github CodesWhat/drydock v1.3.3

one month ago

What's Changed

16 bug fixes and 7 security hardening patches for reliability, correctness, and defense-in-depth.

Fixed

  • Self-update leaves container stopped — helper container pattern prevents process death during self-update
  • Stale digest after container updates — re-inspects local image on each watch cycle to refresh digest
  • Quay auth token extraction — reads response.data.token instead of response.token
  • GHCR anonymous bearer token — skips auth header when no token configured
  • Created-date-only updates crash — rejects unknown update kind in threshold logic
  • Compose write failure silently ignored — now propagates errors to prevent state desync
  • Self-update fallback removes running old container — only removes old after successful new start
  • Registry calls have no timeout — 30s timeout on all registry API calls
  • HTTP trigger providers have no timeout — 30s timeout on Http, Apprise, Discord, Teams, Telegram
  • Kafka producer connection leak — disconnects producer after send
  • Rollback timer labels not validated — validates with Number.isFinite(), falls back to defaults
  • Health monitor overlapping async checks — in-flight guard prevents duplicate rollback executions
  • Anonymous login double navigation guard — prevents Vue Router errors on anonymous auth
  • Container API response not validated — checks response.ok before parsing
  • express-rate-limit IPv6/X-Forwarded-For warnings — suppressed noisy validation errors

Security

  • fast-xml-parser DoS — override to 5.3.6 (GHSA-jmr7-xgp7-cmfj)
  • tar arbitrary file read/write — replaced native re2 with re2-wasm to eliminate tar entirely (GHSA-83g3-92jg-28cx)
  • Unauthenticated SSE endpoint — moved behind auth middleware + per-IP connection limits
  • Session cookie missing sameSite — set sameSite: 'strict'
  • Predictable session secret — added DD_SESSION_SECRET env override
  • Global error handler leaks internals — replaced with generic error message
  • Entrypoint masks crash exit codes — enabled pipefail for proper restart policy behavior
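
An added example, not drydock's own code, of the per-IP connection limit named in the SSE item above: an Express-style middleware that caps concurrent event streams per client address. The names sseConnectionLimit, maxPerIp, requireAuth, sseHandler and the /events route are assumptions for illustration.

```javascript
// Added example: Express-style middleware capping concurrent SSE streams per client IP.
// Hypothetical names (sseConnectionLimit, maxPerIp); not drydock's implementation.
function sseConnectionLimit(maxPerIp = 5) {
  const open = new Map(); // ip -> number of live streams

  const middleware = (req, res, next) => {
    // Behind a reverse proxy, req.ip is only meaningful when Express
    // "trust proxy" is configured for that proxy.
    const ip = req.ip;
    const current = open.get(ip) || 0;

    if (current >= maxPerIp) {
      // Refuse before any stream state is allocated for this request.
      res.status(429).json({ error: 'Too many event streams' });
      return;
    }

    open.set(ip, current + 1);

    // Release the slot exactly once when the connection closes, so a
    // repeated 'close' event cannot drive the counter below the true value.
    let released = false;
    res.on('close', () => {
      if (released) return;
      released = true;
      const left = (open.get(ip) || 1) - 1;
      if (left <= 0) open.delete(ip); // keep the map from growing with idle IPs
      else open.set(ip, left);
    });

    next();
  };

  // Exposed for monitoring and tests.
  middleware.openCount = (ip) => open.get(ip) || 0;
  return middleware;
}

// Assumed wiring (hypothetical route and handlers), auth first so that
// unauthenticated clients never occupy a slot:
//   app.get('/events', requireAuth, sseConnectionLimit(5), sseHandler);
```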

Full Changelog: https://github.com/CodesWhat/drydock/blob/main/CHANGELOG.md#133--2026-02-16
