Security

If you are still running boxlite < 0.9.0, upgrade. Two Critical vulnerabilities were fixed in 0.9.0:

• GHSA-g6ww-w5j2-r7x3 (CVE-2026-46695) — read-only volume remount bypass
• GHSA-f396-4rp4-7v2j (CVE-2026-46703) — OCI layer symlink escape

Surfacing this here is intended for users not covered by Dependabot — curl | sh installer, prebuilt C SDK / native library, vendored source, cargo audit (uses RustSec, not the GitHub Advisory Database). See SECURITY.md.

What's Changed

• ci(e2e): rescue logs, disk precheck, attempt-namespaced artifacts by @DorianZheng in #508
• feat(release): sh.boxlite.ai Cloudflare Worker for installer by @DorianZheng in #510
• docs(cli): add CLI reference + README CLI Quick Start by @DorianZheng in #511
• Fix mobile credential row overflow by @DorianZheng in #513
• chore(deps): bump astro from 6.1.6 to 6.1.10 in /apps in the npm_and_yarn group across 1 directory by @dependabot[bot] in #514
• fix(runner): pong-based liveness for WebSocket attach sessions by @DorianZheng in #516
• chore(deps): add lint:yarn-lock make target + pre-commit hook by @DorianZheng in #517
• fix(dashboard): constrain dialog grid/flex children so long values stay inside on mobile by @DorianZheng in #518
• feat(dashboard): mobile-first sandbox terminal and VNC by @DorianZheng in #521
• fix(runner): SSH gateway uses BoxLite exec (ssh -p 2222 back online) by @DorianZheng in #524
• fix(dashboard): RP-initiated logout fallback for non-compliant IdPs by @DorianZheng in #526
• fix(runtime): preserve box record on init failure as Failed state by @DorianZheng in #520
• feat(api): single bearer auth, /v1/me, RFC 8628 device flow endpoints by @DorianZheng in #527
• feat(api): drop OAuth device-flow endpoints + schemas from spec by @DorianZheng in #531
• fix: move test cache under workspace target by @uran0sH in #533
• feat(auth): bearer auth + RFC 8628 device flow (SDK + CLI + server stubs) by @DorianZheng in #532
• test: keep-going matrix via FAIL_FAST + FILTER for every suite by @DorianZheng in #534
• refactor(node): move rest bag adaptation into the napi binding by @DorianZheng in #536
• fix(runtime): prune embedded cache by each dir's own build profile by @DorianZheng in #537
• chore(sdk): bump SDK patch version 0.9.4 -> 0.9.5 by @DorianZheng in #538
• test(security): GHSA-g6ww-w5j2-r7x3 Python regression + advisory note by @DorianZheng in #539
• test(security): GHSA-f396-4rp4-7v2j Python regression + advisory note by @DorianZheng in #540

Full Changelog: v0.9.4...v0.9.5

What's Changed

• Separate shim package from runtime embedding by @DorianZheng in #494
• feat(c-ffi): post-and-drain async callback C API (phase 2) by @DorianZheng in #495
• rest: treat BoxID as opaque server-issued identifier by @DorianZheng in #498
• ci(e2e): make runner instance persistence non-fatal by @DorianZheng in #499
• ci(e2e): expand subnet pool to all AZs in the VPC by @DorianZheng in #500
• ci(e2e): move make setup from user-data to a job step by @DorianZheng in #501
• chore(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 in /apps/daemon in the go_modules group across 1 directory by @dependabot[bot] in #503
• chore(deps): bump @opentelemetry/sdk-node from 0.207.0 to 0.217.0 in /apps in the npm_and_yarn group across 1 directory by @dependabot[bot] in #504
• feat(exec): runner attach controller + env/workdir/timeout plumbing by @DorianZheng in #505
• feat(release): curl|sh installer + SHA256SUMS + build provenance by @DorianZheng in #506
• chore(release): bump SDK patch versions to 0.9.4 by @DorianZheng in #509

Full Changelog: v0.9.3...v0.9.4

What's Changed

• chore(deps): bump github.com/distribution/distribution/v3 from 3.1.0 to 3.1.1 in /apps/snapshot-manager in the go_modules group across 1 directory by @dependabot[bot] in #474
• fix: plumb sandbox disk size and correct CPU/memory unit conversions by @DorianZheng in #475
• ci(e2e): add VM integration tests on ephemeral AWS EC2 runner by @DorianZheng in #477
• ci(e2e): improve error reporting for PAT validation by @DorianZheng in #478
• ci(e2e): fix app verification, use c8i.xlarge for vCPU quota by @DorianZheng in #479
• ci(e2e): enable nested virtualization for KVM support by @DorianZheng in #480
• ci(e2e): fix user-data script (heredoc indentation + kvm group) by @DorianZheng in #481
• ci(e2e): fix runner version (deprecated) and update to Ubuntu 24.04 by @DorianZheng in #482
• ci(e2e): simplify to make setup + make test:integration by @DorianZheng in #483
• ci(e2e): install make on bare Ubuntu AMI by @DorianZheng in #484
• ci(e2e): fix HOME not set for root runner (cargo env) by @DorianZheng in #485
• ci(e2e): add Go to PATH for libgvproxy-sys build by @DorianZheng in #486
• ci(e2e): switch to persistent stop/start model by @DorianZheng in #487
• ci(e2e): fix heredoc indentation in user-data script by @DorianZheng in #489
• docs: install requests in Python CodeBox quickstart by @zxyasfas in #490
• ci(e2e): add multi-AZ fallback for EC2 instance creation by @DorianZheng in #491
• chore: bump SDK versions to 0.9.3 by @DorianZheng in #493

New Contributors

• @zxyasfas made their first contribution in #490

Full Changelog: v0.9.2...v0.9.3

What's Changed

• feat(guest): enable libseccomp in guest runtime by @DorianZheng in #472
• Bump SDK patch versions to 0.9.2 by @DorianZheng in #473

Full Changelog: v0.9.1...v0.9.2

What's Changed

• Revise project description for clarity and impact by @DorianZheng in #470
• Bump SDK patch versions to 0.9.1 by @DorianZheng in #471

Full Changelog: v0.9.0...v0.9.1

Security

This release fixes two Critical vulnerabilities affecting all SDKs at versions < 0.9.0. Upgrade to 0.9.0 or later — there is no workaround.

Dependabot covers consumers using pip boxlite, npm @boxlite-ai/boxlite, go github.com/boxlite-ai/boxlite/sdks/go, cargo boxlite, or cargo boxlite-cli. If you install via the curl | sh installer, the prebuilt C SDK / native library, vendored source, or rely on cargo audit (which reads RustSec, separate from the GitHub Advisory Database), you will not receive a Dependabot alert — please confirm you are on 0.9.0+. See SECURITY.md for the full table.

What's Changed

• Add allow_net and secrets support across SDKs by @DorianZheng in #426
• feat(vmm): add HypervisorProbe for post-failure VM diagnostics by @DorianZheng in #430
• fix(build): remove stale guest dir reference in clean script by @DorianZheng in #431
• Add built-in host alias for box-to-host access by @DorianZheng in #441
• Expose runtime image handles across SDKs safely by @DorianZheng in #433
• fix(lint): replace sort_by with sort_by_key for clippy compliance by @uran0sH in #442
• feat(images): harden OCI image pull security by @DorianZheng in #429
• feat(sdk/go): local OCI bundle via WithRootfsPath by @GatewayJ in #443
• [codex] Auto-use sudo in Linux setup scripts by @DorianZheng in #444
• docs: add SECURITY.md with private vulnerability reporting process by @DorianZheng in #445
• refactor(images): split OCI extractor and fix containment bugs by @DorianZheng in #446
• chore(deps): bump rand from 0.9.2 to 0.9.3 in the cargo group across 1 directory by @dependabot[bot] in #447
• chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /src/deps/libgvproxy-sys/gvproxy-bridge in the go_modules group across 1 directory by @dependabot[bot] in #448
• fix(security): enforce read-only virtiofs at hypervisor level by @DorianZheng in #454
• Drop JSON FFI boundary APIs by @DorianZheng in #456
• Add interactive execution support to C and Go SDKs by @DorianZheng in #458
• Add structured image registry configuration by @DorianZheng in #459
• refactor(images): adopt resolve-once pattern, port upstream security tests by @DorianZheng in #461
• refactor: replace Rust server with apps workspace by @DorianZheng in #460
• chore: align app workspace with BoxLite by @DorianZheng in #464
• chore(deps): bump the npm_and_yarn group across 1 directory with 5 updates by @dependabot[bot] in #462
• chore(deps): bump the go_modules group across 8 directories with 6 updates by @dependabot[bot] in #463
• chore(setup): install Node 22 LTS via unified setup_nodejs by @DorianZheng in #466
• refactor(runner): build runner binary in CI, deploy from GitHub Releases by @DorianZheng in #467
• chore(deps): bump the go_modules group across 3 directories with 2 updates by @dependabot[bot] in #465

New Contributors

• @GatewayJ made their first contribution in #443
• @dependabot[bot] made their first contribution in #447

Full Changelog: v0.8.2...v0.9.0

What's Changed

• feat(serve): complete REST API server and add --url flag by @DorianZheng in #384
• docs(readme): add REST API quick start section by @DorianZheng in #385
• refactor(go): replace go generate with setup tool and flatten CGO structure by @DorianZheng in #386
• fix(go): correct README example to match actual SDK API by @DorianZheng in #387
• fix(snapshot): harden snapshot subsystem with chain-walk safety and crash recovery by @DorianZheng in #390
• feat(server): add distributed server with coordinator and worker roles by @DorianZheng in #391
• fix(server): keep exec in HashMap during output streaming for TTY sessions by @DorianZheng in #392
• feat(server): align utoipa OpenAPI spec with rest-sandbox-open-api.yaml by @DorianZheng in #394
• feat(server): implement all OpenAPI endpoints end-to-end by @DorianZheng in #396
• feat: upgrade MiniMax default model to M2.7 by @octo-patch in #393
• feat(server): implement WebSocket TTY for interactive terminal sessions by @DorianZheng in #397
• feat(net): add SocketShortener for Unix socket sun_path limit by @DorianZheng in #398
• feat(guest): add auto-idmap for transparent volume UID remapping by @DorianZheng in #399
• feat(ci): add Linux ARM64 to CI platform matrix by @DorianZheng in #400
• fix(ci): use dynamic manylinux arch in warm-caches workflow by @DorianZheng in #402
• feat(audit): add audit logging for box operations by @DorianZheng in #403
• feat(net): add network allowlist with DNS sinkhole filtering by @DorianZheng in #410
• feat(net): add TCP-level allowlist filtering with SNI/Host inspection by @DorianZheng in #411
• feat(net): add secret substitution via TLS MITM proxy by @DorianZheng in #412
• feat(vmm): add KVM health check to detect broken nested virtualization by @DorianZheng in #417
• feat(jailer): add Landlock LSM sandbox with composable Sandbox API by @DorianZheng in #416
• chore: bump all SDK versions to 0.8.0 by @DorianZheng in #418
• refactor: reorganize workspace into src/ layout by @DorianZheng in #419
• feat(server): add coordinator admin REST API and gRPC registration by @DorianZheng in #420
• fix(vmm): fix KVM smoke test for nested virtualization by @DorianZheng in #421
• chore: bump all SDK versions to 0.8.1 by @DorianZheng in #422
• fix(build): fix workspace root detection in build.rs by @DorianZheng in #423

Full Changelog: v0.7.5...v0.8.2

What's Changed

• fix(publish): chain build-go after build-c for reliable go generate by @DorianZheng in #381
• fix(libgvproxy-sys): force static linking of libresolv on Linux by @DorianZheng in #382
• chore: bump SDK patch versions by @DorianZheng in #383

Full Changelog: v0.7.4...v0.7.5

What's Changed

• fix: prevent TLS panic in shutdown_on_exit atexit handler by @DorianZheng in #377
• feat(publish): publish boxlite-cli via cargo install and cargo binstall by @DorianZheng in #378
• chore: bump SDK patch versions by @DorianZheng in #379
• feat(publish): add build-c and build-go workflows for Go SDK publishing by @DorianZheng in #380

Full Changelog: v0.7.3...v0.7.4

What's Changed

• refactor: consistent -sys dependency naming and feature gates by @DorianZheng in #374
• fix(publish): fix crates.io publishing for static-linked -sys crates by @DorianZheng in #375
• docs: use cargo add instead of hardcoded git dependency by @DorianZheng in #376

Full Changelog: v0.7.0...v0.7.3