Codex patches Windows sandbox bug while Python SDK ships image API fix

By RepoJournal

Codex fixed a critical Windows sandbox git vulnerability that broke worktree handling, and the Python SDK is already on its second patch in hours after an imagegen regression slipped through.

Codex's Windows sandbox was silently failing on git worktrees: the safe.directory injection followed symlinks to internal `.git/worktrees/` paths, which git's dubious-ownership check then rejected [1]. That is now fixed. In parallel, the vendored Bubblewrap dependency was bumped to 0.11.2 to pick up a setuid security update [2], though the bigger story is that upstream is deprecating setuid builds entirely; expect that to ripple through sandbox initialization soon.

On the app-server side, two architectural shifts landed: the skills watcher moved out of codex-core so that app-server owns cache invalidation and change notifications [4], and MCP elicitations now route through Guardian approval when opted in [5], closing the gap that Browser Use prompts were exploiting. A state DB revert [3] keeps the newer session/thread identity tracking but restores the optional plumbing, with no impact for most deployments.

The Python SDK shipped 2.35.0 with image API updates [6], then was immediately hotfixed to 2.35.1 because the imagegen size enum regressed [7]. If you pulled 2.35.0 in the last few hours, upgrade now.

References

  [1] openai/codex: Fix Windows sandbox git safe.directory for worktrees (#21409)
  [2] openai/codex: vendor: update bubblewrap to 0.11.2 (#21389)
  [3] openai/codex: Revert state DB injection and agent graph store (#21481)
  [4] openai/codex: Move skills watcher to app-server (#21287)
  [5] openai/codex: Route opted-in MCP elicitations through Guardian
  [6] openai/openai-python: v2.35.0
  [7] openai/openai-python: release: 2.35.1

FAQ

What changed in OpenAI on May 7, 2026?
Codex fixed a critical Windows sandbox git vulnerability that broke worktree handling, and the Python SDK is already on its second patch in hours after an imagegen regression slipped through.
What should OpenAI teams do about it?
  • Upgrade openai-python to 2.35.1 if you deployed 2.35.0 in the last 4 hours
  • Pull Codex with the Windows sandbox worktree fix before your next production deploy
  • Monitor for Bubblewrap setuid deprecation breaking changes in the next quarter
Which OpenAI repositories shipped on May 7, 2026?
openai/codex, openai/openai-python
