Security
- Status pages: public payloads now use a strict allowlist of monitor fields — credentials and internal configuration are never sent to visitors (GHSA-3m74-8cg9-rp8j)
- Monitor advanced matching now uses RE2 with tightened regex validation — fixes ReDoS via user-controlled regex (GHSA-4c6j-p2cv-wf56)
Fixes
-
Docker: server images moved from Node 20 (EOL) to Node 22 — fixes broken image builds caused by
re2native compilation -
Added root
.dockerignoreso hostnode_modulesand.envfiles no longer leak into image builds -
New unit suite covering the public status-page payload