This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
ReleasePort's take
Light signal v3.39.0 hardens security with CodeQL SAST, Trivy, and dependency analysis workflows, while clearing CVEs in rclone, otel, the Go toolchain, and react-router. It also fixes Azure SDK compatibility and CI pipeline issues.
Why it matters: Security scanning and automated dependency analysis detect vulnerabilities earlier. The dependency bumps clear CVEs in rclone, otel, and the Go toolchain. Test in dev to confirm Azure SDK version support; otherwise a routine upgrade.
Summary
AI summary: Minor fixes and improvements.
Changes in this release
| Type | Severity | Summary | CVE | Source (confidence) |
|---|---|---|---|---|
| Security | Medium | add CodeQL SAST workflow | — | llm_adapter@2026-05-21 (high) |
| Security | Medium | Add dependencies analyze and cooldown | — | llm_adapter@2026-05-21 (high) |
| Security | Medium | suppress Trivy DS-0002 false positive on root Dockerfile | — | llm_adapter@2026-05-21 (low) |
| Feature | Medium | Update readme security section | — | llm_adapter@2026-05-21 (low) |
| Feature | Medium | add CodeRabbit config tuned for security and CLAUDE.md | — | llm_adapter@2026-05-21 (low) |
| Dependency | Medium | bump rclone, otel, react-router, vite to clear Dependabot alerts | — | llm_adapter@2026-05-21 (high) |
| Dependency | Medium | bump rclone, goose, Go toolchain, otel to clear CVEs | — | llm_adapter@2026-05-21 (low) |
| Bugfix | Medium | allow newer Azure SDK API versions against Azurite emulator | — | llm_adapter@2026-05-21 (low) |
| Bugfix | Medium | unbreak CodeQL Go scan and bump action v3 → v4 | — | llm_adapter@2026-05-21 (low) |
| Bugfix | Medium | make Trivy keyring import non-interactive | — | llm_adapter@2026-05-21 (low) |
| Refactor | Medium | Move backup agent to agent/backup/ subdirectory | — | llm_adapter@2026-05-21 (low) |
Full changelog
[3.39.0] - 2026-05-13
✨ Features
- readme: Update readme security section (c7aa4d6)
- ci: add CodeRabbit config tuned for security and CLAUDE.md (412321c)
- security: add CodeQL SAST workflow (5d6f8e4)
- security: Add dependencies analyze and cooldown (d675676)
🐛 Bug Fixes
- tests: allow newer Azure SDK API versions against Azurite emulator (fc66ff1)
- deps: bump rclone, otel, react-router, vite to clear Dependabot alerts (9dc4ccb)
- ci: unbreak CodeQL Go scan and bump action v3 → v4 (ef6a576)
- security: suppress Trivy DS-0002 false positive on root Dockerfile (d9dfd64)
- ci: make Trivy keyring import non-interactive (99a6efd)
- deps: bump rclone, goose, Go toolchain, otel to clear CVEs (0d075a3)
🔨 Refactoring
- agent: Move backup agent to agent/backup/ subdirectory (3ba79b4)
🐳 Docker
- Image: databasus/databasus:v3.39.0
- Platforms: linux/amd64, linux/arm64