You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hey all. This release includes some small goodies and fixes. Let's take a look.
Exited is alised to Quit
When filtering for commands in the command dialog, "exit" will be properly return the "quit" command.
New flat_rate provider config
If you want to skip cost calculation for a given provider, you can now set it as a flat rate provider on your crush.json. This is useful when using subscription, where the cost is theorically zero as you're not really paying per token.
Another one from @huaiyuWangh. If the project initialization fails, Crush will now properly show in the staatus bar that it failed.
Fixed model stopping after Glob
In certain scenarios, the model could stop working when no files were returned in a glob tool call. We now fixed it, so the model will keep working.
Fixed context window issue with background jobs
When the model inspected the output of a background job, it would fill the context window if the output is too large. We're doing the same as regular Bash command: truncating large output to something reasonable.
Fixed behavior on invalid tool call
When the model called a tool with invalid parameters, it could hang the session. @mkaaad worked on a fix to ensure the error is reported to the model so it can continue to work.
There are a few more fixes, but those make a good highlight.
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<=v7.0.0
Fixed version
Not Fixed
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
0.346%
EPSS Percentile
57th percentile
Description
This affects all versions of package github.com/u-root/u-root/pkg/tarutil. It is vulnerable to both leading and non-leading relative path traversal attacks in tar file extraction.
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<=7.0.0
Fixed version
Not Fixed
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
0.149%
EPSS Percentile
35th percentile
Description
This affects all versions of package github.com/u-root/u-root/pkg/uzip. It is vulnerable to both leading and non-leading relative path traversal attacks in zip file extraction.
golang.org/x/image0.38.0 (golang)
pkg:golang/golang.org/x/image@0.38.0
Affected range
<0.39.0
Fixed version
0.39.0
EPSS Score
0.064%
EPSS Percentile
20th percentile
Description
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
Affected range
<0.39.0
Fixed version
0.39.0
EPSS Score
0.013%
EPSS Percentile
2nd percentile
Description
Parsing a malicious font file can cause excessive memory allocation.
Disintegration Imaging 1.6.2 allows attackers to cause a panic (because of an integer index out of range during a Grayscale call) via a crafted TIFF file to the scan function of scanner.go. NOTE: it is unclear whether there are common use cases in which this panic could have any security consequence
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
nicholasdille-bot
left a comment
This PR contains the following updates:
0.66.0→0.66.1Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
charmbracelet/crush (crush)
v0.66.1Compare Source
Small things + killin' bugs
Hey all. This release includes some small goodies and fixes. Let's take a look.
Exited is alised to Quit
When filtering for commands in the command dialog, "exit" will be properly return the "quit" command.
New
flat_rateprovider configIf you want to skip cost calculation for a given provider, you can now set it as a flat rate provider on your
crush.json. This is useful when using subscription, where the cost is theorically zero as you're not really paying per token.This is nicely done by @huaiyuWangh.
{ "providers": { "my-favorite-provider": { "flat_rate": true } } }Show error if project initialization fails
Another one from @huaiyuWangh. If the project initialization fails, Crush will now properly show in the staatus bar that it failed.
Fixed model stopping after Glob
In certain scenarios, the model could stop working when no files were returned in a
globtool call. We now fixed it, so the model will keep working.Fixed context window issue with background jobs
When the model inspected the output of a background job, it would fill the context window if the output is too large. We're doing the same as regular Bash command: truncating large output to something reasonable.
Fixed behavior on invalid tool call
When the model called a tool with invalid parameters, it could hang the session. @mkaaad worked on a fix to ensure the error is reported to the model so it can continue to work.
There are a few more fixes, but those make a good highlight.
Enjoy your weekend and keep Crushing!
Charm ™️
Changelog
Fixed
5816fad: fix(agent): support flat_rate cost handling (#2116) (@huaiyuWangh)8bc4a75: fix(config): atomically update multiple fields during oauth (@taciturnaxolotl)11eabdf: fix(errors): surface errors in subagents (@taciturnaxolotl)ae1c95a: fix(posthog): do not discard custom properties of an error (#2829) (@andreynering)abeaff0: fix(pubsub): respect channelBufferSize parameter in Subsribe (@yeonuk-hwang)89181a6: fix(tools): don't return a go error on glob tool failure (@taciturnaxolotl)5aad790: fix(tools): fix a potential nill crash in cached glob results (@taciturnaxolotl)44ece2c: fix(tools): truncate long running background commands to 30k chars (@taciturnaxolotl)a924ca1: fix(tui): show initialization mark errors in status footer (#2825) (@huaiyuWangh)95e93e9: fix(ui): add exit alias to the quit command (@taciturnaxolotl)b90bcc3: fix(ui): allow oauth modals to consume enter (@taciturnaxolotl)086cfda: fix: update fantasy with tool call fixes (#2839) (@andreynering)Docs
3b9b361: docs(readme): documentHYPER_API_KEY(@andreynering)d5b4765: docs(readme): fixed typo in hooks (#2801) (@ardevd)Verifying the artifacts
First, download the
checksums.txtfile and thechecksums.txt.sigstore.jsonfile files, for example, withwget:Then, verify it using
cosign:If the output is
Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release usingsha256sum:Done! You artifacts are now verified!
Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.
Configuration
📅 Schedule: (in timezone Europe/Berlin)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.