Skip to content

hindsight

v0.6.2 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

Published 20d AI Agents & Assistants
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 4 known CVEs

Topics

agentic-ai agents ai-memory memory

Affected surfaces

deps

ReleasePort's take

Moderate signal
editorial:auto 9d

This release bumps vulnerable dependencies across npm and pip lockfiles to address high/critical security issues.

Why it matters: All high‑severity dependencies are updated; operators must apply the changes immediately to mitigate risk.

Summary

AI summary

Security dependencies were bumped to address vulnerabilities.

Changes in this release

Security Medium

Vulnerable dependencies across npm and pip are bumped.

Vulnerable dependencies across npm and pip are bumped.

Source: llm_adapter@2026-05-21

Confidence: low
Security Medium

urllib3 is upgraded to version 2.7.0 in integration lockfiles.

urllib3 is upgraded to version 2.7.0 in integration lockfiles.

Source: llm_adapter@2026-05-21

Confidence: low
Security Medium

Remaining high/critical dependencies across all lockfiles are updated.

Remaining high/critical dependencies across all lockfiles are updated.

Source: llm_adapter@2026-05-21

Confidence: low
Security Medium

litellm dependency is bumped to >=1.83.14.

litellm dependency is bumped to >=1.83.14.

Source: llm_adapter@2026-05-21

Confidence: low
Feature Medium

Claude-Code now exposes a configurable MCP request timeout.

Claude-Code now exposes a configurable MCP request timeout.

Source: llm_adapter@2026-05-21

Confidence: high
Deprecation Medium

recall max_results renamed to max_tokens in claude-code-mcp.

recall max_results renamed to max_tokens in claude-code-mcp.

Source: llm_adapter@2026-05-21

Confidence: low
Bugfix Medium

Agent SDK's agent_knowledge_recall renames max_results to max_tokens, defaulting to 1024.

Agent SDK's agent_knowledge_recall renames max_results to max_tokens, defaulting to 1024.

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Fixes strands client lifecycle leak for internally-owned clients.

Fixes strands client lifecycle leak for internally-owned clients.

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Paperclip payloads are aligned with actual event structures.

Paperclip payloads are aligned with actual event structures.

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Handles transient OID errors during embedding dimension migration.

Handles transient OID errors during embedding dimension migration.

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Agent SDK's agent_knowledge_get_page request includes detail=content support.

Agent SDK's agent_knowledge_get_page request includes detail=content support.

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Retain Event Date/timestamp is ensured to reach the API in CLI and control-plane.

Retain Event Date/timestamp is ensured to reach the API in CLI and control-plane.

Source: llm_adapter@2026-05-21

Confidence: high
Refactor Medium

Dependabot updates the uv group across three directories with eight updates.

Dependabot updates the uv group across three directories with eight updates.

Source: llm_adapter@2026-05-21

Confidence: low
Other Medium

Documentation added for Windows and China deployment guidance for embeddings setup.

Documentation added for Windows and China deployment guidance for embeddings setup.

Source: llm_adapter@2026-05-21

Confidence: low
Other Medium

FastAPI lifecycle pattern documented under docs/strands.

FastAPI lifecycle pattern documented under docs/strands.

Source: llm_adapter@2026-05-21

Confidence: low
Other Medium

Integration guide and README aligned with Paperclip's updated lifecycle.

Integration guide and README aligned with Paperclip's updated lifecycle.

Source: llm_adapter@2026-05-21

Confidence: low
Other Medium

RequestTimeoutSeconds option is documented for Claude-Code.

RequestTimeoutSeconds option is documented for Claude-Code.

Source: llm_adapter@2026-05-21

Confidence: low
Other Medium

--timestamp flag documentation added for CLI memory retain.

--timestamp flag documentation added for CLI memory retain.

Source: llm_adapter@2026-05-21

Confidence: low
Full changelog

What's Changed

  • blog: How Hindsight Scales by @nicoloboschi in https://github.com/vectorize-io/hindsight/pull/1539
  • fix(claude-code): get_page detail=content + handle tool-result spillover by @cdbartholomew in https://github.com/vectorize-io/hindsight/pull/1543
  • docs: add 0.6.1 changelog and release blog post by @nicoloboschi in https://github.com/vectorize-io/hindsight/pull/1542
  • blog: add cover image for How Hindsight Scales by @benfrank241 in https://github.com/vectorize-io/hindsight/pull/1545
  • fix(claude-code-mcp): rename recall max_results→max_tokens by @offendingcommit in https://github.com/vectorize-io/hindsight/pull/1544
  • Fix strands client lifecycle leak for internally-owned clients by @benfrank241 in https://github.com/vectorize-io/hindsight/pull/1547
  • blog: add category filter to blog landing page by @benfrank241 in https://github.com/vectorize-io/hindsight/pull/1580
  • fix(paperclip): align with Paperclip's actual event payloads by @amirhmoradi in https://github.com/vectorize-io/hindsight/pull/1560
  • blog: the case against external vector DBs for agent memory by @benfrank241 in https://github.com/vectorize-io/hindsight/pull/1594
  • Docs: add Windows + China deployment guidance for embeddings setup by @benfrank241 in https://github.com/vectorize-io/hindsight/pull/1549
  • docs(strands): document FastAPI lifecycle pattern from #1547 by @r266-tech in https://github.com/vectorize-io/hindsight/pull/1581
  • docs(paperclip): align integration guide + README with #1560 lifecycle by @r266-tech in https://github.com/vectorize-io/hindsight/pull/1596
  • fix(agent-sdk): agent_knowledge_recall — rename max_results to max_tokens, default 1024 by @r266-tech in https://github.com/vectorize-io/hindsight/pull/1552
  • fix(ci): paperclip lint formatting + openclaw hook test expectations by @dcbouius in https://github.com/vectorize-io/hindsight/pull/1601
  • security: bump vulnerable dependencies across npm and pip by @dcbouius in https://github.com/vectorize-io/hindsight/pull/1600
  • security: bump urllib3 to 2.7.0 in integration lockfiles by @dcbouius in https://github.com/vectorize-io/hindsight/pull/1603
  • security: bump remaining high/critical deps across all lockfiles by @dcbouius in https://github.com/vectorize-io/hindsight/pull/1609
  • security: bump litellm to >=1.83.14 by @dcbouius in https://github.com/vectorize-io/hindsight/pull/1610
  • feat(claude-code): expose configurable MCP request timeout (#1575) by @rsaulo in https://github.com/vectorize-io/hindsight/pull/1591
  • fix(agent-sdk): agent_knowledge_get_page request detail=content (sister of #1543) by @r266-tech in https://github.com/vectorize-io/hindsight/pull/1557
  • fix: handle transient OID errors in embedding dimension migration by @dcbouius in https://github.com/vectorize-io/hindsight/pull/1612
  • fix(ci): use frozen lockfile in lint.sh during CI by @dcbouius in https://github.com/vectorize-io/hindsight/pull/1618
  • fix(docs): use real GitHub handle for ContextForge integration author by @benfrank241 in https://github.com/vectorize-io/hindsight/pull/1621
  • fix(cli, control-plane): make retain Event Date / timestamp actually reach the API by @benfrank241 in https://github.com/vectorize-io/hindsight/pull/1622
  • docs(claude-code): document requestTimeoutSeconds option from #1591 by @r266-tech in https://github.com/vectorize-io/hindsight/pull/1626
  • docs(cli): document --timestamp flag on memory retain (#1622) by @r266-tech in https://github.com/vectorize-io/hindsight/pull/1623
  • fix(migrations): repair mental_models.subtype at current head (#1553) by @benfrank241 in https://github.com/vectorize-io/hindsight/pull/1627
  • fix(ci): set UV_FROZEN=1 on verify-generated-files job by @dcbouius in https://github.com/vectorize-io/hindsight/pull/1629
  • chore(deps): bump the uv group across 3 directories with 8 updates by @dependabot[bot] in https://github.com/vectorize-io/hindsight/pull/1630
  • blog: onboarding a new engineer onto five months of OpenCode memory by @benfrank241 in https://github.com/vectorize-io/hindsight/pull/1628

New Contributors

  • @offendingcommit made their first contribution in https://github.com/vectorize-io/hindsight/pull/1544
  • @amirhmoradi made their first contribution in https://github.com/vectorize-io/hindsight/pull/1560
  • @rsaulo made their first contribution in https://github.com/vectorize-io/hindsight/pull/1591

Full Changelog: https://github.com/vectorize-io/hindsight/compare/v0.6.1...v0.6.2

Security Fixes

  • Bumped vulnerable npm and pip dependencies across the project
  • Bumped urllib3 to 2.7.0 in integration lockfiles
  • Bumped remaining high/critical dependencies in all lockfiles
  • Bumped litellm to >=1.83.14
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track hindsight

Get notified when new releases ship.

Sign up free

About hindsight

Hindsight: Agent Memory That Learns

All releases →

Related context

Beta — feedback welcome: [email protected]