fix: resolve login errors, prevent password leaks, and protect state files

Changelog

@@ -3,10 +3,17 @@
 2.8.42 2026-05-25
 
 - chore: bump version to 2.8.42.
+- fix: resolve invalid login credentials error by defaulting to root when only --pass is set and escaping single quotes in passwords (#781).
 - fix: resolve fake aborted connections count increase during password strength checks (#900).
 - fix: resolve EOF metadata corruption and duplicated configurations in Emacs block (#904).
+- fix: prevent plaintext password leakage in weak password diagnostic messages.
+- fix: implement symlink verification and atomic writes for aborted connects state file protection.
+- fix: append transport-specific host and container identifiers in state file path to prevent collisions.
+- test: strengthen authentication plugin checks and add verification suite for state file protections.
 - ci: optimize release notes generation to isolate branch changes.
 - perf: optimize --dumpdir performance by excluding heavy RDS/Aurora and internal metrics.
+- docs: improve authentication plugins algorithm labels and resolve absolute documentation links.
+- refactor: catch explicit exception classes in build/release_gen.py to prevent masking system signals.
 
 
 2.8.41 2026-05-17

ROADMAP.md

@@ -197,7 +197,10 @@ To ensure consistency and high-density development, the following roles are defi
 * [ ] **Automated Changelog Formatting Verification**: Implement a Git pre-commit hook that automatically checks if the `Changelog` has been modified when changes of type `feat` or `fix` are detected, preventing commits without changelog documentation.
 * [ ] **Containerized Validation Runners**: Standardize local pre-flight checks by executing all verification steps (including unit tests and version consistency checks) inside a standardized, minimal Docker environment to avoid environmental differences between developer environments and CI.
 * [ ] **Interactive Release Orchestrator**: Create a script that automates the interactive selection of version bump categories (micro, minor, major), executes the version replacement across all 6 reference locations, and automatically runs the `release_gen.py` script to generate release notes in a single workflow step.
-
+* [ ] **Automated Release Notes Synchronization**: Create a script or Git hook that automatically extracts changes from the branch commits and populates the `Executive Summary` sections in both the `Changelog` and release notes to prevent manual synchronization omissions.
+* [ ] **Schema Validation for Release Artifacts**: Implement a CI step to parse and validate that markdown formats, issues referenced, and version definitions in the `releases/` directory are syntactically and logically correct before release tagging.
+* [ ] **Structured Roadmap Schema Validation**: Implement a markdown linter or schema validator specifically for the `ROADMAP.md` checklist syntax (verifying correct hyperlinks, file pathways, and category labels).
+* [ ] **Automated Status Checklist Sync**: Integrate a workflow script that automatically marks roadmap checklist items as completed (`[x]`) upon detection of related commit scopes (e.g. `feat(auth):` marking authentication items as done).
 
 ## 🤝 Contribution & Feedback
 

build/release_gen.py

@@ -65,13 +65,13 @@ def get_git_commits(version):
             prev_tag = subprocess.check_output(['git', 'describe', '--tags', '--abbrev=0', f'{tag}^'], stderr=subprocess.DEVNULL).decode().strip()
             commits = subprocess.check_output(['git', 'log', f'{prev_tag}..{tag}', '--pretty=format:- %s (%h)']).decode().strip()
             return commits if commits else "No new commits recorded."
-        except:
+        except (subprocess.CalledProcessError, FileNotFoundError, OSError):
             # Maybe the tag doesn't exist yet, try HEAD instead of tag
             try:
                 prev_tag = subprocess.check_output(['git', 'describe', '--tags', '--abbrev=0'], stderr=subprocess.DEVNULL).decode().strip()
                 commits = subprocess.check_output(['git', 'log', f'{prev_tag}..HEAD', '--pretty=format:- %s (%h)']).decode().strip()
                 return commits if commits else "No new commits recorded."
-            except:
+            except (subprocess.CalledProcessError, FileNotFoundError, OSError):
                 return "Initial release or no previous tag found."
     except Exception:
         return "Commit history unavailable."
@@ -118,14 +118,14 @@ def analyze_tech_details(version):
         try:
             try:
                 prev_tag = subprocess.check_output(['git', 'describe', '--tags', '--abbrev=0', f'{tag}^'], stderr=subprocess.DEVNULL).decode().strip()
-            except:
+            except (subprocess.CalledProcessError, FileNotFoundError, OSError):
                 prev_tag = subprocess.check_output(['git', 'describe', '--tags', '--abbrev=0'], stderr=subprocess.DEVNULL).decode().strip()
 
             old_code = subprocess.check_output(['git', 'show', f'{prev_tag}:mysqltuner.pl']).decode()
             old_opts = get_cli_options(old_code)
             old_indicators = analyze_indicators(old_code)
             old_names = extract_diagnostic_names(old_code)
-        except:
+        except (subprocess.CalledProcessError, FileNotFoundError, OSError):
             # Fallback to empty if no previous tag at all
             old_opts = set()
             old_indicators = {'good':0, 'bad':0, 'info':0, 'total':0}

documentation/AUTHENTICATION_PLUGINS.md

@@ -6,8 +6,8 @@ This document provides a comprehensive overview of authentication plugins across
 
 | Plugin Name | Description | Algorithm | Security Level | Deprecated / Obsolete | Present in MySQL | Present in MariaDB |
 | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-| `mysql_native_password` | Historical default authentication method. | SHA-1 | Low | Yes (Removed from MySQL 8.4+ / Deprecated in MariaDB) | ✅ (Obsolete) | ✅ (Historical default) |
-| `mysql_old_password` | Ancient pre-4.1 authentication method. | SHA-1 (Old) | Very Low | Yes (Removed) | ❌ | ✅ (Obsolete) |
+| `mysql_native_password` | Historical default authentication method. | Double-SHA-1 | Low | Yes (Removed from MySQL 8.4+ / Deprecated in MariaDB) | ✅ (Obsolete) | ✅ (Historical default) |
+| `mysql_old_password` | Ancient pre-4.1 authentication method. | Legacy pre-4.1 hash | Very Low | Yes (Removed) | ❌ | ✅ (Obsolete) |
 | `sha256_password` | Authenticates using SHA-256 with salting. | SHA-256 | High | Yes (Due to CPU scalability issues without TLS) | ❌ (Removed in 8.4) | ✅ |
 | `caching_sha2_password` | Optimized version of SHA-256 with memory caching. | SHA-256 | High | No | ✅ (Default since 8.0) | ✅ (Since v11.4 for compatibility) |
 | `unix_socket` | Authentication via OS-level user identity (UID). | OS Identity | Very High | No | ✅ (as `auth_socket`) | ✅ |

documentation/REFERENCES.md

@@ -32,7 +32,7 @@ This document contains a curated list of official documentation, engineering blo
 - **MySQL**: [Primary Key Optimization](https://dev.mysql.com/doc/refman/8.4/en/optimizing-primary-keys.html) - Surrogate keys, UUID indexing, and index traversal efficiency.
 - **MySQL**: [JSON Datatype Indexing](https://dev.mysql.com/doc/refman/8.4/en/create-table-secondary-indexes.html#json-column-indirect-index) - Secondary indexing via virtual generated columns.
 - **MariaDB**: [Invisible Indexes KB](https://mariadb.com/kb/en/invisible-indexes/) - Hiding indexes to test query planner changes.
-- **MySQLTuner-perl Specification**: [Naming Conventions & Style Compatibility](file:///documentation/AUTHENTICATION_PLUGINS.md) - Summary of naming styles.
+- **MySQLTuner-perl Specification**: [Naming Conventions & Style Compatibility](AUTHENTICATION_PLUGINS.md) - Summary of naming styles.
 
 ### 6. Replication, High Availability & Clustering
 - **MySQL**: [Group Replication & InnoDB Cluster](https://dev.mysql.com/doc/refman/8.4/en/mysql-innodb-cluster-introduction.html) - Multi-primary setups and flow control.