github prey/prey-node-client v1.13.36

v1.13.36 (2026-06-19)

  • Fix: Fixed an issue where the X-Prey-Status HTTP header could contain invalid characters (such as newlines) that violated RFC 7230, causing request failures when device status data included special characters. (SoraKenji)

  • Fix: Fixed the hostname trigger incorrectly firing a device_renamed event when location data (a JSON object) was stored as the hostname value in the local database, causing spurious rename notifications to the control panel. (SoraKenji)

  • Fix: Fixed edge cases in the Windows lock action where Task Manager windows opened during the lock session were not properly closed on unlock. (SoraKenji)

  • Fix: Removed an empty registry key created during installation that caused errors with the unattended (silent) installer on Windows. (SoraKenji)

  • Fix: Upgraded node-forge to 1.4.0 to address CVE-2026-33896 (BasicConstraints bypass vulnerability). (SoraKenji)

  • Fix: Upgraded underscore to 1.13.8 to address a Denial of Service vulnerability in the flatten function. (SoraKenji)

  • Fix: Upgraded minimatch to address a ReDoS (Regular Expression Denial of Service) vulnerability (GHSA-3ppc-4f35-3m26). (SoraKenji)

  • Fix: Upgraded plist to 3.1.1 to address a CVE in the bundled @xmldom/xmldom dependency. (SoraKenji)

  • Fix: New Windows Prey Lock that guards against edge cases and resolves focus issues on the text box. (SoraKenji)

  • Chore: Updated bundled Windows executables: Fenix 1.0.8, WpxSvc 2.0.34, and Updater 1.0.8. (SoraKenji)

  • Fix: Ensured the SQLite database connection is properly closed after every storage operation (set, del, update, all, query) and that initialization errors are propagated to callers, preventing connection leaks. (SoraKenji)

  • Fix: Replaced the firewall npm dependency with direct Windows API calls via the new winsvc module for managing firewall rules, with multi-level fallback (winsvc HTTP → CLI → PowerShell). Registry set/del operations also now prefer the Windows API with reg.exe fallback. (SoraKenji)

  • Fix: Registry keys are now cleaned up during full uninstallation (pre_uninstall), not only during dedicated cleanup tasks. (SoraKenji)

  • Fix: Fixed the Windows anchor location storage to perform an upsert (update if already exists) instead of silently failing on duplicate entries. Invalid cached locations are now cleared on load. (SoraKenji)

  • Fix: Fixed two connection leak edge cases in the storage layer: storage_fns.all and storage_fns.query were closing the SQLite connection on the success path but not on error paths. Also fixed a null dereference crash when the underlying dbComm.all callback returned (null, null), causing a TypeError reading err.code on a null value. (SoraKenji)

  • Fix: Fixed a double-callback and uncaught exception risk in the Wi-Fi geo location strategy: when the server returned HTTP 429 (rate limit), execution fell through to a second checkResponse call after the cache-query block completed, and a catch block was using throw inside an async callback instead of calling back with the error. (SoraKenji)

  • Fix: Fixed a double-callback during post_install on Windows where both setUpVersion and prey_user.create were invoked with the same ready callback, causing it to fire twice. (SoraKenji)

  • Fix: Fixed the Windows service version cache permanently storing null on a failed first attempt, preventing retries when the service binary was not yet present on disk. (SoraKenji)

  • Fix: Fixed command injection in the registry.js reg.exe fallback: path, key, and value parameters were unquoted in the shell exec string, allowing values with spaces or metacharacters to break the command or inject additional shell instructions. (SoraKenji)

  • Fix: Added NaN guards before process.kill() calls in utilinformation.js, tasks/os/windows.js, and panel/index.js: a corrupt or empty pidfile returning NaN from parseInt was passed directly to process.kill, causing unpredictable behavior. (SoraKenji)

  • Fix: Fixed force_new_config on Unix silently issuing kill -9 undefined when client_pid returned an error: a missing return caused execution to continue past the error log and schedule the kill command with an undefined PID. (SoraKenji)

  • Fix: Converted edr_log.js to a no-op module, removing synchronous fs.appendFileSync disk writes from production code paths. (SoraKenji)

  • Fix: Improved the hostname JSON guard to apply .trim() before checking the first character, preventing bypass when a stored hostname value has leading whitespace. (SoraKenji)
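
The registry.js entry above describes path, key, and value being concatenated unquoted into a shell exec string for reg.exe. The following is an added example, not code from prey-node-client: it contrasts that pattern with passing each parameter as its own argv element to `execFile`, which starts no shell. The function names, the registry path, and the sample values are constructed for illustration.

```javascript
const { execFile } = require('node:child_process');

// Constructed sample input: a path with a space and a value with a shell metacharacter.
const SAMPLE = {
  path: 'HKLM\\SOFTWARE\\Example Vendor\\Agent', // placeholder key, not a Prey path
  key: 'Label',
  value: 'Lab & Test',
};

// Pattern the changelog entry describes: parameters joined unquoted into one
// string that cmd.exe parses. The space splits the key path into two arguments
// and "&" ends the reg command and starts another one.
function unsafeRegAddCommand(path, key, value) {
  return 'reg add ' + path + ' /v ' + key + ' /d ' + value + ' /f';
}

// Hardened pattern: validate each parameter, then return an argv array with
// exactly one element per parameter. Nothing here is ever parsed by a shell.
function regAddArgs(path, key, value) {
  for (const [name, v] of Object.entries({ path, key, value })) {
    if (typeof v !== 'string' || v.length === 0 || /[\0\r\n]/.test(v)) {
      throw new TypeError('invalid registry ' + name);
    }
  }
  return ['add', path, '/v', key, '/t', 'REG_SZ', '/d', value, '/f'];
}

// execFile spawns reg.exe directly (no shell by default), so characters such
// as & | > ^ in a parameter stay data inside a single argument.
function setRegistryValue(path, key, value, cb) {
  let args;
  try {
    args = regAddArgs(path, key, value);
  } catch (err) {
    return cb(err); // report bad input through the callback, never throw
  }
  execFile('reg.exe', args, { windowsHide: true }, (err) => cb(err || null));
}
```

Logging `unsafeRegAddCommand(SAMPLE.path, SAMPLE.key, SAMPLE.value)` next to `regAddArgs(...)` in a unit test makes the difference visible without running reg.exe.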
