Security
- Supply chain hardening: All Python dependencies pinned to exact versions with cryptographic hashes. Docker base image pinned to SHA256 digest. All GitHub Actions pinned to commit SHAs. New pip-audit CI job detects known vulnerabilities on every push/PR. Dependabot configured for automated weekly updates. (#294)
- Smokeping proxy hardening: Validate full PNG signature (ISO 15948) before serving proxied responses. Added X-Content-Type-Options: nosniff and restrictive CSP header to prevent content injection. (#298)
- ReDoS fixes: Replaced backtracking-prone regex in CM3000 driver and bounded quantifier in modulation engine. (#298)
- Webhook URL no longer logged: Notification channel setup no longer writes the webhook URL to application logs. (#298)
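
The check described in the Smokeping proxy hardening item, as an added sketch that is not the project's own code: it contrasts a 4-byte prefix test with the full 8-byte PNG signature and attaches the two headers the note names. The function names, the 502 status and the exact CSP value are assumptions; the release note does not give them.

```python
# Added example, not project code. Full PNG signature: 89 50 4E 47 0D 0A 1A 0A
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Assumed values: the release note names the headers, not the CSP policy text.
HARDENED_HEADERS = {
    "Content-Type": "image/png",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'",
}


def weak_is_png(body: bytes) -> bool:
    """Prefix-only check, shown for contrast: inspects 4 of the 8 bytes."""
    return body[:4] == b"\x89PNG"


def is_png(body: bytes) -> bool:
    """Full-signature check; bodies shorter than 8 bytes compare unequal."""
    return body[:8] == PNG_SIGNATURE


def build_proxy_response(upstream_body: bytes):
    """Return (status, headers, body) for a hypothetical proxy handler.

    Non-PNG bodies are dropped instead of relayed, and the upstream
    Content-Type is never copied through to the client.
    """
    if not is_png(upstream_body):
        headers = {"Content-Type": "text/plain",
                   "X-Content-Type-Options": "nosniff"}
        return 502, headers, b"upstream did not return a PNG"
    return 200, dict(HARDENED_HEADERS), upstream_body


# Constructed sample bodies (not captured traffic).
SAMPLE_PNG = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR"
SAMPLE_PARTIAL = b"\x89PNG<html>constructed non-image body</html>"
SAMPLE_MANGLED = b"\x89PNG\n\x1a\n" + b"\x00\x00\x00\rIHDR"  # CRLF turned into LF
SAMPLE_HTML = b"<html>constructed upstream error page</html>"

if __name__ == "__main__":
    for name in ("SAMPLE_PNG", "SAMPLE_PARTIAL", "SAMPLE_MANGLED", "SAMPLE_HTML"):
        body = globals()[name]
        status, headers, _ = build_proxy_response(body)
        print(f"{name}: weak={weak_is_png(body)} full={is_png(body)} "
              f"status={status} type={headers['Content-Type']}")
```
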
Improvements
- Python 3.13: Runtime upgraded from Python 3.12 to 3.13. (#296)
Bug Fixes
- Sagemcom login crash: Fixed crash on XMO_INVALID_SESSION_ERR during Sagemcom session recovery.
Documentation
- README: Added CGM4981COM to hardware table, updated BQM, Connection Monitor, Event Log, and Speedtest feature descriptions.
- Wiki: Roadmap updated to v2026-03-26 with all recently shipped features marked as complete.