Yeraze/meshmonitor v3.7.2 on GitHub

What's Changed

Enforce channel-based permission checks on telemetry and position endpoints — Anonymous and limited users can no longer fetch telemetry or position data for nodes on channels they don't have viewOnMap permission for. Closes AUTHZ-VULN-02 from the Shannon pentest. (#2038)
Regenerate session after authentication to prevent session fixation (#2034)

Exchange Position with selectable channel — Users can now choose which channel to send position exchange requests on. (#2026, closes #2021)
Light/dark overlay color schemes for map elements — Map overlays now respect the current theme. (#2028, closes #2020)
Add Watch and Reboot + Home Assistant Bridge to user scripts gallery — Two new community scripts from @maxhayim. (#2039, closes #2035, #2036)

AutoAnnounce channel selection ignores disabled channels (#2025, closes #2024)
Duplicate outgoing messages in chat (#2029, closes #2027)
Deploy upgrade watchdog to legacy path for backward compat (#2030, closes #1888)
Reduce node load to prevent firmware heap exhaustion (#2031, closes #2013)
Poll interval now respects WebSocket connection state internally (#2032)
Position precision accuracy was 2x off from Meshtastic documentation — The accuracy estimate displayed for precision bits (both in the info panel and on the map rectangle) was double the correct value. Now matches Meshtastic docs exactly. (#2040, closes #2037)
Fix CSRF token invalidation in system tests — After the session fixation fix, system tests needed to re-fetch the CSRF token post-login. (#2042)

Full Changelog: v3.7.1...v3.7.2

Docker (recommended):

docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/Yeraze/meshmonitor:3.7.2

✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7

See commit history for detailed changes.