v2.4.7

@TSchonleber TSchonleber released this 20 Apr 23:41
· 106 commits to main since this release

Post-release supply-chain hardening. No functional change; upgrade is
recommended for anyone installing brainctl in CI or multi-tenant
contexts.

Changed

  • Dependency floors tightened. sqlite-vec>=0.1.3 (up from 0.1.0)
    to clear CVE-2024-46488 / GHSA-vrcx-gx3g-j3h8 (heap buffer overflow).
    torch>=2.4 in the [rerank] extra (up from 2.0) so the default
    torch.load(weights_only=True) protection is always in effect for
    HuggingFace cross-encoder checkpoints.

Changed — CI/release supply-chain

  • PyPI publish now gated behind a GitHub Environment (pypi) with
    required-reviewer approval. Maintainer must create the environment
    and re-bind the PyPI trusted publisher before the next tag push.
  • All GitHub Actions SHA-pinned (actions/*, dorny/paths-filter,
    pypa/gh-action-pypi-publish). Tags preserved as trailing comments.
  • ci.yml now declares a workflow-level default permissions: contents: read.
  • Added .github/dependabot.yml (pip + github-actions, weekly).
  • Added .github/CODEOWNERS for supply-chain-sensitive paths.
  • SECURITY.md now names security@brainctl.org and the GitHub
    private-advisory URL explicitly.
  • Removed empty brain.db placeholder from the repo root.
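
A check for two of the CI changes listed above (actions pinned to a full commit SHA with the tag kept as a trailing comment, and a workflow-level `permissions:` default), as an added example that is not part of the brainctl repository. The function name `audit_workflow`, the sample workflow and its SHAs are constructed for illustration, and the scan is line-based rather than a full YAML parse.

```python
import re

# `uses:` step line: owner/repo[/path]@ref with an optional trailing "# tag" comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)@([^\s#]+)\s*(?:#\s*(\S+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, message) findings for one workflow file; line 0 = file-level."""
    findings = []
    has_top_level_permissions = False
    for no, line in enumerate(text.splitlines(), start=1):
        # A key at column 0 is workflow-level; job-level keys are indented.
        if re.match(r"^permissions\s*:", line):
            has_top_level_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, tag_comment = m.groups()
        if action.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        if not FULL_SHA_RE.match(ref):
            findings.append((no, f"{action} uses mutable ref '{ref}', not a 40-char commit SHA"))
        elif not tag_comment:
            findings.append((no, f"{action} is SHA-pinned but has no trailing tag comment"))
    if not has_top_level_permissions:
        findings.append((0, "no workflow-level 'permissions:' default declared"))
    return findings


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: dorny/paths-filter@v3
      - uses: pypa/gh-action-pypi-publish@89abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for line_no, message in audit_workflow(SAMPLE):
        print(f"line {line_no}: {message}")
```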