (40850e3)
  • preflight 7z extraction budgets (bf7f3de)
  • preserve Flax routing across ambiguous prefixes (#1379) (b3438b8)
  • preserve visible JAX findings in oversized JSON (#1380) (39afcf0)
  • redact code evidence in scanner findings (#1495) (1c2855e)
  • redact compound credential evidence (4a0a364)
  • redact flax msgpack evidence (#1409) (66c55cb)
  • redact Keras evidence secrets (#1475) (37eda4e)
  • redact keras zip finding details (#1436) (b90d08d)
  • redact LightGBM evidence excerpts (#1437) (fed2313)
  • redact metadata secret previews (#1439) (a96f83a)
  • redact network URL path tokens (fa5fd17)
  • redact R serialized executable samples (#1456) (7c3e10c)
  • redact SavedModel decoded previews (ba6eaa1)
  • redact secret detector contexts (923f6af)
  • reject unsafe JFrog credential targets (#1490) (11d8978)
  • repair nightly and docker ci (#1255) (4c8fa7b)
  • report Keras external refs despite metadata (#1478) (0c63514)
  • report Keras H5 external refs despite metadata (#1483) (5997e06)
  • require ETags for cloud cache hits (1a8e39d)
  • resolve follow-up quality findings (#1222) (2968961)
  • restrict auth token API hosts (#1486) (9ccddc5)
  • restrict JFrog credential forwarding (8287edd)
  • retain oversized renamed SafeTensors candidates (#1285) (64efefa)
  • route disguised llamafiles and classify preview read failures (#1267) (ad55249)
  • route disguised torch7 payloads by content (#1268) (9ba9cd1)
  • route extensionless XGBoost and classify incomplete analysis (#1276) (46bffb4)
  • route large and renamed Flax MessagePack checkpoints (#1280) (40766c4)
  • route padded and renamed JAX JSON checkpoints (#1281) (62270b4)
  • route prefixed renamed ONNX payloads by structure (#1287) (b022bbb)
  • route renamed binary formats and classify ExecuTorch read failures (#1271) (c86dd85)
  • route renamed CNTK and LightGBM payloads (#1269) (877aa10)
  • route renamed MXNet symbol graphs by structure (#1278) (1c0b3c5)
  • route renamed NeMo archives by structure (#1274) (bf96228)
  • route renamed R workspace artifacts (#1322) (e004deb)
  • route renamed TensorFlow protobuf models by structure (#1284) (3327c39)
  • routing: avoid false Flax overlap on complete pickles (#1506) (6510430)
  • routing: preserve Torch7 findings in Llamafile polyglots (#1376) (2e95c88)
  • run text sidecar security detectors (#1498) (9e3f581)
  • scan duplicate executorch pickle members (#1408) (5b4c616)
  • scan hidden compressed payload risks (#1320) (77ec76f)
  • scan late PyTorch binary executable signatures (#1451) (bd2782c)
  • scan namespaced OpenVINO layers (#1314) (59794d6)
  • scan nested ONNX external initializers (d3a9130)
  • scan nested ONNX external tensor references (#1399) (5071995)
  • scan padded SavedModel protobuf strings (#1469) (b26c000)
  • scan protocol zero JAX checkpoint pickles (aa580c6)
  • scan raw nested pickles in unicode strings (#1461) (4278da9)
  • scan RKNN safe metadata values (cd833c2)
  • skip hashing files over scan size limit (#1441) (2b46042)
  • sniff cloud content before selective skip (#1405) (90c5627)
  • sniff JFrog folder content before selective skip (#1417) (372a72a)
  • strip jfrog credentials on redirects (#1415) (6869361)
  • terminate call-graph alias fixpoint on oscillating rebinds (#1247) (#1259) (89895a4)
  • torch7: restore ASCII serialized routing (#1263) (a0cf7f0)
  • treat Keras fixed-version prereleases as vulnerable (ae76cb9)

Performance Improvements

  • mmap TFLite files for zero-copy FlatBuffer scanning (#1503) (ce3b4f4)
  • restore realistic benchmark suite (#1223) (9c36efb)
  • reuse call graph analysis in directory scans (#1266) (2f01ddf)

Documentation