github hankscafe/omnibus v1.1.0-beta.004
Omnibus v1.1.0-beta.004

v1.1.0-beta.004 - feat/fix: major security, performance, rate-limiting, and metadata resolutions

This release addresses critical systemic bugs, introduces robust API rate limit protections, and mitigates severe performance bottlenecks.

🔒 Security

  • Fixed a critical path traversal (arbitrary file deletion) vulnerability in the delete-orphans diagnostics action by utilizing path.resolve() and enforcing strict child-directory boundaries.
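
A containment check of the kind this fix describes (path.resolve() plus a strict child-directory test), next to a weaker string-prefix test for contrast. This is an added example, not Omnibus source: LIBRARY_ROOT, the function names and the sample paths are assumptions constructed for illustration.

```javascript
// Added example, not Omnibus source. LIBRARY_ROOT and the sample paths are constructed.
const path = require('node:path');

const LIBRARY_ROOT = '/srv/comics/library';

// Weak form, for contrast: a prefix test on the joined string.
// '/srv/comics/library-old/...' also starts with '/srv/comics/library'.
function naiveIsInside(root, candidate) {
  return path.join(root, candidate).startsWith(root);
}

// Hardened form: resolve to an absolute path, then require a strict child of root.
// Returns the absolute path to act on, or null if the request must be refused.
function resolveInside(root, candidate) {
  if (typeof candidate !== 'string' || candidate.includes('\0')) return null;
  const base = path.resolve(root);
  const target = path.resolve(base, candidate); // collapses '..'; absolute input replaces base
  const rel = path.relative(base, target);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (rel === '' || escapes) return null; // '' means the root itself: never delete it
  return target;
}

// Split a client-supplied list into paths safe to delete and paths to refuse and log.
function planDeletions(root, requested) {
  const plan = { allowed: [], refused: [] };
  for (const item of requested) {
    const safe = resolveInside(root, item);
    if (safe) plan.allowed.push(safe); else plan.refused.push(item);
  }
  return plan;
}

// Constructed request body for a hypothetical delete-orphans call.
const sampleRequest = [
  'Batman (2016)/Batman 001.cbz',          // plain child: allowed
  '../library-old/keep.cbz',               // sibling sharing the root's prefix: refused
  '../../../etc/passwd',                   // climbs out of the root: refused
  '/etc/passwd',                           // absolute input: refused
  '.',                                     // the root itself: refused
  'Saga/../../library/Saga/Saga 001.cbz',  // contains '..' but resolves inside: allowed
];
console.log(planDeletions(LIBRARY_ROOT, sampleRequest));
// Caveat: path.resolve() is purely lexical. If the library may contain symlinks,
// compare fs.realpathSync() results of both root and target before unlinking.
```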

🚀 Performance & Stability

  • Mitigated severe OOM (Out of Memory) risks in the reader image API by drastically reducing the AdmZip in-memory cache size and TTL (10 -> 6).
  • Implemented a robust, atomic disk-caching layer for processed WebP reader images, utilizing MD5 hashing and file modified timestamps (mtimeMs) to prevent stale cache delivery and reduce CPU load.
  • Added a FATAL_RATE_LIMIT circuit breaker in the Metron Provider (src/lib/metadata/providers/metron.ts) for HTTP 429 responses where the Retry-After header exceeds 60 seconds.
  • Intercepted the FATAL_RATE_LIMIT error in the METADATA_SYNC background job (src/lib/queue.ts) to break the processing loop and log a [HALTED] status, protecting the server's IP from permanent bans without requiring manual intervention.

๐Ÿ› Bug Fixes

  • Resolved In-Place Seeding Destruction in the importer by deferring physical file renaming of fake extensions until after the payload is safely copied out of the active download client.
  • Fixed XML parsing crashes in src/lib/metadata-extractor.ts by safely escaping stray ampersands while preserving valid numeric entities (e.g., ').
  • Prevented database corruption (NaN IDs) by strictly ignoring non-numeric text slugs in URLs during metadata extraction, and added dynamic Metron API resolution to reverse-engineer true numeric IDs using the Series Name and Year.
  • Updated getSeriesDetails in the Metron Provider to safely resolve text slugs by querying the search endpoint (/?name=) instead of throwing 404s.
  • Fixed an over-aggressive title parsing bug in the Smart Matcher UI (src/app/admin/smart-match/page.tsx) that erased series legitimately named The Omnibus or Volume, and added UI error handling to gracefully intercept FATAL_RATE_LIMIT errors and break the Auto-Scan loop.
  • Updated metadata-extractor.ts to cleanly handle in-memory extension checks without throwing false-positive AdmZip format errors in the system logs.
  • Updated writeComicInfo in src/lib/metadata-writer.ts to log human-readable series names and issue numbers instead of raw database CUIDs during XML embedding.
  • Patched severe race conditions in cron.ts and library-scanner.ts by safely catching Prisma P2002 unique constraint violations to ensure strictly atomic job locking.
  • Restored missing fs, path, and NextResponse imports and fixed implicit any type errors in the reader image route.

🧪 Testing

  • Added defensive fallbacks in src/lib/library-scanner.ts for incomplete Prisma mocks (jobLock.updateMany, jobLock.create) to ensure test suites pass successfully.

Addresses #112