career-ops

vcareer-ops-v1.8.0 scope: career-ops Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 19d AI Agents & Assistants

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

ai-agent anthropic automation career careerops claude

+6 more

claude-code cli go interview-prep job-search resume

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 9d

The scan component now validates Greenhouse URL hostnames against an allowlist to prevent SSRF. Additionally, dotenv has been updated to version 17.

Why it matters: Prevents server‑side request forgery by restricting allowed Greenhouse URLs; upgrades the dotenv dependency to version 17 mitigates known issues in earlier releases.

Summary

AI summary

Scan validates Greenhouse URL hostnames against an allowlist to prevent SSRF.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	redact API key from error logs, harden summary parsing redact API key from error logs, harden summary parsing Source: llm_adapter@2026-05-21 Confidence: low	—
Feature
Feature	Medium	scan: optional location_filter in portals.yml and persist location to scan-history scan: optional location_filter in portals.yml and persist location to scan-history Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	gemini-eval includes profile.yml and _profile.md in evaluation gemini-eval includes profile.yml and _profile.md in evaluation Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	merge-tracker preserves short specialty acronyms, requires non-baseline overlap merge-tracker preserves short specialty acronyms, requires non-baseline overlap Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	portals update Weights & Biases entry to CoreWeave acquisition portals update Weights & Biases entry to CoreWeave acquisition Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	templates align CV certification rows on a 3-column grid templates align CV certification rows on a 3-column grid Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	update-system allows writing-samples/README.md as system-owned file update-system allows writing-samples/README.md as system-owned file Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	update dotenv to v17 update dotenv to v17 Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Low	updates dotenv dependency to version 17 updates dotenv dependency to version 17 Source: granite4.1:30b@2026-05-22-audit Confidence: low	—
Bugfix
Bugfix	Medium	batch workers read modes/_profile.md and config/profile.yml batch workers read modes/_profile.md and config/profile.yml Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	modes /career-ops respects user language, not JD language modes /career-ops respects user language, not JD language Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	update-system bootstraps .agents/ for v1.6→v1.7 migration update-system bootstraps .agents/ for v1.6→v1.7 migration Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	scan validates Greenhouse URL hostname against allowlist to prevent SSRF scan validates Greenhouse URL hostname against allowlist to prevent SSRF Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

1.8.0 (2026-05-15)

Features

scan: optional location_filter in portals.yml + persist location to scan-history (#570) (d692647)

Bug Fixes

batch: workers read modes/_profile.md and config/profile.yml (#537) (150e223), closes #534
deps: update dotenv to v17 (#499) (ce1330e)
gemini-eval: include profile.yml and _profile.md in evaluation (#618) (73dc603), closes #617
gemini-eval: redact API key from error logs, harden summary parsing (#582) (fdca4de)
gemini-eval: switch default model to non-deprecated endpoint, surface 429 guidance (#615) (dd3e036), closes #614
manifest: align plugin.json skills field with Claude Code plugin schema (#612) (a77d3f6)
merge-tracker: preserve short specialty acronyms, require non-baseline overlap (#634) (5ed3b3d), closes #633
modes: make /career-ops deep respect user language, not JD language (#568) (e5f0508)
portals: update Weights & Biases entry to CoreWeave acquisition (#493) (1411cdc)
release: sync VERSION file to 1.7.1 (2ebfcab)
scan: validate Greenhouse URL hostname against allowlist to prevent SSRF (#602) (988f7bb)
templates: align CV certification rows on a 3-column grid (#638) (082cd11)
update-system: allow writing-samples/README.md as system-owned file (#562) (207fd07)
update-system: bootstrap .agents/ for v1.6→v1.7 migration (#654) (4714504)
update-system: defensive VERSION parsing for release-please marker (#547) (bf84886)

Security Fixes

Scan validates Greenhouse URL hostname against an allowlist — prevents SSRF

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track career-ops

Get notified when new releases ship.

About career-ops

AI-powered job search system built on Claude Code. 14 skill modes, Go dashboard, PDF generation, batch processing.

All releases →