
v0.4.1


@github-actions released this 23 Apr 02:21 · 188 commits to main since this release · tag v0.4.1 · commit c7fd206

Security

  • Container image no longer ships pip or its dist-info. pip was
    only used at build time against --require-hashes lockfiles and was
    unreachable at runtime (distroless, no shell, nonroot entrypoint),
    but its presence in the runtime layer surfaced ongoing Docker Scout
    alerts (CVE-2025-8869, CVE-2026-1703 against pip 25.1.1) and would
    have generated more on every future pip CVE. The runtime venv now
    contains only PyYAML, compose_lint, and the Python interpreter
    symlinks; image drops ~17 MB. (#116)

Fixed

  • parser.load_compose now wraps RecursionError as ComposeError.
    PyYAML's composer is recursive; deeply nested flow input such as
    [[[[...]]]] exhausted the interpreter stack from inside yaml.load
    and raised RecursionError (a RuntimeError, not a YAMLError), which
    bypassed the existing wrapper and crashed the CLI with an unhandled
    exception instead of returning exit code 2. Surfaced by ClusterFuzzLite
    (#114). (#115)
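The failure mode above, as an added example that is not compose_lint's own code: the pre-fix wrapper beside the fixed one, run on a constructed deeply nested input. It uses PyYAML when installed and otherwise a tiny stand-in recursive parser (an assumption standing in for PyYAML's Composer) so it runs offline; the ComposeError and load_compose names mirror the release note, everything else is assumed.

```python
try:
    import yaml  # PyYAML, the parser compose_lint's load_compose calls
    YAMLError, parse_yaml = yaml.YAMLError, yaml.safe_load
except ImportError:  # offline stand-in: a deliberately recursive flow-sequence parser
    class YAMLError(Exception):
        pass

    def parse_yaml(text):
        def node(i):  # one frame per nesting level, like PyYAML's Composer
            if text[i:i + 1] != "[":
                raise YAMLError("expected '[' at offset %d" % i)
            if text[i + 1:i + 2] == "]":
                return [], i + 2
            inner, i = node(i + 1)
            if text[i:i + 1] != "]":
                raise YAMLError("expected ']' at offset %d" % i)
            return [inner], i + 1
        value, end = node(0)
        if end != len(text):
            raise YAMLError("trailing data at offset %d" % end)
        return value

class ComposeError(Exception):
    """The one error type the CLI turns into exit code 2."""

def load_compose_before(text):
    """Pre-fix shape: only YAMLError is wrapped, so RecursionError escapes."""
    try:
        return parse_yaml(text)
    except YAMLError as exc:
        raise ComposeError(str(exc)) from exc

def load_compose(text):
    """Fixed shape: RecursionError (a RuntimeError, not a YAMLError) is wrapped too."""
    try:
        return parse_yaml(text)
    except (YAMLError, RecursionError) as exc:
        raise ComposeError("%s: %s" % (type(exc).__name__, exc)) from exc

def escaping_exception(loader, text):
    """Name of the exception `loader` lets out for `text`, or None if it parses."""
    try:
        loader(text)
        return None
    except Exception as exc:
        return type(exc).__name__

# Constructed fuzzer-style input: 20000 nested flow sequences, far past the default limit.
DEEP_INPUT = "[" * 20000 + "]" * 20000
```

With the old wrapper the CLI would have died on RecursionError; with the new one it sees a ComposeError and can return exit code 2.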

Added

  • SLSA build provenance attestations on PyPI sdist + wheel and the
    Docker image, providing verifiable supply-chain proof that release
    artifacts were built from this repository's tagged source. (#107)