Skip to content

Release Notes — v0.5.1

Release Date: 2026-05-22

TaipanStack v0.5.1 focuses on robustness, Denial of Service (DoS) vulnerability prevention via strict parameter and input limits, and standardizing the quality assurance test suite. The release removes PyApp support in favor of pure package distributions and fixes several runtime/chaos test mutations. The consolidated test suite now verified 1,250 passing tests with 100% genuine code and branch coverage.


🛡️ Security

  • Fix (High) — Sanitizer DoS Prevention: Added strict bounds checking on sanitizers to prevent potential Denial of Service (DoS) memory/CPU exhaustion. Limit rules applied: filename length to MAX_PATH_LENGTH (4096), environment values to MAX_ENV_VALUE_LENGTH (65535), and SQL identifiers to MAX_PATH_LENGTH (PR #801).
  • Fix (Medium) — Starlette Security Update: Upgraded transitive dependency starlette to 1.0.1 to remediate known vulnerability (PYSEC-2026-161) (PR #804).
  • Fix (Medium) — Config Watcher DoS Prevention: Enforced strict configuration file size limits (MAX_CONFIG_FILE_SIZE = 1MB) inside config_watcher.py to prevent reading excessively large files into memory during active monitoring (PR #807).

🌊 Resilience

  • Fix — Circuit Breaker Evaluation in Orchestrator: Hardened the resilience flow inside ResilienceOrchestrator by checking the Circuit Breaker status within the retry loop instead of only before execution, ensuring callback attempts are blocked if the breaker trips during execution retries (PR #783).
  • Hardening — Timeout Decorator Chaos Protection: Hardened the @timeout decorator to reject non-finite parameters (like NaN or inf) and type mutations by introducing Look-Before-You-Leap (LBYL) type guards (isinstance(seconds, (int, float))), preventing downstream thread and async handler corruption under micro-chaos testing (PR #800, PR #802, PR #803).
  • Hardening — Concurrency Limit Param Validation: Validated concurrency limit timeouts to ensure they are finite non-negative numbers, preventing state corruption under extreme chaos injections (PR #802).
  • Hardening — Rate Limiter state checks: Refactored the RateLimiter internal state checks (such as time window and capacity validation) using clean LBYL type checks instead of try/except TypeError blocks, avoiding side-effects of type mutations under chaos (PR #798, PR #805).

⚡ Refactoring & Typing

  • Complexity Refactor — Adaptive Components & Guards: Reduced cyclomatic and cognitive complexity in RateLimiter and AdaptiveCircuitBreaker (PR #798, PR #805), and decomposed long validation logic in security guards (guard_path_traversal, guard_env_variable) into smaller, modular private validation helpers (PR #786).
  • Circuit Breaker LBYL Protection: Integrated LBYL state protection to shield the circuit breaker against mutations during state transitions (PR #795).
  • Dependency Cleanups: Cleaned up the CI/CD scripts and standardized the pipelines (PR #784, PR #804).

✅ QA & Testing

  • Test Suite Standardization: Renamed all test files from test_*_operations.py to test_*.py and audited the test suite to enforce strict naming conventions, remove bypasses, and improve isolation (PR #797, PR #808).
  • Flaky Tests Remediation: Fixed flaky circuit breaker chaos tests on Windows runners by adding robust synchronization and validation (PR #805).
  • Test Count Expansion: The verified test suite has expanded to 1,250 passing tests while maintaining absolute 100% genuine code and branch coverage.

🗑️ Exclusions & Removals

  • Removed — PyApp Executable Build Support: Completely removed the standalone executable packaging configuration (pyapp/ directory and related scripts) and deleted the build-exe target from the Makefile (PR #764 / PR #784).
  • Removed — Dead Code: Removed unused has_fstring_improvements compatibility variable from taipanstack/core/compat.py (PR #788).

📚 Documentation & CI/CD

  • Release Automation: Granted write contents permission to the release-publish workflow in GitHub Actions (PR #784).
  • Tooling Migration: Replaced obsolete safety dependency scan command with pip-audit across the codebase and contributing guides (PR #806).
  • Version-Agnostic Release Guide: Standardized the contributing release guidelines to be version-agnostic (PR #787).