BlazeUp-AI/Observal](https:

v0.2.0 Security

This release includes 8 security fixes for security teams reviewing exposed deployments.

Published 1mo AI Agents & Assistants

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 8 known CVEs

Topics

agents antigravity claude-code cli-tool cursor cursor-ai

+13 more

evaluation insights kiro large-language-models litellm llm llm-evaluation llm-observability llmops monitoring observability playground self-hosted

Affected surfaces

auth deps

Summary

AI summary

Broad release touches deps, feat, fix, and web.

Full changelog

What's Changed

docs + refactor: READMEs, eval subpackage, repo cleanup by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/322
feat: live session updates via GraphQL subscriptions by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/323
fix(web): protect registry routes with auth guard by @Kaushik-Kumar-CEG in https://github.com/BlazeUp-AI/Observal/pull/324
feat: unify telemetry — merge hooks, shims, and OTLP by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/325
feat: robust MCP env var detection, config gen fixes, and submit UX improvements by @ShaanNarendran in https://github.com/BlazeUp-AI/Observal/pull/326
chore: add Renovate config for automated dependency updates by @HemalathaMadeswaran18 in https://github.com/BlazeUp-AI/Observal/pull/329
fix: add :gitSignOff preset to Renovate config by @HemalathaMadeswaran18 in https://github.com/BlazeUp-AI/Observal/pull/334
feat(scan): add skill discovery for ~/.kiro/skills in --home scan by @DEVAANSH001 in https://github.com/BlazeUp-AI/Observal/pull/327
fix(deps): update dependency next to v16.2.3 [security] by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/336
fix(deps): update dependency @chenglou/pretext to ^0.0.5 [security] by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/335
chore(deps): update dependency ruff to v0.15.11 by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/340
feat(agent): agent review queue, versioning, bundles, archive & draft workflow by @Apoorvgarg-creator in https://github.com/BlazeUp-AI/Observal/pull/338
feat(web): add delete agent functionality to frontend by @Kaushik-Kumar-CEG in https://github.com/BlazeUp-AI/Observal/pull/359
feat(auth): add username field to User model (#339) by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/364
fix: prevent CRLF line endings from breaking Docker on Windows by @shreem26 in https://github.com/BlazeUp-AI/Observal/pull/365
fix(web): resolve React hydration and DOM nesting errors by @Kaushik-Kumar-CEG in https://github.com/BlazeUp-AI/Observal/pull/366
fix(deps): bump python-multipart to >=0.0.26 to fix DoS vulnerability by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/369
fix(deps): bump Mako to >=1.3.11 to fix path traversal by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/370
fix(deps): bump authlib to >=1.6.11 to fix CSRF vulnerability by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/371
fix(deps): bump strawberry-graphql to >=0.314.0 for WS DoS fix by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/373
fix(db): resolve duplicate migration revision 0010 by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/374
feat: add dismissible GitHub star banner to page header by @shreem26 in https://github.com/BlazeUp-AI/Observal/pull/372
ci: add auto-deploy workflow for EC2 server by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/375
chore(deps): update docker images (minor/patch) by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/341
fix(deps): update web frontend (minor/patch) by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/342
chore(deps): update actions/checkout action to v6 - autoclosed by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/343
chore(deps): update actions/setup-node action to v6 by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/344
chore(deps): update astral-sh/setup-uv action to v7 by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/345
chore(deps): update clickhouse/clickhouse-server docker tag to v26 by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/346
chore(deps): update dependency typescript to v6 by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/357
chore(deps): update dependency node to v24 by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/356
chore(deps): update dorny/paths-filter action to v4 by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/360
chore(deps): update dependency eslint to v10 by @renovate[bot] in https://github.com/BlazeUp-AI/Observal/pull/347
fix: require admin review before agents are published (#376) by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/379
Kiro agent pull for Windows/Powershell by @naraen-ram in https://github.com/BlazeUp-AI/Observal/pull/368
added windows cleanup to uninstall command by @VishnuM049 in https://github.com/BlazeUp-AI/Observal/pull/355
fix(cli): release changes for pip by @harishankar0301 in https://github.com/BlazeUp-AI/Observal/pull/377
feat: implement remaining PR #338 TODOs by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/381
feat: org-scoped multi-tenancy (#196) by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/382
fix: make host ports configurable to avoid port conflicts by @shreem26 in https://github.com/BlazeUp-AI/Observal/pull/383
Feat/mcp command args transport revamp by @ShaanNarendran in https://github.com/BlazeUp-AI/Observal/pull/385
Implemented migrate commands for shallow copy by @naraen-ram in https://github.com/BlazeUp-AI/Observal/pull/384
chore: add migration chain validation and generator scripts by @ShaanNarendran in https://github.com/BlazeUp-AI/Observal/pull/386
fix(cli/web): fix prompt submit endpoint and add custom prompts to builder by @ShaanNarendran in https://github.com/BlazeUp-AI/Observal/pull/390
fix(auth): handle Redis unavailability gracefully in auth endpoints by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/391
fix(web): page reload redirect, draft persistence, and custom prompt save by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/392
feat: add draft workflow and submission forms for all component types by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/393
feat: add delete/withdraw action in review queue by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/394
fix(cli): lazy-import asyncpg to unbreak all CLI commands by @ShaanNarendran in https://github.com/BlazeUp-AI/Observal/pull/395
feat: add unarchive action for archived agents by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/415
fix: component validation, owner fallback, agent name resolution, and UI typo by @ShaanNarendran in https://github.com/BlazeUp-AI/Observal/pull/416
fix: prevent non-admin deletion of approved/active registry items by @shreem26 in https://github.com/BlazeUp-AI/Observal/pull/417
fix: route ordering collision and CLI draft flag bugs by @ShaanNarendran in https://github.com/BlazeUp-AI/Observal/pull/422
fix: resolve intermittent 500 errors through Next.js proxy by @shreem26 in https://github.com/BlazeUp-AI/Observal/pull/421
fix: persist mcp_server_ids in agent draft and allow bodyless submit by @shreem26 in https://github.com/BlazeUp-AI/Observal/pull/420
fix(hooks): stop-hook stdin drain prevents response/thinking capture by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/418
fix: GET /api/v1/review returns empty despite pending agents in queue by @Kaushik-Kumar-CEG in https://github.com/BlazeUp-AI/Observal/pull/419
Update LICENSE by @vikeesh in https://github.com/BlazeUp-AI/Observal/pull/424
Update LICENSE by @vikeesh in https://github.com/BlazeUp-AI/Observal/pull/423
fix(sec): escape LIKE wildcards to prevent SQL injection (SOC 2) by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/426
fix: Kiro IDE session detection, event normalization, and grouping by @shreem26 in https://github.com/BlazeUp-AI/Observal/pull/397
fix: enable delete/withdraw action in review queue for super_admin users (#408) by @Kaushik-Kumar-CEG in https://github.com/BlazeUp-AI/Observal/pull/425
fix(sec): add CSP header, restrict CORS, and harden XSS protections (… by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/428
fix: resolve 5 Kiro telemetry bugs by @shreem26 in https://github.com/BlazeUp-AI/Observal/pull/427
feat(sec): add structured security event logging for SIEM integration… by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/429
fix(auth): handle Redis unavailability gracefully in auth endpoints by @Kaushik-Kumar-CEG in https://github.com/BlazeUp-AI/Observal/pull/432
fix: Kiro CLI telemetry pipeline — traces now visible in frontend by @ShaanNarendran in https://github.com/BlazeUp-AI/Observal/pull/439
feat(skills): generate IDE-specific skill files on agent install (#431) by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/443
Feat/user own traces 431 by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/438
fix(review): validation badge shows 'failed' for validated MCPs by @Kaushik-Kumar-CEG in https://github.com/BlazeUp-AI/Observal/pull/440
feat: add post-auth onboarding with IDE detection and component upload by @shreem26 in https://github.com/BlazeUp-AI/Observal/pull/444
feat: add Redis-backed caching and gzip compression by @shreem26 in https://github.com/BlazeUp-AI/Observal/pull/441
fix(ci): use git reset --hard instead of pull to avoid divergent bran… by @Lokesh7025 in https://github.com/BlazeUp-AI/Observal/pull/446
add webhook signing and delivery by @VishnuM049 in https://github.com/BlazeUp-AI/Observal/pull/442
feat: add ASCII welcome banner on auth login by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/445
feat: detect dollar-sign input variables during MCP submit by @ShaanNarendran in https://github.com/BlazeUp-AI/Observal/pull/447
fix(cli): scan standalone skills from ~/.claude/skills/ by @Haz3-jolt in https://github.com/BlazeUp-AI/Observal/pull/454
fix: correct agent name resolution and 404 error hint by @ShaanNarendran in https://github.com/BlazeUp-AI/Observal/pull/461
feat: IDE-specific feature awareness + UI fixes by @ShaanNarendran in https://github.com/BlazeUp-AI/Observal/pull/460
feat: redesign traces list page and add session filtering, user resolution by @Kaushik-Kumar-CEG in https://github.com/BlazeUp-AI/Observal/pull/462
Chore/homebrew pyproject cleanup by @Apoorvgarg-creator in https://github.com/BlazeUp-AI/Observal/pull/464

New Contributors

@DEVAANSH001 made their first contribution in https://github.com/BlazeUp-AI/Observal/pull/327
@renovate[bot] made their first contribution in https://github.com/BlazeUp-AI/Observal/pull/336
@shreem26 made their first contribution in https://github.com/BlazeUp-AI/Observal/pull/365
@naraen-ram made their first contribution in https://github.com/BlazeUp-AI/Observal/pull/368

Full Changelog: https://github.com/BlazeUp-AI/Observal/compare/v0.0.1...v0.2.0

Security Fixes

CVE/DoS fix: update next to v16.2.3 [security]
CVE/DoS fix: update @chenglou/pretext to ^0.0.5 [security]
CVE path traversal fix: bump Mako to >=1.3.11
CVE CSRF fix: bump authlib to >=1.6.11
CVE WS DoS fix: bump strawberry-graphql to >=0.314.0
DoS vulnerability fixed by bumping python-multipart to >=0.0.26
SQL injection prevention by escaping LIKE wildcards (SOC 2)
Hardened XSS protections and added CSP header

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track BlazeUp-AI/Observal](https:

Get notified when new releases ship.

About BlazeUp-AI/Observal](https:

All releases →

Related context

Related tools

Earlier breaking changes

v1.2.0 Removes legacy pre-JSONL modules in insights.
v1.2.0 Removes agent visibility and team access features.
v1.1.0 Replace deployment_mode API field with licensed boolean.
v0.8.0 Removes goal template, replaces with required prompt field in agent configuration.