Local Deep Research

v1.6.10 Security

This release includes 3 security fixes relevant to security teams reviewing exposed deployments.

Published 22d LLM Frameworks
✓ No known CVEs patched
This release patches 3 known CVEs

Topics

academia anthropic arxiv brave deep-research encryption home-automation homeserver local local-deep-research local-llm mistral ollama openai pubmed research research-tool retrieval-augmented-generation searxng self-hosted

Affected surfaces

rce_ssrf deps breaking_upgrade

ReleasePort's take

Light signal
editorial:auto 13d

v1.6.10 patches an SSRF parser-differential bypass (GHSA-g23j-2vwm-5c25), an LM Studio credential leak, and urllib3 CVEs (CVE-2026-44431, CVE-2026-44432). It also includes a metrics UI rework, LM Studio API key support, and 15+ bugfixes across Docker, embedding, and library sync.

Why it matters: The SSRF parser bypass (GHSA-g23j-2vwm-5c25), the LM Studio auto-discovery credential leak, and the urllib3 CVE patches (CVE-2026-44431, CVE-2026-44432) all sit on the network and authentication attack surface. Patch immediately if running with LM Studio auto-discovery enabled or exposed to untrusted networks.

Summary

AI summary

GHSA-g23j-2vwm-5c25 fixes SSRF parser‑differential bypass.

Changes in this release

Security Medium

fix(security): SSRF parser-differential bypass (GHSA-g23j-2vwm-5c25)

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

fix(security): harden SSRF metadata blocks and redact log userinfo

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

fix(ui,llm): LM Studio model detection + auto-discovery credential leak (#3800)

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

fix(security): make upload rate limits configurable (#3905)

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

security: block IPv6 transition prefixes in SSRF defense

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

chore(deps): bump urllib3 to 2.7 for CVE-2026-44431 and CVE-2026-44432

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

feat(metrics): rework context-overflow page + add summary panel to /metrics

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

feat(hooks): add PR description freshness pre-commit hook

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

feat(ci): declarative label set for PR triage (1/5)

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

feat(metrics): wire context-overflow warnings to diagnostic links

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

feat(lmstudio): add optional API key support for authenticated instances (#3573)

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

docs(readme): replace stale benchmark table with current local-LLM results

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

chore(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

refactor(metrics): context overflow cleanup

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

fix(metrics): align truncation_ratio formula and tests with 80% threshold

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix(ui): preserve current task line breaks

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix(docker): remove cap_drop: ALL from searxng to align with upstream

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix(docker): decouple ollama healthcheck from model pull

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix(llm): close ChatOllama async httpx client to prevent FD exhaustion (#3816)

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix(settings): add LDR_DISABLE_RATE_LIMITING alias (#3905)

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix(embedding-settings): preserve model selection on dropdown rebuilds (#3863)

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix(ci): grant pull-requests:write to welcome-first-time workflow

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix(library): skip user uploads during sync and re-download (#3869)

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix(langgraph): include exception type and translate model_dump pattern

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix(library): stop UNIQUE-collision cascade in Download Manager (#3827)

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix(logging): cap log message size sent to the frontend

Source: llm_adapter@2026-05-21

Confidence: high

Other Medium

chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

What's Changed

🔒 Security Updates

  • fix(security): SSRF parser-differential bypass (GHSA-g23j-2vwm-5c25) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3873
  • fix(security): harden SSRF metadata blocks and redact log userinfo by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3882
  • test(security): lock in real-world URL fixtures + behavior changes from #3873/#3882 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3889
  • chore(deps): bump mako/python-multipart/pip/basic-ftp/ip-address for security advisories by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3894
  • fix(security): patch fast-uri & basic-ftp in test lockfiles by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3896
  • fix(ui,llm): LM Studio model detection + auto-discovery credential leak (#3800) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3942
  • fix(security): make upload rate limits configurable (#3905) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3935
  • fix(security): suppress alerts #7743 #7744 #7745 (audited false positives) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3968
  • security: block IPv6 transition prefixes in SSRF defense by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3932
  • chore(deps): bump urllib3 to 2.7 for CVE-2026-44431 and CVE-2026-44432 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4028

✨ New Features

  • feat(metrics): rework context-overflow page + add summary panel to /metrics by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3792
  • feat(metrics): wire context-overflow warnings to diagnostic links by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3790
  • feat(hooks): add PR description freshness pre-commit hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3798
  • feat(ci): declarative label set for PR triage (1/5) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3857
  • test(logpanel): cover toggle handler, filters, queue draining by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3880
  • ci: full docker-compose integration test + drop ollama model pre-pull by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3886
  • feat(ci): auto-apply triage labels on PR open and review (2/5) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3858
  • feat(metrics): structured truncation log + estimation-based detection by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3791
  • feat(lmstudio): add optional API key support for authenticated instances (#3573) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3740
  • chore(lmstudio): polish follow-ups from #3740 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3957
  • ui(css): improve responsive baseline — touch targets + readable text by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3985
  • docs(readme): replace stale benchmark table with current local-LLM results by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3991
  • test(ui): add theme-switching behavior spec by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3999
  • ci(research): extract reusable LDR-research workflow + add issue-trigger caller by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3987
  • ci(prerelease-docker): publish floating :prerelease tag for each RC by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4005
  • docs(readme): consolidate duplicated Performance and Install sections by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4013
  • feat(hooks): add pre-commit hook to validate settings key namespaces by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4025
  • feat(citation): source-tagged citations with global counter by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4012

🐛 Bug Fixes

  • fix(metrics): align truncation_ratio formula and tests with 80% threshold by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3840
  • fix(tests): align missed truncation_ratio assertion in test_token_counter_coverage.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3845
  • docs: fix troubleshooting link casing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3854
  • fix(ui): preserve current task line breaks by @aqilaziz in https://github.com/LearningCircuit/local-deep-research/pull/3848
  • fix(docker): remove cap_drop: ALL from searxng to align with upstream by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3881
  • fix(docker): decouple ollama healthcheck from model pull by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3885
  • ci: weekly published-image smoke test with auto-issue on failure by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3890
  • fix(llm): close ChatOllama async httpx client to prevent FD exhaustion (#3816) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3855
  • fix(settings): add LDR_DISABLE_RATE_LIMITING alias (#3905) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3936
  • Feat/context overflow page rework by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3853
  • fix(metrics): apply research_mode filter to context-overflow panel aggregation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3887
  • fix(embedding-settings): preserve model selection on dropdown rebuilds (#3863) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3940
  • fix(ci): grant pull-requests:write to welcome-first-time workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3950
  • fix(library): skip user uploads during sync and re-download (#3869) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3948
  • fix(langgraph): include exception type and translate model_dump pattern by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3926
  • fix(library): stop UNIQUE-collision cascade in Download Manager (#3827) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3941
  • test(embedding-settings): regression spec for model dropdown reset (#3863) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3949
  • fix(embeddings): expose Ollama num_ctx so indexing fits the model window (#3870) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3958
  • fix(auth): set Secure cookie flag based on protocol, not source IP (#3849) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3960
  • test(ui): replace flake-prone delays, fix local-DX bug, correct stale CI comment by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3972
  • fix(ci): scope prerelease-docker jobs to prerelease environment by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3978
  • ci(workflows): build Vite frontend bundle before UI tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3989
  • test(e2e): tolerate brief research output in deep-functionality test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3995
  • hotfix(ui): add flaky Home desktop overflow back to baseline by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3996
  • test(ui): skip WebKit-closed-context flake in all-pages-mobile by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4003
  • fix(logging): cap log message size sent to the frontend by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4004
  • fix(ci): grant research job the perms its reusable needs (#3987 follow-up) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4016
  • fix(settings): allow local_search_ namespace for embedding settings by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4024
  • fix(db): unblock multi-migration upgrades blocked by FK mismatch + orphan alembic_tmp* tables by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4000

⚡ Performance Improvements

  • refactor(metrics): context overflow cleanup by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3801
  • test(ui): skip diagnostic screenshots in CI by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3973
  • test: quality cleanup — stop tests passing when the SUT misbehaves by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3970

🗄️ Database Changes

  • docs(models): note UploadBatch is currently dormant by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3951

📚 Documentation

  • chore(release): convert pending 1.7.0 staging notes to towncrier fragments by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3789
  • docs(developing): add resource-cleanup.md capturing the FD-leak campaign by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3856
  • docs(dockerfile): rationale for unpinned bootstrap pip + dismiss Scorecard alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3914
  • docs(processes): migrate security review process to docs/processes/ folder by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3912
  • docs(docker): fix Windows/WSL2/Mac networking guidance — drop --network host by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3925
  • docs(processes): add review process guide + lifecycle section in CONTRIBUTING (5/5) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3861
  • docs(ci): cross-link compose-integration-test ↔ compose-published-smoke by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3963
  • Remove Gitleaks badge from README by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3964
  • docs(ci): auto-generated workflow status dashboard by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3966
  • docs(readme): link doc site + dashboard from Documentation section by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3981
  • Remove Gitleaks badge from README by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3986
  • docs(readme): SimpleQA achievement callout near the top by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3982
  • docs(readme): fix stale Performance prose + empty contributors placeholder by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3993
  • docs(readme): drop stale "New:" prefix + link the CLI and MCP guides by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3998
  • docs(readme): tell pip-install users how to start the web UI by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4015

🔧 CI/CD & Maintenance

  • chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3815
  • chore(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3811
  • chore(release): remove dead alias and ghost label refs from release.yml by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3871
  • chore(deps): bump actions/github-script from 8.0.0 to 9.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3812
  • chore(deps): bump actions/setup-node from 4.4.0 to 6.4.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3814
  • 🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3824
  • ci(compose-integration): hardening follow-ups (--no-build + drop curl -f) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3898
  • chore(deps): cover audited test dirs in dependabot config by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3913
  • chore(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3916
  • chore(deps): bump anchore/scan-action from 7.3.2 to 7.4.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3917
  • chore(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3915
  • chore(deps): bump anthropics/claude-code-action from 1.0.107 to 1.0.119 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3918
  • chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3919
  • feat(ci): welcome first-time contributors with a single comment (3/5) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3859
  • chore: bump patch version to 1.6.10 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3788
  • ci(workflows): migrate to LDR_DISABLE_RATE_LIMITING canonical name by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3945
  • ci(release): split prerelease docker into its own approval environment by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3969
  • ci(research): switch E2E research workflow to langgraph-agent strategy by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3965
  • hotfix(ui): realign responsive baseline — unblock release by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3992
  • test: tolerate WebKit + Puppeteer late-stage CDP flakes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4001
  • chore(deps): bump google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml from 2.3.5 to 2.3.8 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4009

⬆️ Dependencies

  • chore(deps): bump puppeteer from 24.42.0 to 24.43.0 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3834
  • chore(deps): bump puppeteer from 24.42.0 to 24.43.0 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3835
  • chore(deps-dev): bump puppeteer from 24.42.0 to 24.43.0 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3833
  • chore(deps-dev): bump jest from 30.3.0 to 30.4.0 in /tests/infrastructure_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3862
  • chore(deps-dev): bump ip-address from 10.1.0 to 10.2.0 in /tests/api_tests_with_login in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3820
  • chore(deps): bump ip-address from 10.1.0 to 10.2.0 in /tests/accessibility_tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3822
  • chore(deps): bump ip-address from 10.1.0 to 10.2.0 in /tests/puppeteer in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3823
  • chore(deps): bump puppeteer from 24.42.0 to 24.43.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3832
  • chore(deps-dev): bump eslint from 10.2.1 to 10.3.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3807
  • chore(deps): bump marked from 18.0.2 to 18.0.3 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3808
  • chore(deps-dev): bump eslint from 10.2.1 to 10.3.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3809
  • chore(deps-dev): bump fast-uri from 3.1.0 to 3.1.2 in /tests/puppeteer in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3902
  • chore(deps): bump basic-ftp from 5.3.0 to 5.3.1 in /tests/accessibility_tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3903
  • chore(deps): bump dompurify from 3.4.1 to 3.4.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3810
  • chore(deps-dev): bump vite from 8.0.10 to 8.0.11 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3920
  • chore(deps-dev): bump @playwright/test from 1.58.0 to 1.59.1 in /tests/ui_tests/playwright by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3923
  • chore(deps-dev): bump jest from 30.4.0 to 30.4.2 in /tests/infrastructure_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3922
  • chore(deps): bump @axe-core/playwright from 4.11.2 to 4.11.3 in /tests/accessibility_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3924
  • chore(deps-dev): bump @playwright/test from 1.59.1 to 1.60.0 in /tests/ui_tests/playwright by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4023
  • chore(deps): bump @playwright/test from 1.59.1 to 1.60.0 in /tests/accessibility_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4022
  • chore(deps): bump puppeteer from 24.43.0 to 24.43.1 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4018
  • chore(deps-dev): bump puppeteer from 24.43.0 to 24.43.1 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4019
  • chore(deps): bump puppeteer from 24.43.0 to 24.43.1 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4020
  • chore(deps): bump puppeteer from 24.43.0 to 24.43.1 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4021

🧹 Code Quality & Refactoring

  • test(puppeteer): retry flaky navigations in Download Manager tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3794
  • chore(metrics): drop dead chart code from context_overflow.html by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3888
  • test(ui): make responsive + metrics tests fail on real bugs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3979
  • test: fix flaky rate-limit failures in rag upload coverage tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3943

🧪 Tests

  • test(logpanel): cover ordering invariants for #2610 fix by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3872
  • test: regression for full Processing(RateLimited(ChatOllama)) close chain by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3933
  • test(library): assert download cascade-delete in sync upload regression by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3952
  • test(e2e): tolerate stale-handle export-button click failures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3997
  • test(ui): add Settings filter behavior spec by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4014

🐍 Python Changes

  • chore(library): symmetric Library-not-found warning in dedup branch by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3956

🎨 Frontend Changes

  • fix(a11y): meet WCAG 2.5.5 touch-target size on metrics buttons by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3928
  • ui(css): defensive 44×44 floor for history-item action buttons by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3994

Other Changes

  • docs: fix API example links by @aqilaziz in https://github.com/LearningCircuit/local-deep-research/pull/3852
  • fix(ui): keep live logs newest first by @aqilaziz in https://github.com/LearningCircuit/local-deep-research/pull/3850
  • fix(ui): size progress log panel with CSS by @aqilaziz in https://github.com/LearningCircuit/local-deep-research/pull/3851
  • fix: make OpenAI endpoint API key field clearly optional in UI by @forhim007 in https://github.com/LearningCircuit/local-deep-research/pull/3892
  • fix(ui): clarify openai_endpoint API key is optional for local servers by @amlyczz in https://github.com/LearningCircuit/local-deep-research/pull/3908
  • fix: add Llama.cpp to llm.provider options in default_settings.json by @Abhishek8108 in https://github.com/LearningCircuit/local-deep-research/pull/3927
  • Fix View Journals details route by @Bortlesboat in https://github.com/LearningCircuit/local-deep-research/pull/3830
  • fix(journals): exclude orphan papers from user-research dashboard by @dashitongzhi in https://github.com/LearningCircuit/local-deep-research/pull/3828
  • fix(metrics): exclude orphan Papers from journal-quality dashboard (#3544) by @SuperMarioYL in https://github.com/LearningCircuit/local-deep-research/pull/3831
  • fix(ci): use release environment for prerelease-docker secrets by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3983
  • docs: expand LM Studio FAQ with API key and provider tips by @ltianyi992 in https://github.com/LearningCircuit/local-deep-research/pull/4008

New Contributors

  • @aqilaziz made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3852
  • @forhim007 made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3892
  • @amlyczz made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3908
  • @Abhishek8108 made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3927
  • @Bortlesboat made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3830
  • @dashitongzhi made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3828
  • @SuperMarioYL made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3831
  • @ltianyi992 made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/4008

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.6.9...v1.6.10

Security Fixes

  • GHSA-g23j-2vwm-5c25 — SSRF parser-differential bypass fix
  • CVE-2026-44431
  • CVE-2026-44432

About Local Deep Research

AI-powered deep research tool with multi-source search (arXiv, PubMed, web)

Related context

Earlier breaking changes

  • v1.6.11 JavaScript rendering disabled by default in production Docker image; new web.enable_javascript_rendering setting (default false).
