diff --git a/CHANGELOG.md b/CHANGELOG.md index 3230e65..fe263bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,16 +7,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [1.8.3] - 2026-04-07 + +### Security +- Fix SurrealDB injection via unsanitized `order_by` query parameter in `GET /api/notebooks` (CVSS 8.7 High) +- Add allowlist validation for sorting parameters in notebooks endpoint +- Replace f-string query interpolation with parameterized `$variable` binding in source chat and migration queries +- Add defensive validation in `get_all()` base method to prevent injection via `order_by` parameter + ## [1.8.2] - 2026-04-06 ### Added -- DashScope (Qwen) provider support — Alibaba Cloud's Qwen models (qwen-turbo, qwen-plus, qwen-max) -- MiniMax provider support — MiniMax models with 204K context (MiniMax-M2.5, MiniMax-M2.5-highspeed) -- Model discovery, connection testing, and credential management for both new providers -- Documentation for DashScope and MiniMax in AI providers guide, environment reference, and provider comparison +- DashScope (Qwen) and MiniMax provider support via Esperanto v2.20.0 (#725) +- Source list auto-refresh after adding a new source via URL, file upload, or text (#721) + +### Fixed +- Source asset persistence — failed sources now persist their asset (URL/file path), making them identifiable and retryable (#722) +- Source title preservation — user-set custom titles are no longer overwritten after background processing (#722) +- Credential cascade delete — deleting a credential now removes linked models instead of returning a 409 error (#722) +- Podcast directory names — uses UUID for episode directories, fixing filesystem errors with special characters (#666) +- Tiktoken offline handling — API no longer crashes in air-gapped environments (#622) +- SurrealDB healthcheck — removed incompatible healthcheck from Docker Compose (#656) +- Esperanto embedding fixes — base_url/api_key config issues across multiple embedding providers (#664, #665) + +### Docs +- Deprecated single-container Docker 
image in favor of Docker Compose (#723) ### Dependencies -- Bump esperanto to >= 2.20.0 +- Bump esperanto to >=2.20.0 ## [1.8.1] - 2026-03-10 diff --git a/pyproject.toml b/pyproject.toml index b45be49..f526a90 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "open-notebook" -version = "1.8.2" +version = "1.8.3" description = "An open source implementation of a research assistant, inspired by Google Notebook LM" authors = [ {name = "Luis Novo", email = "lfnovo@gmail.com"} diff --git a/uv.lock b/uv.lock index 0b7ef74..10608e2 100644 --- a/uv.lock +++ b/uv.lock @@ -2072,7 +2072,7 @@ wheels = [ [[package]] name = "open-notebook" -version = "1.8.1" +version = "1.8.3" source = { editable = "." } dependencies = [ { name = "ai-prompter" },
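Review bot: the new `### Security` block under `[1.8.3]` in the CHANGELOG hunk states a severity (CVSS 8.7 High) but no advisory identifier (CVE or GHSA), no link, and no PR number, whereas every entry under `[1.8.2]` in the same hunk carries one (#725, #721, #722, ...). Add the advisory reference and the affected range (for example `< 1.8.3`) so dependency scanners and downstream users can match the fix, and name the PR or commit for the `order_by` allowlist and the `$variable` binding changes. The entry "Add defensive validation in `get_all()` base method" suggests that callers other than `GET /api/notebooks` pass `order_by` through; it would help to say whether those call sites were audited and whether any other query parameters are still interpolated into query strings rather than bound. Separately, the same hunk rewrites already-released `[1.8.2]` entries and appends a `### Fixed` list to that version; if 1.8.2 shipped with the old text, either note the post-release amendment or move those items under 1.8.3 so the changelog matches what was actually published.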
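Review bot: in the `uv.lock` hunk the project version jumps from `1.8.1` to `1.8.3`, which means the lockfile was never regenerated for the 1.8.2 release even though `pyproject.toml` was at `1.8.2` before this change. The `open-notebook` entry only records the package's own version, so nothing broke this time, but it shows that lockfile drift is not being caught; add `uv sync --locked` to the release or CI pipeline so a stale `uv.lock` fails the build, which matters far more when the drift is in a dependency pin than in the project's own version string.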