github CodesWhat/drydock v1.5.0-rc.38

Pre-release, published 6 hours ago

Full Changelog: v1.5.0-rc.37...v1.5.0-rc.38

[1.5.0-rc.38] — 2026-06-19

Added

  • Colored startup banner. When drydock starts on an interactive terminal it now renders the whale logo as a compact truecolor half-block banner followed by a drydock v<version> · <mode> identity line. The art is baked from the master logo (drydock.png) at build time by scripts/gen-banner.mjs, so startup decodes no image. The banner is written to stderr and suppressed automatically when stdout/stderr is not a TTY or NO_COLOR is set, so logs and piped output stay clean.

Changed

  • Consolidated dependency/CVE scanning on Grype; dropped Snyk. Snyk's GitHub SCM integration scans the full dependency requirement graph across every package.json/package-lock.json in the repo rather than the resolved, shipped dependency set, so it over-reports advisories in transitive packages the lockfile never actually resolves to — noise on top of a redundant paid integration. Grype replaces it on both axes: it scans the built container image (the image's package catalog is the dependency set actually shipped) and the six npm lockfiles (root, app, ui, e2e, apps/demo, apps/web), matching the lockfile-resolved versions instead of the manifest graph, so it does not emit the requirement-graph false positives. The free gates already in CI cover the rest — CodeQL (SAST), dependency-review (new-dependency CVEs on PRs), OpenSSF Scorecard, and zizmor — so nothing else was needed (Trivy intentionally not added; drydock is TypeScript/Node, so the Go call-graph scanner govulncheck used on sibling repos does not apply here). The new security-grype.yml runs the dependency scan on pull requests (path-filtered to dependency/Dockerfile/workflow changes) plus a weekly cron and manual dispatch, builds and scans the container image on scheduled/manual runs, and uploads distinct-category SARIF to the GitHub Security tab. Removed the .snyk policy file, the security-snyk-weekly.yml workflow, the setup-snyk composite action, and the scripts/snyk-* gate/quota scripts.
  • Refreshed the drydock whale logo across the app, website, demo, and docs. A new master render replaces the brand mark everywhere — the in-app logo and favicons, the website/demo favicons, PWA icons, and OpenGraph cards, and the README/docs logos (including the dark-mode variant). All brand assets are now regenerated from a single master (drydock.png) via scripts/regenerate-brand-assets.sh. Filenames are unchanged, so the Home Assistant entity_picture URL contract is preserved.

Security

  • Documentation site (apps/web) js-yaml pinned to 4.2.0 (GHSA-h67p-54hq-rp68). fumadocs-mdx pulled js-yaml 4.1.1 transitively; an override forces the patched 4.2.0. Build-time dependency of the website only — not part of the shipped drydock image.

  • E2E load-test harness @opentelemetry/core pinned to 2.8.0 (CVE-2026-54285). artillery pulled @opentelemetry/core 2.7.1 transitively, vulnerable to unbounded memory allocation in W3C Baggage propagation; an override forces the patched 2.8.0. Test-only dependency — not part of the shipped drydock image.

  • Patched the container image's HIGH/CRITICAL CVE surface and scoped the Grype image gate. The first grype-image scan on main flagged a pre-existing CVE backlog that nothing had been scanning (Snyk Container never ran — no token was configured). Bumped the node:24-alpine base (node 24.14.0 → 24.16.0 clearing CVE-2026-21710, musl 1.2.5 → 1.2.6, curl 8.19.0 → 8.20.0, git 2.52.0 → 2.54.0) and cosign 2.6.3 → 3.0.6, which clears every HIGH/CRITICAL in the Node runtime and Alpine OS packages. The only residual HIGH/CRITICAL findings live inside the vendored Go module graphs compiled into the bundled cosign and trivy CLI binaries (drydock shells out to them for signature verification and container scanning) — those clear only when Alpine rebuilds the packages, so a documented .grype.yaml scopes the fail-on-HIGH image gate to the dependencies drydock controls (Node, OS packages, the app npm graph) and excludes the two tool-binary locations. cosign 3.0.6 keeps the verify --output json/--certificate-identity/--certificate-oidc-issuer/--key flags drydock's signature path uses.

  • Patched a batch of newly disclosed undici CVEs across the runtime and tooling workspaces. osv-scanner flagged eight undici advisories disclosed in 2026 — CVE-2026-6733, CVE-2026-6734, CVE-2026-9675, CVE-2026-9678, CVE-2026-9679, CVE-2026-9697, CVE-2026-11525, and CVE-2026-12151. The shipped backend (app) carries undici as a direct dependency and was on 8.3.0, vulnerable to all eight — bumped to 8.5.0, the only release clearing the full set (CVE-2026-9675 is fixed solely in 8.5.0), and pinned in overrides as well. The dashboard build (ui) and the e2e load-test harness pulled undici 7.25.0/7.26.0 transitively; an overrides entry forces 7.28.0 (the patched 7.x line) in each — build- and test-only, not part of the shipped image.

  • Patched nodemailer to 9.0.1 (GHSA-p6gq-j5cr-w38f, CVSS 7.1). A message-level raw option bypassed nodemailer's disableFileAccess/disableUrlAccess guards, allowing arbitrary file read and full-response SSRF in the delivered message. drydock's SMTP trigger only calls createTransport/sendMail with plain from/to/subject/text fields and never passes raw, so the sink isn't reachable here — but the advisory affects every release through 9.0.0 with the fix landing only in 9.0.1, so the direct dependency in app is bumped from 8.0.10. The 8→9 major jump doesn't touch the stable createTransport/sendMail core drydock relies on.
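For the scoped image gate described in the Grype entry above, this is what a `.grype.yaml` of that shape looks like. It is an illustration added here, not the file committed in the drydock repo; the two binary paths are assumed (Alpine installs CLI packages under /usr/bin) and should be confirmed against the image.

```yaml
# .grype.yaml (added illustration; not drydock's committed file)
# Fail the image gate on HIGH or CRITICAL findings in the dependency set the
# repo controls: the Node runtime, Alpine OS packages and the app's npm graph.
fail-on-severity: high

ignore:
  # Residual HIGH/CRITICAL findings sit in the Go module graphs compiled into
  # the bundled cosign and trivy binaries, which only Alpine can rebuild.
  # Install paths below are assumed for this example; verify them with
  # `apk info -L cosign trivy` inside the image before relying on the rule.
  - package:
      type: go-module
      location: "/usr/bin/cosign"
  - package:
      type: go-module
      location: "/usr/bin/trivy"
```

Matches suppressed by these rules are still listed when grype runs with `--show-suppressed`, so the excluded binaries can be re-checked on each base-image bump instead of silently dropping out of the gate.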

Warning

Upgrade notes — behavioral changes, please read before updating. Releases 1.4.6 and the entire 1.5 line ship security-hardening fixes that change runtime behavior. These are not deprecations: there is no compatibility shim or grace period, so a previously-working deployment can change behavior on upgrade.

  1. OIDC login now requires authorization_endpoint in your provider's discovery metadata. The authorization-redirect allowlist no longer falls back to a broad same-origin match. Mainstream identity providers (Keycloak, Authentik, Authelia, Okta, Google, Entra/Azure AD, Zitadel, …) publish this field and are unaffected. If your /.well-known/openid-configuration does not advertise authorization_endpoint, OIDC sign-in will now fail closed — make sure the discovery document exposes it.
  2. Unauthenticated rate-limit buckets now key on the TCP peer address instead of X-Forwarded-For. Behind a reverse proxy (nginx / Traefik / Caddy), all unauthenticated clients now share a single bucket (the proxy's address), regardless of DD_SERVER_TRUSTPROXY. Internet-facing or multi-user instances may begin to see unexpected 429 Too Many Requests on unauthenticated endpoints. Authenticated requests are keyed per session and are unaffected.
  3. HTTP-trigger proxy URLs must now use the http:// or https:// scheme. Any other scheme (e.g. socks5://) is rejected at config load. Such values were previously accepted but only ever treated as an HTTP proxy — switch to an http(s):// proxy URL.
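A pre-upgrade preflight for changes 1 and 3 above, added here as an illustration (not drydock's own code): it inspects a discovery document for `authorization_endpoint` with no same-origin fallback, and applies the http(s)-only proxy URL rule. The sample discovery documents are constructed inline, and matching redirects on the endpoint's exact scheme, host and path is this example's simplification of the allowlist.

```python
"""Preflight for two drydock 1.5 behavioral changes (added illustration,
not drydock's own code): the authorization_endpoint requirement and the
http(s)-only HTTP-trigger proxy rule. Sample inputs are constructed inline."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed document in the shape of /.well-known/openid-configuration.
GOOD_DISCOVERY = {
    "issuer": "https://idp.example.test/realms/drydock",
    "authorization_endpoint": "https://idp.example.test/realms/drydock/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/drydock/protocol/openid-connect/token",
}
# Same provider, but without the field the new release requires.
BROKEN_DISCOVERY = {k: v for k, v in GOOD_DISCOVERY.items() if k != "authorization_endpoint"}


def discovery_problem(discovery: dict) -> Optional[str]:
    """Return why OIDC sign-in would fail closed, or None if the doc is usable."""
    endpoint = discovery.get("authorization_endpoint")
    if not isinstance(endpoint, str) or not endpoint:
        return "discovery metadata does not advertise authorization_endpoint"
    parts = urlsplit(endpoint)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return f"authorization_endpoint is not an absolute http(s) URL: {endpoint!r}"
    return None


def redirect_allowed(discovery: dict, redirect_url: str) -> bool:
    """Allow a redirect only to the advertised authorization_endpoint itself:
    scheme, host and path must match (query parameters may differ). There is
    deliberately no fallback to "any URL on the same origin"; a missing or
    malformed endpoint means nothing is allowed."""
    if discovery_problem(discovery) is not None:
        return False
    want = urlsplit(discovery["authorization_endpoint"])
    got = urlsplit(redirect_url)
    return (got.scheme, got.netloc, got.path) == (want.scheme, want.netloc, want.path)


def proxy_url_accepted(url: str) -> bool:
    """Config-load rule for HTTP-trigger proxies: http:// or https:// only,
    with a host present. socks5:// and bare host:port values are rejected."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)
```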
