Version the changelog as 2.1.0 (was [Unreleased]), add Security
section per Keep a Changelog convention, include missing items:
GPT-4o Canvas prompt leak example, custom benchmark cache fix,
release workflow fix. Add 2.0.0 baseline entry.
https://claude.ai/code/session_01CDFqeg5QhB4V7yQ3yVVBc9
CHANGELOG.md
12 additions & 3 deletions
@@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file.
4
4
5
5
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
6
6
7
-
## [Unreleased]
7
+
## [2.1.0] - 2026-02-16
8
8
9
9
### Added
10
10
-**RAG Poisoning Attack** ("Hidden Parrot Attack") — new fuzzing test that demonstrates how malicious instructions embedded in vector databases can compromise RAG system behavior
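Review bot: The `## [Unreleased]` heading at old line 7 is replaced outright by `## [2.1.0] - 2026-02-16`, which leaves the changelog with no section for the next change to land in. Keep a Changelog, which this file says it follows, keeps an Unreleased section at the top, so I would add the versioned heading below an empty `## [Unreleased]` instead of renaming it.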
@@ -14,18 +14,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
14
14
- Embedding configuration properties in `AppConfig` (`embedding_provider`, `embedding_model`, `embedding_ollama_base_url`, `embedding_openai_base_url`)
15
15
- Configurable base URLs for Ollama and OpenAI providers (`ollama_base_url`, `openai_base_url`) with proper parameter transformation in chat clients
16
16
-`TestStatus.report_skipped()` method and `skipped_count` tracking for tests that cannot run due to missing configuration or dependencies
17
+
- GPT-4o with Canvas system prompt leak example (`system_prompt.examples/`)
- Dedicated test files: `test_app_config.py`, `test_prompt_injection_fuzzer_helpers.py`, `test_test_status.py`
19
20
20
-
### Fixed
21
+
### Security
21
22
-**[CRITICAL]CVE-2025-68664** — Upgraded langchain ecosystem (langchain, langchain-core, langchain-community) from 0.0.x to 0.3.x to fix serialization injection vulnerability that could allow secret extraction and arbitrary code execution
22
23
-**[HIGH]CVE-2024-34062** — Upgraded tqdm from 4.66.1 to ≥4.66.3 to fix CLI arguments injection via `eval()`
23
-
-**[HIGH]** httpx version pinned to `>=0.24.0,<0.25.0` to fix crashes caused by unpinned dependency (PR #65)
24
+
-**[HIGH]** httpx version pinned to `>=0.24.0,<0.25.0` to fix crashes caused by unpinned dependency
-`register_test` decorator now properly returns the decorated class (was returning `None`)
26
29
- Getter/setter consistency for `embedding_provider` and `embedding_model` — setters now accept empty values matching getter defaults
27
30
- Empty base URL strings are now filtered out instead of being passed through to model constructors
28
31
- Fragile error-message string matching in RAG poisoning replaced with specific exception type handling (`ImportError`, `ConnectionError`, `ValueError`, etc.)
32
+
- Removed stale custom benchmark cache
33
+
- Release workflow no longer overwrites manually written release notes
29
34
30
35
### Changed
31
36
- Minimum Python version raised from 3.7 to 3.9 (required by langchain 0.3.x)
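Review bot: The httpx entry under the new `### Security` heading still carries a `[HIGH]` tag, but its text describes crashes from an unpinned dependency, not a vulnerability, so it reads as a stability fix sitting next to the two CVE entries. I would move it to the Fixed section and drop the severity tag, or state the security impact if there is one. The rewritten line also drops the `(PR #65)` reference that the removed line had; please keep it so the pin can be traced back to its change, and consider noting that the `<0.25.0` upper bound needs revisiting when httpx ships fixes in later releases.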
@@ -35,3 +40,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
35
40
- Pydantic v1 field introspection → Pydantic v2 with v1 fallback
36
41
- Test organization: AppConfig, helper function, and TestStatus tests moved from `test_is_response_list.py` into dedicated test files
37
42
- Removed unused variable assignments in test code