This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
+8 more
Summary
AI summaryFull R language support added to Depwire.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium |
8 R-specific safety patterns added for database query concatenation, system command execution, dynamic code evaluation, deserialization, file path handling, Shiny input validation, HTML rendering, and reticulate boundaries. 8 R-specific safety patterns added for database query concatenation, system command execution, dynamic code evaluation, deserialization, file path handling, Shiny input validation, HTML rendering, and reticulate boundaries. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Security | Medium |
7 R-specific crypto patterns added for weak hashing, insecure PRNG, hardcoded credentials, SSL verification disabled, insecure HTTP, plain RDS storage of sensitive data. 7 R-specific crypto patterns added for weak hashing, insecure PRNG, hardcoded credentials, SSL verification disabled, insecure HTTP, plain RDS storage of sensitive data. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Full R parser added for .R, .r, and .Rmd files. Full R parser added for .R, .r, and .Rmd files. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Project markers DESCRIPTION, NAMESPACE, renv.lock recognized. Project markers DESCRIPTION, NAMESPACE, renv.lock recognized. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Support for S3 generics (e.g., print.myclass). Support for S3 generics (e.g., print.myclass). Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Support for S4 class definitions (setClass, setMethod). Support for S4 class definitions (setClass, setMethod). Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Support for R6 class definitions (R6::R6Class()). Support for R6 class definitions (R6::R6Class()). Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Both assignment operators <-, =, and -> supported. Both assignment operators <-, =, and -> supported. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Functions can be assigned to variables (myfunc <- function(x) {...}). Functions can be assigned to variables (myfunc <- function(x) {...}). Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Anonymous functions and v4.1+ shorthand ⟨x⟩ x + 1 supported. Anonymous functions and v4.1+ shorthand ⟨x⟩ x + 1 supported. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Namespace access via dplyr::filter, package:::internal_fn. Namespace access via dplyr::filter, package:::internal_fn. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
R Markdown code chunks inside ```{r}``` blocks parsed. R Markdown code chunks inside ```{r}``` blocks parsed. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Operator overloading functions named +.classname, -.classname supported. Operator overloading functions named +.classname, -.classname supported. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
.Rproj.user/ and packrat/ directories ignored. .Rproj.user/ and packrat/ directories ignored. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
plumber API annotations #* @get, @post, @put, @delete supported. plumber API annotations #* @get, @post, @put, @delete supported. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Shiny apps with server functions and reactive observers supported. Shiny apps with server functions and reactive observers supported. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
RestRserve and Beakr routes integrated. RestRserve and Beakr routes integrated. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
HTTP clients httr::GET(), httr2::request(), curl_fetch_memory() supported. HTTP clients httr::GET(), httr2::request(), curl_fetch_memory() supported. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Database connections via DBI::dbConnect(), dbGetQuery(), dbExecute() supported. Database connections via DBI::dbConnect(), dbGetQuery(), dbExecute() supported. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Reticulate Python interop as cross-language edge supported. Reticulate Python interop as cross-language edge supported. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Supported languages list includes R (16 total languages). Supported languages list includes R (16 total languages). Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Refactor | Medium |
Dead code exclusions added for Shiny, plumber, R6 lifecycle methods, S3/S4 methods, testthat tests, package hooks, and operator overloading methods. Dead code exclusions added for Shiny, plumber, R6 lifecycle methods, S3/S4 methods, testthat tests, package hooks, and operator overloading methods. Source: llm_adapter@2026-05-21 Confidence: low |
— |
Full changelog
What's new
This release adds full R language support to Depwire, bringing the data science, bioinformatics, and statistical computing audiences into the deterministic context layer for AI coding agents.
R support
- Full R parser for
.R,.r, and.Rmd(R Markdown) files - Project markers: DESCRIPTION, NAMESPACE, renv.lock recognized
- OOP systems: S3 generics (
print.myclass), S4 class definitions (setClass,setMethod), R6 class definitions (R6::R6Class()) - Both assignment operators:
<-,=, and right-arrow-> - Functions as variables:
myfunc <- function(x) {...} - Anonymous functions:
function(x) x + 1and v4.1+ shorthand\(x) x + 1 - Namespace access:
dplyr::filter,package:::internal_fn - R Markdown code chunks: parsed inside
{r}blocks - Operator overloading: functions named
+.classname,-.classname, etc. - Ignored directories:
.Rproj.user/,packrat/
Cross-language edges
- plumber API annotations:
#* @get,#* @post,#* @put,#* @delete - Shiny apps: server functions, reactive observers
- RestRserve and Beakr routes
- HTTP clients:
httr::GET(),httr2::request(),curl_fetch_memory() - Database connections:
DBI::dbConnect(),dbGetQuery(),dbExecute() - reticulate Python interop as cross-language edges
Dead code exclusions
- Shiny entry points (
ui,server,shinyApp()) - plumber entry points (files containing
#* @plumber) - R6 lifecycle methods (
initialize,finalize,print,clone) - S3 generic dispatch methods
- S4 methods registered via
setMethod() - testthat test files and test functions
- Package hooks (
.onLoad,.onAttach,.onUnload) - Operator overloading methods
Security patterns
8 R-specific safety patterns covering database query concatenation, system command execution, dynamic code evaluation (eval(parse(text=...))), deserialization (readRDS, unserialize), file path handling, Shiny input validation, HTML rendering, and reticulate boundaries.
Crypto patterns
7 R-specific patterns covering weak hashing (digest with md5/sha1), insecure PRNG, hardcoded credentials, SSL verification disabled, insecure HTTP, and plain RDS storage of sensitive data.
Tested on
- rstudio/plumber — 197 files, 1,194 symbols, 219 edges, 0.58s parse time, health score 87/B
Supported languages (16)
TypeScript · JavaScript · Python · Go · Rust · C · C# · Java · C++ · Kotlin · PHP · Swift · Mojo · Ruby · Dart · R
Install
npm install -g [email protected]
Or for MCP:
mcp install io.github.atef-ataya/depwire
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Related context
Related tools
Earlier breaking changes
- v1.6.1 Health scores from v1.6.1+ are not directly comparable to earlier versions.
Beta — feedback welcome: [email protected]