UPinar/contrastapi

v1.33.10 Bugfix

This release fixes issues for SREs watching stability and regressions.

Published 16d MCP Security & Auth
✓ No known CVEs patched

Topics

ai-agents ai-security api claude cve security
domain-recon email-security email-validation llm-tools mcp mitre-atlas mitre-d3fend model-context-protocol osint sigma-rules threat-intelligence vulnerability-management web-intel

Affected surfaces

breaking_upgrade

Summary

AI summary

Fixed GHSA delta‑sync freeze by changing stop condition to strict < and moving newest_seen update after the check.

Changes in this release

Performance Medium

DB maintenance per-unit try/except and PRAGMA busy_timeout prevent whole-run abort on SQLITE_BUSY.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

GHSA delta-sync self-pin issue fixed with strict '<' and checkpoint update timing.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Domain header probe now consumes abandoned request task when HTTPS branch wins, fixing "Task exception was never retrieved".

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Other Low

affected_surface

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Full changelog

Patch hotfix on v1.33.9.

GHSA delta-sync self-pin fix

sync_ghsa used updated_at <= checkpoint as the stop test while seeding the
high-water mark from the top (newest) advisory before the stop check. After
any run the checkpoint self-pinned to the newest advisory's updated_at; every
subsequent run stopped at item 0 and processed 0 — the GHSA→cve_leading feed
silently froze.

Fix: strict < (a boundary-equal advisory is reprocessed via idempotent
upsert instead of being the stop trigger) and the newest_seen update moved
after the stop check, so a stop-at-item-0 run holds the checkpoint instead
of pinning it. Forward GHSA delta sync is restored. (One-time reconciliation
of the freeze window is handled operationally; idempotent upserts make it safe.)
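
The two loop orderings described above, as an added example (not contrastapi's code): a minimal model that assumes the pre-fix stop test compared against the mark just seeded from item 0. The function names, feeds and GHSA ids are constructed for illustration.

```python
from datetime import datetime, timezone

def ts(day):
    """Constructed UTC timestamp (sample data, not real advisory times)."""
    return datetime(2026, 5, day, tzinfo=timezone.utc)

def adv(ghsa_id, day):
    return {"id": ghsa_id, "updated_at": ts(day)}

# Constructed feeds, newest first, as an updated-descending listing would return them.
FEED_RUN1 = [adv("GHSA-sample-0003", 3), adv("GHSA-sample-0002", 2), adv("GHSA-sample-0001", 1)]
FEED_RUN2 = [adv("GHSA-sample-0005", 5), adv("GHSA-sample-0004", 4)] + FEED_RUN1

def sync_prefix(feed, checkpoint, store):
    """Assumed model of the pre-fix ordering: seed the mark, then test with <=."""
    mark, processed = checkpoint, 0
    for i, item in enumerate(feed):
        if i == 0:
            mark = item["updated_at"]          # seeded from the top item before the check
        if checkpoint is not None and item["updated_at"] <= mark:
            break                              # item 0 equals the mark it just set
        store[item["id"]] = item
        processed += 1
    return processed, mark

def sync_fixed(feed, checkpoint, store):
    """Post-fix ordering: strict < against the stored checkpoint, mark updated last."""
    newest_seen, processed = checkpoint, 0
    for item in feed:
        if checkpoint is not None and item["updated_at"] < checkpoint:
            break                              # strictly older than the checkpoint
        store[item["id"]] = item               # idempotent upsert keyed by advisory id
        processed += 1
        if newest_seen is None or item["updated_at"] > newest_seen:
            newest_seen = item["updated_at"]   # advanced only for processed items
    return processed, newest_seen

def two_runs(sync):
    """Run an initial sync, then a delta sync after two newer advisories appear."""
    store = {}
    _, checkpoint = sync(FEED_RUN1, None, store)
    processed, checkpoint = sync(FEED_RUN2, checkpoint, store)
    return processed, checkpoint, sorted(store)

if __name__ == "__main__":
    print("pre-fix :", two_runs(sync_prefix))
    print("post-fix:", two_runs(sync_fixed))
```

In the pre-fix model the checkpoint advances to the newest timestamp while the two newer advisories are never stored, which is why the freeze is silent. A monitor that alerts on consecutive delta runs processing 0 items while the checkpoint keeps moving would surface this class of failure.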

S253 resilience batch

  • DB maintenance: per-unit try/except + PRAGMA busy_timeout — one unit hitting
    SQLITE_BUSY no longer aborts the whole run (status: ok | partial w/ markers).
  • Domain header probe: the abandoned request task is consumed when the HTTPS
    branch wins the race (no "Task exception was never retrieved").
  • tldextract: bundled public-suffix list (suffix_list_urls=(), cache_dir=None)
    — no first-request network fetch / cache pollution (seo_audit, target_throttle).

Notes

  • Cache invalidated by VERSION bump (cache-key prefix carries it).
  • Tests: 2461 passing, ruff clean, pip-audit clean.
  • MCP surface unchanged: 53 tools / 7 Resources / 3 Prompts. No schema/contract
    change → MCP Registry republish not required.

Follows v1.33.9.

About UPinar/contrastapi

Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.

Related context

Earlier breaking changes

  • v1.33.11 `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call.
