Release Notes — v0.6.0¶
Release Date: 2026-07-01
TaipanStack v0.6.0 focuses on extensive security hardening, type validation boundary checks, resilience against resource and lock exhaustion, significant code complexity reductions, and verification of the test suite. The test suite has been fully standardized and expanded to 1,430 passing tests with 100% genuine code and branch coverage.
🛡️ Security¶
- Type Validation & Boundary Hardening: Enforced strict type validation for
max_lengthinsanitize_string(PR #957) and hardenedsanitize_pathtype validation (PR #959). - Negative Bounds & Fuzzing: Hardened
sanitize_filenameandsanitize_pathagainst negative limits via Hypothesis property fuzz testing (PR #951, PR #955). - DoS Protection on Env Variables: Added strict bounds check DoS protection to
guard_env_variable(PR #924). - URL validation & SSRF guards: Hardened URL parsing and SSRF guards against request smuggling, parser differentials, and control characters (PR #871, PR #900, PR #908).
- Timeout & Subprocess Type Validation: Hardened timeout validation and added type checking for subprocess timeout parameters to prevent type confusion (PR #885, PR #889).
- Lock Exhaustion Resilience: Hardened Circuit Breaker against lock acquisition failures in concurrent environments (PR #916) and rate limiter against lock exhaustion (PR #884).
🌊 Resilience & Watchdogs¶
- Retry Decorator Hardening: Hardened the retry decorator against type mutations for
max_attempts(PR #960). - Preventing Loops in Health Pinger: Fixed a potential infinite loop in the Health Pinger when operating in a corrupted internal state (PR #940).
- Concurrency & Timeout Hardening: Hardened the timeout decorator against task cancellation (
CancelledError) and arithmetic overflows (OverflowError) under extreme loads (PR #948), and hardened the bulkhead concurrency limiting mechanism with chaos testing (PR #874, PR #879). - Concurrency Permit Leak Fixes: Resolved semaphore permit leaks under TimeoutError, CancelledError, and task cancellation in Bulkhead execution (PR #932, PR #937).
- Race Condition Sync: Synchronized
InMemoryUserRepositorywith a threading Lock to prevent race conditions (PR #947).
⚡ Refactoring, Typing & Clean Code¶
- Proactive Cyclomatic Complexity Reductions: Proactively refactored hot paths to reduce cyclomatic and cognitive complexity in core security functions (PR #914), sanitizers (PR #957, PR #965), database bridges and orchestrators (PR #919), filesystem operations (PR #929), concurrency control modules (PR #946), HTTP bridges (PR #950), and generators (PR #952).
- Static Typing Enhancements: Enhanced strict static typing using
TypeAlias,Literal,TypeGuard, and protocols to resolve strict mypy checks and remove unreachable code false positives (PR #887, PR #901, PR #918, PR #964). - Standardizing API Reference: Cleaned up unused protocols and deprecated references in resilience and utility modules (PR #873, PR #895, PR #922).
✅ QA & Testing¶
- Test Suite Standardization: Renamed and standardized the naming convention across the entire test suite to resolve bypass methods and enforce strict validation rules (PR #886, PR #891, PR #894, PR #909, PR #912, PR #926, PR #930, PR #944, PR #954).
- Test Coverage & Chaos Testing: Expanded the test suite to 1,430 passing tests verifying 100% genuine code and branch coverage with zero bypasses (PR #882) and integrated comprehensive chaos testing for watchdogs, cache concurrency, and subprocess environment filtering (PR #890, PR #898, PR #902, PR #905, PR #913, PR #921, PR #941).
📚 Documentation & CI/CD¶
- API Guidelines & Examples: Updated API guides, architecture mappings, environment templates, and ConfigWatcher examples to include validation error callback handling (PR #881, PR #888, PR #899, PR #920, PR #928).
- Compare Link Repairs: Restored compare links and resolved build warning regressions across all release notes (PR #877).
🔧 Dependencies & Infrastructure¶
- Dependency Upgrades: Bumped the actions group and updated development requirements (including upgrading
cryptographyto<50.0.0,>=46.0.7to remedy security scan alerts) (PR #907, PR #933, PR #953).