This release includes 1 security fix for security teams reviewing exposed deployments.
Summary
AI summary: Removes checksum of plain‑text secrets from metadata files.
Full changelog
This is to be considered the initial release of the project, and is not expected to be stable. The API may change without a major version bump.
Previous releases had a security flaw: they stored the checksum of plain-text secrets in the metadata file. While it is difficult, attackers could potentially use this checksum to brute-force the secrets. For this reason, the previous releases have been yanked.
This release removes the checksum from the metadata file.
If you are upgrading from a previous version, you will need to force re-encrypt (ctg decrypt --force && ctg encrypt --force) your secrets with this version to remove the checksum from the metadata file.
Breaking Changes
- Removed the checksum field from metadata files.
Security Fixes
- CVE-2026-XXXXX — Previous releases stored plain‑text secret checksums in metadata, enabling brute‑force attacks; this release removes the checksum.
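A post-upgrade check for the force re-encrypt step above, added here as an example and not part of the project's own code: it scans a directory tree for files that still contain a checksum key. The field name `checksum`, the directory argument and the formats handled (JSON, or `key = value` / `key: value` lines) are assumptions, since the release notes do not state the metadata format.

```python
"""Audit a secrets directory for metadata files that still carry a checksum field."""
import json
import re
import sys
from pathlib import Path

# Assumption: the field is literally named "checksum" (the release notes call it
# "the checksum field"); the metadata file format and location are not stated.
FIELD = "checksum"
# Matches `checksum = ...`, `checksum: ...`, `"checksum": ...` at the start of a line.
KEY_LINE = re.compile(r'^\s*["\']?' + FIELD + r'["\']?\s*[:=]', re.IGNORECASE)


def json_has_field(node):
    """Return True if a parsed JSON value contains the field at any depth."""
    if isinstance(node, dict):
        return any(k.lower() == FIELD or json_has_field(v) for k, v in node.items())
    if isinstance(node, list):
        return any(json_has_field(v) for v in node)
    return False


def find_leftover_checksums(root):
    """Return sorted relative paths of files under root that still hold the field."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # encrypted blobs and unreadable files are not metadata
        try:
            found = json_has_field(json.loads(text))
        except ValueError:
            # Not JSON: fall back to a key-at-line-start match (TOML/YAML/INI style).
            found = any(KEY_LINE.match(line) for line in text.splitlines())
        if found:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


if __name__ == "__main__":
    leftovers = find_leftover_checksums(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name in leftovers:
        print("checksum field still present:", name)
    sys.exit(1 if leftovers else 0)
```

The script exits non-zero when any file still holds the field, so it can gate a CI job after the upgrade. Copies of old metadata kept in version-control history or backups are outside what this scan sees.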
About sayanarijit/cottage