chore: release main

[github-actions]

🤖 I have created a release beep boop

0.2.38

0.2.38 (2026-04-17)

Features

• add scanner selection controls (83334ca), closes #7520

Bug Fixes

• address code quality findings (#1038) (7af03cf)
• avoid per-call rule mapper closures (fa0dc70)
• bound pytorch zip jit reads (#1048) (f920d76)
• define analysis lazy exports (8aeeadd)
• deps: update rust crate pyo3 to 0.28.0 (#1006) (fe93b47)
• detect hidden pytorch zip pickles (#1043) (19b6ebe)
• detect proto0 pickles in 7z probes (c1fb7d6)
• enforce ZIP aggregate size budget (#1022) (94d576f)
• fail closed on incomplete ONNX weight analysis (#1025) (03413c5)
• fail closed on incomplete XGBoost analysis (#1019) (b8f334e)
• fail closed on oversized Skops entries (#1018) (3d74ab0)
• fail closed on pytorch zip timeouts (bf72f62)
• fail closed on RAR archives (#1030) (14b6e8f)
• fail closed on template truncation (#1026) (3d7967d)
• fail closed on unclassified scan failures (#1014) (dfe0455)
• harden incomplete Keras scanner paths (#1020) (86e017a)
• harden NeMo Hydra deserialization targets (#1021) (0f899a6)
• harden pickle nested bypass detection (#1027) (c3a3b9d)
• harden PyTorch pickle import classification (#1015) (7b00e55)
• harden remote cache and scanner bounds (#1031) (74c2b6d)
• preserve active payload severities (#1046) (13752e9)
• preserve scannable skipped ZIP containers (#1028) (29747d5)
• redact telemetry issue fields (#1023) (cd80d22)
• restore nested pickle CI coverage (b7a4846)
• route disguised nested archives in sevenzip scans (#1017) (cb2572e)
• route ONNX pb files by content (#1029) (6e9aa45)
• route PyTorch ZIP archives without metadata (#1016) (1f56bb8)
• route UBJSON-format .bst files to UBJ scanner (#1037) (52f869a)
• rule-mapper: preserve unknown opcode fallback (5153d68)
• run full Docker image as non-root (#1024) (c1d2be6)
• scan generic archive python handlers (#1047) (5b90a84)

Performance Improvements

• optimize model scan hot paths (#1012) (6a0c53a)

Documentation

• align markdown with current repo state (#1035) (690bc52)
• align README support and dependency guidance (#1008) (5dcd62b)
• clarify security report closure policy (#1049) (d53e445)
• prune stale planning artifacts (#1010) (851cc10)

0.1.0

0.1.0 (2026-04-17)

Features

• extract standalone pickle scanner package with parity harness (#832) (e2986cd)

Bug Fixes

• address code quality findings (#1038) (7af03cf)
• bound standalone pickle stream reads (4d0cb84)
• deps: update rust crate pyo3 to 0.28.0 (#1006) (fe93b47)
• detect hidden pytorch zip pickles (#1043) (19b6ebe)
• flag pickle persistent ids (#938) (2cfba40)
• harden pickle nested bypass detection (#1027) (c3a3b9d)
• harden standalone pickle scanner (#901) (31f7dd3)
• narrow suspicious dunder string detection (#947) (e866760)
• preserve picklescan stack state (#910) (fabac5c)

Documentation

• align markdown with current repo state (#1035) (690bc52)

---

This PR was generated with Release Please. See documentation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c0ae646e88

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c26b4f0249

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4c9756069d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[github-actions]

Workflow run and artifacts

Performance Benchmarks

Compared 19 shared benchmarks with a regression threshold of 15%.
Status: 0 regressions, 0 improved, 19 stable, 0 new, 0 missing.
Aggregate shared-benchmark median: 193.05ms -> 192.16ms (-0.5%).

Benchmark	Target	Size	Files	Baseline	Current	Change	Status
tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_opcode_budget_tail_payload	opcode_budget_tail	14 B	1	71.2us	76.3us	+7.3%	stable
tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payloads[nested_base64]	nested_base64	98 B	1	109.3us	103.0us	-5.8%	stable
tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_dangerous_global_payloads[stack_global]	stack_global	21 B	1	65.8us	67.7us	+2.9%	stable
tests/benchmarks/test_scan_benchmarks.py::test_detect_file_format_safe_pickle	safe_model.pkl	49.4 KiB	1	30.9us	31.7us	+2.6%	stable
tests/benchmarks/test_scan_benchmarks.py::test_scan_duplicate_directory	duplicate-corpus	840.0 KiB	81	48.51ms	47.37ms	-2.3%	stable
tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_hidden_suspicious_string_budget	hidden_suspicious_string	8.0 KiB	1	584.2us	574.7us	-1.6%	stable
tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_dangerous_global_payloads[malicious_reduce]	malicious_reduce	52 B	1	77.2us	76.0us	-1.6%	stable
tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_safe_payloads[safe_large]	safe_large	278.2 KiB	1	3.47ms	3.42ms	-1.4%	stable
tests/benchmarks/test_scan_benchmarks.py::test_validate_file_type_pytorch_zip	state_dict.pt	1.5 MiB	1	51.2us	50.6us	-1.3%	stable
tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payloads[nested_raw]	nested_raw	78 B	1	101.9us	100.6us	-1.3%	stable
tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_safe_payloads[safe_small]	safe_small	68 B	1	56.2us	55.6us	-1.1%	stable
tests/benchmarks/test_scan_benchmarks.py::test_scan_safe_pickle	safe_model.pkl	49.4 KiB	1	11.58ms	11.69ms	+0.9%	stable
tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_safe_payloads[long_benign_string]	long_benign_string	1.0 MiB	1	1.08ms	1.08ms	-0.5%	stable
tests/benchmarks/test_scan_benchmarks.py::test_scan_pytorch_zip	state_dict.pt	1.5 MiB	1	31.46ms	31.60ms	+0.4%	stable
tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_chunked_stream	chunked_stream	278.2 KiB	1	6.55ms	6.57ms	+0.3%	stable
tests/benchmarks/test_scan_benchmarks.py::test_skip_filter_plain_text_files	-	4.6 KiB	256	13.37ms	13.41ms	+0.3%	stable
tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payloads[nested_hex]	nested_hex	130 B	1	107.7us	107.8us	+0.1%	stable
tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_multi_stream_padded_payload	multi_stream_padded	4.1 KiB	1	136.3us	136.2us	-0.1%	stable
tests/benchmarks/test_scan_benchmarks.py::test_scan_mixed_directory	mixed-corpus	1.7 MiB	54	75.63ms	75.65ms	+0.0%	stable

[mldangelo-oai]

Reviewed again after the release-please fixes. Local validation passed: ruff format/check, mypy, full non-slow/non-integration pytest, prettier check, uv lock checks, and actionlint for the release workflow.

[github-actions]

🤖 Created releases:

• v0.2.38

🌻