Skip to content

OpenSandbox

vsdks/sandbox/go/v1.0.1 Breaking

This release includes 2 breaking changes for platform teams planning a safe upgrade.

Published 16d Containers & Orchestration
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

ai ai-agent ai-infra kubernetes sandbox

Affected surfaces

breaking_upgrade crypto_tls

Summary

AI summary

Sandbox.Close and SandboxManager.Close now return an error to satisfy io.Closer, and TLS 1.2 is the minimum for SDK‑created HTTP clients.

Full changelog

What's New

⚠️ Breaking Changes

  • Sandbox.Close / SandboxManager.Close now return error to satisfy io.Closer. Callers that previously ignored the return value need to update signatures (and ideally check the returned error). Same PR also drains HTTP response bodies after read so the underlying connection is reused, replaces manual url.QueryEscape with url.Values, drops the deprecated crypto/dsa import + DSA public-key branch, and trims unused go.mod dependencies. (#851)
  • TLS 1.2 minimum for SDK-created HTTP clients, enforcing the NIST 2030 minimum certificate key/hash length policy. Environments still serving TLS 1.0/1.1 endpoints must upgrade before adopting this release. Compatibility escape hatches are exposed for legacy weaker certificates. (#790)

✨ Features

  • Multi-file upload: new UploadFiles helper on Sandbox performs multipart uploads against execd's existing /files/upload multi-file contract. The single-file UploadFile is now a thin wrapper over the batch path. /files/download remains single-file streaming, so no DownloadFiles counterpart is added. (#843)
  • User-Agent header (OpenSandbox-Go-SDK/1.0.1) is now set on every outgoing request — doRequestOnce, doStreamRequest, GetCommandLogs, UploadFiles, DownloadFile. (#850)

🐛 Bug Fixes

  • Forward all GetEndpoint headers on subsequent execd/egress requests, matching the Python SDK. The previous code only forwarded X-EXECD-ACCESS-TOKEN / OPENSANDBOX-EGRESS-AUTH and dropped everything else, breaking routing whenever the server added new headers (sticky-session keys, routing hints, etc.). Closes #886. (#900)
  • Empty SSE stream now surfaces an error instead of silently returning a "successful but empty" Execution (stdout=[], stderr=[], results=[], error=nil, complete=nil). streamSSE() now counts dispatched events and returns opensandbox: empty sse stream when the body closes with zero events, so transport/proxy/execd failures stop masquerading as successful executions. (#778)

👥 Contributors

Thanks to these contributors ❤️

  • @Pangjiping
  • @zpzjzj
  • @hittyt
  • @skyler0513
go get github.com/alibaba/OpenSandbox/sdks/sandbox/[email protected]

Breaking Changes

  • `Sandbox.Close` and `SandboxManager.Close` now return an error (previously void). Callers must handle the returned error.
  • Minimum TLS version for SDK‑created HTTP clients is raised to TLS 1.2; environments using TLS 1.0/1.1 must upgrade before adopting this release.
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track OpenSandbox

Get notified when new releases ship.

Sign up free

About OpenSandbox

Secure, Fast, and Extensible Sandbox runtime for AI agents.

All releases →

Related context

Beta — feedback welcome: [email protected]