github skrashevich/double-take v1.13.11.9rc0
v1.13.11.9 rc0

pre-release, 6 months ago

Highlights of v1.13.11.9:

This release brings in much-needed flexibility for deployment configurations with the introduction of environment variables to set the server host and port. It also simplifies the integration between the API and frontend configurations, ensuring aligned service endpoints. The new expire_after MQTT configuration option enhances the control users have over the expiration time for MQTT messages.

Under the hood, the Dockerfiles have been updated for the frontend-builder, and key dependencies have been updated to their latest versions, ensuring a smooth and efficient development experience.

In terms of improvements, unnecessary code has been pruned for clarity, and the app's styles have received refinements for a better user interface.

Please refer to the changelog for a complete list of changes and updates included in this version. We value the feedback from our users and the community, and we continue to strive for excellence in each release. Thank you for your continued support.

This release includes several bug fixes, a major refactor, and dependency updates.

Added

  • New MQTT expiration configuration option expire_after for customizing the timeout for "recognized" state in Home Assistant. (PR #181)
  • Environment variables for configuring server host (DOUBLETAKE_HOST) and port (DOUBLETAKE_PORT) to allow for more flexible deployment scenarios. (Patch 26/38)

Changed

  • Updated frontend-builder Dockerfile to use oven/bun:1.0.15 and use apt-get for package installations. (Patch 29/38)
  • Updated Node version in Dockerfile to 18.19-bookworm and installed npm@^10.2.4 with fetch-retries set to 20. (Patch 30/38)
  • Updated frontend dependencies with the latest releases including ace-builds, ace-code, @vitejs/plugin-vue, @vue/eslint-config-airbnb, @vue/eslint-config-prettier, eslint, and eslint-plugin-vue. (Patch 24/38)
  • Updated vite to 5.0.5 in the frontend. (Patch 31/38)
  • Added CodeFactor badge to README.md. (Patch 33/38)
  • Updated primary Dockerfile to include storage directory initialization and volume for /.storage.
  • Updated .github/workflows/playwright.yml to use actions/checkout@v4 and actions/setup-node@v4.
  • entrypoint.sh script improvements for better directory handling.

Fixed

  • Fixed incorrect import in recognize.util.js. (Patch 13/38)
  • Refactored entrypoint.sh script to remove unnecessary double quotes around path variables. (Patch 34/38)
  • Refactored Toolbar.vue styles to remove unnecessary CSS rules and improve readability. (Patch 36/38)
  • Refactored recognize.util.js by removing the unused fs module import. (Patch 35/38)
  • Application of fixes from CodeFactor analysis. (Patch 32/38)
  • CodeFactor analysis fixes applied.
  • UI and Styles refinements for improved consistency.

Security

The changes to the storage.controller.js file are a security enhancement in how filenames are handled. The modification is in the matches method of a controller that likely manages file retrieval.

Previously, the server was directly using the filename parameter from the request parameters in req.params. However, user-supplied filenames can be dangerous because they may contain special characters or sequences that could lead to file path traversal attacks, where an attacker attempts to access files and directories stored outside the intended directory structure.

The updated code now sanitizes the filename by calling the sanitize function, which presumably removes or escapes potentially dangerous characters in the filename. The sanitized filename is then used to construct the file's path and check its existence on the server.

Security Implication

Adding filename sanitization ensures that any attempt by an attacker to manipulate the file path is mitigated. The sanitize-filename-truncate library likely removes or encodes characters that could lead to vulnerabilities such as directory traversal, allowing file operations to be performed safely on the server.

Summary of the Security Fix

In summary, this security fix mitigates a potential vulnerability by ensuring that user input (in this case, a filename) is properly sanitized before being used in file system operations. This helps protect the server from attacks that could exploit unsanitized input to gain unauthorized access to the file system.

Deprecated

  • No deprecations in this release.

Removed

  • No features were removed in this release.

Commits

  • build(deps): bump ace-code from 1.31.1 to 1.31.2 in /frontend by @dependabot in #168
  • build(deps-dev): bump @vitejs/plugin-vue from 4.4.0 to 4.5.0 in /frontend by @dependabot in #165
  • build(deps-dev): bump vite-svg-loader from 4.0.0 to 5.1.0 in /frontend by @dependabot in #164
  • build(deps): bump actions/setup-node from 3 to 4 by @dependabot in #163
  • build(deps): bump ace-builds from 1.31.1 to 1.31.2 in /frontend by @dependabot in #167
  • build(deps): bump actions/checkout from 3 to 4 by @dependabot in #162
  • build(deps-dev): bump @vue/compiler-sfc from 3.3.8 to 3.3.9 in /frontend by @dependabot in #176
  • build(deps): bump vue from 3.3.8 to 3.3.9 in /frontend by @dependabot in #175
  • Document additional mqtt configuration options by @ccutrer in #149
  • build(deps): bump jsdom from 22.1.0 to 23.0.0 in /api by @dependabot in #174
  • build(deps-dev): bump vite from 4.5.0 to 5.0.5 in /frontend by @dependabot in #186
  • build(deps-dev): bump @vue/compiler-sfc from 3.3.9 to 3.3.10 in /frontend by @dependabot in #185
  • build(deps): bump vue from 3.3.9 to 3.3.10 in /frontend by @dependabot in #184
  • Apply fixes from CodeFactor by @skrashevich in #188
  • Match controller optimise by @skrashevich in #190
  • Apply fixes from CodeFactor by @skrashevich in #195
  • Apply fixes from CodeFactor by @skrashevich in #198
  • build(deps-dev): bump @vitejs/plugin-vue from 4.5.1 to 4.5.2 in /frontend by @dependabot in #199
  • build(deps-dev): bump vite from 5.0.5 to 5.0.6 in /frontend by @dependabot in #200
  • Apply fixes from CodeFactor by @skrashevich in #201

New Contributors

Full Changelog: v1.13.11.8...v1.13.11.9rc0
