ovumcy/ovumcy-web v0.9.2

on GitHub

Highlights

• Public patch release that follows v0.9.1.
• Replaces DOM-provided recovery confirmation redirect paths with trusted continue-target tokens so the browser follows only fixed same-app destinations.
• Restores the Docker image publish workflow after the YAML parsing regression that prevented the image pipeline from starting.

Security and quality

• Recovery-code confirmation now maps a trusted token to a fixed route (/dashboard, /onboarding, /settings) instead of reading a raw continue path from DOM attributes before navigation.
• Short-lived recovery-code cookies remain backward-compatible during the transition, so the tighter client contract does not break in-flight acknowledgement flows.
• The Docker image workflow is YAML-safe again, allowing publish runs to start on main and on version tags.

Validation

• go test ./internal/api
• npm run build
• npm run lint
• focused recovery browser e2e
• actionlint .github/workflows/docker-image.yml
• staticcheck ./...
• go test ./...
• docker compose config for the root compose file and the official example stacks
• GitHub CI, Docker Image, Security, and CodeQL workflows passed on commit 2e14152

Upgrade notes

• No new database migration is introduced in this patch release.
• Tagged images publish under ghcr.io/ovumcy/ovumcy-web:v0.9.2.
• Existing deployments can upgrade in place and pin OVUMCY_IMAGE=ghcr.io/ovumcy/ovumcy-web:v0.9.2 if they do not want to track future tags manually.

Full changelog

• Compare: v0.9.1...v0.9.2
• Changelog entry: CHANGELOG.md section 0.9.2.