chore(main): release 0.2.28 #647

Open
github-actions[bot] wants to merge 3 commits into main from release-please--branches--main--components--modelaudit

@github-actions github-actions bot commented Mar 5, 2026

🤖 I have created a release beep boop

0.2.28 (2026-03-14)

Features

  • add rule codes to all security checks (#255) (330e7df)

Bug Fixes

  • block legacy httplib pickle aliases (#703) (24b789a)
  • bound skops zip entry reads and enforce uncompressed size limit (#702) (a91577d)
  • bound zlib wrapper decompression output (#681) (8bb9cc2)
  • ci: reorder provenance job steps to prevent SBOM generation failure (#646) (d4ab381)
  • handle Windows backslashes in XGBoost subprocess loader (#656) (ba30b81)
  • harden archive path sanitization (#666) (9d77d50)
  • harden cloud download async/cache safety and cleanup (#655) (e14ea61)
  • harden keras custom object detection (#694) (7651298)
  • harden rule config parsing and debug path privacy (#648) (a073187)
  • harden xgboost subprocess import isolation (#701) (2df2d78)
  • include streamed artifacts in SBOM output for --stream scans (#672) (48d8d54)
  • keras attack-vector fixes for coverage gaps in h5 and keras zip scanning (#689) (863c884)
  • mark flaky timing test as performance to skip in CI (#670) (9c47f7e)
  • preserve duplicate paths with spaces (#690) (ea7c6d9)
  • preserve Hugging Face artifacts in SBOM output (#673) (49c7eca)
  • preserve rule codes through scan aggregation (#650) (d71a219)
  • prevent jfrog folder download path traversal (#679) (6f226a4)
  • prevent unbounded tensor proto allocations in TF weight extraction (#685) (ae2b01c)
  • refresh telemetry client state (#658) (7b6ea2f)
  • reject absolute OCI layer references (#659) (722131a)
  • resolve bare torchserve handler modules (#664) (3ae3535)
  • restore raw telemetry fields and harden model_name extraction (#649) (275f087)
  • restrict trusted jfrog hosts for auth (#661) (d959a0d)
  • route oci layer members via extracted paths (#663) (1395af0)
  • scan TensorFlow SavedModel function definitions for dangerous ops (#677) (31f4715)
  • security: detect nested kwargs URLs in CVE-2025-8747 check (#682) (9431fae)
  • security: use conservative PyTorch version selection for CVE checks (#684) (ef5c5e6)
  • stop importing dotenv in jfrog helper (#662) (d20fda3)
  • stream tar member extraction during scan (#665) (3de3048)
  • tighten llamafile runtime allowlist matching (#683) (8592a80)
  • use major GitHub Action refs (#680) (7965314)

This PR was generated with Release Please. See documentation.

@github-actions github-actions bot force-pushed the release-please--branches--main--components--modelaudit branch 17 times, most recently from aeebe6c to 8411b7d Compare March 12, 2026 05:09
@github-actions github-actions bot force-pushed the release-please--branches--main--components--modelaudit branch 12 times, most recently from 7e666a9 to 39d1fee Compare March 13, 2026 23:39
@github-actions github-actions bot force-pushed the release-please--branches--main--components--modelaudit branch from 01a42e7 to d6bd646 Compare March 13, 2026 23:41
@github-actions github-actions bot force-pushed the release-please--branches--main--components--modelaudit branch from 581e80a to 5593c90 Compare March 14, 2026 07:04