chore: bump version to 1.8.3 and update changelog
Add 1.8.2 and 1.8.3 entries to CHANGELOG.md. 1.8.3 documents the SurrealDB injection security fix.
This commit is contained in:
parent
e5b253b11d
commit
3d560b4248
3 changed files with 25 additions and 7 deletions
28
CHANGELOG.md
28
CHANGELOG.md
@ -7,16 +7,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## [1.8.3] - 2026-04-07
### Security
- Fix SurrealDB injection via unsanitized `order_by` query parameter in `GET /api/notebooks` (CVSS 8.7 High)
- Add allowlist validation for sorting parameters in notebooks endpoint
- Replace f-string query interpolation with parameterized `$variable` binding in source chat and migration queries
- Add defensive validation in `get_all()` base method to prevent injection via `order_by` parameter
## [1.8.2] - 2026-04-06
### Added
- DashScope (Qwen) provider support — Alibaba Cloud's Qwen models (qwen-turbo, qwen-plus, qwen-max)
- MiniMax provider support — MiniMax models with 204K context (MiniMax-M2.5, MiniMax-M2.5-highspeed)
- Model discovery, connection testing, and credential management for both new providers
- Documentation for DashScope and MiniMax in AI providers guide, environment reference, and provider comparison
- DashScope (Qwen) and MiniMax provider support via Esperanto v2.20.0 (#725)
- Source list auto-refresh after adding a new source via URL, file upload, or text (#721)
### Fixed
- Source asset persistence — failed sources now persist their asset (URL/file path), making them identifiable and retryable (#722)
- Source title preservation — user-set custom titles are no longer overwritten after background processing (#722)
- Credential cascade delete — deleting a credential now removes linked models instead of returning a 409 error (#722)
- Podcast directory names — uses UUID for episode directories, fixing filesystem errors with special characters (#666)
- Tiktoken offline handling — API no longer crashes in air-gapped environments (#622)
- SurrealDB healthcheck — removed incompatible healthcheck from Docker Compose (#656)
- Esperanto embedding fixes — base_url/api_key config issues across multiple embedding providers (#664, #665)
### Docs
- Deprecated single-container Docker image in favor of Docker Compose (#723)
### Dependencies
- Bump esperanto to >= 2.20.0
- Bump esperanto to >=2.20.0
## [1.8.1] - 2026-03-10
@ -1,6 +1,6 @@
[project]
name = "open-notebook"
version = "1.8.2"
version = "1.8.3"
description = "An open source implementation of a research assistant, inspired by Google Notebook LM"
authors = [
{name = "Luis Novo", email = "lfnovo@gmail.com"}
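--- a/uv.lock
+++ b/uv.lock
@@ -2072,7 +2072,7 @@ wheels = [
 
 [[package]]
 name = "open-notebook"
-version = "1.8.1"
+version = "1.8.3"
 source = { editable = "." }
 dependencies = [
     { name = "ai-prompter" },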