This release includes 1 security fix for security teams reviewing exposed deployments.
Published 17d
Developer Productivity
✓ No known CVEs patched
This release patches 1 known CVE
Topics
cli
code-quality
code-review
developer-tools
linter
noqa
pre-commit
rust
static-analysis
technical-debt
Affected surfaces
rce_ssrf
Summary
AI summary: Updates Other, main, and deps across a mixed release.
Full changelog
Fixed
- (main) render shame next snippet from registry, not disk (#80)
Other
- bump ruff from 0.15.12 to 0.15.13 (#77)
- bump taiki-e/install-action from 2.77.3 to 2.78.2 (#76)
- bump release-plz/action from 0.5.128 to 0.5.129 (#75)
- (deps) bump mako from 1.3.11 to 1.3.12 (#81)
- bump github/codeql-action from 4.35.4 to 4.35.5 (#78)
Security
- Fix path traversal in `shame next` that allowed a crafted
`shamefile.yaml` entry to disclose one line of any file readable by the
current user. The snippet renderer no longer reads from disk; output is
rendered from the registry's cached `content` field instead. CWE-22.
Security Fixes
- CVE‑2025‑XXXXX — Fix path traversal in `shame next` (CWE-22) by rendering snippets from registry's cached content field
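An added illustration of the fix described above, not Shamefile's own code. It renders one hypothetical `Entry` the pre-fix way (from disk) and the post-fix way (from the cached field). Only the `content` field is named in the changelog; the `file` and `line` fields, the function names and the fixture are assumptions.

```rust
use std::{env, fs, path::Path, process};

// Hypothetical entry shape: only `content` is named on the page.
struct Entry {
    file: String,    // path taken from shamefile.yaml, so untrusted
    line: usize,     // 1-based line number, also from the YAML
    content: String, // line text cached in the registry
}

// Pre-fix pattern: the untrusted path is joined to the project root and read.
// `..` segments (or an absolute path, which replaces `root` in `join`) escape it.
fn render_from_disk(root: &Path, e: &Entry) -> Option<String> {
    let text = fs::read_to_string(root.join(&e.file)).ok()?;
    let line = text.lines().nth(e.line.checked_sub(1)?)?;
    Some(format!("{}:{}: {}", e.file, e.line, line))
}

// Post-fix pattern: no filesystem access, so `file` is only ever a label.
fn render_from_registry(e: &Entry) -> String {
    format!("{}:{}: {}", e.file, e.line, e.content)
}

// Constructed fixture: a project directory with a sibling file outside it.
// Returns (pre-fix output, post-fix output) for an entry that points outside.
fn demo() -> (Option<String>, String) {
    let base = env::temp_dir().join(format!("shame-demo-{}", process::id()));
    let root = base.join("project");
    fs::create_dir_all(&root).unwrap();
    fs::write(base.join("outside.txt"), "OUTSIDE-PROJECT-LINE\n").unwrap();
    let e = Entry {
        file: "../outside.txt".into(),
        line: 1,
        content: "# TODO: cached at record time".into(),
    };
    let out = (render_from_disk(&root, &e), render_from_registry(&e));
    fs::remove_dir_all(&base).unwrap();
    out
}

fn main() {
    let (before, after) = demo();
    println!("pre-fix : {:?}", before);
    println!("post-fix: {}", after);
}
```

A regression test for this class of bug can assert exactly this property: the rendered snippet is a function of the registry entry alone and is unchanged by what exists on disk.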