Security
- CodeQL #40 (High): XSS in dashboard search — `cockpit-search.js` fallback `esc()` function was `function(s) { return String(s); }` — no HTML escaping. Replaced with safe `textContent` → `innerHTML` implementation matching `format.js`.
- CodeQL #38/#39 (Medium): Unpinned GitHub Actions — `codecov/codecov-action@v4` and `EmbarkStudios/cargo-deny-action@v2` are now pinned to commit SHAs (`b9fd7d16…`, `5bb39ff5…`) in `ci.yml`.
Fixed
- Codex config corruption on mode change (GitHub #189) — When `lean-ctx setup` or `lean-ctx update` ran with v3.5.6 (where Codex was CLI-Redirect mode), `remove_codex_toml_section` removed the `[mcp_servers.lean-ctx]` parent section but left orphaned sub-tables like `[mcp_servers.lean-ctx.env]`, causing Codex to fail with "invalid transport in mcp_servers.lean-ctx".
  - `remove_codex_toml_section` now removes all TOML sub-tables via prefix matching when removing a parent section.
  - `ensure_codex_mcp_server` now detects orphaned sub-tables and inserts the parent section before them instead of appending at the end.
  - `ensure_codex_mcp_server` now uses `toml_quote_value` for Windows backslash-safe TOML quoting (was using raw `format!` with double quotes).
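The sub-table handling described in this fix, sketched as an added example (not lean-ctx's own code): it contrasts parent-only removal with prefix-matched removal and detects the orphaned sub-table that the former leaves behind. The helpers `header_name`, `is_subtable`, `remove_section` and `orphaned_subtables` are hypothetical, and the sample config keys are constructed.

```rust
// Constructed sample config: only the two lean-ctx table names come from the release notes.
const SAMPLE: &str = r#"[mcp_servers.lean-ctx]
command = "lean-ctx"
[mcp_servers.lean-ctx.env]
EXAMPLE_VAR = "1"
[mcp_servers.lean-ctx-extra]
command = "other"
"#;

/// Table name of a `[a.b]` or `[[a.b]]` header line, else None.
/// Assumes headers carry no trailing comment and values fit on one line.
fn header_name(line: &str) -> Option<&str> {
    let t = line.trim();
    let inner = t.strip_prefix("[[").and_then(|r| r.strip_suffix("]]"))
        .or_else(|| t.strip_prefix('[').and_then(|r| r.strip_suffix(']')))?;
    Some(inner.trim())
}

/// True for `section.<key>` only; the "." check keeps `section-extra` out.
fn is_subtable(name: &str, section: &str) -> bool {
    name.strip_prefix(section).map_or(false, |rest| rest.starts_with('.'))
}

/// Drops `[section]` and its keys; with `subtables` set, also every `[section.*]`.
fn remove_section(content: &str, section: &str, subtables: bool) -> String {
    let mut kept = Vec::new();
    let mut skipping = false;
    for line in content.lines() {
        if let Some(name) = header_name(line) {
            skipping = name == section || (subtables && is_subtable(name, section));
        }
        if !skipping { kept.push(line); }
    }
    kept.join("\n")
}

/// Sub-tables of `section` present while `[section]` itself is missing.
fn orphaned_subtables<'a>(content: &'a str, section: &str) -> Vec<&'a str> {
    let names: Vec<&str> = content.lines().filter_map(header_name).collect();
    if names.iter().any(|n| *n == section) { return Vec::new(); }
    names.into_iter().filter(|n| is_subtable(n, section)).collect()
}

fn main() {
    let s = "mcp_servers.lean-ctx";
    let before = remove_section(SAMPLE, s, false); // parent only: leaves an orphan
    println!("orphans after parent-only removal: {:?}", orphaned_subtables(&before, s));
    println!("after prefix removal:\n{}", remove_section(SAMPLE, s, true));
}
```

Matching on the section name plus a trailing `.` matters: a bare prefix match would also delete the unrelated `[mcp_servers.lean-ctx-extra]` table.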
Upgrade
```bash
lean-ctx update              # recommended (auto-downloads + refreshes shell hooks)
cargo install lean-ctx       # or
npm update -g lean-ctx-bin   # or
brew upgrade lean-ctx
```

Note: After upgrading via cargo/npm/brew, run `lean-ctx setup` to refresh shell aliases. `lean-ctx update` does this automatically.
Full Changelog: v3.5.8...v3.5.8