github Darkdragon14/VolumeVault v1.8.0

6 hours ago

Summary

  • Host-path backup sources and local destinations are now fail-closed when VOLUMEVAULT_HOST_PATH_ALLOWLIST is empty, and approved paths are re-checked at run time to block symlink swaps.
  • Backup destinations that resolve to private, loopback, or link-local IPs are now blocked by default to reduce SSRF risk, unless their ranges are explicitly allowed in VOLUMEVAULT_SSRF_ALLOWED_IPS.
  • API tokens now expire 60 days after creation by default, limiting the impact of leaked tokens.
  • SSH/SFTP destinations can now pin the server host key, including support for trusting a fetched key or using the new POST /api/v1/destinations/host-key endpoint.
  • Sign-in and password-reset requests are now rate-limited to 5 attempts per minute.
  • Restore input validation is stricter, and restore extraction is now confined to the target volume to block unsafe keys and forged archives.

Upgrade Notes

  • This release does not include database migrations.
  • Existing installations that use host-path backup sources or local destinations must set VOLUMEVAULT_HOST_PATH_ALLOWLIST after upgrading if they relied on the previous open default. Run php artisan volumevault:host-path-allowlist:audit to generate the exact value to set.
  • Installations that use a LAN NAS, self-hosted S3 or MinIO endpoint, or any backup destination that resolves to a private IP must add the required CIDR ranges to VOLUMEVAULT_SSRF_ALLOWED_IPS before destination tests, restore listing or download, and storage-quota alerts will work again.
  • Existing API tokens older than 60 days stop working after the upgrade and must be recreated unless SANCTUM_TOKEN_EXPIRATION is changed or set to null.
  • SSH/SFTP host key pinning is optional. Existing destinations continue to work without a pinned key, but pinning is recommended for better protection against man-in-the-middle attacks.
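
The private-IP destination rule from the Summary and the VOLUMEVAULT_SSRF_ALLOWED_IPS upgrade note, shown as an added Python illustration (not VolumeVault's own PHP code): a destination host is accepted only if every address it resolves to is public or falls inside an explicitly allowed range. The comma-separated CIDR format and the resolver lookup table are assumptions constructed for the example.

```python
import ipaddress

# Added illustration of the deny-by-default destination check described in the
# v1.8.0 notes; not code from the VolumeVault project. The env var name comes from
# the release notes, the comma-separated CIDR format is an assumption.


def parse_allowed_ranges(raw):
    """Parse a VOLUMEVAULT_SSRF_ALLOWED_IPS-style value into networks."""
    ranges = []
    for item in raw.split(","):
        item = item.strip()
        if item:
            # strict=False tolerates host bits; garbage still raises ValueError
            ranges.append(ipaddress.ip_network(item, strict=False))
    return ranges


def is_restricted(ip):
    """Private, loopback or link-local. Python's is_private also covers reserved
    and documentation ranges, which is acceptable for a deny-by-default check."""
    return ip.is_private or ip.is_loopback or ip.is_link_local


def destination_allowed(host, allowed_ranges, resolve):
    """Return (ok, reason). `resolve(host)` yields every A/AAAA record; each one is
    checked, because a mixed record set can hide a private address behind a
    public one if only the first answer is inspected."""
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except ValueError as exc:
        return False, f"unparseable address for {host}: {exc}"
    if not addrs:
        return False, f"{host} did not resolve"
    for ip in addrs:
        if is_restricted(ip) and not any(ip in net for net in allowed_ranges):
            return False, f"{host} resolves to restricted address {ip}"
    return True, "ok"


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "s3.public.example": ["1.2.3.4"],            # public only
    "nas.lan": ["192.168.1.20"],                 # LAN NAS
    "minio.internal": ["10.0.5.4", "5.6.7.8"],   # mixed private + public
    "localhost": ["127.0.0.1", "::1"],
    "metadata.link": ["169.254.169.254"],        # link-local
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    lan_only = parse_allowed_ranges("192.168.1.0/24")
    for h in FAKE_DNS:
        print(h, destination_allowed(h, lan_only, fake_resolve))
```

With an empty allowlist only s3.public.example passes; allowing 192.168.1.0/24 additionally admits nas.lan, while minio.internal stays blocked until 10.0.0.0/8 is also listed.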

Verification

  • Local verification before release included:
      ◦ docker run --rm -v "/home/darkdragon/VolumeVault:/app" -w /app volumevault:local php artisan changelog:validate v1.8.0 --release --no-interaction
      ◦ docker run --rm -v "/home/darkdragon/VolumeVault:/app" -w /app volumevault:local php artisan test --compact
      ◦ docker run --rm -v "/home/darkdragon/VolumeVault:/app" -w /app volumevault:local php ./vendor/bin/pint --dirty --format agent
      ◦ npm run build
