Skip to content

blank3rs/heso](https:

v0.3.0 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 3d CLI & Terminal
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Affected surfaces

crypto_tls rbac

ReleasePort's take

Light signal
editorial:auto 3d

The JS engine now uses an in‑tree hesojs determinism fork from rquickjs. The `heso search` command defaults to Mojeek, Brave, Marginalia, Wikipedia (plus SearXNG) instead of DuckDuckGo.

Why it matters: Engine change may affect deterministic behavior; new default search providers alter query results for users relying on prior settings.

Summary

AI summary

Updates Release Notes, Install heso-cli 0.3.0, and Install heso-verify 0.3.0 across a mixed release.

Changes in this release

Breaking High

`heso search` defaults to Mojeek, Brave, Marginalia, Wikipedia (plus SearXNG) instead of DuckDuckGo.

`heso search` defaults to Mojeek, Brave, Marginalia, Wikipedia (plus SearXNG) instead of DuckDuckGo.

Source: llm_adapter@2026-05-31

Confidence: high
Feature Low

README now publishes macOS arm64 release‑binary stats (size, cold‑start latency, engine‑only latency).

README now publishes macOS arm64 release‑binary stats (size, cold‑start latency, engine‑only latency).

Source: llm_adapter@2026-05-31

Confidence: high
Deprecation Low

`disable-assertions` (`-DNDEBUG`) workaround and the four‑step `Drop` GC dance removed.

`disable-assertions` (`-DNDEBUG`) workaround and the four‑step `Drop` GC dance removed.

Source: llm_adapter@2026-05-31

Confidence: high
Bugfix Medium

`eval-dom` no longer aborts runtime teardown on iterator‑helper shutdown‑GC cycles.

`eval-dom` no longer aborts runtime teardown on iterator‑helper shutdown‑GC cycles.

Source: llm_adapter@2026-05-31

Confidence: high
Bugfix Medium

First‑run signing‑identity creation is now atomic, preventing half‑written key failures.

First‑run signing‑identity creation is now atomic, preventing half‑written key failures.

Source: llm_adapter@2026-05-31

Confidence: high
Refactor High

JS engine switched to in‑tree hesojs determinism fork from rquickjs.

JS engine switched to in‑tree hesojs determinism fork from rquickjs.

Source: llm_adapter@2026-05-31

Confidence: high
Full changelog

Release Notes

Changed

  • The JS engine is now built from the in-tree hesojs determinism
    fork (a QuickJS-NG fork) instead of stock rquickjs's vendored tree
    (ADR 0030). Determinism is injected at the C layer —
    JS_SetClockSource / JS_SetRandomSource / JS_SetRuntimeTimezone
    replace the JS-side monkey-patches (the WrappedDate shim, the
    Math.random / performance.now closures, and the process-global
    TZ=UTC pin). crypto is now a pure-JS shim over the seeded engine
    RNG rather than a Rust closure.
  • heso search no longer queries the DuckDuckGo endpoints by default —
    they 202/403-throttle scripted callers per IP and only added a
    blocked row from a normal egress IP. They remain available opt-in
    via --engines ddg,ddg-lite. The default pool is now Mojeek + Brave +
    Marginalia + Wikipedia (plus SearXNG when --searx-url is set).
  • Repository and homepage links updated to github.com/heso-inc/heso
    across the Cargo, npm, and PyPI package metadata, the CLI banner, and
    the docs.

Added

  • The README publishes measured macOS arm64 release-binary stats
    (binary size, cold-start latency over the network, and engine-only
    latency).

Removed

  • The disable-assertions (-DNDEBUG) workaround and the four-step
    Drop GC dance. heso now ships with C assertions ON: the
    ES2025 iterator-helper shutdown-GC reference cycle that aborted
    eval-dom on some pages is fixed at the engine (hesojs F1), with
    JS_FreeRuntimeForce as the safety net.

Fixed

  • eval-dom no longer aborts tearing down the runtime on pages that
    exercise the iterator-helper shutdown-GC cycle (e.g. astro.build,
    vercel.com).
  • First-run signing-identity creation is now atomic: the 32-byte key is
    written to a temp file and hard-linked into place, so concurrent heso
    invocations on a fresh machine can no longer observe a half-written key
    and fail with identity key file ... has wrong length: expected 32, got 0.

Note: plat_hash shifts for pages that read the date or RNG.
Native Date.toString() and Math.random produce different bytes
than the old JS shims (determinism still holds: same seed + same
engine version → identical bytes). Re-stamp cassettes recorded
against the old engine. Plats over static content (no date/RNG) are
unaffected and replay byte-identically across the swap.

heso-cli 0.3.0

Install heso-cli 0.3.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/heso-inc/heso/releases/download/v0.3.0/heso-cli-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/heso-inc/heso/releases/download/v0.3.0/heso-cli-installer.ps1 | iex"

Download heso-cli 0.3.0

| File | Platform | Checksum |
|--------|----------|----------|
| heso-cli-aarch64-apple-darwin.tar.gz | Apple Silicon macOS | checksum |
| heso-cli-x86_64-apple-darwin.tar.gz | Intel macOS | checksum |
| heso-cli-x86_64-pc-windows-msvc.zip | x64 Windows | checksum |
| heso-cli-aarch64-unknown-linux-gnu.tar.gz | ARM64 Linux | checksum |
| heso-cli-x86_64-unknown-linux-gnu.tar.gz | x64 Linux | checksum |

heso-verify 0.3.0

Install heso-verify 0.3.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/heso-inc/heso/releases/download/v0.3.0/heso-verify-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/heso-inc/heso/releases/download/v0.3.0/heso-verify-installer.ps1 | iex"

Download heso-verify 0.3.0

| File | Platform | Checksum |
|--------|----------|----------|
| heso-verify-aarch64-apple-darwin.tar.gz | Apple Silicon macOS | checksum |
| heso-verify-x86_64-apple-darwin.tar.gz | Intel macOS | checksum |
| heso-verify-x86_64-pc-windows-msvc.zip | x64 Windows | checksum |
| heso-verify-aarch64-unknown-linux-gnu.tar.gz | ARM64 Linux | checksum |
| heso-verify-x86_64-unknown-linux-gnu.tar.gz | x64 Linux | checksum |

Breaking Changes

  • JS engine switched from stock rquickjs to in‑tree hesojs fork; behavior of Date, Math.random, and crypto changes accordingly.
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track blank3rs/heso](https:

Get notified when new releases ship.

Sign up free

About blank3rs/heso](https:

All releases →

Related context

Earlier breaking changes

  • v0.2.0 Removes the plat registry, `publish`, `pull`, and `list` verbs.
  • v0.1.8 `run` now verifies input platform integrity before replaying and exits on mismatch (exit 1).
  • v0.1.8 `read` no longer fetches external `<script src=...>` by default; opt‑in with `--js-fetch`.

Beta — feedback welcome: [email protected]