Mirror of https://github.com/alkimake/paperclip.git (synced 2026-06-14 01:50:39 +09:00)
## Summary

- Adds comprehensive release notes for `v2026.410.0`, the security release that patches GHSA-68qg-g8mg-6pr7 (unauthenticated RCE via import authorization bypass)
- Required before triggering the stable release workflow to publish `2026.410.0` to npm and create the GitHub Release

## Context

The security fix (PR #3315) is already merged to master. The GHSA advisory references `2026.410.0` as the patched version, but only canary builds exist on npm. This PR unblocks the stable release.

## Test plan

- [x] Release notes file is valid markdown
- [ ] Merge and trigger `release.yml` workflow with `source_ref=master`, `stable_date=2026-04-10`
- [ ] Verify `npm view paperclipai version` returns `2026.410.0`
- [ ] Verify GitHub Release `v2026.410.0` exists

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Co-authored-by: Paperclip <noreply@paperclip.ing>
v2026.410.0
Released: 2026-04-13
Security
- Authorization hardening (GHSA-68qg-g8mg-6pr7) — Scoped import, approval, activity, and heartbeat API routes to enforce proper authorization checks. Previously, certain administrative endpoints were accessible without adequate permission verification. All users are strongly encouraged to upgrade. (#3315)
- Removed hardcoded JWT secret fallback — The `createBetterAuthInstance` function no longer falls back to a hardcoded JWT secret, closing a credential-hygiene gap.
- Redact Bearer tokens in logs — Server log output now redacts Bearer tokens to prevent accidental credential exposure. (#2659)
- Dependency bumps — Updated `multer` to 2.1.1 (HIGH CVEs) and `rollup` to 4.59.0 (path-traversal CVE). (#2819)
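The three Security items above, as an added example in TypeScript that is not Paperclip's code: a deny-by-default route policy, where a privileged route missing from the policy table fails closed instead of falling through (the shape of gap the advisory describes for the import route), a secret loader with no hardcoded fallback, and a Bearer-token redactor run over constructed log lines. The route paths, permission names, the `AUTH_SECRET` variable name, the 32-character minimum and the log lines are assumptions made for this example, not taken from the project.

```typescript
// Added example, not Paperclip's code. Route paths, permission names, the env
// variable name and the log lines below are constructed for illustration.

type Permission = "import:write" | "approval:decide" | "activity:read" | "heartbeat:write";

interface Principal {
  id: string;
  permissions: Set<Permission>;
}

interface Request {
  path: string;
  principal?: Principal; // undefined = unauthenticated caller
}

type RoutePolicy = Record<string, Permission>;

// Hypothetical policy that forgot to scope the import route: a privileged
// endpoint with no declared permission requirement.
export const unscopedPolicy: RoutePolicy = {
  "/api/approvals": "approval:decide",
  "/api/activity": "activity:read",
  "/api/heartbeat": "heartbeat:write",
};

// Hardened policy: every privileged route declares what it requires.
export const scopedPolicy: RoutePolicy = {
  ...unscopedPolicy,
  "/api/import": "import:write",
};

// Returns an HTTP status. With denyUnlisted=false an unlisted route falls
// through to 200, so a missing policy entry becomes an unauthenticated bypass;
// with denyUnlisted=true (deny by default) the same omission fails closed.
export function authorize(req: Request, policy: RoutePolicy, denyUnlisted: boolean): number {
  const required: Permission | undefined = policy[req.path];
  if (required === undefined) return denyUnlisted ? 403 : 200;
  if (!req.principal) return 401;
  return req.principal.permissions.has(required) ? 200 : 403;
}

// Before: a hardcoded fallback means every deployment that forgot to set the
// variable shares one well-known signing key. This is the pattern the release removes.
export function secretWithFallback(env: Record<string, string | undefined>): string {
  return env.AUTH_SECRET ?? "dev-secret-do-not-use";
}

// After: fail closed at startup. The 32-character minimum is this example's choice.
export function requireSecret(env: Record<string, string | undefined>): string {
  const s = env.AUTH_SECRET;
  if (s === undefined || s.length < 32) {
    throw new Error("AUTH_SECRET must be set to at least 32 characters");
  }
  return s;
}

// Match the credential after the Bearer scheme (RFC 6750 token68 characters)
// anywhere in a line; the scheme name is case-insensitive per HTTP.
const BEARER_RE = /(\bBearer\s+)[A-Za-z0-9\-._~+/]+=*/gi;

// Replace the whole credential; keeping a prefix would leak entropy from
// opaque tokens for little operational benefit.
export function redactBearer(line: string): string {
  return line.replace(BEARER_RE, (_m, scheme: string) => `${scheme}[REDACTED]`);
}

// Constructed log lines; SAMPLE_TOKEN is a fake JWT, not a real credential.
export const SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZ2VudC0xIn0.x9-_Q";
export const sampleLog: string[] = [
  `GET /api/heartbeat 200 authorization: Bearer ${SAMPLE_TOKEN}`,
  `curl -H "Authorization: bearer ${SAMPLE_TOKEN}" http://localhost:3100/api/import`,
  "GET /api/activity 200 (no credentials logged)",
];

export function redactLines(lines: string[]): string[] {
  return lines.map(redactBearer);
}
```

The redactor only covers the `Bearer <token>` form; credentials that reach logs as query parameters, cookies or JSON fields need their own patterns, and the safer habit is to never log raw request headers at all.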
Highlights
- Issue-to-issue navigation — Faster navigation between issues with scroll reset, prefetch, and detail-view optimizations. (#3542)
- Auto-checkout for scoped wakes — Agent harness now automatically checks out the scoped issue on comment-driven wakes, reducing latency for agent heartbeats. (#3538)
- Inbox parent-child nesting — Issues in the Mine inbox can now be grouped by parent, with a toggle and keyboard-traversable nested rows.
- Keyboard shortcut cheatsheet — Press `?` to see all available keyboard shortcuts in a dialog.
- Issue search in inbox — Broadened comment matching for inbox issue search with fallback.
- Codex fast mode — Added fast mode support for `codex_local` adapters with env probe safeguards.
- Backups with retention — Gzip-compressed database backups with tiered daily/weekly/monthly retention and UI controls in Instance Settings.
- AWS Bedrock auth — Added AWS Bedrock authentication support on `claude-local` adapters. (#2793)
Improvements
- Issue detail stability — Faster comment loading, reduced rerenders on interrupted runs, stable transcript rendering for non-succeeded runs.
- Execution workspaces — Fixed linked worktree reuse, dev runner isolation, workspace import regressions, and workspace preflight through server toolchain.
- Agent runtime — Hardened heartbeat and adapter runtime workflows, scoped-wake fast path skips full heartbeat on comment wakes, signoff stage access fixes.
- Execution policy — Fixed non-participant stage mutation rejection, decision persistence, and signoff PR follow-up flows.
- Chat UX polish — Shimmer animation improvements, image gallery in chat messages, inline comment composer, Working/Worked status tokens.
- Inbox refinements — Avoid refetching on filter-only changes, archive shortcut fix, badge fixture alignment, nesting column alignment.
- Typing performance — Fixed typing lag in long comment threads. (#3163)
- Issue list grouping — Added workspace and parent issue grouping to the issues list view.
- Worktree tooling — Improved worktree helpers, bind presets for deployment setup, tailnet bind hardening.
- Plugin SDK — Plugin SDK now prepares before CLI dev boot. (#3343)
Fixes
- Agent env bindings — Cleared agent env bindings now persist correctly on save.
- Comment editor sync — Hardened issue comment editor synchronization.
- Document revisions — Latest issue document revision stays current in the UI. (#3342)
- Claude instructions — Fixed instruction sibling path hints, gate file I/O to fresh sessions only, skip `--append-system-prompt-file` on resumed sessions.
- Codex transcript — Fixed Codex tool-use transcript completion parsing.
- Backup cleanup — Orphaned `.sql` files cleaned up on compression failure; stale startup log fixed.
- Chat layout — Fixed avatar positioning, activity line alignment, comment alignment, and feedback panel closing.
Upgrade Guide
Multiple database migrations will run automatically on startup. All migrations are additive — no existing data is modified.
Security: This release addresses GHSA-68qg-g8mg-6pr7. All deployments should upgrade as soon as possible.