What's Changed
Breaking changes
- Drop Python 3.9 support; the minimum is now 3.10, and Python 3.14 is now supported (#175)
- CLI exit codes now follow ClamAV conventions: 0 for clean, 1 for unsafe, 2 for error (#216)
- Malformed pickles raise `InterpretationError` instead of `ValueError` (#207)
- We added many new modules to the unsafe imports blocklist (#210, #215, #217, #233, #236), while trying to reduce false positives on builtins (#206)
Security
- Fixed a generic bypass via the `OBJ` pickle opcode (GHSA-mxhj-88fx-4pcv)
  - Fixed in #235. Thank you @yash2998chhabria!
- Expanded the blocklist of unsafe imports with various modules (GHSA-mhc9-48gj-9gp3)
  - Fixed in #236. Thank you @yash2998chhabria!
- Expanded the blocklist to catch outbound network connections (GHSA-83pf-v6qq-pwmr)
- Integrate recent PickleScan bypasses into unsafe imports detection (#210)
- Expand dangerous imports blocklist for better coverage (#215)
- Expand ML-specific unsafe import detection (#217)
- Add safe builtins allowlist to prevent false positives (#206)
- Fix cyclic AST recursion DoS (issue #196) (#213)
General
- Add AGENTS.md with vulnerability reporting guidelines (#234)
- Add 7z archive support for model scanning (#220)
- Implement EXT1, EXT2, and EXT4 pickle opcode support (#172)
- Fix ast.Import handling in unsafe_imports and MLAllowlist (#209)
- Fix ValueError crash on malformed pickle files (issue #188) (#207)
- Migrate to ty type checker and fix type errors (#208)
- Bump minimum numpy to 2.2.6 (#201)
- Migrate tests to use BytesIO and temporary paths (#181)
- Address Zip slips in tests (#204)
- Fix flaky random ZIP creation in TestPolyglotModule (#179)
- Various @dependabot[bot] updates (#197, #199, #200, #202, #203, #214, #222, #223, #224, #225, #227, #228, #229, #230, #232)
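The EXT1, EXT2 and EXT4 item above matters for a static pickle scanner because those opcodes reference a global through an integer code in `copyreg`'s extension registry rather than by the module and name text that a blocklist keyed on `GLOBAL`/`STACK_GLOBAL` sees. The following is an added illustration, written for this page and not code from the project itself: it registers a few hypothetical extension codes (the codes and the `builtins.eval`/`builtins.exec`/`subprocess.Popen` targets are constructed for the demo), hand-builds five single-global pickles in each encoding, shows that `pickle.dumps` itself emits `EXT1` for a registered global, and resolves all five forms back to a `(module, name)` pair with `pickletools.genops` without ever loading a pickle. The registry is process-local, so an unregistered code cannot be resolved; the scanner reports it rather than treating the opcode as harmless.

```python
import copyreg
import pickle
import pickletools
import struct

# Constructed extension registrations for this demo. The codes are
# hypothetical; copyreg's registry is process-local, so a scanner only
# resolves them if it has registered the same mapping.
DEMO_EXTENSIONS = {
    ("builtins", "eval"): 0x7F,        # <= 0xff   -> EXT1
    ("builtins", "exec"): 0x1234,      # <= 0xffff -> EXT2
    ("subprocess", "Popen"): 0x12345,  # larger    -> EXT4
}


def register_demo_extensions() -> None:
    # add_extension is idempotent for an identical (module, name, code) triple.
    for (module, name), code in DEMO_EXTENSIONS.items():
        copyreg.add_extension(module, name, code)


def ext_opcode(code: int) -> bytes:
    # Same width selection pickle's own save_global uses for registered globals.
    if code <= 0xFF:
        return pickle.EXT1 + struct.pack("<B", code)
    if code <= 0xFFFF:
        return pickle.EXT2 + struct.pack("<H", code)
    return pickle.EXT4 + struct.pack("<i", code)


def short_unicode(s: str) -> bytes:
    raw = s.encode("utf-8")
    return pickle.SHORT_BINUNICODE + struct.pack("<B", len(raw)) + raw


def build_samples() -> dict[str, bytes]:
    """Five constructed pickles that each push exactly one global and stop."""
    register_demo_extensions()
    return {
        "GLOBAL": pickle.PROTO + b"\x02" + b"cbuiltins\neval\n" + pickle.STOP,
        "STACK_GLOBAL": (pickle.PROTO + b"\x04" + short_unicode("builtins")
                         + short_unicode("eval") + pickle.STACK_GLOBAL + pickle.STOP),
        "EXT1": pickle.PROTO + b"\x02" + ext_opcode(0x7F) + pickle.STOP,
        "EXT2": pickle.PROTO + b"\x02" + ext_opcode(0x1234) + pickle.STOP,
        "EXT4": pickle.PROTO + b"\x02" + ext_opcode(0x12345) + pickle.STOP,
    }


def pickled_by_reference() -> bytes:
    """What pickle itself emits for a registered global: EXT1, not GLOBAL."""
    register_demo_extensions()
    return pickle.dumps(eval, protocol=2)


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Resolve every global reference in a pickle without loading it."""
    found: list[tuple[str, str]] = []
    strings: list[str] = []  # only string pushes matter for STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                      # arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":              # module and name come from the stack
            if len(strings) >= 2:
                name, module = strings.pop(), strings.pop()
                found.append((module, name))
            else:
                found.append(("<unknown>", "<unknown>"))
        elif op.name in ("EXT1", "EXT2", "EXT4"):    # arg is the integer extension code
            target = copyreg._inverted_registry.get(arg)
            # An unregistered code raises at load time, but a scanner should
            # still report it rather than treat the opcode as harmless.
            found.append(target if target else ("<unregistered>", f"ext:{arg}"))
    return found


def scan_samples() -> dict[str, list[tuple[str, str]]]:
    return {label: referenced_globals(data) for label, data in build_samples().items()}


if __name__ == "__main__":
    for label, refs in scan_samples().items():
        print(f"{label:13s} -> {refs}")
    print("pickle.dumps(eval) ->", pickled_by_reference().hex())
```

The `GLOBAL` and `STACK_GLOBAL` cases carry the module and attribute name in the bytes, so a text blocklist can match them; the three `EXT*` cases carry only a number, which is why a scanner has to resolve the code through the registry (or flag it as unresolvable) to give the same verdict for all five encodings of the same reference.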
Full Changelog: v0.1.7...v0.1.8