What's New
✨ Features
- add lumberjack-backed log rotation, auto-enabled for file outputs with defaults (100MB max size, 30-day retention, 10 backups, no compression). stdout/stderr outputs unaffected (#791)
🐛 Bug Fixes
- default execd listener to IPv4-only (`tcp4`) to avoid unintended IPv6 dual-stack socket binding (#801)
- forward `SIGTERM` to entrypoint process so sandbox workloads receive the signal and can shut down gracefully (#793)
- import mitmproxy CA into NSS DB (`$HOME/.pki/nssdb`) so Chrome trusts intercepted TLS in transparent egress mode; export `NODE_EXTRA_CA_CERTS` for Node.js/npm TLS trust behind interception; install nss-tools in execd image (#776)
🔒 Security
- fix medium/high CodeQL static analysis findings in execd: document and suppress sandbox-local SQL execution false positives, tighten OSSFS temp file creation to owner-only mode (#795, #797)
- bump OpenTelemetry Go dependencies to v1.43.0, addressing Dependabot security alerts across execd, egress, and shared internal telemetry modules (#799)
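
The owner-only temp file change above, illustrated with an added Go example (not execd's own code): one way to create a temp file with owner-only permissions, plus a check that flags files in a directory that group or other can access. The function names, file names and file contents are hypothetical and constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// writeOwnerOnlyTemp writes data to a new, uniquely named file in dir.
// os.CreateTemp opens with O_CREATE|O_EXCL and mode 0600 (before umask).
func writeOwnerOnlyTemp(dir, pattern string, data []byte) (string, error) {
	f, err := os.CreateTemp(dir, pattern)
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.Write(data); err != nil {
		os.Remove(f.Name()) // do not leave a partial file behind
		return "", err
	}
	return f.Name(), nil
}

// looseFiles lists regular files directly in dir with any group/other bit set.
func looseFiles(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var loose []string
	for _, e := range entries {
		info, err := e.Info()
		if err != nil {
			return nil, err
		}
		if info.Mode().IsRegular() && info.Mode().Perm()&0o077 != 0 {
			loose = append(loose, filepath.Join(dir, e.Name()))
		}
	}
	return loose, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "demo-") // constructed scratch directory
	defer os.RemoveAll(dir)
	// Weak pattern: 0644 is readable by group and other under the usual umask.
	os.WriteFile(filepath.Join(dir, "weak.cred"), []byte("constructed"), 0o644)
	writeOwnerOnlyTemp(dir, "cred-*", []byte("constructed"))
	loose, _ := looseFiles(dir)
	fmt.Println("group/other-accessible:", loose)
}
```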
👥 Contributors
Thanks to these contributors ❤️
- Docker Hub: opensandbox/execd:v1.0.14
- Aliyun Registry: sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd:v1.0.14