chore: bump version to 1.8.3 and update changelog

Add 1.8.2 and 1.8.3 entries to CHANGELOG.md.
1.8.3 documents the SurrealDB injection security fix.
This commit is contained in:
Luis Novo 2026-04-07 07:59:16 -03:00
parent e5b253b11d
commit 3d560b4248
3 changed files with 25 additions and 7 deletions

View file

@ -7,16 +7,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## [1.8.3] - 2026-04-07
### Security
- Fix SurrealDB injection via unsanitized `order_by` query parameter in `GET /api/notebooks` (CVSS 8.7 High)
- Add allowlist validation for sorting parameters in notebooks endpoint
- Replace f-string query interpolation with parameterized `$variable` binding in source chat and migration queries
- Add defensive validation in `get_all()` base method to prevent injection via `order_by` parameter
## [1.8.2] - 2026-04-06
### Added
- DashScope (Qwen) provider support — Alibaba Cloud's Qwen models (qwen-turbo, qwen-plus, qwen-max)
- MiniMax provider support — MiniMax models with 204K context (MiniMax-M2.5, MiniMax-M2.5-highspeed)
- Model discovery, connection testing, and credential management for both new providers
- Documentation for DashScope and MiniMax in AI providers guide, environment reference, and provider comparison
- DashScope (Qwen) and MiniMax provider support via Esperanto v2.20.0 (#725)
- Source list auto-refresh after adding a new source via URL, file upload, or text (#721)
### Fixed
- Source asset persistence — failed sources now persist their asset (URL/file path), making them identifiable and retryable (#722)
- Source title preservation — user-set custom titles are no longer overwritten after background processing (#722)
- Credential cascade delete — deleting a credential now removes linked models instead of returning a 409 error (#722)
- Podcast directory names — uses UUID for episode directories, fixing filesystem errors with special characters (#666)
- Tiktoken offline handling — API no longer crashes in air-gapped environments (#622)
- SurrealDB healthcheck — removed incompatible healthcheck from Docker Compose (#656)
- Esperanto embedding fixes — base_url/api_key config issues across multiple embedding providers (#664, #665)
### Docs
- Deprecated single-container Docker image in favor of Docker Compose (#723)
### Dependencies
- Bump esperanto to >= 2.20.0
- Bump esperanto to >=2.20.0
## [1.8.1] - 2026-03-10

View file

@ -1,6 +1,6 @@
[project]
name = "open-notebook"
version = "1.8.2"
version = "1.8.3"
description = "An open source implementation of a research assistant, inspired by Google Notebook LM"
authors = [
{name = "Luis Novo", email = "lfnovo@gmail.com"}

View file

@ -2072,7 +2072,7 @@ wheels = [
[[package]]
name = "open-notebook"
version = "1.8.1"
version = "1.8.3"
source = { editable = "." }
dependencies = [
{ name = "ai-prompter" },