releases.shpreview

IAST false positives fixed; profiling crash hardened

v4.10.9

5 fixesThis release5 fixesBug fixesAI-tallied from the release notes
From the original release noteView original ↗

Bug Fixes

  • bootstrap: keep yaml/_yaml loaded during module cleanup, fixing an issue that broke PyYAML consumers such as Airflow.
<!-- -->
  • IAST: This fix resolves an issue where IAST could report a false positive vulnerability against a request whose input did not actually contain tainted data. A concurrent or still-open request holding a tainted value could leak its taint into the current request's checks. Queries are now scoped to the calling request's slot.
<!-- -->
  • Code Security (IAST): fixes an issue where taint tracking could abort the Python process when old-style % string formatting handled tainted text containing literal IAST evidence marker delimiters.
<!-- -->
  • Code Security (IAST): Resolve a weak-hash false positive reported on ddtrace's own code when IAST and the live debugger (Symbol Database) are both enabled.
<!-- -->
  • profiling: crash fix for stack sampler in case where another component installs its own SIGSEGV/SIGBUS handler that the profiler cannot wrap (e.g. CUDA, PyTorch, etc.). The sampler upgrades to the faster fault-recovery copy if it still owns both fault handlers afterwards. Otherwise, it permanently falls back to the syscall-based copy.

Fetched July 16, 2026

IAST false positives fixed; profiling crash hardened… — releases.sh