github mnemosyne-artificial-intelligence/doppelganger v0.5.6
Release 0.5.6

9 hours ago

Release notes

  • Hardened the agent “start” block so it always calls 127.0.0.1:<port> instead of trusting a potentially forged Host header, eliminating the SSRF vector when agents call /tasks/:id/api.
  • Added express-rate-limit on /api/auth/login and /api/auth/setup (default 10 attempts per 15 minutes, configurable via AUTH_RATE_LIMIT_MAX) plus inline guidance so brute-force attacks are now throttled.
  • Documented the intentional CodeQL “user input evaluation” and “weak crypto” findings, noted why they’re false positives, and kept SHA-1 limited to deterministic IDs.
  • Enabled secure session cookies in production (SESSION_COOKIE_SECURE / NODE_ENV=production) and explained the behavior for reviewers so auth sessions only travel over HTTPS.
  • Bump qs from 6.14.0 to 6.14.1 by @dependabot[bot] in #10
  • Bump react-router and react-router-dom by @dependabot[bot] in #11
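The three hardening changes listed above, written out as an added example that is not doppelganger's own code: it assumes the environment variable names from the notes, implements the 15-minute fixed window itself (mimicking express-rate-limit's semantics rather than importing it), and assumes the Secure flag is set when either SESSION_COOKIE_SECURE=true or NODE_ENV=production.

```javascript
// Constructed example for the three hardening points above; not doppelganger's own code.
// It uses no external packages so it runs stand-alone. Assumptions: the env var names
// come from the release notes; the limiter mimics express-rate-limit's fixed-window
// semantics (max hits per windowMs, then HTTP 429) but is not that library; enabling
// Secure on either SESSION_COOKIE_SECURE=true or NODE_ENV=production is assumed.
const WINDOW_MS = 15 * 60 * 1000; // 15-minute window, as in the notes

// 1. SSRF fix: the agent's task API URL is derived from the bound port only.
//    The request's Host header is never read, so a forged value cannot redirect the call.
function agentApiUrl(taskId, port) {
  if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error('invalid port');
  return `http://127.0.0.1:${port}/tasks/${encodeURIComponent(taskId)}/api`;
}

// 2. Brute-force throttle for /api/auth/login and /api/auth/setup.
//    Keyed by client IP; `now` is injectable so the window can be tested deterministically.
function createAuthLimiter(env = process.env, now = Date.now) {
  const max = Number.parseInt(env.AUTH_RATE_LIMIT_MAX ?? '', 10) || 10; // default 10 attempts
  const hits = new Map(); // ip -> { count, resetAt }
  return function limiter(req, res, next) {
    const t = now();
    let entry = hits.get(req.ip);
    if (!entry || t >= entry.resetAt) {
      entry = { count: 0, resetAt: t + WINDOW_MS };
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    if (entry.count > max) {
      res.statusCode = 429;
      return res.end('Too many authentication attempts, retry later');
    }
    return next();
  };
}

// 3. Session cookie flags: Secure in production (or when forced), so the session id
//    is never sent over plain HTTP there; HttpOnly is an added default, not from the notes.
function sessionCookieOptions(env = process.env) {
  const secure = env.SESSION_COOKIE_SECURE === 'true' || env.NODE_ENV === 'production';
  return { httpOnly: true, secure };
}
```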

This patch is highly recommended because it closes multiple security findings (SSRF, brute-force limits, secure cookies) and documents remaining CodeQL alerts for future audits.

Full Changelog: 0.5.5...v0.5.6
