From 231f20a0648ef27accf67c1d6fdec1e0be92c54d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 18 Mar 2026 15:20:19 +0000 Subject: [PATCH 1/3] chore(main): release 0.2.28 --- .release-please-manifest.json | 2 +- CHANGELOG.md | 57 +++++++++++++++++++++++++++++++++++ pyproject.toml | 2 +- 3 files changed, 59 insertions(+), 2 deletions(-) diff --git a/.release-please-manifest.json b/.release-please-manifest.json index 4cfe4cbe..764adf70 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.2.27" + ".": "0.2.28" } diff --git a/CHANGELOG.md b/CHANGELOG.md index e049a095..40e04207 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,6 +5,63 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.2.28](https://github.com/promptfoo/modelaudit/compare/v0.2.27...v0.2.28) (2026-03-18) + + +### Features + +* add rule codes to all security checks ([#255](https://github.com/promptfoo/modelaudit/issues/255)) ([330e7df](https://github.com/promptfoo/modelaudit/commit/330e7df66407de9c8717d2c1d2ae33075c195d8b)) + + +### Bug Fixes + +* add torch and numpy helper primitive coverage ([#706](https://github.com/promptfoo/modelaudit/issues/706)) ([b0a6a11](https://github.com/promptfoo/modelaudit/commit/b0a6a11b4d392e17214673362d218f1a44ac1396)) +* block dill recursive loader globals ([#695](https://github.com/promptfoo/modelaudit/issues/695)) ([0d88a4b](https://github.com/promptfoo/modelaudit/commit/0d88a4b8b2a7727297a5d742b27816b5599b7a28)) +* block legacy httplib pickle aliases ([#703](https://github.com/promptfoo/modelaudit/issues/703)) ([24b789a](https://github.com/promptfoo/modelaudit/commit/24b789a5a4c6ead716933171730f26a6abd118eb)) +* bound advanced pickle global extraction ([#700](https://github.com/promptfoo/modelaudit/issues/700)) ([d9fe283](https://github.com/promptfoo/modelaudit/commit/d9fe2834d3518ab412d05a52e5d191dcf6028df7)) +* bound skops zip entry reads and enforce uncompressed size limit ([#702](https://github.com/promptfoo/modelaudit/issues/702)) ([a91577d](https://github.com/promptfoo/modelaudit/commit/a91577d49fbe943c2e2e108deec06e63938bb499)) +* bound XZ decompression memory in r_serialized scanner ([26d5b44](https://github.com/promptfoo/modelaudit/commit/26d5b446e5de9a8726e21edb2d9e8f37898e0cf1)) +* bound zlib wrapper decompression output ([#681](https://github.com/promptfoo/modelaudit/issues/681)) 
([8bb9cc2](https://github.com/promptfoo/modelaudit/commit/8bb9cc2cc88faa34108d9d273237d40b53bf9e5f)) +* **ci:** reorder provenance job steps to prevent SBOM generation failure ([#646](https://github.com/promptfoo/modelaudit/issues/646)) ([d4ab381](https://github.com/promptfoo/modelaudit/commit/d4ab38162ed82f1aa13b1c8cef6892c764b386a8)) +* detect pickle proto structural tampering ([#697](https://github.com/promptfoo/modelaudit/issues/697)) ([0a8a737](https://github.com/promptfoo/modelaudit/commit/0a8a737af280d4e085e2945c190e5f4012ad17bc)) +* detect risky import-only pickle ML surfaces ([#696](https://github.com/promptfoo/modelaudit/issues/696)) ([a272307](https://github.com/promptfoo/modelaudit/commit/a272307ad73b8a2e508d73dcab5eaaaed21a38af)) +* expand dangerous pickle primitive coverage ([#705](https://github.com/promptfoo/modelaudit/issues/705)) ([40e45ac](https://github.com/promptfoo/modelaudit/commit/40e45acbdfabe4fb68ecb4a70b858635dd20aa73)) +* fail closed on malformed STACK_GLOBAL operands ([#704](https://github.com/promptfoo/modelaudit/issues/704)) ([9a1b9a1](https://github.com/promptfoo/modelaudit/commit/9a1b9a1b2dd899d8d510e9ec6bcd45cc3144a7d3)) +* handle Windows backslashes in XGBoost subprocess loader ([#656](https://github.com/promptfoo/modelaudit/issues/656)) ([ba30b81](https://github.com/promptfoo/modelaudit/commit/ba30b8111f0f31e4b235eb250120d9875cf522f5)) +* harden archive path sanitization ([#666](https://github.com/promptfoo/modelaudit/issues/666)) ([9d77d50](https://github.com/promptfoo/modelaudit/commit/9d77d50f4bc3b1ddc3d9f686edfbe04994481a82)) +* harden cloud download async/cache safety and cleanup ([#655](https://github.com/promptfoo/modelaudit/issues/655)) ([e14ea61](https://github.com/promptfoo/modelaudit/commit/e14ea61ce9a97dabe8992faa3b6f1b9a268ed757)) +* harden import-only pickle global detection ([#691](https://github.com/promptfoo/modelaudit/issues/691)) 
([d27d90d](https://github.com/promptfoo/modelaudit/commit/d27d90da844fe79ab8b2fa107440bf6f188fcd44)) +* harden keras custom object detection ([#694](https://github.com/promptfoo/modelaudit/issues/694)) ([7651298](https://github.com/promptfoo/modelaudit/commit/765129807f51b8338e2d5cf8a23c94ae90a04dca)) +* harden rule config parsing and debug path privacy ([#648](https://github.com/promptfoo/modelaudit/issues/648)) ([a073187](https://github.com/promptfoo/modelaudit/commit/a073187c9d84b57b6422f8ec0b00fc9ecf5e4080)) +* harden shared config writes and archive path sanitization ([#660](https://github.com/promptfoo/modelaudit/issues/660)) ([60de400](https://github.com/promptfoo/modelaudit/commit/60de400f6eaefa7dfc5cced95def8a731a5a643e)) +* harden xgboost subprocess import isolation ([#701](https://github.com/promptfoo/modelaudit/issues/701)) ([2df2d78](https://github.com/promptfoo/modelaudit/commit/2df2d78a6c61d79d39ce8a7148a63a0b9aa2b624)) +* include streamed artifacts in SBOM output for --stream scans ([#672](https://github.com/promptfoo/modelaudit/issues/672)) ([48d8d54](https://github.com/promptfoo/modelaudit/commit/48d8d540bfacd4e67409cdc24083320c937be790)) +* keras attack-vector fixes for coverage gaps in h5 and keras zip scanning ([#689](https://github.com/promptfoo/modelaudit/issues/689)) ([863c884](https://github.com/promptfoo/modelaudit/commit/863c8849f5c4baa654035a0f1df518d984d41624)) +* mark flaky timing test as performance to skip in CI ([#670](https://github.com/promptfoo/modelaudit/issues/670)) ([9c47f7e](https://github.com/promptfoo/modelaudit/commit/9c47f7eb3a84bb4bbe7d3bce94c0ba1c1330bace)) +* preserve duplicate paths with spaces ([#690](https://github.com/promptfoo/modelaudit/issues/690)) ([ea7c6d9](https://github.com/promptfoo/modelaudit/commit/ea7c6d98c4edea8c2bb14216951c8a61d8f46619)) +* preserve Hugging Face artifacts in SBOM output ([#673](https://github.com/promptfoo/modelaudit/issues/673)) 
([49c7eca](https://github.com/promptfoo/modelaudit/commit/49c7ecadc83f125d04ac2c80151c6d04d4ed77db)) +* preserve rule codes through scan aggregation ([#650](https://github.com/promptfoo/modelaudit/issues/650)) ([d71a219](https://github.com/promptfoo/modelaudit/commit/d71a219d02ec1e82302efa5bd5990707e7d10231)) +* prevent jfrog folder download path traversal ([#679](https://github.com/promptfoo/modelaudit/issues/679)) ([6f226a4](https://github.com/promptfoo/modelaudit/commit/6f226a419e41a41a7d091d7c39cd07b0c8d21010)) +* prevent unbounded tensor proto allocations in TF weight extraction ([#685](https://github.com/promptfoo/modelaudit/issues/685)) ([ae2b01c](https://github.com/promptfoo/modelaudit/commit/ae2b01cd6f761c907116099b8d3e2d75b9306c8e)) +* reduce Keras ZIP custom-object false positives ([#716](https://github.com/promptfoo/modelaudit/issues/716)) ([165b238](https://github.com/promptfoo/modelaudit/commit/165b238625c54432ba54f86fafc32743ea903a85)) +* refresh telemetry client state ([#658](https://github.com/promptfoo/modelaudit/issues/658)) ([7b6ea2f](https://github.com/promptfoo/modelaudit/commit/7b6ea2f3a90749ec8e21b2d47b1d0b2e644502d4)) +* reject absolute OCI layer references ([#659](https://github.com/promptfoo/modelaudit/issues/659)) ([722131a](https://github.com/promptfoo/modelaudit/commit/722131a554e1e149c1a996a43acdafbb0fce66f1)) +* remove pickle hasattr allowlist entries ([#692](https://github.com/promptfoo/modelaudit/issues/692)) ([4d64cc8](https://github.com/promptfoo/modelaudit/commit/4d64cc80da940ccb9deb6f1d9f716010eba981e9)) +* resolve bare torchserve handler modules ([#664](https://github.com/promptfoo/modelaudit/issues/664)) ([3ae3535](https://github.com/promptfoo/modelaudit/commit/3ae3535b0b69408b939b7e9e2586823949fba56b)) +* restore raw telemetry fields and harden model_name extraction ([#649](https://github.com/promptfoo/modelaudit/issues/649)) ([275f087](https://github.com/promptfoo/modelaudit/commit/275f087eb28860b88b8494fa11fcea9472121d9e)) 
+* restrict trusted jfrog hosts for auth ([#661](https://github.com/promptfoo/modelaudit/issues/661)) ([d959a0d](https://github.com/promptfoo/modelaudit/commit/d959a0d49f0a463ec4ea8165a8e434c89c4222b8)) +* route compound tar wrappers to tar scanner ([#707](https://github.com/promptfoo/modelaudit/issues/707)) ([79c0772](https://github.com/promptfoo/modelaudit/commit/79c0772cd87ec92c867a0208db66c4d82650baf7)) +* route oci layer members via extracted paths ([#663](https://github.com/promptfoo/modelaudit/issues/663)) ([1395af0](https://github.com/promptfoo/modelaudit/commit/1395af091d04b206f7253d540f176df5f5f210c0)) +* scan TensorFlow SavedModel function definitions for dangerous ops ([#677](https://github.com/promptfoo/modelaudit/issues/677)) ([31f4715](https://github.com/promptfoo/modelaudit/commit/31f471514426196c4ca47cf4b2b82d73680b6b07)) +* **security:** detect nested kwargs URLs in CVE-2025-8747 check ([#682](https://github.com/promptfoo/modelaudit/issues/682)) ([9431fae](https://github.com/promptfoo/modelaudit/commit/9431fae04fa6341f7dade9a454f8dce8bbf640d2)) +* **security:** restore ZIP fallback scanning for invalid .mar archives ([#711](https://github.com/promptfoo/modelaudit/issues/711)) ([55de730](https://github.com/promptfoo/modelaudit/commit/55de730c16c0acd09cf1faa788685f792c94d00a)) +* **security:** use conservative PyTorch version selection for CVE checks ([#684](https://github.com/promptfoo/modelaudit/issues/684)) ([ef5c5e6](https://github.com/promptfoo/modelaudit/commit/ef5c5e639218c4d67de3898b710a4e041f3032ea)) +* stop importing dotenv in jfrog helper ([#662](https://github.com/promptfoo/modelaudit/issues/662)) ([d20fda3](https://github.com/promptfoo/modelaudit/commit/d20fda315a8e05106d25d212d026b2b602b4a586)) +* stream tar member extraction during scan ([#665](https://github.com/promptfoo/modelaudit/issues/665)) ([3de3048](https://github.com/promptfoo/modelaudit/commit/3de30487328738b2d8c62f203576d52b3c20409a)) +* tighten dill MemoryError downgrade 
gating ([5eefa15](https://github.com/promptfoo/modelaudit/commit/5eefa15dad4e0b407c235da2eed3278c1f056bf1)) +* tighten llamafile runtime allowlist matching ([#683](https://github.com/promptfoo/modelaudit/issues/683)) ([8592a80](https://github.com/promptfoo/modelaudit/commit/8592a8075d9633bbbf6e32da5f5f9a250fe0479a)) +* use major GitHub Action refs ([#680](https://github.com/promptfoo/modelaudit/issues/680)) ([7965314](https://github.com/promptfoo/modelaudit/commit/7965314d2d0533795bd403fd32b591a2cb00a77a)) + ## [0.2.27](https://github.com/promptfoo/modelaudit/compare/v0.2.26...v0.2.27) (2026-03-05) ### Features diff --git a/pyproject.toml b/pyproject.toml index 08b3df77..8aaa1bc5 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "hatchling.build" [project] name = "modelaudit" -version = "0.2.27" +version = "0.2.28" description = "Static scanning library for detecting malicious code, backdoors, and other security risks in ML model files" authors = [ { name = "Ian Webster", email = "ian@promptfoo.dev" }, From 5f267796c2987100497086594edbeab6641360ea Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 18 Mar 2026 15:20:51 +0000 Subject: [PATCH 2/3] chore: sync uv.lock with pyproject.toml version bump --- uv.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uv.lock b/uv.lock index 6d373fc8..2e6f41ee 100644 --- a/uv.lock +++ b/uv.lock @@ -2749,7 +2749,7 @@ wheels = [ [[package]] name = "modelaudit" -version = "0.2.27" +version = "0.2.28" source = { editable = "." } dependencies = [ { name = "click" }, From 591da53a13089fff6656b315e06dedbd7e5cb05a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 18 Mar 2026 15:20:58 +0000 Subject: [PATCH 3/3] chore: format CHANGELOG.md with prettier --- CHANGELOG.md | 96 +++++++++++++++++++++++++--------------------------- 1 file changed, 47 insertions(+), 49 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40e04207..feef3503 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,60 +7,58 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [0.2.28](https://github.com/promptfoo/modelaudit/compare/v0.2.27...v0.2.28) (2026-03-18) - ### Features -* add rule codes to all security checks ([#255](https://github.com/promptfoo/modelaudit/issues/255)) ([330e7df](https://github.com/promptfoo/modelaudit/commit/330e7df66407de9c8717d2c1d2ae33075c195d8b)) - +- add rule codes to all security checks ([#255](https://github.com/promptfoo/modelaudit/issues/255)) ([330e7df](https://github.com/promptfoo/modelaudit/commit/330e7df66407de9c8717d2c1d2ae33075c195d8b)) ### Bug Fixes -* add torch and numpy helper primitive coverage ([#706](https://github.com/promptfoo/modelaudit/issues/706)) ([b0a6a11](https://github.com/promptfoo/modelaudit/commit/b0a6a11b4d392e17214673362d218f1a44ac1396)) -* block dill recursive loader globals ([#695](https://github.com/promptfoo/modelaudit/issues/695)) ([0d88a4b](https://github.com/promptfoo/modelaudit/commit/0d88a4b8b2a7727297a5d742b27816b5599b7a28)) -* block legacy httplib pickle aliases ([#703](https://github.com/promptfoo/modelaudit/issues/703)) ([24b789a](https://github.com/promptfoo/modelaudit/commit/24b789a5a4c6ead716933171730f26a6abd118eb)) -* bound advanced pickle global extraction ([#700](https://github.com/promptfoo/modelaudit/issues/700)) ([d9fe283](https://github.com/promptfoo/modelaudit/commit/d9fe2834d3518ab412d05a52e5d191dcf6028df7)) -* bound skops zip entry reads and enforce uncompressed size limit ([#702](https://github.com/promptfoo/modelaudit/issues/702)) ([a91577d](https://github.com/promptfoo/modelaudit/commit/a91577d49fbe943c2e2e108deec06e63938bb499)) -* bound XZ decompression memory in r_serialized scanner ([26d5b44](https://github.com/promptfoo/modelaudit/commit/26d5b446e5de9a8726e21edb2d9e8f37898e0cf1)) -* bound zlib wrapper decompression output ([#681](https://github.com/promptfoo/modelaudit/issues/681)) 
([8bb9cc2](https://github.com/promptfoo/modelaudit/commit/8bb9cc2cc88faa34108d9d273237d40b53bf9e5f)) -* **ci:** reorder provenance job steps to prevent SBOM generation failure ([#646](https://github.com/promptfoo/modelaudit/issues/646)) ([d4ab381](https://github.com/promptfoo/modelaudit/commit/d4ab38162ed82f1aa13b1c8cef6892c764b386a8)) -* detect pickle proto structural tampering ([#697](https://github.com/promptfoo/modelaudit/issues/697)) ([0a8a737](https://github.com/promptfoo/modelaudit/commit/0a8a737af280d4e085e2945c190e5f4012ad17bc)) -* detect risky import-only pickle ML surfaces ([#696](https://github.com/promptfoo/modelaudit/issues/696)) ([a272307](https://github.com/promptfoo/modelaudit/commit/a272307ad73b8a2e508d73dcab5eaaaed21a38af)) -* expand dangerous pickle primitive coverage ([#705](https://github.com/promptfoo/modelaudit/issues/705)) ([40e45ac](https://github.com/promptfoo/modelaudit/commit/40e45acbdfabe4fb68ecb4a70b858635dd20aa73)) -* fail closed on malformed STACK_GLOBAL operands ([#704](https://github.com/promptfoo/modelaudit/issues/704)) ([9a1b9a1](https://github.com/promptfoo/modelaudit/commit/9a1b9a1b2dd899d8d510e9ec6bcd45cc3144a7d3)) -* handle Windows backslashes in XGBoost subprocess loader ([#656](https://github.com/promptfoo/modelaudit/issues/656)) ([ba30b81](https://github.com/promptfoo/modelaudit/commit/ba30b8111f0f31e4b235eb250120d9875cf522f5)) -* harden archive path sanitization ([#666](https://github.com/promptfoo/modelaudit/issues/666)) ([9d77d50](https://github.com/promptfoo/modelaudit/commit/9d77d50f4bc3b1ddc3d9f686edfbe04994481a82)) -* harden cloud download async/cache safety and cleanup ([#655](https://github.com/promptfoo/modelaudit/issues/655)) ([e14ea61](https://github.com/promptfoo/modelaudit/commit/e14ea61ce9a97dabe8992faa3b6f1b9a268ed757)) -* harden import-only pickle global detection ([#691](https://github.com/promptfoo/modelaudit/issues/691)) 
([d27d90d](https://github.com/promptfoo/modelaudit/commit/d27d90da844fe79ab8b2fa107440bf6f188fcd44)) -* harden keras custom object detection ([#694](https://github.com/promptfoo/modelaudit/issues/694)) ([7651298](https://github.com/promptfoo/modelaudit/commit/765129807f51b8338e2d5cf8a23c94ae90a04dca)) -* harden rule config parsing and debug path privacy ([#648](https://github.com/promptfoo/modelaudit/issues/648)) ([a073187](https://github.com/promptfoo/modelaudit/commit/a073187c9d84b57b6422f8ec0b00fc9ecf5e4080)) -* harden shared config writes and archive path sanitization ([#660](https://github.com/promptfoo/modelaudit/issues/660)) ([60de400](https://github.com/promptfoo/modelaudit/commit/60de400f6eaefa7dfc5cced95def8a731a5a643e)) -* harden xgboost subprocess import isolation ([#701](https://github.com/promptfoo/modelaudit/issues/701)) ([2df2d78](https://github.com/promptfoo/modelaudit/commit/2df2d78a6c61d79d39ce8a7148a63a0b9aa2b624)) -* include streamed artifacts in SBOM output for --stream scans ([#672](https://github.com/promptfoo/modelaudit/issues/672)) ([48d8d54](https://github.com/promptfoo/modelaudit/commit/48d8d540bfacd4e67409cdc24083320c937be790)) -* keras attack-vector fixes for coverage gaps in h5 and keras zip scanning ([#689](https://github.com/promptfoo/modelaudit/issues/689)) ([863c884](https://github.com/promptfoo/modelaudit/commit/863c8849f5c4baa654035a0f1df518d984d41624)) -* mark flaky timing test as performance to skip in CI ([#670](https://github.com/promptfoo/modelaudit/issues/670)) ([9c47f7e](https://github.com/promptfoo/modelaudit/commit/9c47f7eb3a84bb4bbe7d3bce94c0ba1c1330bace)) -* preserve duplicate paths with spaces ([#690](https://github.com/promptfoo/modelaudit/issues/690)) ([ea7c6d9](https://github.com/promptfoo/modelaudit/commit/ea7c6d98c4edea8c2bb14216951c8a61d8f46619)) -* preserve Hugging Face artifacts in SBOM output ([#673](https://github.com/promptfoo/modelaudit/issues/673)) 
([49c7eca](https://github.com/promptfoo/modelaudit/commit/49c7ecadc83f125d04ac2c80151c6d04d4ed77db)) -* preserve rule codes through scan aggregation ([#650](https://github.com/promptfoo/modelaudit/issues/650)) ([d71a219](https://github.com/promptfoo/modelaudit/commit/d71a219d02ec1e82302efa5bd5990707e7d10231)) -* prevent jfrog folder download path traversal ([#679](https://github.com/promptfoo/modelaudit/issues/679)) ([6f226a4](https://github.com/promptfoo/modelaudit/commit/6f226a419e41a41a7d091d7c39cd07b0c8d21010)) -* prevent unbounded tensor proto allocations in TF weight extraction ([#685](https://github.com/promptfoo/modelaudit/issues/685)) ([ae2b01c](https://github.com/promptfoo/modelaudit/commit/ae2b01cd6f761c907116099b8d3e2d75b9306c8e)) -* reduce Keras ZIP custom-object false positives ([#716](https://github.com/promptfoo/modelaudit/issues/716)) ([165b238](https://github.com/promptfoo/modelaudit/commit/165b238625c54432ba54f86fafc32743ea903a85)) -* refresh telemetry client state ([#658](https://github.com/promptfoo/modelaudit/issues/658)) ([7b6ea2f](https://github.com/promptfoo/modelaudit/commit/7b6ea2f3a90749ec8e21b2d47b1d0b2e644502d4)) -* reject absolute OCI layer references ([#659](https://github.com/promptfoo/modelaudit/issues/659)) ([722131a](https://github.com/promptfoo/modelaudit/commit/722131a554e1e149c1a996a43acdafbb0fce66f1)) -* remove pickle hasattr allowlist entries ([#692](https://github.com/promptfoo/modelaudit/issues/692)) ([4d64cc8](https://github.com/promptfoo/modelaudit/commit/4d64cc80da940ccb9deb6f1d9f716010eba981e9)) -* resolve bare torchserve handler modules ([#664](https://github.com/promptfoo/modelaudit/issues/664)) ([3ae3535](https://github.com/promptfoo/modelaudit/commit/3ae3535b0b69408b939b7e9e2586823949fba56b)) -* restore raw telemetry fields and harden model_name extraction ([#649](https://github.com/promptfoo/modelaudit/issues/649)) ([275f087](https://github.com/promptfoo/modelaudit/commit/275f087eb28860b88b8494fa11fcea9472121d9e)) 
-* restrict trusted jfrog hosts for auth ([#661](https://github.com/promptfoo/modelaudit/issues/661)) ([d959a0d](https://github.com/promptfoo/modelaudit/commit/d959a0d49f0a463ec4ea8165a8e434c89c4222b8)) -* route compound tar wrappers to tar scanner ([#707](https://github.com/promptfoo/modelaudit/issues/707)) ([79c0772](https://github.com/promptfoo/modelaudit/commit/79c0772cd87ec92c867a0208db66c4d82650baf7)) -* route oci layer members via extracted paths ([#663](https://github.com/promptfoo/modelaudit/issues/663)) ([1395af0](https://github.com/promptfoo/modelaudit/commit/1395af091d04b206f7253d540f176df5f5f210c0)) -* scan TensorFlow SavedModel function definitions for dangerous ops ([#677](https://github.com/promptfoo/modelaudit/issues/677)) ([31f4715](https://github.com/promptfoo/modelaudit/commit/31f471514426196c4ca47cf4b2b82d73680b6b07)) -* **security:** detect nested kwargs URLs in CVE-2025-8747 check ([#682](https://github.com/promptfoo/modelaudit/issues/682)) ([9431fae](https://github.com/promptfoo/modelaudit/commit/9431fae04fa6341f7dade9a454f8dce8bbf640d2)) -* **security:** restore ZIP fallback scanning for invalid .mar archives ([#711](https://github.com/promptfoo/modelaudit/issues/711)) ([55de730](https://github.com/promptfoo/modelaudit/commit/55de730c16c0acd09cf1faa788685f792c94d00a)) -* **security:** use conservative PyTorch version selection for CVE checks ([#684](https://github.com/promptfoo/modelaudit/issues/684)) ([ef5c5e6](https://github.com/promptfoo/modelaudit/commit/ef5c5e639218c4d67de3898b710a4e041f3032ea)) -* stop importing dotenv in jfrog helper ([#662](https://github.com/promptfoo/modelaudit/issues/662)) ([d20fda3](https://github.com/promptfoo/modelaudit/commit/d20fda315a8e05106d25d212d026b2b602b4a586)) -* stream tar member extraction during scan ([#665](https://github.com/promptfoo/modelaudit/issues/665)) ([3de3048](https://github.com/promptfoo/modelaudit/commit/3de30487328738b2d8c62f203576d52b3c20409a)) -* tighten dill MemoryError downgrade 
gating ([5eefa15](https://github.com/promptfoo/modelaudit/commit/5eefa15dad4e0b407c235da2eed3278c1f056bf1)) -* tighten llamafile runtime allowlist matching ([#683](https://github.com/promptfoo/modelaudit/issues/683)) ([8592a80](https://github.com/promptfoo/modelaudit/commit/8592a8075d9633bbbf6e32da5f5f9a250fe0479a)) -* use major GitHub Action refs ([#680](https://github.com/promptfoo/modelaudit/issues/680)) ([7965314](https://github.com/promptfoo/modelaudit/commit/7965314d2d0533795bd403fd32b591a2cb00a77a)) +- add torch and numpy helper primitive coverage ([#706](https://github.com/promptfoo/modelaudit/issues/706)) ([b0a6a11](https://github.com/promptfoo/modelaudit/commit/b0a6a11b4d392e17214673362d218f1a44ac1396)) +- block dill recursive loader globals ([#695](https://github.com/promptfoo/modelaudit/issues/695)) ([0d88a4b](https://github.com/promptfoo/modelaudit/commit/0d88a4b8b2a7727297a5d742b27816b5599b7a28)) +- block legacy httplib pickle aliases ([#703](https://github.com/promptfoo/modelaudit/issues/703)) ([24b789a](https://github.com/promptfoo/modelaudit/commit/24b789a5a4c6ead716933171730f26a6abd118eb)) +- bound advanced pickle global extraction ([#700](https://github.com/promptfoo/modelaudit/issues/700)) ([d9fe283](https://github.com/promptfoo/modelaudit/commit/d9fe2834d3518ab412d05a52e5d191dcf6028df7)) +- bound skops zip entry reads and enforce uncompressed size limit ([#702](https://github.com/promptfoo/modelaudit/issues/702)) ([a91577d](https://github.com/promptfoo/modelaudit/commit/a91577d49fbe943c2e2e108deec06e63938bb499)) +- bound XZ decompression memory in r_serialized scanner ([26d5b44](https://github.com/promptfoo/modelaudit/commit/26d5b446e5de9a8726e21edb2d9e8f37898e0cf1)) +- bound zlib wrapper decompression output ([#681](https://github.com/promptfoo/modelaudit/issues/681)) ([8bb9cc2](https://github.com/promptfoo/modelaudit/commit/8bb9cc2cc88faa34108d9d273237d40b53bf9e5f)) +- **ci:** reorder provenance job steps to prevent SBOM generation failure 
([#646](https://github.com/promptfoo/modelaudit/issues/646)) ([d4ab381](https://github.com/promptfoo/modelaudit/commit/d4ab38162ed82f1aa13b1c8cef6892c764b386a8)) +- detect pickle proto structural tampering ([#697](https://github.com/promptfoo/modelaudit/issues/697)) ([0a8a737](https://github.com/promptfoo/modelaudit/commit/0a8a737af280d4e085e2945c190e5f4012ad17bc)) +- detect risky import-only pickle ML surfaces ([#696](https://github.com/promptfoo/modelaudit/issues/696)) ([a272307](https://github.com/promptfoo/modelaudit/commit/a272307ad73b8a2e508d73dcab5eaaaed21a38af)) +- expand dangerous pickle primitive coverage ([#705](https://github.com/promptfoo/modelaudit/issues/705)) ([40e45ac](https://github.com/promptfoo/modelaudit/commit/40e45acbdfabe4fb68ecb4a70b858635dd20aa73)) +- fail closed on malformed STACK_GLOBAL operands ([#704](https://github.com/promptfoo/modelaudit/issues/704)) ([9a1b9a1](https://github.com/promptfoo/modelaudit/commit/9a1b9a1b2dd899d8d510e9ec6bcd45cc3144a7d3)) +- handle Windows backslashes in XGBoost subprocess loader ([#656](https://github.com/promptfoo/modelaudit/issues/656)) ([ba30b81](https://github.com/promptfoo/modelaudit/commit/ba30b8111f0f31e4b235eb250120d9875cf522f5)) +- harden archive path sanitization ([#666](https://github.com/promptfoo/modelaudit/issues/666)) ([9d77d50](https://github.com/promptfoo/modelaudit/commit/9d77d50f4bc3b1ddc3d9f686edfbe04994481a82)) +- harden cloud download async/cache safety and cleanup ([#655](https://github.com/promptfoo/modelaudit/issues/655)) ([e14ea61](https://github.com/promptfoo/modelaudit/commit/e14ea61ce9a97dabe8992faa3b6f1b9a268ed757)) +- harden import-only pickle global detection ([#691](https://github.com/promptfoo/modelaudit/issues/691)) ([d27d90d](https://github.com/promptfoo/modelaudit/commit/d27d90da844fe79ab8b2fa107440bf6f188fcd44)) +- harden keras custom object detection ([#694](https://github.com/promptfoo/modelaudit/issues/694)) 
([7651298](https://github.com/promptfoo/modelaudit/commit/765129807f51b8338e2d5cf8a23c94ae90a04dca)) +- harden rule config parsing and debug path privacy ([#648](https://github.com/promptfoo/modelaudit/issues/648)) ([a073187](https://github.com/promptfoo/modelaudit/commit/a073187c9d84b57b6422f8ec0b00fc9ecf5e4080)) +- harden shared config writes and archive path sanitization ([#660](https://github.com/promptfoo/modelaudit/issues/660)) ([60de400](https://github.com/promptfoo/modelaudit/commit/60de400f6eaefa7dfc5cced95def8a731a5a643e)) +- harden xgboost subprocess import isolation ([#701](https://github.com/promptfoo/modelaudit/issues/701)) ([2df2d78](https://github.com/promptfoo/modelaudit/commit/2df2d78a6c61d79d39ce8a7148a63a0b9aa2b624)) +- include streamed artifacts in SBOM output for --stream scans ([#672](https://github.com/promptfoo/modelaudit/issues/672)) ([48d8d54](https://github.com/promptfoo/modelaudit/commit/48d8d540bfacd4e67409cdc24083320c937be790)) +- keras attack-vector fixes for coverage gaps in h5 and keras zip scanning ([#689](https://github.com/promptfoo/modelaudit/issues/689)) ([863c884](https://github.com/promptfoo/modelaudit/commit/863c8849f5c4baa654035a0f1df518d984d41624)) +- mark flaky timing test as performance to skip in CI ([#670](https://github.com/promptfoo/modelaudit/issues/670)) ([9c47f7e](https://github.com/promptfoo/modelaudit/commit/9c47f7eb3a84bb4bbe7d3bce94c0ba1c1330bace)) +- preserve duplicate paths with spaces ([#690](https://github.com/promptfoo/modelaudit/issues/690)) ([ea7c6d9](https://github.com/promptfoo/modelaudit/commit/ea7c6d98c4edea8c2bb14216951c8a61d8f46619)) +- preserve Hugging Face artifacts in SBOM output ([#673](https://github.com/promptfoo/modelaudit/issues/673)) ([49c7eca](https://github.com/promptfoo/modelaudit/commit/49c7ecadc83f125d04ac2c80151c6d04d4ed77db)) +- preserve rule codes through scan aggregation ([#650](https://github.com/promptfoo/modelaudit/issues/650)) 
([d71a219](https://github.com/promptfoo/modelaudit/commit/d71a219d02ec1e82302efa5bd5990707e7d10231)) +- prevent jfrog folder download path traversal ([#679](https://github.com/promptfoo/modelaudit/issues/679)) ([6f226a4](https://github.com/promptfoo/modelaudit/commit/6f226a419e41a41a7d091d7c39cd07b0c8d21010)) +- prevent unbounded tensor proto allocations in TF weight extraction ([#685](https://github.com/promptfoo/modelaudit/issues/685)) ([ae2b01c](https://github.com/promptfoo/modelaudit/commit/ae2b01cd6f761c907116099b8d3e2d75b9306c8e)) +- reduce Keras ZIP custom-object false positives ([#716](https://github.com/promptfoo/modelaudit/issues/716)) ([165b238](https://github.com/promptfoo/modelaudit/commit/165b238625c54432ba54f86fafc32743ea903a85)) +- refresh telemetry client state ([#658](https://github.com/promptfoo/modelaudit/issues/658)) ([7b6ea2f](https://github.com/promptfoo/modelaudit/commit/7b6ea2f3a90749ec8e21b2d47b1d0b2e644502d4)) +- reject absolute OCI layer references ([#659](https://github.com/promptfoo/modelaudit/issues/659)) ([722131a](https://github.com/promptfoo/modelaudit/commit/722131a554e1e149c1a996a43acdafbb0fce66f1)) +- remove pickle hasattr allowlist entries ([#692](https://github.com/promptfoo/modelaudit/issues/692)) ([4d64cc8](https://github.com/promptfoo/modelaudit/commit/4d64cc80da940ccb9deb6f1d9f716010eba981e9)) +- resolve bare torchserve handler modules ([#664](https://github.com/promptfoo/modelaudit/issues/664)) ([3ae3535](https://github.com/promptfoo/modelaudit/commit/3ae3535b0b69408b939b7e9e2586823949fba56b)) +- restore raw telemetry fields and harden model_name extraction ([#649](https://github.com/promptfoo/modelaudit/issues/649)) ([275f087](https://github.com/promptfoo/modelaudit/commit/275f087eb28860b88b8494fa11fcea9472121d9e)) +- restrict trusted jfrog hosts for auth ([#661](https://github.com/promptfoo/modelaudit/issues/661)) ([d959a0d](https://github.com/promptfoo/modelaudit/commit/d959a0d49f0a463ec4ea8165a8e434c89c4222b8)) +- 
route compound tar wrappers to tar scanner ([#707](https://github.com/promptfoo/modelaudit/issues/707)) ([79c0772](https://github.com/promptfoo/modelaudit/commit/79c0772cd87ec92c867a0208db66c4d82650baf7)) +- route oci layer members via extracted paths ([#663](https://github.com/promptfoo/modelaudit/issues/663)) ([1395af0](https://github.com/promptfoo/modelaudit/commit/1395af091d04b206f7253d540f176df5f5f210c0)) +- scan TensorFlow SavedModel function definitions for dangerous ops ([#677](https://github.com/promptfoo/modelaudit/issues/677)) ([31f4715](https://github.com/promptfoo/modelaudit/commit/31f471514426196c4ca47cf4b2b82d73680b6b07)) +- **security:** detect nested kwargs URLs in CVE-2025-8747 check ([#682](https://github.com/promptfoo/modelaudit/issues/682)) ([9431fae](https://github.com/promptfoo/modelaudit/commit/9431fae04fa6341f7dade9a454f8dce8bbf640d2)) +- **security:** restore ZIP fallback scanning for invalid .mar archives ([#711](https://github.com/promptfoo/modelaudit/issues/711)) ([55de730](https://github.com/promptfoo/modelaudit/commit/55de730c16c0acd09cf1faa788685f792c94d00a)) +- **security:** use conservative PyTorch version selection for CVE checks ([#684](https://github.com/promptfoo/modelaudit/issues/684)) ([ef5c5e6](https://github.com/promptfoo/modelaudit/commit/ef5c5e639218c4d67de3898b710a4e041f3032ea)) +- stop importing dotenv in jfrog helper ([#662](https://github.com/promptfoo/modelaudit/issues/662)) ([d20fda3](https://github.com/promptfoo/modelaudit/commit/d20fda315a8e05106d25d212d026b2b602b4a586)) +- stream tar member extraction during scan ([#665](https://github.com/promptfoo/modelaudit/issues/665)) ([3de3048](https://github.com/promptfoo/modelaudit/commit/3de30487328738b2d8c62f203576d52b3c20409a)) +- tighten dill MemoryError downgrade gating ([5eefa15](https://github.com/promptfoo/modelaudit/commit/5eefa15dad4e0b407c235da2eed3278c1f056bf1)) +- tighten llamafile runtime allowlist matching 
([#683](https://github.com/promptfoo/modelaudit/issues/683)) ([8592a80](https://github.com/promptfoo/modelaudit/commit/8592a8075d9633bbbf6e32da5f5f9a250fe0479a)) +- use major GitHub Action refs ([#680](https://github.com/promptfoo/modelaudit/issues/680)) ([7965314](https://github.com/promptfoo/modelaudit/commit/7965314d2d0533795bd403fd32b591a2cb00a77a)) ## [0.2.27](https://github.com/promptfoo/modelaudit/compare/v0.2.26...v0.2.27) (2026-03-05)
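Review bot: The CHANGELOG hunk in the first commit tags only three Bug Fixes entries with the **security:** scope, yet several others in the same list describe the same class of fix and will be missed by anyone filtering the changelog on that scope: `prevent jfrog folder download path traversal (#679)`, `harden archive path sanitization (#666)`, `restrict trusted jfrog hosts for auth (#661)`, and the decompression-bound entries (#681, #702, commit 26d5b44). Because release-please copies commit subjects verbatim, the fix belongs in the commit convention (use the `security` scope for hardening commits) rather than in this generated file. Two entries also carry no issue or PR link (`bound XZ decompression memory in r_serialized scanner` and `tighten dill MemoryError downgrade gating`), which suggests they were pushed to main directly; if branch protection is expected to require a PR for every change, that is worth checking.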
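Review bot: The 0.2.28 section opens with a Features entry (`add rule codes to all security checks`, #255) while the changelog header states the project adheres to Semantic Versioning; under SemVer a new feature is a minor bump, and the manifest and pyproject hunks only move 0.2.27 to 0.2.28 because release-please collapses feature bumps to patch bumps before 1.0. That is acceptable if intentional, but consumers who pin to a patch range will pick up new rule codes in scan output on what looks like a patch upgrade; stating the pre-1.0 bump policy in the changelog header or README would make this explicit.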
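Review bot: In the second commit `uv.lock` is bumped separately from `pyproject.toml`, so at commit 231f20a the lock file still reads `version = "0.2.27"` while the project reads `0.2.28`; any checkout of that commit that runs `uv sync --locked` fails until 5f26779 lands. Squash the two, or let release-please rewrite the `version = "0.2.27"` line in uv.lock through its `extra-files` configuration, so that every commit on main is self-consistent.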
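Review bot: The third commit only restyles the section the first commit generated (`*` bullets to `-`, blank lines around the headings dropped), so the release PR touches CHANGELOG.md twice and the file's history is doubled on every release. Either add `CHANGELOG.md` to `.prettierignore` or fold the prettier run into the release commit so the generated file lands once. The reflow should also be confirmed as whitespace-only (no entry text or link changed); running `prettier --check` in CI instead of rewriting in the release workflow makes that easier to review.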