
chore(main): release 1.4.2 #2622

Open
varfish-bot wants to merge 2 commits into main from release-please--branches--main--components--varfish-server

Conversation

@varfish-bot (Collaborator) commented May 6, 2026

🤖 I have created a release beep boop

1.4.2 (2026-06-02)

Bug Fixes


This PR was generated with Release Please. See documentation.

@coderabbitai (Contributor, bot) commented May 6, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

📝 Walkthrough

Version metadata (.release-please-manifest.json and VERSION) bumped from 1.4.1 to 1.4.2 and a new v1.4.2 changelog section (Bug Fixes, two bullets) was inserted dated 2026-05-18.

Changes

Release Version 1.4.2

| Layer / File(s) | Summary |
|---|---|
| Version Strings: .release-please-manifest.json, VERSION | Version bumped from 1.4.1 to 1.4.2 in release manifest and VERSION file. |
| Changelog Documentation: CHANGELOG.md | Inserted v1.4.2 changelog section dated 2026-05-18 with a Bug Fixes subsection and two linked bullet items referencing #2621 and #2627. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

autorelease: tagged

Poem

🐰 A tiny hop, a tiny cheer,
Manifest and VERSION now appear,
Changelog notes in tidy view,
Two bug fixes join the crew,
Rabbit twirls and stamps a cheer.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'chore(main): release 1.4.2' directly and accurately reflects the main purpose of the pull request, which is to release version 1.4.2 as confirmed by the version updates in all three files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |


@github-actions (bot) commented May 6, 2026

deps-report 🔍

Commit scanned: c2347fc
ℹ️ Python version 3.11 is used by your project but the latest version is 3.14.

Vulnerable dependencies

11 dependencies have vulnerabilities 😱

| Dependency | Advisory | Versions impacted |
|---|---|---|
| black (dev) | Affected versions of the black package are vulnerable to Path Traversal due to unsanitized user input in a cache file name. The vulnerability exists because Black incorporates the --python-cell-magics option value into the cache filename without sanitizing path elements, allowing the computed cache path to escape the intended cache directory. | <26.3.1 |
| idna (transitive) | Affected versions of the idna package are vulnerable to Denial of Service due to an incomplete fix for CVE-2024-3651 that still allows specially crafted inputs to consume significant resources during encoding. The idna.encode() function invokes the valid_contexto validator on every label before applying length-based rejection, so payloads such as long repetitions of the Arabic-Indic digit U+0660 or sequences of the Katakana middle dot U+30FB followed by a CJK character cause valid_contexto to perform extensive context-rule processing across each character. A remote attacker who can supply domain-name input to an application that calls idna.encode() without first enforcing the 253-character DNS length limit can submit arbitrarily large strings that drive the validator to exhaust CPU time, resulting in Denial of Service through resource consumption. | <3.15 |
| markdown (transitive) | Affected versions of the Markdown package are vulnerable to an Uncaught Exception due to improper handling of malformed HTML-like input during Markdown parsing. Python-Markdown 3.8 passes crafted HTML-like sequences to Python's html.parser.HTMLParser, and when HTMLParser raises an AssertionError, the parsing flow does not catch the exception. | <3.8.1 |
| mistune (transitive) | Affected versions of the mistune package are vulnerable to Cross-Site Scripting due to insufficient output encoding of user-controlled attributes in the Figure directive renderer. The render_figure() function in src/mistune/directives/image.py concatenates figclass and figwidth option values directly into HTML attributes without escaping, bypassing the HTMLRenderer escape=True setting. An attacker can inject arbitrary HTML attributes or JavaScript through crafted figclass or figwidth values in reStructuredText Figure directives, leading to script execution in the browser of any user viewing the rendered output. | <=3.2.0 |
| requests | Affected versions of the requests package are vulnerable to Insecure Temporary File reuse due to predictable temporary filename generation in extract_zipped_paths(). The requests.utils.extract_zipped_paths() utility extracts files from zip archives into the system temporary directory using a deterministic path, and if that file already exists, the function reuses it without validating that it is the expected extracted content. | <2.33.0 |
| setuptools (transitive) | Affected versions of Setuptools are vulnerable to Path Traversal via PackageIndex.download(). The impact is Arbitrary File Overwrite: An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context. | <78.1.1 |
| social-auth-app-django (transitive) | Affected versions of the social-auth-app-django package are vulnerable to Authentication Bypass due to unintended email-based account association during the authentication pipeline. In social_django.storage.create_user (invoked by social_core.pipeline.user.create_user), an IntegrityError during user creation triggers a fallback that returns an existing User looked up by e-mail, effectively performing social_core.pipeline.social_auth.associate_by_email even when that step is disabled. | <5.6.0 |
| sqlalchemy | Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to the open for careless uses of str(engine.URL()) in logs and prints. sqlalchemy/sqlalchemy#8563 | <2.0.0b1 |
| urllib3 (transitive) | Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path. | >=1.23,<2.7.0 |
| wheel (transitive) | Affected versions of the wheel package are vulnerable to Path Traversal due to applying extracted file permissions using an unsanitized archive pathname. The vulnerable logic is in wheel.cli.unpack.unpack (and setuptools._vendor.wheel.cli.unpack.unpack), where the code calls wf.extract(zinfo, destination) but then performs destination.joinpath(zinfo.filename).chmod(permissions) using zinfo.filename directly, allowing dot-dot-slash sequences to escape the intended directory. | >=0.40.0,<=0.46.1 |
| xmltodict (transitive) | Affected versions of the xmltodict package are vulnerable to Improper Input Validation due to insufficient validation of XML element, attribute, and xmlns prefix names. The xmltodict._validate_name function did not reject the ", ', and = characters, allowing unparse to serialize keys into tag or attribute names containing illegal tokens and produce ill-formed XML. | <0.15.1 |

Outdated dependencies

81 outdated dependencies found (including 24 outdated major versions) 😢

| Dependency | Installed version | Latest version |
|---|---|---|
| alabaster (transitive) | 0.7.16 | 1.0.0 |
| aldjemy | 2.6 | 3.2 |
| argon2-cffi (transitive) | 21.3.0 | 25.1.0 |
| attrs | 25.4.0 | 26.1.0 |
| black (dev) | 25.12.0 | 26.5.1 |
| crispy-bootstrap4 (transitive) | 2024.1 | 2026.2 |
| django | 4.2.30 | 6.0.5 |
| django-autocomplete-light (transitive) | 3.11.0 | 4.0.1 |
| django-model-utils (transitive) | 4.4.0 | 5.0.0 |
| django-rest-knox (transitive) | 4.2.0 | 5.0.4 |
| isort (dev) | 7.0.0 | 8.0.1 |
| mypy-protobuf (dev) | 3.6.0 | 5.1.0 |
| packaging (transitive) | 23.2 | 26.2 |
| pandas | 2.3.3 | 3.0.3 |
| protobuf | 5.29.6 | 7.35.0 |
| redis | 7.4.0 | 8.0.0 |
| rpds-py (transitive) | 0.30.0 | 2026.5.1 |
| setuptools (transitive) | 70.0.0 | 82.0.1 |
| simplejson | 3.20.2 | 4.1.1 |
| sphinx (transitive) | 7.2.6 | 9.1.0 |
| sphinx-rtd-theme (transitive) | 2.0.0 | 3.1.0 |
| sqlalchemy | 1.4.54 | 2.0.50 |
| unidecode (transitive) | 0.4.21 | 1.4.0 |
| xmltodict (transitive) | 0.13.0 | 1.0.4 |

| Dependency | Installed version | Latest version |
|---|---|---|
| aiobotocore (transitive) | 3.6.0 | 3.7.0 |
| aiohappyeyeballs (transitive) | 2.6.1 | 2.6.2 |
| aiohttp (transitive) | 3.13.5 | 3.14.0 |
| botocore (transitive) | 1.43.0 | 1.43.19 |
| celery (transitive) | 5.3.6 | 5.6.3 |
| certifi (transitive) | 2026.4.22 | 2026.5.20 |
| click | 8.3.3 | 8.4.1 |
| coverage (dev,transitive) | 7.13.5 | 7.14.1 |
| decorator (dev,transitive) | 5.2.1 | 5.3.1 |
| django-coverage-plugin (dev) | 3.1.1 | 3.2.2 |
| django-crispy-forms (transitive) | 2.1 | 2.6 |
| django-environ (transitive) | 0.11.2 | 0.13.0 |
| django-iconify (transitive) | 0.3 | 0.5.0 |
| django-postgres-copy | 2.3.7 | 2.8.0 |
| django-sodar-core | 1.0.6 | 1.3.2 |
| django-test-plus (dev) | 2.3.0 | 2.4.1 |
| djangorestframework | 3.15.2 | 3.17.1 |
| docutils (transitive) | 0.20.1 | 0.23 |
| drf-spectacular-sidecar (transitive) | 2026.5.1 | 2026.6.1 |
| faker | 40.15.0 | 40.20.0 |
| greenlet (transitive) | 3.5.0 | 3.5.1 |
| grpcio (dev,transitive) | 1.80.0 | 1.81.0 |
| grpcio-tools (dev) | 1.68.1 | 1.81.0 |
| idna (transitive) | 3.13 | 3.18 |
| ipython (dev,transitive) | 9.13.0 | 9.14.0 |
| jedi (dev) | 0.19.2 | 0.20.0 |
| lxml | 6.1.0 | 6.1.1 |
| markdown (transitive) | 3.5.2 | 3.10.2 |
| markdown-it-py (transitive) | 4.0.0 | 4.2.0 |
| matplotlib-inline (dev,transitive) | 0.2.1 | 0.2.2 |
| mistune (transitive) | 3.0.2 | 3.2.1 |
| numpy | 2.4.4 | 2.4.6 |
| platformdirs (dev,transitive) | 4.9.6 | 4.10.0 |
| propcache (transitive) | 0.4.1 | 0.5.2 |
| pydantic | 2.13.3 | 2.13.4 |
| pydantic-core (transitive) | 2.46.3 | 2.47.0 |
| pyjwt (transitive) | 2.12.1 | 2.13.0 |
| regex (transitive) | 2026.4.4 | 2026.5.9 |
| reportlab | 4.5.0 | 4.5.1 |
| requests | 2.32.5 | 2.34.2 |
| requests-http-signature | 0.2.0 | 0.7.1 |
| rules (transitive) | 3.3 | 3.5 |
| selenium (dev) | 4.43.0 | 4.44.0 |
| sentry-sdk | 2.59.0 | 2.61.1 |
| snowballstemmer (transitive) | 3.0.1 | 3.1.0 |
| social-auth-app-django (transitive) | 5.4.3 | 5.9.0 |
| social-auth-core (transitive) | 4.8.7 | 4.9.1 |
| soupsieve (transitive) | 2.8.3 | 2.8.4 |
| traitlets (dev,transitive) | 5.14.3 | 5.15.0 |
| typer (transitive) | 0.25.1 | 0.26.6 |
| types-protobuf (dev) | 7.34.1.20260508 | 7.34.1.20260518 |
| types-psycopg2 (dev,transitive) | 2.9.21.20260422 | 2.9.21.20260518 |
| urllib3 (transitive) | 2.6.3 | 2.7.0 |
| vcfpy | 0.13.8 | 0.14.2 |
| wheel (transitive) | 0.42.0 | 0.47.0 |
| wrapt | 2.1.2 | 2.2.1 |
| yarl (transitive) | 1.23.0 | 1.24.2 |

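The deps-report above lists, for each advisory, an affected range and, further down, the installed and latest versions of the same packages. The check a reviewer actually wants before merging a release is whether each installed version really falls inside its advisory range and whether the listed latest version clears it (for sqlalchemy that is a 1.4 to 2.0 major jump, for urllib3 exactly the 2.7.0 boundary). The script below is an added example, not part of varfish-server or of the deps-report action. It implements a deliberately small subset of PEP 440 (dotted numeric releases with an optional a/b/rc suffix, operators <, <=, >, >=, == joined by commas) and refuses anything else rather than guessing; the REPORT table is constructed by hand from the rows above.

```python
"""Cross-check deps-report rows against their advisory ranges (added example)."""
import re
from typing import Dict, Tuple

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}
_SPEC_RE = re.compile(r"^(<=|>=|==|<|>)\s*(\S+)$")

# (release tuple, pre-release key); a final release sorts after any a/b/rc of itself
Version = Tuple[Tuple[int, ...], Tuple[int, int, int]]


def parse_version(text: str) -> Version:
    """'2.0.0b1' -> ((2, 0, 0), (0, 1, 1)); '2.0.0' -> ((2, 0, 0), (1, 0, 0)).

    Subset of PEP 440 by design: epochs, post/dev/local segments and
    wildcards raise instead of being silently misread.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    pre = (0, _PRE_ORDER[m.group(2)], int(m.group(3))) if m.group(2) else (1, 0, 0)
    return release, pre


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1; release tuples are zero-padded so 1.23 == 1.23.0."""
    ra, pa = a
    rb, pb = b
    width = max(len(ra), len(rb))
    ka = ra + (0,) * (width - len(ra)) + pa
    kb = rb + (0,) * (width - len(rb)) + pb
    return (ka > kb) - (ka < kb)


_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}


def is_affected(installed: str, affected_range: str) -> bool:
    """True when `installed` satisfies every comma-separated clause of the range."""
    inst = parse_version(installed)
    for clause in affected_range.split(","):
        m = _SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](compare(inst, parse_version(bound))):
            return False
    return True


# Constructed from the report above: package -> (installed, latest, affected range).
# Installed/latest are taken from the "Outdated dependencies" tables, the range
# from the "Versions impacted" column of the vulnerability table.
REPORT: Dict[str, Tuple[str, str, str]] = {
    "black": ("25.12.0", "26.5.1", "<26.3.1"),
    "idna": ("3.13", "3.18", "<3.15"),
    "markdown": ("3.5.2", "3.10.2", "<3.8.1"),
    "mistune": ("3.0.2", "3.2.1", "<=3.2.0"),
    "requests": ("2.32.5", "2.34.2", "<2.33.0"),
    "setuptools": ("70.0.0", "82.0.1", "<78.1.1"),
    "social-auth-app-django": ("5.4.3", "5.9.0", "<5.6.0"),
    "sqlalchemy": ("1.4.54", "2.0.50", "<2.0.0b1"),
    "urllib3": ("2.6.3", "2.7.0", ">=1.23,<2.7.0"),
    "wheel": ("0.42.0", "0.47.0", ">=0.40.0,<=0.46.1"),
    "xmltodict": ("0.13.0", "1.0.4", "<0.15.1"),
}


def audit(report: Dict[str, Tuple[str, str, str]] = REPORT) -> Dict[str, Tuple[bool, bool]]:
    """Per package: (installed version is affected, latest version is still affected)."""
    return {
        name: (is_affected(installed, rng), is_affected(latest, rng))
        for name, (installed, latest, rng) in report.items()
    }


if __name__ == "__main__":
    for name, (now, still) in audit().items():
        status = "VULNERABLE" if now else "ok"
        fix = "latest does NOT clear it" if still else "latest clears it"
        print(f"{name:24s} {status:10s} {fix}")
```

Running it confirms all eleven installed versions sit inside their ranges and that every listed latest version clears them; the interesting output is the pairs where clearing the advisory means a major bump (sqlalchemy, setuptools, xmltodict), which is where the release PR's "trivial" review effort stops applying to the follow-up work. For a real lockfile, swap the hand-built REPORT for `pip-audit` output or the packaging library's full specifier support; this parser is intentionally narrow.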
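The sqlalchemy row above is the one advisory that no minor bump fixes: the project runs 1.4.54 and the change that stops `str(engine.URL())` from printing the cleartext password landed in 2.0.0b1. Until that major upgrade happens, the practical mitigation is to never let a raw DSN reach a log line. The helper below is an added example, not code from varfish-server or SQLAlchemy; it works on the plain DSN string (settings, environment, exception messages) using only the standard library, so it applies regardless of which SQLAlchemy version is installed. The set of query-string keys treated as secrets is an assumption, and the sample DSNs are constructed.

```python
"""Redact the password in a database DSN before it reaches a log line (added example)."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of query-string keys that carry credentials in common DSN dialects.
SECRET_QUERY_KEYS = {"password", "passwd", "pwd"}
MASK = "REDACTED"


def redact_dsn(dsn: str, mask: str = MASK) -> str:
    """Return `dsn` with any password in the userinfo or query string replaced.

    Scheme, user name, host, port, database and non-secret query parameters
    are preserved so the log line still says which database was targeted.
    """
    parts = urlsplit(dsn)

    netloc = parts.netloc
    # urlsplit has decided whether a password is present (user:pw@host). The
    # netloc is rebuilt from the raw string rather than from parts.hostname so
    # the host keeps its exact spelling (hostname is lowercased and loses IPv6
    # brackets). rpartition on "@" mirrors how urlsplit itself finds userinfo.
    if parts.password is not None:
        userinfo, _, hostport = netloc.rpartition("@")
        user, _, _password = userinfo.partition(":")
        netloc = f"{user}:{mask}@{hostport}"

    query = parts.query
    if query:
        pairs = parse_qsl(query, keep_blank_values=True)
        # Only re-encode the query when a secret key is actually present, so
        # DSNs without one are returned byte-for-byte unchanged.
        if any(key.lower() in SECRET_QUERY_KEYS for key, _ in pairs):
            query = urlencode(
                [(key, mask if key.lower() in SECRET_QUERY_KEYS else value)
                 for key, value in pairs]
            )

    return urlunsplit(parts._replace(netloc=netloc, query=query))


if __name__ == "__main__":
    # Constructed sample DSNs; credentials are made up.
    for sample in (
        "postgresql://varfish:s3cr%40t@db.internal:5432/varfish",
        "postgresql://varfish@db.internal/varfish",
        "postgresql://db/varfish?sslmode=require&password=hunter2",
    ):
        print(redact_dsn(sample))
```

Wire this into whatever formats the engine URL for logging or error reporting (the Sentry integration in the same dependency list is a typical place a raw DSN leaks), and keep the helper in place after the 2.0 upgrade: the library change only covers `str()` of a URL object, not DSN strings that are logged before SQLAlchemy ever parses them.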
varfish-bot force-pushed the release-please--branches--main--components--varfish-server branch from a2aa386 to 4800919 on May 6, 2026 07:26
@codecov (bot) commented May 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89%. Comparing base (fd08f14) to head (c2347fc).

Additional details and impacted files
@@          Coverage Diff          @@
##            main   #2622   +/-   ##
=====================================
  Coverage     89%     89%           
=====================================
  Files        692     692           
  Lines      40753   40753           
=====================================
  Hits       36602   36602           
  Misses      4151    4151           

varfish-bot force-pushed the release-please--branches--main--components--varfish-server branch 7 times, most recently from a42090e to 6687cf3 on May 15, 2026 12:56
varfish-bot force-pushed the release-please--branches--main--components--varfish-server branch 5 times, most recently from 55ef41a to d160782 on May 20, 2026 13:47
varfish-bot force-pushed the release-please--branches--main--components--varfish-server branch from eefc3df to 097e447 on June 2, 2026 13:49
varfish-bot force-pushed the release-please--branches--main--components--varfish-server branch from 2b25d86 to 30a934c on June 2, 2026 15:17