
Release: turbovec 0.9.0 (Rust crate) + 0.8.0 (Python package) #109

Merged: RyanCodrai merged 8 commits into main from release/rust-0.9.0-python-0.8.0 on Jun 10, 2026

@RyanCodrai (Owner)

Release turbovec 0.9.0 (Rust crate) + 0.8.0 (Python package) — the security-audit release (#108 fixes).

Version bumps

  • turbovec/Cargo.toml: 0.8.1 → 0.9.0
  • turbovec-python/Cargo.toml + pyproject.toml: 0.7.1 → 0.8.0

Minor bump on both because a few inputs that previously panicked or were silently accepted now return typed errors (NaN/Inf search → ValueError, dim capped at 65536, zero-dim lazy add rejected, side-car/index mismatch raises at load). Full details in CHANGELOG.md.

Also in this PR

Publishing

The release workflows trigger on tags after this merges:

  • v0.9.0 → release-crates.yml (crates.io)
  • py-v0.8.0 → release-pypi.yml (PyPI)

I have not pushed those tags — say the word once this is merged and I'll push them (or you can). No on-disk format change (still .tv / .tvim v3).

RyanCodrai and others added 8 commits June 10, 2026 17:31
Security-audit release (#108): untrusted-load hardening, binding panic
fixes, integration data-integrity fixes, and the x86 scalar-fallback
correctness fix. Resolves #104, #105, #106. Minor bump on both surfaces
because a few inputs that previously panicked or were silently accepted now
return typed errors. See CHANGELOG.md.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Fact-checked the README prose against benchmarks/results/. Several figures
had drifted (mostly from before TQ+ landed):
- ARM speed 12-20% -> 10-19% (actual range 10.3-19.4%)
- OpenAI R@1 +0.4-3.4 pts -> +0.2-1.9 pts (no config reaches 3.4)
- GloVe R@1 +0.3/-1.2 -> +0.9/tied (TQ+ closed the 2-bit gap)
- x86 2-bit 'within ~1% ST, 2-4% MT' -> trails 3-8% on both ST and MT
- softened 'matches the Shannon lower bound' -> 'near-optimal' (the
  how-it-works section already states within 2.7x of the bound)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

- intro: 'matches the Shannon lower bound' -> 'near-optimal distortion';
  trim to 'no separate training phase'
- speed bullet/x86 prose: characterize x86 2-bit honestly (behind, most
  visibly d=1536 ST ~8%) instead of 'match-or-beat'/'3-8%'
- recall: OpenAI converge to 1.0 by k=8 (>=0.997 at k=4)
- baselines note: drop stale 'visible gap on GloVe' (TQ+ closed it; GloVe is
  now level at 2-bit, ahead at 4-bit)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Audited docs/ against the merged behavior changes:
- api.md: document that search() raises ValueError on non-finite/oversized
  query coords; dim must be a positive multiple of 8 and <= 65536 (MAX_DIM);
  zero-width add raises; load now validates the header before allocating.
- agno.md: duplicate derived doc_id is now keep-all (both kept and
  deletable, matching LanceDb) — previous text implied last-write-wins;
  clarify delete_by_name/_content_id/_metadata target only matching docs.
- agno/langchain/haystack/llama_index: loading a side-car out of sync with
  its .tvim now raises ValueError at load instead of a later KeyError.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Adding the DimTooLarge variant this release is already breaking for
downstream exhaustive matches. Mark both public error enums
#[non_exhaustive] now so future variant additions stop being breaking
changes — this release is the one-time free moment to do it. The Python
binding only uses Display (e.to_string()), so it is unaffected.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

turbovec's usize size/offset arithmetic in encode/pack/search assumes a
64-bit pointer width; on 32-bit/wasm those products can overflow and index
out of bounds. The untrusted-load path is already gated by checked_mul in
io.rs, so this is not a vulnerability via file input — but a developer
adding very large data on a 32-bit target could still overflow. Refuse to
compile on non-64-bit targets rather than ship a silently-unsafe build.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
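
The load-time checks that the commit messages above describe (header validated before allocating, `dim` a positive multiple of 8 capped at `MAX_DIM`, `checked_mul` on sizes, and the 64-bit compile gate), as an added example that is not turbovec's own code. The 12-byte header, the fixed 4-bit payload, `validate`, `HEADER_LEN` and every `LoadError` variant except `DimTooLarge` are assumptions made for illustration.

```rust
// Added example: the header layout and all names except MAX_DIM and
// DimTooLarge are hypothetical, not turbovec's real .tv format or API.
use std::convert::{TryFrom, TryInto};

#[cfg(not(target_pointer_width = "64"))]
compile_error!("usize size arithmetic here assumes a 64-bit target");

pub const MAX_DIM: usize = 65536; // cap stated in the release notes
pub const HEADER_LEN: usize = 12; // assumed: u32 LE dim, then u64 LE vector count

#[derive(Debug, PartialEq)]
#[non_exhaustive] // later variants are not a breaking change downstream
pub enum LoadError {
    Truncated,
    BadDim(usize),
    DimTooLarge(usize),
    SizeOverflow,
    LengthMismatch { expected: usize, actual: usize },
}

/// Returns (dim, n, payload_len) only if the header agrees with the bytes present.
pub fn validate(file: &[u8]) -> Result<(usize, usize, usize), LoadError> {
    if file.len() < HEADER_LEN {
        return Err(LoadError::Truncated);
    }
    let dim = u32::from_le_bytes(file[0..4].try_into().unwrap()) as usize;
    let n = u64::from_le_bytes(file[4..12].try_into().unwrap());
    if dim > MAX_DIM {
        return Err(LoadError::DimTooLarge(dim));
    }
    if dim == 0 || dim % 8 != 0 {
        return Err(LoadError::BadDim(dim));
    }
    // Assumed 4-bit codes (dim / 2 bytes per vector); a hostile count fails here, not by wrapping.
    let n = usize::try_from(n).map_err(|_| LoadError::SizeOverflow)?;
    let expected = (dim / 2).checked_mul(n).ok_or(LoadError::SizeOverflow)?;
    let actual = file.len() - HEADER_LEN;
    if expected != actual {
        return Err(LoadError::LengthMismatch { expected, actual });
    }
    Ok((dim, n, expected))
}

fn main() {
    let mut file = vec![16u8, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0]; // constructed header
    file.extend_from_slice(&[0u8; 24]); // 3 vectors * 16 dims * 4 bits
    println!("{:?}", validate(&file));
}
```

Because the declared payload size is compared with the bytes actually present, nothing is allocated from a file-supplied count until that count has been shown to match the file.
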
Route security reports through GitHub private vulnerability reporting /
Security Advisories instead of public issues, with reporting steps, what to
include, expectations, supported-version policy, and scope. #105 came in as
a public issue; this gives finders a private channel.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Private vulnerability reporting is the single channel; no alternate contact.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

RyanCodrai merged commit 1e7200c into main Jun 10, 2026
6 checks passed
RyanCodrai deleted the release/rust-0.9.0-python-0.8.0 branch June 10, 2026 18:05
a-tokyo added a commit to a-tokyo/turbovec that referenced this pull request Jun 13, 2026
…ure/ts

Sync the Node-bindings branch onto the latest upstream before proposing it
upstream. Upstream's RyanCodrai#108 security audit independently hardened the same core
files this branch had touched, and RyanCodrai#109 cut crate 0.9.0 / Python 0.8.0.

Reconciliation:
- turbovec/src/io.rs, lib.rs: take upstream's hardening wholesale; drop our
  now-redundant copies. Removed our duplicate `pub use io::MAX_DIM` (upstream
  defines `pub const MAX_DIM` at the crate root); upstream already exposes
  `MAX_INPUT_MAGNITUDE` as `pub` for the bindings. Net core delta from this
  branch is now ~zero — the package is essentially additive.
- turbovec-node/src/error.rs + ts/errors.ts + docs/api.md: handle upstream's new
  `DimTooLarge` variants (both enums are now `#[non_exhaustive]`) via a new
  `DIM_TOO_LARGE` JS error code, plus a wildcard arm so future core variants
  don't break the binding build.
- turbovec/tests/io_versioning.rs: the lazy-header regression test now anchors on
  upstream's wording (clean InvalidData on a dim=0/n>0 header is unchanged).
- CHANGELOG/docs/api.md: keep our Node section under Unreleased alongside the
  0.9.0/0.8.0 release entry and upstream's richer Python tables.

Verified against the synced core: turbovec-node clippy clean; 193 vitest pass;
cargo test -p turbovec green (incl. io_versioning).