| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| README.md | 2026-07-12 | 5.3 kB | |
| ruvector-core 2.3.0 + ruvector-extensions 0.1.2 -- Lattice embeddings, CVE cleanup source code.tar.gz | 2026-07-12 | 118.7 MB | |
| ruvector-core 2.3.0 + ruvector-extensions 0.1.2 -- Lattice embeddings, CVE cleanup source code.zip | 2026-07-12 | 126.0 MB | |
| Totals: 3 Items | 244.7 MB | 2 | |
What's in this release
A Rust crate and an npm package, shipped together: local (non-API) embeddings via Lattice, plus a supply-chain cleanup that turned CI green again.
ruvector-core@2.3.0 + ruvector-extensions@0.1.2 — Lattice embeddings, two ways
Huge thanks to @ohdearquant for a complete, coordinated feature spanning both packages — six PRs across two weeks (#645, [#647], [#648], [#651], [#663], [#664]):
ruvector-coregains an optionallattice-embeddingsCargo feature (#648): a pure-Rust, CPU-nativeLatticeEmbeddingprovider backed by thelattice-embedcrate, bridging its async-only API toEmbeddingProvider's sync interface via a dedicated worker thread rather than risking ablock_on-inside-a-runtime panic. Fully opt-in — verified withcargo treethat it adds zero dependencies to the default build.ruvector-extensionsgainsLatticeWasmEmbeddings(#651): the same capability for the npm/WASM side, following the package's existing provider pattern with test coverage ahead of some sibling providers.- The two providers now agree with each other (#663). Shipping both in parallel surfaced a subtle bug: they disagreed on whether
bge-smallneeds a query-side instruction prefix, which would have silently degraded retrieval for anyone indexing with one provider and querying with the other. Fixed, and locked in with a genuinely nice piece of test infrastructure — both the Rust and TypeScript test suites now assert against the same shared fixture (fixtures/lattice-embed/query-prefixes.json), so the two implementations can't quietly re-diverge again. ruvllm's Llama 3.2 support (#645): fixed a hardcodedtie_word_embeddings = falsethat made Llama 3.2 1B/3B — and any other checkpoint that ties its input/output embedding weights — fail to load in the candle backend. Closes [#646].- Housekeeping:
lattice-embed/lattice-inferencebumped to 0.6 (#664), and a rustfmt pass onlattice_backend.rs(#647) that also unblocked CI formatting checks for everything else in flight.
Postgres RLS: per-statement current_setting() evaluation (#639)
Thanks to @dmitrymaranik for a careful performance fix to tenant-isolation policy generation in ruvector-postgres — wrapping current_setting() in a scalar subquery so Postgres evaluates it once via an InitPlan instead of per-row. This is security-sensitive code (it's what stops one tenant from seeing another tenant's rows), so it got the most scrutiny of anything this cycle: verified the missing_ok=true argument survives at all 9 call sites, and that an unset session variable still fails closed (excludes rows) rather than open.
CI: build-native permissions fix (#632)
Thanks to @FritzHeider for catching a classic GitHub Actions reusable-workflow gotcha — build-native.yml pushes NAPI binary commits internally and declares permissions: contents: write on itself, but the calling job in release.yml wasn't granting that permission, so it silently couldn't inherit it. One-line fix.
Security: CVE scan + supply-chain hygiene (#672)
Ran cargo audit + cargo deny check against main and found it failing both: 3 real RustSec advisories and a cargo deny policy violation.
crossbeam-epochbumped to the patched 0.9.20 (real fix).quick-xml's two DoS advisories: traced the full transitive path (inferno <- pprof's optional flamegraph feature) and confirmed it's blocked upstream — evenpprof's newest release still pinsinferno ^0.11, which pinsquick-xml ^0.26. Documented, justified ignore rather than a silent suppress.ttf-parser(unmaintained, "no safe upgrade available" per the advisory itself) was the actual thing failingcargo deny— present in three different versions via three unrelated dev/bench/example-only dependency chains. Documented ignore.- Along the way, found and fixed a real bug in the policy files themselves: three RUSTSEC IDs had their human-readable justification comments cyclically swapped between
deny.tomland.cargo/audit.toml(verified against the authoritative advisory-dbpackagefield) — the ignored IDs were always correct, but the descriptions would have misled the next person doing a security review. Also removed 5 dead ignore entries thatcargo denyitself flagged as no-longer-applicable.
cargo audit and cargo deny check both exit clean on main for the first time in a while.
A process note
Neither ruvector-core nor ruvector-extensions had a working automated publish path at the time of this release — release.yml (the documented Rust release pipeline) has been failing with a workflow-file startup_failure for over a month, and ruvector-extensions has never had CI publish coverage. Both were published by hand this round with the equivalent gates run locally (full test suites, including the previously-silently-skipped TypeScript tests, plus --dry-run on both registries) in lieu of CI. Worth a follow-up to fix release.yml and add real publish CI for ruvector-extensions.
Upgrade
:::bash
cargo add ruvector-core --features lattice-embeddings
npm install ruvector-extensions@0.1.2