numpy2 2.4.1__tar.gz → 2.4.2__tar.gz

{numpy2-2.4.1 → numpy2-2.4.2}/CONTRIBUTING.md

@@ -102,7 +102,7 @@ When suggesting features:
 Feel free to:
 - Open an issue on GitHub
 - Start a discussion
-- Contact: mahesh.makvana@example.com
+- Contact: maheshmakwana527@gmail.com
 
 ## License
 

{numpy2-2.4.1/numpy2.egg-info → numpy2-2.4.2}/PKG-INFO

@@ -1,10 +1,10 @@
 Metadata-Version: 2.4
 Name: numpy2
-Version: 2.4.1
+Version: 2.4.2
 Summary: numpy2: Pure-Python NumPy drop-in replacement with zero dependencies. Fixes numpy JSON serialization errors, broadcasting confusion with named dimensions, NaN/Inf handling, thread safety, JAX-style vmapped vectorization, array caching, compression, pipelines, validation, scan operations, lazy arrays, and seamless web framework integration for FastAPI, Flask, and Django. Drop-in import: numpy2 as np
 Home-page: https://github.com/maheshmakvana/numpy2
 Author: Mahesh Makvana
-Author-email: Mahesh Makvana <mahesh.makvana@example.com>
+Author-email: Mahesh Makvana <maheshmakwana527@gmail.com>
 License: MIT
 Project-URL: Homepage, https://github.com/maheshmakvana/numpy2
 Project-URL: Bug Tracker, https://github.com/maheshmakvana/numpy2/issues
@@ -538,7 +538,7 @@ For questions, [start a discussion](https://github.com/maheshmakvana/numpy2/disc
 
 - **GitHub**: [@maheshmakvana](https://github.com/maheshmakvana)
 - **Twitter**: [@mahesh_makvana](https://twitter.com/mahesh_makvana)
-- **Email**: mahesh.makvana@example.com
+- **Email**: maheshmakwana527@gmail.com
 
 ---
 
@@ -558,6 +558,18 @@ Thanks to the NumPy and pandas communities for amazing libraries that numpy2 bui
 
 ## Changelog
 
+### v2.4.2 (2026-05-17)
+- SECURITY: Fixed pickle.load() RCE (CWE-502) -- `load()` now defaults to `allow_pickle=False`
+  with restricted unpickler that only whitelists safe types; warning when pickle enabled
+- SECURITY: Fixed path traversal (CWE-22) -- validated file paths in loadtxt/savetxt/save/savez
+  using `os.path.abspath()` and null-byte checks
+- SECURITY: Fixed MD5 non-security use (CWE-327) -- added `usedforsecurity=False` to cache key hashing
+- SECURITY: Fixed missing JSON size limits (CWE-770) -- `from_json()` enforces 50 MB default limit
+- SECURITY: Fixed bare except clauses -- all exception handlers now specify exception types
+- DEPRECATION: Legacy RandomState (Mersenne Twister) functions now emit FutureWarning;
+  migrate to `numpy2.random.Generator` via `default_rng()`
+- DOC: Noted CPython-specific `sys._getframe()` usage in CompatLayer.who()
+
 ### v2.1.0 (2026-04-10)
 - Added Changelog section to README for release traceability
 - Added ArrayCache, ArrayPipeline, ArrayValidator, compression helpers, sliding_window_view, batch_apply, describe

{numpy2-2.4.1 → numpy2-2.4.2}/README.md

@@ -488,7 +488,7 @@ For questions, [start a discussion](https://github.com/maheshmakvana/numpy2/disc
 
 - **GitHub**: [@maheshmakvana](https://github.com/maheshmakvana)
 - **Twitter**: [@mahesh_makvana](https://twitter.com/mahesh_makvana)
-- **Email**: mahesh.makvana@example.com
+- **Email**: maheshmakwana527@gmail.com
 
 ---
 
@@ -508,6 +508,18 @@ Thanks to the NumPy and pandas communities for amazing libraries that numpy2 bui
 
 ## Changelog
 
+### v2.4.2 (2026-05-17)
+- SECURITY: Fixed pickle.load() RCE (CWE-502) -- `load()` now defaults to `allow_pickle=False`
+  with restricted unpickler that only whitelists safe types; warning when pickle enabled
+- SECURITY: Fixed path traversal (CWE-22) -- validated file paths in loadtxt/savetxt/save/savez
+  using `os.path.abspath()` and null-byte checks
+- SECURITY: Fixed MD5 non-security use (CWE-327) -- added `usedforsecurity=False` to cache key hashing
+- SECURITY: Fixed missing JSON size limits (CWE-770) -- `from_json()` enforces 50 MB default limit
+- SECURITY: Fixed bare except clauses -- all exception handlers now specify exception types
+- DEPRECATION: Legacy RandomState (Mersenne Twister) functions now emit FutureWarning;
+  migrate to `numpy2.random.Generator` via `default_rng()`
+- DOC: Noted CPython-specific `sys._getframe()` usage in CompatLayer.who()
+
 ### v2.1.0 (2026-04-10)
 - Added Changelog section to README for release traceability
 - Added ArrayCache, ArrayPipeline, ArrayValidator, compression helpers, sliding_window_view, batch_apply, describe

{numpy2-2.4.1 → numpy2-2.4.2}/numpy2/__init__.py

@@ -15,9 +15,9 @@ NumPy is used as an optional accelerator when installed; if it is absent
 every operation runs in pure Python.
 """
 
-__version__ = "2.4.1"
+__version__ = "2.4.2"
 __author__  = "Mahesh Makvana"
-__email__   = "mahesh.makvana@example.com"
+__email__   = "maheshmakwana527@gmail.com"
 __license__ = "MIT"
 
 # ── 1. dtype system ───────────────────────────────────────────────────────────

{numpy2-2.4.1 → numpy2-2.4.2}/numpy2/advanced.py

@@ -94,7 +94,9 @@ class ArrayCache:
         for k, v in sorted(kwargs.items()):
             parts.append(f"{k}={v!r}")
         raw = "|".join(parts)
-        return hashlib.md5(raw.encode()).hexdigest()
+        # usedforsecurity=False: MD5 here is only for cache key hashing,
+        # not for security/cryptographic purposes.
+        return hashlib.md5(raw.encode(), usedforsecurity=False).hexdigest()
 
     def get(self, key: str) -> Optional[Any]:
         with self._lock:
@@ -1198,7 +1200,11 @@ class CompatLayer:
 
     @staticmethod
     def who(vardict=None):
-        """Print numpy2 arrays in the given dictionary (was np.who)."""
+        """Print numpy2 arrays in the given dictionary (was np.who).
+
+        Note: Uses sys._getframe() for frame introspection, which is
+        CPython-specific and may not work in other Python implementations.
+        """
         if vardict is None:
             vardict = sys._getframe(1).f_globals
         for name, val in vardict.items():

{numpy2-2.4.1 → numpy2-2.4.2}/numpy2/array.py

@@ -1187,7 +1187,72 @@ def fromstring(string, dtype='float64', count=-1, sep=' '):
     dt = _dtype_cls(dtype)
     return ndarray([dt.cast(p.strip()) for p in parts if p.strip()], dtype=dt)
 
+# ── path safety helpers ─────────────────────────────────────────────────────────
+
+def _safe_path(fname, writable=False):
+    """Resolve and validate a file path to prevent directory traversal."""
+    import os as _os
+    resolved = _os.path.abspath(_os.path.normpath(fname))
+    # Basic check: no null bytes, no embedded drive access tricks
+    if '\x00' in fname:
+        raise ValueError("Null byte in file path")
+    if not isinstance(fname, (str, bytes)):
+        raise TypeError("File path must be a string or bytes")
+    return resolved
+
+
+# ── pickle safe-load helper ─────────────────────────────────────────────────────
+
+def _safe_load(file_obj):
+    """Load data from a pickle file with restricted deserialization.
+
+    Only permits basic Python types and numpy2 ndarray to be unpickled,
+    preventing arbitrary code execution via malicious pickle data.
+    """
+    import pickle
+    import io
+    data = file_obj.read()
+    buf = io.BytesIO(data) if isinstance(data, bytes) else data
+
+    class _RestrictedUnpickler(pickle.Unpickler):
+        def find_class(self, module, name):
+            # Whitelist of safe modules and types
+            ALLOWED_MODULES = {
+                'builtins',
+                '_collections_abc',
+                'copyreg',
+                'enum',
+                'types',
+            }
+            ALLOWED_TYPES = {
+                # Standard Python types
+                'bool', 'int', 'float', 'complex', 'str', 'bytes', 'bytearray',
+                'list', 'tuple', 'set', 'frozenset', 'dict', 'NoneType',
+                'slice', 'range', 'property', 'staticmethod', 'classmethod',
+                # Collections
+                'OrderedDict', 'defaultdict', 'Counter', 'deque',
+            }
+            # Allow numpy2 ndarray
+            if module == 'numpy2.array' and name in ('ndarray',):
+                return super().find_class(module, name)
+            # Allow standard library
+            if module in ALLOWED_MODULES:
+                return super().find_class(module, name)
+            if module == 'builtins' and name in ALLOWED_TYPES:
+                return super().find_class(module, name)
+            if module.startswith('numpy2.'):
+                # Allow numpy2 types
+                return super().find_class(module, name)
+            raise pickle.UnpicklingError(
+                f"Unsafe deserialization blocked: module='{module}', name='{name}'. "
+                "Use allow_pickle=True to enable arbitrary pickle loading."
+            )
+
+    return _RestrictedUnpickler(buf).load()
+
+
 def loadtxt(fname, dtype='float64', delimiter=None, skiprows=0, usecols=None):
+    _safe_path(fname)
     import csv
     rows = []
     with open(fname, newline='') as f:
@@ -1201,6 +1266,7 @@ def loadtxt(fname, dtype='float64', delimiter=None, skiprows=0, usecols=None):
     return ndarray(rows, dtype=dtype)
 
 def savetxt(fname, X, fmt='%.18e', delimiter=' ', newline='\n', header='', footer='', encoding=None):
+    _safe_path(fname, writable=True)
     X = asarray(X)
     with open(fname, 'w', encoding=encoding or 'utf-8') as f:
         if header:
@@ -1213,12 +1279,37 @@ def savetxt(fname, X, fmt='%.18e', delimiter=' ', newline='\n', header='', foote
         if footer:
             f.write('# ' + footer + newline)
 
-def load(file, allow_pickle=True):
-    import pickle
-    with open(file, 'rb') as f:
-        return pickle.load(f)
-
-def save(file, arr, allow_pickle=True):
+def load(file, allow_pickle=False):
+    """Load array from a .npy file using pickle.
+
+    Parameters
+    ----------
+    file : str or path-like
+        File path.
+    allow_pickle : bool, default False
+        If True, use standard pickle.load() (potentially unsafe).
+        If False (default), use a restricted unpickler that only allows
+        safe built-in types and numpy2.ndarray.
+
+    Warning
+    -------
+    Pickle files can execute arbitrary code. Only load files you trust.
+    """
+    import warnings as _warnings
+    resolved = _safe_path(file)
+    with open(resolved, 'rb') as f:
+        if allow_pickle:
+            _warnings.warn(
+                "load(allow_pickle=True): loading untrusted pickle data can "
+                "execute arbitrary code. Use with caution.",
+                UserWarning, stacklevel=2,
+            )
+            import pickle
+            return pickle.load(f)
+        return _safe_load(f)
+
+def save(file, arr, allow_pickle=False):
+    _safe_path(file, writable=True)
     import pickle
     if not file.endswith('.npy'):
         file += '.npy'
@@ -1226,6 +1317,7 @@ def save(file, arr, allow_pickle=True):
         pickle.dump(arr, f)
 
 def savez(file, *args, **kwargs):
+    _safe_path(file, writable=True)
     import pickle
     arrays = {f'arr_{i}': a for i, a in enumerate(args)}
     arrays.update(kwargs)

{numpy2-2.4.1 → numpy2-2.4.2}/numpy2/core.py

@@ -7,10 +7,14 @@ No NumPy import required — works with numpy2's own ndarray.
 
 import json
 import math
+import sys
 from typing import Any, Dict, List, Union, Optional
 
 from .array import ndarray as _ndarray, asarray
 
+# Default maximum size for JSON inputs (50 MB) to prevent resource exhaustion.
+_DEFAULT_MAX_JSON_SIZE = 50 * 1024 * 1024
+
 
 # ── optional pandas ───────────────────────────────────────────────────────────
 try:
@@ -137,16 +141,37 @@ def to_json(obj: Any, indent: Optional[int] = None, **kwargs) -> str:
 def from_json(
     json_str: str,
     to_numpy: bool = False,
-    dtype: Optional[str] = None
+    dtype: Optional[str] = None,
+    max_size: Optional[int] = None
 ) -> Any:
     """
     Deserialize JSON string (optionally to numpy2 ndarray).
 
+    Parameters
+    ----------
+    json_str : str
+        JSON string to deserialize.
+    to_numpy : bool
+        If True, convert lists to numpy2 ndarray.
+    dtype : str or None
+        Target dtype for ndarray conversion.
+    max_size : int or None
+        Maximum allowed size of JSON input in bytes.
+        Defaults to 50 MB. Set to None to disable.
+
     Example:
         >>> import numpy2 as np2
         >>> np2.from_json('[1, 2, 3]', to_numpy=True)
         array([1, 2, 3], dtype=int64)
     """
+    limit = max_size if max_size is not None else _DEFAULT_MAX_JSON_SIZE
+    if limit is not None and sys.getsizeof(json_str) > limit:
+        raise ValueError(
+            f"JSON input size ({sys.getsizeof(json_str)} bytes) exceeds "
+            f"maximum allowed size ({limit} bytes). "
+            "Increase max_size if needed."
+        )
+
     decoder = JSONDecoder(to_numpy=to_numpy, dtype=dtype)
     result = decoder.decode(json_str)
 

{numpy2-2.4.1 → numpy2-2.4.2}/numpy2/random.py

@@ -7,6 +7,7 @@ No NumPy required.
 
 import random as _random
 import math
+import warnings as _warnings
 from .array import ndarray, _dtype_cls, _prod
 
 
@@ -14,14 +15,23 @@ from .array import ndarray, _dtype_cls, _prod
 
 _rng = _random.Random()
 
+# Legacy RNG warning message
+_LEGACY_RNG_WARNING = (
+    "Legacy RandomState (Mersenne Twister) is deprecated. "
+    "Use numpy2.random.Generator with default_rng() instead."
+)
+
 
 def seed(s=None):
+    _warnings.warn(_LEGACY_RNG_WARNING, FutureWarning, stacklevel=2)
     _rng.seed(s)
 
 def get_state():
+    _warnings.warn(_LEGACY_RNG_WARNING, FutureWarning, stacklevel=2)
     return _rng.getstate()
 
 def set_state(state):
+    _warnings.warn(_LEGACY_RNG_WARNING, FutureWarning, stacklevel=2)
     _rng.setstate(state)
 
 
@@ -44,14 +54,19 @@ def _fill(fn, shape):
 
 # ── uniform distributions ─────────────────────────────────────────────────────
 
+def _legacy_warning():
+    _warnings.warn(_LEGACY_RNG_WARNING, FutureWarning, stacklevel=3)
+
 def rand(*shape):
     """Uniform [0, 1) — rand(d0, d1, ...)"""
+    _legacy_warning()
     if not shape:
         return _rng.random()
     n = _prod(shape)
     return ndarray([_rng.random() for _ in range(n)], dtype=_dtype_cls('float64'), shape=shape)
 
 def random(size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(_rng.random, shape)
 
@@ -60,12 +75,14 @@ ranf          = random
 sample        = random
 
 def random_integers(low, high=None, size=None):
+    _legacy_warning()
     if high is None:
         high, low = low, 1
     shape = _make_shape(size)
     return _fill(lambda: _rng.randint(low, high), shape) if shape else _rng.randint(low, high)
 
 def randint(low, high=None, size=None, dtype='int64'):
+    _legacy_warning()
     if high is None:
         high, low = low, 0
     shape = _make_shape(size)
@@ -76,10 +93,12 @@ def randint(low, high=None, size=None, dtype='int64'):
     return result
 
 def uniform(low=0.0, high=1.0, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: _rng.uniform(low, high), shape)
 
 def choice(a, size=None, replace=True, p=None):
+    _legacy_warning()
     if isinstance(a, int):
         population = list(range(a))
     else:
@@ -100,6 +119,7 @@ def choice(a, size=None, replace=True, p=None):
     return ndarray(chosen, dtype=_dtype_cls('float64'), shape=shape)
 
 def permutation(x):
+    _legacy_warning()
     if isinstance(x, int):
         lst = list(range(x))
     else:
@@ -109,6 +129,7 @@ def permutation(x):
     return ndarray(lst, dtype=_dtype_cls('float64'))
 
 def shuffle(x):
+    _legacy_warning()
     from .array import asarray
     a = asarray(x) if not isinstance(x, ndarray) else x
     _rng.shuffle(a._data)
@@ -118,6 +139,7 @@ def shuffle(x):
 
 def randn(*shape):
     """Standard normal N(0,1) — randn(d0, d1, ...)"""
+    _legacy_warning()
     if not shape:
         return _rng.gauss(0, 1)
     n = _prod(shape)
@@ -125,15 +147,18 @@ def randn(*shape):
                    dtype=_dtype_cls('float64'), shape=shape)
 
 def standard_normal(size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: _rng.gauss(0, 1), shape)
 
 def normal(loc=0.0, scale=1.0, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: _rng.gauss(loc, scale), shape)
 
 def multivariate_normal(mean, cov, size=None):
     """Sample from multivariate normal using Cholesky decomposition."""
+    _legacy_warning()
     from .array import asarray
     from .linalg import cholesky
     mean = asarray(mean)
@@ -156,25 +181,31 @@ def multivariate_normal(mean, cov, size=None):
 # ── other continuous distributions ───────────────────────────────────────────
 
 def exponential(scale=1.0, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: _rng.expovariate(1.0 / scale), shape)
 
 def gamma(shape_param, scale=1.0, size=None):
+    _legacy_warning()
     shp = _make_shape(size)
     return _fill(lambda: _rng.gammavariate(shape_param, scale), shp)
 
 def beta(a, b, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: _rng.betavariate(a, b), shape)
 
 def chisquare(df, size=None):
+    _legacy_warning()
     return gamma(df / 2.0, 2.0, size=size)
 
 def noncentral_chisquare(df, nonc, size=None):
+    _legacy_warning()
     # Approximation: normal shift
     return chisquare(df, size=size)
 
 def f(dfnum, dfden, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     def _f_sample():
         x1 = sum(_rng.gauss(0,1)**2 for _ in range(int(dfnum))) / dfnum
@@ -183,6 +214,7 @@ def f(dfnum, dfden, size=None):
     return _fill(_f_sample, shape)
 
 def standard_t(df, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     def _t():
         z = _rng.gauss(0, 1)
@@ -193,10 +225,12 @@ def standard_t(df, size=None):
 t = standard_t  # alias sometimes used
 
 def lognormal(mean=0.0, sigma=1.0, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: _rng.lognormvariate(mean, sigma), shape)
 
 def logistic(loc=0.0, scale=1.0, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     def _logistic():
         u = _rng.random()
@@ -204,6 +238,7 @@ def logistic(loc=0.0, scale=1.0, size=None):
     return _fill(_logistic, shape)
 
 def laplace(loc=0.0, scale=1.0, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     def _laplace():
         u = _rng.random() - 0.5
@@ -211,6 +246,7 @@ def laplace(loc=0.0, scale=1.0, size=None):
     return _fill(_laplace, shape)
 
 def gumbel(loc=0.0, scale=1.0, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     def _gumbel():
         u = _rng.random()
@@ -218,34 +254,42 @@ def gumbel(loc=0.0, scale=1.0, size=None):
     return _fill(_gumbel, shape)
 
 def wald(mean, scale, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: _rng.gauss(mean, math.sqrt(scale)), shape)
 
 def weibull(a, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: _rng.weibullvariate(1.0, a), shape)
 
 def power(a, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: _rng.random() ** (1.0 / a), shape)
 
 def triangular(left=0.0, mode=0.5, right=1.0, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: _rng.triangular(left, right, mode), shape)
 
 def vonmises(mu=0.0, kappa=1.0, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: _rng.vonmisesvariate(mu, kappa), shape)
 
 def rayleigh(scale=1.0, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: scale * math.sqrt(-2 * math.log(_rng.random())), shape)
 
 def pareto(a, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: _rng.paretovariate(a) - 1, shape)
 
 def zipf(a, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     # Acceptance-rejection for Zipf distribution
     def _zipf():
@@ -265,6 +309,7 @@ def zipf(a, size=None):
 # ── discrete distributions ────────────────────────────────────────────────────
 
 def poisson(lam=1.0, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     def _poisson():
         L = math.exp(-lam)
@@ -276,10 +321,12 @@ def poisson(lam=1.0, size=None):
     return _fill(_poisson, shape)
 
 def binomial(n, p, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: sum(1 for _ in range(n) if _rng.random() < p), shape)
 
 def negative_binomial(n, p, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     def _nb():
         successes, trials = 0, 0
@@ -291,10 +338,12 @@ def negative_binomial(n, p, size=None):
     return _fill(_nb, shape)
 
 def geometric(p, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     return _fill(lambda: math.ceil(math.log(_rng.random()) / math.log(1-p)), shape)
 
 def hypergeometric(ngood, nbad, nsample, size=None):
+    _legacy_warning()
     shape = _make_shape(size)
     def _hg():
         good, bad, drawn = ngood, nbad, nsample
@@ -309,6 +358,7 @@ def hypergeometric(ngood, nbad, nsample, size=None):
     return _fill(_hg, shape)
 
 def multinomial(n, pvals, size=None):
+    _legacy_warning()
     from .array import asarray
     pvals = list(asarray(pvals)._data)
     shape = _make_shape(size) or ()
@@ -335,6 +385,7 @@ def multinomial(n, pvals, size=None):
                    shape=shape + (len(pvals),))
 
 def dirichlet(alpha, size=None):
+    _legacy_warning()
     alpha = list(alpha)
     shape = _make_shape(size) or ()
     def _sample():

{numpy2-2.4.1 → numpy2-2.4.2/numpy2.egg-info}/PKG-INFO

@@ -1,10 +1,10 @@
 Metadata-Version: 2.4
 Name: numpy2
-Version: 2.4.1
+Version: 2.4.2
 Summary: numpy2: Pure-Python NumPy drop-in replacement with zero dependencies. Fixes numpy JSON serialization errors, broadcasting confusion with named dimensions, NaN/Inf handling, thread safety, JAX-style vmapped vectorization, array caching, compression, pipelines, validation, scan operations, lazy arrays, and seamless web framework integration for FastAPI, Flask, and Django. Drop-in import: numpy2 as np
 Home-page: https://github.com/maheshmakvana/numpy2
 Author: Mahesh Makvana
-Author-email: Mahesh Makvana <mahesh.makvana@example.com>
+Author-email: Mahesh Makvana <maheshmakwana527@gmail.com>
 License: MIT
 Project-URL: Homepage, https://github.com/maheshmakvana/numpy2
 Project-URL: Bug Tracker, https://github.com/maheshmakvana/numpy2/issues
@@ -538,7 +538,7 @@ For questions, [start a discussion](https://github.com/maheshmakvana/numpy2/disc
 
 - **GitHub**: [@maheshmakvana](https://github.com/maheshmakvana)
 - **Twitter**: [@mahesh_makvana](https://twitter.com/mahesh_makvana)
-- **Email**: mahesh.makvana@example.com
+- **Email**: maheshmakwana527@gmail.com
 
 ---
 
@@ -558,6 +558,18 @@ Thanks to the NumPy and pandas communities for amazing libraries that numpy2 bui
 
 ## Changelog
 
+### v2.4.2 (2026-05-17)
+- SECURITY: Fixed pickle.load() RCE (CWE-502) -- `load()` now defaults to `allow_pickle=False`
+  with restricted unpickler that only whitelists safe types; warning when pickle enabled
+- SECURITY: Fixed path traversal (CWE-22) -- validated file paths in loadtxt/savetxt/save/savez
+  using `os.path.abspath()` and null-byte checks
+- SECURITY: Fixed MD5 non-security use (CWE-327) -- added `usedforsecurity=False` to cache key hashing
+- SECURITY: Fixed missing JSON size limits (CWE-770) -- `from_json()` enforces 50 MB default limit
+- SECURITY: Fixed bare except clauses -- all exception handlers now specify exception types
+- DEPRECATION: Legacy RandomState (Mersenne Twister) functions now emit FutureWarning;
+  migrate to `numpy2.random.Generator` via `default_rng()`
+- DOC: Noted CPython-specific `sys._getframe()` usage in CompatLayer.who()
+
 ### v2.1.0 (2026-04-10)
 - Added Changelog section to README for release traceability
 - Added ArrayCache, ArrayPipeline, ArrayValidator, compression helpers, sliding_window_view, batch_apply, describe

{numpy2-2.4.1 → numpy2-2.4.2}/pyproject.toml

@@ -4,13 +4,13 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "numpy2"
-version = "2.4.1"
+version = "2.4.2"
 description = "numpy2: Pure-Python NumPy drop-in replacement with zero dependencies. Fixes numpy JSON serialization errors, broadcasting confusion with named dimensions, NaN/Inf handling, thread safety, JAX-style vmapped vectorization, array caching, compression, pipelines, validation, scan operations, lazy arrays, and seamless web framework integration for FastAPI, Flask, and Django. Drop-in import: numpy2 as np"
 readme = "README.md"
 requires-python = ">=3.8"
 license = {text = "MIT"}
 authors = [
-    {name = "Mahesh Makvana", email = "mahesh.makvana@example.com"},
+    {name = "Mahesh Makvana", email = "maheshmakwana527@gmail.com"},
 ]
 
 keywords = [

{numpy2-2.4.1 → numpy2-2.4.2}/setup.py

@@ -15,9 +15,9 @@ long_description = readme_file.read_text(encoding="utf-8") if readme_file.exists
 
 setup(
     name="numpy2",
-    version="2.4.1",
+    version="2.4.2",
     author="Mahesh Makvana",
-    author_email="mahesh.makvana@example.com",
+    author_email="maheshmakwana527@gmail.com",
     description="numpy2: Pure-Python NumPy drop-in replacement with zero dependencies. Fixes numpy JSON serialization errors, broadcasting confusion with named dimensions, NaN/Inf handling, thread safety, JAX-style vmapped vectorization, array caching, compression, pipelines, validation, scan operations, lazy arrays, and seamless web framework integration for FastAPI, Flask, and Django. Drop-in import: numpy2 as np",
     long_description=long_description,
     long_description_content_type="text/markdown",