github vavallee/bindery v0.4.1
v0.4.1 — Security & quality patch


Security & quality patch

Fixed

  • Rebuilt against go1.25.9, clearing 17 stdlib CVEs reachable via the API, TLS, and URL-parsing paths (most notably GO-2026-4870 TLS KeyUpdate DoS, GO-2025-4012 cookie memory exhaustion, GO-2025-4009 PEM quadratic complexity, GO-2025-4007 x509 name-constraint quadratic).
  • Repaired .golangci.yml — removed gosimple (absorbed into staticcheck in lint v2) and dropped continue-on-error on the lint job. The lint CI gate had been silently failing since the v2 upgrade.
  • qBittorrent client no longer panics on session-expiry retry when http.NewRequestWithContext fails — the error is now propagated instead of calling Do on a nil request.
  • API handlers that take {id} in the URL path now return HTTP 400 for non-numeric IDs instead of silently acting on ID 0. New parseID helper in internal/api/helpers.go consolidates the pattern.
  • Library-scan importer no longer dereferences nil pointers when a book or author lookup fails; lookup errors are logged and the file falls through to the unmatched-import path.
  • History-blocklist handler logs corrupt JSON data columns instead of silently returning a zero-value event to the client.
  • SQL UPDATE in downloads.UpdateStatus no longer interpolates a column name via fmt.Sprintf. Three explicit statements, one per known status, with the column name as a fixed literal.
  • Primary HTTP server now sets ReadHeaderTimeout / ReadTimeout / WriteTimeout / IdleTimeout instead of running with the defaults (which are effectively unlimited). Mitigates slow-loris and resource-exhaustion attacks on the public API surface.
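The three API-side fixes above (the parseID helper rejecting non-numeric {id} values with HTTP 400, the UpdateStatus statements with the column name as a fixed literal instead of a fmt.Sprintf interpolation, and the http.Server timeouts) share one shape: bound what a client can make the server do. The block below is an added illustration written for these notes, not bindery's own code. Only the name parseID is from the release; bookHandler, updateStatusQuery, newServer, the status and column names, the URL prefix and the timeout durations are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// parseID converts the {id} path segment to an integer and rejects anything
// that is not a base-10 number. The pre-fix pattern ignored the strconv error,
// so "abc" became id 0 and the handler acted on that row. (Hypothetical
// reconstruction; the project's real helper lives in internal/api/helpers.go.)
func parseID(raw string) (int64, error) {
	id, err := strconv.ParseInt(strings.TrimSpace(raw), 10, 64)
	if err != nil {
		return 0, fmt.Errorf("invalid id %q: %w", raw, err)
	}
	return id, nil
}

// bookHandler shows the helper in use: a non-numeric id is the client's
// mistake, so it gets HTTP 400 and nothing touches the database.
func bookHandler(w http.ResponseWriter, r *http.Request) {
	id, err := parseID(strings.TrimPrefix(r.URL.Path, "/api/v1/books/"))
	if err != nil {
		http.Error(w, "id must be numeric", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "book %d\n", id)
}

// ErrUnknownStatus is returned when no fixed statement exists for a status.
var ErrUnknownStatus = errors.New("unknown download status")

// updateStatusQuery picks one of a fixed set of UPDATE statements. The column
// name is a literal inside each statement; only values travel as ? parameters.
// This replaces the shape
//
//	fmt.Sprintf("UPDATE downloads SET %s = ? WHERE id = ?", column)
//
// where the SQL text itself depended on a runtime string. Status and column
// names here are assumed, not taken from bindery's schema.
func updateStatusQuery(status string) (string, error) {
	switch status {
	case "queued":
		return "UPDATE downloads SET status = 'queued', queued_at = ? WHERE id = ?", nil
	case "completed":
		return "UPDATE downloads SET status = 'completed', completed_at = ? WHERE id = ?", nil
	case "failed":
		return "UPDATE downloads SET status = 'failed', failed_at = ? WHERE id = ?", nil
	default:
		return "", fmt.Errorf("status %q: %w", status, ErrUnknownStatus)
	}
}

// newServer builds an http.Server with every timeout set. The zero values of
// these fields mean "no limit", which lets a client that delivers headers one
// byte at a time hold a connection (and a goroutine) open indefinitely.
// The durations are assumed values, not bindery's.
func newServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 5 * time.Second,  // bounds slow header delivery
		ReadTimeout:       15 * time.Second, // bounds the whole request read
		WriteTimeout:      30 * time.Second, // bounds response writing
		IdleTimeout:       60 * time.Second, // bounds keep-alive idleness
	}
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/books/", bookHandler)
	srv := newServer(":8080", mux)
	log.Printf("listening on %s", srv.Addr)
	log.Fatal(srv.ListenAndServe())
}
```

The switch in updateStatusQuery is the allow-list: an unrecognised status produces an error rather than a statement, so no caller-supplied string ever reaches the SQL text. Sizing the timeouts is deployment-specific; the point is that none of the four is left at zero.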

Added

  • Startup warning logged when BINDERY_API_KEY is unset, making it obvious that /api/v1/* is unauthenticated.
  • Helm chart deployment.yaml now sets a hardened pod+container securityContext: runAsNonRoot: true, runAsUser: 65532, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, capabilities.drop: [ALL], seccompProfile.RuntimeDefault, plus a writable emptyDir mounted at /tmp.
  • CI workflow now auto-creates a GitHub Release with notes extracted from the matching CHANGELOG section on every v* tag push. Title is derived from the first ### subheading. Idempotent — updates notes if a release already exists.

Changed

  • Dockerfile base image pinned to golang:1.25.9-alpine (was golang:1.25-alpine) and runtime switched to gcr.io/distroless/static-debian12:nonroot with USER nonroot.
  • go.mod bumped to go 1.25.9.
  • Internal DB queries using sql.ErrNoRows comparison now use errors.Is for wrap-safety.
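The errors.Is change is easy to underrate: a repository that wraps sql.ErrNoRows with context (fmt.Errorf with %w) silently breaks every err == sql.ErrNoRows comparison upstream, and "not found" then surfaces as a generic failure. The block below is an added example, not bindery's code; findBook, lookupOutcome and the sample data are constructed for the demonstration.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
)

// findBook stands in for a repository lookup that wraps the driver error with
// context. The wrapping is what makes a plain == comparison stop matching.
// (Constructed sample: id 1 exists, everything else is "no rows".)
func findBook(id int64) (string, error) {
	if id != 1 {
		return "", fmt.Errorf("findBook id=%d: %w", id, sql.ErrNoRows)
	}
	return "Dune", nil
}

// isNotFoundNaive is the pre-fix check. It is only true for the bare sentinel.
func isNotFoundNaive(err error) bool { return err == sql.ErrNoRows }

// isNotFound is the wrap-safe check: it walks the Unwrap chain.
func isNotFound(err error) bool { return errors.Is(err, sql.ErrNoRows) }

// lookupOutcome separates the three cases a caller cares about: found,
// legitimately absent, or a real failure that must be reported.
func lookupOutcome(id int64) (title string, found bool, err error) {
	title, err = findBook(id)
	switch {
	case err == nil:
		return title, true, nil
	case isNotFound(err):
		return "", false, nil // absence is expected, not an error
	default:
		return "", false, err
	}
}

func main() {
	_, err := findBook(2)
	fmt.Println("== matches wrapped error:        ", isNotFoundNaive(err))
	fmt.Println("errors.Is matches wrapped error: ", isNotFound(err))
	title, found, err := lookupOutcome(1)
	fmt.Println(title, found, err)
}
```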

Frontend

  • Fixed four missing reset dependencies in useEffect hooks on Authors / Books / History / Wanted pages (react-hooks/exhaustive-deps).
  • Extracted usePagination hook into its own file (web/src/components/usePagination.ts) so Pagination.tsx is a pure component module (fixes react-refresh/only-export-components).
