
chore(main): release 0.2.29 #734

Merged
mldangelo-oai merged 3 commits into main from release-please--branches--main--components--modelaudit
Mar 29, 2026

Conversation


@github-actions github-actions bot commented Mar 22, 2026

🤖 I have created a release beep boop

0.2.29 (2026-03-29)

Features

  • cli: add --no-whitelist and --strict flags for CI pipelines (636b813)
  • detect pickle expansion attack heuristics (8e074fd)
  • whitelist: warn when HuggingFace whitelist snapshot is stale (5a60871)

Bug Fixes

  • add guarded CRC fallback for PyTorch ZIP scanning (5db1e71)
  • cache: harden invalidation and skip operational failures (6492598)
  • cli: propagate cache settings to registry downloads (d6cf508)
  • core: count stream scans in files_scanned (#749) (50326bb)
  • core: route misnamed archives by trusted file structure (cad90c3)
  • deps: include py7zr in all extras (#759) (16cfae1)
  • detection: tighten safetensors magic detection to prevent misrouting (109bca2)
  • fail closed on pickle unknown opcode parse errors (#747) (a63979a)
  • filtering: preserve disguised model files during directory scans (27058f5)
  • generate release sbom from uv lock (#733) (a1019a8)
  • harden pickle setitem target detection (#756) (877669c)
  • huggingface: fail closed on listing errors and timeouts (f22ebbe)
  • jfrog: fail closed on partial folder downloads (14e2ddd)
  • keep json stdout clean for skipped files (#768) (0857b98)
  • keras-zip: harden documentation padding bypass for CVE-2025-9906 (6e73043)
  • keras: anchor safe Lambda pattern regexes to prevent code injection bypass (73fa571)
  • keras: prevent spoofed built-in registered_name from hiding non-allowlisted modules (#736) (6d8350e)
  • large-files: fail closed without bounded scanner coverage (a2317eb)
  • make pickle operational errors explicit (2d75778)
  • manifest: trust regional S3 manifest URLs (#763) (f43af54)
  • mar: analyze all Python files in TorchServe MAR archives (dd2cf32)
  • mar: analyze requirements.txt for supply chain attacks (5365583)
  • metadata: harden metadata scanner userinfo URLs (#767) (07bf5a5)
  • normalize streamed source path reporting (#765) (09431e0)
  • onnx: add ai.onnx.ml to standard domain allowlist (c94f804)
  • pickle: add budget-independent global/import byte scanner for large files (512dd18)
  • pickle: add catch-all for unhandled opcodes in stack simulator (445b204)
  • pickle: allow uppercase module segments in import checks (#757) (c1aeb55)
  • pickle: detect nested pickle BINBYTES8 and BYTEARRAY8 payloads (#754) (814c7f2)
  • pickle: harden blocklist — copyreg, _pickle.Unpickler, functools.reduce (fe04d9a)
  • pickle: surface large-file raw pattern coverage limits (#769) (d9904f2)
  • pickle: track BUILD opcode setstate exploitation (7e8c370)
  • pickle: treat scan timeouts as unsuccessful without regressing tail scans (075adcd)
  • preserve exit code 1 for zero-file findings (#764) (34d25e7)
  • preserve scanner execution for chunked large files (#745) (8d93f1d)
  • preserve validated PE detections in pickle scans (#746) (017202c)
  • prevent ExecuTorch polyglot ZIP bypass (#743) (e06d0e8)
  • route zip-backed pytorch containers in pickle scanner (0390a00)
  • routing: complete format_to_scanner primary routing map (de69f71)
  • safetensors: add missing BF16/BOOL/FP8 dtypes for size validation (f2f2574)
  • safetensors: apply MAX_HEADER_BYTES limit in scan() to prevent DoS (7a847a7)
  • savedmodel: scan assets/ directory for executable content (04d2a0c)
  • scan padded follow-on pickle streams (#755) (8727d03)
  • security: block streamed symlink traversal outside scan roots (#751) (aee6656)
  • security: bound embedded .keras weight extraction to prevent zip-bomb DoS (#737) (1cc0e46)
  • security: bound MAR fallback python handler reads (#735) (88e42b9)
  • security: harden manifest URL trust checks and timeout handling (#760) (9ccc5f3)
  • security: preserve scannable artifacts in directory filtering (#758) (7666930)
  • security: preserve shared depth across nested archive types (#753) (607b506)
  • security: recurse into extensionless nested ZIP members (#752) (a2dfea9)
  • security: recurse into nested sevenzip archives by content (#761) (3b0e3dc)
  • security: require explicit HuggingFace provenance for whitelist downgrades (#750) (582e361)
  • security: route nested sevenzip members through core scanning (#762) (92ffdf7)
  • sevenzip: recurse into misnamed nested archives (2cc5423)
  • streaming: avoid materializing file iterators (7a9ae37)
  • tflite: stop after excessive subgraph counts (64b08fa)
  • whitelist: preserve explicit HF download provenance (#766) (7e187cb)

Documentation

  • agents: tighten validation and routing guidance (335b656)
  • normalize unreleased changelog section (#741) (5e66490)

This PR was generated with Release Please. See documentation.
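Two of the safetensors entries in this release note (bounding the header size in `scan()` to prevent DoS, and adding the BF16/BOOL/FP8 dtypes to size validation) describe the same defensive idea: refuse a file whose attacker-controlled header length or declared tensor spans do not add up before doing any work on it. The following is an added, stand-alone illustration of that check written for this page; it is not modelaudit's own code, and the `MAX_HEADER_BYTES` value, the function names and the sample blobs are constructed for the example. It relies only on the public safetensors layout (8-byte little-endian header length, JSON header, raw data) and its dtype names.

```python
import json
import struct

# Constructed bound for this example. modelaudit's real MAX_HEADER_BYTES value is
# not on the release page, so this number is an assumption, not the project's.
MAX_HEADER_BYTES = 100 * 1024 * 1024

# Byte width of every dtype name the safetensors format defines, including the
# BF16, BOOL and FP8 entries that a size check must not leave out.
DTYPE_WIDTH = {
    "BOOL": 1, "U8": 1, "I8": 1, "F8_E4M3": 1, "F8_E5M2": 1,
    "U16": 2, "I16": 2, "F16": 2, "BF16": 2,
    "U32": 4, "I32": 4, "F32": 4,
    "U64": 8, "I64": 8, "F64": 8,
}


class SafetensorsError(ValueError):
    """Raised for any header the scanner refuses; the caller fails closed."""


def _is_uint(value) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and value >= 0


def parse_safetensors_header(blob: bytes, max_header_bytes: int = MAX_HEADER_BYTES) -> dict:
    """Validate the 8-byte length prefix and JSON header of a safetensors blob.

    Every tensor entry must name a known dtype, carry a non-negative shape and
    have data_offsets that lie inside the data region and equal shape * width.
    """
    if len(blob) < 8:
        raise SafetensorsError("file shorter than the 8-byte header length")
    (header_len,) = struct.unpack("<Q", blob[:8])
    # Bound the declared length before decoding anything: this u64 is attacker
    # controlled and would otherwise drive the allocation and JSON parse size.
    if header_len > max_header_bytes:
        raise SafetensorsError(
            f"declared header length {header_len} exceeds limit {max_header_bytes}")
    if header_len > len(blob) - 8:
        raise SafetensorsError("declared header length exceeds file size")
    try:
        header = json.loads(blob[8:8 + header_len].decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise SafetensorsError(f"header is not valid JSON: {exc}") from exc
    if not isinstance(header, dict):
        raise SafetensorsError("header is not a JSON object")
    data_len = len(blob) - 8 - header_len
    for name, info in header.items():
        if name == "__metadata__":
            continue
        if not isinstance(info, dict):
            raise SafetensorsError(f"{name}: tensor entry is not an object")
        dtype, shape, offsets = info.get("dtype"), info.get("shape"), info.get("data_offsets")
        if dtype not in DTYPE_WIDTH:
            raise SafetensorsError(f"{name}: unknown dtype {dtype!r}")
        if not isinstance(shape, list) or not all(_is_uint(d) for d in shape):
            raise SafetensorsError(f"{name}: invalid shape {shape!r}")
        if (not isinstance(offsets, list) or len(offsets) != 2
                or not all(_is_uint(o) for o in offsets)):
            raise SafetensorsError(f"{name}: invalid data_offsets {offsets!r}")
        start, end = offsets
        if not start <= end <= data_len:
            raise SafetensorsError(f"{name}: data_offsets {offsets} outside data region")
        expected = DTYPE_WIDTH[dtype]
        for dim in shape:
            expected *= dim
        if end - start != expected:
            raise SafetensorsError(
                f"{name}: {dtype}{shape} needs {expected} bytes, offsets give {end - start}")
    return header


def build_safetensors(header: dict, data: bytes) -> bytes:
    """Pack a header dict and raw tensor bytes into the on-disk layout (test helper)."""
    encoded = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(encoded)) + encoded + data


def scan(blob: bytes) -> str:
    """Return 'ok' or the rejection reason; anything but 'ok' is a fail-closed result."""
    try:
        parse_safetensors_header(blob)
    except SafetensorsError as exc:
        return f"rejected: {exc}"
    return "ok"


if __name__ == "__main__":
    # Constructed samples: a well-formed BF16 tensor, an oversized declared header,
    # and a tensor whose byte span does not match dtype width * shape.
    good = build_safetensors({"w": {"dtype": "BF16", "shape": [2, 3], "data_offsets": [0, 12]}}, bytes(12))
    bomb = struct.pack("<Q", 1 << 40) + b"{}"
    bad_size = build_safetensors({"w": {"dtype": "F32", "shape": [2, 3], "data_offsets": [0, 12]}}, bytes(12))
    for label, blob in [("good", good), ("bomb", bomb), ("bad_size", bad_size)]:
        print(label, scan(blob))
```

The ordering matters: the length bound is checked against the raw prefix before the slice and `json.loads` happen, so a file that lies about its header size costs the scanner eight bytes of work rather than a large allocation, and a tensor with an unknown dtype is rejected rather than silently skipped by the size check.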

@github-actions github-actions bot force-pushed the release-please--branches--main--components--modelaudit branch 29 times, most recently from 164baa8 to ae2f1d2 March 29, 2026 07:54
@github-actions github-actions bot force-pushed the release-please--branches--main--components--modelaudit branch 21 times, most recently from ec542c7 to 5ccb998 March 29, 2026 12:15
@github-actions github-actions bot force-pushed the release-please--branches--main--components--modelaudit branch from a5fedc4 to e80f0da March 29, 2026 12:17
@mldangelo-oai mldangelo-oai merged commit 711cccd into main Mar 29, 2026
@mldangelo-oai mldangelo-oai deleted the release-please--branches--main--components--modelaudit branch March 29, 2026 12:20
@github-actions github-actions bot commented:

🤖 Created releases:

🌻
