github mealie-recipes/mealie v1.4.0

latest releases: v1.5.1, v1.5.0
21 days ago

Highlights

  • Security updates (more on that below)
  • OIDC Login Support - #2860, #3280
  • Initial Startup Workflow - #3204

Security Updates

The team at Github Security Lab provided us with a disclosure containing some recommendations for enhancing the security of Mealie, which have been implemented as part of this release. The vulnerabilities all required an authenticated user to exploit, so were likely only an issue if you allowed open registration to your system.

The key functional change you'll notice is that it's now not possible to scrape recipes/images from URLs that resolve to internal IP addresses. This is to prevent a user being able to map out the network the Mealie instance is part of.

Note that we now default the ALLOW_SIGNUP environment variable to false, previously it was true.

There is a new security page available in the documentation should you want to read up on some extra security steps you can take for your Mealie instance.

The pull request was #3368

What's Changed

New Contributors

Full Changelog: v1.3.2...v1.4.0

Don't miss a new mealie release

NewReleases is sending notifications on new releases.