{
"interval": {
"intervalStart": "2026-04-13T00:00:00.000Z",
"intervalEnd": "2026-04-14T00:00:00.000Z",
"intervalType": "day"
},
"repository": "elizaos/eliza",
"overview": "From 2026-04-13 to 2026-04-14, elizaos/eliza had 6 new PRs (3 merged), 0 new issues, and 5 active contributors.",
"topIssues": [],
"topPRs": [
{
"id": "PR_kwDOMT5cIs7R5qtC",
"title": "chore(deps): bump the cargo group across 21 directories with 6 updates",
"author": "dependabot",
"number": 6724,
"body": "Bumps the cargo group with 3 updates in the /packages/examples/a2a/rust directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).\nBumps the cargo group with 4 updates in the /packages/examples/app/tauri/src-tauri directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn), [rustls-webpki](https://github.com/rustls/webpki) and [time](https://github.com/time-rs/time).\nBumps the cargo group with 1 update in the /packages/examples/autonomous/rust/autonomous directory: [bytes](https://github.com/tokio-rs/bytes).\nBumps the cargo group with 3 updates in the /packages/examples/aws/rust directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).\nBumps the cargo group with 3 updates in the /packages/examples/bluesky/rust/bluesky-agent directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).\nBumps the cargo group with 3 updates in the /packages/examples/chat/rust/chat directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).\nBumps the cargo group with 1 update in the /packages/examples/cloudflare/rust-worker directory: [bytes](https://github.com/tokio-rs/bytes).\nBumps the cargo group with 3 updates in the /packages/examples/discord/rust/discord-agent directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn) and [time](https://github.com/time-rs/time).\nBumps the cargo group with 3 updates in the /packages/examples/form/rust/chat directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).\nBumps the cargo group with 1 update in the /packages/examples/game-of-life/rust/game-of-life directory: [bytes](https://github.com/tokio-rs/bytes).\nBumps the cargo group with 3 updates in the /packages/examples/gcp/rust directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).\nBumps the cargo group with 4 updates in the /packages/examples/polymarket/rust/polymarket-demo directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn), [rustls-webpki](https://github.com/rustls/webpki) and [keccak](https://github.com/RustCrypto/sponges).\nBumps the cargo group with 2 updates in the /packages/examples/rest-api/actix directory: [bytes](https://github.com/tokio-rs/bytes) and [time](https://github.com/time-rs/time).\nBumps the cargo group with 1 update in the /packages/examples/rest-api/axum directory: [bytes](https://github.com/tokio-rs/bytes).\nBumps the cargo group with 2 updates in the /packages/examples/rest-api/rocket directory: [bytes](https://github.com/tokio-rs/bytes) and [time](https://github.com/time-rs/time).\nBumps the cargo group with 1 update in the /packages/examples/roblox/rust directory: [bytes](https://github.com/tokio-rs/bytes).\nBumps the cargo group with 3 updates in the /packages/examples/telegram/rust/telegram-agent directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).\nBumps the cargo group with 3 updates in the /packages/examples/text-adventure/rust/game directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).\nBumps the cargo group with 1 update in the /packages/examples/tic-tac-toe/rust directory: [bytes](https://github.com/tokio-rs/bytes).\nBumps the cargo group with 3 updates in the /packages/examples/twitter-xai/rust/xai-agent directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).\nBumps the cargo group with 1 update in the /packages/examples/virus directory: [rustls-webpki](https://github.com/rustls/webpki).\n\nUpdates `bytes` from 1.11.0 to 1.11.1\n\nRelease notes
\nSourced from bytes's releases.
\n\nBytes v1.11.1
\n1.11.1 (February 3rd, 2026)
\n\n- Fix integer overflow in
BytesMut::reserve \n
\n
\n \n\nChangelog
\nSourced from bytes's changelog.
\n\n1.11.1 (February 3rd, 2026)
\n\n- Fix integer overflow in
BytesMut::reserve \n
\n
\n \n\nCommits
\n\n \n
\n\nUpdates `quinn-proto` from 0.11.13 to 0.11.14\n\nRelease notes
\nSourced from quinn-proto's releases.
\n\nquinn-proto 0.11.14
\n@jxs reported a denial of service issue in quinn-proto 5 days ago:
\n\nWe coordinated with them to release this version to patch the issue. Unfortunately the maintainers missed these issues during code review and we did not have enough fuzzing coverage -- we regret the oversight and have added an additional fuzzing target.
\nOrganizations that want to participate in coordinated disclosure can contact us privately to discuss terms.
\nWhat's Changed
\n\n
\n \n\nCommits
\n\n2c315aa proto: bump version to 0.11.148ad47f4 Use newer rustls-pki-types PEM parser APIc81c028 ci: fix workflow syntax0050172 ci: pin wasm-bindgen-cli version8a6f82c Take semver-compatible dependency updatese52db4a Apply suggestions from clippy 1.916df7275 chore: Fix unnecessary_unwrap clippyc8eefa0 proto: avoid unwrapping varint decoding during parameters parsing9723a97 fuzz: add fuzzing target for parsing transport parameterseaf0ef3 Fix over-permissive proto dependency edge (#2385)- Additional commits viewable in compare view
\n
\n \n
\n\nUpdates `rustls-webpki` from 0.103.8 to 0.103.11\n\nRelease notes
\nSourced from rustls-webpki's releases.
\n\n0.103.11
\nIn response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.
\nWhat's Changed
\n\n0.103.10
\nCorrect selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.
\nThe impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.
\nThis vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)
\nMore likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.
\nThis vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @1seal for the report.
\nWhat's Changed
\n\nFull Changelog: https://github.com/rustls/webpki/compare/v/0.103.9...v/0.103.10
\n0.103.9
\nWhat's Changed
\n\n
\n \n\nCommits
\n\n57bc62c Bump version to 0.103.11d0fa01e Allow parsing trust anchors with unknown criticial extensions348ce01 Prepare 0.103.10dbde592 crl: fix authoritative_for() support for multiple URIs9c4838e avoid std::prelude imports009ef66 fix rust 1.94 ambiguous panic macro warningsc41360d build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3e401d00 generate.py: reformat for black 2026.1.006cedec Take semver-compatible deps6bc9931 Bump version to 0.103.9- Additional commits viewable in compare view
\n
\n \n
\n\nUpdates `bytes` from 1.11.0 to 1.11.1\n\nRelease notes
\nSourced from bytes's releases.
\n\nBytes v1.11.1
\n1.11.1 (February 3rd, 2026)
\n\n- Fix integer overflow in
BytesMut::reserve \n
\n
\n \n\nChangelog
\nSourced from bytes's changelog.
\n\n1.11.1 (February 3rd, 2026)
\n\n- Fix integer overflow in
BytesMut::reserve \n
\n
\n \n\nCommits
\n\n \n
\n\nUpdates `quinn-proto` from 0.11.13 to 0.11.14\n\nRelease notes
\nSourced from quinn-proto's releases.
\n\nquinn-proto 0.11.14
\n@jxs reported a denial of service issue in quinn-proto 5 days ago:
\n\nWe coordinated with them to release this version to patch the issue. Unfortunately the maintainers missed these issues during code review and we did not have enough fuzzing coverage -- we regret the oversight and have added an additional fuzzing target.
\nOrganizations that want to participate in coordinated disclosure can contact us privately to discuss terms.
\nWhat's Changed
\n\n
\n \n\nCommits
\n\n2c315aa proto: bump version to 0.11.148ad47f4 Use newer rustls-pki-types PEM parser APIc81c028 ci: fix workflow syntax0050172 ci: pin wasm-bindgen-cli version8a6f82c Take semver-compatible dependency updatese52db4a Apply suggestions from clippy 1.916df7275 chore: Fix unnecessary_unwrap clippyc8eefa0 proto: avoid unwrapping varint decoding during parameters parsing9723a97 fuzz: add fuzzing target for parsing transport parameterseaf0ef3 Fix over-permissive proto dependency edge (#2385)- Additional commits viewable in compare view
\n
\n \n
\n\nUpdates `rustls-webpki` from 0.103.8 to 0.103.11\n\nRelease notes
\nSourced from rustls-webpki's releases.
\n\n0.103.11
\nIn response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.
\nWhat's Changed
\n\n0.103.10
\nCorrect selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.
\nThe impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.
\nThis vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)
\nMore likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.
\nThis vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @1seal for the report.
\nWhat's Changed
\n\nFull Changelog: https://github.com/rustls/webpki/compare/v/0.103.9...v/0.103.10
\n0.103.9
\nWhat's Changed
\n\n
\n \n\nCommits
\n\n57bc62c Bump version to 0.103.11d0fa01e Allow parsing trust anchors with unknown criticial extensions348ce01 Prepare 0.103.10dbde592 crl: fix authoritative_for() support for multiple URIs9c4838e avoid std::prelude imports009ef66 fix rust 1.94 ambiguous panic macro warningsc41360d build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3e401d00 generate.py: reformat for black 2026.1.006cedec Take semver-compatible deps6bc9931 Bump version to 0.103.9- Additional commits viewable in compare view
\n
\n \n
\n\nUpdates `time` from 0.3.45 to 0.3.47\n\nRelease notes
\nSourced from time's releases.
\n\nv0.3.47
\nSee the changelog for details.
\nv0.3.46
\nSee the changelog for details.
\n
\n \n\nChangelog
\nSourced from time's changelog.
\n\n0.3.47 [2026-02-05]
\nSecurity
\n\n- \n
The possibility of a stack exhaustion denial of service attack when parsing RFC 2822 has been\neliminated. Previously, it was possible to craft input that would cause unbounded recursion. Now,\nthe depth of the recursion is tracked, causing an error to be returned if it exceeds a reasonable\nlimit.
\nThis attack vector requires parsing user-provided input, with any type, using the RFC 2822 format.
\n \n
\nCompatibility
\n\n- Attempting to format a value with a well-known format (i.e. RFC 3339, RFC 2822, or ISO 8601) will\nerror at compile time if the type being formatted does not provide sufficient information. This\nwould previously fail at runtime. Similarly, attempting to format a value with ISO 8601 that is\nonly configured for parsing (i.e.
Iso8601::PARSING) will error at compile time. \n
\nAdded
\n\n- Builder methods for format description modifiers, eliminating the need for verbose initialization\nwhen done manually.
\ndate!(2026-W01-2) is now supported. Previously, a space was required between W and 01.[end] now has a trailing_input modifier which can either be prohibit (the default) or\ndiscard. When it is discard, all remaining input is ignored. Note that if there are components\nafter [end], they will still attempt to be parsed, likely resulting in an error.
\nChanged
\n\n- More performance gains when parsing.
\n
\nFixed
\n\n- If manually formatting a value, the number of bytes written was one short for some components.\nThis has been fixed such that the number of bytes written is always correct.
\n- The possibility of integer overflow when parsing an owned format description has been effectively\neliminated. This would previously wrap when overflow checks were disabled. Instead of storing the\ndepth as
u8, it is stored as u32. This would require multiple gigabytes of nested input to\noverflow, at which point we've got other problems and trivial mitigations are available by\ndownstream users. \n
\n0.3.46 [2026-01-23]
\nAdded
\n\n- All possible panics are now documented for the relevant methods.
\n- The need to use
#[serde(default)] when using custom serde formats is documented. This applies\nonly when deserializing an Option<T>. \nDuration::nanoseconds_i128 has been made public, mirroring\nstd::time::Duration::from_nanos_u128.
\n\n
\n... (truncated)
\n \n\nCommits
\n\nd5144cd v0.3.47 releasef6206b0 Guard against integer overflow in release mode1c63dc7 Avoid denial of service when parsing Rfc28225940df6 Add builder methods to avoid verbose construction00881a4 Manually format macros everywherebb723b6 Add trailing_input modifier to end31c4f8e Permit W12 in date! macro490a17b Mark error paths in well-known formats as cold6cb1896 Optimize Rfc2822 parsing6d264d5 Remove erroneous #[inline(never)] attributes- Additional commits viewable in compare view
\n
\n \n
\n\nUpdates `bytes` from 1.11.0 to 1.11.1\n\nRelease notes
\nSourced from bytes's releases.
\n\nBytes v1.11.1
\n1.11.1 (February 3rd, 2026)
\n\n- Fix integer overflow in
BytesMut::reserve \n
\n
\n \n\nChangelog
\nSourced from bytes's changelog.
\n\n1.11.1 (February 3rd, 2026)
\n\n- Fix integer overflow in
BytesMut::reserve \n
\n
\n \n\nCommits
\n\n \n
\n\nUpdates `bytes` from 1.11.0 to 1.11.1\n\nRelease notes
\nSourced from bytes's releases.
\n\nBytes v1.11.1
\n1.11.1 (February 3rd, 2026)
\n\n- Fix integer overflow in
BytesMut::reserve \n
\n
\n \n\nChangelog
\nSourced from bytes's changelog.
\n\n1.11.1 (February 3rd, 2026)
\n\n- Fix integer overflow in
BytesMut::reserve \n
\n
\n \n\nCommits
\n\n \n
\n\nUpdates `quinn-proto` from 0.11.13 to 0.11.14\n\nRelease notes
\nSourced from quinn-proto's releases.
\n\nquinn-proto 0.11.14
\n@jxs reported a denial of service issue in quinn-proto 5 days ago:
\n\nWe coordinated with them to release this version to patch the issue. Unfortunately the maintainers missed these issues during code review and we did not have enough fuzzing coverage -- we regret the oversight and have added an additional fuzzing target.
\nOrganizations that want to participate in coordinated disclosure can contact us privately to discuss terms.
\nWhat's Changed
\n\n
\n \n\nCommits
\n\n2c315aa proto: bump version to 0.11.148ad47f4 Use newer rustls-pki-types PEM parser APIc81c028 ci: fix workflow syntax0050172 ci: pin wasm-bindgen-cli version8a6f82c Take semver-compatible dependency updatese52db4a Apply suggestions from clippy 1.916df7275 chore: Fix unnecessary_unwrap clippyc8eefa0 proto: avoid unwrapping varint decoding during parameters parsing9723a97 fuzz: add fuzzing target for parsing transport parameterseaf0ef3 Fix over-permissive proto dependency edge (#2385)- Additional commits viewable in compare view
\n
\n \n
\n\nUpdates `rustls-webpki` from 0.103.8 to 0.103.11\n\nRelease notes
\nSourced from rustls-webpki's releases.
\n\n0.103.11
\nIn response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.
\nWhat's Changed
\n\n0.103.10
\nCorrect selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.
\nThe impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.
\nThis vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)
\nMore likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.
\nThis vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @1seal for the report.
\nWhat's Changed
\n\nFull Changelog: https://github.com/rustls/webpki/compare/v/0.103.9...v/0.103.10
\n0.103.9
\nWhat's Changed
\n\n
\n \n\nCommits
\n\n57bc62c Bump version to 0.103.11d0fa01e Allow parsing trust anchors with unknown criticial extensions348ce01 Prepare 0.103.10dbde592 crl: fix authoritative_for() support for multiple URIs9c4838e avoid std::prelude imports009ef66 fix rust 1.94 ambiguous panic macro warningsc41360d build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3e401d00 generate.py: reformat for black 2026.1.006cedec Take semver-compatible deps6bc9931 Bump version to 0.103.9- Additional commits viewable in compare view
\n
\n \n
\n\nUpdates `sqlx` from 0.7.4 to 0.8.6\n\nChangelog
\nSourced from sqlx's changelog.
\n\n0.8.6 - 2025-05-19
\n9 pull requests were merged this release cycle.
\nAdded
\n\n- [#3849]: Add color and wrapping to cli help text [[
@joshka]] \n
\nChanged
\n\nFixed
\n\n#3830: launchbadge/sqlx#3830\n#3840: launchbadge/sqlx#3840\n#3845: launchbadge/sqlx#3845\n#3848: launchbadge/sqlx#3848\n#3849: launchbadge/sqlx#3849\n#3855: launchbadge/sqlx#3855\n#3856: launchbadge/sqlx#3856\n#3863: launchbadge/sqlx#3863\n#3866: launchbadge/sqlx#3866
\n0.8.5 - 2025-04-14
\nHotfix release to address two new issues:
\n\n- [#3823]:
sqlx-cli@0.8.4 broke .env default resolution mechanism \n- [#3825]:
sqlx@0.8.4 broke test fixture setup \n
\nThe 0.8.4 release will be yanked as of publishing this one.
\nAdded
\n\n- In release PR:
sqlx-cli now accepts --no-dotenv in subcommand arguments. \n- In release PR: added functionality tests for
sqlx-cli to CI. \n- In release PR: test
#[sqlx::test] twice in CI to cover cleanup. \n
\nFixed
\n\n- In release PR:
sqlx-cli correctly reads .env files by default again.\n\n \n- In release PR: fix bugs in MySQL implementation of
#[sqlx::test].\n\n \n
\n#3823: launchbadge/sqlx#3823\n#3825: launchbadge/sqlx#3825
\n\n
\n... (truncated)
\n \n\nCommits
\n\nbab1b02 0.8.6 release (#3870)b27b47c Pick default features to fix docs.rs build of sqlx-sqlite (#3840)d335f78 Use unnamed statement in pg when not persistent (#3863)760b395 fix(macros): don't mutate environment variables (#3848)4259862 fix(macros): slightly improve unsupported type error message (#3856)1b94e1d chore(doc): clarify compile-time verification and case conversion behavior (#...92c3845 fix attrubute typo in doc (#3855)3edc619 build: drop unused tempfile dependency (#3830)6b2e024 Add color and wrapping to cli help text (#3849)5736ab6 chore: clean up no longer used imports (#3845)- Additional commits viewable in compare view
\n
\n \n
\n\nUpdates `bytes` from 1.11.0 to 1.11.1\n\nRelease notes
\nSourced from bytes's releases.
\n\nBytes v1.11.1
\n1.11.1 (February 3rd, 2026)
\n\n- Fix integer overflow in
BytesMut::reserve \n
\n
\n \n\nChangelog
\nSourced from bytes's changelog.
\n\n1.11.1 (February 3rd, 2026)
\n\n- Fix integer overflow in
BytesMut::reserve \n
\n
\n \n\nCommits
\n\n \n
\n\nUpdates `quinn-proto` from 0.11.13 to 0.11.14\n\nRelease notes
\nSourced from quinn-proto's releases.
\n\nquinn-proto 0.11.14
\n@jxs reported a denial of service issue in quinn-proto 5 days ago:
\n\nWe coordinated with them to release this version to patch the issue. Unfortunately the maintainers missed these issues during code review and we did not have enough fuzzing coverage -- we regret the oversight and have added an additional fuzzing target.
\nOrganizations that want to participate in coordinated disclosure can contact us privately to discuss terms.
\nWhat's Changed
\n\n
\n \n\nCommits
\n\n2c315aa proto: bump version to 0.11.148ad47f4 Use newer rustls-pki-types PEM parser APIc81c028 ci: fix workflow syntax0050172 ci: pin wasm-bindgen-cli version8a6f82c Take semver-compatible dependency updatese52db4a Apply suggestions from clippy 1.916df7275 chore: Fix unnecessary_unwrap clippyc8eefa0 proto: avoid unwrapping varint decoding during parameters parsing9723a97 fuzz: add fuzzing target for parsing transport parameterseaf0ef3 Fix over-permissive proto dependency edge (#2385)- Additional commits viewable in compare view
\n
\n \n
\n\nUpdates `rustls-webpki` from 0.103.8 to 0.103.11\n\nRelease notes
\nSourced from rustls-webpki's releases.
\n\n0.103.11
\nIn response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.
\nWhat's Changed
\n\n0.103.10
\nCorrect selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.
\nThe impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.
\nThis vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)
\nMore likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.
\nThis vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @1seal for the report.
\nWhat's Changed
\n\nFull Changelog: https://github.com/rustls/webpki/compare/v/0.103.9...v/0.103.10
\n0.103.9
\nWhat's Changed
\n\n
\n \n\nCommits
\n\n57bc62c Bump version to 0.103.11d0fa01e Allow parsing trust anchors with unknown criticial extensions348ce01 Prepare 0.103.10dbde592 crl: fix authoritative_for() support for multiple URIs9c4838e avoid std::prelude imports009ef66 fix rust 1.94 ambiguous panic macro warningsc41360d build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3e401d00 generate.py: reformat for black 2026.1.006cedec Take semver-compatible deps6bc9931 Bump version to 0.103.9- Additional commits viewable in compare view
\n
\n \n
\n\nUpdates `bytes` from 1.11.0 to 1.11.1\n\nRelease notes
\nSourced from bytes's releases.
\n\nBytes v1.11.1
\n1.11.1 (February 3rd, 2026)
\n\n- Fix integer overflow in
BytesMut::reserve \n
\n
\n \n\nChangelog
\nSourced from bytes's changelog.
\n\n1.11.1 (February 3rd, 2026)
\n\n- Fix integer overflow in
BytesMut::reserve \n
\n
\n \n\nCommits
\n\n \n
\n\nUpdates `quinn-proto` from 0.11.13 to 0.11.14\n\nRelease notes
\nSourced from quinn-proto's releases.
\n\nquinn-proto 0.11.14
\n@jxs reported a denial of service issue in quinn-proto 5 days ago:
\n\nWe coordinated with them to release this version to patch the issue. Unfortunately the maintainers missed these issues during code review and we did not have enough fuzzing coverage -- we regret the oversight and have added an additional fuzzing target.
\nOrganizations that want to participate in coordinated disclosure can contact us privately to discuss terms.
\nWhat's Changed
\n\n
\n \n\nCommits
\n\n2c315aa proto: bump version to 0.11.148ad47f4 Use newer rustls-pki-types PEM parser APIc81c028 ci: fix workflow syntax0050172 ci: pin wasm-bindgen-cli version8a6f82c Take semver-compatible dependency updatese52db4a Apply suggestions from clippy 1.916df7275 chore: Fix unnecessary_unwrap clippyc8eefa0 proto: avoid unwrapping varint decoding during parameters parsing9723a97 fuzz: add fuzzing target for parsing transport parameterseaf0ef3 Fix over-permissive proto dependency edge (#2385)- Additional commits viewable in compare view
\n
\n \n
\n\nUpdates `rustls-webpki` from 0.103.8 to 0.103.11\n\nRelease notes
\nSourced from rustls-webpki's releases.
\n\n0.103.11
\nIn response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.
\nWhat's Changed
\n\n0.103.10
\nCorrect selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.
\nThe impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.
\nThis vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)
\nMore likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.
\nThis vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @1...\n\n_Description has been truncated_",
"repository": "elizaos/eliza",
"createdAt": "2026-04-13T07:34:28Z",
"mergedAt": "2026-04-13T08:16:21Z",
"additions": 4008,
"deletions": 450
},
{
"id": "PR_kwDOMT5cIs7R12_x",
"title": "feat(core): shared batch-queue drains and bounded knowledge embeddings",
"author": "odilitime",
"number": 6722,
"body": "Introduce utils/batch-queue (PriorityQueue, BatchProcessor, TaskDrain, BatchQueue, Semaphore) so embedding drains, action-filter index build, prompt-batcher affinity tasks, and knowledge embedding paths share one concurrency/retry/task story.\r\n\r\n- EmbeddingGenerationService uses BatchQueue; optional TEXT_EMBEDDING boots as no-op.\r\n- ActionFilterService buildIndex uses BatchProcessor for action embeddings.\r\n- PromptBatcher uses TaskDrain per affinity (skipRegisterWorker for BATCHER_DRAIN).\r\n- Knowledge: document-processor fallback and generateTextEmbeddingsBatch use BatchProcessor.\r\n- Remove duplicate Semaphore from runtime; re-export canonical Semaphore from package entries.\r\n- Polish: invalid priority warn + normal tier, TaskDrain interval reconcile on existing task, dispose high-priority flush via BatchProcessor, onDrainBatchOutcomes, maxAttemptsCap, clear after dispose.\r\n\r\nDocs: BATCH_QUEUE.md, DESIGN, ROADMAP, CHANGELOG, README, public runtime/batch-queue.mdx; tests for batch-queue and TaskDrain.\r\n\r\nMade-with: Cursor\n\n\n---\n\n> [!NOTE]\n> **Medium Risk**\n> Touches core background-processing paths (embedding drain scheduling, prompt-batcher affinity tasks, and knowledge/action embedding concurrency), so regressions could affect throughput and task execution behavior, though changes are additive and covered by new unit tests and docs.\n> \n> **Overview**\n> Introduces a new shared `utils/batch-queue` stack in `@elizaos/core` (**`PriorityQueue`**, **`BatchProcessor`**, **`TaskDrain`**, **`BatchQueue`**, and a single **`Semaphore`**) to standardize priority ordering, bounded parallelism, retries/backoff, and repeat-task drain lifecycle.\n> \n> Refactors key runtime paths to use this shared pipeline: `EmbeddingGenerationService` now drains via `BatchQueue` (and becomes a **no-op** when no `TEXT_EMBEDDING` model is registered), action-filter index embedding uses `BatchProcessor` with retries and non-fatal handling of invalid vectors, prompt-batcher per-affinity scheduling uses `TaskDrain` with `skipRegisterWorker`, and knowledge embedding fallbacks replace unbounded `Promise.all` with bounded concurrency.\n> \n> Updates exports to remove duplicate `Semaphore` implementations (now re-exported from `utils/batch-queue` across `index.node`/`index.browser`/`index.edge`), adds unit tests for the new queue/drain primitives, and expands public and contributor docs (new batch-queue docs page, `BATCH_QUEUE.md`, roadmap/design/changelog/README updates) and navigation to surface the subsystem.\n> \n> Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 62169a6da95fd375bf35472601cc0f1aacb2b78b. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).\n\n\n\n\n## Summary by CodeRabbit\n\n## Release Notes\n\n* **New Features**\n * Introduced a standardized batch queue subsystem for managing concurrent task processing, queue prioritization, and automatic retries with backoff.\n * Added prompt cache support via `promptSegments` parameter for text generation, enabling providers to optimize cache efficiency.\n * Enhanced embedding generation with bounded concurrency control and improved retry behavior.\n\n* **Improvements**\n * Embedding service now gracefully handles missing models with a warning instead of throwing an error.\n * Refined error handling and recovery for batch processing workflows across embedding, knowledge, and action filtering.\n\n* **Documentation**\n * New comprehensive guides on batch queue subsystem design and usage patterns.\n * Updated README and added ROADMAP documenting planned features and design rationale.\n\n\n\n\n\nGreptile Summary
\n\nThis PR introduces a shared `utils/batch-queue` stack (`PriorityQueue`, `BatchProcessor`, `TaskDrain`, `BatchQueue`, `Semaphore`) to consolidate previously ad-hoc concurrency/retry/task patterns across `EmbeddingGenerationService`, `ActionFilterService`, `PromptBatcher`, and knowledge-processing paths. The architecture is well-reasoned and the `skipRegisterWorker` / `BATCHER_DRAIN` delegation pattern is correctly grounded in `task.ts`.\n\n- **P1 in `batch-processor.ts`:** `onExhausted` is `await`-ed inside the `catch` block without a try-catch guard. If `onExhausted` throws (e.g., `runtime.log()` or `runtime.emitEvent()` on a DB outage in `EmbeddingGenerationService`), the error escapes `processOne`, causes `Promise.all` in `processBatch` to reject, and propagates through `BatchQueue.drain()` — disrupting the drain task lifecycle and skipping `onDrainBatchOutcomes`/`onDrainComplete` callbacks.\n- Two P2 style/consistency issues in `llm.ts` and `document-processor.ts` around error-swallowing inside `process` callbacks are noted inline.\n\nConfidence Score: 4/5
\n\nSafe to merge after fixing the onExhausted error propagation in batch-processor; P2 findings are non-blocking style improvements.\n\nOne P1 issue: if onExhausted throws (possible in EmbeddingGenerationService on DB failure), the entire drain cycle errors and outcome callbacks are skipped. The fix is a one-line try-catch wrap. The rest of the architecture — PriorityQueue, TaskDrain, BatchQueue, BATCHER_DRAIN delegation — is correct.\n\npackages/typescript/src/utils/batch-queue/batch-processor.ts (P1: onExhausted propagation). packages/typescript/src/features/knowledge/llm.ts and document-processor.ts (P2 style notes).\n\nImportant Files Changed
\n\n\n\n\n| Filename | Overview |\n|----------|----------|\n| packages/typescript/src/utils/batch-queue/batch-processor.ts | New: stateless batch executor with semaphore, retries, backoff. P1 issue: onExhausted errors propagate through Promise.all, disrupting BatchQueue.drain() lifecycle and skipping outcome callbacks. |\n| packages/typescript/src/utils/batch-queue/index.ts | New: composed BatchQueue (PriorityQueue + BatchProcessor + TaskDrain) with dispose, drain, and interval-update. Logic is sound; drain re-entry guard and disposed flag are correct. |\n| packages/typescript/src/utils/batch-queue/task-drain.ts | New: repeat-task lifecycle manager (find-or-create, interval reconcile, dispose). skipRegisterWorker pattern for BATCHER_DRAIN is correct; maxFailures: -1 JSON-safe sentinel is well-reasoned. |\n| packages/typescript/src/utils/batch-queue/priority-queue.ts | New: three-tier priority queue (high/normal/low) with O(1) enqueue, maxSize/onPressure overflow hooks, and drain filter. Logic is correct. |\n| packages/typescript/src/utils/batch-queue/semaphore.ts | Canonical Semaphore extracted from runtime; logic is correct and re-exported consistently across all entry points. |\n| packages/typescript/src/services/embedding.ts | Refactored to use BatchQueue; onExhausted makes async runtime.log/emitEvent calls that can throw — which would propagate through drain() due to the P1 issue in batch-processor. |\n| packages/typescript/src/features/knowledge/llm.ts | generateTextEmbeddingsBatch now uses BatchProcessor for concurrency limiting but swallows errors inside process(), bypassing retry/onExhausted (P2). generateBatchEmbeddingsViaRuntime fallback adds retries — correct. |\n| packages/typescript/src/features/knowledge/document-processor.ts | generateBatchEmbeddingsViaRuntime fallback migrated to BatchProcessor with retries; sparse-array pattern leaves undefined holes when text is undefined (P2), but caller handles gracefully. |\n| packages/typescript/src/services/action-filter.ts | buildIndex now uses BatchProcessor for action embeddings; onExhausted is synchronous (no async calls), so no propagation risk. Logic is clean. |\n| packages/typescript/src/utils/prompt-batcher/batcher.ts | affinityTaskIds replaced with TaskDrain instances; skipRegisterWorker pattern for BATCHER_DRAIN confirmed correct (worker registered in task.ts:74). Dispose path properly awaits drain.dispose() per-affinity. |\n| packages/typescript/src/utils/prompt-batcher/shared.ts | Re-exports canonical Semaphore from batch-queue/semaphore so existing dispatcher imports continue to work without code changes. |\n\n
\n\n\n\nSequence Diagram
\n\n```mermaid\nsequenceDiagram\n participant TW as TaskWorker (repeat task)\n participant BQ as BatchQueue\n participant PQ as PriorityQueue\n participant BP as BatchProcessor\n participant S as Semaphore\n participant P as process(item)\n participant OE as onExhausted(item,err)\n\n TW->>BQ: drain()\n BQ->>BQ: isDraining = true\n BQ->>PQ: dequeueBatch(batchSize)\n PQ-->>BQ: items[]\n BQ->>BP: processBatch(items[])\n BP->>BP: Promise.all(items.map(processOne))\n loop per item\n BP->>S: acquire()\n BP->>P: await process(item)\n alt success\n P-->>BP: returns\n BP->>S: release()\n BP-->>BP: outcome success:true\n else all retries exhausted\n P-->>BP: throws\n BP->>OE: await onExhausted(item, err)\n Note over BP,OE: If OE throws, Promise.all rejects\n OE-->>BP: returns or throws\n BP->>S: release() via finally\n BP-->>BP: outcome success:false\n end\n end\n BP-->>BQ: BatchItemOutcome[]\n BQ->>BQ: onDrainBatchOutcomes(outcomes)\n BQ->>BQ: isDraining = false\n```\n\n\nComments Outside Diff (1)
\n\n1. `packages/typescript/src/features/knowledge/document-processor.ts`, line 549-580 ([link](https://github.com/elizaos/eliza/blob/a5f6ac9d40ca8cb8c68b0a9dcd40320591228cd0/packages/typescript/src/features/knowledge/document-processor.ts#L549-L580)) \n\n ![\"P2\"](\"https://greptile-static-assets.s3.amazonaws.com/badges/p2.svg?v=7\")
**Sparse array leaves `undefined` holes when `text` is `undefined`**\n\n `new Array(texts.length)` creates a sparse array. The `if (text === undefined) { return; }` guard makes `process` return successfully without writing `slots[idx]`, and `onExhausted` is never triggered (since no error was thrown). The slot stays `undefined`, which differs from the `onExhausted` path that writes `[]`. The caller in `generateEmbeddingsBatch` handles `undefined` correctly (`embedding && embedding.length > 0`), so this is not a runtime crash, but the inconsistency between the two failure paths could confuse future changes.\n\n Consider replacing the early-return guard with an explicit `throw` so `onExhausted` consistently handles all failure cases:\n ```ts\n process: async (idx) => {\n const text = texts[idx];\n if (text === undefined) {\n throw new Error(`No text for index ${idx}`);\n }\n // ...\n },\n ```\n\n\nDependabot commands and options
\n
\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/elizaOS/eliza/network/alerts).\n\n \n\n\n\nGreptile Summary
\n\nDependabot bump of 20 Python packages across the OSWorld and solana-gym-env benchmarks. Most updates are routine minor/patch bumps to stable releases (Flask, requests, cryptography, torch, aiohttp, etc.); the two items worth a second look are `transformers~=5.0.0rc3` (a pre-release candidate pinned as a direct dependency with a major version jump from 4.x) and the `protobuf` minimum-version jump from 6.x to 7.x in the solana package.\n\nConfidence Score: 5/5
\n\nSafe to merge; all findings are P2 style/best-practice notes in benchmark packages that don't affect production code.\n\nAll changed files are benchmark packages isolated from the main runtime. The transformers RC pin and protobuf major-version bump are worth noting but neither blocks the benchmark from running today, and both are non-production paths. No P0/P1 issues were found.\n\npackages/benchmarks/OSWorld/pyproject.toml (transformers RC pin) and packages/benchmarks/solana/solana-gym-env/pyproject.toml (protobuf major bump) deserve a manual sanity-check before relying on benchmark results.\n\nImportant Files Changed
\n\n| Filename | Overview |\n|----------|----------|\n| packages/benchmarks/OSWorld/pyproject.toml | Major dependency bumps: transformers 4.35.2→5.0.0rc3 (pre-release, major version change), torch 2.5.0→2.8.0, requests 2.31.0→2.33.0, flask 3.0.0→3.1.3; the RC pin for transformers warrants attention. |\n| packages/benchmarks/OSWorld/requirements.txt | Mirrors pyproject.toml bumps: transformers 4.35.2→5.0.0rc3, torch 2.5.0→2.8.0, flask 3.0.0→3.1.3; same RC version concern applies here. |\n| packages/benchmarks/OSWorld/monitor/requirements.txt | Flask updated from 3.0.0 to 3.1.3 (minor/patch bump, low risk). |\n| packages/benchmarks/OSWorld/uv.lock | Lock file regenerated to match new dependency resolutions; many transitive packages updated (aiohttp 3.12.15→3.13.4, etc.). |\n| packages/benchmarks/solana/solana-gym-env/pyproject.toml | cryptography bumped 46.0.4→46.0.7 (patch, fine); protobuf bumped 6.33.5→7.34.1 (major version, potential breaking change). |\n| packages/benchmarks/solana/solana-gym-env/uv.lock | Lock file regenerated for solana-gym-env transitive dependencies; routine update. |\n\n\n\nFlowchart
\n\n```mermaid\n%%{init: {'theme': 'neutral'}}%%\nflowchart TD\n A[Dependabot PR] --> B[OSWorld benchmark]\n A --> C[solana-gym-env benchmark]\n\n B --> D[\"Flask 3.0.0 → 3.1.3 ✅\"]\n B --> E[\"requests 2.31.0 → 2.33.0 ✅\"]\n B --> F[\"torch 2.5.0 → 2.8.0 ✅\"]\n B --> G[\"transformers 4.35.2 → 5.0.0rc3 ⚠️ RC + major bump\"]\n\n C --> H[\"cryptography 46.0.4 → 46.0.7 ✅\"]\n C --> I[\"protobuf ≥6.33.5 → ≥7.34.1 ⚠️ major bump\"]\n C --> J[\"other transitive bumps ✅\"]\n\n G --> K[uv.lock updated]\n I --> K\n```\n\nReviews (1): Last reviewed commit: [\"chore(deps): bump the uv group across 2 ...\"](https://github.com/elizaos/eliza/commit/2dbc12bdcf35ef0ad3ff1af6149269855499810f) | [Re-trigger Greptile](https://app.greptile.com/api/retrigger?id=28179942)\n\n> Greptile also left **2 inline comments** on this PR.\n\n",
"repository": "elizaos/eliza",
"createdAt": "2026-04-13T08:25:09Z",
"mergedAt": null,
"additions": 1515,
"deletions": 1166
},
{
"id": "PR_kwDOMT5cIs7R5i0r",
"title": "chore(deps): bump the npm_and_yarn group across 11 directories with 5 updates",
"author": "dependabot",
"number": 6723,
"body": "Bumps the npm_and_yarn group with 1 update in the /packages/agent directory: [drizzle-orm](https://github.com/drizzle-team/drizzle-orm).\nBumps the npm_and_yarn group with 1 update in the /packages/benchmarks/solana/solana-gym-env/docs/trajectory-viewer directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).\nBumps the npm_and_yarn group with 1 update in the /packages/examples/_app directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).\nBumps the npm_and_yarn group with 1 update in the /packages/examples/app/capacitor/frontend directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).\nBumps the npm_and_yarn group with 1 update in the /packages/examples/app/electron/backend directory: [electron](https://github.com/electron/electron).\nBumps the npm_and_yarn group with 1 update in the /packages/examples/app/electron/frontend directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).\nBumps the npm_and_yarn group with 1 update in the /packages/examples/app/tauri/frontend directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).\nBumps the npm_and_yarn group with 1 update in the /packages/examples/elizagotchi directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).\nBumps the npm_and_yarn group with 1 update in the /packages/examples/react directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).\nBumps the npm_and_yarn group with 1 update in the /packages/examples/react-wasm directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).\nBumps the npm_and_yarn group with 2 updates in the /packages/native-plugins/agent directory: [rollup](https://github.com/rollup/rollup) and [minimatch](https://github.com/isaacs/minimatch).\n\nUpdates `drizzle-orm` from 0.45.1 to 0.45.2\n\nRelease notes
\nSourced from drizzle-orm's releases.
\n\n0.45.2
\n\n- Fixed
sql.identifier(), sql.as() escaping issues. Previously all the values passed to this functions were not properly escaped\ncausing a possible SQL Injection (CWE-89) vulnerability \n
\nThanks to @EthanKim88, @0x90sh and @wgoodall01 for reaching out to us with a reproduction and suggested fix
\n
\n \n\nCommits
\n\n \n
\n\nUpdates `vite` from 5.4.21 to 8.0.8\n\nRelease notes
\nSourced from vite's releases.
\n\nv8.0.8
\nPlease refer to CHANGELOG.md for details.
\nv8.0.7
\nPlease refer to CHANGELOG.md for details.
\nv8.0.6
\nPlease refer to CHANGELOG.md for details.
\nv8.0.5
\nPlease refer to CHANGELOG.md for details.
\nv8.0.4
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.3
\nPlease refer to CHANGELOG.md for details.
\nv8.0.3
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.2
\nPlease refer to CHANGELOG.md for details.
\nv8.0.2
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.1
\nPlease refer to CHANGELOG.md for details.
\nv8.0.1
\nPlease refer to CHANGELOG.md for details.
\nplugin-legacy@8.0.1
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.0
\nPlease refer to CHANGELOG.md for details.
\nplugin-legacy@8.0.0
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0-beta.18
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0-beta.17
\nPlease refer to CHANGELOG.md for details.
\n\n
\n... (truncated)
\n \n\nChangelog
\nSourced from vite's changelog.
\n\n8.0.8 (2026-04-09)
\nFeatures
\n\nBug Fixes
\n\n- avoid
dns.getDefaultResultOrder temporary (#22202) (15f1c15) \n- ssr: class property keys hoisting matching imports (#22199) (e137601)
\n
\n8.0.7 (2026-04-07)
\nBug Fixes
\n\n- use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)
\n
\n8.0.6 (2026-04-07)
\nFeatures
\n\nBug Fixes
\n\n- css: avoid mutating sass error multiple times (#22115) (d5081c2)
\n- optimize-deps: hoist CJS interop assignment (#22156) (17a8f9e)
\n
\nPerformance Improvements
\n\n- early return in
getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256) \n
\nMiscellaneous Chores
\n\n8.0.5 (2026-04-06)
\nBug Fixes
\n\n- apply server.fs check to env transport (#22159) (f02d9fd)
\n- avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)
\n- check
server.fs after stripping query as well (#22160) (a9a3df2) \n- disallow referencing files outside the package from sourcemap (#22158) (f05f501)
\n
\n8.0.4 (2026-04-06)
\nFeatures
\n\n- allow esbuild 0.28 as peer deps (#22155) (b0da973)
\n- hmr: truncate list of files on hmr update (#21535) (d00e806)
\n- optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)
\n
\nBug Fixes
\n\n
\n... (truncated)
\n \n\nCommits
\n\n \n
\n\nUpdates `vite` from 5.4.21 to 8.0.8\n\nRelease notes
\nSourced from vite's releases.
\n\nv8.0.8
\nPlease refer to CHANGELOG.md for details.
\nv8.0.7
\nPlease refer to CHANGELOG.md for details.
\nv8.0.6
\nPlease refer to CHANGELOG.md for details.
\nv8.0.5
\nPlease refer to CHANGELOG.md for details.
\nv8.0.4
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.3
\nPlease refer to CHANGELOG.md for details.
\nv8.0.3
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.2
\nPlease refer to CHANGELOG.md for details.
\nv8.0.2
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.1
\nPlease refer to CHANGELOG.md for details.
\nv8.0.1
\nPlease refer to CHANGELOG.md for details.
\nplugin-legacy@8.0.1
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.0
\nPlease refer to CHANGELOG.md for details.
\nplugin-legacy@8.0.0
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0-beta.18
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0-beta.17
\nPlease refer to CHANGELOG.md for details.
\n\n
\n... (truncated)
\n \n\nChangelog
\nSourced from vite's changelog.
\n\n8.0.8 (2026-04-09)
\nFeatures
\n\nBug Fixes
\n\n- avoid
dns.getDefaultResultOrder temporary (#22202) (15f1c15) \n- ssr: class property keys hoisting matching imports (#22199) (e137601)
\n
\n8.0.7 (2026-04-07)
\nBug Fixes
\n\n- use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)
\n
\n8.0.6 (2026-04-07)
\nFeatures
\n\nBug Fixes
\n\n- css: avoid mutating sass error multiple times (#22115) (d5081c2)
\n- optimize-deps: hoist CJS interop assignment (#22156) (17a8f9e)
\n
\nPerformance Improvements
\n\n- early return in
getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256) \n
\nMiscellaneous Chores
\n\n8.0.5 (2026-04-06)
\nBug Fixes
\n\n- apply server.fs check to env transport (#22159) (f02d9fd)
\n- avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)
\n- check
server.fs after stripping query as well (#22160) (a9a3df2) \n- disallow referencing files outside the package from sourcemap (#22158) (f05f501)
\n
\n8.0.4 (2026-04-06)
\nFeatures
\n\n- allow esbuild 0.28 as peer deps (#22155) (b0da973)
\n- hmr: truncate list of files on hmr update (#21535) (d00e806)
\n- optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)
\n
\nBug Fixes
\n\n
\n... (truncated)
\n \n\nCommits
\n\n \n
\n\nUpdates `vite` from 5.4.21 to 8.0.8\n\nRelease notes
\nSourced from vite's releases.
\n\nv8.0.8
\nPlease refer to CHANGELOG.md for details.
\nv8.0.7
\nPlease refer to CHANGELOG.md for details.
\nv8.0.6
\nPlease refer to CHANGELOG.md for details.
\nv8.0.5
\nPlease refer to CHANGELOG.md for details.
\nv8.0.4
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.3
\nPlease refer to CHANGELOG.md for details.
\nv8.0.3
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.2
\nPlease refer to CHANGELOG.md for details.
\nv8.0.2
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.1
\nPlease refer to CHANGELOG.md for details.
\nv8.0.1
\nPlease refer to CHANGELOG.md for details.
\nplugin-legacy@8.0.1
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.0
\nPlease refer to CHANGELOG.md for details.
\nplugin-legacy@8.0.0
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0-beta.18
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0-beta.17
\nPlease refer to CHANGELOG.md for details.
\n\n
\n... (truncated)
\n \n\nChangelog
\nSourced from vite's changelog.
\n\n8.0.8 (2026-04-09)
\nFeatures
\n\nBug Fixes
\n\n- avoid
dns.getDefaultResultOrder temporary (#22202) (15f1c15) \n- ssr: class property keys hoisting matching imports (#22199) (e137601)
\n
\n8.0.7 (2026-04-07)
\nBug Fixes
\n\n- use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)
\n
\n8.0.6 (2026-04-07)
\nFeatures
\n\nBug Fixes
\n\n- css: avoid mutating sass error multiple times (#22115) (d5081c2)
\n- optimize-deps: hoist CJS interop assignment (#22156) (17a8f9e)
\n
\nPerformance Improvements
\n\n- early return in
getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256) \n
\nMiscellaneous Chores
\n\n8.0.5 (2026-04-06)
\nBug Fixes
\n\n- apply server.fs check to env transport (#22159) (f02d9fd)
\n- avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)
\n- check
server.fs after stripping query as well (#22160) (a9a3df2) \n- disallow referencing files outside the package from sourcemap (#22158) (f05f501)
\n
\n8.0.4 (2026-04-06)
\nFeatures
\n\n- allow esbuild 0.28 as peer deps (#22155) (b0da973)
\n- hmr: truncate list of files on hmr update (#21535) (d00e806)
\n- optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)
\n
\nBug Fixes
\n\n
\n... (truncated)
\n \n\nCommits
\n\n \n
\n\nUpdates `electron` from 33.4.11 to 41.2.0\n\nRelease notes
\nSourced from electron's releases.
\n\nelectron v41.2.0
\nRelease Notes for v41.2.0
\nFeatures
\n\n- Added
allowExtensions privilege to protocol.registerSchemesAsPrivileged() to enable Chrome extensions on custom protocols. #50529 (Also in 40, 42) \n
\nFixes
\n\n- BrowserWindow now enforces min/max size constraints on window creation, even if they conflict with the requested width and height. #50753 (Also in 42)
\n- Fixed a regression on Linux where transparent frameless windows would have visible borders. Also fixed a longstanding issue where transparent windows on Linux could show smeared and glitched content as windows moved around. #50605
\n- Fixed an intermittent
Invoke in DisallowJavascriptExecutionScope crash on application quit when a WebContents (or other JS-emitting native object) is garbage-collected during shutdown. #50694 (Also in 40, 42) \n- Fixed an issue on macOS where
show/hide events and WebContents visibility state could be reported incorrectly when multiple WebContentsViews were attached to a window. #50715 (Also in 40, 42) \n- Fixed an issue where concurrent
getFileHandle requests on the same path could stall indefinitely. #50670 (Also in 40, 42) \n- Fixed an issue where margins did not look as expected when printing in silent mode. #50652 (Also in 42)
\n- Fixed an issue where the
webContents.print() callback may not fire correctly in some cases. #50604 (Also in 42) \n- Fixed the appearance of maximized windows on GNOME in Wayland, especially when non-default GTK themes like Breeze are set. #50645 (Also in 42)
\n- Removed "representedObject is not a WeakPtrToElectronMenuModelAsNSObject" logging when interacting with macOS menus. #50613 (Also in 42)
\n
\nOther Changes
\n\n- Updated Chromium to 146.0.7680.179. #50616
\n
\nelectron v41.1.1
\nRelease Notes for v41.1.1
\nFixes
\n\n- Fixed a crash when calling
contentTracing.getTraceBufferUsage() while a trace session is active. #50594 (Also in 39, 40, 42) \n- Fixed printing on Linux failing with "Invalid printer settings". #50486 (Also in 42)
\n
\nOther Changes
\n\n- Enabled profile-guided optimization for V8 builtins in release builds, improving JavaScript builtin performance (Array, String, RegExp, etc.). #50574 (Also in 40, 42)
\n
\nelectron v41.1.0
\nRelease Notes for v41.1.0
\nFeatures
\n\n- Added nativeTheme.shouldDifferentiateWithoutColor on macOS. #50408 (Also in 42)
\n- Notes: Added support for the
urgency option in Notifications on Windows. #50382 (Also in 42) \n
\nFixes
\n\n- Fixed a bug where Windows notification icons could fail to save because their temporary filenames contained invalid characters. #50483 (Also in 40)
\n- Fixed a crash in
clipboard.readImage() when the clipboard contains malformed image data. #50492 (Also in 39, 40, 42) \n- Fixed a crash when calling an offscreen shared texture's
release() after the texture object was garbage collected. #50501 (Also in 39, 40, 42) \n- Fixed an accessibility issue where the AXMenuOpened event was not fired on menu creation. #50506 (Also in 40, 42)
\n- Fixed an issue where an app shortcut may lose its icon after auto-updating on Windows. #50519 (Also in 40)
\n
\nOther Changes
\n\n- Updated Chromium to 146.0.7680.166. #50458
\n
\n\n
\n... (truncated)
\n \n\nCommits
\n\n7394591 ci: use hermetic mac SDK for the release ffmpeg build (#50755)d37b4f5 fix: enforce size constraints on window creation on Windows and Linux (#50753)6f1d53a ci: make src-cache upload atomic (#50750)fb150b2 docs: link menu type references (#50752)c219f2c build: derive patches upstream-head ref from script path (41-x-y) (#50741)3fa5280 fix: re-enable MacWebContentsOcclusion with embedder window fix (#50715)45ad6b3 chore: bump chromium to 146.0.7680.179 (41-x-y) (#50616)26e20c7 ci: use github mirror to get lint dependency versions (#50736)ca15223 chore: harden GitHub Actions against script injection patterns (#50708)3d743a6 build: replace npx with lockfile-pinned binaries (#50718)- Additional commits viewable in compare view
\n
\n \n
\n\nUpdates `vite` from 5.4.21 to 8.0.8\n\nRelease notes
\nSourced from vite's releases.
\n\nv8.0.8
\nPlease refer to CHANGELOG.md for details.
\nv8.0.7
\nPlease refer to CHANGELOG.md for details.
\nv8.0.6
\nPlease refer to CHANGELOG.md for details.
\nv8.0.5
\nPlease refer to CHANGELOG.md for details.
\nv8.0.4
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.3
\nPlease refer to CHANGELOG.md for details.
\nv8.0.3
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.2
\nPlease refer to CHANGELOG.md for details.
\nv8.0.2
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.1
\nPlease refer to CHANGELOG.md for details.
\nv8.0.1
\nPlease refer to CHANGELOG.md for details.
\nplugin-legacy@8.0.1
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.0
\nPlease refer to CHANGELOG.md for details.
\nplugin-legacy@8.0.0
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0-beta.18
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0-beta.17
\nPlease refer to CHANGELOG.md for details.
\n\n
\n... (truncated)
\n \n\nChangelog
\nSourced from vite's changelog.
\n\n8.0.8 (2026-04-09)
\nFeatures
\n\nBug Fixes
\n\n- avoid
dns.getDefaultResultOrder temporary (#22202) (15f1c15) \n- ssr: class property keys hoisting matching imports (#22199) (e137601)
\n
\n8.0.7 (2026-04-07)
\nBug Fixes
\n\n- use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)
\n
\n8.0.6 (2026-04-07)
\nFeatures
\n\nBug Fixes
\n\n- css: avoid mutating sass error multiple times (#22115) (d5081c2)
\n- optimize-deps: hoist CJS interop assignment (#22156) (17a8f9e)
\n
\nPerformance Improvements
\n\n- early return in
getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256) \n
\nMiscellaneous Chores
\n\n8.0.5 (2026-04-06)
\nBug Fixes
\n\n- apply server.fs check to env transport (#22159) (f02d9fd)
\n- avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)
\n- check
server.fs after stripping query as well (#22160) (a9a3df2) \n- disallow referencing files outside the package from sourcemap (#22158) (f05f501)
\n
\n8.0.4 (2026-04-06)
\nFeatures
\n\n- allow esbuild 0.28 as peer deps (#22155) (b0da973)
\n- hmr: truncate list of files on hmr update (#21535) (d00e806)
\n- optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)
\n
\nBug Fixes
\n\n
\n... (truncated)
\n \n\nCommits
\n\n \n
\n\nUpdates `vite` from 5.4.21 to 8.0.8\n\nRelease notes
\nSourced from vite's releases.
\n\nv8.0.8
\nPlease refer to CHANGELOG.md for details.
\nv8.0.7
\nPlease refer to CHANGELOG.md for details.
\nv8.0.6
\nPlease refer to CHANGELOG.md for details.
\nv8.0.5
\nPlease refer to CHANGELOG.md for details.
\nv8.0.4
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.3
\nPlease refer to CHANGELOG.md for details.
\nv8.0.3
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.2
\nPlease refer to CHANGELOG.md for details.
\nv8.0.2
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.1
\nPlease refer to CHANGELOG.md for details.
\nv8.0.1
\nPlease refer to CHANGELOG.md for details.
\nplugin-legacy@8.0.1
\nPlease refer to CHANGELOG.md for details.
\ncreate-vite@8.0.0
\nPlease refer to CHANGELOG.md for details.
\nplugin-legacy@8.0.0
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0-beta.18
\nPlease refer to CHANGELOG.md for details.
\nv8.0.0-beta.17
\nPlease refer to CHANGELOG.md for details.
\n\n
\n... (truncated)
\n \n\nChangelog
\nSourced from vite's changelog.
\n\n8.0.8 (2026-04-09)
\nFeatures
\n\nBug Fixes
\n\n- avoid
dns.getDefaultResultOrder temporary (#22202) (15f1c15) \n- ssr: class property keys hoisting matching imports (#22199) (e137601)
\n
\n8.0.7 (2026-04-07)
\nBug Fixes
\n\n- use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)
\n
\n8.0.6 (2026-04-07)
\nFeatures
\n\nBug Fixes
\n\n- css: avoid mutating sass error multiple times (#22115) (d5081c2)
\n- optimize-deps: hoist CJS interop assignment (#22156) (17a8f9e)
\n
\nPerformance Improvements
\n\n- early return in
getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256) \n
\nMiscellaneous Chores
\n\n8.0.5 (2026-04-06)
\nBug Fixes
\n
\n\nFlowchart
\n\n```mermaid\n%%{init: {'theme': 'neutral'}}%%\nflowchart TD\n A[dependabot bump PR] --> B[packages/agent]\n A --> C[packages/examples/*]\n A --> D[packages/benchmarks/...]\n A --> E[packages/native-plugins/agent]\n\n B --> B1[\"drizzle-orm 0.45.1 → 0.45.2\\n✅ SQL injection security fix\\nCWE-89 patch\"]\n\n C --> C1[\"vite ^5.x → ^8.0.8\\n⚠️ 3 major versions\\n(8 packages)\"]\n C --> C2[\"electron ^33.2.0 → ^41.2.0\\n⚠️ 8 major versions\\n(backend only)\"]\n\n D --> D1[\"vite ^5.0.0 → ^8.0.8\\n⚠️ 3 major versions\"]\n\n E --> E1[\"rollup ^4.0.0 → ^4.59.0\\n✅ Same major, safe\"]\n E --> E2[\"minimatch 9.0.5 → 9.0.9\\n✅ Patch bump, safe\"]\n\n C1 --> F[\"Vite 8: Rolldown engine\\nbreaking plugin/config API changes\\nrequires migration audit\"]\n C2 --> G[\"Electron 34–41 breaking changes\\nipcMain, webContents, context isolation\\nrequires compat review\"]\n```\n\nReviews (1): Last reviewed commit: [\"chore(deps): bump the npm\\_and\\_yarn group...\"](https://github.com/elizaos/eliza/commit/e62229730824eaff246e54db6a01a4b9b0f206b9) | [Re-trigger Greptile](https://app.greptile.com/api/retrigger?id=28175061)\n\n> Greptile also left **2 inline comments** on this PR.\n\n",
"repository": "elizaos/eliza",
"createdAt": "2026-04-13T07:26:45Z",
"mergedAt": "2026-04-13T08:16:11Z",
"additions": 119,
"deletions": 119
},
{
"id": "PR_kwDOMT5cIs7SDVbE",
"title": "feat(skills): add MiniMax-AI/cli as bundled skill",
"author": "octo-patch",
"number": 6727,
"body": "# Relates to\n\nAdding MiniMax AI CLI as a bundled skill so elizaOS agents can discover and use it out of the box.\n\n# Risks\n\nLow — new file only, no changes to existing code.\n\n# Background\n\n## What does this PR do?\n\nAdds `mmx-cli` ([MiniMax-AI/cli](https://github.com/MiniMax-AI/cli)) to `packages/skills/skills/` as a bundled skill, following the same pattern as existing CLI tool skills (`blucli`, `wacli`).\n\n- **1 new file**: `packages/skills/skills/mmx-cli/SKILL.md`\n- The skill is auto-discovered by the skills loader (no code changes needed)\n\n## What kind of change is this?\n\nFeatures (non-breaking change which adds functionality)\n\n## What is mmx-cli?\n\n[mmx-cli](https://github.com/MiniMax-AI/cli) is a CLI tool for the MiniMax AI platform, providing:\n- **Text generation** (MiniMax-M2.7)\n- **Image generation** (image-01)\n- **Video generation** (MiniMax-Hailuo-2.3)\n- **Speech synthesis** (speech-2.8-hd, 300+ voices)\n- **Music generation** (music-2.6, with lyrics, cover, and instrumental)\n- **Web search**\n\nThe [SKILL.md](https://github.com/MiniMax-AI/cli/blob/main/skill/SKILL.md) follows the [agentskills.io](https://agentskills.io) standard and includes agent-specific flags (`--non-interactive`, `--quiet`, `--output json`).\n\n# Documentation changes needed?\n\nMy changes do not require a change to the project documentation.\n\n# Testing\n\n## Where should a reviewer start?\n\n`packages/skills/skills/mmx-cli/SKILL.md`\n\n## Detailed testing steps\n\nThe bundled skills loader auto-discovers SKILL.md files by scanning the `packages/skills/skills/` directory — no additional wiring is needed. After building the package, `loadSkills()` will include `mmx-cli` in the returned skill list.\n\n\n\nGreptile Summary
\n\nThis PR adds `packages/skills/skills/mmx-cli/SKILL.md` as a new bundled skill for the MiniMax AI CLI, following the same pattern as `blucli` and `wacli`. The frontmatter is valid and fully compatible with the skills loader — `name` matches the directory, `description` is present, and the `otto` metadata block is well-formed.\n\nConfidence Score: 5/5
\n\nSafe to merge — documentation-only change with no impact on existing code.\n\nAll findings are P2 style suggestions about documentation consistency in the SKILL.md. There are no logic errors, security issues, or breaking changes. The loader will discover and validate the skill correctly at runtime.\n\npackages/skills/skills/mmx-cli/SKILL.md — minor inconsistencies in agent flag examples and an undocumented `vision describe` subcommand.\n\nImportant Files Changed
\n\n| Filename | Overview |\n|----------|----------|\n| packages/skills/skills/mmx-cli/SKILL.md | New bundled skill for the MiniMax AI CLI; frontmatter is valid and loader-compatible, but agent flag examples are inconsistently applied and `mmx vision describe` is referenced without documentation. |\n\n\n\nFlowchart
\n\n```mermaid\n%%{init: {'theme': 'neutral'}}%%\nflowchart TD\n A[loadSkills] --> B[Scan bundled skills dir]\n B --> C[packages/skills/skills/]\n C --> D[mmx-cli/SKILL.md]\n D --> E{Validate frontmatter}\n E -->|name matches dir ✓| F{description present ✓}\n F --> G[Skill loaded: mmx-cli]\n G --> H[Agent invokes mmx binary]\n H --> I[Text / Image / Video / Speech / Music / Search]\n```\n\nReviews (1): Last reviewed commit: [\"feat(skills): add MiniMax-AI/cli as defa...\"](https://github.com/elizaos/eliza/commit/056b192c562fb2a4618291f2013cae88fc7a873b) | [Re-trigger Greptile](https://app.greptile.com/api/retrigger?id=28232787)\n\n> Greptile also left **2 inline comments** on this PR.\n\n",
"repository": "elizaos/eliza",
"createdAt": "2026-04-13T16:52:06Z",
"mergedAt": null,
"additions": 84,
"deletions": 0
}
],
"codeChanges": {
"additions": 5825,
"deletions": 1065,
"files": 60,
"commitCount": 29
},
"completedItems": [
{
"title": "chore(deps): bump the cargo group across 21 directories with 6 updates",
"prNumber": 6724,
"type": "other",
"body": "Bumps the cargo group with 3 updates in the /packages/examples/a2a/rust directory: [bytes](https://github.com/tokio-rs/bytes), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).\nBumps the",
"files": [
"packages/examples/a2a/rust/Cargo.lock",
"packages/examples/app/tauri/src-tauri/Cargo.lock",
"packages/examples/autonomous/rust/autonomous/Cargo.lock",
"packages/examples/aws/rust/Cargo.lock",
"packages/examples/bluesky/rust/bluesky-agent/Cargo.lock",
"packages/examples/chat/rust/chat/Cargo.lock",
"packages/examples/cloudflare/rust-worker/Cargo.lock",
"packages/examples/discord/rust/discord-agent/Cargo.lock",
"packages/examples/form/rust/chat/Cargo.lock",
"packages/examples/game-of-life/rust/game-of-life/Cargo.lock",
"packages/examples/gcp/rust/Cargo.lock",
"packages/examples/polymarket/rust/polymarket-demo/Cargo.lock",
"packages/examples/rest-api/actix/Cargo.lock",
"packages/examples/rest-api/axum/Cargo.lock",
"packages/examples/rest-api/rocket/Cargo.lock",
"packages/examples/roblox/rust/Cargo.lock",
"packages/examples/telegram/rust/telegram-agent/Cargo.lock",
"packages/examples/text-adventure/rust/game/Cargo.lock",
"packages/examples/tic-tac-toe/rust/Cargo.lock",
"packages/examples/twitter-xai/rust/xai-agent/Cargo.lock",
"packages/examples/virus/Cargo.lock"
]
},
{
"title": "chore(deps): bump the npm_and_yarn group across 11 directories with 5 updates",
"prNumber": 6723,
"type": "other",
"body": "Bumps the npm_and_yarn group with 1 update in the /packages/agent directory: [drizzle-orm](https://github.com/drizzle-team/drizzle-orm).\nBumps the npm_and_yarn group with 1 update in the /packages/benchmarks/solana/solana-gym-env/docs/traje",
"files": [
"packages/agent/package.json",
"packages/benchmarks/solana/solana-gym-env/docs/trajectory-viewer/package.json",
"packages/examples/_app/package.json",
"packages/examples/app/capacitor/frontend/package.json",
"packages/examples/app/electron/backend/package.json",
"packages/examples/app/electron/frontend/package.json",
"packages/examples/app/tauri/frontend/package.json",
"packages/examples/elizagotchi/package.json",
"packages/examples/react-wasm/package.json",
"packages/examples/react/package.json",
"packages/native-plugins/agent/package-lock.json",
"packages/native-plugins/agent/package.json"
]
},
{
"title": "feat(core): shared batch-queue drains and bounded knowledge embeddings",
"prNumber": 6722,
"type": "feature",
"body": "Introduce utils/batch-queue (PriorityQueue, BatchProcessor, TaskDrain, BatchQueue, Semaphore) so embedding drains, action-filter index build, prompt-batcher affinity tasks, and knowledge embedding paths share one concurrency/retry/task stor",
"files": [
"packages/docs/docs.json",
"packages/docs/guides/background-tasks.mdx",
"packages/docs/runtime/batch-queue.mdx",
"packages/docs/runtime/core.mdx",
"packages/typescript/CHANGELOG.md",
"packages/typescript/README.md",
"packages/typescript/ROADMAP.md",
"packages/typescript/docs/BATCH_QUEUE.md",
"packages/typescript/docs/DESIGN.md",
"packages/typescript/src/__tests__/batch-queue.test.ts",
"packages/typescript/src/__tests__/task-drain.test.ts",
"packages/typescript/src/features/knowledge/document-processor.ts",
"packages/typescript/src/features/knowledge/llm.ts",
"packages/typescript/src/index.browser.ts",
"packages/typescript/src/index.edge.ts",
"packages/typescript/src/index.node.ts",
"packages/typescript/src/runtime.ts",
"packages/typescript/src/services/action-filter.ts",
"packages/typescript/src/services/embedding.ts",
"packages/typescript/src/utils/batch-queue.ts",
"packages/typescript/src/utils/batch-queue/batch-processor.ts",
"packages/typescript/src/utils/batch-queue/index.ts",
"packages/typescript/src/utils/batch-queue/priority-queue.ts",
"packages/typescript/src/utils/batch-queue/semaphore.ts",
"packages/typescript/src/utils/batch-queue/task-drain.ts",
"packages/typescript/src/utils/prompt-batcher/batcher.ts",
"packages/typescript/src/utils/prompt-batcher/shared.ts"
]
}
],
"topContributors": [
{
"username": "odilitime",
"avatarUrl": "https://avatars.githubusercontent.com/u/16395496?u=c9bac48e632aae594a0d85aaf9e9c9c69b674d8b&v=4",
"totalScore": 109.0437738965761,
"prScore": 59.5437738965761,
"issueScore": 0,
"reviewScore": 49.5,
"commentScore": 0,
"summary": null
},
{
"username": "greptile-apps",
"avatarUrl": "https://avatars.githubusercontent.com/in/867647?v=4",
"totalScore": 22.5,
"prScore": 0,
"issueScore": 0,
"reviewScore": 22.5,
"commentScore": 0,
"summary": null
},
{
"username": "octo-patch",
"avatarUrl": "https://avatars.githubusercontent.com/u/266937838?u=a3f158f9820f3869e6107980de78a21419ab6ae8&v=4",
"totalScore": 16.221325628245157,
"prScore": 16.221325628245157,
"issueScore": 0,
"reviewScore": 0,
"commentScore": 0,
"summary": null
}
],
"newPRs": 6,
"mergedPRs": 3,
"newIssues": 0,
"closedIssues": 0,
"activeContributors": 5
}