github CodesWhat/drydock v1.4.1

5 hours ago

What's New

Added

  • Headless mode (DD_SERVER_UI_ENABLED) — Run drydock as an API-only service by setting DD_SERVER_UI_ENABLED=false. The REST API, SSE, and healthcheck endpoints remain fully functional while the UI is not served. Useful for controller nodes that only manage agents.
  • Maturity-based update policy — Per-container update maturity policy via dd.updatePolicy.maturityMode (all or mature) and dd.updatePolicy.maturityMinAgeDays (default 7). When set to mature, an update that was detected more recently than the configured age threshold is blocked from triggering until it has settled. The UI shows NEW/MATURE badges with flame/clock icons on containers with available updates. (#120)
  • ?groupByStack=true URL parameter — Bookmarkable URL parameter to enable stack grouping on the containers page. (#145)

Fixed

  • Agent handshake and SSE validation failure — Fixed the agent API returning redacted container data, which caused controller-side Joi validation to reject the handshake and crash on real-time SSE container events. (#141)
  • Mangled argon2 hash detection — Docker Compose $ interpolation can strip $ delimiters from argon2 PHC hashes. Drydock now detects mangled hashes at startup and surfaces an actionable error message. (#147)
  • Anonymous auth fallback — When all configured auth providers fail to register, Drydock now falls back to anonymous mode if DD_ANONYMOUS_AUTH_CONFIRM=true is set. (#147)
  • Auth registration errors on login page — Registration warnings are now surfaced on the login page instead of a generic "No authentication methods configured" message. (#147)
  • CSRF validation behind reverse proxies — Same-origin mutation checks now honor X-Forwarded-Proto and X-Forwarded-Host when present. (#146)
  • Hosts page missing env-var-configured watchers — Watchers configured via DD_WATCHER_* environment variables are now displayed on the Hosts page. (#151)
  • Compose trigger affinity — Enforce compose-file affinity when associating triggers with containers. (#139)
  • CSP inline style violations — Replaced runtime element.style mutations with CSS custom properties and class-based styling.
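
The mangled argon2 hash item above, illustrated with an added example that is not drydock's own code: a simplified model of Compose `$` interpolation applied to a constructed PHC hash, a structural check that tells an intact hash from a mangled one, and the `$$` escaping that Compose treats as a literal `$`. All function names and the sample hash are assumptions made for this illustration.

```javascript
// Added example, not drydock's implementation. All names are hypothetical.
// Argon2 PHC string: $argon2{id,i,d}$v=<n>$m=<n>,t=<n>,p=<n>$<salt>$<hash>
// (the v= segment is optional; salt and hash are unpadded base64).
const PHC_ARGON2 = /^\$argon2(id|i|d)(\$v=\d+)?\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$/;

// Fragments that typically survive once "$name" tokens have been eaten:
// the variant name (only some "$" lost) or the ",t=..,p=.." parameter tail.
const ARGON2_RESIDUE = /argon2|\bt=\d+,p=\d+/;

// Constructed sample value, not a real credential.
const SAMPLE_HASH =
  "$argon2id$v=19$m=65536,t=3,p=4$c2FtcGxlc2FsdA$aGFzaGJ5dGVzZm9yZGVtbw";

// Simplified model of Compose interpolation: "$$" becomes a literal "$",
// "$NAME" or "${NAME}" becomes env[NAME], or "" when the variable is unset.
function composeInterpolate(value, env = {}) {
  const pattern =
    /\$(?:(\$)|\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))/g;
  return value.replace(pattern, (_, escaped, braced, bare) => {
    if (escaped) return "$";
    const name = braced || bare;
    return Object.hasOwn(env, name) ? env[name] : "";
  });
}

// Startup-style check: "valid", "mangled" (argon2 residue without PHC
// structure), or "not-argon2" (nothing recognisable).
function classifyArgon2Hash(value) {
  if (PHC_ARGON2.test(value)) return "valid";
  if (ARGON2_RESIDUE.test(value)) return "mangled";
  return "not-argon2";
}

// Double every "$" so Compose passes the hash through unchanged.
function escapeForCompose(hash) {
  return hash.replace(/\$/g, "$$$$"); // "$$$$" in a replacement emits "$$"
}

const mangled = composeInterpolate(SAMPLE_HASH);
console.log(JSON.stringify(mangled), classifyArgon2Hash(mangled));
console.log(escapeForCompose(SAMPLE_HASH));
```

In this model every `$segment` of the unescaped hash is read as an unset variable, so only the text after each variable name survives; the escaped form round-trips to the original string.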

Security

  • Username enumeration timing side-channel — Eliminated timing difference between valid and invalid usernames during authentication.
  • LokiJS metadata exposure — Stripped internal LokiJS fields from API responses.
  • Permissions-Policy header — Added Permissions-Policy header to restrict browser feature access.
  • CSP and Cross-Origin-Embedder-Policy — Tightened Content Security Policy and added COEP header.
  • Production image hardening — Removed wget, nc, and npm from the production Docker image; upgraded zlib.

Dependencies

  • undici — Bumped to 7.24.1 (fixes 12 CVEs including WebSocket memory consumption, CRLF injection, and request smuggling).

Full Changelog: v1.4.0...v1.4.1
