Release Notes
Thanks to: @cgillinger, @khassel, @KristjanESPERANTO, @sonnyb9
⚠️ This release needs Node.js version >=22.21.1 <23 || >=24 (no change from the previous release)
Compare to previous Release v2.35.0
This release falls outside the quarterly schedule. We opted for an early release due to:
- Security fix for the internal CORS proxy
- API change of the weather provider SMHI
- Several bug fixes
Breaking Changes
The CORS proxy is now disabled by default. If required, it must be explicitly enabled in the config.js file. See the documentation.
⚠️ Security
Several MagicMirror² instances are publicly accessible.
An instance should never be exposed this way. Doing so makes your entire configuration, including secrets and API keys, publicly visible. Furthermore, it allows attackers to target the host; this is prevented only as of this release.
Public MagicMirror² instances should always run behind a reverse proxy with authentication.
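The fixes listed under [core] below (#4084, #4090) concern SSRF through the /cors endpoint, including DNS rebinding. The following is an added illustration of the general defence for a server-side fetch proxy, not MagicMirror²'s own code: reject private/reserved addresses and connect only to the address that was validated. All function names and the range list are assumptions made for this example.

```javascript
// Added example: SSRF guard for a server-side fetch proxy (names are hypothetical).
const net = require("node:net");
const dns = require("node:dns");

// Private, loopback, link-local, multicast and reserved ranges (list chosen for this example).
const blocked = new net.BlockList();
for (const [subnet, prefix] of [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3]
]) blocked.addSubnet(subnet, prefix, "ipv4");
for (const [subnet, prefix] of [["::", 128], ["::1", 128], ["fc00::", 7], ["fe80::", 10], ["ff00::", 8]])
  blocked.addSubnet(subnet, prefix, "ipv6");

function isBlocked(address) {
  const family = net.isIP(address); // 4, 6, or 0 when not an IP literal
  if (family === 0) return true; // fail closed on anything unparsable
  return blocked.check(address, family === 6 ? "ipv6" : "ipv4");
}

// Validate every record of ONE DNS answer; a single internal record rejects the whole answer.
function pickSafeAddress(records) {
  if (!records.length) throw new Error("no addresses resolved");
  const bad = records.find((r) => isBlocked(r.address));
  if (bad) throw new Error(`blocked address ${bad.address}`);
  return records[0];
}

// Usable as the `lookup` option of http.request/https.request: the socket connects to
// the address that was just validated, so a later DNS answer cannot swap the target.
function guardedLookup(hostname, options, callback) {
  dns.lookup(hostname, { ...options, all: true }, (err, records) => {
    if (err) return callback(err);
    let safe;
    try { safe = pickSafeAddress(records); } catch (e) { return callback(e); }
    if (options.all) callback(null, [safe]);
    else callback(null, safe.address, safe.family);
  });
}

// IP literals in the URL skip DNS entirely, so check them before connecting.
function assertUrlAllowed(rawUrl) {
  const url = new URL(rawUrl);
  if (!["http:", "https:"].includes(url.protocol)) throw new Error("scheme not allowed");
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (net.isIP(host) && isBlocked(host)) throw new Error(`blocked address ${host}`);
  return url;
}
```

A caller would run `assertUrlAllowed(target)` first and then pass `lookup: guardedLookup` in the request options; redirects need the same checks on every hop.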
[core]
- Prepare Release 2.36.0 (#4126)
- Allow HTTPFetcher to pass through 304 responses (#4120)
- fix(http-fetcher): fall back to reloadInterval after retries exhausted (#4113)
- config endpoint must handle functions in module configs (#4106)
- fix replaceSecretPlaceholder (#4104)
- restrict replaceSecretPlaceholder to cors with allowWhitelist (#4102)
- fix: prevent crash when config is undefined in socket handler (#4096)
- fix cors function for alpine linux (#4091)
- fix(cors): prevent SSRF via DNS rebinding (#4090)
- add option to disable or restrict cors endpoint (#4087)
- fix: prevent SSRF via /cors endpoint by blocking private/reserved IPs (#4084)
- chore: add permissions section to enforce pull-request rules workflow (#4079)
- update version for develop
[dependencies]
- update dependencies (#4124)
- chore: update dependencies (#4088)
- refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080)
[modules/newsfeed]
- fix(newsfeed): prevent duplicate parse error callback when using pipeline (#4083)
[modules/updatenotification]
- fix(updatenotification): harden git command execution + simplify checkUpdates (#4115)
- fix(tests): correct import path for git_helper module in updatenotification tests (#4078)
[modules/weather]
- fix(weather): use nearest openmeteo hourly data (#4123)
- fix(weather): avoid loading state after reconnect (#4121)
- weather: fix UV index display and add WeatherFlow precipitation (#4108)
- fix(weather): restore OpenWeatherMap v2.5 support (#4101)
- fix(weather): use stable instanceId to prevent duplicate fetchers (#4092)
- SMHI: migrate to SNOW1gv1 API (replace deprecated PMP3gv2) (#4082)