Hotfix Release v1.5.11

Critical Bug Fix

Fixed: Installation Failure When Package Exists in Bubble

Severity: High - Blocks installations in common scenarios

Symptoms:

• 8pkg install <package> fails with "❌ Could not resolve all packages. Aborting installation."
• Occurs when using latest-active strategy (default)
• Package resolves successfully but exists only as a bubble (not in main env)
• Example: uv resolved to v0.9.5 (exists as bubble), v0.9.4 active → install fails

Root Cause:
Preflight check incorrectly treated "package needs installation" as "resolution failed" when:

1. Package resolves successfully (e.g., uv==0.9.5)
2. Found as bubble but not active in main environment
3. Strategy is latest-active (requires packages in main env, not bubbles)
4. Code aborted installation instead of proceeding

Fix:

• Removed incorrect abort logic after resolution phase
• Preflight now correctly distinguishes between:
  • ✅ Resolution success → package needs installation → continue
  • ❌ Resolution failure → abort
• Removed duplicate "packages need installation" log message

Impact:

• Installations now work correctly when upgrading from bubbled versions
• latest-active strategy functions as designed
• No behavior change for already-working scenarios

Changes

• Fixed preflight satisfaction check abort condition
• Cleaned up duplicate logging during preflight phase

Testing

Verified fix with:

• 8pkg install uv (when v0.9.5 bubbled, v0.9.4 active) ✅
• Cross-Python version swaps with bubbled packages ✅
• Fresh installs (no existing versions) ✅

Upgrade immediately if experiencing installation failures.

This is an emergency hotfix release that addresses a critical P0 bug introduced in v1.5.9.

🚨 CRITICAL FIX

• Fixed: A fatal AttributeError crash on startup if the redis Python library was not installed. The application would fail for any user who did not have Redis available in their environment. The caching logic is now fully resilient and correctly falls back to SQLite without crashing.

All users on v1.5.9 are strongly urged to upgrade to v1.5.10 immediately.

This is a critical update that significantly improves the intelligence, speed, and stability of the core installer. It addresses key logic bugs in the preflight satisfaction check and makes the caching mechanism far more robust, especially for cross-platform users.

✨ Key Features & Fixes

🧠 Smarter, Strategy-Aware Preflight Checks

The preflight satisfaction check is now significantly more intelligent, eliminating unnecessary installations and providing a faster, more accurate user experience.

• Fixed: The installer now correctly re-checks package satisfaction after resolving a version (e.g., when running 8pkg install pydantic). This prevents the tool from incorrectly proceeding to a full install when the resolved package is already active.
• Fixed: The preflight check is now fully "strategy-aware." It correctly understands that a bubbled package is not satisfied when using the latest-active strategy, ensuring the main installer runs to promote the package to the active environment.
• Result: A faster, more reliable, and less confusing installation process that does the right thing in all scenarios.

⚡️ Robust Caching with Redis Circuit Breaker

The connection logic for the caching backend has been completely overhauled to be faster and more resilient, eliminating frustrating delays.

• New: A "circuit breaker" pattern has been implemented for Redis connections. The tool tries to connect only once with an aggressive 0.2-second timeout. If it fails, it instantly and permanently falls back to the local SQLite cache for the remainder of the command's execution.
• Fixed: This completely solves the long (5+ second) startup delays experienced by users on Windows when a Redis server was running in WSL, as the tool no longer repeatedly tries to connect to an unreachable host.
• New: Added a redis_enabled: false option to the configuration file, allowing users to explicitly disable Redis and force the use of the SQLite cache.

⚛️ Atomic Knowledge Base Updates

The end-of-install process has been reordered to be more efficient and eliminate potential race conditions, paving the way for future high-concurrency features.

• Fixed: The "redundant bubble" cleanup now runs before the consolidated Knowledge Base (KB) update.
• Result: The KB is now updated once with the final, correct state of the filesystem. This eliminates temporary inconsistencies, reduces I/O operations, and ensures atomic updates.

foundational Work

• New: Added the deptimemachine.py module, laying the groundwork for a future feature to install packages with their historical dependencies.
• General code cleanup and improvements to the testing suite.

Release v1.5.8

This is a massive feature and stability release, incorporating over 100 commits. It introduces major new capabilities like Quantum Healing for Python version conflicts, an AI Import Healer, and significant improvements to the CI/CD pipeline, performance, and reliability of the core engine.

🚀 Major New Features & Enhancements

• 🌌 Quantum Healing for Python Versions: A groundbreaking feature that automatically detects when a package is incompatible with the current Python version. omnipkg will now find a compatible Python version, adopt or download it, switch the environment context, and seamlessly retry the installation—all in a single command with zero user intervention.
• 🤖 AI Import Healer: A new utility that runs before your script and automatically detects and removes "hallucinated" placeholder imports (e.g., from your_file import ...) commonly generated by AI code assistants. This prevents an entire class of frustrating runtime errors.
• ⚡️ Ultra-Fast Preflight Checks: The install command is now significantly faster. It performs sub-millisecond checks to see if packages are already satisfied before initializing the full dependency resolver, making runs for already-installed packages nearly instantaneous.
• Flask Port Finder & Auto-Healing: A new advanced demo and utility that can find open ports for Flask applications and automatically heal missing dependencies when running tests.
• Comprehensive upgrade Command: The omnipkg upgrade command is now fully implemented for upgrading both omnipkg itself and any other managed package.
• Enhanced run Command: The omnipkg run command now has a --verbose flag and provides clearer AI-facing status messages to indicate success, test failures, or healing attempts.
• Concurrency Optimization: The test suite has been optimized to run concurrent tests in under 500ms by eliminating unnecessary subprocess calls.

🐛 Bug Fixes & Reliability Improvements

• Fixed a critical bug with Windows socket handling in the run command.
• Resolved an AttributeError during the first-time setup for new environments.
• Fixed a bug where the uninstall command could fail in certain edge cases.
• Improved the self-upgrade logic to work correctly for both standard and editable developer installs.
• Made the dependency resolver more robust by adding fallbacks and better error handling for PyPI queries.
• Corrected path handling logic to preserve the integrity of the native Python environment during context swaps.
• Fixed a TypeError in the loader and prevented recursive omnipkg calls within bubbles.

🔧 CI/CD & Development Experience

• Massive CI Expansion: Added 10+ new GitHub Actions workflows to automate:
  • Package upgrade testing.
  • Cross-interpreter installation tests ("Quantum Healing").
  • omnipkg self-upgrade validation.
  • Flask port finder and auto-healing demos.
  • Windows concurrency tests.
  • Automatic Docker image builds and pushes to Docker Hub and GHCR on release.
• Parallel Priming on Windows: The Windows CI workflow now primes Python environments in parallel, significantly speeding up test runs.
• Automated requirements.txt Updates: The CI will now automatically update requirements.txt via pip-compile when pyproject.toml changes.
• Improved Test Suite: The entire test suite has been refactored for better robustness, debugging, and performance.

🧹 Housekeeping & Refactoring

• Overhauled the core installation logic for better performance and reliability.
• Synced and refactored the run and loader logic from the developer-port branch.
• Improved security scanning with a pip-audit fallback.
• Cleaned up and improved project documentation, repo maintenance scripts, and file organization.
• Consolidated commit identities by removing the .mailmap file.

🔒 Security Update

Fixed

• Security vulnerability in uv dependency - Updated uv from 0.8.20 to 0.9.5 to address CVE related to CWE-843
  • Impact: Type confusion vulnerability in tar extraction with PAX headers
  • Severity: Low
  • Affected versions: uv <= 0.9.4
  • Resolution: Upgraded to uv >= 0.9.5

Changed

• Updated pyproject.toml to enforce minimum uv version (>= 0.9.5)
• Regenerated requirements.txt with updated dependencies

Full Changelog: v1.5.6...v1.5.7

This release introduces major enhancements to security scanning, Python version compatibility, and internal automation. It resolves critical bugs related to multi-Python environment management and significantly improves the robustness of the test suite.
✨ Key Features & Enhancements
Intelligent Security Scanner Fallback:
pip-audit Integration: The security scanner now automatically falls back to using pip audit on modern Python versions (3.14+) where safety's dependencies may not be available. This ensures that security scanning functionality is always present, even on bleeding-edge Python releases.
Conditional Dependencies: The project's dependencies have been updated to conditionally install safety only on compatible Python versions, preventing installation failures in newer environments.
New Flask Port Finder Utility & Demo:
A new utility, flask_port_finder.py, has been added. It automatically finds available network ports and can patch Flask application code on the fly to prevent port conflicts, which is especially useful in testing and CI environments.
A new interactive demo (8pkg demo, option 9) has been added to showcase this new auto-healing capability.
Robust Bootstrap Process:
The bootstrapping process for newly adopted Python interpreters has been improved. It now prioritizes using the built-in ensurepip module for maximum reliability before falling back to other methods.
CI Automation for Dependencies:
A new GitHub Actions workflow (update-requirements.yml) has been implemented to automatically compile and commit an updated requirements.txt whenever pyproject.toml is changed, ensuring dependency lists are always in sync.
Enhanced Test Suite:
The concurrent installation test (test_concurrent_install.py) has been significantly improved. It now automatically checks for and adopts required Python versions before running and uses isolated subprocess calls to more accurately simulate real-world CLI usage.
🐛 Critical Bug Fixes
Context-Aware Redis Key Generation Fixed: Corrected a bug where the Redis key generation would fail to use the correct Python context after a swap command. The tool now reliably generates keys based on the target environment, eliminating false "ghost" package reports when switching between different Python versions.
🧹 Housekeeping & Refactoring
Project Structure Cleanup: Test scripts and utility files (like stress_test.py) have been moved from the main omnipkg/ source directory into the appropriate tests/ and omnipkg/utils/ folders, improving code organization.
Dependency Simplification: The pyproject.toml file has been cleaned up to use clearer and more precise environment markers for dependencies.
Code Cleanup: Removed obsolete files related to previous experiments (OMNIPKG_CODE_COMPARISON.txt, Ruby gem files).

Release Date: October 22, 2025
This is a security-focused maintenance release.
🚨 Security Fix
Critical Fix: authlib Dependency Update
• Vulnerability Addressed: This release patches a high-severity security vulnerability by updating the authlib dependency to a safe version.
• Action: All users are strongly encouraged to update to v1.5.5 immediately to mitigate this security risk.
⚙️ Versioning
• Version Bump: The project version has been officially bumped to v1.5.5.

This release focuses on improving stability, particularly for developers on Windows and those using Conda environments.

What's New ✨

• 🛡️ Enhanced Conda Stability: All output related to the Conda auto-healing mechanism is now wrapped in safe_print(). This resolves UnicodeEncodeError crashes that could occur on Windows systems, ensuring the corruption repair process runs smoothly across all platforms.

• 🔧 Smarter Developer Self-Healing: The _self_heal_omnipkg_installation logic has been rebuilt. It now uses a more robust method to check the omnipkg version in the target Python context, creating a clean environment for the check that is not influenced by the parent shell's PYTHONPATH. This prevents false positives and ensures that developer environments are always correctly synchronized.

A Note on pip Vulnerability GHSA-4xh5-x5gv-qwph

As part of our security workflow, we have identified a known vulnerability (GHSA-4xh5-x5gv-qwph) present in all current versions of pip.

• The Issue: The vulnerability involves a race condition that can be exploited when installing packages from a malicious, attacker-controlled source distribution (sdist).
• Our Mitigation: The omnipkg build and CI process only installs packages from trusted sources (PyPI and the local project directory), which significantly mitigates the risk of exploitation.
• Our Action: A patched version of pip (expected in v25.3) has not yet been released. Therefore, we are temporarily ignoring this specific vulnerability within our security audit to prevent unnecessary build failures. We will remove this exception as soon as a patched version of pip is released and stable.

This release is the culmination of the vision laid out in v1.5.0 and battle-tested in v1.5.2. We are moving from a powerful CI/CD demonstration to a fully-controlled, robust, and production-ready feature. Where v1.5.2 proved that concurrent interpreters were possible with a "sterile environment" workaround, v1.5.3 delivers the final solution, making this groundbreaking technology a seamless and core part of the omnipkg experience.

The result is our live GitHub Actions workflow running 3 distinct Python interpreters concurrently, from a single script, in a single environment—all in under 600ms, now with maximum reliability.

🚀 From a CI/CD Workaround to a Core Capability

Our "Known Issues" from v1.5.2 have become the flagship features of v1.5.3. We have solved the core challenges of context management in non-interactive environments, eliminating the need for special script handling.

• Mastered Environment Control with OMNIPKG_ENV_ID_OVERRIDE

  • The Problem (v1.5.2): CI environments could suffer from context contamination, requiring a temporary "sterile" script to guarantee correct interpreter swapping.
  • The Solution (v1.5.3): You can now pass the OMNIPKG_ENV_ID_OVERRIDE environment variable to explicitly tell every omnipkg process which environment to target. This provides absolute control, ensuring all concurrent scripts and processes operate on a single, authoritative environment without any context drift.

• Intelligent First-Time Setup & Knowledge Base Flagging

  • The Problem: The "first-time setup" flag for a newly swapped interpreter could sometimes trigger unnecessary or problematic knowledge base (KB) rebuilds in automated workflows.
  • The Solution: We've perfected the logic for managing this flag. omnipkg now intelligently clears the "first use" flag after a successful, forced KB rebuild (like those used to prime CI environments). This prevents redundant rebuilds, making interpreter swaps consistently instantaneous and reliable.

🐛 Additional Fixes & Major Improvements

Building on the healing capabilities from v1.5.1, this release further hardens omnipkg against complex environment issues.

• New Auto-Healing for ABI Incompatibilities
  omnipkg run is now smarter than ever. It can detect deep ABI (Application Binary Interface) errors that occur with complex compiled packages (e.g., TensorFlow, NumPy). When it detects an undefined symbol or DLL load failed error, it will now automatically trigger a full, clean reinstallation of the problematic package to fix the issue.

• Critical Fix for Windows Path Resolution
  We have implemented a more robust method for detecting the correct site-packages directory, especially on Windows. This resolves a class of path-related bugs and significantly improves reliability for Windows users.

• More Robust, Context-Aware Caching
  A bug in the PyPI caching layer has been fixed. The cache is now correctly keyed to the specific Python version context, preventing stale or incompatible version information from being served when swapping between interpreters like 3.9 and 3.11.

This release transitions the "Quantum Multiverse Warp" from a high-wire demonstration into a robust, controllable, and production-ready tool. The impossible is now not only possible—it's reliable.

This release marks a major milestone in omnipkg's journey, moving from powerful local capabilities to publicly-proven performance in automated CI/CD environments. Version 1.5.2 delivers a critical fix for security scans and introduces a live CI demonstration of its revolutionary concurrent Python interpreter technology.

🚀 Features & Major Improvements

• Live CI Proof of "Quantum Multiverse Warp" Technology
  This is the star of the show. We now have a live, public GitHub Actions workflow that proves omnipkg's ability to execute a single script across multiple Python interpreters (3.9, 3.10, 3.11) concurrently. This isn't a simulation; it's a real-world demonstration of a paradigm shift in Python testing and automation.

  

• Dramatically Improved README and Performance Metrics
  The project's README has been overhauled to better communicate the core value proposition. It now features the incredible sub-second performance metrics achieved in the "Quantum Multiverse Warp" demo, making the power of omnipkg immediately clear to new users.

🐛 Bug Fixes

• Critical Fix for Isolated Security Scans
  A critical bug has been resolved where isolated tool "bubbles" (like the one used for safety) would fail to initialize correctly due to a missing Python context.
  • Before: Scans would fail with the error: BubbleIsolationManager.create_isolated_bubble() missing 1 required positional argument: 'python_context_version'.
  • After: The Python context is now correctly passed to the isolated environment, ensuring that security scans and other tool bubbles run reliably and as intended. This makes omnipkg's security features robust and trustworthy.

💡 Known Issues & Future Plans

• Improving Python Context Swapping in Non-Interactive CI
  We have made a key discovery: non-interactive CI environments can be sensitive to sys.path and PYTHONPATH contamination. While Python hot-swapping works perfectly in local interactive shells, it requires a "sterile" script environment in CI to guarantee context is not lost.
  • Current Success: Our live "Multiverse" demo successfully uses this sterile environment technique, which is why it works perfectly.
  • Roadmap: A high-priority goal is to integrate this "sterile environment" detection and management directly into the core omnipkg logic. This will make Python interpreter hot-swapping bulletproof in any environment (local, CI, Docker, etc.) without requiring special workarounds, further solidifying its reliability for complex automated workflows.