This release adds 2 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
AI summary: Pattern-B streaming-cancel hardening fixes the httpx connection-pool leak and adds a 13-second hard timeout for two endpoints.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium | Route hard timeout for `GET /v1/tech/{domain}` and `GET /v1/domain/{domain}/vulns`: the live-page fetch is wrapped in a 13-second `wait_for`, returning a clean 504 on timeout. (Source: granite4.1:8b-q6_K@2026-05-21; confidence: high) | — |
| Dependency | Medium | pytest test count increased from 2440 to 2446, including new streaming pool-leak tests. (Source: granite4.1:8b-q6_K@2026-05-21; confidence: low) | — |
| Performance | Medium | Pool-acquire timeout increased from 5.0 to 12.0 seconds on the shared SSRF-guarded client. (Source: granite4.1:8b-q6_K@2026-05-21; confidence: high) | — |
| Bugfix | Medium | Pattern-B streaming-cancel hardening closes a bounded httpcore pool leak that could cause site-wide 504s. (Source: granite4.1:8b-q6_K@2026-05-21; confidence: high) | — |
Full changelog
PATCH hotfix on top of v1.33.7 (seq-fix; tag-only, no release). Completes the S251 httpx connection-pool leak remediation: v1.33.5 (initial hotfix) → v1.33.7 (parallel → sequential `fetch_live_page`) → v1.33.8 (pattern-B).
What changed
- Pattern-B streaming-cancel hardening (4 sites). `async with _ssrf_http.stream(...)` → `build_request` + `send(stream=True)` + `try/finally: await asyncio.shield(resp.aclose())` in `fetch_live_page`, `fetch_robots_txt`, `fetch_homepage_html` and `walk_redirect_chain`. The pooled connection is now returned even when the awaiting task is cancelled mid-stream, closing the bounded httpcore pool leak that could exhaust the pool and cause site-wide 504s.
- Pool-acquire timeout 5.0 → 12.0s on the shared SSRF-guarded client (defense-in-depth; effective now that streaming sites no longer pin a per-request timeout).
- Route hard timeout. `GET /v1/tech/{domain}` and `GET /v1/domain/{domain}/vulns` now wrap the live-page fetch in `asyncio.wait_for(…, 13.0)` (13 s) with a clean 504 on timeout (mirrors the canonical `domain_report` pattern; fixes a 500-on-timeout edge case). Operator note: these two endpoints now hard-cap at ~13s for unreachable/slow targets.
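To make the pattern concrete, here is an added, self-contained example; it is not code from contrastapi. A constructed stand-in pool models a bounded set of httpcore connection slots with an acquire timeout, `fetch_before` closes the response the way the old `async with client.stream(...)` shape did (an unshielded await in the cleanup path), `fetch_hardened` is the pattern-B `try/finally: await asyncio.shield(resp.aclose())` close, and `route_with_hard_timeout` is the `asyncio.wait_for` → 504 wrapper. The 12 s pool-acquire and 13 s route timeouts are scaled down to fractions of a second so the demo finishes quickly. The harness `cancel_mid_stream`, which keeps re-cancelling the task at every await, is an assumption standing in for a cancel scope that remains active through cleanup; that is the condition under which the close itself is interrupted and the slot is never returned.

```python
import asyncio

class PoolTimeout(Exception):
    """Stand-in for httpx.PoolTimeout: no free connection within the acquire timeout."""

class FakePool:
    """Constructed stand-in for a bounded httpcore pool: max_connections slots."""
    def __init__(self, max_connections: int, acquire_timeout: float) -> None:
        self._slots = asyncio.Semaphore(max_connections)
        self.acquire_timeout = acquire_timeout
        self.in_use = 0  # slots currently held by an open response

    async def stream(self, chunks: int, chunk_delay: float) -> "FakeResponse":
        # build_request + send(stream=True): the slot is taken here and only
        # given back when the response is closed.
        try:
            await asyncio.wait_for(self._slots.acquire(), self.acquire_timeout)
        except asyncio.TimeoutError:
            raise PoolTimeout("pool exhausted") from None
        self.in_use += 1
        return FakeResponse(self, chunks, chunk_delay)

    def release(self) -> None:
        self.in_use -= 1
        self._slots.release()

class FakeResponse:
    def __init__(self, pool: FakePool, chunks: int, chunk_delay: float) -> None:
        self._pool, self._chunks, self._delay = pool, chunks, chunk_delay

    async def aiter_bytes(self):
        for _ in range(self._chunks):
            await asyncio.sleep(self._delay)  # one network read per chunk
            yield b"\x00" * 16

    async def aclose(self) -> None:
        # Closing a pooled connection is itself awaitable I/O. A cancel scope
        # that is still active interrupts it here, and the slot is never freed.
        await asyncio.sleep(0.01)
        self._pool.release()

async def fetch_before(pool: FakePool, chunks: int = 20, delay: float = 0.01) -> bytes:
    """Pre-v1.33.8 shape: `async with client.stream(...)` closes in __aexit__
    with an unshielded await (written out as try/finally for comparison)."""
    resp = await pool.stream(chunks, delay)
    try:
        return b"".join([c async for c in resp.aiter_bytes()])
    finally:
        await resp.aclose()

async def fetch_hardened(pool: FakePool, chunks: int = 20, delay: float = 0.01) -> bytes:
    """Pattern-B: the close runs as its own shielded task, so cancelling the
    fetching task cannot cancel the close and the slot always goes back."""
    resp = await pool.stream(chunks, delay)
    try:
        return b"".join([c async for c in resp.aiter_bytes()])
    finally:
        await asyncio.shield(resp.aclose())

async def route_with_hard_timeout(pool: FakePool, fetch, route_timeout: float) -> int:
    """HTTP status the route answers: 200, or a clean 504 on route timeout or
    pool exhaustion (the asyncio.wait_for(..., 13.0) -> 504 pattern, scaled down)."""
    try:
        await asyncio.wait_for(fetch(pool), route_timeout)
        return 200
    except (asyncio.TimeoutError, PoolTimeout):
        return 504

async def cancel_mid_stream(pool: FakePool, coro) -> None:
    """Run coro until it holds a slot and is streaming, then cancel it and keep
    cancelling at every await until it exits. Assumption: this models a cancel
    scope that stays active through cleanup; a lone Task.cancel() would not
    by itself re-cancel the close."""
    held = pool.in_use
    task = asyncio.create_task(coro)
    while pool.in_use == held and not task.done():
        await asyncio.sleep(0)
    await asyncio.sleep(0.005)  # now inside the first chunk read
    while not task.done():
        task.cancel()
        await asyncio.sleep(0)

async def _scenario() -> dict:
    out = {}
    pool = FakePool(max_connections=2, acquire_timeout=0.05)
    out["slow_target"] = await route_with_hard_timeout(  # unreachable/slow target
        pool, lambda p: fetch_hardened(p, chunks=50, delay=0.02), route_timeout=0.1)
    for name, fetch in (("before", fetch_before), ("hardened", fetch_hardened)):
        pool = FakePool(max_connections=2, acquire_timeout=0.05)
        for _ in range(2):  # two callers disconnect mid-stream
            await cancel_mid_stream(pool, fetch(pool))
        await asyncio.sleep(0.05)  # let any shielded close finish
        out[name + "_slots_held"] = pool.in_use
        out[name + "_next_status"] = await route_with_hard_timeout(pool, fetch, 0.5)
    return out

def demo() -> dict:
    return asyncio.run(_scenario())
```

`demo()` shows the three behaviours the changelog describes: the route answers 504 for a slow target instead of hanging; with the old close shape two mid-stream cancellations leave both slots pinned, so the next request fails pool-acquire and the route returns 504 for every caller; with the shielded close both slots come back and the next request succeeds. The pool-acquire timeout is what turns a pinned pool into a bounded 504 rather than an indefinite hang, which is why the release treats raising it to 12 s as defense-in-depth rather than the fix itself.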
Compatibility
- No response shape/content change for the same input. No schema / route / MCP-contract change.
- MCP: 53 tools / 7 Resources / 3 Prompts — unchanged. MCP Registry not republished (no contract change).
Tests
- pytest 2440 → 2446 (+6: new `test_streaming_pool_leak.py`: pool-timeout, aclose-on-cancel ×3, route `wait_for` ×2). Full suite green; ruff + pip-audit clean.
About UPinar/contrastapi
Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.
Earlier breaking changes
- v1.33.11 `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call.