github CodesWhat/drydock v1.4.6

Warning

Upgrade notes — behavioral changes, please read before updating. These are security hardening fixes, not deprecations: there is no compatibility shim or grace period, so a previously-working deployment can change behavior on upgrade.

  1. OIDC login now requires authorization_endpoint in your provider's discovery metadata. The authorization-redirect allowlist no longer falls back to a broad same-origin match. Mainstream identity providers (Keycloak, Authentik, Authelia, Okta, Google, Entra/Azure AD, Zitadel, …) publish this field and are unaffected. If your /.well-known/openid-configuration does not advertise authorization_endpoint, OIDC sign-in will now fail closed — make sure the discovery document exposes it.
  2. Unauthenticated rate-limit buckets now key on the TCP peer address instead of X-Forwarded-For. Behind a reverse proxy (nginx / Traefik / Caddy), all unauthenticated clients now share a single bucket (the proxy's address), regardless of DD_SERVER_TRUSTPROXY. Internet-facing or multi-user instances may begin to see unexpected 429 Too Many Requests on unauthenticated endpoints. Authenticated requests are keyed per session and are unaffected.
  3. HTTP-trigger proxy URLs must now use the http:// or https:// scheme. Any other scheme (e.g. socks5://) is rejected at config load. Such values were previously accepted but only ever treated as an HTTP proxy — switch to an http(s):// proxy URL.

[1.4.6] — 2026-06-12

Security maintenance release for the 1.4.x line.

Security

  • Dependency security updates — Cleared all known advisories in the shipped backend (app) and dashboard (ui) dependencies, including a critical arbitrary-code-execution issue in protobufjs and high-severity SSRF / prototype-pollution / credential-leak issues in axios, plus @grpc/grpc-js, fast-uri, fast-xml-parser, path-to-regexp, qs, and others. Both workspaces now report zero npm audit vulnerabilities. No major dependency upgrades were needed — the Docker watcher stays on dockerode 4.x (the flagged transitive uuid advisory affects v3/v5/v6 with a buf argument and is not reachable through dockerode's v4() usage; it is pinned to a fixed release via an override).
  • OIDC authorization-redirect hardening — The OIDC provider now requires a strict authorization-endpoint match and no longer falls back to a broad same-origin allowlist when discovery metadata lacks an authorization_endpoint. This prevents an attacker who controls a different path under a shared-origin identity provider from steering the authorization redirect to an attacker-controlled endpoint.
  • HTTP trigger SSRF guard — Proxy URLs configured for the HTTP trigger are now restricted to http/https schemes, validated both at configuration time (schema) and at runtime, failing closed on any other scheme.
  • Rate-limit key spoofing fix — Unauthenticated rate-limit keys are now derived from the TCP peer address (socket.remoteAddress) instead of request.ip, so a client behind a trusted proxy cannot spoof X-Forwarded-For to evade per-IP rate limits.
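The redirect-allowlist change described in upgrade note 1 and the OIDC hardening bullet above, as an added example that is not drydock's own code: the pre-1.4.6 same-origin fallback beside a strict authorization_endpoint match. The discovery documents, issuer and URLs are constructed for illustration.

```javascript
// Added example, not drydock's code: OIDC authorization-redirect allowlist
// before and after the 1.4.6 hardening. All metadata and URLs are constructed.

// Constructed provider metadata, shaped like a Keycloak discovery document.
const ISSUER = "https://idp.example.test/realms/main";
const DISCOVERY_OK = {
  issuer: ISSUER,
  authorization_endpoint: "https://idp.example.test/realms/main/protocol/openid-connect/auth",
};
// Same provider, but the discovery document omits authorization_endpoint.
const DISCOVERY_MISSING = { issuer: ISSUER };

// Redirect the login flow legitimately builds; the query string carries the OIDC request.
const LEGIT_REDIRECT =
  "https://idp.example.test/realms/main/protocol/openid-connect/auth?client_id=drydock&response_type=code&state=s1";
// A different path on the same origin as the identity provider.
const SAME_ORIGIN_OTHER_PATH = "https://idp.example.test/other/auth?client_id=drydock";
// Same host, different port: a different origin under both checks.
const OTHER_PORT = "https://idp.example.test:8443/realms/main/protocol/openid-connect/auth";

function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

// Pre-1.4.6 fallback (illustrative): any URL on the issuer's origin passes.
function sameOriginAllowed(issuer, target) {
  const i = parseUrl(issuer), t = parseUrl(target);
  return !!(i && t) && i.origin === t.origin;
}

// Hardened check: the target must match the advertised authorization_endpoint
// on scheme, host, port and path. Query parameters are the OIDC request itself
// and are not part of the match. No advertised endpoint means fail closed.
function strictEndpointAllowed(discovery, target) {
  const advertised = discovery && discovery.authorization_endpoint;
  if (typeof advertised !== "string") return false;
  const a = parseUrl(advertised), t = parseUrl(target);
  if (!a || !t) return false;
  return a.origin === t.origin && a.pathname === t.pathname;
}

// Stand-alone demonstration of the behavioural difference.
for (const target of [LEGIT_REDIRECT, SAME_ORIGIN_OTHER_PATH, OTHER_PORT]) {
  console.log(target);
  console.log("  same-origin fallback :", sameOriginAllowed(ISSUER, target));
  console.log("  strict endpoint match:", strictEndpointAllowed(DISCOVERY_OK, target));
}
console.log("no authorization_endpoint ->", strictEndpointAllowed(DISCOVERY_MISSING, LEGIT_REDIRECT));
```

A provider whose discovery document lacks authorization_endpoint fails the strict check for every target, which is the fail-closed behaviour the upgrade note warns about.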
