chore: release main #1514

Merged
mldangelo-oai merged 5 commits into main from release-please--branches--main, Jun 5, 2026
@github-actions github-actions Bot commented Jun 5, 2026

🤖 I have created a release beep boop

0.2.46

0.2.46 (2026-06-05)

Bug Fixes

  • address runpy review edge cases (#1401) (995f978)
  • analyze ambiguous protobuf routing candidates (#1302) (411b6ee)
  • avoid ambient TensorFlow proto imports (#1406) (601003d)
  • avoid duplicate sharded scans and preserve metadata (#1231) (83a0ce5)
  • avoid framed process string false positives (#1400) (9aae65a)
  • avoid pickle meta-path source probing (#1493) (a31df76)
  • block 7z symlinks before extraction (#1462) (73152a0)
  • block torch.load on vulnerable prereleases (06125e5)
  • bound directory metadata extraction (#1470) (3dd9ceb)
  • bound GGUF declared collections (#1316) (3ceb138)
  • bound jax and flax metadata scans (#1500) (1f794df)
  • bound jinja sandbox render probes (#1419) (6a6534b)
  • bound native picklescan state simulation (#1501) (f4c9cdf)
  • bound OCI layer decompression (#1443) (fd76fb1)
  • bound Orbax directory checkpoint scanning (#1414) (22a9ffa)
  • bound PyTorch ZIP version probes (#1512) (196fb46)
  • bound SavedModel graph traversal (#1491) (b42fffb)
  • bound SavedModel keras metadata parsing (#1466) (b2eddc4)
  • cache: key advanced shard allowlists (#1248) (336148a)
  • cap PyTorch ZIP entry processing (#1455) (e74da5b)
  • ci: avoid performance gating in Windows nightly (#1264) (c01b42a)
  • classify incomplete CatBoost analysis correctly (388565b)
  • classify incomplete OCI layer scans correctly (#1291) (25aae73)
  • classify incomplete pickle analysis and stream coverage (#1310) (e20518f)
  • classify incomplete PMML analysis correctly (#1293) (a3b2cfe)
  • classify incomplete R serialized analysis correctly (#1312) (9439adc)
  • classify incomplete RKNN and Torch7 analysis correctly (#1289) (6d0ad24)
  • classify incomplete Skops coverage correctly (#1298) (d618584)
  • classify incomplete TAR member coverage correctly (#1299) (0cb11b1)
  • classify incomplete TorchServe analysis correctly (#1297) (f443b02)
  • classify incomplete weight analysis correctly (#1313) (e4138c1)
  • classify incomplete ZIP and Keras coverage correctly (#1300) (c350ab9)
  • classify PyTorch binary code patterns as findings (#1497) (e9c6c0a)
  • classify sevenzip probe limits as inconclusive (#1296) (d7e1ad1)
  • classify unavailable binary artifact reads correctly (#1305) (bc4e6b2)
  • classify unavailable CNTK and LightGBM reads correctly (#1303) (26fcf41)
  • classify unavailable Joblib reads correctly (#1309) (5b56384)
  • classify unavailable manifest and text reads correctly (#1307) (5b50c71)
  • classify unavailable metadata reads correctly (#1308) (fa4cdb0)
  • classify unavailable MetaGraph reads correctly (#1304) (c00de0b)
  • classify unavailable MXNet reads correctly (#1301) (a7b8e27)
  • classify unavailable serialized model reads correctly (#1306) (113ba27)
  • classify unavailable TFLite analysis correctly (#1311) (c3e1607)
  • cloud: enforce size caps on cached downloads (#1507) (8f38004)
  • confirm ONNX python_operator findings against the parsed graph (#1254) (#1260) (beb71cd)
  • contain SBOM symlink hashing (#1476) (f147ebc)
  • core: group HF cache shard symlinks (#1252) (91f833d)
  • cover embedded browser and ctypes edges (#1402) (ce31f2f)
  • cover patched PyTorch weight-load versions (#1482) (4c0bdb3)
  • detect asyncio subprocess launches in embedded Python (#1366) (f520c0d)
  • detect disguised PyTorch ZIP executables (#1318) (00bc356)
  • detect dynamic picklescan protocol hooks (#1375) (400c132)
  • detect dynamic TorchServe handler primitives (#1471) (5c28aee)
  • detect embedded runpy execution calls (#1372) (1f9a8d5)
  • detect embedded webbrowser launch calls (#1373) (f1b2df6)
  • detect Keras weights-only external HDF5 refs (69810c2)
  • detect namespace-hidden archive Python calls (#1317) (ae2deb3)
  • detect NeMo torch extension targets (edb642c)
  • detect newline-separated picklescan calls (#1481) (8dcbbb1)
  • detect obscured GGUF chat templates (#1315) (8d184c9)
  • detect os process launches in embedded Python (#1363) (642fd4c)
  • disable sampled large-file scan caching (#1459) (0ddbb93)
  • enforce cloud download size caps (#1407) (10e1342)
  • enforce Hugging Face download budgets (#1413) (1587131)
  • enforce huggingface file size budget (#1410) (7f55f52)
  • enforce JFrog download size budgets (#1416) (9cb392f)
  • enforce PyTorch Hub download budgets (#1452) (d8e74fa)
  • fail closed on embedded Python JIT budget gaps (#1502) (09a4844)
  • fail closed on embedded weights without h5py (#1433) (463bc2c)
  • fail closed on empty Hugging Face repo listings (#1411) (1cbb8aa)
  • fail closed on encoded nested probe cap (6633dac)
  • fail closed on executable ZIP scanner gaps (#1487) (889db72)
  • fail closed on hf streaming extensionless listings (#1492) (d70dec4)
  • fail closed on incomplete Flax traversal (#1295) (335d06c)
  • fail closed on incomplete JAX analysis (#1292) (a3558f1)
  • fail closed on incomplete PyTorch ZIP scans (65faa90)
  • fail closed on malformed SavedModel metadata (#1464) (60d5307)
  • fail closed on NumPy object pickle skips (#1460) (59c52b1)
  • fail closed on oversized standalone Jinja templates (#1283) (76f221e)
  • fail closed on partial cloud metadata (#1404) (70db661)
  • fail closed on pickle import reference truncation (#1449) (5ddac28)
  • fail closed on protocol 5 pickle buffers (#1450) (e696a1f)
  • fail closed on StringLookup external vocab metadata (#1484) (b994dc3)
  • fail closed on truncated CNTK string analysis (#1290) (c6ee60f)
  • fail closed on unavailable Keras ZIP scanner (#1474) (0183a9e)
  • fail unsafe keras h5 lambda ambiguity (#1434) (548d0f2)
  • flag import-only custom pickle globals (#1499) (ca3a476)
  • flag keras fixed-boundary prereleases (#1431) (0f6ea92)
  • flag native keras config modules (#1430) (440fe18)
  • flag oversized pickle frames as tampered (#1448) (c4758fd)
  • harden asyncio subprocess review follow-up (#1398) (31077f3)
  • harden embedded ctypes/browser analysis after #1402 (#1403) (0d37ebc)
  • harden embedded Python builtin alias detection (#1420) (fadceb3)
  • harden Keras ZIP external reference analysis (#1423) (a0e00cf)
  • harden Keras ZIP version attribution (#1424) (57ca7f3)
  • harden Keras ZIP wrapper traversal (#1425) (713eb4d)
  • harden late embedded Python replay analysis (#1446) (6b625ff)
  • harden legacy JAX checkpoint routing (#1397) (4db8d50)
  • harden mixed Keras H5 Lambda analysis (#1422) (6d1ba2e)
  • harden MXNet overlap routing after merge audit (#1378) (4e55dd0)
  • harden NeMo Hydra interpolation analysis (#1427) (099417a)
  • harden PyTorch Hub streaming cleanup (#1454) (2f11b7c)
  • harden standalone Keras H5 external reference analysis (#1421) (64e643f)
  • harden structured Jinja size handling (#1418) (1165a0e)
  • honor compatible header alias routing (#1272) (ee9611e)
  • include supported PyTorch Hub artifacts (#1453) (a3e1616)
  • keep docker digest updates CI-compatible (#1258) (406ed50)
  • keep shard siblings within scan root (a1efccb)
  • keras: redact authorization detail aliases (#1511) (18de054)
  • manifest: fail closed on cloud URL read errors (#1396) (cf1da88)
  • mark compressed partial scans inconclusive (#1286) (39b8f58)
  • mark oversized structured Jinja templates incomplete (6662d3d)
  • mark truncated pickle binary tails incomplete (#1445) (cae15c4)
  • nemo: fail closed on linked load semantics (#1377) (b952e4b)
  • omit SafeTensors custom metadata from security view (#1440) (23e7c44)
  • onnx: scan function default graphs (#1273) (10c57ed)
  • onnx: scan nested Python operators (#1265) (40850e3)
  • preflight 7z extraction budgets (bf7f3de)
  • preserve Flax routing across ambiguous prefixes (#1379) (b3438b8)
  • preserve visible JAX findings in oversized JSON (#1380) (39afcf0)
  • redact code evidence in scanner findings (#1495) (1c2855e)
  • redact compound credential evidence (4a0a364)
  • redact flax msgpack evidence (#1409) (66c55cb)
  • redact Keras evidence secrets (#1475) (37eda4e)
  • redact keras zip finding details (#1436) (b90d08d)
  • redact LightGBM evidence excerpts (#1437) (fed2313)
  • redact metadata secret previews (#1439) (a96f83a)
  • redact network URL path tokens (fa5fd17)
  • redact R serialized executable samples (#1456) (7c3e10c)
  • redact SavedModel decoded previews (ba6eaa1)
  • redact secret detector contexts (923f6af)
  • reject unsafe JFrog credential targets (#1490) (11d8978)
  • repair nightly and docker ci (#1255) (4c8fa7b)
  • report Keras external refs despite metadata (#1478) (0c63514)
  • report Keras H5 external refs despite metadata (#1483) (5997e06)
  • require ETags for cloud cache hits (1a8e39d)
  • resolve follow-up quality findings (#1222) (2968961)
  • restrict auth token API hosts (#1486) (9ccddc5)
  • restrict JFrog credential forwarding (8287edd)
  • retain oversized renamed SafeTensors candidates (#1285) (64efefa)
  • route disguised llamafiles and classify preview read failures (#1267) (ad55249)
  • route disguised torch7 payloads by content (#1268) (9ba9cd1)
  • route extensionless XGBoost and classify incomplete analysis (#1276) (46bffb4)
  • route large and renamed Flax MessagePack checkpoints (#1280) (40766c4)
  • route padded and renamed JAX JSON checkpoints (#1281) (62270b4)
  • route prefixed renamed ONNX payloads by structure (#1287) (b022bbb)
  • route renamed binary formats and classify ExecuTorch read failures (#1271) (c86dd85)
  • route renamed CNTK and LightGBM payloads (#1269) (877aa10)
  • route renamed MXNet symbol graphs by structure (#1278) (1c0b3c5)
  • route renamed NeMo archives by structure (#1274) (bf96228)
  • route renamed R workspace artifacts (#1322) (e004deb)
  • route renamed TensorFlow protobuf models by structure (#1284) (3327c39)
  • routing: avoid false Flax overlap on complete pickles (#1506) (6510430)
  • routing: preserve Torch7 findings in Llamafile polyglots (#1376) (2e95c88)
  • run text sidecar security detectors (#1498) (9e3f581)
  • scan duplicate executorch pickle members (#1408) (5b4c616)
  • scan hidden compressed payload risks (#1320) (77ec76f)
  • scan late PyTorch binary executable signatures (#1451) (bd2782c)
  • scan namespaced OpenVINO layers (#1314) (59794d6)
  • scan nested ONNX external initializers (d3a9130)
  • scan nested ONNX external tensor references (#1399) (5071995)
  • scan padded SavedModel protobuf strings (#1469) (b26c000)
  • scan protocol zero JAX checkpoint pickles (aa580c6)
  • scan raw nested pickles in unicode strings (#1461) (4278da9)
  • scan RKNN safe metadata values (cd833c2)
  • skip hashing files over scan size limit (#1441) (2b46042)
  • sniff cloud content before selective skip (#1405) (90c5627)
  • sniff JFrog folder content before selective skip (#1417) (372a72a)
  • strip jfrog credentials on redirects (#1415) (6869361)
  • terminate call-graph alias fixpoint on oscillating rebinds (#1247) (#1259) (89895a4)
  • torch7: restore ASCII serialized routing (#1263) (a0cf7f0)
  • treat Keras fixed-version prereleases as vulnerable (ae76cb9)

Performance Improvements

  • mmap TFLite files for zero-copy FlatBuffer scanning (#1503) (ce3b4f4)
  • restore realistic benchmark suite (#1223) (9c36efb)
  • reuse call graph analysis in directory scans (#1266) (2f01ddf)

Documentation

modelaudit-picklescan: 0.1.6

0.1.6 (2026-06-05)

Bug Fixes

  • avoid pickle meta-path source probing (#1493) (a31df76)
  • bound native picklescan state simulation (#1501) (f4c9cdf)
  • detect dynamic picklescan protocol hooks (#1375) (400c132)
  • detect newline-separated picklescan calls (#1481) (8dcbbb1)
  • fail closed on encoded nested probe cap (6633dac)
  • fail closed on pickle import reference truncation (#1449) (5ddac28)
  • fail closed on protocol 5 pickle buffers (#1450) (e696a1f)
  • flag import-only custom pickle globals (#1499) (ca3a476)
  • flag oversized pickle frames as tampered (#1448) (c4758fd)
  • redact Keras evidence secrets (#1475) (37eda4e)
  • resolve follow-up quality findings (#1222) (2968961)
  • routing: preserve Torch7 findings in Llamafile polyglots (#1376) (2e95c88)
  • scan raw nested pickles in unicode strings (#1461) (4278da9)
  • terminate call-graph alias fixpoint on oscillating rebinds (#1247) (#1259) (89895a4)

Performance Improvements

  • reuse call graph analysis in directory scans (#1266) (2f01ddf)

Documentation


This PR was generated with Release Please. See documentation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cf608295ac

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread packages/modelaudit-picklescan/pyproject.toml
@github-actions github-actions Bot force-pushed the release-please--branches--main branch from 6e68bd6 to 12c5cac Compare June 5, 2026 15:56

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e85975af7a

Comment thread packages/modelaudit-picklescan/Cargo.toml

github-actions Bot commented Jun 5, 2026

Workflow run and artifacts

Performance Benchmarks

Compared 12 shared benchmarks with a regression threshold of 15%.
Status: 0 regressions, 0 improved, 12 stable, 0 new, 0 missing.
Aggregate shared-benchmark median: 986.07ms -> 993.58ms (+0.8%).

| Workload | Benchmark | Target | Size | Files | Baseline | Current | Change | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| padded-multi-stream-upload | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_padded_multi_stream_upload | multi_stream_padded | 4.1 KiB | 1 | 110.5us | 120.7us | +9.2% | stable |
| direct-malicious-upload | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_direct_malicious_upload | malicious_reduce | 52 B | 1 | 65.2us | 70.8us | +8.5% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_base64] | nested_base64 | 98 B | 1 | 90.7us | 94.5us | +4.2% | stable |
| suspicious-pickle-intake | tests/benchmarks/test_scan_benchmarks.py::test_scan_suspicious_pickle_intake | suspicious-intake | 183.8 KiB | 4 | 77.31ms | 78.33ms | +1.3% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_raw] | nested_raw | 78 B | 1 | 86.0us | 84.8us | -1.3% | stable |
| duplicate-heavy-registry | tests/benchmarks/test_scan_benchmarks.py::test_scan_duplicate_registry_snapshot | registry-snapshot | 915.2 KiB | 13 | 291.49ms | 294.62ms | +1.1% | stable |
| single-checkpoint-preflight | tests/benchmarks/test_scan_benchmarks.py::test_scan_single_checkpoint_before_load | single_checkpoint.pkl | 183.0 KiB | 1 | 54.49ms | 55.03ms | +1.0% | stable |
| warm-cache-rescan | tests/benchmarks/test_scan_benchmarks.py::test_scan_warm_cached_repository_rescan | release-candidate | 547.3 KiB | 32 | 50.25ms | 49.78ms | -0.9% | stable |
| mixed-model-repository | tests/benchmarks/test_scan_benchmarks.py::test_scan_release_candidate_repository | release-candidate | 547.3 KiB | 32 | 340.15ms | 342.99ms | +0.8% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_hex] | nested_hex | 130 B | 1 | 91.3us | 91.7us | +0.5% | stable |
| clean-training-checkpoint | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_clean_training_checkpoint | safe_large | 278.2 KiB | 1 | 84.68ms | 84.90ms | +0.3% | stable |
| chunked-upload-stream | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_chunked_upload_stream | chunked_stream | 278.2 KiB | 1 | 87.25ms | 87.46ms | +0.2% | stable |

@github-actions github-actions Bot force-pushed the release-please--branches--main branch 2 times, most recently from bb79e6c to 4e1dcd9 Compare June 5, 2026 16:10

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bb79e6cd36

Comment thread pyproject.toml

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d97608e485

Comment thread packages/modelaudit-picklescan/Cargo.toml
Comment thread pyproject.toml
@github-actions github-actions Bot force-pushed the release-please--branches--main branch 2 times, most recently from c1a4641 to 0ad68e5 Compare June 5, 2026 16:29
@mldangelo-oai

Release QA follow-up pushed in 2d230b9:

  • requires modelaudit-picklescan>=0.1.6,<0.2.0 so root 0.2.46 actually installs the scanner fixes it advertises
  • synchronizes Cargo.lock to 0.1.6
  • removes stale duplicated [Unreleased] entries already represented by release sections
  • teaches Release Please to update root, standalone, and Rust lock versions with targeted TOML selectors (verified against pinned release-please 17.3.0)
  • updates the documented dependency bound

Targeted validation passed: root and standalone uv lock --check against PyPI, cargo metadata --locked --no-deps, release metadata/specifier assertions, all four Release Please selector tests, Prettier, and git diff --check. No full test suite was run because this PR changes release metadata only.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2d230b95e0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread release-please-config.json Outdated
Comment thread CHANGELOG.md
Comment thread pyproject.toml Outdated
@mldangelo-oai

Follow-up pushed in 0e5c087 after CI exposed a release-ordering issue: the temporary root minimum of modelaudit-picklescan>=0.1.6 made Docker/package installation fail because 0.1.6 is not available on PyPI until this release publishes. Restored the existing >=0.1.4,<0.2.0 floor and removed the corresponding changelog/docs claim. The valid Cargo.lock synchronization, targeted Release Please lock selectors, and duplicate Unreleased cleanup remain. Targeted checks: Prettier and git diff --check pass; cargo metadata --locked reports 0.1.6. Local uv 0.11.17 still proposes unrelated resolver churn, while CI's Lock File Consistency check passed on the previous commit; no generated lock rewrite was retained.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0e5c0872e4

Comment thread packages/modelaudit-picklescan/CHANGELOG.md
@mldangelo-oai

Follow-up pushed in 9e1b4dd: restored one active top-level [Unreleased] section in each changelog, relabeled legacy note groups so they are not treated as active release sections, and configured the root Release Please component to exclude standalone-package-only commits. This preserves the documented modelaudit-picklescan>=0.1.4,<0.2.0 compatibility floor and prevents future standalone fixes from leaking into root release notes without creating an unpublished-dependency window. Added narrow regression assertions in tests/test_release_workflow.py. Targeted validation: 6 release workflow/config tests passed; Ruff and mypy clean for the modified test; Prettier and git diff --check clean; cargo metadata --locked --no-deps reports 0.1.6. All review threads are resolved.

@mldangelo-oai

Added one final targeted regression in c11cbd9 to assert every configured root, standalone, and Rust lockfile selector remains present in release-please-config.json. Local targeted validation: 7 tests passed in tests/test_release_workflow.py; Ruff and mypy clean for that file; Prettier clean for both changelogs and the release config; release-please 17.3.0 GenericToml updated exactly one intended entry in each lockfile. No full suite was run.

@github-actions github-actions Bot force-pushed the release-please--branches--main branch from 9e70b70 to f4a4213 Compare June 5, 2026 18:11
@github-actions github-actions Bot force-pushed the release-please--branches--main branch from e218389 to 1a97f3b Compare June 5, 2026 18:12

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b3fd6f5aa8

# CI environments may have variable performance; use generous thresholds
# to avoid flaky failures from runner contention (Linux ~2s, Windows ~4s typical)
has_runner_contention = bool(os.getenv("CI") or os.getenv("GITHUB_ACTIONS") or os.getenv("PYTEST_XDIST_WORKER"))
has_runner_contention = bool(

P3 Badge Add typing to the modified benchmark test

This edit makes test_large_file_scanning_performance a modified pytest test, but the test still lacks tmp_path: Path and -> None; the repo test-style rule says to apply typing to all new or modified tests and explicitly calls out tmp_path: Path (AGENTS.md lines 120-121). Please update the function signature while touching this test so it stays consistent with the documented test requirements.

Useful? React with 👍 / 👎.

@mldangelo-oai mldangelo-oai left a comment

Validated release PR for modelaudit 0.2.46 / modelaudit-picklescan 0.1.6. Checked release metadata and dependency constraints, rebuilt both packages, twine-checked artifacts, smoke-installed wheels, stabilized release validation tests, and watched CI to green.

@mldangelo-oai mldangelo-oai merged commit 4a73c06 into main Jun 5, 2026
41 checks passed
@mldangelo-oai mldangelo-oai deleted the release-please--branches--main branch June 5, 2026 18:39

github-actions Bot commented Jun 5, 2026

🤖 Created releases:

🌻
