TaipanStack v0.4.2 Release Notes

TaipanStack v0.4.2 is a critical security and resilience patch. This release hardens the core security boundary of the project by isolating subprocess execution environments, remediating sensitive data exposure in domain models, and implementing strict resource limits to prevent Denial of Service (DoS) vectors.

See documentation at: TaipanStack Dev Portal.


What's New & Fixed in v0.4.2

🛡️ Core Security & Sentinel Guards

  • [Critical] Subprocess Environment Isolation (PR #403): Implemented a mandatory whitelist approach for environment variables during subprocess execution. This prevents accidental leakage of sensitive credentials (tokens, keys) from the host environment to child processes.
  • [Critical] Command Injection Hardening (PR #385): Injected new security guards against OS command concatenation and shell escape sequences in the subprocess utility suite.
  • [Critical] Sensitive Data Redaction (PR #402): Enhanced UserInDB models to strictly redact password hashes from public serialization schemas, preventing accidental "Sensitive Data Exposure" in API responses.
  • [High] PBKDF2 DoS Mitigation (PR #411): Enforced MAX_LEGACY_ITERATIONS limit on PBKDF2 hash verification to prevent CPU exhaustion attacks via maliciously high iteration counts.
  • [High] Cache Collision Resilience (PR #388): Hardened the @cached decorator against collision vulnerabilities that could lead to unauthorized data retrieval.
  • [Medium] Mandatory Network Timeouts (PR #381): Enforced default timeout values across all db_bridge, http_bridge, and web_bridge components to ensure system availability during upstream latency spikes.

⚡ Performance & Reliability

  • [Perf] Lazy find_files Evaluation (PR #394): Refactored the find_files utility to use lazy evaluation, drastically reducing the memory footprint when crawling massive directory structures.
  • [Fix] Log Redaction Robustness (PR #378): Resolved a potential crash in _redact_dict when processing dictionaries with non-string keys (e.g., integers or booleans).
  • [Resilience] CircuitBreaker Callback Guards (PR #380): Added exception isolation to CircuitBreaker state change callbacks, ensuring that a failing callback does not disrupt the core execution flow.

🧪 QA & Architecture

  • Resource Leak Detection (PR #393): Enabled ResourceWarning in the global pytest configuration. This proactively detects unclosed file handles, sockets, and memory leaks during CI/CD.
  • FileSystem Exception Refactor (PR #401): Standardized all filesystem error classes to use idiomatic dataclass properties, improving code consistency and maintainability.
  • Simplified Sanitizers (PR #384): Reduced cyclomatic complexity in the security sanitizer suite to improve auditability and reduce the potential for logic bugs.

Security Advice

Following the v0.4.2 update, we recommend auditing any custom subprocess implementations to ensure you are utilizing the new allowed_env_vars parameter if your child processes require specific environment variables to function correctly.
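For auditing custom subprocess code, the following added example (not TaipanStack's own code) shows the allowlist pattern in plain Python. Only the `allowed_env_vars` parameter name comes from these notes; the helpers `build_child_env`, `run_isolated` and `child_env_names`, the baseline list, and the `EXAMPLE_*` variables are hypothetical.

```python
import json
import os
import subprocess
import sys

# Assumed baseline for this example only; not TaipanStack's actual default list.
BASELINE_ENV_VARS = ("PATH", "LANG", "LC_ALL", "SYSTEMROOT")


def build_child_env(allowed_env_vars=(), parent_env=None):
    """Return a new environment holding only allowlisted variables."""
    parent = os.environ if parent_env is None else parent_env
    names = set(BASELINE_ENV_VARS) | set(allowed_env_vars)
    # Start from nothing and copy in; never copy the parent and delete from it.
    return {name: parent[name] for name in names if name in parent}


def run_isolated(argv, allowed_env_vars=(), timeout=10):
    """Run argv (a list, no shell) with an allowlisted environment."""
    if isinstance(argv, (str, bytes)):
        raise TypeError("argv must be a list of arguments, not a shell string")
    return subprocess.run(
        list(argv),
        env=build_child_env(allowed_env_vars),  # env= replaces inheritance entirely
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=True,
    )


def child_env_names(allowed_env_vars=()):
    """Spawn a child Python and report which variable names it can see."""
    probe = "import json, os; print(json.dumps(sorted(os.environ)))"
    result = run_isolated([sys.executable, "-c", probe], allowed_env_vars)
    return set(json.loads(result.stdout))


if __name__ == "__main__":
    # Constructed sample values standing in for a host secret and a needed setting.
    os.environ["EXAMPLE_API_TOKEN"] = "constructed-secret"
    os.environ["EXAMPLE_REGION"] = "eu-west-1"
    print(child_env_names(allowed_env_vars=["EXAMPLE_REGION"]))
```

When auditing, look for `subprocess` calls that omit `env=` or pass `os.environ.copy()`, since both hand the full parent environment to the child.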