Upgrading

If you installed with Docker Hub

```shell
# In the same directory as the one you installed
docker compose -f docker-compose.prod.yml down
# Make edits as appropriate to the configuration (see below)
# Pull the new images
docker compose -f docker-compose.prod.yml pull
# Start the daemon
docker compose -f docker-compose.prod.yml up -d
```

If you installed with Docker Build

```shell
# In the same directory as the one you cloned
docker compose down
git pull
# Make edits as appropriate to the configuration (see below)
# Build new images
docker compose up --build
```

Changes
This release addresses multiple high-severity vulnerabilities.

- Security: Replaced wildcard CORS (`origin: "*"`) with strict origin checks. The backend now rejects requests whose origin does not match `process.env.FRONTEND_URL` (defaults to localhost:6767).
- Security: Implemented `zod` schema validation for all drawing payloads (POST/PUT). This prevents Stored XSS and malformed data injection.
- Security: Refactored the SQLite import endpoint. It now writes to a temporary staging area and performs a `PRAGMA integrity_check` before atomically swapping the database file, preventing arbitrary file overwrites.
- Ops: Updated `docker-compose.prod.yml` to accept `FRONTEND_URL` via environment variable injection.
- Deps: Added `zod` and `better-sqlite3` to backend dependencies.
BREAKING CHANGE:

This update requires infrastructure changes.

- Non-localhost deployments MUST define `FRONTEND_URL` in `docker-compose.yml`.

```yaml
services:
  backend:
    image: zimengxiong/excalidash-backend:latest
    # ... other settings ...
    environment:
      - DATABASE_URL=file:/app/prisma/dev.db
      - PORT=8000
      - NODE_ENV=production
      # Uses the user's system ENV var if present, otherwise defaults to localhost
      - FRONTEND_URL=${FRONTEND_URL:-http://localhost:6767}
```

- Containers must be rebuilt to install new dependencies.
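How the backend can consume the `FRONTEND_URL` value above to enforce the strict origin check the Changes list describes, as an added example rather than the project's code. The `(req, res, next)` middleware shape assumes an Express-style server, the function names are invented for the example, and the mock request and response objects are constructed so it runs without a listening socket.

```javascript
// Added example, not the project's own code: a strict CORS origin check driven
// by FRONTEND_URL, the variable the release notes introduce in place of
// `origin: "*"`. The (req, res, next) shape assumes an Express-style server,
// which is an assumption about the backend, not something the notes state.

// Reduce a URL to its origin (scheme://host[:port]) so a trailing slash, a path
// or host-case differences in the configured value never cause a false mismatch.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null; // not an absolute URL, e.g. the literal "null" Origin a sandboxed iframe sends
  }
}

// Strict comparison: scheme, host and port must all match exactly. Prefix and
// suffix look-alikes ("http://localhost:6767.example") and scheme downgrades
// therefore fail, which a substring or regex check would not guarantee.
function isAllowedOrigin(requestOrigin, frontendUrl) {
  const allowed = normalizeOrigin(frontendUrl);
  const got = normalizeOrigin(requestOrigin);
  return allowed !== null && got !== null && got === allowed;
}

// Middleware: a request carrying the configured Origin gets CORS headers that
// name that one origin, never "*"; any other Origin is refused with 403 before
// a route handler runs. A request with no Origin header is not a cross-origin
// browser request, so it passes through with no CORS headers at all.
function corsMiddleware(frontendUrl) {
  return function (req, res, next) {
    const origin = req.headers["origin"];
    if (origin === undefined) return next();
    if (!isAllowedOrigin(origin, frontendUrl)) {
      res.statusCode = 403;
      res.end("Origin not allowed");
      return;
    }
    res.setHeader("Access-Control-Allow-Origin", normalizeOrigin(frontendUrl));
    res.setHeader("Vary", "Origin"); // caches must not reuse this response for other origins
    res.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
    res.setHeader("Access-Control-Allow-Headers", "Content-Type");
    if (req.method === "OPTIONS") {
      res.statusCode = 204; // preflight answered here, no body
      res.end();
      return;
    }
    next();
  };
}

// Constructed stand-ins for the server's request and response objects so the
// middleware can be exercised offline; they mimic only what it touches.
function runMiddleware(middleware, method, origin) {
  const req = { method, headers: origin === undefined ? {} : { origin } };
  const res = {
    statusCode: 200,
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
    end() {},
  };
  let reachedHandler = false;
  middleware(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, headers: res.headers, reachedHandler };
}

// Same default as the compose file when FRONTEND_URL is not set.
const frontend = process.env.FRONTEND_URL || "http://localhost:6767";
const mw = corsMiddleware(frontend);
for (const o of ["http://localhost:6767", "http://localhost:6767.example", "null", undefined]) {
  console.log(String(o), "->", runMiddleware(mw, "POST", o));
}
```

The exact-origin echo plus `Vary: Origin` is the part worth keeping even if the surrounding server differs: reflecting the request's own Origin header back, or comparing origins with `startsWith`, would reopen the hole the wildcard removal was meant to close.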
Full Changelog: v0.1.0...v0.1.1