OpenHands merged a five-item dependency-CVE batch to main on 2026-06-23; no tagged release carries it
What this changes for operators
- A batch of dependency security fixes landed on main on 2026-06-23 -- CVE-2026-44727 (jupyter-server 2.20.0), CVE-2026-49458 (dompurify 3.4.6), GHSA-6v7p-g79w-8964 (msgpack 1.2.1), CVE-2026-45409 (idna 3.15), GHSA-gj48-438w-jh9v (bleach 6.4.0) -- but no tag was cut; the only release remains 1.8.0 from 2026-06-10.
- Determine which channel you run. An operator on 1.8.0 has none of these fixes; an operator on a build from main has them. This is the same merged-vs-shipped gap that defined the last window, now continuing into this one: "fixed" is true on main and false in the binary most operators run. A vulnerability scanner that keys on the OpenHands version string alone will not tell you which side of that gap you are on; check the installed dependency versions themselves.
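A way to make that check concrete, as an added example that is not OpenHands code: compare the dependency versions actually installed in a deployment against the versions quoted beside each advisory above. It assumes those quoted versions are the versions the batch bumped to (so they serve as minimum floors; if a later bump raised them further, adjust `FIXED_FLOORS`), that the Python side is pinned in `pip freeze` output and the frontend side in a lockfileVersion 2/3 `package-lock.json`, and that dropping pre-release suffixes is acceptable for a floor comparison. The `pip freeze` text and the package-lock document below are constructed samples standing in for a 1.8.0 install; the nested older `dompurify` copy is there because a top-level-only lockfile check would miss it.

```python
"""Audit a deployed OpenHands install against the 2026-06-23 dependency floors.
Added example, not OpenHands code. Assumption: the version quoted beside each
advisory on the page is the version the batch bumped to, used here as a floor."""
import json
import re

# (ecosystem, package) -> (advisory, assumed fixed floor)
FIXED_FLOORS = {
    ("pypi", "jupyter-server"): ("CVE-2026-44727", "2.20.0"),
    ("npm", "dompurify"): ("CVE-2026-49458", "3.4.6"),
    ("pypi", "msgpack"): ("GHSA-6v7p-g79w-8964", "1.2.1"),
    ("pypi", "idna"): ("CVE-2026-45409", "3.15"),
    ("pypi", "bleach"): ("GHSA-gj48-438w-jh9v", "6.4.0"),
}

# Constructed sample of what `pip freeze` might show on a 1.8.0 install.
SAMPLE_PIP_FREEZE = """\
bleach==6.3.0
idna==3.10
jupyter_server==2.19.0
msgpack==1.2.1
"""

# Constructed package-lock.json (lockfileVersion 3); the nested copy of
# dompurify is older than the top-level one and is the copy that matters.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "frontend"},
        "node_modules/dompurify": {"version": "3.4.6"},
        "node_modules/some-widget": {"version": "1.0.0"},
        "node_modules/some-widget/node_modules/dompurify": {"version": "3.4.5"},
    },
})


def normalize_name(name):
    """PEP 503-style normalization so jupyter_server and jupyter-server match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version):
    """'2.19.0' -> (2, 19, 0). Pre-release/local suffixes are dropped
    (assumption: '3.4.6rc1' is treated as 3.4.6 for a floor check)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def at_least(installed, floor):
    """True if installed >= floor, zero-padded so 3.15 equals 3.15.0."""
    a, b = version_key(installed), version_key(floor)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def parse_pip_freeze(text):
    """Map normalized distribution name -> pinned version from `pip freeze`."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue  # comments, editable installs and VCS URLs are skipped
        name, version = line.split("==", 1)
        pkgs[normalize_name(name)] = version.strip()
    return pkgs


def parse_npm_lock(text):
    """Map package name -> LOWEST version found at any node_modules path
    in a lockfileVersion 2/3 package-lock.json, nested copies included."""
    pkgs = {}
    for path, meta in json.loads(text).get("packages", {}).items():
        if "node_modules/" not in path or "version" not in meta:
            continue
        name = path.rsplit("node_modules/", 1)[1]
        if name not in pkgs or not at_least(meta["version"], pkgs[name]):
            pkgs[name] = meta["version"]
    return pkgs


def audit(pypi, npm):
    """Return {package: {advisory, installed, floor, status}} with status
    'ok', 'below-floor' or 'absent' (absent = not in this deployment)."""
    installed = {"pypi": pypi, "npm": npm}
    report = {}
    for (eco, pkg), (advisory, floor) in FIXED_FLOORS.items():
        have = installed[eco].get(normalize_name(pkg))
        status = ("absent" if have is None
                  else "ok" if at_least(have, floor) else "below-floor")
        report[pkg] = {"advisory": advisory, "installed": have,
                       "floor": floor, "status": status}
    return report


if __name__ == "__main__":
    result = audit(parse_pip_freeze(SAMPLE_PIP_FREEZE),
                   parse_npm_lock(SAMPLE_PACKAGE_LOCK))
    for pkg, f in sorted(result.items()):
        print(f"{f['status']:<11} {pkg:<15} installed={f['installed']} "
              f"floor={f['floor']} ({f['advisory']})")
```

On a real host, replace the two samples with the output of `pip freeze` from the OpenHands virtualenv and the `package-lock.json` the frontend was built from. Taking the lowest version across all lockfile paths is deliberate: a transitive copy of dompurify nested under another package is the one a scanner keyed on the top-level entry would miss. An `absent` result is not a pass; it means the package is not in the inventory you fed in, which for a container image usually means you inspected the wrong layer or the wrong environment.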
Receipts
Signal metadata
Source findings
- 2026-06-24-openhands-dependency-cve-batch-main-unreleased
Run: 2026-06-24-weekly-digest-2026-06-23_2026-06-24-frontier-v0
Schema: bitter.frontier_signals.v0 · ID: 2026-06-24-openhands-dependency-cve-batch-unreleased
Signals are produced by the Bitter autonomous research loop.