omnipkg v2.0.4 — Filelock CVE-2025-68146 Closed · ARM32 + ARM64 Verified · 23+ Platforms
Latest
This is a landmark release for omnipkg, focused on hardening security, achieving near-universal platform verification, and implementing a robust, automated CI/CD pipeline. Version 2.0.4 introduces critical security patches, adds complete ARM64 and ARM32 test coverage, and brings native support for Apple Silicon.
🌟 Major Highlights
- 🔒 Security Hardening (CVE-2025-68146): Patched a critical file-locking vulnerability by vendoring a patched version of
filelock, ensuring users on all Python versions are protected out-of-the-box. - 🚀 Complete ARM Architecture Verification: Introduced an exhaustive testing suite for both ARM64 and ARM32 architectures.
- ARM64 (aarch64): Now verified across 6 major Linux distributions using a powerful QEMU emulation pipeline.
- ARM32 (armv7): Now automatically verified by scraping build results from the trusted
piwheels.orgrepository.
- 🍏 Native Apple Silicon (macOS ARM64) CI: Added a dedicated job using GitHub's
macos-14native M-series runners, ensuring flawless performance on modern Macs. - 🤖 Bulletproof Release Pipeline: The PyPI publishing process is now gated, and will not run until all critical cross-platform and ARM64 verification tests have passed successfully.
- 📝 Major Documentation Overhaul: The
README.mdhas been massively updated with detailed, auto-generated platform support matrices, reflecting the live results of our new CI pipelines.
Detailed Changes
1. Security Enhancements
- Vendored
filelockfor CVE-2025-68146: To protect users on older Python versions (< 3.10) from a symlink-based vulnerability infilelock, we have vendored a patched version of the library directly intoomnipkg. This provides an immediate, seamless fix without requiring users to manage complex dependencies. Python 3.10+ will continue to use the latest secure version from PyPI. - Upgraded Security Scanners: The dependency logic in
pyproject.tomlhas been refined to use the latestsafetyfor supported Python versions andpip-auditas a fallback, ensuring continuous security scanning across our entire Python version range (3.7-3.14).
2. Massive CI/CD Expansion
- ARM64 Verification via QEMU: A new workflow (
arm64-verification.yml) now runs on every tag and release, testingomnipkginside Podman containers on emulated ARM64 environments for Debian, Ubuntu, Fedora, Rocky Linux, and Alpine. - Native Apple Silicon Testing: The primary build verification workflow now includes a
macos-14runner, adding native ARM64 testing on Apple's M-series hardware to our matrix. - Automated ARM32 (Raspberry Pi) Verification: A new workflow (
piwheels-arm32-verification.yml) runs on a schedule and after releases to scrape piwheels.org, confirming that builds for Raspberry Pi are available and updating the README with the results. - Gated PyPI Publishing: The
publish.ymlworkflow now explicitly waits for the main cross-platform and ARM64 tests to complete successfully before allowing a package to be published. This prevents accidental releases of broken code. - Automated Branch Syncing: New workflows (
sync-main.yml,auto-merge-to-main.yml) have been implemented to keep thedevelopmentandmainbranches synchronized, improving development velocity and stability. - Multi-Arch Docker Builds: The Docker build process (
docker-ci-ghcr.yml) is now more robust, building and pushing multi-architecture images (amd64, arm64) to both Docker Hub and GitHub Container Registry.
3. Bug Fixes and Refinements
- Fixed KB Initialization Deadlock: Resolved a
NoneTypeerror in thepackage_meta_builderthat could occur during the very first knowledge base build when trying to run a security scan before the bubble manager was fully initialized. - Dockerfile Simplification: Removed the Redis server from the official Docker image.
omnipkg's automatic fallback to a built-in SQLite database makes this unnecessary for most users and results in a lighter, more secure container.
This release represents a huge leap forward in the reliability, security, and professional-grade quality assurance of omnipkg.