github Yeraze/meshmonitor v4.2.2
on GitHub

6 hours ago

MeshMonitor v4.2.2

Security update + multi-source bug fixes. This release patches the MM-SEC-5/6/7/8 follow-on advisory (four authorization issues uncovered in a follow-up audit to the v4.2.1 disclosure), introduces an admin-configurable Default Landing Page, and fixes several multi-source routing bugs from the 4.0/4.2 line. The most severe finding (MM-SEC-5) leaked the local node's PKI private key to any logged-in user, and MM-SEC-6/7 exposed channel PSKs through endpoints missed by the v4.2.1 patches. All MeshMonitor 4.x deployments should upgrade. Operators of multi-tenant or untrusted-user installations should also rotate their local node's PKI key, any exposed channel PSKs, and any source credentials that non-admin users may have read.

Action Required

  • Rotate your local node's PKI private key if untrusted users had login access on 4.2.1 or earlier.
  • Rotate any channel PSKs that were exposed.
  • Rotate any source credentials (password / apiKey) that may have been read by non-admin users.
  • Full advisory: docs/security/SECURITY_ADVISORY.md

Security

  • MM-SEC-5/6/7/8 follow-on advisory — Four authorization fixes, including a high-severity PKI private-key disclosure, two PSK leak channels missed by the MM-SEC-2 patch, and a source credential leak. (#2915)

Features

  • Admin-configurable Default Landing Page — Choose what users see at the root URL: the unified multi-source dashboard (default) or any single configured source. Lives under Settings → Appearance, admin-only. (#2921, closes #2917)

Bug Fixes

  • Multi-source: Exchange Node Info / Position / Neighbor Info — These actions now route through the source the user selected instead of always going through the default. (#2916, closes #2911)
  • Auto Traceroute checkbox — Now hydrates from the per-source value instead of a stale global, so the toggle reflects what's actually configured on each source. (#2918, closes #2914)
  • Node position override — Writes to the live source row instead of the legacy default row, so manual coordinate overrides actually render. (#2913, closes #2902)
  • Auto-upgrade sidecar — Clears the stale .upgrade-status file before triggering a new upgrade, preventing the watchdog from looping on stale state. (#2920)
  • Desktop x64 macOS DMG — Now ships with x86_64 native binaries instead of accidentally bundling the arm64 better_sqlite3.node. (#2912, closes #2901)
  • Desktop script storage — Honors DATA_DIR so desktop builds can persist user scripts in the configured data directory. (#2919)
  • /api/scan-remote-admin — Handles empty request bodies cleanly instead of 500-ing. (#2910)

Documentation

Dependencies

  • lucide-react 1.11.0 → 1.14.0 (#2895)
  • npm audit fix cleared the serialize-javascript (high) and ip-address (moderate) advisory chains. The remaining 6 advisories are all dev-only esbuild via drizzle-kit / vitepress and have no production runtime exposure.

Issues Resolved

  • #2901 — [BUG] MeshMonitor-Desktop-4.2.0-x64.dmg bundles better_sqlite3.node as arm64 instead of x86_64
  • #2902 — [BUG] Node position override saved to non-rendered source row
  • #2911 — [BUG] 4.2.0 — Exchange Node Info / Position emitted from wrong node
  • #2914 — [BUG] Auto Traceroute
  • #2917 — [FEAT] Load Default Node

Full Changelog

v4.2.1...v4.2.2

🚀 MeshMonitor v4.2.2

📦 Installation

Docker (recommended): 

docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/Yeraze/meshmonitor:4.2.2

🧪 Testing

✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7

📋 Changes

See commit history for detailed changes.

Check out latest releases or
releases around Yeraze/meshmonitor v4.2.2

Don't miss a new meshmonitor release

NewReleases is sending notifications on new releases.

Get notifications