promptfoo · github-actions · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "0.2.27"
+  ".": "0.2.28"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,61 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.28](https://github.com/promptfoo/modelaudit/compare/v0.2.27...v0.2.28) (2026-03-18)
+
+### Features
+
+- add rule codes to all security checks ([#255](https://github.com/promptfoo/modelaudit/issues/255)) ([330e7df](https://github.com/promptfoo/modelaudit/commit/330e7df66407de9c8717d2c1d2ae33075c195d8b))
+
+### Bug Fixes
+
+- add torch and numpy helper primitive coverage ([#706](https://github.com/promptfoo/modelaudit/issues/706)) ([b0a6a11](https://github.com/promptfoo/modelaudit/commit/b0a6a11b4d392e17214673362d218f1a44ac1396))
+- block dill recursive loader globals ([#695](https://github.com/promptfoo/modelaudit/issues/695)) ([0d88a4b](https://github.com/promptfoo/modelaudit/commit/0d88a4b8b2a7727297a5d742b27816b5599b7a28))
+- block legacy httplib pickle aliases ([#703](https://github.com/promptfoo/modelaudit/issues/703)) ([24b789a](https://github.com/promptfoo/modelaudit/commit/24b789a5a4c6ead716933171730f26a6abd118eb))
+- bound advanced pickle global extraction ([#700](https://github.com/promptfoo/modelaudit/issues/700)) ([d9fe283](https://github.com/promptfoo/modelaudit/commit/d9fe2834d3518ab412d05a52e5d191dcf6028df7))
+- bound skops zip entry reads and enforce uncompressed size limit ([#702](https://github.com/promptfoo/modelaudit/issues/702)) ([a91577d](https://github.com/promptfoo/modelaudit/commit/a91577d49fbe943c2e2e108deec06e63938bb499))
+- bound XZ decompression memory in r_serialized scanner ([26d5b44](https://github.com/promptfoo/modelaudit/commit/26d5b446e5de9a8726e21edb2d9e8f37898e0cf1))
+- bound zlib wrapper decompression output ([#681](https://github.com/promptfoo/modelaudit/issues/681)) ([8bb9cc2](https://github.com/promptfoo/modelaudit/commit/8bb9cc2cc88faa34108d9d273237d40b53bf9e5f))
+- **ci:** reorder provenance job steps to prevent SBOM generation failure ([#646](https://github.com/promptfoo/modelaudit/issues/646)) ([d4ab381](https://github.com/promptfoo/modelaudit/commit/d4ab38162ed82f1aa13b1c8cef6892c764b386a8))
+- detect pickle proto structural tampering ([#697](https://github.com/promptfoo/modelaudit/issues/697)) ([0a8a737](https://github.com/promptfoo/modelaudit/commit/0a8a737af280d4e085e2945c190e5f4012ad17bc))
+- detect risky import-only pickle ML surfaces ([#696](https://github.com/promptfoo/modelaudit/issues/696)) ([a272307](https://github.com/promptfoo/modelaudit/commit/a272307ad73b8a2e508d73dcab5eaaaed21a38af))
+- expand dangerous pickle primitive coverage ([#705](https://github.com/promptfoo/modelaudit/issues/705)) ([40e45ac](https://github.com/promptfoo/modelaudit/commit/40e45acbdfabe4fb68ecb4a70b858635dd20aa73))
+- fail closed on malformed STACK_GLOBAL operands ([#704](https://github.com/promptfoo/modelaudit/issues/704)) ([9a1b9a1](https://github.com/promptfoo/modelaudit/commit/9a1b9a1b2dd899d8d510e9ec6bcd45cc3144a7d3))
+- handle Windows backslashes in XGBoost subprocess loader ([#656](https://github.com/promptfoo/modelaudit/issues/656)) ([ba30b81](https://github.com/promptfoo/modelaudit/commit/ba30b8111f0f31e4b235eb250120d9875cf522f5))
+- harden archive path sanitization ([#666](https://github.com/promptfoo/modelaudit/issues/666)) ([9d77d50](https://github.com/promptfoo/modelaudit/commit/9d77d50f4bc3b1ddc3d9f686edfbe04994481a82))
+- harden cloud download async/cache safety and cleanup ([#655](https://github.com/promptfoo/modelaudit/issues/655)) ([e14ea61](https://github.com/promptfoo/modelaudit/commit/e14ea61ce9a97dabe8992faa3b6f1b9a268ed757))
+- harden import-only pickle global detection ([#691](https://github.com/promptfoo/modelaudit/issues/691)) ([d27d90d](https://github.com/promptfoo/modelaudit/commit/d27d90da844fe79ab8b2fa107440bf6f188fcd44))
+- harden keras custom object detection ([#694](https://github.com/promptfoo/modelaudit/issues/694)) ([7651298](https://github.com/promptfoo/modelaudit/commit/765129807f51b8338e2d5cf8a23c94ae90a04dca))
+- harden rule config parsing and debug path privacy ([#648](https://github.com/promptfoo/modelaudit/issues/648)) ([a073187](https://github.com/promptfoo/modelaudit/commit/a073187c9d84b57b6422f8ec0b00fc9ecf5e4080))
+- harden shared config writes and archive path sanitization ([#660](https://github.com/promptfoo/modelaudit/issues/660)) ([60de400](https://github.com/promptfoo/modelaudit/commit/60de400f6eaefa7dfc5cced95def8a731a5a643e))
+- harden xgboost subprocess import isolation ([#701](https://github.com/promptfoo/modelaudit/issues/701)) ([2df2d78](https://github.com/promptfoo/modelaudit/commit/2df2d78a6c61d79d39ce8a7148a63a0b9aa2b624))
+- include streamed artifacts in SBOM output for --stream scans ([#672](https://github.com/promptfoo/modelaudit/issues/672)) ([48d8d54](https://github.com/promptfoo/modelaudit/commit/48d8d540bfacd4e67409cdc24083320c937be790))
+- keras attack-vector fixes for coverage gaps in h5 and keras zip scanning ([#689](https://github.com/promptfoo/modelaudit/issues/689)) ([863c884](https://github.com/promptfoo/modelaudit/commit/863c8849f5c4baa654035a0f1df518d984d41624))
+- mark flaky timing test as performance to skip in CI ([#670](https://github.com/promptfoo/modelaudit/issues/670)) ([9c47f7e](https://github.com/promptfoo/modelaudit/commit/9c47f7eb3a84bb4bbe7d3bce94c0ba1c1330bace))
+- preserve duplicate paths with spaces ([#690](https://github.com/promptfoo/modelaudit/issues/690)) ([ea7c6d9](https://github.com/promptfoo/modelaudit/commit/ea7c6d98c4edea8c2bb14216951c8a61d8f46619))
+- preserve Hugging Face artifacts in SBOM output ([#673](https://github.com/promptfoo/modelaudit/issues/673)) ([49c7eca](https://github.com/promptfoo/modelaudit/commit/49c7ecadc83f125d04ac2c80151c6d04d4ed77db))
+- preserve rule codes through scan aggregation ([#650](https://github.com/promptfoo/modelaudit/issues/650)) ([d71a219](https://github.com/promptfoo/modelaudit/commit/d71a219d02ec1e82302efa5bd5990707e7d10231))
+- prevent jfrog folder download path traversal ([#679](https://github.com/promptfoo/modelaudit/issues/679)) ([6f226a4](https://github.com/promptfoo/modelaudit/commit/6f226a419e41a41a7d091d7c39cd07b0c8d21010))
+- prevent unbounded tensor proto allocations in TF weight extraction ([#685](https://github.com/promptfoo/modelaudit/issues/685)) ([ae2b01c](https://github.com/promptfoo/modelaudit/commit/ae2b01cd6f761c907116099b8d3e2d75b9306c8e))
+- reduce Keras ZIP custom-object false positives ([#716](https://github.com/promptfoo/modelaudit/issues/716)) ([165b238](https://github.com/promptfoo/modelaudit/commit/165b238625c54432ba54f86fafc32743ea903a85))
+- refresh telemetry client state ([#658](https://github.com/promptfoo/modelaudit/issues/658)) ([7b6ea2f](https://github.com/promptfoo/modelaudit/commit/7b6ea2f3a90749ec8e21b2d47b1d0b2e644502d4))
+- reject absolute OCI layer references ([#659](https://github.com/promptfoo/modelaudit/issues/659)) ([722131a](https://github.com/promptfoo/modelaudit/commit/722131a554e1e149c1a996a43acdafbb0fce66f1))
+- remove pickle hasattr allowlist entries ([#692](https://github.com/promptfoo/modelaudit/issues/692)) ([4d64cc8](https://github.com/promptfoo/modelaudit/commit/4d64cc80da940ccb9deb6f1d9f716010eba981e9))
+- resolve bare torchserve handler modules ([#664](https://github.com/promptfoo/modelaudit/issues/664)) ([3ae3535](https://github.com/promptfoo/modelaudit/commit/3ae3535b0b69408b939b7e9e2586823949fba56b))
+- restore raw telemetry fields and harden model_name extraction ([#649](https://github.com/promptfoo/modelaudit/issues/649)) ([275f087](https://github.com/promptfoo/modelaudit/commit/275f087eb28860b88b8494fa11fcea9472121d9e))
+- restrict trusted jfrog hosts for auth ([#661](https://github.com/promptfoo/modelaudit/issues/661)) ([d959a0d](https://github.com/promptfoo/modelaudit/commit/d959a0d49f0a463ec4ea8165a8e434c89c4222b8))
+- route compound tar wrappers to tar scanner ([#707](https://github.com/promptfoo/modelaudit/issues/707)) ([79c0772](https://github.com/promptfoo/modelaudit/commit/79c0772cd87ec92c867a0208db66c4d82650baf7))
+- route oci layer members via extracted paths ([#663](https://github.com/promptfoo/modelaudit/issues/663)) ([1395af0](https://github.com/promptfoo/modelaudit/commit/1395af091d04b206f7253d540f176df5f5f210c0))
+- scan TensorFlow SavedModel function definitions for dangerous ops ([#677](https://github.com/promptfoo/modelaudit/issues/677)) ([31f4715](https://github.com/promptfoo/modelaudit/commit/31f471514426196c4ca47cf4b2b82d73680b6b07))
+- **security:** detect nested kwargs URLs in CVE-2025-8747 check ([#682](https://github.com/promptfoo/modelaudit/issues/682)) ([9431fae](https://github.com/promptfoo/modelaudit/commit/9431fae04fa6341f7dade9a454f8dce8bbf640d2))
+- **security:** restore ZIP fallback scanning for invalid .mar archives ([#711](https://github.com/promptfoo/modelaudit/issues/711)) ([55de730](https://github.com/promptfoo/modelaudit/commit/55de730c16c0acd09cf1faa788685f792c94d00a))
+- **security:** use conservative PyTorch version selection for CVE checks ([#684](https://github.com/promptfoo/modelaudit/issues/684)) ([ef5c5e6](https://github.com/promptfoo/modelaudit/commit/ef5c5e639218c4d67de3898b710a4e041f3032ea))
+- stop importing dotenv in jfrog helper ([#662](https://github.com/promptfoo/modelaudit/issues/662)) ([d20fda3](https://github.com/promptfoo/modelaudit/commit/d20fda315a8e05106d25d212d026b2b602b4a586))
+- stream tar member extraction during scan ([#665](https://github.com/promptfoo/modelaudit/issues/665)) ([3de3048](https://github.com/promptfoo/modelaudit/commit/3de30487328738b2d8c62f203576d52b3c20409a))
+- tighten dill MemoryError downgrade gating ([5eefa15](https://github.com/promptfoo/modelaudit/commit/5eefa15dad4e0b407c235da2eed3278c1f056bf1))
+- tighten llamafile runtime allowlist matching ([#683](https://github.com/promptfoo/modelaudit/issues/683)) ([8592a80](https://github.com/promptfoo/modelaudit/commit/8592a8075d9633bbbf6e32da5f5f9a250fe0479a))
+- use major GitHub Action refs ([#680](https://github.com/promptfoo/modelaudit/issues/680)) ([7965314](https://github.com/promptfoo/modelaudit/commit/7965314d2d0533795bd403fd32b591a2cb00a77a))
+
 ## [0.2.27](https://github.com/promptfoo/modelaudit/compare/v0.2.26...v0.2.27) (2026-03-05)
 
 ### Features

diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "modelaudit"
-version = "0.2.27"
+version = "0.2.28"
 description = "Static scanning library for detecting malicious code, backdoors, and other security risks in ML model files"
 authors = [
     { name = "Ian Webster", email = "ian@promptfoo.dev" },

diff --git a/uv.lock b/uv.lock