Releases: promptfoo/modelaudit
v0.2.47
v0.2.46
0.2.46 (2026-06-05)
Bug Fixes
- address runpy review edge cases (#1401) (995f978)
- analyze ambiguous protobuf routing candidates (#1302) (411b6ee)
- avoid ambient TensorFlow proto imports (#1406) (601003d)
- avoid duplicate sharded scans and preserve metadata (#1231) (83a0ce5)
- avoid framed process string false positives (#1400) (9aae65a)
- avoid pickle meta-path source probing (#1493) (a31df76)
- block 7z symlinks before extraction (#1462) (73152a0)
- block torch.load on vulnerable prereleases (06125e5)
- bound directory metadata extraction (#1470) (3dd9ceb)
- bound GGUF declared collections (#1316) (3ceb138)
- bound jax and flax metadata scans (#1500) (1f794df)
- bound jinja sandbox render probes (#1419) (6a6534b)
- bound native picklescan state simulation (#1501) (f4c9cdf)
- bound OCI layer decompression (#1443) (fd76fb1)
- bound Orbax directory checkpoint scanning (#1414) (22a9ffa)
- bound PyTorch ZIP version probes (#1512) (196fb46)
- bound SavedModel graph traversal (#1491) (b42fffb)
- bound SavedModel keras metadata parsing (#1466) (b2eddc4)
- cache: key advanced shard allowlists (#1248) (336148a)
- cap PyTorch ZIP entry processing (#1455) (e74da5b)
- ci: avoid performance gating in Windows nightly (#1264) (c01b42a)
- classify incomplete CatBoost analysis correctly (388565b)
- classify incomplete OCI layer scans correctly (#1291) (25aae73)
- classify incomplete pickle analysis and stream coverage (#1310) (e20518f)
- classify incomplete PMML analysis correctly (#1293) (a3b2cfe)
- classify incomplete R serialized analysis correctly (#1312) (9439adc)
- classify incomplete RKNN and Torch7 analysis correctly (#1289) (6d0ad24)
- classify incomplete Skops coverage correctly (#1298) (d618584)
- classify incomplete TAR member coverage correctly (#1299) (0cb11b1)
- classify incomplete TorchServe analysis correctly (#1297) (f443b02)
- classify incomplete weight analysis correctly (#1313) (e4138c1)
- classify incomplete ZIP and Keras coverage correctly (#1300) (c350ab9)
- classify PyTorch binary code patterns as findings (#1497) (e9c6c0a)
- classify sevenzip probe limits as inconclusive (#1296) (d7e1ad1)
- classify unavailable binary artifact reads correctly (#1305) (bc4e6b2)
- classify unavailable CNTK and LightGBM reads correctly (#1303) (26fcf41)
- classify unavailable Joblib reads correctly (#1309) (5b56384)
- classify unavailable manifest and text reads correctly (#1307) (5b50c71)
- classify unavailable metadata reads correctly (#1308) (fa4cdb0)
- classify unavailable MetaGraph reads correctly (#1304) (c00de0b)
- classify unavailable MXNet reads correctly (#1301) (a7b8e27)
- classify unavailable serialized model reads correctly (#1306) (113ba27)
- classify unavailable TFLite analysis correctly (#1311) (c3e1607)
- cloud: enforce size caps on cached downloads (#1507) (8f38004)
- confirm ONNX python_operator findings against the parsed graph (#1254) (#1260) (beb71cd)
- contain SBOM symlink hashing (#1476) (f147ebc)
- core: group HF cache shard symlinks (#1252) (91f833d)
- cover embedded browser and ctypes edges ([#1402](https://github.com/p...
modelaudit-picklescan: v0.1.6
0.1.6 (2026-06-05)
Bug Fixes
- avoid pickle meta-path source probing (#1493) (a31df76)
- bound native picklescan state simulation (#1501) (f4c9cdf)
- detect dynamic picklescan protocol hooks (#1375) (400c132)
- detect newline-separated picklescan calls (#1481) (8dcbbb1)
- fail closed on encoded nested probe cap (6633dac)
- fail closed on pickle import reference truncation (#1449) (5ddac28)
- fail closed on protocol 5 pickle buffers (#1450) (e696a1f)
- flag import-only custom pickle globals (#1499) (ca3a476)
- flag oversized pickle frames as tampered (#1448) (c4758fd)
- redact Keras evidence secrets (#1475) (37eda4e)
- resolve follow-up quality findings (#1222) (2968961)
- routing: preserve Torch7 findings in Llamafile polyglots (#1376) (2e95c88)
- scan raw nested pickles in unicode strings (#1461) (4278da9)
- terminate call-graph alias fixpoint on oscillating rebinds (#1247) (#1259) (89895a4)
Performance Improvements
Documentation
v0.2.45
Manual recovery release for modelaudit 0.2.45.
v0.2.44
0.2.44 (2026-05-03)
Bug Fixes
- address ai quality findings (#1218) (30f4ef2)
- clear remaining security-quality findings (#1219) (259f931)
Performance Improvements
- add opt-in core phase timings (#1170) (75a7f0b)
- bound directory progress pre-counts (#1174) (23dc5d0)
- bound ordinary license header reads (#1197) (113ad34)
- cache call graph call nodes (#1215) (aa52759)
- cache function import aliases (#1214) (d56eef2)
- cache manifest trusted-url lookups (#1186) (09e76cf)
- cache parameter controlled names (#1213) (41b8f45)
- cache scanner selection policies (#1177) (371f480)
- cache split call graph names (#1212) (77ab177)
- dedupe repeated metadata urls (#1166) (b3f1009)
- reuse cache key content hash on store (#1171) (e3981bd)
- reuse call graph controlled names (#1198) (84e6a9b)
- reuse call graph module parses (#1167) (0822b40)
- reuse compiled pmml extension patterns (#1172) (51ddc85)
- reuse default secret regexes (#1185) (b5ba149)
- reuse flax layer keyword text (#1187) (b50947f)
- reuse flax structure analysis (#1188) (c33c566)
- reuse flax suspicious patterns (#1194) (0351de1)
- reuse hashes for hardlinked files (#1175) (aac4367)
- reuse jax probe file handle (#1161) (3e95649)
- reuse jinja scanner patterns (#1184) (bb5a729)
- reuse jit import regexes (#1190) (9f37f5d)
- reuse lowered blacklist payload (#1165) (624a17b)
- reuse lowered c2 payload scan (#1163) (a63efaa)
- reuse lowered flax transform values (#1169) (3d73ad7)
- reuse lowered get_file values (#1211) (3bc7890)
- reuse lowered hex token seed checks (#1202) (8a34db9)
- reuse lowered jax context text (#1164) (d012c09)
- reuse lowered keras metadata text (#1168) (abfe87b)
- reuse lowered layer type names (#1203) (4b94a67)
- reuse lowered license header text (#1162) (447ea66)
- reuse lowered metadata filenames (#1205) (4251df5)
- reuse lowered metadata keys (#1206) (3ea11f0)
- reuse lowered ml operation names (#1201) (c5de398)
- reuse lowered sarif messages (#1209) (fde43a4)
- reuse lowered secret descriptions (#1208) (cb0324b)
- reuse lowered skops member names (#1207) (879c531)
- reuse lowered xgboost legacy headers (#1204) (8bc1e7d)
- reuse manifest text within scans (#1160) (848bc1e)
- reuse metagraph attr lowercase values (#1200) (349751e)
- reuse nearby license discovery (#1155) (301618d)
- reuse network library patterns (#1191) (630bd3d)
- reuse normalized scanner selection policy (#1153) (b8430a0)
- reuse onnx model bytes for parsing (#1193) (a5356a5)
- reuse prefiltered sarif issues (#1210) (d996043)
- reuse savedmodel function patterns (#1183) (c043bcd)
- reuse secrets detector heuristics (#1189) (799e8bf)
- reuse sibling license directory listings (#1157) ([5ec7f21](https:...
modelaudit-picklescan: v0.1.5
0.1.5 (2026-05-03)
Bug Fixes
- address ai quality findings (#1218) (30f4ef2)
- clear remaining security-quality findings (#1219) (259f931)
Performance Improvements
- cache call graph call nodes (#1215) (aa52759)
- cache function import aliases (#1214) (d56eef2)
- cache parameter controlled names (#1213) (41b8f45)
- cache split call graph names (#1212) (77ab177)
- reuse call graph controlled names (#1198) (84e6a9b)
- reuse call graph module parses (#1167) (0822b40)
- share call graph caches within reports (#1156) (b16d37c)
- share getattr assignment candidates (#1199) (5d12903)
- skip call graph enrichment in pickle validation (#1196) (2347d80)
v0.2.43
0.2.43 (2026-05-01)
Bug Fixes
- align manifest scanner routing (#1111) (ad7f253)
- analyze jax-like pickle checkpoints (#1114) (576ac54)
- avoid inert skops cve false positives (7538e58)
- avoid PMML system substring false positives (#1125) (20fdd0c)
- catch suspicious nemo target leaves (#1116) (b8dccfa)
- close pytorch zip coverage gaps (#1095) (a1ca298)
- correct analysis suspiciousness (#1101) (11b1d3e)
- cover eager statistics consumers in picklescan (#1148) (0d5ea8e)
- detect bare torch7 require loads (#1117) (7c77be0)
- detect extensionless archive executables (#1110) (b64a2da)
- detect nested brace-format mapping lookups (#1151) (fc296ad)
- detect Paddle patterns across chunk boundaries (#1120) (d4fedf9)
- fail closed on bounded scanner analysis (#1099) (60973e4)
- fail closed on call graph errors (#1143) (1a08449)
- fail closed on directory size limits (#1093) (47054d7)
- fail closed on header-only streaming scans (#1103) (7b934c0)
- fail closed on incomplete mar scans (#1096) (af31235)
- fail closed on limited llamafile payload scans (ceb3f22)
- fail closed on malformed XGBoost JSON (#1123) (4d4ba28)
- fail closed on nemo archives without config (#1115) (a09f763)
- fail closed on ONNX raw detector failures (#1119) (2963764)
- fail closed on truncated tensor metadata (b267328)
- fail closed on unanalyzable call graphs (#1108) (dcb8bbe)
- fail closed when recognized scanners are unavailable (#1104) (f4866d4)
- fail closed without yaml parser (99ef15a)
- harden detector heuristics (#1100) (bf57b3b)
- ignore inert format placeholders (#1142) (8f728e8)
- ignore inert XGBoost feature labels (f637e1e)
- inspect savedmodel root siblings (#1118) (cf6bf8f)
- keep inert dotted global metadata clean (#1150) (9a76915)
- picklescan: detect hidden-only pytorch zips (#1098) (3e94f70)
- picklescan: detect statistics quantiles iterator consumption (#1152) (b357fdb)
- picklescan: fail closed on late encoded payload probes (#1107) (55b43a5)
- picklescan: model str.format lookups (#1097) (2c87acb)
- preserve exact entropy literals (#1138) (95ba57c)
- preserve hidden model payloads (#1091) (5b11f91)
- preserve incomplete office zip scans (#1094) (9ed81db)
- preserve merged scan failures (#1092) (e7fecc5)
- preserve path-sensitive directory scans (#1102) (ddebc52)
- preserve str.format lookup keys in picklescan (#1149) (feb3e1c)
- reject ajax as a JAX checkpoint hint (#1124) (9f51b2c)
- reject marker-only XGBoost binaries (#1122) (30ec930)
- remove filename-based framework skips (#1137) (7a18b49)
- require startup hook invocations (#1140) (7e0777d)
- require strict zip signatures (93f60af)
- resolve concatenated archive getattr names (#1105) (59a7df6)
- resync post-budget pickle replay (#1141) (e275676)
- route extensionless scanners (18accbd)
- route flax suffixes without msgpack (dca6056)
- route middle-marker llamafiles (f11792c)
- route renamed XML models after long prologs (#1109) (e2f9962)
- scan concaten...
modelaudit-picklescan: v0.1.4
0.1.4 (2026-05-01)
Bug Fixes
- cover eager statistics consumers in picklescan (#1148) (0d5ea8e)
- detect nested brace-format mapping lookups (#1151) (fc296ad)
- fail closed on call graph errors (#1143) (1a08449)
- fail closed on unanalyzable call graphs (#1108) (dcb8bbe)
- ignore inert format placeholders (#1142) (8f728e8)
- keep inert dotted global metadata clean (#1150) (9a76915)
- picklescan: detect hidden-only pytorch zips (#1098) (3e94f70)
- picklescan: detect statistics quantiles iterator consumption (#1152) (b357fdb)
- picklescan: fail closed on late encoded payload probes (#1107) (55b43a5)
- picklescan: model str.format lookups (#1097) (2c87acb)
- preserve str.format lookup keys in picklescan (#1149) (feb3e1c)
- require startup hook invocations (#1140) (7e0777d)
- resync post-budget pickle replay (#1141) (e275676)
- stabilize non-pytorch zip status (7449aae)
Documentation
v0.2.42
Manual recovery release for modelaudit 0.2.42.
v0.2.41
0.2.41 (2026-04-27)
Bug Fixes
- ci: skip POSIX proof cases on Windows (#1072) (bfa17a3)
- docker: add apt-get clean and pinned pip constraints to Dockerfile.tensorflow (#1079) (8d9f9b7)
- harden picklescan call graph RCE detection (#1061) (19c4fc4)
- harden picklescan stdlib callable detection (f0f57b4)
- improve test isolation, reduce duplication, and fix command injection risk in test suite (#1078) (3867c83)
- picklescan: avoid call-graph false positives for PyTorch storage IDs (#1069) (e75ed24)
- silence stale CodeQL generated import alerts (#1080) (9530740)
- telemetry: stabilize modelaudit identity (#1071) (592a656)