This release includes 3 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: The release disables auto-loading of the project-local `.graphify/providers.json` and now requires explicit opt-in via an environment variable.
Why it matters: automatic loading of a project-local `.graphify/providers.json` is disabled; enabling it now requires an env-var opt-in. Severity score 90 indicates high impact on security posture.
Summary
AI summary: Updates Feat, Fix, and F1 across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Disables automatic loading of project-local `.graphify/providers.json`; opt-in via env var. (Source: llm_adapter@2026-06-02, confidence: high) | — |
| Security | High | Screens untrusted office/PDF files with size caps and streaming limits to prevent zip-bomb memory exhaustion. (Source: llm_adapter@2026-06-02, confidence: high) | — |
| Security | High | Rejects `OLLAMA_BASE_URL` pointing to link-local or cloud-metadata addresses, failing closed with an error. (Source: llm_adapter@2026-06-02, confidence: high) | — |
| Security | High | Fortran C-preprocessor step now uses absolute paths to prevent attacker-named corpus file misuse. (Source: llm_adapter@2026-06-02, confidence: high) | — |
| Feature | Medium | Introduces progressive-disclosure skill files with a lean core and on-demand sidecar references for most hosts. (Source: llm_adapter@2026-06-02, confidence: high) | — |
| Bugfix | Medium | Fixes missing references in `graphify install --platform gemini` causing 8 dead pointers. (Source: llm_adapter@2026-06-02, confidence: high) | — |
Full changelog
- Feat: progressive-disclosure skill files. The per-host `SKILL.md` is now a lean core (~615 lines, down from the ~1156-line monolith, about 47% less always-loaded context) that carries the full default code-build pipeline inline and links to an on-demand `references/` sidecar (extraction-spec, query, update, exports, transcribe, github-and-merge, add-watch, hooks); an agent reads a reference only when that path is actually taken, so a normal build needs none. 18 hosts go progressive (claude, codex, opencode, kilo, copilot, claw, droid, trae, trae-cn, hermes, kiro, pi, antigravity, antigravity-windows, windows, kimi, amp, gemini); aider and devin stay monolithic by design. All 15 skill bodies + sidecars are generated from one source under `tools/skillgen/`, with CI guards (`--check`, `--audit-coverage`, `--monolith-roundtrip`, `--always-on-roundtrip`) proving the references are byte-identical slices of the old monolith so nothing is lost (#1121).
- Fix: `graphify install --platform gemini` shipped a `SKILL.md` with 8 dead `references/` pointers. gemini installs claude's lean progressive core but the installer never copied claude's references sidecar; it now does, so every on-demand reference resolves (regression from the progressive-disclosure split).
- Security (F1): a project-local `./.graphify/providers.json` (which travels with a cloned or shared repo) is no longer loaded automatically, since a custom provider's `base_url` is where your corpus and API key are sent. Set `GRAPHIFY_ALLOW_LOCAL_PROVIDERS=1` to opt in; the user's own `~/.graphify/providers.json` is still trusted. Non-http(s) `base_url`s are rejected on load and on `provider add`, and plaintext-http egress warns. Behavior change: if you relied on an auto-loaded project-local providers file, set the opt-in env var.
- Security (F2): untrusted office/PDF files are screened before parsing (on-disk size cap, plus a bounded streaming-decompression ceiling for `.docx`/`.xlsx` zip containers) so a zip-bomb in a scanned corpus can no longer exhaust memory.
- Security (F3): `OLLAMA_BASE_URL` pointing at a link-local or cloud-metadata address (`169.254.x`, `metadata.google.*`, or any host that resolves to one) now fails closed with a clean error instead of sending the corpus there. Trusted LAN hosts still warn-and-allow.
- Security (F5): the Fortran C-preprocessor step passes an absolute path so an attacker-named corpus file cannot be interpreted as a `cpp` option.
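The F3 entry describes a fail-closed check on the provider base URL: literal link-local addresses, cloud-metadata hostnames, and any hostname that resolves to such an address are refused, while private LAN hosts warn-and-allow. The following is an added example of that check, not graphify's own code; the function names, the verdict labels, the treatment of loopback as silently allowed, and the constructed fake DNS answers used in the usage block are assumptions. It goes slightly beyond the notes by checking every resolved address rather than only the first, so a name that answers with one routable and one link-local address is still denied.

```python
"""Fail-closed egress guard for a provider base URL.

Added example, not graphify's code: it shows the kind of check the F3 fix
describes (link-local and cloud-metadata destinations are rejected, trusted
LAN hosts warn-and-allow). Function and verdict names are assumptions.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable, Union
from urllib.parse import urlparse

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list[str]:
    """Every A/AAAA answer for host; empty on failure (the caller treats that as deny)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_metadata_host(host: str) -> bool:
    """Hostnames matching the `metadata.google.*` pattern named in the release notes."""
    return host == "metadata.google.internal" or host.startswith("metadata.google.")


def classify_address(ip: IPAddress) -> str:
    """Map one address to a verdict: 'deny', 'warn' or 'allow'."""
    if ip.is_link_local:   # 169.254.0.0/16 (including 169.254.169.254) and fe80::/10
        return "deny"
    if ip.is_loopback:     # assumption: a local Ollama on 127.0.0.1 is allowed silently
        return "allow"
    if ip.is_private:      # RFC 1918 / ULA ranges: trusted LAN, warn-and-allow
        return "warn"
    return "allow"


def check_provider_url(url: str, resolver: Resolver = default_resolver) -> tuple[str, str]:
    """Return (verdict, reason). Parse or resolution failures are 'deny' (fail closed)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return "deny", f"unsupported scheme or missing host in {url!r}"
    host = parsed.hostname.lower().rstrip(".")
    if is_metadata_host(host):
        return "deny", f"{host} is a cloud-metadata endpoint"

    try:
        addresses: list[IPAddress] = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        answers = list(resolver(host))
        if not answers:
            return "deny", f"{host} did not resolve"
        addresses = [ipaddress.ip_address(a) for a in answers]

    # Worst verdict wins: a single link-local answer among several is enough to deny.
    worst = {classify_address(ip): ip for ip in addresses}
    for level in ("deny", "warn"):
        if level in worst:
            return level, f"{host} -> {worst[level]} is {level}-class"
    return "allow", f"{host} resolves only to routable or loopback addresses"


if __name__ == "__main__":
    import os

    # Constructed fake DNS so the demo runs offline; swap in default_resolver for real use.
    fake_dns = {"ollama.lan": ["10.0.0.5"], "rebind.example": ["93.184.216.34", "169.254.169.254"]}
    for candidate in ("http://127.0.0.1:11434", "http://ollama.lan:11434",
                      "http://169.254.169.254/latest/meta-data/", "http://rebind.example:11434"):
        print(candidate, "->", check_provider_url(candidate, lambda h: fake_dns.get(h, [])))
    verdict, reason = check_provider_url(os.environ.get("OLLAMA_BASE_URL", "http://127.0.0.1:11434"))
    if verdict == "deny":
        raise SystemExit(f"refusing to send corpus: {reason}")
```

The resolver is injected so the policy can be unit-tested without network access; in production the default resolver consults the system DNS, and the decision should be made immediately before the connection is opened to narrow the window for a changed DNS answer.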
Breaking Changes
- Project‑local `./.graphify/providers.json` is no longer loaded automatically; opt‑in with env var `GRAPHIFY_ALLOW_LOCAL_PROVIDERS=1`.
Security Fixes
- Dep: `./.graphify/providers.json` auto‑load disabled for security (opt‑in required).
- Office/PDF files now screened with size caps and bounded streaming decompression to prevent zip‑bomb memory exhaustion.
- Invalid `OLLAMA_BASE_URL` values (link‑local, cloud‑metadata) cause clean failure instead of unintended egress.
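The zip-bomb item above (F2 in the changelog) combines two screens: an on-disk size cap and a bounded streaming-decompression ceiling for `.docx`/`.xlsx` containers. The following is an added example of that screening, not graphify's own code; the function names, the default limits, and the constructed in-memory sample archives are assumptions. The point a practitioner should take from it is that the central-directory `file_size` field is attacker-controlled, so the only reliable bound is to count bytes as they are actually inflated and stop at the ceiling.

```python
"""Pre-parse screening of untrusted .docx/.xlsx containers.

Added example, not graphify's code: it implements the two screens the F2 fix
describes, an on-disk size cap and a bounded streaming-decompression ceiling.
Names, limits and the constructed sample archives are assumptions.
"""
from __future__ import annotations

import io
import os
import zipfile
from typing import BinaryIO, Union

MAX_ON_DISK_BYTES = 50 * 1024 * 1024        # assumed default, tune per corpus
MAX_DECOMPRESSED_BYTES = 200 * 1024 * 1024  # assumed default, tune per corpus
CHUNK = 64 * 1024                           # inflate this much at a time


class ScreeningError(ValueError):
    """The container failed a screen; the parser must not be invoked on it."""


def screen_office_container(
    source: Union[str, "os.PathLike[str]", BinaryIO],
    *,
    max_on_disk: int = MAX_ON_DISK_BYTES,
    max_decompressed: int = MAX_DECOMPRESSED_BYTES,
) -> int:
    """Screen a zip-based office file and return its total decompressed size.

    1. On-disk cap: rejected before any decompression happens.
    2. Streaming ceiling: each member is inflated in CHUNK-sized pieces and the
       running total is checked after every piece, so a highly compressible
       member is abandoned long before it can fill memory.
    The central-directory file_size is attacker-controlled and is used only as
    an early reject, never as proof that a member is small.
    """
    if isinstance(source, (str, bytes, os.PathLike)):
        on_disk = os.path.getsize(source)
    else:
        source.seek(0, io.SEEK_END)
        on_disk = source.tell()
        source.seek(0)
    if on_disk > max_on_disk:
        raise ScreeningError(f"container is {on_disk} bytes on disk, cap is {max_on_disk}")

    try:
        archive = zipfile.ZipFile(source)
    except zipfile.BadZipFile as exc:
        raise ScreeningError(f"not a zip container: {exc}") from exc

    total = 0
    with archive:
        for info in archive.infolist():
            if info.file_size > max_decompressed:
                raise ScreeningError(f"{info.filename} declares {info.file_size} bytes")
            with archive.open(info) as member:
                while True:
                    piece = member.read(CHUNK)   # decompresses incrementally, bounded memory
                    if not piece:
                        break
                    total += len(piece)
                    if total > max_decompressed:
                        raise ScreeningError(
                            f"decompressed size passed {max_decompressed} bytes at {info.filename}"
                        )
    return total


def is_safe_container(source, **limits) -> bool:
    """Boolean convenience wrapper around screen_office_container."""
    try:
        screen_office_container(source, **limits)
    except ScreeningError:
        return False
    return True


def build_zip(members: dict[str, bytes]) -> io.BytesIO:
    """Constructed sample: an in-memory DEFLATE zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


def as_stream(data: bytes) -> io.BytesIO:
    """Constructed sample: arbitrary bytes as a seekable stream."""
    return io.BytesIO(data)


if __name__ == "__main__":
    # Two 700 KiB members of zeros compress to a few KiB but inflate past a 1 MiB ceiling.
    bomb = build_zip({"word/document.xml": b"\0" * 700 * 1024, "word/styles.xml": b"\0" * 700 * 1024})
    print("bomb passes 1 MiB ceiling:", is_safe_container(bomb, max_decompressed=1024 * 1024))
```

The per-member early reject is cheap but insufficient on its own: the cumulative check in the streaming loop is what catches an archive whose members are each individually under the ceiling but together exceed it. The screen covers one container level; a parser that recurses into embedded archives needs the same ceiling applied at each level.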
About graphify
AI coding assistant skill (Claude Code, Codex, OpenCode, Cursor, Gemini CLI, OpenClaw, Factory Droid, Trae). Turn any folder of code, docs, papers, images, videos, or YouTube links into a queryable knowledge graph
Beta — feedback welcome: [email protected]