Skip to content

Local Deep Research

v1.6.12 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 10d LLM Frameworks
βœ“ No known CVEs patched
Read the diff β†’ Tool health β†’ What is this tool? β†’
This release patches 3 known CVEs

Topics

academia anthropic arxiv brave deep-research encryption
+14 more
home-automation homeserver local local-deep-research local-llm mistral ollama openai pubmed research research-tool retrieval-augmented-generation searxng self-hosted

Affected surfaces

breaking_upgrade deps

Summary

AI summary

Broad release touches ⬆️ Dependencies, πŸ› Bug Fixes, test, and tests.

Full changelog

Richer reports, larger uploads, and safer RAG indexing

Reporting improvements

Research reports now render LaTeX math inline ($...$) and in display blocks ($$...$$) using KaTeX, so equations appear as typeset formulas instead of raw markup. (#3799)

A new source-tagged citation format is available under report.citation_format β†’ "Source-tagged with global numbering". Citations appear as [arxiv-1], [openai.com-2], or [my-papers-4], where the tag shows the source type and the number matches the global bibliography order. (#4012)

Upload and storage limits

The default per-file upload cap has been raised to 3 GB (from 50 MB), and the PDF library storage default is now also 3 GB (from 100 MB). Large academic datasets and scanned PDFs no longer hit silent truncation. Self-hosted deployments can still tighten these bounds via the LDR_SECURITY_UPLOAD_MAX_FILE_SIZE_MB environment variable (or the security.upload_max_file_size_mb setting) and the UI library setting, respectively. (#4196, #4198)

RAG indexing reliability

A critical data-loss bug in the library RAG indexer has been fixed: when integrity verification failed during concurrent auto-indexing, the FAISS index file was previously deleted outright. Now corrupted indexes are quarantined (<path>.corrupt-<ns>) so they remain recoverable, and concurrent indexers are serialized by a per-user, per-path lock to prevent the race that caused the corruption. A related follow-up raceβ€”where two concurrent workers could overwrite each other’s embeddingsβ€”has also been closed by reloading the index from disk under lock before merging new chunks. (#4200)

To prevent unbounded disk growth on systems that see recurring corruption, old quarantined files are now pruned automatically, keeping only the 5 most recent per collection. (#4203)

Security

The RAG collection upload endpoint now validates per-file size (50 MB) and per-request file count (200 files), matching the research upload endpoint. An oversized request is rejected before its bytes are read into memory. (#3938)

Bug fixes

  • Windows: Fixed UnicodeDecodeError errors when loading settings, security configs, benchmark results, and Vite manifests on Windows. All text-mode reads now use explicit UTF-8 encoding. (#3797)
  • Embedding models: The embedding-model dropdown no longer shows "No models available" for LM Studio and other OpenAI-compatible local servers when a model’s name doesn’t contain the word "embedding" (for example, nomic-embed-text-v1.5). The OpenAI and Ollama providers now list every model the endpoint reports and let you pick the one you actually loaded. (#4195)
  • Research history: Loading logs for a long research run no longer fetches every ResearchLog row into a 50 MB JSON response. The /history/logs/<id> endpoint now paginates at 500 entries by default (clamped to 5,000 maximum). (#4037)
  • Error hints: The friendly proxy/shim hint for model_dump errors now only appears for the canonical object has no attribute 'model_dump' AttributeError, reducing false positives on unrelated traces. (#3953)

πŸ”’ Security

  • RAG collection upload endpoint now validates per-file size (50MB limit) and per-request file count (200 limit), matching the research upload endpoint. Previously only the request-level MAX_CONTENT_LENGTH (10GB) was enforced, allowing a single oversized file or a request with thousands of zero-byte files to reach the per-file processing loop. Pre-flight Content-Length check rejects oversized files before reading bytes into memory.

✨ New Features

  • New citation format: source-tagged with global numbering. Reports can now render citations as [arxiv-1], [openai.com-2], [arxiv-3] β€” the source tag identifies what kind of source each citation is (short URLClassifier tag for known academic sources, cleaned domain for generic web URLs, or the collection name for local RAG/library hits, e.g. [my-papers-4]), while the number stays the original global counter so labels never collide and inline citations match the bibliography order. Opt in via report.citation_format β†’ "Source-tagged with global numbering"; the existing default remains Numbers with hyperlinks [1]. (#4012)
  • Add LaTeX math rendering support. Mathematical formulas written with $...$ (inline) and $$...$$ (display) notation are now rendered using KaTeX in research reports.
  • Per-PDF library storage cap (research_library.max_pdf_size_mb) default raised from 100 MB to 3 GB so it no longer silently truncates large academic PDFs after the recent upload-validator bump. The setting's UI ceiling is also raised from 500 MB to 10 GB, and the PDFStorageManager / download_service fallback defaults are updated to match. Deployments that want a tighter bound can still lower the setting via the UI.
  • Per-file upload cap (FileUploadValidator.MAX_FILE_SIZE) is now configurable and defaults to 3 GB (was 50 MB) so large academic datasets and PDFs fit out of the box. Deployments that want a tighter bound can lower it via the LDR_SECURITY_UPLOAD_MAX_FILE_SIZE_MB environment variable or the security.upload_max_file_size_mb setting. Memory usage stays bounded by the existing 5 MB spool-to-disk threshold on multipart requests.
  • The library RAG indexer now prunes old quarantined FAISS index files (<hash>.faiss.corrupt-* and matching .pkl.corrupt-*) at quarantine time, keeping only the 5 most recent per base path. Prevents the rag_indices/ cache directory from filling up on systems that experience recurring corruption, while preserving recent diagnostic artefacts. Follow-up to #4197 / #4200.

πŸ› Bug Fixes

  • Fixed UnicodeDecodeError on Windows when loading settings, security config, benchmark results, and Vite manifest files. All text-mode open() calls now use explicit UTF-8 encoding, and JSON config files use utf-8-sig to handle BOM-prefixed files from Windows editors. Fixes #3743. (#3797)
  • Fixed embedding-model dropdown showing "No models available" with LM Studio (and other OpenAI-compatible local servers) when an embedding model whose name didn't include the literal embedding token was loaded (e.g. nomic-embed-text-v1.5). The OpenAI and Ollama embedding providers no longer guess from the model name β€” every model the endpoint reports is shown so the user can pick the one they actually loaded. Ollama still tags models when its /api/show capabilities response is available. Fixes #4195. (#4195)
  • Closed a follow-up race condition in the library RAG indexer where two concurrent workers indexing different documents into the same collection could lose each other's embeddings from the FAISS file β€” last writer's save_local overwrote the earlier writer's chunks (the chunks survived in the DB, but the index file was missing them until a force-reindex rebuilt it). The save path now reloads from disk under the per-(user, index_path) lock before adding, so concurrent writers' chunks are merged instead of overwriting each other. Follow-up to #4197/#4200.
  • Fixed a data-loss bug where the library RAG index file (.faiss) was silently deleted when integrity verification failed during concurrent auto-indexing β€” destroying hundreds of previously-indexed documents in one go. Corrupted index files are now quarantined to <path>.corrupt-<ns> so they remain recoverable, and concurrent indexers are serialised by a per-(user, index_path) lock so the race that produced the checksum mismatch no longer occurs. Also drops the per-document PRAGMA wal_checkpoint(FULL) that contributed to database is locked errors under bulk-download concurrency. Fixes #4197.
  • Paginate the /history/logs/<id> endpoint (default 500, clamped to 5000) so loading a long research's history no longer materialises every ResearchLog row server-side or pushes a 50+ MB JSON response that the browser ultimately prunes to 500 entries anyway. Complements the live-socket truncation in PR #4004.
  • Three module-level per-user lock dicts (_user_init_locks in database/library_init.py, _user_locks in database/backup/backup_service.py, _user_critical_locks on QueueProcessorV2) previously accumulated one threading.Lock entry per username over the process lifetime with no removal hook on user-close. Bounded by total user count (~900 bytes/user across all three), so not visible on typical self-hosted instances β€” but long-lived multi-user deployments with user-account churn would see slow memory creep. The three modules now expose pop_user_*_lock(username) helpers and a shared _pop_per_user_locks call in the connection-cleanup module fires them from both the idle-cleanup sweeper and the logout / password-change paths, matching the cleanup already done for scheduler-job registrations and session-password store.
  • Tighten the model_dump error-pattern regex introduced in #3926 so the rich proxy/shim hint only fires for the canonical object has no attribute 'model_dump' AttributeError, not for unrelated traces that happen to contain the substring model_dump.

What's Changed

πŸ”’ Security Updates

  • security: refine redact_secrets after AI code review by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4073
  • fix(security): validate file size and count in RAG upload endpoint by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3938
  • feat(security): bump default upload size cap to 3GB and make it configurable by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4196
  • fix(security): bump transitive ws to >= 8.20.1 (GHSA-58qx-3vcg-4xpx) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4204
  • fix(security): bump transitive qs to >= 6.15.2 (GHSA-q8mj-m7cp-5q26) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4211
  • ci(release): build-once-promote refactor for Docker pipeline by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3977
  • fix(security): clear prerelease-docker.yml scan alerts (#7774, #7775, #7776) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4223
  • fix(tests): narrow broad status-code tautologies in 3 security test files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4160
  • test: verify security headers fire across all response paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4150
  • test(security): mark 10 placeholder tests as skipped instead of silently passing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4233

πŸ’₯ Breaking Changes

  • fix(library): stop deleting user FAISS index on integrity mismatch; serialise concurrent indexers (#4197) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4200

✨ New Features

  • fix(benchmark): remove artificial sample count caps by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4080
  • feat(ui): add LaTeX math rendering via KaTeX by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3799
  • test(ui): cover KaTeX edge cases β€” code blocks, multi-line display, PDF substitution by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4090
  • fix(settings): specify UTF-8 encoding for all file reads by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3797
  • fix(scheduler): remove misleading news_aggregation defaults from subscription research by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4084
  • feat(library): prune old quarantined FAISS indexes to cap disk growth by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4203
  • feat(settings): JSON defaults for the nine local_search_* settings (#4208 follow-up) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4222

πŸ› Bug Fixes

  • docs(resource-cleanup) + fix: Round 9 audit results + per-user lock-dict cleanup by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4077
  • fix(errors): add missing OpenAI-compatible providers to friendly error guard by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4088
  • fix(tests): replace conditional asserts in auth rate-limit tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4097
  • fix(encoding): add encoding="utf-8" to examples/ and scripts/ by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4118
  • fix: add ldr- prefix to tooltip and loading class violations in HTML inline scripts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3149
  • fix: add search debounce and remove dead caching code in settings.js by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3177
  • fix(downloader): pass --no-sandbox to plain-Playwright fallback by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3841
  • fix(error-handling): tighten model_dump pattern to canonical AttributeError shape by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3953
  • fix(errors): dispatch RateLimitError to RATE_LIMIT_ERROR category by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4086
  • fix(library): rollback session in RAG service exception handlers by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3980
  • fix(embeddings): list every model the endpoint returns; drop name guessing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4199
  • feat(library): raise PDF storage cap default to 3 GB to match upload validator by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4198
  • fix(settings): persist Embeddings page changes and unblock OpenAI test (#4208) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4212
  • fix(modular_strategy): drop dead constraint-decomposition LLM call by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4217
  • test(close_base_llm): scale FD-growth test for Py 3.14 asyncio drift by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4224
  • fix(memory): paginate /history/logs/ endpoint by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4037
  • fix(tests): unblock Create Release β€” UA assertions + Mobile Safari budget by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4232
  • fix(tests): narrow broad status-code tautologies in test_rag_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4133
  • fix(tests): narrow broad status-code tautologies in news/test_flask_api.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4136
  • fix(ci): make LDR research workflow honestly fail on Python crash by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4226
  • fix(ui-tests): point collection + mobile tests at the real flow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4127
  • test: tighten 2 broad-status-list tautologies in context_overflow_api routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4273
  • ci+test: retry transient network installs, fix patch.object race by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4302

⚑ Performance Improvements

  • test(utilities): replace time.sleep with freezegun in 3 TTL tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4101
  • test(database): migrate 2 credential_store TTL tests to freezegun by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4235
  • test(auth): migrate test_inmemory_storage.test_expiration to freezegun by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4236

πŸ“š Documentation

  • docs(changelog): add missing fragment for source-tagged citations (#4012) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4093
  • docs(ui-tests): note local rate-limit gotcha in README by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4119
  • refactor: delete 3 dead strategy files and 4 orphaned test files (~3,200 lines) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3147
  • docs: clarify VALID_EMBEDDING_PROVIDERS is internal by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4156
  • docs(ui-tests): document findActionButton + test_lib helpers by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4166

πŸ”§ CI/CD & Maintenance

  • chore: clear changelog fragments for 1.6.11 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4079
  • chore(deps): bump step-security/harden-runner from 2.19.1 to 2.19.3 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4115
  • chore(deps): bump github/codeql-action from 4.35.4 to 4.35.5 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4114
  • chore(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4111
  • ci(labels): add test:ui-full-shards label + wrapper workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4067
  • test: remove 3 shadow metrics_routes test files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4123
  • πŸ€– Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4193
  • chore: bump patch version to 1.6.12 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4052
  • chore: delete unused BaseFailure methods by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4173
  • chore: delete unused convert_debug_to_markdown helper by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4149
  • test: delete 4 'assert True' placeholder tests across 3 files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4290
  • test: delete 5 ui_tests/test_uuid* / trace_error / mixed_id diagnostic scripts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4274

⬆️ Dependencies

  • chore(deps-dev): bump eslint from 10.3.0 to 10.4.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4113
  • chore(deps-dev): bump eslint from 10.3.0 to 10.4.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4106
  • chore(deps): bump puppeteer from 24.43.1 to 25.0.2 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4103
  • chore(deps): bump brace-expansion from 5.0.5 to 5.0.6 in /tests/puppeteer in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4117
  • chore(deps): bump brace-expansion from 5.0.5 to 5.0.6 in /tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4116
  • chore(deps-dev): bump vite from 8.0.12 to 8.0.13 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4112
  • chore(deps): bump katex from 0.16.45 to 0.16.47 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4109
  • chore(deps): bump dompurify from 3.4.3 to 3.4.5 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4108
  • chore(deps): bump puppeteer from 24.43.1 to 25.0.4 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4105
  • chore(deps): bump puppeteer from 24.43.1 to 25.0.4 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4104
  • chore(deps-dev): bump puppeteer from 24.43.1 to 25.0.2 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4102
  • chore(deps): bump puppeteer from 25.0.2 to 25.0.4 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4140
  • chore(deps-dev): bump puppeteer from 25.0.2 to 25.0.4 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4139
  • chore(deps): bump python from 7a50012 to a7185a8 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4192
  • chore(deps): bump mocha from 11.7.5 to 11.7.6 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4206
  • chore(deps-dev): bump mocha from 11.7.5 to 11.7.6 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4207
  • chore(deps): bump mocha from 11.7.5 to 11.7.6 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/4205

🧹 Code Quality & Refactoring

  • test: remove shadow test file test_arxiv_downloader_extended.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4094
  • test: remove shadow test file test_iterative_reasoning_strategy.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4095
  • refactor(ui-tests): migrate remaining create-button matchers to helper by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4091
  • refactor(citation): pass collections explicitly to source-tagged formatter by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4096
  • test: remove 6 shadow test files in advanced_search_system/strategies by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4120
  • test: remove 2 shadow files in advanced_search_system/answer_decoding by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4121
  • test: remove 2 shadow files in tests/core/ by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4122
  • test: remove 2 shadow files in database/ and security/ by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4124
  • test: remove 14 shadow files in tests/news/ (6,788 lines) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4125
  • fix(tests): narrow broad status-code tautologies in test_settings_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4134
  • refactor(tests): consolidate 70 status-tautology tests into one parametrized test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4126
  • refactor(routes): extract parse_bool_arg helper for query-string booleans by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3842
  • refactor(security): move web middleware classes into security module by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3967
  • fix(tests): narrow broad status-code tautologies in test_library_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4135
  • chore(library): drop dead _save_and_record_locked helper by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4202
  • chore: delete no-op _apply_legacy_file_check and check_files param by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4169
  • chore(library): remove dead create-collection modal by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4155
  • chore: delete dead pricing fetcher methods by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4176
  • fix(tests): narrow broad status-code tautologies in test_api_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4171
  • chore: delete unused UserQueueService task-count accessors by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4157
  • fix(tests): narrow broad status-code tautologies in test_history_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4154
  • fix(tests): narrow broad status-code tautologies in 3 misc test files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4165
  • chore: delete unused get_retry_statistics monitoring method by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4172
  • chore: delete unused get_default_param_space() by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4152
  • chore(engines): centralize User-Agent across 9 search engines (#4130 follow-up) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4179
  • chore: delete unused FollowUpResponse dataclass by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4167
  • fix(tests): narrow broad status-code tautologies in test_benchmark_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4137
  • test: remove two misleading *WithMocks tests in test_flask_api_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4190
  • test: remove shadow file test_delete_routes.py (709 lines, 42 fake tests) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4237
  • test: delete shadow test_evidence_evaluator.py (27 tests, 0 SUT imports) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4272
  • test: delete shadow tests/domain_classifier/test_models.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4253

πŸ§ͺ Tests

  • test(metadata_extractor): pin field-preference and empty-@type branches by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4092
  • fix(tests): narrow broad status-code tautologies in test_flask_api_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4098
  • test(langgraph): pin search.fetch.mode and engine-name guard branches by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4089
  • test(close_base_llm): warm up FD-growth tests to absorb init drift by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4214
  • test(ui): cap defensive waitForLoadState with 3s timeout by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4215
  • fix(tests): narrow broad status-code tautologies in test_metrics_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4147
  • fix(tests): narrow broad status-code tautologies in 2 small web/routes files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4177
  • fix(tests): narrow broad status-code tautologies in test_research_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4138
  • test: skip 4 more placeholder tests in database/ + security/ by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4234
  • test: delete mock-roundtrip test_configure_openrouter_api_key by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4276

Other Changes

  • fix(security): resolve scanner alerts (ws CVE, Bearer XSS FPs, Scorecard token-perms) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4209
  • fix(security): bump brace-expansion to 5.0.6 (GHSA-jxxr-4gwj-5jf2) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4216
  • test: remove two diversity_explorer tests for fictional methods by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4191
  • chore(settings): cleanup after #4222 β€” drop stale defaults exemption, align index_type casing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/4227

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.6.11...v1.6.12

Security Fixes

  • dep: ws bumped >=8.20.1 (GHSA-58qx-3vcg-4xpx)
  • dep: qs bumped >=6.15.2 (GHSA-q8mj-m7cp-5q26)
  • RAG collection upload endpoint now validates per‑file size (50β€―MB) and file count (200 files)
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Local Deep Research

Get notified when new releases ship.

Sign up free

About Local Deep Research

AI-powered deep research tool with multi-source search (arXiv, PubMed, web)

All releases β†’

Related context

Earlier breaking changes

  • v1.6.11 JavaScript rendering disabled by default in production Docker image; new web.enable_javascript_rendering setting (default false).

Beta — feedback welcome: [email protected]