blank3rs/heso

v0.1.7 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 6d CLI & Terminal
✓ No known CVEs patched

Summary

AI summary

Added SSRF protection flag, JS timeout option, and DOM‑element serialization change.

Changes in this release

Security High

`verify --trusted-keys` (and HESO_TRUSTED_KEYS) now fails closed when the allowlist is empty.

Source: llm_adapter@2026-05-28

Confidence: high

Security Medium

Blocks requests to loopback, RFC1918 private, link‑local, unspecified, CGNAT, IPv6 unique‑local, and IPv4‑mapped IPs when `--no-private-networks` is enabled.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low

Feature Medium

Adds `--no-private-networks` flag and HESO_BLOCK_PRIVATE_NETWORKS env var for SSRF protection.

Source: llm_adapter@2026-05-28

Confidence: high

Feature Medium

Adds `--js-timeout <duration>` flag to cap script execution time on eval-js/eval-dom.

Source: llm_adapter@2026-05-28

Confidence: high

Feature Medium

Changes `eval-js` / `eval-dom` to serialize DOM-element results as {tag, outerHTML, attrs}.

Source: llm_adapter@2026-05-28

Confidence: high

Feature Medium

Caps serialized eval results at 10 MB, returning a structured error on overflow.

Source: llm_adapter@2026-05-28

Confidence: high

Feature Medium

Extends `--best-effort` partial_reason with bot_challenge, non_html_content_type, and http_<code> values.

Source: llm_adapter@2026-05-28

Confidence: high

Feature Medium

Runs `eval-js` / `eval-dom` on a dedicated 8 MB‑stack thread, limiting recursion depth.

Source: llm_adapter@2026-05-28

Confidence: low

Bugfix Medium

Fixes broken‑pipe handling on Windows (OS errors 109/232) for clean exit.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Emits structured `{ok:false,error:{code,message}}` for argument errors on eval and read paths.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Reports actionable error when `stamp`/`run` plan actions use CLI‑only locators instead of stable refs.

Source: llm_adapter@2026-05-28

Confidence: high

Full changelog

Release Notes

Added

  • --no-private-networks flag (and the HESO_BLOCK_PRIVATE_NETWORKS
    environment variable) opt into SSRF protection. heso resolves each
    target and refuses the request if any resolved IP is loopback,
    RFC1918 private, link-local (including the 169.254.169.254
    cloud-metadata address), unspecified, CGNAT (100.64.0.0/10), IPv6
    unique-local, or an IPv4-mapped form of any of those. The check runs
    on the resolved address, so an inward-pointing hostname is caught as
    well as a literal IP, and a redirect to a literal private IP is
    refused mid-chain. Off by default so localhost stays reachable;
    enable it per call with the flag or process-wide with the env var. A
    blocked request emits {ok: false, error: {code: "private_network_blocked", url}} and exits 1.
  • --js-timeout <duration> on eval-js and eval-dom caps script
    wall-clock time via an interrupt-handler watchdog and returns a
    structured timeout error on expiry. Default: no cap.
  • eval-js / eval-dom serialize a DOM-element result as
    {tag, outerHTML, attrs} instead of an empty object.
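
The private-network check described under --no-private-networks, written out as an added example. This is not heso's code; it is a stand-alone Rust classifier (std only) that applies the listed ranges to a resolved address and unwraps IPv4-mapped IPv6 so ::ffff:10.0.0.1 gets the same verdict as 10.0.0.1. The enum name PrivateKind, the function names and the sample addresses in main are this example's own assumptions; check_host uses the system resolver and so needs network access, while classify and first_private are pure and run offline.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, ToSocketAddrs};

/// Which blocked range a resolved address fell into. Names are this example's own.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PrivateKind {
    Loopback,
    Rfc1918,
    LinkLocal,
    Unspecified,
    Cgnat,
    UniqueLocal,
}

/// IPv4 ranges from the release notes: unspecified, loopback, RFC1918,
/// link-local (which contains the 169.254.169.254 metadata address) and CGNAT.
fn classify_v4(ip: Ipv4Addr) -> Option<PrivateKind> {
    let o = ip.octets();
    if ip.is_unspecified() {
        Some(PrivateKind::Unspecified)
    } else if ip.is_loopback() {
        Some(PrivateKind::Loopback)
    } else if ip.is_private() {
        Some(PrivateKind::Rfc1918) // 10/8, 172.16/12, 192.168/16
    } else if ip.is_link_local() {
        Some(PrivateKind::LinkLocal) // 169.254/16
    } else if o[0] == 100 && (o[1] & 0xC0) == 64 {
        Some(PrivateKind::Cgnat) // 100.64.0.0/10
    } else {
        None
    }
}

/// IPv6 ranges, plus the IPv4-mapped form (::ffff:a.b.c.d), which is unwrapped
/// and judged as the embedded IPv4 address so it cannot bypass the v4 rules.
fn classify_v6(ip: Ipv6Addr) -> Option<PrivateKind> {
    let s = ip.segments();
    if s[..5] == [0, 0, 0, 0, 0] && s[5] == 0xffff {
        let v4 = Ipv4Addr::new((s[6] >> 8) as u8, s[6] as u8, (s[7] >> 8) as u8, s[7] as u8);
        return classify_v4(v4);
    }
    if ip.is_unspecified() {
        Some(PrivateKind::Unspecified)
    } else if ip.is_loopback() {
        Some(PrivateKind::Loopback)
    } else if (s[0] & 0xffc0) == 0xfe80 {
        Some(PrivateKind::LinkLocal) // fe80::/10
    } else if (s[0] & 0xfe00) == 0xfc00 {
        Some(PrivateKind::UniqueLocal) // fc00::/7
    } else {
        None
    }
}

/// Verdict for a single resolved address: Some(kind) means refuse.
pub fn classify(ip: IpAddr) -> Option<PrivateKind> {
    match ip {
        IpAddr::V4(v4) => classify_v4(v4),
        IpAddr::V6(v6) => classify_v6(v6),
    }
}

/// A name may resolve to several addresses; one blocked address is enough to
/// refuse the whole request, otherwise a later connect could pick the bad one.
pub fn first_private(resolved: &[IpAddr]) -> Option<(IpAddr, PrivateKind)> {
    resolved.iter().find_map(|ip| classify(*ip).map(|k| (*ip, k)))
}

/// Resolve with the system resolver (needs network) and check every returned
/// address. Ok(Err(hit)) is a policy refusal, Err(_) a resolver failure.
pub fn check_host(host: &str, port: u16) -> std::io::Result<Result<Vec<IpAddr>, (IpAddr, PrivateKind)>> {
    let addrs: Vec<IpAddr> = (host, port).to_socket_addrs()?.map(|sa| sa.ip()).collect();
    Ok(match first_private(&addrs) {
        Some(hit) => Err(hit),
        None => Ok(addrs),
    })
}

fn main() {
    // Constructed sample literals, not real resolver output.
    let samples = ["127.0.0.1", "169.254.169.254", "100.64.1.2", "::ffff:10.0.0.1", "fd00::1", "93.184.216.34"];
    for s in samples {
        let ip: IpAddr = s.parse().expect("valid literal");
        match classify(ip) {
            Some(kind) => println!("{s:<20} refused ({kind:?})"),
            None => println!("{s:<20} allowed"),
        }
    }
}
```

Two points carry over from the notes: the verdict is taken on the resolved addresses, so the connection should be made to the addresses that were checked rather than resolving the name a second time, and every redirect hop needs the same check before it is followed.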

Changed

  • --best-effort partial_reason gains three values: bot_challenge
    now also covers Reddit-style "please wait for verification"
    interstitials; non_html_content_type flags a 200 OK carrying a
    non-HTML body (PDF, JSON, octet-stream, images) instead of treating
    an empty extraction as a clean page; and http_<code> reports a
    non-2xx status.
  • eval-js / eval-dom run on a dedicated 8 MB-stack thread, so deep
    recursion trips QuickJS's own guard and returns a structured engine
    error instead of overflowing the OS stack. Serialized eval results
    are capped at 10 MB with a structured error.

Fixed

  • The broken-pipe hook recognizes Windows pipe-closed errors (OS error
    109 / 232) alongside the Unix "Broken pipe" string, so piping a
    verb's output into a reader that closes early (heso ... | head)
    exits cleanly on every platform instead of aborting with a panic.
  • verify --trusted-keys (and HESO_TRUSTED_KEYS) fail closed on an
    empty allowlist: zero entries is an error (exit 1), not a
    trust-anyone wildcard.
  • Argument errors on the eval and read paths (malformed URL, ASCII
    control characters in a URL, unknown --include key, empty search
    query, ref/locator misses) emit a structured
    {ok: false, error: {code, message}} envelope on stdout alongside the
    stderr line. URLs containing control characters are rejected rather
    than silently rewritten.
  • stamp / run report an actionable error when a plan action carries
    a CLI-only --text / --selector / --aria-label locator instead
    of a stable ref, pointing at heso find / heso read rather than
    a terse "unknown field" message.
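
Two of the fixes above share one pattern: validate the argument, fail closed, and emit a {ok: false, error: {code, message}} envelope instead of guessing. The following is an added example of that pattern, not heso's code: it parses a comma-separated allowlist in the HESO_TRUSTED_KEYS shape and treats an empty result as an error rather than a wildcard, rejects URLs containing ASCII control characters, and serializes the envelope with a minimal escaper so a hostile URL echoed in the message cannot break the JSON. The error codes "empty_trusted_keys" and "invalid_url", the struct name CliError and the helper names are assumptions of this example; the page names only private_network_blocked.

```rust
use std::collections::HashSet;
use std::fmt::Write as _;

/// Structured error, shaped like the {ok:false, error:{code,message}} envelope
/// in the notes. The type and the codes used below are this example's own.
#[derive(Debug, PartialEq, Eq)]
pub struct CliError {
    pub code: &'static str,
    pub message: String,
}

/// Minimal JSON string escaper: quotes, backslashes and control characters.
/// Needed because the message may echo attacker-controlled input (a bad URL).
fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => {
                let _ = write!(out, "\\u{:04x}", c as u32);
            }
            c => out.push(c),
        }
    }
    out
}

impl CliError {
    /// The stdout envelope; a stderr line would be printed separately by the caller.
    pub fn envelope(&self) -> String {
        format!(
            "{{\"ok\":false,\"error\":{{\"code\":\"{}\",\"message\":\"{}\"}}}}",
            json_escape(self.code),
            json_escape(&self.message)
        )
    }
}

/// Parse a comma-separated allowlist. Whitespace and empty entries are dropped;
/// an allowlist that ends up empty is an error, never "trust anyone".
pub fn parse_trusted_keys(raw: &str) -> Result<HashSet<String>, CliError> {
    let keys: HashSet<String> = raw
        .split(',')
        .map(str::trim)
        .filter(|k| !k.is_empty())
        .map(String::from)
        .collect();
    if keys.is_empty() {
        return Err(CliError {
            code: "empty_trusted_keys", // assumed code, not from the page
            message: "trusted-keys allowlist is empty; refusing to trust any key".into(),
        });
    }
    Ok(keys)
}

/// Reject a URL carrying ASCII control characters instead of rewriting it, and
/// require an explicit http(s) scheme so nothing else is guessed on the caller's behalf.
pub fn validate_url(url: &str) -> Result<&str, CliError> {
    if let Some(c) = url.chars().find(|c| c.is_ascii_control()) {
        return Err(CliError {
            code: "invalid_url", // assumed code, not from the page
            message: format!("URL contains ASCII control character U+{:04X}", c as u32),
        });
    }
    if !(url.starts_with("http://") || url.starts_with("https://")) {
        return Err(CliError {
            code: "invalid_url",
            message: "URL must start with http:// or https://".into(),
        });
    }
    Ok(url)
}

fn main() {
    // Constructed inputs: an empty allowlist and a URL with an embedded newline.
    if let Err(e) = parse_trusted_keys(" , ") {
        println!("{}", e.envelope());
    }
    if let Err(e) = validate_url("https://example.com/\n") {
        println!("{}", e.envelope());
    }
}
```

The allowlist check trims and filters before testing emptiness, so values like " , " or a trailing comma still fail closed instead of producing a set with blank entries that nothing can match.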

Install heso-cli 0.1.7

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/blank3rs/heso/releases/download/v0.1.7/heso-cli-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/blank3rs/heso/releases/download/v0.1.7/heso-cli-installer.ps1 | iex"

Download heso-cli 0.1.7

| File | Platform | Checksum |
|--------|----------|----------|
| heso-cli-aarch64-apple-darwin.tar.gz | Apple Silicon macOS | checksum |
| heso-cli-x86_64-apple-darwin.tar.gz | Intel macOS | checksum |
| heso-cli-x86_64-pc-windows-msvc.zip | x64 Windows | checksum |
| heso-cli-aarch64-unknown-linux-gnu.tar.gz | ARM64 Linux | checksum |
| heso-cli-x86_64-unknown-linux-gnu.tar.gz | x64 Linux | checksum |


Related context

Earlier breaking changes

  • v0.3.0 `heso search` defaults to Mojeek, Brave, Marginalia, Wikipedia (plus SearXNG) instead of DuckDuckGo.
  • v0.2.0 Removes the plat registry, `publish`, `pull`, and `list` verbs.
  • v0.1.8 `run` now verifies input platform integrity before replaying and exits on mismatch (exit 1).
  • v0.1.8 `read` no longer fetches external `<script src=...>` by default; opt‑in with `--js-fetch`.
