
graphify

v0.8.31 Security

This release includes one security fix: the git hook scripts generated by `graphify hook install` are hardened against shell injection.

Published 3h ago (RAG & Retrieval)
No known CVEs patched: the changelog cites no CVE identifier for the fix.

Topics

antigravity, claude-code, codex, gemini, graphrag, knowledge-graph, leiden, openclaw, llm, skills, tree-sitter

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal (editorial: auto, 1h)

Hook scripts now embed the current interpreter and use hardened quoting to prevent shell injection.

Why it matters: the security fix (severity 95) closes a shell-injection path in the generated hook scripts. The hook runs on every git commit, and before this release the pinned interpreter path was interpolated into the script without single quotes, so any shell metacharacters in that path were re-parsed by the shell at commit time. Single-quoting `_PINNED=` and quoting the `"$GRAPHIFY_PYTHON"` invocation stops that. Hooks installed by earlier versions keep the old script until you re-run `graphify hook install`.

Summary

AI summary

Hook scripts now embed the current interpreter and are hardened against shell injection.

Changes in this release

Security Critical

Hardened the generated hook script against shell injection: the pinned interpreter path is single-quoted and the interpreter invocation is quoted. Separately, the fallback path now prints a diagnostic to stderr instead of exiting 0 silently.

Source: llm_adapter@2026-06-04

Confidence: high

Feature Low

Added query logging: all graphify queries are appended to `~/.cache/graphify-queries.log` in JSON Lines format. The log records the question text, so on shared or audited hosts decide deliberately whether to keep it (`GRAPHIFY_QUERY_LOG_DISABLE=1` turns it off) and note that `GRAPHIFY_QUERY_LOG_RESPONSES=1` additionally writes the responses to disk.

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

`graphify hook install` now embeds the current interpreter into generated scripts, fixing the silent no-op that occurred when the graphify launcher was not on PATH.

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

Hook scripts probe `graphify-out/.graphify_python` as a fallback interpreter source for Windows/Git Bash installs.

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

Manifest JSON keys, `.graphify_root`, and cache AST source_file fields are stored as relative paths to avoid forced rebuilds on CI.

Source: llm_adapter@2026-06-04

Confidence: high

Full changelog
  • Fix: graphify hook install now embeds the current interpreter (sys.executable) directly into the generated hook scripts. Previously, uv tool and pipx installs silently no-oped on git commit in GUI clients and CI runners where ~/.local/bin is not on PATH — the hook could not find the graphify launcher, fell through all detection probes, and exited 0 without rebuilding. If you already have hooks installed, re-run graphify hook install to pick up the fix (#1127).
  • Fix: hook scripts also probe graphify-out/.graphify_python as a fallback interpreter source, covering Windows/Git Bash installs where the launcher is a binary with no parseable shebang, and the case where the pinned path goes stale after a reinstall.
  • Security: hook script hardening — _PINNED= uses single quotes to prevent shell injection; nohup "$GRAPHIFY_PYTHON" -c is properly quoted; the fallback emits a loud stderr diagnostic instead of a bare silent exit 0.
  • Fix: manifest.json keys, .graphify_root, and cache/ast/*.json source_file fields are now stored as relative paths and re-anchored on load. Teams committing graphify-out/ no longer see forced full rebuilds on every CI checkout or clone (#777, #1125).
  • Feat: query logging. Every graphify query, graphify path, graphify explain, and MCP query_graph call is appended to ~/.cache/graphify-queries.log in JSON Lines format (timestamp, question, corpus, nodes returned, duration). Control with GRAPHIFY_QUERY_LOG, GRAPHIFY_QUERY_LOG_DISABLE=1, or GRAPHIFY_QUERY_LOG_RESPONSES=1 (#1128).

Security Fixes

  • Hook script hardening: `_PINNED=` is now single-quoted and `nohup "$GRAPHIFY_PYTHON" -c` is properly quoted, which closes the shell-injection path; the fallback branch also emits a loud stderr diagnostic instead of a silent `exit 0`, so a hook that cannot find an interpreter is no longer mistaken for a successful rebuild.
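To make the fix concrete, here is an added example (not graphify's own code) that renders a hook script in the pre-fix shape and in the hardened shape, shows how `/bin/sh` tokenizes the `_PINNED=` line in each case, and runs both through `sh` with an interpreter path that carries a `;`-separated payload. The hook body, the helper names (`render_hook`, `single_quote`, `shell_words`, `run_hook`) and the `{marker}` placeholder are assumptions for this illustration; the real hook's contents are not reproduced here, only the quoting pattern and the fallback/diagnostic flow the changelog describes.

```python
"""Added example (not graphify's own code): why the `_PINNED=` line in a
generated git hook must be single-quoted, and what the fallback looks like."""
import os
import shlex
import shutil
import subprocess
import sys
import tempfile

# Assumed hook body, modelled on the changelog's description: use the pinned
# interpreter, probe graphify-out/.graphify_python if it is stale, and print a
# loud diagnostic instead of a bare silent 'exit 0' when nothing usable exists.
HOOK_BODY = """GRAPHIFY_PYTHON="$_PINNED"
if [ ! -x "$GRAPHIFY_PYTHON" ] && [ -r graphify-out/.graphify_python ]; then
    GRAPHIFY_PYTHON=$(cat graphify-out/.graphify_python)
fi
if [ ! -x "$GRAPHIFY_PYTHON" ]; then
    echo "graphify hook: no usable interpreter (pinned: $_PINNED); skipping rebuild" >&2
    exit 0
fi
exec "$GRAPHIFY_PYTHON" -c 'print("graphify hook: rebuild would start here")'
"""


def single_quote(s: str) -> str:
    """Always-quoted form: wrap in single quotes and close/reopen around any
    embedded single quote ('\\''), so the shell never interprets a character."""
    return "'" + s.replace("'", "'\\''") + "'"


def render_hook(interpreter: str, quoted: bool = True) -> str:
    """Return hook script text. quoted=False reproduces the pre-fix shape
    (interpreter path interpolated bare); quoted=True single-quotes it."""
    pinned = single_quote(interpreter) if quoted else interpreter
    return "#!/bin/sh\n_PINNED=" + pinned + "\n" + HOOK_BODY


def shell_words(line: str) -> list:
    """Tokenize one line the way a POSIX shell would; ';' becomes its own token."""
    return list(shlex.shlex(line, posix=True, punctuation_chars=True))


def run_hook(interpreter=None, quoted: bool = True):
    """Execute a rendered hook with sh in a scratch directory and report what
    happened. The literal '{marker}' in `interpreter` is replaced by a file path
    that a payload could create; payload_ran tells whether it was created.
    Returns None when no sh is available (e.g. plain Windows)."""
    sh = shutil.which("sh")
    if sh is None:
        return None
    if interpreter is None:
        interpreter = sys.executable
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "pwned")
        script = render_hook(interpreter.replace("{marker}", marker), quoted)
        path = os.path.join(tmp, "post-commit")
        with open(path, "w") as f:
            f.write(script)
        proc = subprocess.run([sh, path], cwd=tmp, capture_output=True, text=True)
        return {
            "exit": proc.returncode,
            "stdout": proc.stdout,
            "stderr": proc.stderr,
            "payload_ran": os.path.exists(marker),
        }


if __name__ == "__main__":
    hostile = "/nonexistent/python; touch {marker}"   # constructed hostile path
    print("unquoted tokens:", shell_words("_PINNED=" + hostile))
    print("quoted tokens:  ", shell_words("_PINNED=" + single_quote(hostile)))
    print("pre-fix hook, payload ran:", (run_hook(hostile, quoted=False) or {}).get("payload_ran"))
    print("hardened hook, payload ran:", (run_hook(hostile, quoted=True) or {}).get("payload_ran"))
    print("hardened hook with real interpreter:", (run_hook() or {}).get("stdout", "").strip())
```

The tokenization alone shows the defect: unquoted, the line splits at `;` and whatever follows the path becomes a second command that runs on every commit; single-quoted, the whole path is one word and an unusable path only produces the stderr diagnostic and a zero exit. Note that the injected text still reaches the diagnostic message, which is harmless because `echo` receives it as a quoted argument.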


About graphify

AI coding assistant skill (Claude Code, Codex, OpenCode, Cursor, Gemini CLI, OpenClaw, Factory Droid, Trae). Turn any folder of code, docs, papers, images, videos, or YouTube links into a queryable knowledge graph


Related context

Earlier breaking changes

  • v0.8.18 Breaks Java `extends` edges; they are renamed to `inherits`. Update queries filtering on `relation="extends"` for Java nodes.
