Download Latest Version ruvector-core 2.3.0 + ruvector-extensions 0.1.2 -- Lattice embeddings, CVE cleanup source code.zip (126.0 MB)
Email in envelope

Get an email when there's a new version of RuVector

Home / ruvector-core-v2.3.0
Name Modified Size InfoDownloads / Week
Parent folder
README.md 2026-07-12 5.3 kB
ruvector-core 2.3.0 + ruvector-extensions 0.1.2 -- Lattice embeddings, CVE cleanup source code.tar.gz 2026-07-12 118.7 MB
ruvector-core 2.3.0 + ruvector-extensions 0.1.2 -- Lattice embeddings, CVE cleanup source code.zip 2026-07-12 126.0 MB
Totals: 3 Items   244.7 MB 2

What's in this release

A Rust crate and an npm package, shipped together: local (non-API) embeddings via Lattice, plus a supply-chain cleanup that turned CI green again.

ruvector-core@2.3.0 + ruvector-extensions@0.1.2 — Lattice embeddings, two ways

Huge thanks to @ohdearquant for a complete, coordinated feature spanning both packages — six PRs across two weeks (#645, [#647], [#648], [#651], [#663], [#664]):

  • ruvector-core gains an optional lattice-embeddings Cargo feature (#648): a pure-Rust, CPU-native LatticeEmbedding provider backed by the lattice-embed crate, bridging its async-only API to EmbeddingProvider's sync interface via a dedicated worker thread rather than risking a block_on-inside-a-runtime panic. Fully opt-in — verified with cargo tree that it adds zero dependencies to the default build.
  • ruvector-extensions gains LatticeWasmEmbeddings (#651): the same capability for the npm/WASM side, following the package's existing provider pattern with test coverage ahead of some sibling providers.
  • The two providers now agree with each other (#663). Shipping both in parallel surfaced a subtle bug: they disagreed on whether bge-small needs a query-side instruction prefix, which would have silently degraded retrieval for anyone indexing with one provider and querying with the other. Fixed, and locked in with a genuinely nice piece of test infrastructure — both the Rust and TypeScript test suites now assert against the same shared fixture (fixtures/lattice-embed/query-prefixes.json), so the two implementations can't quietly re-diverge again.
  • ruvllm's Llama 3.2 support (#645): fixed a hardcoded tie_word_embeddings = false that made Llama 3.2 1B/3B — and any other checkpoint that ties its input/output embedding weights — fail to load in the candle backend. Closes [#646].
  • Housekeeping: lattice-embed/lattice-inference bumped to 0.6 (#664), and a rustfmt pass on lattice_backend.rs (#647) that also unblocked CI formatting checks for everything else in flight.

Postgres RLS: per-statement current_setting() evaluation (#639)

Thanks to @dmitrymaranik for a careful performance fix to tenant-isolation policy generation in ruvector-postgres — wrapping current_setting() in a scalar subquery so Postgres evaluates it once via an InitPlan instead of per-row. This is security-sensitive code (it's what stops one tenant from seeing another tenant's rows), so it got the most scrutiny of anything this cycle: verified the missing_ok=true argument survives at all 9 call sites, and that an unset session variable still fails closed (excludes rows) rather than open.

CI: build-native permissions fix (#632)

Thanks to @FritzHeider for catching a classic GitHub Actions reusable-workflow gotcha — build-native.yml pushes NAPI binary commits internally and declares permissions: contents: write on itself, but the calling job in release.yml wasn't granting that permission, so it silently couldn't inherit it. One-line fix.

Security: CVE scan + supply-chain hygiene (#672)

Ran cargo audit + cargo deny check against main and found it failing both: 3 real RustSec advisories and a cargo deny policy violation.

  • crossbeam-epoch bumped to the patched 0.9.20 (real fix).
  • quick-xml's two DoS advisories: traced the full transitive path (inferno <- pprof's optional flamegraph feature) and confirmed it's blocked upstream — even pprof's newest release still pins inferno ^0.11, which pins quick-xml ^0.26. Documented, justified ignore rather than a silent suppress.
  • ttf-parser (unmaintained, "no safe upgrade available" per the advisory itself) was the actual thing failing cargo deny — present in three different versions via three unrelated dev/bench/example-only dependency chains. Documented ignore.
  • Along the way, found and fixed a real bug in the policy files themselves: three RUSTSEC IDs had their human-readable justification comments cyclically swapped between deny.toml and .cargo/audit.toml (verified against the authoritative advisory-db package field) — the ignored IDs were always correct, but the descriptions would have misled the next person doing a security review. Also removed 5 dead ignore entries that cargo deny itself flagged as no-longer-applicable.

cargo audit and cargo deny check both exit clean on main for the first time in a while.

A process note

Neither ruvector-core nor ruvector-extensions had a working automated publish path at the time of this release — release.yml (the documented Rust release pipeline) has been failing with a workflow-file startup_failure for over a month, and ruvector-extensions has never had CI publish coverage. Both were published by hand this round with the equivalent gates run locally (full test suites, including the previously-silently-skipped TypeScript tests, plus --dry-run on both registries) in lieu of CI. Worth a follow-up to fix release.yml and add real publish CI for ruvector-extensions.

Upgrade

:::bash
cargo add ruvector-core --features lattice-embeddings
npm install ruvector-extensions@0.1.2
Source: README.md, updated 2026-07-12