mealie-recipes/mealie v1.4.0

on GitHub

Highlights

• Security updates (more on that below)
• OIDC Login Support - #2860, #3280
• Initial Startup Workflow - #3204

Security Updates

The team at Github Security Lab provided us with a disclosure containing some recommendations for enhancing the security of Mealie, which have been implemented as part of this release. The vulnerabilities all required an authenticated user to exploit, so were likely only an issue if you allowed open registration to your system.

The key functional change you'll notice is that it's now not possible to scrape recipes/images from URLs that resolve to internal IP addresses. This is to prevent a user being able to map out the network the Mealie instance is part of.

Note that we now default the ALLOW_SIGNUP environment variable to false, previously it was true.

There is a new security page available in the documentation should you want to read up on some extra security steps you can take for your Mealie instance.

The pull request was #3368

What's Changed

• docs(auto): Update image tag, for release v1.3.2 by @github-actions in #3279
• feat: Login with OAuth via OpenID Connect (OIDC) by @hay-kot in #3280
• fix: Typos in OIDC docs by @boc-the-git in #3285
• fix: Allow UserOut to accept list of slugs for recipe favorites by @michael-genson in #3283
• feat: First Time Setup Wizard by @michael-genson in #3204
• fix(deps): update dependency tzdata to v2024 by @renovate in #3281
• New Crowdin updates by @hay-kot in #3286
• New Crowdin updates by @hay-kot in #3299
• fix(deps): update dependency pydantic to v2.6.4 by @renovate in #3300
• feat: Timeline Filters by @michael-genson in #3284
• fix: Only call store APIs once by @michael-genson in #3306
• fix: Date pickers not respecting locale or first day of the week by @michael-genson in #3303
• New Crowdin updates by @hay-kot in #3307
• fix: Limit shopping list owners to current group by @michael-genson in #3305
• fix: Shopping List Migration Fails With No Users by @michael-genson in #3290
• New Crowdin updates by @hay-kot in #3313
• fix: proxy get_all to page_all by @hay-kot in #3312
• fix: Purge Group Exports type mismatch by @michael-genson in #3314
• fix: remove deprecated lifecycle and consolidate startup actions by @hay-kot in #3311
• New Crowdin updates by @hay-kot in #3319
• chore(deps): update dependency coverage to v7.4.4 by @renovate in #3316
• chore(deps): update dependency ruff to v0.3.3 by @renovate in #3261
• chore(deps): update dependency black to v24.3.0 by @renovate in #3322
• chore(deps): update dependency mkdocs-material to v9.5.14 by @renovate in #3333
• docs: Update maintainers.md by @eltociear in #3339
• Dicsussion Template: OAuth example template by @cmintey in #3340
• chore(deps): update dependency pytest-asyncio to v0.23.6 by @renovate in #3341
• fix(deps): update dependency uvicorn to v0.28.1 by @renovate in #3342
• fix: Repeated calls to group self by @michael-genson in #3321
• New Crowdin updates by @hay-kot in #3328
• fix(deps): update dependency uvicorn to ^0.29.0 by @renovate in #3346
• New Crowdin updates by @hay-kot in #3347
• OIDC Docs Updates by @cmintey in #3323
• New Crowdin updates by @hay-kot in #3351
• chore(deps): update dependency ruff to v0.3.4 by @renovate in #3353
• Add OIDC environment variable for specififying the signing algorithm by @cmintey in #3354
• feat: Migrate from My Recipe Box by @michael-genson in #3352
• New Crowdin updates by @hay-kot in #3355
• New Crowdin updates by @hay-kot in #3361
• Update dependency mkdocs-material to v9.5.15 by @renovate in #3358
• New Crowdin updates by @hay-kot in #3366
• Update dependency SQLAlchemy to v2.0.29 by @renovate in #3362
• Update dependency pre-commit to v3.7.0 by @renovate in #3369
• Reset the search input after selection on the RecipeOrganizerSelector by @Kuchenpirat in #3373
• Update dependency rapidfuzz to v3.7.0 by @renovate in #3370
• fix: Recipe Search URL State by @michael-genson in #3332
• New Crowdin updates by @hay-kot in #3377
• feat: Add auto-select-first attribute to RecipeOrganizerSelector by @Kuchenpirat in #3376
• feat: cookbook editor on cookbook page by @Kuchenpirat in #3378
• New Crowdin updates by @hay-kot in #3379
• docs: Tidy up the 'task' template by @boc-the-git in #3380
• New Crowdin updates by @hay-kot in #3381
• fix(deps): update dependency orjson to v3.10.0 by @renovate in #3383
• fix(deps): update dependency tzdata to v2024 by @renovate in #3386
• fix(deps): update dependency apprise to v1.7.5 by @renovate in #3394
• chore(deps): update dependency mkdocs-material to v9.5.16 by @renovate in #3397
• New Crowdin updates by @hay-kot in #3400
• refactor: Sidebar UI by @Kuchenpirat in #3390
• fix(deps): update dependency pillow to v10.3.0 by @renovate in #3402
• chore(deps): update dependency ruff to v0.3.5 by @renovate in #3405
• chore(deps): update dependency mkdocs-material to v9.5.17 by @renovate in #3407
• fix(deps): update dependency fastapi to v0.110.1 by @renovate in #3408
• security: gh security recs by @hay-kot in #3368
• redirect to direct login on failure by @cmintey in #3406

New Contributors

• @eltociear made their first contribution in #3339

Full Changelog: v1.3.2...v1.4.0