⚠️ Migration Required
This release changes the Docker container to run as a non-root user. If you are upgrading from a previous version, your host-side config directory may be owned by root and the container will fail to write config.json.
Fix — run this for the directory you mapped to /usr/src/app/config:
    chmod 777 /path/to/your/config
On Unraid: set the host path permissions to 777 in the share settings.
🔒 Security
- Content-Security-Policy header: The dashboard now sends a Content-Security-Policy header restricting scripts to 'self' and cdn.jsdelivr.net. Inline scripts have been moved to external files so no unsafe-inline is needed for scripts
- Container no longer runs as root: USER app is now active in the Dockerfile, so the container runs as a non-root user at runtime
- Cookie Secure flag no longer bypassable via spoofed header: The auth_token cookie's Secure flag previously trusted the X-Forwarded-Proto header directly, allowing any client to fake HTTPS over plain HTTP. It now relies solely on req.secure, which Express sets correctly when TRUST_PROXY is configured
- Dependencies updated: npm audit fix resolved all known CVEs in transitive dependencies
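
The Secure-flag change above, as an added example that is not the project's own code: a simplified model of how Express derives req.secure, compared with a check that trusts X-Forwarded-Proto directly, run over constructed requests. The function names, the sample addresses and the exact form of the old check are assumptions.

```javascript
// Model only: illustrative names, not taken from the project.

// Before (assumed form): the header alone decides, and any client can send it.
function secureFlagBefore(req) {
  return req.encrypted || req.headers['x-forwarded-proto'] === 'https';
}

// Simplified model of Express's req.secure: X-Forwarded-Proto is consulted
// only when the directly connected peer is a trusted proxy.
function modelReqSecure(req, trustedProxies) {
  if (req.encrypted) return true;                       // TLS terminated by the app
  if (!trustedProxies.includes(req.remoteAddress)) return false;
  const header = req.headers['x-forwarded-proto'] || 'http';
  return header.split(',')[0].trim() === 'https';       // first hop's value
}

// After: the cookie's Secure flag follows req.secure and nothing else.
function secureFlagAfter(req, trustedProxies) {
  return modelReqSecure(req, trustedProxies);
}

// Constructed sample requests (documentation address ranges).
const TRUSTED = ['192.0.2.10']; // assumed reverse-proxy address
const samples = {
  directTls: { encrypted: true, remoteAddress: '198.51.100.7', headers: {} },
  viaProxyHttps: { encrypted: false, remoteAddress: '192.0.2.10',
    headers: { 'x-forwarded-proto': 'https' } },
  viaProxyHttp: { encrypted: false, remoteAddress: '192.0.2.10',
    headers: { 'x-forwarded-proto': 'http' } },
  spoofedPlainHttp: { encrypted: false, remoteAddress: '198.51.100.7',
    headers: { 'x-forwarded-proto': 'https' } },
};

// Returns { sampleName: { before, after } } for every constructed request.
function compare() {
  const out = {};
  for (const [name, req] of Object.entries(samples)) {
    out[name] = {
      before: secureFlagBefore(req),
      after: secureFlagAfter(req, TRUSTED),
    };
  }
  return out;
}

console.table(compare());
```

Calling secureFlagAfter(samples.viaProxyHttps, []) returns false: with no trusted proxy configured, a deployment behind a TLS-terminating proxy gets no Secure flag, which is why TRUST_PROXY has to be set there.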
🐛 Bug Fixes
- Debounce seconds field showed wrong value after config load: The display input was not synced when config loaded from the server — now updated correctly
- Container permission failures now fail fast: If the config directory is not writable on startup, the container exits immediately with a clear error message instead of starting in a broken state