
chore(main): release 1.4.0 #2497

Open
varfish-bot wants to merge 2 commits into main from release-please--branches--main--components--varfish-server


@varfish-bot varfish-bot commented Dec 3, 2025

🤖 I have created a release beep boop

1.4.0 (2026-01-22)

Features

  • show diff in filter settings when settings changed after query (#2503) (1edd116)

Bug Fixes


This PR was generated with Release Please. See documentation.

Summary by CodeRabbit

  • Release
    • Version 1.4.0 is now available, featuring new functionality and bug fixes to enhance performance and stability.



coderabbitai bot commented Dec 3, 2025

Walkthrough

This PR bumps the project version from 1.3.2 to 1.4.0 across release manifest, VERSION file, CHANGELOG, and the OpenAPI spec. No functional code or public API changes are included.

Changes

| Cohort / File(s) | Change Summary |
| --- | --- |
| Version Release Files: .release-please-manifest.json, VERSION | Updated root version string from 1.3.2 to 1.4.0. |
| Release Documentation: CHANGELOG.md | Added a new release block for 1.4.0 (duplicated block present in diff). |
| API Spec: backend/varfish/tests/drf_openapi_schema/varfish_api_schema.yaml | Updated OpenAPI top-level info.version from 1.3.2 to 1.4.0. |

Sequence Diagram(s)

(omitted — changes are version metadata updates only)

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested labels

autorelease: tagged

Poem

🐰 Hop forward to 1.4.0, we go!
Changelogs rustle where new notes grow,
A tiny bump, a tidy cheer,
Version set and release near,
Nibbles of progress, soft and slow.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore(main): release 1.4.0' directly and clearly describes the primary purpose of the PR - automating the release of version 1.4.0. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



github-actions bot commented Dec 3, 2025

deps-report 🔍

Commit scanned: 5df9090
ℹ️ Python version 3.11 is used by your project but the latest version is 3.14.

Vulnerable dependencies

4 dependencies have vulnerabilities 😱
| Dependency | Advisory | Versions impacted |
| --- | --- | --- |
| setuptools (transitive) | Affected versions of Setuptools are vulnerable to Path Traversal via PackageIndex.download(). The impact is Arbitrary File Overwrite: An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context. | <78.1.1 |
| social-auth-app-django (transitive) | Affected versions of the social-auth-app-django package are vulnerable to Authentication Bypass due to unintended email-based account association during the authentication pipeline. In social_django.storage.create_user (invoked by social_core.pipeline.user.create_user), an IntegrityError during user creation triggers a fallback that returns an existing User looked up by e-mail, effectively performing social_core.pipeline.social_auth.associate_by_email even when that step is disabled. | <5.6.0 |
| sqlalchemy | Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to the open for careless uses of str(engine.URL()) in logs and prints. sqlalchemy/sqlalchemy#8563 | <2.0.0b1 |
| xmltodict (transitive) | Affected versions of the xmltodict package are vulnerable to Improper Input Validation due to insufficient validation of XML element, attribute, and xmlns prefix names. The xmltodict._validate_name function did not reject the ", ', and = characters, allowing unparse to serialize keys into tag or attribute names containing illegal tokens and produce ill-formed XML. | <0.15.1 |

Outdated dependencies

77 outdated dependencies found (including 28 outdated major versions)😢
Dependency Installed version Latest version
aiobotocore (transitive) 2.26.0 3.1.1
alabaster (transitive) 0.7.16 1.0.0
aldjemy 2.6 3.2
argon2-cffi (transitive) 21.3.0 25.1.0
black (dev) 25.12.0 26.1.0
certifi (transitive) 2025.11.12 2026.1.4
crispy-bootstrap4 (transitive) 2024.1 2025.6
django 4.2.27 6.0.1
django-model-utils (transitive) 4.4.0 5.0.0
django-rest-knox (transitive) 4.2.0 5.0.2
drf-spectacular-sidecar (transitive) 2025.10.1 2026.1.1
faker 38.2.0 40.1.2
fsspec (transitive) 2025.12.0 2026.1.0
ipython (dev,transitive) 8.37.0 9.9.0
mypy-protobuf (dev) 3.7.0 5.0.0
packaging (transitive) 23.2 26.0
pandas 2.3.3 3.0.0
pathspec (dev,transitive) 0.12.1 1.0.3
protobuf 5.29.5 6.33.4
pycparser (transitive) 2.23 3.0
regex (transitive) 2025.11.3 2026.1.15
s3fs 2025.12.0 2026.1.0
setuptools (transitive) 70.0.0 80.10.1
sphinx (transitive) 7.2.6 9.1.0
sphinx-rtd-theme (transitive) 2.0.0 3.1.0
sqlalchemy 1.4.54 2.0.46
unidecode (transitive) 0.4.21 1.4.0
xmltodict (transitive) 0.13.0 1.0.2
Dependency Installed version Latest version
anyio (transitive) 4.11.0 4.12.1
beautifulsoup4 4.14.2 4.14.3
billiard (transitive) 4.2.3 4.2.4
botocore (transitive) 1.41.5 1.42.32
celery (transitive) 5.3.6 5.6.2
coverage (dev,transitive) 7.12.0 7.13.1
django-autocomplete-light (transitive) 3.11.0 3.12.1
django-coverage-plugin (dev) 3.1.1 3.2.0
django-crispy-forms (transitive) 2.1 2.5
django-debug-toolbar 6.1.0 6.2.0
django-dirtyfields (transitive) 1.9.8 1.9.9
django-environ (transitive) 0.11.2 0.12.0
django-iconify (transitive) 0.3 0.4.1
django-postgres-copy 2.3.7 2.8.0
django-pydantic-field 0.4.0 0.5.1
django-sodar-core 1.0.6 1.3.2
django-test-plus (dev) 2.3.0 2.4.1
djangorestframework 3.15.2 3.16.1
docutils (transitive) 0.20.1 0.22.4
flake8-pyproject (dev) 1.2.3 1.2.4
greenlet (transitive) 3.2.4 3.3.0
intervaltree 3.1.0 3.2.1
jsonschema 4.25.1 4.26.0
kombu (transitive) 5.6.1 5.6.2
markdown (transitive) 3.5.2 3.10.1
mistune (transitive) 3.0.2 3.2.0
numpy 2.2.6 2.4.1
pillow (transitive) 12.0.0 12.1.0
psutil 7.1.3 7.2.1
pydantic 2.12.4 2.12.5
pytokens (dev,transitive) 0.3.0 0.4.0
reportlab 4.4.5 4.4.9
requests-http-signature 0.2.0 0.7.1
rpds-py (transitive) 0.29.0 0.30.0
rules (transitive) 3.3 3.5
selenium (dev) 4.39.0 4.40.0
sentry-sdk 2.46.0 2.50.0
social-auth-app-django (transitive) 5.4.3 5.7.0
social-auth-core (transitive) 4.8.1 4.8.3
soupsieve (transitive) 2.8 2.8.3
termcolor (dev,transitive) 3.2.0 3.3.0
tomli (dev,transitive) 2.3.0 2.4.0
typer (transitive) 0.20.0 0.21.1
types-protobuf (dev) 6.32.1.20251105 6.32.1.20251210
tzdata (transitive) 2025.2 2025.3
universal-pathlib 0.3.6 0.3.8
vcfpy 0.13.8 0.14.2
wcwidth (transitive) 0.2.14 0.3.0
wheel (transitive) 0.42.0 0.46.3


@varfish-bot varfish-bot force-pushed the release-please--branches--main--components--varfish-server branch 2 times, most recently from f7b4df1 to 53a6bfc Compare December 3, 2025 10:02

codecov bot commented Dec 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89%. Comparing base (694eb49) to head (5df9090).

Additional details and impacted files
@@          Coverage Diff          @@
##            main   #2497   +/-   ##
=====================================
  Coverage     89%     89%           
=====================================
  Files        689     689           
  Lines      40608   40608           
=====================================
  Hits       36466   36466           
  Misses      4142    4142           

@varfish-bot varfish-bot force-pushed the release-please--branches--main--components--varfish-server branch 7 times, most recently from 7f73b31 to 460b1a3 Compare December 4, 2025 09:14
@varfish-bot varfish-bot changed the title chore(main): release 1.3.3 chore(main): release 1.4.0 Dec 4, 2025
@varfish-bot varfish-bot force-pushed the release-please--branches--main--components--varfish-server branch 8 times, most recently from 30f6649 to 458280e Compare December 11, 2025 08:28
@varfish-bot varfish-bot force-pushed the release-please--branches--main--components--varfish-server branch 6 times, most recently from 254852e to dfd04a5 Compare January 13, 2026 15:15

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
backend/varfish/tests/drf_openapi_schema/varfish_api_schema.yaml (1)

2-5: Prefer quoting info.version to guarantee it’s treated as a string across YAML parsers.

OpenAPI expects info.version to be a string; using quotes avoids any YAML parser edge cases.

Proposed tweak
 info:
   title: VarFish
-  version: 1.4.0
+  version: "1.4.0"
   description: VarFish API
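Review bot: on the `version` line, the unquoted value 1.4.0 already loads as a string in YAML, because a token with two dots is not a valid number, so quoting it here is defensive rather than a fix for this release. The case the quotes guard against is a two-part value such as 1.4, which would load as a float. If this schema file is regenerated by tooling rather than edited by hand, set the quoting in the generator instead, since a manual edit to this line would be lost on the next regeneration.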
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d82dbb2 and b247ea8.

📒 Files selected for processing (4)
  • .release-please-manifest.json
  • CHANGELOG.md
  • VERSION
  • backend/varfish/tests/drf_openapi_schema/varfish_api_schema.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .release-please-manifest.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: Python-Lint
  • GitHub Check: Python-Test
  • GitHub Check: Dependencies report
  • GitHub Check: update-schema
  • GitHub Check: build-and-push-image
  • GitHub Check: Python-Lint
  • GitHub Check: Python-Test
🔇 Additional comments (2)
VERSION (1)

1-1: LGTM!

Version string correctly updated to 1.4.0 following semantic versioning format.

CHANGELOG.md (1)

96-112: LGTM!

The changelog entries for version 1.4.0 are well-structured and consistent with the PR objectives:

  • One feature entry with proper issue link
  • Six bug fix entries, each with issue references and commit hashes
  • Release date (2026-01-13) is correct
  • Format follows the established convention of previous releases

@varfish-bot varfish-bot force-pushed the release-please--branches--main--components--varfish-server branch from b247ea8 to 3888709 Compare January 20, 2026 14:20
@varfish-bot varfish-bot force-pushed the release-please--branches--main--components--varfish-server branch 9 times, most recently from ac78235 to 8a9b8b4 Compare January 22, 2026 11:44
@varfish-bot varfish-bot force-pushed the release-please--branches--main--components--varfish-server branch from 47a8352 to 3e18a4a Compare January 22, 2026 15:24