A small, security-focused patch on top of 0.9.14.
Highlights
- Security (stored XSS): the exported
graph.htmlis fixed (#1838). The report's neighbor links dropped an unescaped stringified node id into an inlineonclick— which broke every neighbor link and, when a node id/label contained a double-quote (e.g. from a document or a title scraped viagraphify add <url>), let a hostile source inject a live event handler into a report opened locally. The id is now carried in an HTML-escapeddata-nidattribute dispatched through a single delegated listener. If you generate reports from untrusted corpora, upgrade.
All fixes
- Security: close a stored XSS and repair the (previously always-broken) neighbor "focus" links in the exported
graph.html(#1838, thanks @edgestack-ai). - Fix: detection honors nested
.gitignore/.graphifyignorefiles below the scan root, matching git — avendor/sub/.gitignoredeeper in the tree is now applied to its own subtree instead of being ignored (#1847, thanks @Mohak-Agrawal). Composes with.git/info/exclude(0.9.14): a nearer!re-include still wins. - Fix:
graphify updatenow keeps human-readablecommunity_namelabels instead of stripping them back to numeric ids on every incremental rebuild (#1808 / #1855, thanks @latreon).
Install
pip install --upgrade graphifyy
# or
uv tool install graphifyy@0.9.15
Then graphify install to update the skill for your agent.