No immediate action

v1.6.13 Breaking risk 9d

LLM handling, citations, UI, embeddings, deps, tests

Open

Review required

v1.6.12 Breaking risk 10d

Breaking upgrade Dependencies

Math rendering + citation format + upload limits

Open

Review required

v1.6.11 Security relevant 17d

Auth RCE / SSRF

IMDS block + API key redaction

Open

Upgrade now

v1.6.10 Security relevant 22d

RCE / SSRF Dependencies Breaking upgrade

SSRF parser‑differential bypass fix

Open

v1.6.9 Breaking risk 1mo

Breaking changes

Changed default `local_context_window_size` from 30208 to 20480

Notable features

Migrated release notes generation to towncrier news fragments
Added prerelease Docker image workflow for CI testing

Full changelog

TL;DR

This release smooths out the research UI and tightens default resource limits.

UX: Research queries are now validated only on submit, not on blur (#3785).
Defaults: Reduced the default local_context_window_size from 30208 to 20480 (#3787), and set search.fetch.mode to default to summary_focus_query in LangGraph (#3793).
Fixes: Increased AI summary timeout and added diagnostics for empty content (#3783); underlined help-text links for WCAG compliance (#3784).

What's Changed

✨ New Features

docs: link benchmarks dataset from FAQ and news model pickers by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3782
chore(settings): reduce default local_context_window_size 30208 -> 20480 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3787
feat(release): migrate to towncrier news fragments by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3773
feat(ci): add prerelease Docker image workflow for pre-release testing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3761

🐛 Bug Fixes

fix(release): bump AI summary timeout + diagnose empty content by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3783
fix(a11y): underline help-text links to satisfy WCAG link-in-text-block by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3784
fix(ui): only validate research query on submit, not on blur by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3785
fix(langgraph): default search.fetch.mode to summary_focus_query by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3793

🔧 CI/CD & Maintenance

chore(css): remove redundant .ldr-input-help duplicates by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3786
chore: bump patch version to 1.6.9 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3781

🧪 Tests

test(security): add happy-path coverage to login_required test suite by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3779

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.6.8...v1.6.9

View release on GitHub

v1.6.8 Bug fix 1mo

Notable features

Prevent accidental routing of auth engine through user‑DB migration runner

Full changelog

1.6.8 — release notes

Bug fixes

(#3747) Restored login for databases created before v1.4.0.
Users whose encrypted user database was created before 2026-03-25
(v1.4.0, when Alembic migrations were introduced) could not log in
after upgrading: their databases lacked the alembic_version row, and
the migration runner attempted to apply migrations from scratch against
a legacy column shape. Migration 0007's index backfill then failed on
missing columns (e.g. settings.category), leaving the database in a
corrupted intermediate state.

This release detects pre-Alembic databases on first launch, stamps them
at the correct baseline (revision 0001), and lets the remaining
migrations apply cleanly. Look for the BUG-3747: log line at startup
to confirm the recovery path engaged.

Affected users just need to update to 1.6.8 (or :latest / :1.6)
and restart — the recovery is automatic on the next launch.

Hardening
- stamp_database() is now race-tolerant: concurrent stampers (e.g. two
  same-user logins arriving simultaneously) no longer trigger
  OperationalError / IntegrityError on the duplicate
  alembic_version insert. The race-tolerance is narrowly scoped to
  alembic_version-related errors, so disk-full / corruption / unrelated
  SQLITE_BUSY errors continue to propagate.
- run_migrations() refuses to operate on what looks like an auth-DB
  shape (only users table, optionally with alembic_version) — defense
  in depth against accidentally routing the auth engine through the
  user-DB migration runner.

What's Changed

🔒 Security Updates

fix(llm): remove silent gemma3:12b fallback for Ollama model by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3670
test(security): add ntfys:// scheme test coverage and update docs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3757
security: validate search_type against allowlist in GitHub search engine by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3085

✨ New Features

feat(hooks): add release notes reminder pre-commit hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3763
feat(release): prepend docs/release_notes/.md to release body by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3768
feat(ui): link sidebar version to its GitHub release by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3771
docs: link LDR benchmarks dataset for local model selection by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3780

🐛 Bug Fixes

fix(mcp): thread settings_snapshot to analyze_documents by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3683
fix(research-functions): thread settings_snapshot through analyze_documents by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3759
fix(db): tighten WAL autocheckpoint default 1000 → 250 frames by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3735
fix(tests): retry full source fetch on transient network errors in release-gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3754
fix(tests): add engine.dispose() / db.reset() cleanup to journal quality tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3760
fix(db): stamp pre-Alembic DBs at 0001 to unblock login (#3747) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3770
fix(tests): cover wal_autocheckpoint in db_config registry tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3774

🔧 CI/CD & Maintenance

chore(labels): update GitHub labels for release automation clarity by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3764
chore: bump patch version to 1.6.8 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3753

🧹 Code Quality & Refactoring

refactor(scheduler): inline DocumentSchedulerUtil into routes (PR 2/3) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3750

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.6.7...v1.6.8

View release on GitHub

v1.6.7 New feature 1mo

Security fixes

Suppress libc CVE alerts and fix bearer false-positive detection (issues #7717‑#7721)

Notable features

HTTPS support added for ntfy.sh notifications

Full changelog

What's Changed

🔒 Security Updates

fix(security): suppress alerts #7717–#7721 (libc CVEs + bearer FP) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3751

🐛 Bug Fixes

fix(ci): give gh CLI repo context in monitor-publish by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3742
fix(safe-logger): require both .name and .message for error-like classification by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3741
fix(progress): show logs and status reliably on first page load by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3737

🔧 CI/CD & Maintenance

🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3744
fix(ci): use pdm lock instead of pdm update in dependency workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3755

⬆️ Dependencies

chore(deps-dev): bump vite from 7.3.2 to 8.0.10 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3688

⚙️ Configuration

fix(settings): dedupe research_library.* keys in default_settings.json by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3749

🐍 Python Changes

refactor(news): delete unused singleton getters (PR 1/3) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3748

Other Changes

chore: bump patch version to 1.6.7 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3738
add HTTPS support for ntfy.sh notifications by @cdzombak in https://github.com/LearningCircuit/local-deep-research/pull/3700

New Contributors

@cdzombak made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3700

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.6.6...v1.6.7

View release on GitHub

v1.6.6 Bug fix 1mo

Fixed CSRF token sending and success‑check failure when toggling the auto‑index feature.

Full changelog

What's Changed

🐛 Bug Fixes

fix(collections): send CSRF token + fix success-check on auto-index toggle (#3724) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3732
test(collections): fix tooltip selector in auto-index toggle test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3733

Other Changes

chore: bump patch version to 1.6.6 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3729

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.6.5...v1.6.6

View release on GitHub

v1.6.5 Breaking risk 1mo

Breaking changes

add WAL checkpoint before engine disposal

Full changelog

What's Changed

💥 Breaking Changes

fix(db): add WAL checkpoint before engine disposal by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3198

🐛 Bug Fixes

fix(db): retarget ResearchStrategy FK to research_history.id by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3725
test(stampede): use per-thread end-time spread, not flaky wall time by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3730
fix(css): stop news-feed grid items overflowing the mobile viewport by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3731

⚡ Performance Improvements

chore(models): drop redundant index=True on primary-key columns by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3727

📚 Documentation

docs: add interpretation guide to BENCHMARKING.md by @ishitta-iyer in https://github.com/LearningCircuit/local-deep-research/pull/3723

Other Changes

chore: bump patch version to 1.6.5 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3726

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.6.4...v1.6.5

View release on GitHub

v1.6.4 Security relevant 1mo

Security fixes

Notifications default to off; master switch controlled only via environment variable to reduce SSRF rebinding risk.

Full changelog

What's Changed

🔒 Security Updates

ci(nuclei): authenticate DAST scan + seed URLs from Flask url_map by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3698
feat(notifications): default-off + env-only master switch for SSRF rebinding risk by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3675
ci(playwright-webkit): drop checks: write to satisfy Scorecard by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3704
ci: temporarily disable nuclei DAST scan from release gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3720

🐛 Bug Fixes

fix: detect compound CSS selectors in class prefix hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3103
fix(pre-commit): match path components, not substrings, in CSS hook vendor filter by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3705
fix(js): remove duplicate top-level const escapeHtml (#3701) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3706
fix(ws): lazy-open per-user DB at WebSocket connect (#3697) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3707
fix(db): emit CreateIndex for fresh user DBs; repair download_tracker FK targets (#3697) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3708
perf(library): stop calling convert_all_research on every collection GET by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3710
Fix/createindex and download tracker fk by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3717

🔧 CI/CD & Maintenance

chore(deps): bump step-security/harden-runner from 2.17.0 to 2.19.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3690
chore(deps): bump actions/github-script from 8.0.0 to 9.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3691
chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3692
chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3694
chore(deps): bump anthropics/claude-code-action from 1.0.101 to 1.0.107 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3693

⬆️ Dependencies

chore(deps-dev): bump @vitest/coverage-v8 from 4.1.4 to 4.1.5 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3689
chore(deps): bump dompurify from 3.4.0 to 3.4.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3687
chore(deps-dev): bump vitest from 4.1.4 to 4.1.5 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3686

🧪 Tests

test(hooks): cover compound-selector regression in CSS class prefix hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3702

Other Changes

chore(css): remove orphan compound state rules and their keyframes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3703
chore: bump patch version to 1.6.4 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3682

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.6.3...v1.6.4

View release on GitHub

v1.6.3 Security relevant 1mo

Security fixes

Added @login_required decorator to previously unprotected routes and ensured nested API blueprints return JSON-formatted 401 Unauthorized responses, fixing auth bypass vulnerability.

Notable features

search.fetch.mode setting (full | summary | disabled) in langgraph
disable general.enable_fact_checking by default

Full changelog

What's Changed

🔒 Security Updates

security: add @login_required to unprotected routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3129
fix(auth): return JSON 401 for nested API blueprints + tests for #3129 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3678

✨ New Features

fix(ci): run migration tests on PRs that touch migrations by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3552
ci: add publish failure coordination by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2932
config: disable general.enable_fact_checking by default by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3672
ci(release): polish monitor-publish issue creation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3679
feat(langgraph): add search.fetch.mode setting (full | summary | disabled) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3680

🐛 Bug Fixes

test: align route tests with @login_required additions from #3129 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3681
fix(journal-quality): bump retry budget for OpenAlex partition fetches by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3685
fix: correct CSS class prefix bugs in news.js and pdf.js, improve hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3080
fix(tests): add try/finally guards for engine disposal in alembic tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3212
fix(tests): dynamically find settings for type-conversion tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3183
fix(tests): align two failing tests with current production behavior by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3695

🔧 CI/CD & Maintenance

fix(ci): build Vite assets in playwright-webkit-tests workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3674
fix(ci): switch e2e LLM to gemini-2.5-flash-lite, tolerate transient errors in markdown export check by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3696

🧹 Code Quality & Refactoring

refactor: remove 5 dead functions from utilities and config (-229 lines) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3186
refactor: extract shared ensure_in_collection utility by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2978

🐍 Python Changes

chore: delete orphan compare_strategies_visual.py (broken import) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3677

Other Changes

chore: bump patch version to 1.6.3 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3676

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.6.2...v1.6.3

View release on GitHub

v1.6.2 Breaking risk 1mo

Security fixes

Add WebSocket authentication check — prevents unauthenticated connections.

Notable features

Cache PDM in CI pre-commit step and add missing timeouts
Increase default local_context_window_size from 18432 to 30208

Full changelog

What's Changed

🔒 Security Updates

chore(lint): enable no-console for src/ JS — SafeLogger required by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3653
fix: executor shutdown cancel_futures and SSRF hostname test updates by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3311
security: add WebSocket authentication check by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3127
chore(lint): add eslint-plugin-regexp + fix 9 regex issues (incl 3 ReDoS) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3662

💥 Breaking Changes

refactor: remove dead benchmark and citation functions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3187

✨ New Features

perf(ci): cache PDM on pre-commit + add missing timeouts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3553
chore(settings): bump default local_context_window_size 18432 -> 30208 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3669

🐛 Bug Fixes

fix(journal-quality): pass consume_body=True from iter_partitions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3652
fix(search): apply programmatic_mode post-construction in factory by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3644
fix: add ldr- prefix to innerHTML classes and fix alert-error pattern by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3124
chore(lint): enable no-undef + enumerate project + browser globals by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3657
chore(lint): enable bug-detection trio (consistent-return + no-loop-func + require-atomic-updates) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3655
fix(a11y): use persistent live regions for toast notifications by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3666
fix(encrypted-db): fail loud when create_user_database hits migration error by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3663

📚 Documentation

docs(websocket): document auth requirement for WS handshake by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3658

🔧 CI/CD & Maintenance

ci(a11y): capture ldr-a11y-server logs on failure by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3651
chore(pyproject): drop stale benchmarks/cli.py comment after #3187 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3667

🧹 Code Quality & Refactoring

chore(js): centralize Bootstrap alert/toast type mapping by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3659

🧪 Tests

fix(tests): update remaining stale paths from PR #3538 rename by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3642

🎨 Frontend Changes

chore(css): drop dead inline-style selectors superseded by ldr- prefixing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3660

Other Changes

test(search): contract test that engines honor programmatic_mode by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3654
chore(css): drop dead .ldr-alert-error selectors by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3664
chore: bump patch version to 1.6.2 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3639

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.6.1...v1.6.2

View release on GitHub

v1.6.1 Breaking risk 1mo

Security fixes

Close settings-key injection bypass on form-POST route and harden namespace gates
Suppress Bearer FP on pre-commit hook path read (#7711)

Notable features

Advisory recommend-performance-tests pre-commit hook

Full changelog

What's Changed

🔒 Security Updates

fix(pdf): migrate WeasyPrint fetcher off deprecated default_url_fetcher by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3622
security: close settings-key injection bypass on form-POST route and harden namespace gates by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3528
fix(security): suppress Bearer FP on pre-commit hook path read (#7711) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3648
fix(safe-requests): retry body-stream transients via consume_body opt-in by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3647

✨ New Features

feat(hooks): advisory recommend-performance-tests pre-commit hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3540
ci: bound curl health checks with --connect-timeout/--max-time by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3632
refactor(metrics): drop redundant DB rebuild in /api/journal-data/download by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3574

🐛 Bug Fixes

ci(ui-tests): add per-shard retry with fresh server per attempt by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3628
fix(metrics): propagate research context across LangGraph tool threads by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3631
chore(lint): enable no-shadow + rename 47 inner shadows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3630
fix(migrations): chmod migrations dir in Docker + fail loud on migration error by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3635
fix(relevance-filter): raise wall timeout from 120s to 300s by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3634
fix(auth): distinguish migration failures from credential failures at login by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3637
fix(citations): tell follow-up prompts not to create a bibliography by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3638
fix(strategy): increase LangGraph subagent timeouts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3625
fix(logs): make flush_log_queue non-blocking + add log daemon by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3488
fix(docker): chmod migrations dir in ldr-test stage too by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3650

🔧 CI/CD & Maintenance

fix(ci): update compat workflow to point at relocated test paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3641

⬆️ Dependencies

chore(lint): enable no-unused-expressions via chai-friendly plugin by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3649

🧹 Code Quality & Refactoring

refactor(tests): consolidate live-service tests into tests/performance/ by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3538
refactor(tests): split @integration classes out of engine/mcp mixed files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3609

🧪 Tests

fix(tests): contain error_handling sub-test failures with timeout + recovery by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3629
chore(lint): enable no-return-assign + no-case-declarations by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3636
test(metrics): drop dead build_reference_db / reset_db patches by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3646
chore(lint): enable no-else-return + no-lonely-if by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3643

🎨 Frontend Changes

chore(lint): enable no-useless-assignment + fix 14 dead stores by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3627
chore(lint): enable radix + add explicit base to 45 parseInt calls by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3640

Other Changes

chore: bump patch version to 1.6.1 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3585

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.6.0...v1.6.1

View release on GitHub

v1.6.0 Breaking risk 1mo

Security fixes

fix: escape SQL LIKE wildcards in library domain and search filters (SQL injection protection)
fix(security): build journal-data response from structured state (CodeQL #7684)
fix(deps): override uuid to ^14.0.0 in accessibility tests (GHSA-w5hq-g745-h8pq)

Notable features

Redesign of journal quality system with data‑driven scoring and automatic predatory journal removal
Route academic URLs through specialized downloaders in search results

Full changelog

Core Feature

Journal Filter: Highly improves quality of scientific search engines like OpenAlex and allows configurational changes to prefered quality.

What's Changed

🔒 Security Updates

fix: escape SQL LIKE wildcards in library domain and search filters by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3427
fix(ci): expand npm audit to cover all test package.json files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3259
security: patch pypdf/langchain-core/cryptography/pytest; drop PyPDF2 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3479
chore(deps): clean up unused, duplicate, and unbounded dependencies by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3229
fix(threads): clear per-worker password cache + remove no-op decorator by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3519
fix(examples): make mock LLM example truly offline + reject search.tool='none' by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3520
refactor(security): simplify danger-zone-alert — fewer labels, explicit paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3530
refactor(security): expand danger-zone paths + fix security/** label misnomer by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3534
chore(hooks): add pre-commit hook to detect duplicated test fixtures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3262
fix(hooks): close raw-SQL detection gaps in custom-checks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3543
feat: redesign journal quality system with data-driven scoring and predatory auto-removal by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3081
fix(metrics): rate-limit journals read endpoints + allowlist score_source by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3567
fix(deps): bump brace-expansion to 5.0.5 to resolve npm audit failure by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3584
fix(security): build journal-data response from structured state (CodeQL #7684) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3572
fix(hooks): use name/segment-based env-var exemptions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3550
fix(hooks): close URL-security bypass gaps by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3546
fix(security): suppress glibc CVE-2026-5358, CVE-2026-5450, CVE-2026-5928 (#7696-#7701) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3596
fix(deps): override uuid to ^14.0.0 in accessibility tests (GHSA-w5hq-g745-h8pq) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3598
fix(security): replace blanket bearer suppression with inline comments by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3601
fix(security): place bearer:disable on preceding line (#7689, #7692, #7704-#7707) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3611
fix(deps): override postcss to ^8.5.10 (GHSA-qx2v-qp2m-jg93) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3615
fix(security): gate PDF WeasyPrint url_fetcher with SSRF validator by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3613
chore(security): suppress CVE-2026-6019 in grype (unreachable) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3619

✨ New Features

Fix fetch_content failing on GitHub URLs: replace REMOVE_PATTERNS with justext by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3376
feat: route academic URLs through specialized downloaders in search results by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3409
feat: add is_lexical flag to auto-enable LLM relevance filtering for keyword-based engines by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3403
perf: unblock settings load from provider/engine fetch by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3181
test: comprehensive Vitest JS unit tests (348 tests) + CI integration by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3385
ci(ui-tests): capture ldr-server logs on failure for diagnosis by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3431
docs(benchmarks): point community results to HF dataset by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3430
fix: wire up library date filter as server-side filter by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3392
fix: canonicalize URLs when deduping Sources section by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3482
fix(pdf): graceful degradation when WeasyPrint system libs are missing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3459
fix(db): race-free prerequisites for dropping IMMEDIATE isolation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3490
fix(relevance_filter): tighter prompt, snippet cap 200->800, cap fallback 5->20, dev eval tooling by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3476
ci(ui-tests): shard Puppeteer tests into 4 parallel matrix cells by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3512
fix(queue): close race + thread-safety gaps in _start_research by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3506
chore(hooks): require UtcDateTime in migrations too by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3523
feat: add strategy-deletion documentation hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3529
feat(ci): add benchmark-needed label on advanced_search_system changes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3531
perf(journals): index Source.score_source; bump schema version by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3568
test(journal_quality): assert PRAGMA user_version on built DB by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3577
chore(lint): enable 38 more zero-cost ESLint safety rules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3610
feat(journal_quality): CHECK constraint on Source.score_source by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3578

🐛 Bug Fixes

fix(css): restore display:flex on .ldr-app-container (Safari sidebar regression) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3398
fix: address 5 code-level issues from audit by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3379
fix: switch ESLint pre-commit to local hook with explicit dependency by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3406
fix: treat empty environment variables as unset to fix provider selection by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3362
fix: load safe-logger.js in before Vite app.js to prevent undefined error by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3408
fix: wrap APScheduler jobs with Flask app context by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3404
fix: harden scheduler startup and cleanup endpoint by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3410
fix: resolve provider selection case mismatch and inconsistent defaults by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3348
feat: make library research filter server-side for cross-page filtering by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3394
fix(benchmark): use completed_examples in YAML export accuracy fraction by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3461
fix(rag): pass db_session to settings manager in rag_service_factory by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3458
fix: reorder _start_research to eliminate stuck IN_PROGRESS window by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3481
fix(research-routes): cleanup orphan state on spawn failure by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3500
fix(spawn-failure): complete cleanup in direct + benchmark paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3501
test(queue): fix broken mock in terminal-failure test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3492
fix(research): dedup guard in start_research_process by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3499
fix(followup): cleanup orphan ResearchHistory on spawn failure by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3503
fix(queue): handle DuplicateResearchError on direct-mode spawn paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3522
refactor(queue): extract commit/delete helpers + clarify DuplicateResearchError semantics by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3521
fix: register fetch_content results in collector for citation tracking by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3457
test(langgraph-agent): cover fetch_content collector registration by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3526
fix(scheduler): over-reach relative import + delete 4 stale test files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3537
fix(dashboard): remove dead predatory score_source filter option by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3575
fix(hooks): tighten deprecated-db detection by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3547
fix(deps): loosen lxml constraint to resolve crawl4ai pip conflict by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3589
fix(test): register llm.deepseek. as dynamic setting prefix by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3595
fix(ci): use playwright JS API to resolve Chrome binary path by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3606
fix(report): skip single-subsection entries in TOC to match body by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3588
fix(tests): restore Playwright fixture names broken by lint rename by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3612
fix(migration): recreate idx_papers_* indexes on rerun with existing table by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3614
fix(tests): patch all middleware db_manager bindings in followup API tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3602
fix(tests): resolve Puppeteer navigation timeouts in settings-save and followup CI tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3624
fix(ui): resolve Safari/WebKit sidebar and mobile overflow layout issues by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3623
fix(hooks): deduplicate deprecated-settings-wrapper errors by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3549

⚡ Performance Improvements

Remove redundant Ollama pre-flight HTTP checks from get_llm() code path by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3371
perf(db): short-circuit run_migrations when already at head by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3485
perf(ci): cancel in-progress runs on PR workflows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3554
refactor(journal): consolidate UNIQUE indexes on journals table by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3571

🗄️ Database Changes

fix(tests): add try/finally guards for sqlite3 and session cleanup by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3215

📚 Documentation

docs: add Acknowledgements section to README by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3471
fix(journal-reputation): sync stale threshold default 4 → 2 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3524
docs(scheduler): explain why last_run is not in try/finally by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3532
fix(journal_quality): correct build log — decompresses, does not download by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3576
docs(ci): add concurrency-omission rationale to workflow files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3600

🔧 CI/CD & Maintenance

chore: gitignore auto-generated themes.css by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3400
fix: switch ESLint pre-commit from mirrors-eslint to local hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3402
chore(deps): bump pdm-project/setup-pdm from 4.4 to 4.5 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3423
chore(deps): bump dorny/paths-filter from 3.0.2 to 4.0.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3421
chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3424
chore(deps): bump docker/login-action from 4.0.0 to 4.1.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3426
chore(deps): bump google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml from 2.3.3 to 2.3.5 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3425
chore(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3468
chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3464
chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3467
chore(deps): bump step-security/harden-runner from 2.16.0 to 2.17.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3466
chore(deps): bump docker/build-push-action from 7.0.0 to 7.1.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3465
🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3480
fix(tests): auto-skip integration tests when running with mocks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3261
chore(deps): bump anthropics/claude-code-action from 1.0.76 to 1.0.101 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3565
chore(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3564
chore(deps): bump projectdiscovery/nuclei-action from 3.1.0 to 3.1.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3563
chore(deps): bump actions/cache from 5.0.4 to 5.0.5 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3562
chore(deps): bump github/codeql-action from 4.35.1 to 4.35.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3566
ci(ui-tests): move keyboard/accessibility test to dedicated shard by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3586
Revert "perf(ci): cancel in-progress runs on PR workflows" by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3599
fix(ci): resolve Playwright browser mismatch in accessibility tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3605
refactor(ci): split UI test shards from 5 to 14 for reliability by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3607
fix(tests): bump research-results page-load timeout to 30s in CI by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3616
chore(deps): update lock file for latest minor/patch versions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3594
test(e2e): tolerate transient upstream LLM errors in research workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3608
fix(tests): dispose SQLAlchemy engines in miscellaneous test files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3213

⬆️ Dependencies

chore(deps-dev): bump vite from 7.3.1 to 7.3.2 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3433
chore(deps): bump basic-ftp from 5.2.0 to 5.2.1 in /tests/puppeteer in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3440
chore(deps): bump basic-ftp from 5.2.0 to 5.2.1 in /tests/ui_tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3439
chore(deps-dev): bump basic-ftp from 5.2.0 to 5.2.1 in /tests/api_tests_with_login in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3438
chore(deps): bump basic-ftp from 5.2.0 to 5.2.1 in /tests/accessibility_tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3436
chore(deps): bump marked from 17.0.5 to 17.0.6 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3420
chore(deps): bump basic-ftp from 5.2.1 to 5.2.2 in /tests/puppeteer in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3450
chore(deps): bump basic-ftp from 5.2.1 to 5.2.2 in /tests/accessibility_tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3449
chore(deps-dev): bump basic-ftp from 5.2.1 to 5.2.2 in /tests/api_tests_with_login in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3448
chore(deps): bump basic-ftp from 5.2.0 to 5.2.1 in /tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3437
chore(deps-dev): bump eslint from 9.39.4 to 10.2.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3422
chore(deps-dev): bump eslint from 10.1.0 to 10.2.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3419
chore(deps): bump basic-ftp from 5.2.1 to 5.2.2 in /tests/ui_tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3447
chore(deps): bump basic-ftp from 5.2.1 to 5.2.2 in /tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3470
chore(deps): bump puppeteer from 24.40.0 to 24.41.0 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3497
chore(deps): bump puppeteer from 24.40.0 to 24.41.0 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3495
chore(deps): bump dompurify from 3.3.3 to 3.4.0 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3498
chore(deps): bump puppeteer from 24.40.0 to 24.41.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3496
chore(deps-dev): bump puppeteer from 24.40.0 to 24.41.0 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3494
chore(deps): bump basic-ftp from 5.2.2 to 5.3.0 in /tests/accessibility_tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3505
chore(deps-dev): bump eslint from 10.2.0 to 10.2.1 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3558
chore(deps): bump marked from 18.0.0 to 18.0.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3559
chore(deps-dev): bump happy-dom from 20.8.9 to 20.9.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3561
chore(deps): bump puppeteer from 24.41.0 to 24.42.0 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3583
chore(deps-dev): bump puppeteer from 24.41.0 to 24.42.0 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3581
chore(deps): bump puppeteer from 24.41.0 to 24.42.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3580
chore(deps): bump puppeteer from 24.41.0 to 24.42.0 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3582
chore(deps-dev): bump eslint from 10.2.0 to 10.2.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3560

🧹 Code Quality & Refactoring

refactor: extract shared pagination CSS into reusable component by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3395
refactor: extract IIFE-locked JS helpers to testable utility modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3451
refactor: delete dead entity_aware_source_strategy + clean stale conftest by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3205
refactor: delete 6 dead advanced_search_system files + 17 test files (-12,162 lines) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3184
refactor(hooks): narrow check-fixture-duplication to create_app() redefinitions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3535

🧪 Tests

fix: repair coverage CI test failures on main by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3428
fix(tests): patch db_manager in all before_request handlers to prevent flaky 302 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3472
test: add concurrent QueuePool smoke test for metrics sessions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3473
test: add 20 branch-coverage tests for loader/auth/mcp/playwright guards by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3509
test(auth): fix broken post-login atomicity structural guard by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3511
test(hooks): harden raw-SQL hook coverage with branch-level tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3545
test(utils): add unit tests for openalex_enrichment by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3569
fix(hooks): skip comments in check-utcnow-parens by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3551
test: add PB, EB, and negative PB coverage for human_size() by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3597
fix(test): update report generator tests to expect numbered headings by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3604

🎨 Frontend Changes

chore(lint): enable 24 more zero-cost ESLint safety rules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3617
chore(lint): enable 19 more zero-cost ESLint safety rules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3618
chore(lint): enable 5 more zero-cost ESLint safety rules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3620

🔄 Branch Syncs & Automation

Bench/arxiv search performance by @francealip in https://github.com/LearningCircuit/local-deep-research/pull/3469
chore(hooks): add pre-commit hook for get_settings_manager() thread-safety by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3460

Other Changes

test: add boilerplate-absent assertions to extraction tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3407
fix: library domain filter pre-existing issues by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3418
fix(benchmark): use actual dataset + strategy in YAML export by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3442
fix: return results on LLM exception in check_urls() instead of empty list by @kuishou68 in https://github.com/LearningCircuit/local-deep-research/pull/3475
test: add 134 tests for extraction pipeline and re-export modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3504
chore(security): bump python to 3.14.4-slim, resolve 20 open Grype alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3508
chore(lint): strengthen ESLint rules and fix violations by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3214
chore(lint): auto-fix prefer-const warnings in tests/ by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3533
fix: set search context in scheduler so rate limiting works by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3289
chore(lint): enable no-unused-vars + mechanical cleanup by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3536
chore(lint): enable 22 zero-cost ESLint safety rules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3541
chore(db): log cleanup errors in journal_quality/db.py instead of silent pass by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3570
chore: bump minor version to 1.6.0 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3399
fix: consistent section and subsection numbering by @ishitta-iyer in https://github.com/LearningCircuit/local-deep-research/pull/3579
fix(security): suppress 8 false-positive scanner alerts (#7684-#7695) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3590
fix: extend human_size() to include TB and PB units by @kuishou68 in https://github.com/LearningCircuit/local-deep-research/pull/3592
chore(lint): enable object-shorthand + autofix 183 sites by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3621
fix(hooks): tighten research_id type-check exemptions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3548
fix: lazy DB session creation to prevent QueuePool exhaustion by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3381
refactor(db): remove per-thread NullPool engines to fix FD leak by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3441
docs: fix stale pool-size comments and NullPool references after #3441 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3462
docs: update pool-sizing comments, FD calculations, and create ADR-0004 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3477
perf(auth): stop wiping ProviderModel cache on every login by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3484
fix(auth): atomic post-login settings + regression test, supersedes #3487 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3502
fix(observability): log uncaught exceptions on any daemon thread by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3489
fix(db): drop isolation_level=IMMEDIATE — let WAL readers proceed by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3491
chore(python): bump supported floor from 3.11 to 3.12 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3518
refactor: rename NewsScheduler → BackgroundJobScheduler, BackupScheduler → BackupExecutor by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3517
perf(observability): add timing logs for login-path hotspots by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3483

New Contributors

@kuishou68 made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3475
@ishitta-iyer made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3579

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.5.6...v1.6.0

View release on GitHub

v1.5.6 Breaking risk 2mo

Security fixes

Fix notification SSRF bypass via user-writable setting (CVE not specified)
CVE-2026-27456

Notable features

Server‑side pagination added to library page

Full changelog

What's Changed

🔒 Security Updates

fix(security): suppress gitleaks false positive for placeholder API key by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3367
security: fix notification SSRF bypass via user-writable setting by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3143
fix: update v17 token API for link renderer by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3384
chore: suppress CVE-2026-27456 and dismiss Gitleaks #7625 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3391
fix: allowlist historical commit for not-needed API key placeholder by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3397

💥 Breaking Changes

perf: defer PBKDF2 key derivation until engine cache miss by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3378

✨ New Features

fix(ci): add Hadolint PR trigger for Dockerfile changes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3232
chore(hooks): add pre-commit hook to enforce @pytest.mark.slow on sleeping tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3260
perf: move download manager pagination to SQL with batch PDF previews by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3387
feat: add server-side pagination to library page by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3388

🐛 Bug Fixes

perf: move library page pagination to SQL with batch blob checks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3291
fix: replace fake 'auto' storage mode with PDFStorageManager.pdf_exists classmethod by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3256
fix: add missing migration for research_resources.document_id column by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3386
fix: update tests broken by pagination and PDF storage changes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3396

⚡ Performance Improvements

perf: replace heavy aggregate query with lightweight dropdown query by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3389

📚 Documentation

Update Docker Compose section in README by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3368
Revise README to emphasize agentic research by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3369

🔧 CI/CD & Maintenance

🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3358
chore(deps): bump github/codeql-action from 4.33.0 to 4.35.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3302
chore(deps): bump actions/download-artifact from 8.0.0 to 8.0.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3300
chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3301
chore(deps): bump anthropics/claude-code-action from 1.0.64 to 1.0.76 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2985

🧪 Tests

fix(tests): rename stale CORS test method to match omission behavior by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3304

Other Changes

Fix #2747: Error when using llama.cpp server without API key by @JiwaniZakir in https://github.com/LearningCircuit/local-deep-research/pull/3359
feat: open research sources in a new tab (#3351) by @francealip in https://github.com/LearningCircuit/local-deep-research/pull/3374
Fix/pdf storage auto mode by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3390
chore: bump patch version to 1.5.6 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3364

New Contributors

@JiwaniZakir made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3359
@francealip made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3374

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.5.5...v1.5.6

View release on GitHub

v1.5.5 Maintenance 2mo

Minor fixes and improvements.

Full changelog

What's Changed

🔒 Security Updates

fix(deps): add lodash/lodash-es overrides to prevent vulnerable transitive resolution by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3361

Optimizations

fix: increase QueuePool size to 10/20 to prevent connection timeouts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3355

⬆️ Dependencies

chore(deps): bump lodash from 4.17.23 to 4.18.1 in /tests/accessibility_tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3360

Other Changes

chore: bump patch version to 1.5.5 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3354

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.5.4...v1.5.5

View release on GitHub

v1.5.4 Breaking risk 2mo

Minor fixes and improvements.

Full changelog

What's Changed

💥 Breaking Changes

fix: increase QueuePool size to prevent connection timeouts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3353
fix(tests): align pool size assertions with source by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3356

🔧 CI/CD & Maintenance

🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3350
chore: sync pdm.lock with pyproject.toml by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3357

Other Changes

chore: bump patch version to 1.5.4 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3352

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.5.3...v1.5.4

View release on GitHub

v1.5.3 Maintenance 2mo

Minor fixes and improvements.

Full changelog

What's Changed

Other Changes

chore: bump patch version to 1.5.3 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3345
[codex] fix loguru placeholder formatting by @harqian in https://github.com/LearningCircuit/local-deep-research/pull/3343

New Contributors

@harqian made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3343

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.5.2...v1.5.3

View release on GitHub

v1.5.2 Breaking risk 2mo

Breaking changes

Increased default local context window to 18432 for langgraph-agent

Security fixes

Fixed pygments CVE vulnerability

Notable features

Added langgraph_agent settings section with default iterations set to 50
Moved Token Usage Over Time chart to top of details page and added total tokens display plus VRAM warning reference

Full changelog

What's Changed

🔒 Security Updates

fix: context window default, compat test skip, pygments CVE, pip install gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3334

💥 Breaking Changes

fix: minimal QueuePool with periodic dispose to prevent FD exhaustion (alternative) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3340
fix: increase default local context window to 18432 for langgraph-agent by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3342

✨ New Features

feat: add langgraph_agent settings section and increase default iterations to 50 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3336
fix: move Token Usage Over Time chart to top of details page by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3341
fix: add total tokens to chart and mention metrics page in VRAM warning by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3344

🐛 Bug Fixes

fix(test): detect _get_setting() pattern and update warning message assertions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3347
fix: add mcp.servers default setting to fix CI integrity test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3349

🔧 CI/CD & Maintenance

chore(deps): bump actions/checkout from 6.0.0 to 6.0.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3303

Other Changes

chore: bump patch version to 1.5.2 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3333

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.5.1...v1.5.2

View release on GitHub

v1.5.1 Bug fix 2mo

Security fixes

pygments CVE

Full changelog

What's Changed

✨ New Features

fix: change local context window default from 10000 to 8192 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3328

🐛 Bug Fixes

fix(ci): skip compat test when previous PyPI version has broken deps by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3331
fix(test): prevent flaky rate limiting test failure on temp dir cleanup by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3335

🐍 Python Changes

fix: clarify LangGraph agent prompt is for research, not chat by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3329

Other Changes

chore: bump patch version to 1.5.1 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3320
chore: bump patch version to 1.5.1 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3330
fix: context window default 8192, compat test skip, pygments CVE by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3332

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.5.0...v1.5.1

View release on GitHub

v1.5.0 Breaking risk 2mo

Security fixes

fix(security): escape server data in innerHTML to prevent stored XSS
fix(security): restrict logout to POST-only to prevent CSRF
fix(security): eliminate TOCTOU race in secret key creation

Notable features

Add LangGraph autonomous agent research strategy

Full changelog

What's Changed

Core Features

Langgraph Agent

🔒 Security Updates

fix(security): use encodeURI for domain href in link_analytics by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3243
fix(web): use logger.error and remove misleading comment in WebAPIException handler by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3249
fix(security): escape server data in innerHTML to prevent stored XSS by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3220
chore(security): add eslint-plugin-no-unsanitized for innerHTML XSS detection by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3250
fix(a11y): improve accessibility of auth pages by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3156
a11y: dropdown ARIA, table scopes, page titles, sidebar labels, external link rels by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3164
fix: use authenticated user ID instead of hardcoded "anonymous" in run_subscription_now by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3117
fix(security): sanitize error messages before storing to database by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3122
fix(security): restrict logout to POST-only to prevent CSRF by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3144
security: sanitize API keys in exception log messages by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3132
fix(supply-chain): pin pre-commit hooks to commit SHAs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3101
fix(security): eliminate TOCTOU race in secret key creation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3128
refactor: use tuple instead of colon-delimited string in queue processor and credential store by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3137
security: cap unbounded search_cache and cover logger.exception in hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3148
security: escape HTML in PDF pipeline title and metadata by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3082
security: harden Docker containers with cap_drop and security_opt by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3083
security: fix MCP engine validation fail-open and add collection_name validation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3084
fix: correct data quality issues in default_settings.json by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3175
fix: eliminate reflected XSS in delete route validation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3316
security: fix cross-user session data breach in thread-local cache by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3134
security: fix content validation bypass on upload dedup path by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3145

💥 Breaking Changes

fix(tests): remove incorrect exc_info assertion in cursor close test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3245
refactor: remove dead LLM registry functions and unused base methods by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3188
fix: use .invoke().content instead of .generate() in dual confidence checker by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3120
fix: remove duplicate delete_collection route that shadowed canonical endpoint by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3150
fix(db): correct misleading comments about cleanup rate-limiting by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3174
fix(tests): align tests with tuple keys and POST-only logout by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3278
chore(lint): add ruff rules for logging, performance, exceptions, and print detection by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3211
fix: LangGraph agent improvements — citation indices, defaults, error UX by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3317

✨ New Features

refactor: extract library.html inline CSS to library.css (804 lines) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3207
fix(a11y): remove outline:none violations and add prefers-reduced-motion by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3152
fix(a11y): improve color contrast ratios for WCAG compliance by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3160
a11y: add aria-live regions for dynamic content updates by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3172
a11y: upload zone ARIA labels and keyboard access for interactive divs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3163
refactor(js): extract research status constants and predicate helpers by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3296
fix: show queue position on research progress page by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3283
fix: wire RetryManager into download_as_text with exponential backoff by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3285
feat: add LangGraph autonomous agent research strategy by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3313
fix: add status_code to DownloadResult and fix failure classifier patterns by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3286
fix(a11y): improve text contrast on all light themes for WCAG AA by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3322

🐛 Bug Fixes

fix(web): add missing Flask error handlers for 401, 413, and WebAPIException by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3223
fix: add ldr- prefix to badge classes and global badge CSS by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3193
fix: remove silent exception bugs in search strategies by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3190
fix(a11y): increase sidebar nav touch targets to meet WCAG 2.1 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3265
chore(hooks): add layer-import boundary enforcement hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3219
fix(api): make GET /settings/api/ consistent with list endpoint by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3264
fix(css): resolve regressions from inline CSS extraction by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3267
fix(a11y): improve form validation accessibility in auth pages by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3162
fix: use .content instead of .text() on LangChain model responses in journal filter by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3118
fix: copy scheduled_jobs set before iteration in cleanup to prevent RuntimeError by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3121
cleanup: remove dead Jinja macros from settings templates by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3179
fix: add missing interfaces and methods expected by tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3268
fix(tests): align journal reputation filter mocks with source code by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3269
fix: handle queued research response in frontend submission handler by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3282
fix: align socket event names so cancellation/error events reach frontend by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3281
fix: invalidate settings caches after any settings mutation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3297
fix: align 29 failing CI tests with strategy refactor and recent changes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3319
fix: resolve CI failures from show_all_strategies feature merge by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3321
fix: light theme contrast, nav link a11y, and missed strategy test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3324
fix(a11y): use line-height to enforce 24px nav link target size by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3325
fix(docker): copy Vite dist into ldr-test so a11y tests get layout CSS by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3326
fix(ci): copy Vite dist into ldr-test and fix stale strategy assertion by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3327

⚡ Performance Improvements

perf: batch domain breakdown queries in get_research_list_with_stats by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3292

🗄️ Database Changes

docs: clarify that utcnow() parentheses are required in Column defaults by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3244

📚 Documentation

docs: add ADR-0002 documenting pre-commit hook review decisions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3251

🔧 CI/CD & Maintenance

fix(config): sync ruff version between pre-commit and pyproject.toml by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3221
chore(tests): set initial coverage fail_under threshold to 50% by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3258

⬆️ Dependencies

fix: relax requests>=2.33 to >=2.32 for arxiv compatibility by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3271

🧹 Code Quality & Refactoring

refactor: delete dead main.js and detail.js (-1,027 lines) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3185
refactor: extract inline CSS from 20 templates into dedicated CSS files (~5,800 lines) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3248
refactor: cleanup remaining verified dead code across 5 areas by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3263
refactor: delete dead encryption_check.py and orphaned sanitizer.js by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3153
refactor: extract _validate_document_ids() to deduplicate bulk delete validation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3136
refactor: unify search strategy definitions into single source of truth by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3298
refactor: improve _ValidationError exception hierarchy by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3318

🧪 Tests

test: add tests for retry backoff schedule by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3314

🔄 Branch Syncs & Automation

feat: add show_all_strategies setting to toggle advanced strategies by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3315

Other Changes

refactor: remove 3 dead web service methods by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3189
docs: ADR-0003 reject universal raise-without-from enforcement by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3266
a11y: add aria-hidden to all decorative icons by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3154
fix(a11y): add aria-label to icon-only buttons by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3155
a11y: add proper ARIA roles to notification patterns by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3161
fix(fetcher): add context manager to ContentFetcher for cleanup by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3199
chore: bump minor version to 1.5.0 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3071
fix(a11y): improve light theme contrast and enforce nav link min-height by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3323

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.4.0...v1.5.0

View release on GitHub

v1.4.0 Breaking risk 2mo

Security fixes

dep: CVE-2026-33154 — upgrade dynaconf from 3.2.12 to 3.2.13
dep: CVE-2026-25645 — bump requests to >=2.33
CVE-2026-4539

Notable features

Automatic database backup system (full DB snapshot) added
Semantic search for library and history items
ReAct Agent feature

Full changelog

Core Features Added

Important: Added Backup System will double your hard drive consumption due to saving the complete database as backup. This can be significant if you have multiple PDFs stored in your database.

ReAct Agent
Semantic Search for Library and History-Items
Database Backup
Alembic Migrations

What's Changed

🔒 Security Updates

test(security): add whitelist/config consistency tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2848
fix: harden prefix boundary in module path normalization by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2847
fix: SearchTracker singleton removal — test fixes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2836
fix: remove dead _request_storage code from storage factory by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2864
fix: upgrade dynaconf 3.2.12 → 3.2.13 (CVE-2026-33154) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2878
fix: remove rate limit tracker singleton to prevent multi-user state leakage by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2863
fix(security): targeted hardening — cache, stale creds, TTL, unsafe logging by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2850
test: add 92 coverage tests for data_sanitizer and log_sanitizer by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2891
fix: targeted security hardening — credential exposure vectors by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2886
fix: add per-user isolation to search cache keys by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2866
fix: prevent research failure when encrypted DB password lost after restart by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2816
fix: suppress DevSkim false positives in test files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2947
remove: dedicated vLLM provider (use openai_endpoint instead) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2949
refactor: move engine module paths from settings DB to hardcoded registry by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2843
fix: migrate NewsScheduler password storage to CredentialStoreBase by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2868
ci: replace bandit || true with --exit-zero and crash detection by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2951
ci: propagate image pinning validation failures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2952
ci: add crash detection to semgrep scans by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2950
fix: make SSRF test mocks compatible with Python 3.14 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2955
fix: remove PYTEST_CURRENT_TEST bypass from SSRF validate_url() by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2956
fix: replace raw console.* calls with SafeLogger in JS components by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2941
ci: add pre-commit hook to detect raw console.* calls in JavaScript by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2963
ci: add timeout-minutes to security scan workflows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2916
feat: alembic by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2348
security: replace insecure Trivy install in SBOM generation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2915
docs: add Privacy & Data section to README by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2973
ci: remove OSSAR scan from release gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2911
refactor: consolidate HTTP rate limiting into single Flask-Limiter instance by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2968
fix: add missing list_reports() method to storage classes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2912
fix: increase MAX_RESPONSE_SIZE from 10MB to 500MB by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2997
fix: suppress nltk grype alerts (transitive dep, no fix available) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3004
ci: add license scanning to release gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2930
fix(security): replace innerHTML with DOM APIs to resolve XSS alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3037
fix(security): add bearer:disable comment and remove dead fallback by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3042
fix(ci): stop PDM update bot from loosening CVE-pinned constraints by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3046
fix(security): suppress glibc DNS spec-violation CVEs in Grype by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3053
fix(security): suppress DevSkim false positives in test fixtures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3054
fix(security): suppress gitleaks false positives on db_password variable by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3055
fix(security): suppress unfixable ncurses and Python CVEs in scanner configs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3056
fix(ci): ignore CVE-2026-4539 (pygments ReDoS) in pip-audit by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3057
test: add coverage for security_headers, server_config, web exceptions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3051
fix(ci): prevent template injection in publish workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3062
fix(security): suppress new Grype alerts for unfixable CVEs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3064
ci: pin pip-audit to tagged release v1.1.0 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2927
security: enable strict mode for Bearer, Grype, and Dockle scanners by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2933
feat: add automatic database backup system by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3006
fix(deps): bump requests to >=2.33 for CVE-2026-25645 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3072
fix(ci): use PDM-exported requirements for pip-audit by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3077
security: fix SARIF upload guards and alert check timing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2921
fix(ci): remove pip-audit in favor of OSV-Scanner by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3087
fix: harden code flagged by security scanners by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3109
fix(security): override brace-expansion to v2 in accessibility tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3226
fix(security): override serialize-javascript to >=7.0.5 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3235
fix(security): centralize filename sanitization in security module by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3236
fix: add pre-commit checks for exception var leaks and exc_info in logs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3240
fix(security): escape user-controlled values in innerHTML across 4 templates by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3208

💥 Breaking Changes

test: add 14 coverage tests for history_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2839
fix: eliminate database-is-locked SQLCipher errors by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2852
test: add 88 coverage tests across 6 files (round 4) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2907
refactor: remove fallback LLM (FakeListChatModel) from all providers by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2717
fix: clear all user sessions on password change + visible deprecation warning by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2890
fix: make mypy a blocking CI check with type error fixes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2910
refactor: consolidate LLM provider boilerplate wrapper functions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2905
fix: skip middleware for health check endpoint by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3032
test: increase coverage for MCP validators, route_registry, password_utils, settings_utils by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3049
fix: harden scanner-flagged code and repair 15 pre-existing test failures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3110
fix(db): add pool_recycle=3600 to prevent stale connections by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3165
fix(db): reduce pool_recycle from 8h to 4h for better memory hygiene by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3171
fix(db): add dead-thread sweep to connection cleanup scheduler by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3166
refactor(db): centralize pool_pre_ping and pool_recycle constants by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3209
fix: add logging to silent except blocks across codebase by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3195

✨ New Features

feat: Add 5 new free search adapters by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1540
feat: add semantic search over research history by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1475
Tests/increase coverage high value by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2991
feat: add semantic search to library and collection details pages by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2981
Tests/increase coverage round5 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2994
feat: add semantic search to news page by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2995
fix: log current alembic revision at INFO level by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3002
fix: remove || true from LLM example tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2913
fix(ui): fix [object Object] error logging and CI test stability by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2744
fix: fetch actual book text in Gutenberg search engine by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3045
feat: add backup status UI to settings page and research warnings by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3075
fix: add logging to silent exception handlers in settings by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3191
fix: remove FakeListLLM fallback, log silent exceptions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3194

🐛 Bug Fixes

fix(tests): make flaky search favorites tests deterministic by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2867
fix: settings interactions tab navigation CI flake by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2872
fix: search favorites workflow tests flaky in CI with xdist by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2873
fix: infer ui_element from value type in set_setting for new and existing keys by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2858
fix: replace hardcoded setTimeout waits with event-driven waits in 5 flaky UI tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2884
fix(ui): use bulk API for help_dismissed settings to avoid 404s by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2759
fix(tests): reduce KDF iterations in auth route tests for CI by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2908
fix: thread-safe rate limiting and silent exception logging by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2946
fix: bypass ensureAuthenticated for post-401 re-auth in error handling test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2888
refactor: extract APIBasedSearchEngine base class by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2906
fix: hardcoded test override, mutable defaults, pdm.lock sync by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2945
fix: prevent max_tokens NameError, propagate Ollama ValueError, fix hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2917
fix: resolve 50 pre-existing test failures on main by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2971
refactor: extract helpers from start_research() god function by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2936
fix: resolve 15 CI test failures from recent refactors by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2992
fix: semantic search follow-up fixes from final review by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3001
fix: improve semantic snippet contrast on light/sepia themes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2999
fix: update tests for list_reports ABC, auto-discovered providers, and collection_type by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3013
fix: use correct URLBuilder.historyLogCount method in logpanel.js by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3015
fix: use global socket manager instead of creating duplicate connection by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2925
fix: make API rate limit tests resilient to xdist test pollution by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3022
fix: close leaked DB sessions that exhaust file descriptors by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3018
fix(tests): use reliable search term in Gutenberg language filter test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3043
fix(ci): add SARIF fallback to semgrep workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3058
fix(tests): fix 3 flaky tests from CI on main by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3052
fix: correct get_setting_from_snapshot argument order in collection search by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3050
fix: shared engine filtering prevents MCP strategy from trying unconfigured engines by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3065
fix(ui): display synthesis and other missing phases in agent reasoning panel by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3066
fix: log and return uncertain score on LLM constraint scoring failure by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2944
fix: harden scanner-flagged code, repair 17 test failures, skip flaky integration tests in CI by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3111
fix: add ldr- prefix to 61 CSS classes in library page by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3079
fix: add ldr- prefix to violations in download_manager and benchmark by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3105
fix: add ldr- prefix to innerHTML classes in ui.js by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3106
fix: add ldr- prefix to innerHTML classes in news.js by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3107
fix: use select() instead of raw Subquery in notin_() by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3076
fix: make settings type-conversion tests find keys dynamically by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3116
fix: add ldr- prefix to violations across metrics, detail, news, pdf, and expand hook allowed list by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3119
fix: add ldr- prefix to pdf.js inline CSS and fix alert-error bug by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3123
fix: revert settings type-conversion tests to use known seeded keys by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3170
fix(ui): ensure 44px mobile touch targets on Library page by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3114
fix: replace 19 undefined CSS variables with canonical theme equivalents by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3196
fix: add semantic CSS variables and fix theme-breaking bugs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3234
fix: correct import paths and add debug logging for provider availability checks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3192
fix(db): add busy_timeout and temp_store PRAGMAs to auth database by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3210
fix(tests): dispose SQLAlchemy engines in deletion test fixtures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3203
fix(tests): dispose SQLAlchemy engines in test_database_init.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3242
fix(web): add missing exception logging in history routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3228
fix: prevent duplicate event listeners in settings.js by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3180

⚡ Performance Improvements

ci: add scoped GHA cache to security scan Docker builds by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2914

🗄️ Database Changes

fix(tests): dispose SQLAlchemy engines in database model test fixtures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3204

📚 Documentation

fix: correct misleading docstring in test_session_context_coverage.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2874
docs: move detailed install instructions from README to dedicated pages by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2819
docs: link Docker Compose Guide from README Quick Start by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2899
ci: document PAT_TOKEN scope requirements in release workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2928
docs: explain why security scanners build Docker images independently by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2974
ci: document ci-gate and e2e-test-gate permission rationale by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2926

🔧 CI/CD & Maintenance

🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2851
fix: resolve CI test failures in SSRF and auth tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2960
Tests/increase coverage round4 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2993
chore(deps): bump docker/metadata-action from 5.10.0 to 6.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2988
chore(deps): bump anchore/sbom-action from 0.23.1 to 0.24.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2986
fix: remove empty artifact upload from infrastructure tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2924
chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2984
fix(ci): use 'plain' format for pip-licenses 5.x compatibility by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3061
chore(deps): bump actions/cache from 5.0.3 to 5.0.4 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2987
cleanup: remove dead CSS rules from settings.css by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3178
🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3074
fix(ci): add .yamllint.yaml to file whitelist by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3239
fix(tests): skip flaky sentence splitter tests in CI by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3241
chore(hooks): add yamllint for YAML style enforcement by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3233

⬆️ Dependencies

chore(deps-dev): bump flatted from 3.4.1 to 3.4.2 in /tests/puppeteer in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2853
chore(deps-dev): bump puppeteer from 24.39.1 to 24.40.0 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2880
chore(deps): bump puppeteer from 24.39.1 to 24.40.0 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2881
chore(deps): bump python from 584e89d to fb83750 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2879
chore(deps): bump puppeteer from 24.39.1 to 24.40.0 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2882
chore(deps): bump puppeteer from 24.39.1 to 24.40.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2883
chore(deps-dev): bump eslint from 10.0.3 to 10.1.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2982
chore(deps): bump marked from 17.0.4 to 17.0.5 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2983
chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2 in /tests/infrastructure_tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3070
chore(deps-dev): bump picomatch from 4.0.3 to 4.0.4 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3069
chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 in /tests/puppeteer in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3113
chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 in /tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3112
chore(deps): bump path-to-regexp from 0.1.12 to 0.1.13 in /tests/accessibility_tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/3237

🧹 Code Quality & Refactoring

refactor: extract shared exporter logic into BaseExporter by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2896
fix: remove dead vLLM tests and add new search engine snapshot divergences by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2962
refactor: extract constants for hardcoded default URLs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2934
refactor: deduplicate days_map period calculation in metrics_routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2940
refactor: extract SnapshotSettingsContext to settings/manager.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2939
fix: remove 12 cleaned modules from mypy override list by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2967
refactor: extract @with_user_session decorator to eliminate db session boilerplate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2903
refactor: add create_llm to BaseLLMProvider interface by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3003
refactor: consolidate delete_manager.js fetch utilities by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2935
refactor: delete 5 empty package stubs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3206

🧪 Tests

test: add 11 coverage tests for history_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2838
test: add 20 coverage tests for api_routes.py error paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2840
test: add 31 extra coverage tests for news/flask_api.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2837
test: add 15 coverage tests for upload_to_collection and get_collection_documents by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2855
test: add 18 coverage tests for settings_routes validation and save paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2856
test: add 32 coverage tests for library_routes and research_service by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2861
test: branch-coverage for evaluator.py and cross_constraint_manager.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2857
test: add 12 coverage tests for start_research route by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2862
test: coverage for TokenCountingCallback LLM paths and LibraryRAGService index methods by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2860
test: add 15 coverage tests for scheduler/folder/history endpoints in news/flask_api.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2865
test: add 60 coverage tests for history_routes and context_overflow_api by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2877
test: add ~248 coverage tests across 15 files (rounds 1-10) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2871
test: add 57 extra coverage tests across 5 files (round 2) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2885
test: expand coverage tests to 120 across 5 files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2887
test: add 110 coverage tests for error_reporter and resource_utils by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2893
test: add ~354 coverage tests across 5 new files (round 3) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2900
test: add 64 coverage tests for sources service and notifications (round 5) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2909
test: add 33 settings manager tests + fix broken import (round 7) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2948
test: add 86 coverage gap tests across 6 critical modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2957
test: add 62 coverage tests for LLM config, socket service, notifications (round 6) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2938
test: rewrite json_utils + type_utils coverage (112 tests) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2892
test: add comprehensive coverage for url_utils and thread_context by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2895
style: fix black formatting in test_auth_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2959
test: add branch-coverage tests for search_engine_factory and llm_config by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2954
test: add tests for auto_convert_research and rag_service_factory by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2975
test: add 102 high-value tests targeting coverage gaps by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2979
test: add 42 high-value tests targeting coverage gaps (round 4) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2990
test: add targeted coverage gap tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3014
test: add coverage tests for meta_search, library engine, and evaluator by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3016
test: add high-value coverage tests for rag_routes and settings_routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3017
test: add coverage for exception/edge-case branches by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3031

🐍 Python Changes

style: standardize SnapshotSettingsContext imports to relative by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2969
fix: explicit allow_none and path-specific hook skips by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3028

🎨 Frontend Changes

fix: replace hardcoded API URLs with URLS/URLBuilder constants by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2942
cleanup: remove dead checkForCompletedNewsSearches code by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2943

🚧 Review & Blocked Items

fix: annotate silent except-pass patterns to prevent hidden bugs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2964

Other Changes

docs: polish installation docs after migration by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2889
test: add settings type-safety tests to prevent fact-checking-style bugs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2796
feat: make cross-engine filter max_context_items configurable by @ashenrelay in https://github.com/LearningCircuit/local-deep-research/pull/3021
ci: add post-publish verification for PyPI by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2931
test: increase coverage for security_settings, llm_utils, base_card, bytes_loader by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3041
fix(ci): add setuptools dep for semgrep on Python 3.12 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3060
fix(ci): pin setuptools<82 for semgrep pkg_resources compatibility by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3063
feat: give MCP agent control over sub-research iterations and search engine by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3067
chore: bump minor version to 1.4.0 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2714
fix: handle None input in metrics domain extraction by @sztoplover-bit in https://github.com/LearningCircuit/local-deep-research/pull/3025
fix(auth): use valid dashboard route on change password page by @sztoplover-bit in https://github.com/LearningCircuit/local-deep-research/pull/3024
fix(ci): remove pip-audit in favor of OSV-Scanner by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/3108

New Contributors

@ashenrelay made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3021
@sztoplover-bit made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/3025

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.60...v1.4.0

View release on GitHub

v1.3.60 Security relevant 2mo

Security fixes

upgrade pyjwt to 2.12.1 (GHSA-752w-5fwx-jx9f)
bump pypdf 6.8.0 → 6.9.1 (CVE-2026-33123)
resolve yauzl vulnerability blocking release gate

Full changelog

What's Changed

🔒 Security Updates

fix(ci): resolve yauzl vulnerability blocking release gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2711
fix(security): resolve yauzl vulnerability in all test lockfiles by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2713
fix(security): suppress CVE-2026-4105 in grype scan by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2718
fix(security): suppress CVE-2026-4105 in Grype scan by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2719
fix(security): upgrade pyjwt to 2.12.1 (GHSA-752w-5fwx-jx9f) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2720
fix(security): suppress CVE-2025-13462, CVE-2026-2673 in Grype scan by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2722
fix(security): resolve CVE-2026-2219, yauzl and tmp vulnerabilities by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2748
feat: detect bare .close() in finally/except blocks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2765
fix: suppress 5 false-positive security scan alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2822
fix: normalize absolute module paths in security whitelist by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2823
fix: bump step-security/harden-runner v2.15.1 → v2.16.0 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2827
fix: add environment declarations to jobs referencing secrets by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2828
fix: suppress 2 unfixable Python 3.14.3 CVEs in Grype scan by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2833
fix: bump pypdf 6.8.0 → 6.9.1 (CVE-2026-33123) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2834
fix: normalize full_search_module paths and remove dead serpapi references by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2826
chore(deps): bump socket.io-parser from 4.2.5 to 4.2.6 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2835

✨ New Features

fix: add expandvars() to 4 expanduser().resolve() locations by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2681
feat: add ARIA attributes for accessibility improvements by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1989
test: add 79 pure-logic tests for untested strategy methods by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2721
test: add 292 tests to improve coverage for 6 low-coverage modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2730
test: comprehensive coverage for news/core/storage.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2736
tests: add comprehensive pytest coverage for web/api.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2737
test: add comprehensive coverage tests for rate_limiting/tracker.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2738
test: add ~2000 coverage tests across 27 modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2741
feat: add safe_close() utility for visible cleanup failures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2749
test: add 72 coverage tests for benchmark_service.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2750
test: add 97 coverage tests for settings_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2753
test: add 47 coverage tests for search_engine_arxiv.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2754
test: add 11 coverage tests for search_engine_serper.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2767
test: add 17 edge-case tests for loader_registry.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2774
test: add 64 coverage tests for news/flask_api.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2790
fix: rename 'Custom OpenAI Endpoint' to 'OpenAI-Compatible Endpoint' by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2818
docs: pip install now works natively on Windows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2766

🐛 Bug Fixes

fix: close leaked file descriptors causing 'Too many open files' by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2708
fix: close remaining LLM and Elasticsearch FD leaks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2712
fix(tests): reduce auth timeouts to prevent flaky UI test failures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2733
fix(ci): use pdm run python in e2e-research-test workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2742
refactor: add close() to LLM wrappers, fix 3 remaining FD leaks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2732
fix(ci): resolve flaky invalidDocumentIdHandled UI test timeout by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2731
fix(tests): remove references to deleted close_llm function by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2760
fix: debug logging now visible on stderr when LDR_APP_DEBUG=true by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2761
fix: fact-checking setting toggle was broken (ui_element text→checkbox) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2763
test: add 17 coverage tests for semantic_scholar.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2776
fix: increase E2E test timeouts to prevent CI flakes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2800
fix(ci): remove networkidle waits causing accessibility tests timeout by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2764

🔧 CI/CD & Maintenance

cleanup: remove unused _execute_parallel_searches_with_progress method by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2701
🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2706
fix: remove fallbacks and fix real bugs in UI tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2814
ci: skip UI tests in release pipeline by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2821
chore(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2805
chore(deps): bump anchore/sbom-action from 0.23.0 to 0.23.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2808
chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2806
chore(deps): bump github/codeql-action from 4.31.11 to 4.32.6 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2807
chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2804

⬆️ Dependencies

chore(deps): bump jspdf from 4.2.0 to 4.2.1 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2824
chore(deps): bump python from 6a27522 to 35f442c by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2820
chore(deps): bump python from 35f442c to 584e89d by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2829

🧪 Tests

tests: comprehensive coverage for DirectPDFDownloader by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2734
test: comprehensive OpenAlexDownloader coverage tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2735
tests: comprehensive coverage tests for library_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2739
test: add 32 coverage tests for benchmarks/metrics/calculation.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2740
test: add 62 coverage tests for benchmark_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2751
test: add 102 coverage tests for rag_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2752
test: add 29 coverage tests for document_deletion.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2755
test: add 34 coverage tests for benchmarks/runners.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2757
test: add 72 coverage tests for scheduler.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2758
test: add 17 coverage tests for search_engine_searxng.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2768
test: add 14 coverage tests for resource_monitor.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2771
test: add 23 coverage tests for search_engine_google_pse.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2772
test: add 14 coverage tests for search_cache.py exception paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2773
test: add 25 coverage tests for arxiv downloader by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2775
test: add 13 coverage tests for utilities/llm_utils.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2777
test: add 24 coverage tests for llm_config.py missing paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2778
test: add 30 coverage tests for delete_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2779
test: add 19 coverage tests for search_tracker.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2780
test: add 10 coverage tests for thread_context.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2782
test: add 48 coverage tests for pricing_fetcher.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2783
test: add 48 coverage tests for search_engine_pubmed.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2784
test: add 22 coverage tests for diversity_explorer.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2785
test: add 13 coverage tests for simpleqa evaluator by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2786
test: add 26 coverage tests for findings/repository.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2787
test: add 25 coverage tests for metrics/token_counter.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2788
test: add 28 deep coverage tests for library_routes.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2791
test: add 28 coverage tests for rate_limiting/tracker.py DB paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2792
test: add 23 coverage tests for search_engine_google_pse.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2794
test: add 46 coverage tests for library_rag_service.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2793
test: add 16 coverage tests for benchmark_functions.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2781
fix: timing attack test flaky due to xdist mock pollution by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2798

🐍 Python Changes

fix: wrap bare .close() in finally blocks with safe_close() by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2756
fix: warn when safe_close() receives resource without close() by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2795

Other Changes

chore: bump patch version to 1.3.60 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2709
test: add 49 coverage tests for search_engine_github.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2770

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.59...v1.3.60

View release on GitHub

v1.3.59 Breaking risk 2mo

Security fixes

Suppress CVE-2026-2297 until Python 3.14.4
CVE-2026-31826

Full changelog

What's Changed

🔒 Security Updates

security: gate global scheduler control behind setting by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2035
security: scope scheduler GET endpoints to current user and harden decorator by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2551
security: bump step-security/harden-runner to v2.14.2 in mcp-tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2561
security: fix scheduler endpoint scoping issues (follow-up to #2551) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2559
test: add 132 high-value tests across 10 under-tested modules (round 5) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2569
fix: handle auth errors in SSE generators and download routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2564
fix: add retry logic for pip-audit OSV failures and guard Trivy SARIF uploads by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2518
feat: add shared helper methods to BaseSearchEngine by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2272
fix: enforce API authentication and narrow CSRF exemptions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1957
security: fix multiple authentication and redirect vulnerabilities by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2168
test: add end-to-end CSRF flow test for browser-facing API endpoints by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2585
fix: remove CORS wildcard, restrict CSP connect-src, use logger by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1960
fix: remove unused Chrome from production Docker image (10 CVEs) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2583
security: validate redirect targets in SSRF-protected HTTP requests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1949
refactor: eliminate server_config.json — env-var-only server settings by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2505
docs: add explanatory comments for SSRF security patterns by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2607
feat: auto-close idle database connections on session expiry by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2592
security: add path traversal protection for file reads by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1890
feat: move security hardening to security/ module by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2594
test: add 55 high-value tests for LibraryService (round 14) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2623
fix: security hardening follow-up improvements by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2625
fix: handle multiple Content-Length values in SSRF size check by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2621
fix: normalize auth log messages and minor cleanups in library_routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2617
refactor: path traversal protection cleanup — sentinel constants, symlink checks, bug fixes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2615
fix: extend log sanitizer for Unicode format chars + change-password tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2641
fix: remove vacuous is_intermediate_redirect guard in SafeSession.send() by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2643
fix: suppress CVE-2026-2297 until Python 3.14.4 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2647
security: enforce body-size limit for chunked/missing Content-Length by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2644
test: add 42 security-focused tests for safe_requests and settings validation (round 15) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2645
fix: sentinel guard in download_service & .exists() → .is_file() by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2646
fix: canonicalize library root paths with .resolve() by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2648
fix: remove early-return guard in _install_body_guard for invalid Content-Length by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2654
fix: align stale tests with current safe_requests and warning_checks behavior by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2659
fix: make PasswordValidator single source of truth for password rules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2664
fix: escape label in agent thinking panel to prevent XSS by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2670
fix: increase UI test timeout, fix Playwright password, add registration debugging by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2676
fix: update password strength algorithm and fix 3 CI test failures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2687
fix: bump pypdf 6.7.5 → 6.8.0 for CVE-2026-31826 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2688

💥 Breaking Changes

fix: skip user_exists query on failed validation and init auth DB in rate limit tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2543
refactor: thread-safe accessors for global state by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2402
fix: prevent file descriptor exhaustion (too many open files) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2591
fix: eliminate DB connection leaks via context manager improvements by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2595
improve: connection cleanup observability & test coverage by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2608

✨ New Features

test: add 169 high-value edge case tests across 8 under-tested modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2534
test: add 253 high-value tests across 10 under-tested modules (round 4) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2541
feat: re-merge MCP server feature (originally PR #1366) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2263
test: add 185 high-value tests across 7 modules (round 5) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2547
test: add 220 high-value tests across 8 modules (round 6) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2560
feat: implement Reddit feedback improvements by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1909
test: add 38 high-value pure logic tests for IterativeRefinementStrategy by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2568
docs: add comprehensive MCP server documentation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2546
test: add 53 high-value tests for EvidenceRequirements by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2576
fix: prevent SSRF errors for library document URLs in scheduler by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2548
fix: improve settings descriptions — fix wrong values, mark deprecated, clarify behavior by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2176
feat: add inline form validation utility with ARIA support by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1985
perf: fix N+1 queries and add bounded caches by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2031
test: add 323 high-value tests across 10 modules (round 9) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2581
feat: add LDR_STATIC_MODEL variable for static label research by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2596
test: add 72 high-value tests across 5 modules (round 11) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2597
docs: thread lifecycle, FD budget, and resource exhaustion by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2605
test: add 53 high-value tests across 3 modules (round 12) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2600
fix: remove hardcoded TV-domain terms from _validate_search_results by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2598
test: add 59 high-value tests across 3 modules (round 13) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2619
fix: soften server_config.json warnings & fix test quality by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2613
fix: minor robustness improvements from PR #2595 review by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2618
improve: route APScheduler logs through loguru by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2624
fix: only show server_config.json warning when file has non-default values by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2655
test: add ~35 integration-style tests for error handlers, teardown, socket concurrency, and middleware (round 17) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2661
fix: address review issues in Exa search engine (#2075) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2660

🐛 Bug Fixes

fix: add mcp strategy to search_strategy options by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2550
fix: remove redundant thread_db metrics path causing ValueError by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2558
fix(ui): remove scheduler start button that returns 403 by default by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2544
fix: clean up thread-local DB engines in search strategy worker threads by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2502
test: add 670 high-value tests across 19 modules (round 7) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2570
perf: batch DOM updates in log panel with DocumentFragment by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2588
fix: track failed text extractions by creating Document records by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2590
fix: remove playwright browser directory check from CI smoke test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2589
fix: update auth test mocks for auth_db_session rename by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2622
fix: followup improvements from PR #2618 review by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2626
fix: filter non-downloadable sources from Library by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2627
fix: handle SSE auth errors in library and download manager frontends by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2616
fix: refresh provider status after embedding provider or Ollama URL change by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2656
fix: complete ldr- CSS class prefix migration in settings.js by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2658
fix: add missing ldr- CSS class prefixes in subscriptions and news by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2663
fix: add missing CSRF token to research API start E2E test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2668
fix: align stale test assertions with current behavior by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2673
fix: add UnicodeDecodeError to _load_legacy_config exception handler by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2679
fix: remove duplicate api.js script tags and correct library test selectors by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2680
fix: skip sentence-splitter tests when HuggingFace Hub is unreachable by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2689
fix: resolve Safari mobile overflow in Settings and missing label in Research by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2697
fix(ci): speed up slow UI tests and fix DOMPurify race condition by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2694

⚡ Performance Improvements

fix(ci): move Register Full Flow test to end of suite by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2693

🗄️ Database Changes

fix: CASCADE→SET NULL, remove dead SQL views, centralise resource lookups by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2587
fix: stop linking FAILED documents to Library collection by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2640

📚 Documentation

docs: fix inaccurate credential sweep wording and inconsistent file paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2614
test: document auth mock design choices and add missing assertion by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2629
docs: add review-informed comments to InterceptHandler setup by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2632
fix: align CSRF token pattern in research API test with codebase conventions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2671

🔧 CI/CD & Maintenance

ci: disable automatic main-to-dev branch sync by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2539
fix: UI tests job timeout and cleanup by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2584
chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2635
chore(deps): bump docker/build-push-action from 6.19.2 to 7.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2636
chore(deps): bump anchore/sbom-action from 0.22.2 to 0.23.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2637
chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2638
chore(deps): bump actions/setup-python from 6.1.0 to 6.2.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2639

⬆️ Dependencies

chore(deps): bump puppeteer from 24.37.5 to 24.38.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2553
chore(deps): bump puppeteer from 24.37.5 to 24.38.0 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2554
chore(deps): bump puppeteer from 24.37.5 to 24.38.0 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2552
chore(deps-dev): bump puppeteer from 24.37.5 to 24.38.0 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2555
chore(deps): bump dompurify from 3.3.1 to 3.3.2 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2557
chore(deps-dev): bump eslint from 10.0.2 to 10.0.3 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2633
chore(deps): bump marked from 17.0.3 to 17.0.4 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2634
chore(deps-dev): bump jest from 30.2.0 to 30.3.0 in /tests/infrastructure_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2669
chore(deps): bump puppeteer from 24.38.0 to 24.39.0 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2683
chore(deps): bump puppeteer from 24.38.0 to 24.39.0 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2684
chore(deps-dev): bump puppeteer from 24.38.0 to 24.39.0 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2686
chore(deps): bump puppeteer from 24.38.0 to 24.39.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2685

🧹 Code Quality & Refactoring

fix: centralize boolean type conversion (improved #1372) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2563
test: rewrite constraint_analyzer high-value tests with 29 focused tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2579
fix: remove dead allow_redirects parameter from validate_url() by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2620
fix: remove hardcoded keyword matching from strategy files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2628
fix: remove no-op PROPERTY branch from difficulty classification by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2642
refactor: extract has_legacy_customizations() to reduce duplication by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2675
fix: complete path-hardening follow-ups from PRs #2646, #2648 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2672

🧪 Tests

test: add 165 high-value tests across 8 modules (round 3) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2536
fix: regenerate golden master settings after allow_api_control addition by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2556
test: add high-value pure logic tests for AdaptiveDecompositionStrategy by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2567
test: add 30 high-value pure logic tests for EvidenceEvaluator by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2575
test: add 27 high-value tests for benchmarks/datasets/utils by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2578
test: add 31 high-value tests for base_evidence module by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2577
test: add 51 high-value pure logic tests for EnhancedEvidenceBasedStrategy v2 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2572
test: add 30 high-value tests for base_constraint module by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2573
chore: use sentinel constants in tests & fix outdated docstring by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2650
test: add 40 tests for paths, multiselect parsing, domain extraction, and notifications (round 16) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2649
test: add 33 edge-case tests for sanitizer, queue middleware, settings parser, and exporters (round 18) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2667
test: add 53 tests for HTMLDownloader pure logic and globals.py gaps by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2677
test: add 236 pure-logic tests for advanced search strategies by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2703

🚧 Review & Blocked Items

fix: follow-up fixes from PR #2654 body-guard review by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2662

Other Changes

test: add 33 high-value edge case tests for optuna_optimizer by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2540
fix(mcp): add settings_snapshot support to all search engines by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2571
test: add 29 high-value tests for rate_limiting/tracker.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2580
fix: eliminate document content duplication for library resources by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2582
test: add 250 high-value tests across 8 modules (round 10) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2586
test: review-identified improvements for PR #2641 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2652
Fixes class names. by @MicahZoltu in https://github.com/LearningCircuit/local-deep-research/pull/2657
chore: bump patch version to 1.3.59 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2527
Feature: Add Exa.ai search engine implementation by @NimbleAINinja in https://github.com/LearningCircuit/local-deep-research/pull/2075
fix: address review findings in round 18 tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2678
fix: add missing ldr- CSS class prefixes across 8 JS files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2666
fix: E2E password validation alignment & missing CSRF token by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2674
fix: resolve Safari CI test failures from duplicate scripts and mobile overflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2682
fix: regenerate pdm.lock to fix primp wheel resolution for Python 3.14 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2692

New Contributors

@NimbleAINinja made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/2075

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.58...v1.3.59

View release on GitHub

v1.3.58 Breaking risk 3mo

Breaking changes

Removed deprecated settings-based local search engines

Security fixes

Suppress CVE-2026-28350 in lxml-html-clean (>=0.4.4)
Suppress CVE-2026-23865 (libfreetype6 OOB read) – unfixable
Bump pypdf >=6.7.5 to address GHSA-9m86-7pmv-2852

Full changelog

What's Changed

🔒 Security Updates

refactor(csrf): complete CSRF token deduplication across all JS files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2453
docs: add security transparency links to README by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2463
security: add Nuclei DAST scanner by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1975
security: harden session username access across all routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2268
fix: SSRF & debug mode security hardening by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1961
security: complete session username hardening for missed routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2478
chore: remove detect-secrets pre-commit hook (redundant with gitleaks) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2476
fix: improve 5 setting descriptions and widen tooltip by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2485
test: add 134 high-value tests across 4 modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2498
fix: remove local engine dead code and standardize null byte rejection by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2500
security: replace gosu with setpriv, suppress 8 unfixable CVEs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2501
chore: add .grype.yaml to suppress false positive and unfixable CVEs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2503
chore: suppress all remaining Grype alerts (140 CVEs) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2511
chore(deps): bump step-security/harden-runner from v2.14.0 to v2.14.2 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2522
ci: fix docker/build-push-action version pin in grype.yml by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2523
ci: pin trivy-version to v0.69.2 (security incident workaround) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2524
security: defense-in-depth for post-login redirect (CWE-601) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2521
chore(deps): bump lxml-html-clean >=0.4.4 (CVE-2026-28350) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2528
chore(security): suppress CVE-2026-23865 (libfreetype6 OOB read) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2531
security: fix GHSA-vxmw-7h4f-hqxh false positive for pypi-publish action by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2535

💥 Breaking Changes

refactor: remove deprecated settings-based local search engines by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2344
fix: clean up session management issues found during PR #2266 audit by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2471
fix: prevent server overload and white page under sustained load by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2326
fix: add cleanup_current_thread() to prevent file descriptor leaks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2495
fix: remove dead code and fix socket subscription cleanup from PR #2326 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2492
refactor: centralize thread cleanup into @thread_cleanup decorator by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2499

✨ New Features

feat: add module.exports guard to api.js + comprehensive CSRF tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2461
fix: remove max concurrent researches upper cap by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2409
ci: add pre-commit hook for golden master settings sync by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2468
docs: link Configuration Reference across docs & fix stale env var docs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2472
feat: add golden master regeneration script by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2475
test: add 131 tests for FocusedIteration, IterativeRefinement & LLM Registry by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2480
test: add 86 tests for RIS parsing, strategy logic, PubMed metadata by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2483
test: add 76 tests for news strategy, news questions, and xbench dataset by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2486
a11y: add ARIA alert roles + inline error for follow-up modal by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2484
test: add 111 tests for LLM rate limiting, topic validation, and card helpers by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2490
feat: add UI warnings for context-related issues by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2375
fix: add null checks for request.json across API routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2051
fix: report generator iteration override, progress, and cancellation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2400
fix: handle RateLimitError, filter unavailable providers, resolve cancel username by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2454

🐛 Bug Fixes

fix: helpful .gguf file listing swallowed by except ValueError by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2451
fix: resolve PendingRollbackError freezing web UI after database lock by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2266
fix(tests): prevent flaky TTL expiration tests from second-boundary race by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2465
fix: resolve WebKit Safari auth navigation test failures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2469
fix: correct env var names in search engine error messages by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2473
fix: broaden golden master hook to catch config/ changes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2488
fix: resolve pre-existing bugs in logpanel.js and socket.js by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2491
fix: add cleanup_current_thread() to remaining thread leak sources by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2496
refactor: extract calculate_warnings into web/warning_checks/ module by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2493
fix: set HOME=/home/ldruser in entrypoint before dropping to non-root by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2520
ci: fix trivy-action version pin (use 'version' not 'trivy-version') by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2525

📚 Documentation

fix: remove flaky Docker tests and Release Gate badges by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2462

🔧 CI/CD & Maintenance

fix(ci): nuclei-action inputs + bump serialize-javascript to 7.0.3 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2470
fix: remove deprecated local_collections mounts and resource limits from compose by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2494
chore(deps): bump actions/download-artifact from 4.3.0 to 8.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2506
chore(deps): bump EnricoMi/publish-unit-test-result-action from 2.22.0 to 2.23.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2507
chore(deps): bump anthropics/claude-code-action from 1.0.55 to 1.0.64 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2510
chore(deps): bump actions/setup-node from 4.4.0 to 6.2.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2508
fix: exclude deleted .secrets.baseline from gitleaks scan by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2514
fix: whitelist score_threshold to unblock vulture CI gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2519
chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2509

🧹 Code Quality & Refactoring

fix: update news input validation tests for @require_json_body decorator by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2497

🧪 Tests

test: add 1024 comprehensive tests across 12 new test files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2447
test: add unit tests for IntegratedReportGenerator init by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2441
test: add 51 tests for strategy helper pure logic methods by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2489
test: add 174 high-value edge case tests across 9 under-tested modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2533

Other Changes

fix(tests): prevent temp dir cleanup race with open SQLite connections by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2460
docs: document GitHub Security tab dismissals by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2464
feat: add cancellation checks to search strategy main loops by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2452
test: add 110 tests for quality stats, exporter registry, citation errors, and entity cache by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2481
test: rewrite test_search_system.py with fixture-based tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2437
security: suppress 14 unfixable CVEs in Grype scan by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2504
chore: bump patch version to 1.3.58 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2458
fix: pass settings_snapshot to CitationHandler in all strategy constructors by @sethu-108-ai in https://github.com/LearningCircuit/local-deep-research/pull/2517
security: bump pypdf >=6.7.5 (GHSA-9m86-7pmv-2852) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2529

New Contributors

@sethu-108-ai made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/2517

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.57...v1.3.58

View release on GitHub

v1.3.57 Security relevant 3mo

Security fixes

CVE-2025-14009 — upgrade nltk from 3.9.2 to 3.9.3
CVE-2026-27888 — bump pypdf from ~=6.7.1 to ~=6.7.3

Full changelog

What's Changed

🔒 Security Updates

test: add app_factory middleware unit tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2433
test: add extended tests for auth decorators module by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2431
fix(deps): bump nltk 3.9.2 → 3.9.3 (CVE-2025-14009) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2457

🐛 Bug Fixes

fix: resolve WebKit Safari auth navigation test failure by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2434

🔧 CI/CD & Maintenance

fix: increase pip-audit OSV API timeout to 120s by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2456

⬆️ Dependencies

chore(deps): bump basic-ftp from 5.1.0 to 5.2.0 in /tests/puppeteer in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2436
chore(deps): bump basic-ftp from 5.1.0 to 5.2.0 in /tests/ui_tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2438
chore(deps): bump basic-ftp from 5.1.0 to 5.2.0 in /tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2439
chore(deps-dev): bump rollup from 4.57.1 to 4.59.0 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2446
chore(deps): bump minimatch from 10.2.2 to 10.2.4 in /tests/puppeteer in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2448
chore(deps): bump minimatch from 10.2.2 to 10.2.4 in /tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2449
chore(deps-dev): bump minimatch from 10.2.2 to 10.2.4 in /tests/infrastructure_tests in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2450

🧪 Tests

test: add unit tests for research_service helper functions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2435
test: add session cleanup and rate limiter IP tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2432
test: add extended tests for UserQueueService and log_utils by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2427
test: comprehensive tests for search_system_factory by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2428
test: comprehensive tests for ThreadSafeMetricsWriter by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2429
test: add CitationHandler factory unit tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2430

Other Changes

test: comprehensive SessionManager tests with proper mocking by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2425
test: add globals and history routes extended tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2440
chore: bump patch version to 1.3.57 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2424
fix(deps): bump pypdf ~=6.7.1 → ~=6.7.3 to fix CVE-2026-27888 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2459

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.56...v1.3.57

View release on GitHub

v1.3.56 Bug fix 3mo

Fixed a race condition in emit_to_subscribers iteration.

Full changelog

What's Changed

✨ New Features

fix: reduce CI test output noise for easier failure diagnosis by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2423

🐛 Bug Fixes

test: fix disconnect tests to match correct subscription schema by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2416
fix: add missing search strategy options to validation list by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2411
fix: sources not accumulating across iterations in source-based strategy by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2412
fix: race condition in emit_to_subscribers iteration by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2415
fix: guard flask_session with has_request_context() to prevent background thread crash by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2410
fix: add missing search.question_context_limit default by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2422
fix: resolve Hadolint SC2015 warnings in Dockerfile by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2426
fix: add transaction rollback handling in queue service by @haosenwang1018 in https://github.com/LearningCircuit/local-deep-research/pull/2414
fix: clean up socket subscriptions on client disconnect by @haosenwang1018 in https://github.com/LearningCircuit/local-deep-research/pull/2413

⬆️ Dependencies

chore(deps): bump python from 486b809 to 9006fc6 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2419

🔄 Branch Syncs & Automation

Other Changes

chore: bump patch version to 1.3.56 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2417
docs: restore inline comments in SourceBasedSearchStrategy by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2418

New Contributors

@haosenwang1018 made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/2413

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.55...v1.3.56

View release on GitHub

v1.3.55 Bug fix 3mo

Fixed settings save crash when using plain-string options with encrypted DB access.

Full changelog

What's Changed

🔒 Security Updates

ci: fail security gate on open code scanning alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1913
fix: settings save crash on plain-string options + scheduler encrypted DB access by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2406

✨ New Features

Fix JS timer leaks, DOM growth, and mobile navigation cleanup by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1990
test: add 186 high-value tests across 10 files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2403

🐛 Bug Fixes

test: add 27 verified-unique edge-case tests (round 2) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2385
fix(tests): resolve 4 failing Mobile Safari Playwright tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2401
fix: use to_bool for checkbox env var conversion by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1879
fix(test): correct mock paths and providers in langchain LLM integration tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2399

⚡ Performance Improvements

fix: remove redundant setupProviderChangeListener() + dead code cleanup by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2404

⬆️ Dependencies

chore(deps-dev): bump eslint from 10.0.1 to 10.0.2 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2407

Other Changes

chore: bump patch version to 1.3.55 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2378

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.54...v1.3.55

View release on GitHub

v1.3.54 Breaking risk 3mo

Security fixes

GHSA-2g4f-4pwh-qvx6 — patch ajv ReDoS vulnerability
GHSA-3ppc-4f35-3m26 — patch minimatch ReDoS vulnerability
CVE-2025-14009

Notable features

Add defer attribute to all external script tags for performance
Introduce CI gate in release pipeline

Full changelog

What's Changed

🔒 Security Updates

fix: patch ajv ReDoS vulnerability (GHSA-2g4f-4pwh-qvx6) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2367
fix: SQLCipher mlock() warnings — default cipher_memory_security to OFF by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2355
perf: improve history page load performance on mobile by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2360
fix(ci): grant contents:write through release workflow chain by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2377
fix: remaining bug fixes from PR #1393 (xss-protection, deprecated imports) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2376
fix(ci): eliminate false positives in file-whitelist-check.sh by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2381
fix(docker): document security model, harden cookiecutter, add CI cap test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2384
chore(security): Document unfixable OS vulnerabilities in .trivyignore by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1467
fix(ci): ignore unfixed nltk CVE-2025-14009 in pip-audit by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2386
fix(security): patch minimatch ReDoS vulnerability (GHSA-3ppc-4f35-3m26) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2387

💥 Breaking Changes

fix(ci): resolve 31 pytest + 10 Playwright failures blocking release #1116 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2396

✨ New Features

perf: add defer to all external script tags by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2346
feat(ci): add CI gate to release pipeline by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2371
chore: add vulture dead code detection (non-blocking CI) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1986
fix(docker): add diagnostic error when gosu user-switch fails in LXC by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2373

🐛 Bug Fixes

fix: reject negative indices and deduplicate reindex in cross-engine filter by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2160
fix(docker): add SETUID/SETGID capabilities for gosu in LXC environments by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2372
fix: correct runtime bugs and CI failure masking (from #2039) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2118
fix: record search metrics before clearing search context by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2379
fix: Advanced Options panel defaults to open and renders all rows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2364
test: add 64 edge-case tests across 7 modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2383
fix(ci): resolve 9 remaining failures blocking Create Release #1118 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2397
fix(ci): fix variable scope issue in Dockle workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1919
fix(ci): remove stale CODEOWNERS entries and fix Puppeteer test bugs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2398

📚 Documentation

docs: add config docs generator script by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2134
docs(faq): add Proxmox LXC troubleshooting for Docker permission errors by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2382

🔧 CI/CD & Maintenance

fix(tests): remove toHaveScreenshot assertions causing Safari CI failures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2369
chore: remove PR-blocking config docs check by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2380
refactor: remove dead code from disabled file location endpoints by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1898
chore(deps): bump zizmorcore/zizmor-action from 0.4.1 to 0.5.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2391
chore(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2392
chore(deps): bump anchore/sbom-action from 0.22.1 to 0.22.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2393
chore(deps): bump anthropics/claude-code-action from 1.0.52 to 1.0.55 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2394
chore(deps): bump google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml from 2.3.2 to 2.3.3 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2390

⬆️ Dependencies

chore(deps-dev): bump eslint from 10.0.0 to 10.0.1 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2388
chore(deps): bump marked from 17.0.2 to 17.0.3 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2389

Other Changes

chore: bump patch version to 1.3.54 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2370

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.53...v1.3.54

View release on GitHub

v1.3.53 Security relevant 3mo

Security fixes

fix: escape untrusted data in innerHTML to prevent DOM-based XSS

Notable features

Added warning log when settings_snapshot is missing in meta-search
Tracked failure count for dataset processing

Full changelog

What's Changed

🔒 Security Updates

fix: escape untrusted data in innerHTML to prevent DOM-based XSS by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1951
fix: remove redundant String() wrapping and revert ||→?? in escapeHtml calls by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2347
fix(security): dismiss false-positive Bearer alerts #6916 and #6020 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2343
fix(docker): add capabilities for entrypoint chown in LXC environments by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2357
docs: document in-memory credential security model by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2359

✨ New Features

fix(meta-search): add warning log when settings_snapshot is missing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2342
fix: add failure count tracking to dataset processing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2064
test: add 162 unit tests covering untested functions and edge cases by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2345
docs: add development guide and expand SQLCipher troubleshooting by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2117
docs: emphasize atomic PRs and welcoming tone in contributing guide by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2352

🐛 Bug Fixes

test: add high-value tests for real functionality + fix infinite recursion bug by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2341
fix: use URLS config instead of hardcoded routes in mobile-navigation.js by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2351
fix: use text() wrapper for SQLAlchemy 2.0 session health check by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2353
fix: Advanced Options panel scrolling with CSS Grid by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2354
fix: misleading error messages in settings API endpoints by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2356
fix: upgrade flask-socketio to 5.6.1 for Flask 3.1.3 compatibility by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2361
fix: remove redundant xAI provider registration by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2362
fix(ci): handle missing SARIF file in Bearer scan workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2363

🧪 Tests

test: use explicit type assertion for text() wrapper check by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2358

Other Changes

chore: bump patch version to 1.3.53 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2328

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.52...v1.3.53

View release on GitHub

v1.3.52 Security relevant 3mo

Security fixes

Added input validation and rate limiting to news API endpoints
dep: Patched werkzeug, pypdf, flask security vulnerabilities

Notable features

Token usage analytics added for all providers

Full changelog

What's Changed

🔒 Security Updates

fix(security): resolve Bearer scanner false positives (#6916, #6739, #6020) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2316
fix: add research blueprint to CSRF exemptions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2325
fix: add input validation and rate limiting to news API endpoints by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2274
fix(ci): correct SHA/version comment mismatches in workflow action pins by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2334
fix(deps): patch werkzeug, pypdf, flask security vulnerabilities by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2336
feat: token usage analytics + fix context_limit tracking for all providers by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2314

✨ New Features

tests: edge case coverage for type conversion functions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2315
fix: guard against None settings and whitespace-only API keys by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2113
fix: settings form novalidate, queue limit, and Pydantic deprecation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2106
ci: gate release workflow behind version-change check + concurrency guard by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2337
feat(benchmark): add evaluator info and optional examples to YAML export by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2296

🐛 Bug Fixes

fix: prevent white page under load by fixing static file MIME types by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2323
fix: context leak in search_engine_base.run() + context manager wrappers by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2329
fix(ci): allow E2E gate to run on push events from release workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2331
fix: remove unimplemented /news/insights and /news/preferences routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2270
refactor: extract coerce_setting_for_write() helper + fix api_update_setting type coercion by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2332
fix(tests): correct E2E test URLs for subscriptions API and embeddings page by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2338
fix: add validation to api_update_setting and version logging at startup by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2339

⬆️ Dependencies

chore(deps): bump puppeteer from 24.37.4 to 24.37.5 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2317
chore(deps): bump puppeteer from 24.37.4 to 24.37.5 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2318

Other Changes

chore: bump patch version to 1.3.52 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2324
fix: regenerate stale golden master settings snapshot by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2335

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.51...v1.3.52

View release on GitHub

v1.3.51 Breaking risk 3mo

Breaking changes

Removed debug endpoints from the news system.
Removed redundant nested volume mount in Docker causing permission denied errors.

Security fixes

CVE-2026-26996 – patched minimatch ReDoS vulnerability
CVE-2026-26189 – upgraded trivy-action to v0.34.0

Full changelog

What's Changed

🔒 Security Updates

fix: remove debug endpoints from news system by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2294
fix: prevent context leaks in decorator, scheduler, and services by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2281
fix(deps): patch minimatch ReDoS vulnerability (CVE-2026-26996) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2312
fix(ci): upgrade trivy-action to v0.34.0 (CVE-2026-26189) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2322

💥 Breaking Changes

fix(docker): remove redundant nested volume mount causing permission denied by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2310

✨ New Features

feat: auto-save embedding settings with push notifications by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2291

🐛 Bug Fixes

fix: prevent context leaks in decorator and subscription scheduler by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2114

📚 Documentation

docs: update search iterations help text to suggest 10-20 for focused iteration by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2293

🔧 CI/CD & Maintenance

fix(ci): fix WebKit false positives and remove snapshot PNGs from repo by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2259

⬆️ Dependencies

chore(deps): bump puppeteer from 24.37.2 to 24.37.3 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2284
chore(deps): bump puppeteer from 24.37.3 to 24.37.4 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2305
chore(deps): bump puppeteer from 24.37.3 to 24.37.4 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2302
chore(deps-dev): bump puppeteer from 24.37.3 to 24.37.4 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2304
chore(deps): bump puppeteer from 24.37.3 to 24.37.4 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2303
chore(deps): bump jspdf from 4.1.0 to 4.2.0 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2309
chore(deps): bump puppeteer from 24.37.4 to 24.37.5 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2320
chore(deps-dev): bump puppeteer from 24.37.4 to 24.37.5 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2319

📊 Metrics & Analytics

benchmark: Add benchmark for qwen3-4b by @kwhyte7 in https://github.com/LearningCircuit/local-deep-research/pull/2301

Other Changes

chore(node): upgrade to Node.js 24 LTS by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2313
chore: bump patch version to 1.3.51 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2260

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.50...v1.3.51

View release on GitHub

v1.3.50 Mixed 3mo

Security fixes

CVE-2026-1703 – fixed by upgrading pip to version 26.0

Notable features

Authentication required for all news API endpoints

Full changelog

What's Changed

🔒 Security Updates

fix: upgrade pip to 26.0 to fix CVE-2026-1703 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1932
security: add authentication to all news API endpoints by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1941
security: remove sensitive data from log statements by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1947
security: add rate limiting to settings endpoints by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2021
test: add tests for security/module_whitelist.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2018
security: validate cipher_page_size and kdf_iterations PRAGMA params by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1948
Add login_required to scheduler endpoints by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1894
security: fix XSS in markdown rendering paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1945
fix: suppress DevSkim false positives for hash algorithm detection by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1930
test: add security module test coverage by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2005
fix: resolve 5 Bearer P0 SAST security alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1934
feat: add comprehensive Puppeteer E2E tests with CI workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1360
fix: validate query parameter type in quick_summary endpoint by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2049
security: fix command injection in cookiecutter GPU detection hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1946
test: add tests for Bearer P0 security fixes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2081
ci: run security file write check on all PRs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2090
fix: resolve zizmor security scanning alerts in CI workflows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2093
fix: replace weak hash algorithms in tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2094
Remove sensitive data from debug logs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1896
fix: SQLCipher key derivation & crypto security fixes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1953
fix: address security vulnerabilities in Pillow and cryptography by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2173
docs: fix SECURITY_SCORECARD.md inaccuracies and document alert #5688 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2175
security: make allow_registrations env-var-only by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2164
refactor: extract duplicated safeFetch into shared utility by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1998
fix: UX polish and XSS hardening for embedding provider dropdown by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2196
fix: suppress code scanning false positives and fix real security issues by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2098
ci: add pre-commit hook to detect double HTML escaping by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2198
fix(security): escape API data in details.js and ui.js to prevent XSS by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1865
fix: harden XSS escaping and add security comments for Bearer scanner alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2162
test: add 52 high-value tests for security, core logic, and persistence by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2209
fix(security): harden re-run research feature defensively by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2208
chore: audit and tighten check-env-vars hook exceptions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2212
security: add pagination bounds to unbounded database queries by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1956
security: Docker hardening and session/debug setting tightening by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1958
fix: eliminate blanket wildcards from file whitelist and block PNG snapshots by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2261
fix: changing default Remember Me Duration (Days) to 30 days as per industry standard by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2279
fix(ci): remove unnecessary pull-requests:write and fix inaccurate comment by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2265
chore: suppress false positive CodeQL url-redirection alert by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1915
fix: resolve 13 Bearer SAST alerts + 1 open redirect vulnerability by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2283

✨ New Features

Add mojeek search engine v2 by @kwhyte7 in https://github.com/LearningCircuit/local-deep-research/pull/2278
fix: fail validation for invalid model file extensions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1923
fix: replace bare except clauses in downloaders by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2008
fix: replace bare except clauses in search strategies by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2020
fix: replace bare except clauses in candidate exploration and evidence analyzer by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2022
fix: replace bare except clauses in web routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2013
fix(ci): remove preinstall npm audit hook that breaks CI builds by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1937
Fix CI/CD test paths: use absolute paths and fix news test directory by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1965
Add exporters with ODT support and dropdown UI by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1667
fix: replace bare except clauses in api, web routes, and classifier by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2027
fix: replace print() with loguru logger in library_views.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2048
fix(ci): add job timeout to Dockle workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1920
chore: strengthen type hints in advanced_search_system base classes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2065
test: fix incorrectly skipped tests and triage xfail by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2011
fix(ci): prevent auth-tests timeout in critical-ui-tests workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2084
a11y: add skip-to-content link for keyboard navigation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2026
feat: add fetch timeout with AbortController by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1994
ci: remove 3 redundant/broken workflows (round 2) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2087
fix: optimize N+1 queries and O(n²) searches by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2003
feat: add prefers-reduced-motion support for accessibility by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1993
ci: consolidate 6 UI test workflows into docker-tests.yml by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2086
fix: reduce noisy logging in Ollama provider discovery by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2107
ci: remove redundant metrics-analytics-tests workflow (round 4) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2097
test: reduce verbose console output in Puppeteer UI tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2137
fix: force reindex uses current default embedding model by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2158
feat: change default search config to 1x3 (better than 2x2) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2169
fix: harden env var pre-commit hook and fix remaining violations by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2166
chore: add pre-commit hook to catch absolute module paths by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2163
chore: add pre-commit hooks for test and doc coverage by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2167
ci: add pre-commit hooks for pdm.lock and version sync by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2116
fix: show all embedding providers in dropdown even when unreachable by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2157
fix: deduplicate chunk IDs before FAISS indexing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2182
fix: add null-coalescing defaults for chunk_size and chunk_overlap display by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2199
feat: add re-run button to research history items by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1779
docker: optimize build caching and eliminate expensive chown -R by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2132
fix: display newest logs at top of log panel by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1752
test: add 92 high-value tests across 5 untested modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2215
fix: improve embedding test UX - move to top and add LLM hint by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2269
fix: prevent knowledge_graph leakage and expand language map by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2275
fix: pass settings snapshot to embedding test endpoint by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2289
feat: filter Ollama embedding dropdown to only show embedding models by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2290

🐛 Bug Fixes

fix: change debug logging from warning to debug level by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2017
fix: replace bare except clauses in citation_formatter.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2016
fix: remove non-existent discovery stage methods from evidence_based_strategy_v2 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2007
fix(ci): correct Dockle suppressions for false positives by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1917
fix: resolve test naming conflicts and fix test timeouts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2033
fix: resolve ~40 pre-existing test failures in tests/web/ by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2073
fix(ci): correct news tests path from test_news to news by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2002
fix: repair pre-existing broken tests in news/test_news_api.py by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2078
fix: resolve all failing CI tests across 15 test files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2076
fix: validate query parameter type in quick_summary API by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2034
fix: remove dangerous body * overflow override in CSS by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1997
fix: datetime timezone comparison crash in subscription scheduler by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2104
fix: add checkfirst=True to auth DB init to prevent intermittent CI failures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2146
fix: warn when subscription has naive datetime, assuming UTC by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2152
fix: use relative module paths for engine configs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2156
fix: align CSS dropdown-active class names with JavaScript by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2096
fix: add missing SafeLogger script to auth pages by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2153
fix: sync package.json version with version.py and update auto-bump workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2172
fix: reduce noisy thread context warning to debug by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2181
fix: pass missing username to cleanup_research_resources by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2180
fix: add API poll after UI completion to fix E2E race condition by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2184
fix: check request context before accessing Flask session in SearchTracker by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2185
fix: add thread-safe locking to embedding model initialization by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2183
fix: resolve false error detection in E2E tests and settings import 500 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2192
fix: correct DOM selectors and add assertions in UI page tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2188
fix: correct SSRF test selectors, endpoints, and add real assertions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2197
docs: document ResearchStatus lifecycle and fix terminal-state bug by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2200
fix: remaining chunk dedup and ID consistency issues by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2201
fix: pass missing collection_id to load_or_create_faiss_index by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2204
fix: correct API endpoint URLs and navigation handling in Puppeteer E2E tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2221
fix: filter invalid columns when constructing Setting objects by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2271
fix(ci): use step output instead of hashFiles for SARIF detection by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1918
fix: thread context leak between research tasks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2105
fix(ci): remove concurrency block that cancels security-headers in release gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2286
ci: fix release skipped when advisory test-gate jobs fail by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2287

📚 Documentation

fix: correct README badge URLs for gitleaks and all-tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2050
docs: fix incorrect pre-commit tool names in CONTRIBUTING.md by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2111
docs: clarify SQLCipher is optional for pip users by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2151
fix: remove provider region/location metadata and GDPR badge by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2288

🔧 CI/CD & Maintenance

chore: remove unused .flake8 and .isort.cfg config files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1972
🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2024
fix: remove 152 stub tests that inflate CI test counts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2041
ci: remove mcp-tests.yml and owasp-zap-full-scan.yml (round 5) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2108
chore(deps): bump anthropics/claude-code-action from 1.0.34 to 1.0.46 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2129
chore(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2130
chore(deps): bump actions/checkout from 6.0.0 to 6.0.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2128
chore(deps): bump docker/login-action from 3.6.0 to 3.7.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2127
chore(deps): bump step-security/harden-runner from 2.14.1 to 2.14.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2126
🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2161
🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2170
chore: add elpikola as limited code owner by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2190
fix: eliminate mypy version duplication between CI and pyproject.toml by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2206
ci: remove paths filters from required workflow checks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2277
ci: extract backwards-compatibility from security gate to top-level release gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2273

⬆️ Dependencies

chore(deps): bump python from 9b81fe9 to 0c6bb25 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1925
chore(deps): bump python from 0c6bb25 to fa0acdc by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2023
chore(deps-dev): bump puppeteer from 24.36.1 to 24.37.1 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2044
chore(deps): bump puppeteer from 24.36.1 to 24.37.1 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2042
chore(deps): bump puppeteer from 24.36.1 to 24.37.1 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2043
chore(deps): bump puppeteer from 24.36.1 to 24.37.1 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2045
chore(deps): bump chai from 4.5.0 to 6.2.2 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2124
chore(deps): bump puppeteer from 24.37.1 to 24.37.2 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2122
chore(deps-dev): bump puppeteer from 24.37.1 to 24.37.2 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2121
chore(deps): bump python from fa0acdc to 486b809 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2119
chore(deps): bump puppeteer from 24.37.1 to 24.37.2 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2120
chore(deps-dev): bump eslint from 9.39.2 to 10.0.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2123
chore(deps): bump puppeteer from 24.37.1 to 24.37.2 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/2125

🧹 Code Quality & Refactoring

refactor: modernize type hints in API module by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2009
refactor: deduplicate LLM settings wrapper across 6 files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1964
refactor: deduplicate citation formatter logic by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1969
refactor: deduplicate private IP ranges and metadata parsing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1966
fix: remove redundant traceback usage alongside logger.exception() by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2069
refactor: extract hardcoded values into named constants by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2032
refactor: deduplicate provider availability and queue patterns by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2066
fix: rename _UI_ELEMENT_TO_SETTING_TYPE to public API by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2187
refactor: replace print() with logger in non-CLI code by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1992

🧪 Tests

test: add tests for recent PRs (#2013, #2016, #2020, #2021, #2022) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2038
test: add 1300+ behavioral tests across 24 module categories by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1871
fix: improve metrics UI tests for CI reliability by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2036

🔄 Branch Syncs & Automation

fix: pass username instead of Session to get_default_library_id by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2136

Other Changes

test: add SettingsManager API compatibility tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1908
refactor: consolidate escapeHtml implementations with fallback pattern by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2019
refactor: replace bare except clauses with specific exception types by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1983
refactor: add error handling decorator to news routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1996
fix: remove duplicate escapeHtmlFallback declarations that crash settings page by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2091
fix: scope RateLimitEstimate preload to relevant engine types by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2092
chore: auto-bump version to 1.3.50 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1933
fix: address review feedback on CI consolidation PR by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2207
fix: escape unescaped innerHTML variables in details.js and detail.js by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2203
fix: replace bare except clauses in database module by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2006
fix: improve registration form validation with visual feedback by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1688
fix: defer non-critical post-login work to background thread by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2135
refactor: extract shared SQLCipher connection factory method by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1967
docs: clarify that auth DB stores no passwords by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2149
Revert "Revert "fix: add SQLCipher 4.x compatibility for cipher pragma ordering"" by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1867
fix: unify SettingsManagers, fix env var bugs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2070
test: add regression tests for PRs #2145, #2136, #2146 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2165
fix: detect all redundant exception patterns in logger.exception hook by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/2194

New Contributors

@kwhyte7 made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/2278

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.49...v1.3.50

View release on GitHub

v1.3.49 Security relevant 4mo

Security fixes

fix: validate model path before filesystem operations (CWE-22)
fix: don't expose exception details to users (CWE-209)

Notable features

Document loaders

Full changelog

What's Changed

🔒 Security Updates

Add rate limiting to collection upload endpoint by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1892
fix: validate model path before filesystem operations (CWE-22) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1910
fix: don't expose exception details to users (CWE-209) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1914
ci: add PR trigger for CodeQL scanning by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1911
Add CRLF injection protection to redirect URL validation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1893

✨ New Features

Document loaders by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1666

🔧 CI/CD & Maintenance

chore(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1902
chore(deps): bump step-security/harden-runner from 2.13.3 to 2.14.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1903
chore(deps): bump anchore/sbom-action from 0.22.0 to 0.22.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1905
fix: ignore hadolint DL3059 to preserve Docker layer caching by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1926

⬆️ Dependencies

chore(deps): bump jspdf from 4.0.0 to 4.1.0 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1924

Other Changes

Allow npm commands to be cached by docker when building the image by @Parura5726 in https://github.com/LearningCircuit/local-deep-research/pull/1884
chore: auto-bump version to 1.3.49 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1907

New Contributors

@Parura5726 made their first contribution in https://github.com/LearningCircuit/local-deep-research/pull/1884

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.48...v1.3.49

View release on GitHub

v1.3.48 Maintenance 4mo

Minor fixes and improvements.

Full changelog

What's Changed

🔧 CI/CD & Maintenance

chore(deps): bump actions/setup-python from 6.1.0 to 6.2.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1901
chore(deps): bump github/codeql-action from 3 to 4 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1904

Other Changes

chore: auto-bump version to 1.3.48 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1900

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.47...v1.3.48

View release on GitHub

v1.3.47 Security relevant 4mo

Security fixes

Validate PRAGMA parameters against whitelists to prevent injection attacks.
Add module whitelist and input validation for enhanced security.

Full changelog

What's Changed

🔒 Security Updates

fix: configure gitleaks to scan only main branch by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1886
security: use defusedxml in arxiv downloader by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1888
security: validate PRAGMA parameters against whitelists by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1889
fix: split gitleaks workflows for PR vs security gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1899
security: add module whitelist and input validation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1887

🐛 Bug Fixes

fix: add 18 false positive fingerprints to gitleaksignore by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1885

Other Changes

chore: auto-bump version to 1.3.47 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1897

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.46...v1.3.47

View release on GitHub

v1.3.46 Breaking risk 4mo

Breaking changes

Search defaults changed (specific new default values not detailed) and associated help text updated.

Full changelog

What's Changed

💥 Breaking Changes

feat: update search defaults and improve help text by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1874

✨ New Features

ci: remove 3 redundant pytest workflows and 1 schedule by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1876
Fix issue with indexing local files. by @djpetti in https://github.com/LearningCircuit/local-deep-research/pull/1877
docs: add pip to Quick Start and reorder installation options by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1880
ci: consolidate 4 Docker-based test workflows into 1 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1753
test: add regression tests for SettingsManager API compatibility by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1878

Other Changes

fix: add false positive fingerprints to gitleaksignore by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1873
chore: auto-bump version to 1.3.46 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1881

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.45...v1.3.46

View release on GitHub

v1.3.45 Breaking risk 4mo

Security fixes

fix(security): Resolve XSS vulnerabilities and Bearer scanner alerts
fix(security): sanitize user input to prevent XSS vulnerabilities
fix(security): resolve XSS vulnerabilities and update Bearer config

Notable features

ci: Add MCP server tests workflow
docs: add missing docker-compose-guide.md

Full changelog

What's Changed

🔒 Security Updates

test: add SQLCipher integration tests and pragma order verification by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1695
fix(security): Resolve XSS vulnerabilities and Bearer scanner alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1858
fix(security): suppress false positive security scanner alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1864

💥 Breaking Changes

fix: add SQLCipher 4.x compatibility for cipher pragma ordering by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1614
fix: comprehensive file descriptor leak prevention by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1860
Revert "fix: add SQLCipher 4.x compatibility for cipher pragma ordering" by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1866
test: add comprehensive tests for utils.py and web.py news modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1869

✨ New Features

fix(llm): remove broken llamacpp HTTP mode, guide users to openai_endpoint by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1855
ci: Add MCP server tests workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1506
fix: Reduce repetition in detailed reports by passing previous section context by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1542
docs: add missing docker-compose-guide.md by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1863
docs: fix inaccuracies in docker-compose-guide.md by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1868

🐛 Bug Fixes

fix: complete file descriptor leak fixes for DownloadService and LibraryRAGService by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1856

Other Changes

fix(security): resolve XSS vulnerabilities and update Bearer config by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1857
fix(security): sanitize user input to prevent XSS vulnerabilities by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1862
fix(security): suppress Bearer false positives in xss-protection.js by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1861
chore: auto-bump version to 1.3.45 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1859

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.44...v1.3.45

View release on GitHub

v1.3.44 Maintenance 4mo

Minor fixes and improvements.

Full changelog

What's Changed

Other Changes

chore: auto-bump version to 1.3.44 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1854

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.43...v1.3.44

View release on GitHub

v1.3.43 Breaking risk 4mo

Security fixes

CVE-2026-22702 — TOCTOU vulnerability fixed by upgrading virtualenv

Full changelog

What's Changed

🔒 Security Updates

fix(ci): resolve zizmor security alerts #6607, #6602, #6682-6684 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1841
fix(security): resolve CodeQL URL redirection vulnerability #6685 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1838
fix: consolidate OSSF Scorecard security PRs with official GitHub Actions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1830
fix(security): suppress DevSkim false positives for MD5 cache key usage by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1840
fix(auth): make remember me session lifetime configurable by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1438
fix: use PDM for e2e-research-test to resolve pinned-dependencies alert by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1700
fix(ci): revert checkov to CLI approach to fix heredoc bug by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1850

💥 Breaking Changes

fix: address remaining file descriptor leaks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1849

✨ New Features

test: add valuable tests to increase coverage by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1842
test: add library_init tests and remove placeholder benchmark tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1845
refactor: consolidate document scheduler settings with dataclass by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1552
refactor: consolidate settings retrieval with TTL caching in NewsScheduler by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1411

🐛 Bug Fixes

fix: comprehensive file descriptor leak prevention for Docker deployments by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1832

📚 Documentation

docs: add Chinese coverage references (CSDN, NetEase) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1839

🔧 CI/CD & Maintenance

ci: remove redundant followup-research-tests workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1791

Other Changes

chore: auto-bump version to 1.3.43 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1846
fix: upgrade virtualenv to fix TOCTOU vulnerability (CVE-2026-22702) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1712

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.42...v1.3.43

View release on GitHub

v1.3.42 Security relevant 4mo

Security fixes

CVE-2026-24688 — update pypdf to 6.6.2

Notable features

Reorganized README badges for better scannability
Added The Art Of The Terminal video to Reviews section
Embedded YouTube review video in README header

Full changelog

What's Changed

🔒 Security Updates

fix(security): update pypdf to 6.6.2 for CVE-2026-24688 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1831

✨ New Features

docs: reorganize README badges for better scannability by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1826
docs: add The Art Of The Terminal video to Reviews section by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1829
docs: add YouTube video review embed to README header by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1828
fix: extend citation regex to support Unicode lenticular brackets【】 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1834

🐛 Bug Fixes

fix(ci): update Python version path in Dockle accept-file by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1827

📚 Documentation

docs: add OSSF alert reference to downloadThenRun section by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1833

🔧 CI/CD & Maintenance

🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1836

Other Changes

chore: auto-bump version to 1.3.42 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1837

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.41...v1.3.42

View release on GitHub

v1.3.41 Security relevant 4mo

Security fixes

Disabled setup-node caching to prevent cache poisoning attacks (fix(ci))

Notable features

Info note added for Ollama embedding provider
PyPI publish workflow now skips existing versions

Full changelog

What's Changed

🔒 Security Updates

chore: add Bearer config to suppress false positive alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1814
fix(ci): disable setup-node caching to prevent cache poisoning attacks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1819

✨ New Features

feat: add info note for Ollama embedding provider by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1811
fix(ci): skip existing versions in PyPI publish workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1813
fix(ui): display newest logs at top using CSS column-reverse by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1796

⬆️ Dependencies

chore(deps): bump puppeteer from 24.36.0 to 24.36.1 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1820
chore(deps-dev): bump puppeteer from 24.36.0 to 24.36.1 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1821
chore(deps): bump puppeteer from 24.36.0 to 24.36.1 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1822
chore(deps): bump puppeteer from 24.36.0 to 24.36.1 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1823

Other Changes

test: add high-quality tests for identified coverage gaps by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1815
fix: handle navigation race condition in export test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1797
chore: auto-bump version to 1.3.41 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1812

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.39...v1.3.41

View release on GitHub

v1.3.40 Maintenance 4mo

Minor fixes and improvements.

Full changelog

What's Changed

🔒 Security Updates

ci: consolidate security scans to release gate only by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1636
fix: add github-token to zizmor action for API rate limits by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1756
ci: add OSSAR and Security Headers to security release gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1759
fix: add missing permissions for security-gate and disable ZAP fail_action by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1765
Remove push triggers from security workflows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1770
fix: resolve gitleaks false positives with explicit config and baseline by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1772
ci: add Bandit SARIF upload to GitHub Code Scanning by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1775
Fix OWASP ZAP security warnings for Server header by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1776
fix(ci): resolve zizmor security alerts in GitHub Actions workflows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1781
ci: reduce workflow token permissions to least privilege by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1766
fix: update gitleaks baseline with 42 new false positive fingerprints by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1785
Add missing ZAP IGNORE rules for alerts 10036 and 100001 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1786
fix(ci): resolve zizmor security alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1790
fix: resolve release workflow startup_failure by removing OSV-Scanner from gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1789
ci: remove redundant push triggers from test/validation workflows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1788
security: add SafeLogger to fix javascript_lang_logger_leak alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1751
fix: add missing security-events permission for security-tests job by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1795
fix(ci): add missing rules_file_name to ZAP API scan by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1798
chore(deps): bump python from 3.13-slim to 3.14-slim by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1801
fix: add missing frame-ancestors CSP directive by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1800

✨ New Features

fix: resolve Hadolint SC2015 warning in Dockerfile by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1758
test: add 89 tests for OpenAI and Google LLM providers (Phase 6) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1744
fix: prevent duplicate PDF upload button on main page by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1742
Add guidance for context window and iterations settings by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1740
ci: remove push triggers from test workflows to reduce API rate limits by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1773
test: add 1,462 tests for Phases 16-35 (download, metrics, strategies, web, database, security, API) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1769
fix: rewrite advanced search system tests to test actual classes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1783
test: add high-quality test expansion for edge cases and concurrency by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1794

🐛 Bug Fixes

fix: remove invalid --hash option from pip install in publish workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1760
fix: use correct 'token' parameter for zizmor-action by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1763
fix(ci): prevent Dockle workflow failure when SARIF file missing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1755
fix(ci): add DATABASE_URL to responsive UI tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1774
test: expand test coverage for advanced search system modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1780
test: expand test coverage to 13,122 tests with bug fix by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1784
fix(tests): patch db_manager at decorator import location by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1787
fix: use -I flag for ZAP scan to only fail on FAIL-level alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1809
fix: remove concurrency block from RetireJS workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1810

🔧 CI/CD & Maintenance

fix(ci): add historical commit false positives to gitleaks allowlist by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1778
fix(ci): suppress Dockle false positives for container security alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1767
chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1802
chore(deps): bump anthropics/claude-code-action from 1.0.30 to 1.0.34 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1803
chore(deps): bump github/codeql-action from 4.31.2 to 4.31.11 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1804
chore(deps): bump anchore/sbom-action from 0.21.1 to 0.22.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1805
chore(deps): bump actions/setup-python from 6.1.0 to 6.2.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1806
fix(ci): update codeql-action to v4.31.2 in retirejs workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1799

🧪 Tests

test: add 179 tests for settings module (Phase 7) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1745
test: expand test coverage with 657 tests for Phases 8-15 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1750

🐳 Docker & Deployment

fix(docker): use if-then-else instead of && || pattern by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1757

Other Changes

chore: auto-bump version to 1.3.36 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1761
fix: allowlist coverage HTML commit in gitleaks config by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1762
fix: add missing commits and patterns to gitleaks allowlist by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1764
chore: auto-bump version to 1.3.37 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1771
chore: auto-bump version to 1.3.38 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1782
chore: auto-bump version to 1.3.39 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1793
chore: auto-bump version to 1.3.40 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1808

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.35...v1.3.40

View release on GitHub

v1.3.39 Breaking risk 4mo

Prevent duplicate PDF upload button on the main page.

Full changelog

What's Changed

🔒 Security Updates

ci: consolidate security scans to release gate only by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1636
fix: add github-token to zizmor action for API rate limits by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1756
ci: add OSSAR and Security Headers to security release gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1759
fix: add missing permissions for security-gate and disable ZAP fail_action by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1765
Remove push triggers from security workflows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1770
fix: resolve gitleaks false positives with explicit config and baseline by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1772
ci: add Bandit SARIF upload to GitHub Code Scanning by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1775
Fix OWASP ZAP security warnings for Server header by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1776
fix(ci): resolve zizmor security alerts in GitHub Actions workflows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1781
ci: reduce workflow token permissions to least privilege by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1766
fix: update gitleaks baseline with 42 new false positive fingerprints by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1785
Add missing ZAP IGNORE rules for alerts 10036 and 100001 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1786
fix(ci): resolve zizmor security alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1790
fix: resolve release workflow startup_failure by removing OSV-Scanner from gate by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1789
ci: remove redundant push triggers from test/validation workflows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1788
security: add SafeLogger to fix javascript_lang_logger_leak alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1751
fix: add missing security-events permission for security-tests job by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1795
fix(ci): add missing rules_file_name to ZAP API scan by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1798
chore(deps): bump python from 3.13-slim to 3.14-slim by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1801
fix: add missing frame-ancestors CSP directive by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1800

💥 Breaking Changes

test: expand test coverage with 657 tests for Phases 8-15 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1750

✨ New Features

fix: resolve Hadolint SC2015 warning in Dockerfile by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1758
test: add 89 tests for OpenAI and Google LLM providers (Phase 6) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1744
fix: prevent duplicate PDF upload button on main page by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1742
Add guidance for context window and iterations settings by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1740
ci: remove push triggers from test workflows to reduce API rate limits by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1773
test: add 1,462 tests for Phases 16-35 (download, metrics, strategies, web, database, security, API) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1769
fix: rewrite advanced search system tests to test actual classes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1783
test: add high-quality test expansion for edge cases and concurrency by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1794

🐛 Bug Fixes

fix: remove invalid --hash option from pip install in publish workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1760
fix: use correct 'token' parameter for zizmor-action by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1763
fix(ci): prevent Dockle workflow failure when SARIF file missing by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1755
fix(ci): add DATABASE_URL to responsive UI tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1774
test: expand test coverage for advanced search system modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1780
test: expand test coverage to 13,122 tests with bug fix by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1784
fix(tests): patch db_manager at decorator import location by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1787
fix: use -I flag for ZAP scan to only fail on FAIL-level alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1809
fix: remove concurrency block from RetireJS workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1810

🔧 CI/CD & Maintenance

fix(ci): add historical commit false positives to gitleaks allowlist by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1778
fix(ci): suppress Dockle false positives for container security alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1767
chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1802
chore(deps): bump anthropics/claude-code-action from 1.0.30 to 1.0.34 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1803
chore(deps): bump github/codeql-action from 4.31.2 to 4.31.11 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1804
chore(deps): bump anchore/sbom-action from 0.21.1 to 0.22.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1805
chore(deps): bump actions/setup-python from 6.1.0 to 6.2.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1806
fix(ci): update codeql-action to v4.31.2 in retirejs workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1799

🧪 Tests

test: add 179 tests for settings module (Phase 7) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1745

🐳 Docker & Deployment

fix(docker): use if-then-else instead of && || pattern by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1757

Other Changes

chore: auto-bump version to 1.3.36 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1761
fix: allowlist coverage HTML commit in gitleaks config by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1762
fix: add missing commits and patterns to gitleaks allowlist by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1764
chore: auto-bump version to 1.3.37 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1771
chore: auto-bump version to 1.3.38 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1782
chore: auto-bump version to 1.3.39 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1793
chore: auto-bump version to 1.3.40 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1808

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.35...v1.3.39

View release on GitHub

v1.3.35 Security relevant 4mo

Security fixes

CVE-2026-24049 — fixed by updating wheel to 0.46.2 in CI

Notable features

Added Bearer scanner, defusedxml, and nh3 dependencies
Consolidated 15 test jobs into 3 workflow files

Full changelog

What's Changed

🔒 Security Updates

security: add Bearer scanner, defusedxml, and nh3 dependencies by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1723
fix(ci): update wheel to 0.46.2 to fix CVE-2026-24049 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1738

✨ New Features

test: add 48 new scheduler tests (Phase 4) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1729
ci: consolidate 15 test jobs into 3 workflow files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1743

🐛 Bug Fixes

fix: repair 3 failing library service tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1737

⬆️ Dependencies

chore(deps): bump puppeteer from 24.35.0 to 24.36.0 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1735
chore(deps-dev): bump puppeteer from 24.35.0 to 24.36.0 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1734

🔄 Branch Syncs & Automation

fix(security): address Trivy and OSSF Scorecard vulnerabilities by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1671

Other Changes

test: expand test coverage Phase 5 - 244 new tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1739
chore: auto-bump version to 1.3.35 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1747

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.34...v1.3.35

View release on GitHub

v1.3.34 Maintenance 4mo

Minor fixes and improvements.

Full changelog

What's Changed

🔒 Security Updates

fix: use npm ci for integrity hash verification in npm update workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1708
fix: pin puppeteer version and document APT package strategy by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1692
fix: resolve CI/CD publishing failures (PyPI and Docker) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1730

⬆️ Dependencies

chore(deps): bump puppeteer from 24.35.0 to 24.36.0 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1732
chore(deps): bump puppeteer from 24.35.0 to 24.36.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1733

🧪 Tests

test: add ~200 new tests for Phase 3 coverage expansion by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1728

Other Changes

fix: add PDM timeout and retry for Docker build reliability by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1691
chore: auto-bump version to 1.3.34 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1731

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.33...v1.3.34

View release on GitHub

v1.3.33 Breaking risk 4mo

Security fixes

dep: update weasyprint and pin jaraco-context for CVE fixes

Full changelog

What's Changed

🔒 Security Updates

fix(security): update weasyprint and pin jaraco-context for CVE fixes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1719
fix(ci): resolve checkov hash pinning and codeql-action impostor-commit issues by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1718

💥 Breaking Changes

test: expand test coverage for benchmarks, news, research library, web, and security modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1687

🔧 CI/CD & Maintenance

🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1724

Other Changes

chore: auto-bump version to 1.3.33 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1726
test: add ~315 new tests for Phase 2 coverage expansion by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1727

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.32...v1.3.33

View release on GitHub

v1.3.32 Maintenance 4mo

Minor fixes and improvements.

Full changelog

What's Changed

🔒 Security Updates

fix: pin pip and pdm by hash in fuzz.yml by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1706
fix: remove unpinned npm install from audit workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1698
fix: allow CGNAT and container networking IPs with allow_private_ips by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1717

Other Changes

chore: auto-bump version to 1.3.32 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1722

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.31...v1.3.32

View release on GitHub

v1.3.31 Maintenance 4mo

Security fixes

Resolved OSSF Scorecard alert by pinning pip hash
Pinned checkov by hash in CI workflow
Pinned wheel by hash in publish.yml

Notable features

CI test stability improved with singleton isolation and timeouts
Claude Code review now opt-in via label only

Full changelog

What's Changed

🔒 Security Updates

fix: resolve OSSF Scorecard alert #5609 (pip not pinned by hash) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1705
fix: pin checkov by hash in CI workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1701
fix: pin wheel by hash in publish.yml by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1704

✨ New Features

fix: improve CI test stability with singleton isolation and timeouts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1676
fix(ci): make Claude Code review opt-in via label only by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1694

🔧 CI/CD & Maintenance

fix: resolve Gitleaks and Dockle CI failures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1693

Other Changes

chore: auto-bump version to 1.3.31 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1690

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.30...v1.3.31

View release on GitHub

v1.3.30 Breaking risk 4mo

Breaking changes

Minimum Node.js version increased to 20

Security fixes

Update Node.js from 18 to 20 and patch vulnerable dependencies
dep: Resolve jsdiff DoS vulnerability (GHSA-73rr-hh4g-fpgx)

Full changelog

What's Changed

🔒 Security Updates

refactor: use exceptions instead of return tuples for auth errors by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1490
fix(security): Update Node.js 18→20 and patch vulnerable dependencies by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1656
docs: Add security alert assessment documentation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1478
fix(security): resolve zizmor template injection vulnerabilities by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1668
fix: exclude DevSkim false positive rules DS148264 and DS172411 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1677
test: Add coverage tests for research routes and web API by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1674
fix(security): resolve jsdiff DoS vulnerability (GHSA-73rr-hh4g-fpgx) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1685
fix: filter unfixed CVEs from Trivy SARIF reports by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1672

✨ New Features

Add favorites feature for search engine selector by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1630
fix: centralize boolean type conversion for settings by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1547
docs: Add architecture, extension guide, and troubleshooting documentation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1497
Fix cookiecutter docker-compose generation on Windows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1644
fix: use AuthHelper in test_register_full_flow.js for robust CI handling by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1530
Add ~400 tests to increase code coverage by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1655
refactor: Address PR review feedback for CI tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1570

🐛 Bug Fixes

fix(ci): prevent gh-pages deployment failure from breaking tests badge by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1651

🔧 CI/CD & Maintenance

🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1663
chore(deps): bump google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml from 2.3.1 to 2.3.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1679
chore(deps): bump anthropics/claude-code-action from 1.0.29 to 1.0.30 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1680
chore(deps): bump actions/cache from 5.0.1 to 5.0.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1681
chore(deps): bump google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml from 2.3.1 to 2.3.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1682
chore(deps): bump actions/setup-node from 6.1.0 to 6.2.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1683

⬆️ Dependencies

chore(deps): bump puppeteer from 24.34.0 to 24.35.0 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1649
chore(deps): bump puppeteer from 24.34.0 to 24.35.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1650
chore(deps): bump puppeteer from 24.34.0 to 24.35.0 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1648
chore(deps-dev): bump puppeteer from 24.34.0 to 24.35.0 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1647

🧪 Tests

Add comprehensive tests for web modules and search engines by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1637
test: add unit tests for untested modules by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1664
test: add quality test coverage improvements by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1673

Other Changes

Add comprehensive test coverage for multiple modules (batch 1) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1643
fix: harden XSS protection with inline fallbacks and simplified markdown rendering by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1670
fix: add tabnabbing protection and settings.js XSS fallback by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1675
chore: auto-bump version to 1.3.30 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1645

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.29...v1.3.30

View release on GitHub

v1.3.29 Breaking risk 4mo

Breaking changes

Fix connection leak in encrypted_db causing critical-ui-tests failures

Notable features

Multi-theme support with 5 preset themes
API key inputs for cloud providers on the research front page
Automatic RAG indexing when documents are added

Full changelog

What's Changed

💥 Breaking Changes

Fix connection leak in encrypted_db causing critical-ui-tests failures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1621

✨ New Features

feat: add multi-theme support with 5 preset themes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1586
feat: Add API key inputs to research front page for cloud providers by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1524
feat: Add automatic RAG indexing when documents are added by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1528
Add comprehensive unit tests to improve code coverage by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1631
fix(ci): Optimize CI workflows to reduce timeout and skipped noise by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1556

🐛 Bug Fixes

fix(mobile): resolve tablet sidebar and metrics page overflow issues by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1549

🔧 CI/CD & Maintenance

chore(deps): bump step-security/harden-runner from 2.13.3 to 2.14.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1640
chore(deps): bump peter-evans/create-pull-request from 7.0.8 to 8.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1639
chore(deps): bump anthropics/claude-code-action from 1.0.27 to 1.0.29 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1638
chore(deps): bump anchore/sbom-action from 0.21.0 to 0.21.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1641

Other Changes

Fix strategy bugs and add comprehensive tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1624
chore: auto-bump version to 1.3.29 by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1635

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.28...v1.3.29

View release on GitHub

v1.3.28 Maintenance 4mo

Minor fixes and improvements.

Full changelog

What's Changed

✨ New Features

fix: use github-actions[bot] for version bump PRs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1634

🔧 CI/CD & Maintenance

chore: auto-bump version to 1.3.28 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1633

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.27...v1.3.28

View release on GitHub

v1.3.27 Security relevant 4mo

Security fixes

Fixed pypdf and werkzeug vulnerabilities (dependency updates)

Notable features

Docker cache path fix and version bump to 1.3.24

Full changelog

What's Changed

🔒 Security Updates

security(deps): fix pypdf and werkzeug vulnerabilities by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1622
test: add tests to improve code coverage for security and web routes by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1625
docs: Add Metrics Dashboard documentation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1502
fix: version bump workflow creates PR instead of direct push by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1576
security(deps): remove unused jupyter dev dependency by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1628

✨ New Features

test: add tests to improve code coverage by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1593
fix: Complete RAG Docker cache path fix and bump version to 1.3.24 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1582
fix(ci): Optimize CI workflows to reduce timeout and skipped noise by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1550
Revise Docker instructions in README by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1620
fix(ci): Speed up UI tests by reducing KDF iterations by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1623
fix: Dropdown search highlighting shows raw HTML tags by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1538

🐛 Bug Fixes

fix(ci): add PYTHONPATH to Docker test runs for accurate coverage by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1619

📚 Documentation

Update Local Deep Research description by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1555

🔧 CI/CD & Maintenance

🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1606
chore: bump version to 1.3.27 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1629

🧪 Tests

test: allow database/initialize.py in raw SQL check by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1627

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.26...v1.3.27

View release on GitHub

v1.3.26 Security relevant 4mo

Security fixes

dep: CVE-2026-21441 — fixed by updating urllib3 to 2.6.3

Full changelog

What's Changed

🔒 Security Updates

security(deps): Update urllib3 to 2.6.3 to fix CVE-2026-21441 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1616

📚 Documentation

docs: Add CI/CD infrastructure documentation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1580

⚙️ Configuration

chore: add shreydekate as restricted code owner by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1615

Other Changes

chore: bump version to 1.3.26 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1617

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.25...v1.3.26

View release on GitHub

v1.3.25 Bug fix 4mo

Notable features

Added Docker Run quickstart option for Linux users
Added technical analysis and project health metrics to architecture documentation

Full changelog

What's Changed

✨ New Features

docs: add Docker Run quickstart option for Linux users by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1577
docs: Add technical analysis and project health metrics to architecture by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1545

🐛 Bug Fixes

fix: Remove settings_snapshot from list_models_for_api (restore Dec 16 fix) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1591
fix(ci): Copy coverage files to fresh dir before git deploy by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1594

🔧 CI/CD & Maintenance

chore: bump version to 1.3.25 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1612

Other Changes

fix(lmstudio): use URL as-is instead of appending /v1 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1609

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.24...v1.3.25

View release on GitHub

v1.3.24 New feature 4mo

Security fixes

security: update vulnerable dependencies (v1.3.24)
security: Add pip CVE-2025-8869 to .trivyignore (mitigated)

Notable features

Add Dockle Container Image Security Linting
Add auth_tests and security tests to Unit Tests with proper CI config

Full changelog

What's Changed

🔒 Security Updates

Add Dockle Container Image Security Linting by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1568
fix: Add auth_tests and security tests to Unit Tests with proper CI config by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1537

✨ New Features

Fix RAG Docker issues: missing import and cache path errors by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1563
feat(ci): Deploy coverage report to GitHub Pages by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1574
fix: Resolve Extended UI Test flakiness by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1587
test: add comprehensive tests for search engines and utilities by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1579
Fix model refresh to clear all stale cached models by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1581
fix(ci): Replace peaceiris with direct git deploy for gh-pages by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1590
fix(ci): use real registration flow for UI test user setup by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1602
Remove search engine fallbacks by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1560

🐛 Bug Fixes

Fix osv-scanner workflow: remove unsupported branches filter from merge_group by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1573
fix(ci): Fix GitHub Pages coverage deployment permissions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1585
fix(ci): Force orphan gh-pages for coverage deployment by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1588
fix(ci): Add id-token permission to Claude Code Review workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1566
fix: Replace hardcoded Path.home() paths with centralized path functions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1584
fix: Remove dead code and fix factory bugs in search strategies by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1557

🔧 CI/CD & Maintenance

fix(ci): Target main branch for dependency update workflows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1592
chore(deps): bump step-security/harden-runner from 2.13.3 to 2.14.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1599
chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1596
chore(deps): bump actions/attest-build-provenance from 3.0.0 to 3.1.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1598
chore(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1597

⬆️ Dependencies

chore(deps): bump jspdf from 3.0.4 to 4.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1595

🧪 Tests

fix: Comprehensive mobile UI responsive improvements by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1558

Other Changes

security: Add pip CVE-2025-8869 to .trivyignore (mitigated) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1477
security: update vulnerable dependencies (v1.3.24) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1607

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.23...v1.3.24

View release on GitHub

v1.3.23 Security relevant 5mo

Security fixes

CVE-2025-68480 — fixed by upgrading marshmallow to 3.26.2
CVE-2025-68664 — fixed by upgrading langchain-core to 1.2.5

Notable features

Add comprehensive form validation UI tests
Add community feedback note to settings page
Log SearXNG backend engine failures

Full changelog

What's Changed

🔒 Security Updates

Fix security scanning alerts by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1426
fix: prevent settings snapshot leak in log messages by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1440
fix(searxng): filter out error pages when backend engines fail by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1341
test: add critical path stability tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1435
security: Add pdfminer.six GHSA-f83h-ghpp-7wcc to .trivyignore by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1465
security: Upgrade marshmallow to 3.26.2 to fix CVE-2025-68480 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1466
ci: Update pip to 25.0 in workflows by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1470
security: Upgrade langchain-core to 1.2.5 to fix CVE-2025-68664 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1474
docs: Document fuzzing strategy and OSS-Fuzz considerations by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1472
docs: Document Pinned-Dependencies Scorecard compliance by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1471
fix(ci): Use .trivyignore in container security workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1468
docs: Add branch protection configuration guide by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1469
fix: Pin pip-audit to version 2.10.0 for OSSF compliance by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1486
docs: Document OSSF Scorecard pinned-dependencies decisions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1487
fix: Preserve redirect URL after login by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1494
fix: Suppress DevSkim false positives (~700 alerts) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1483
chore: Expand code owners for workflows and docs by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1514
fix: Add path validation to LibraryService.open_file_location() by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1492
fix: Mask sensitive values in settings change notifications by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1522
fix: prevent memory exhaustion in PDF uploads (issue #1176) by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1421

✨ New Features

fix: Use consistent ldr-form-control CSS class in register form by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1455
feat: Add comprehensive form validation UI tests by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1462
docs: Fix broken links, version references, and strategy count by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1498
docs: Add CLI tools reference documentation by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1501
docs: improve settings tooltips and descriptions by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1488
docs: Add Research Library and RAG user guide by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1499
docs: Add News Subscriptions user guide by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1500
test: Add 93 unit tests across 13 new test files by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1493
fix: Remove duplicate Upload Files button on collection details page by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1510
feat: Add community feedback note to settings page by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1509
feat: log SearXNG backend engine failures by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1489
feat: Restore Claude Code Review workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1515
fix: Increase UI test timeouts for registration flow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1511
feat: Use Claude Opus 4.5 for code reviews by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1523
docs: Add architecture diagrams to README by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1512
feat: Add comprehensive in-tool documentation with tooltips and help panels by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1503
docs: Expand Featured In section with verified international coverage by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1533
Fix model dropdown showing wrong provider's models by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1559
fix: Speed up CI tests by using pre-created test user by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1564
docs: add link to dependency license allowlist in README by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1571
docs: Add NVIDIA GPU option to Quick Start section by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1562

🐛 Bug Fixes

fix(tests): replace invalid Playwright-specific CSS selectors by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1452
fix: skip GitHub Pages upload if screenshots directory doesn't exist by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1473
fix: Handle Puppeteer protocol timeout in registration test by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1484
fix: UI test failures - regex pattern and CSRF token issues by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1505
fix: Refresh login page to get fresh CSRF token after logout by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1507
fix: Check env vars before returning default when db value is None by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1525
fix: Remove non-functional Report issue menu item from news cards by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1508
fix: Enable persist-credentials for version auto-bump workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1561

🔧 CI/CD & Maintenance

chore(deps): bump slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml from 2.0.0 to 2.1.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1445
chore(deps): bump EnricoMi/publish-unit-test-result-action from 2.21.0 to 2.22.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1448
chore(deps): bump codecov/codecov-action from 5.5.1 to 5.5.2 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1446
chore(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1447
chore(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1449
🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1461
chore(deps): bump actions/checkout from 5.0.0 to 6.0.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1521
chore(deps): bump google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml from 2.3.0 to 2.3.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1517
chore(deps): bump docker/setup-buildx-action from 3.11.1 to 3.12.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1520
chore(deps): bump anchore/sbom-action from 0.20.11 to 0.21.0 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1519
chore(deps): bump google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml from 2.3.0 to 2.3.1 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1518
fix: Add DISABLE_RATE_LIMITING to Unit Tests workflow by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1532
🤖 Update dependencies by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1539
fix: Update claude-code-action to v1.0+ input format by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1535
chore: bump version to 1.3.23 by @LearningCircuit in https://github.com/LearningCircuit/local-deep-research/pull/1575

⬆️ Dependencies

chore(deps-dev): bump puppeteer from 24.33.0 to 24.34.0 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1443
chore(deps): bump puppeteer from 24.33.0 to 24.34.0 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1444
chore(deps): bump puppeteer from 24.33.0 to 24.34.0 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1442
chore(deps): bump puppeteer from 24.33.1 to 24.34.0 in /tests/ui_tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1441
chore(deps-dev): bump chai from 6.2.1 to 6.2.2 in /tests/api_tests_with_login by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1458
chore(deps): bump chai from 6.2.1 to 6.2.2 in /tests/puppeteer by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1456
chore(deps): bump chai from 6.2.1 to 6.2.2 in /tests by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1457
chore(deps): bump socket.io-client from 4.8.1 to 4.8.3 by @dependabot[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1516

🔄 Branch Syncs & Automation

✅ Sync main to dev by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1430
✅ Sync main to dev by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1436
✅ Sync main to dev by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1450
✅ Sync main to dev by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1459
✅ Sync main to dev by @github-actions[bot] in https://github.com/LearningCircuit/local-deep-research/pull/1460

Full Changelog: https://github.com/LearningCircuit/local-deep-research/compare/v1.3.22...v1.3.23

View release on GitHub

All releases

TL;DR

What's Changed

✨ New Features

🐛 Bug Fixes

🔧 CI/CD & Maintenance

🧪 Tests

1.6.8 — release notes

Bug fixes

Hardening

What's Changed

🔒 Security Updates

✨ New Features

🐛 Bug Fixes

🔧 CI/CD & Maintenance

🧹 Code Quality & Refactoring

What's Changed

🔒 Security Updates

🐛 Bug Fixes

🔧 CI/CD & Maintenance

⬆️ Dependencies

⚙️ Configuration

🐍 Python Changes

Other Changes

New Contributors

What's Changed

🐛 Bug Fixes

Other Changes

What's Changed

💥 Breaking Changes

🐛 Bug Fixes

⚡ Performance Improvements

📚 Documentation

Other Changes

What's Changed

🔒 Security Updates

🐛 Bug Fixes

🔧 CI/CD & Maintenance

⬆️ Dependencies

🧪 Tests

Other Changes

What's Changed

🔒 Security Updates

✨ New Features

🐛 Bug Fixes

🔧 CI/CD & Maintenance

🧹 Code Quality & Refactoring

🐍 Python Changes

Other Changes

What's Changed

🔒 Security Updates

💥 Breaking Changes

✨ New Features

🐛 Bug Fixes

📚 Documentation

🔧 CI/CD & Maintenance

🧹 Code Quality & Refactoring

🧪 Tests

🎨 Frontend Changes

Other Changes

What's Changed

🔒 Security Updates

✨ New Features

🐛 Bug Fixes

🔧 CI/CD & Maintenance

⬆️ Dependencies

🧹 Code Quality & Refactoring

🧪 Tests

🎨 Frontend Changes

Other Changes

What's Changed

🔒 Security Updates

✨ New Features

🐛 Bug Fixes

⚡ Performance Improvements

🗄️ Database Changes

📚 Documentation

🔧 CI/CD & Maintenance

⬆️ Dependencies

🧹 Code Quality & Refactoring