microsoft/PyRIT v0.13.0

v0.13.0

Repository: microsoft/PyRIT

Tag: v0.13.0

Published: 2026-04-17T21:08:11Z

Prerelease: no

Release notes:

What's changed?

This release continues the push toward a more composable framework. The headline items are the `TargetConfiguration` redesign (replacing TargetCapabilities), a new `AttackTechnique` abstraction that standardizes how attacks declare and consume their arguments, and a new Converter Panel in the CoPyRIT GUI. We also landed a large unit-test coverage push, hardened CoPyRIT for deployment, and closed out several security items.

⚠️ Breaking Changes

• `TargetConfiguration` replaces `TargetCapabilities` with per-piece input/output typing (#1573, #1588)
• New `AttackTechnique` abstraction with standardized attack args across the framework (#1592, #1608)
• Removed functionality deprecated for v0.13.0, including the FoundryScenario alias and piece.role in conversation analytics (#1618, #1623)
• Stricter validation of explicit empty field overrides in the attack executor (#1507)

Please review the deprecation notes and migration guidance before upgrading.

---

🎯 Targets & Attacks

• TargetConfiguration and message pieces redesign for richer target modeling (#1573, #1588)
• New TargetRequirements to express target-level capability requirements (#1582)
• AttackTechniqueRegistry for discoverable, composable attacks (#1611)
• supports_system_prompt flag on targets (#1563)
• Image input enabled by default for OpenAIChatTarget (#1628)
• Preserve roles when converting messages to seed prompts (#1508)

---

📚 Datasets

• Added VisualLeakBench dataset loader (#1531)
• Added ISO 42001-aligned harm definitions for AI supply chain, transparency, and governance (#1462)
• Normalize remote dataset file types from URLs (#1486)
• Handle empty CSV exports in the remote dataset cache (#1481)
• Include subdirectory jailbreak templates in listings (#1498)

---

📊 Scoring

• SelfAskRefusalScorer improvements and updated scorer metrics workflow (#1549)
• Pre-release scorer evaluation metrics refresh (#1626)
• Deduplicate message pieces before batch scoring (#1504)

---

🖥️ CoPyRIT (GUI) & CLI

• Converter Panel added to the CoPyRIT GUI (#1471)
• Security hardening and Azure deployment support for CoPyRIT (#1554)
• Backend now defaults to localhost instead of 0.0.0.0 (#1612)
• GUI target config now respects the configured model name even when an env var is set (#1590)
• CLI bug fixes and minor updates (#1559)
• Preserve quoted shell arguments in run parsing (#1483)

---

🧩 Framework internals

• IdentifierFilters to enable generic DB queries on component identifiers (#1557)
• Standardized AIRTInitializer (#1578)
• Support relative blob paths in AzureBlobStorageIO (#1478)
• Respect export type in SQLite conversation exports (#1493)
• Preserve raw HTTP body whitespace in HTTPTarget (#1495)

---

🔒 Security

• Mitigate Jinja2 Server-Side Template Injection (SSTI) vulnerability (#1577, #1587)
• Resolve code scanning path injection alerts in the media endpoint (#1607)
• Harden the Jupyter Docker image (#1584)
• Dependabot security bumps across Python and frontend (#1606, #1614)

---

🧪 Tests & Tooling

• Coverage enforcement gate added, with a 78% global floor and 90% on diffs (#1605)
• Massive unit-test coverage push: auth (#1596), models (#1601), score (#1602), executor (#1603), identifiers (#1597), remote dataset loaders (#1604), converters (#1594), memory models (#1598), common utilities (#1600), converter configuration (#1599)
• AWS Bedrock partner integration tests for OpenAI-compatible Mantle endpoints (#1575)
• Partner integration test pipeline YAML (#1543)
• Windows support for the npm lookup in prepare_package.py (#1569, #1629)

---

📖 Docs

• Documentation restructured around three user pathways (framework / CLI…