maxfield-allison/dnsweaver v1.1.3

on GitHub

Security

• CACHE_BUST build arg for Docker layer cache invalidation: --pull alone was
  insufficient — if the Alpine base image tag hasn't been rebuilt, Docker layer
  caching preserves stale apk upgrade output. Added ARG CACHE_BUST in the
  runtime stage and --build-arg CACHE_BUST=$CI_PIPELINE_ID to all CI Docker
  build commands, ensuring every pipeline runs a fresh apk upgrade
• Reconciler race condition: Added reconcileMu mutex to serialize
  Reconcile() calls, preventing concurrent map access
• Case-sensitive hostname comparison: Fixed orphan cleanup to use
  source.NormalizeHostname() for consistent case-insensitive hostname matching
• SSH config getEnvOrFile alignment: When _FILE key is set but file is
  unreadable, now returns empty string (hard-fail) matching config behavior
• Dry-run orphan accuracy: Always build record cache (was nil in dry-run mode);
  refactored deletion functions to check dry-run per-record
• RecoverOwnership error handling: Now returns error listing failed providers
  instead of silently continuing
• Bounded HTTP response reading: Replaced all io.ReadAll calls in Pi-hole
  client with httputil.ReadBody (10 MB limit) to prevent memory exhaustion
• Integer overflow guards: Added gosec G115 clamps — TTL to uint32 in
  RFC 2136, SRV/HTTPS fields to uint16 in Technitium

Fixed

• Hostname provider map initialization: Initialize hostnameProviders map in
  New() instead of lazy nil check

Docker Images

docker pull ghcr.io/maxfield-allison/dnsweaver:v1.1.3
docker pull docker.io/maxamill/dnsweaver:v1.1.3