Releases: ITSEC-Research/bron-vault
Release Version 1.3.8
Summary:
- feat: add category slug validation and trigger 404 for invalid routes
- feat: implement SSRF protection and strict content validation in image proxy and migrate to Next.js Image component
- feat: render placeholder container when typing effect is hidden to prevent layout shift
- feat: implement device report generation system with HTML templates and API endpoints
- style: standardize page header icons with consistent styling and primary color accents
- style: improve responsive layout for documentation page and sidebar container
- style: improve table layout and add text truncation to report templates
Contributors:
YoKo Kho (@YoKoAcc)
Tomi Ashari (@mastomii)
Migration note: JWT-based cookies
Bron Vault now uses JWT-based cookies for authentication. If you are upgrading from a version prior to February 11, you must add a JWT_SECRET variable to your .env file. For example:
JWT_SECRET=super_secret_random_string_at_least_32_chars_long
Make sure the secret is at least 32 characters long. This key is used by the server to sign and verify JWTs.
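One way to apply this note when upgrading, as an added example (not part of the Bron Vault release notes or code base): a POSIX shell helper that checks the JWT_SECRET entry in a .env file against the 32-character minimum, flags the sample value shown above, and appends a random secret only when none is set. The function names and the 64-character hex format are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit JWT_SECRET in a .env file and create one if it is missing.
# PLACEHOLDER is the sample value printed in the release note, not a real secret.
PLACEHOLDER='super_secret_random_string_at_least_32_chars_long'
MIN_LEN=32

# Print the last JWT_SECRET assignment in file $1, with surrounding quotes removed.
read_jwt_secret() {
    [ -f "$1" ] || return 0
    sed -n 's/^JWT_SECRET=//p' "$1" | tail -n 1 |
        sed -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Status: 0 usable, 1 missing or empty, 2 shorter than MIN_LEN, 3 sample value.
check_jwt_secret() {
    value=$(read_jwt_secret "$1")
    [ -n "$value" ] || return 1
    [ "${#value}" -ge "$MIN_LEN" ] || return 2
    [ "$value" != "$PLACEHOLDER" ] || return 3
    return 0
}

# 32 bytes from the kernel CSPRNG, hex-encoded to 64 characters.
generate_jwt_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Append a fresh secret only when none is set; never overwrite an existing value,
# because replacing the signing key invalidates every JWT already issued.
ensure_jwt_secret() {
    env_file=$1
    status=0
    check_jwt_secret "$env_file" || status=$?
    case $status in
        1) # keep the new assignment on its own line if the final newline is missing
           if [ -s "$env_file" ] && [ -n "$(tail -c 1 "$env_file")" ]; then
               echo >> "$env_file"
           fi
           printf 'JWT_SECRET=%s\n' "$(generate_jwt_secret)" >> "$env_file"
           chmod 600 "$env_file"
           status=0 ;;
        2) echo "JWT_SECRET in $env_file is shorter than $MIN_LEN characters" >&2 ;;
        3) echo "JWT_SECRET in $env_file is still the sample value" >&2 ;;
    esac
    return "$status"
}

# Run against the file given as the first argument, if any (for example: .env).
[ $# -eq 0 ] || ensure_jwt_secret "$1"
```

A non-zero exit status means the existing value needs a deliberate manual rotation; the script does not replace it.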
Release Version 1.3.7
Summary:
- feat: add category editing functionality and force page reloads after category mutations
- feat: add edit functionality for feed sources and implement forced page reloads after data mutations
- feat: implement advanced search builder with boolean logic support for article filtering
- feat: implement drag-and-drop reordering for feed sources and add user preference support for custom feed layouts
- feat: add SourceIcon component to display source favicons in news feed list
- feat: implement per-source pagination for grouped article view
- style: adjust sidebar menu item padding and height for improved layout consistency
- chore: update category page description text
Contributors:
YoKo Kho (@YoKoAcc)
Tomi Ashari (@mastomii)
Release Version 1.3.6
Summary:
- feat(api): implement GET /api/feeds/articles with advanced search, pagination, and date range filtering
- feat(api): implement complete CRUD operations for feed categories and sources at /api/feeds/categories and /api/feeds/sources
- feat(api): add manual sync trigger via POST /api/feeds/sync and background processing utility using rss-parser
- feat(ui): implement news feed aggregator page with dynamic category routing and interactive article previews
- feat(ui): build centralized feed configuration interface for admin-level management of sources and categories
- feat(ui): integrate dynamic feed categories directly into the application sidebar navigation
- feat(db): extend database schema definition to support multi-source feed aggregation and storage
- feat(api): implement GET /api/v1/device/:deviceId to retrieve device summary, system information, and optional credentials, software, and files
- feat(api): implement GET /api/v1/summary to provide overall statistics (devices, credentials, files, domains, URLs)
- feat(api): introduce pagination for credentials retrieval
- feat(api): add date filtering and top TLDs aggregation support
- feat(api): include country statistics with heatmap-ready aggregation data
- refactor: update authentication routes and sidebar layout components
- refactor: standardize global page container widths to max-w-7xl and stabilize session logout redirect mechanism
- chore(api): add error handling and request logging for device endpoint
- chore(api): enhance error handling and logging for summary endpoint
- chore(api): include developer debug routes for feed data inspection and serialization testing
- chore: update package.json and project dependencies for RSS feed parsing support
Contributors:
YoKo Kho (@YoKoAcc)
Tomi Ashari (@mastomii)
Release Version 1.3.4
Summary:
- feat(upload-settings): Add apiConcurrency, tempCleanupHours, and apiMaxDurationSeconds for better upload control.
- refactor(upload-api): Improve file handling by saving uploads to temporary path before processing.
- refactor(upload-api): Implement concurrency control using p-limit for safer parallel API uploads.
- chore(deps): Add p-limit dependency and update package-lock.json.
- chore(gitignore): Exclude TypeScript build info files from version control.
- refactor(next-config): Disable webpack build worker to reduce memory usage during build.
Contributors:
YoKo Kho (@YoKoAcc)
Tomi Ashari (@mastomii)
Release Version 1.3.3
Summary:
- refactor(docker): Fully migrate from docker-compose (v1) to docker compose (v2).
- refactor(docker): Update all scripts and documentation to use Docker Compose v2 syntax.
- refactor(docker): Improve docker-start.sh with smarter Docker detection and Ubuntu auto-install guidance.
- refactor(docker): Simplify Dockerfile by removing UID/GID build args and host-side permission adjustments.
- refactor(docker): Align setup-docker.sh with updated compose conventions and service naming.
- chore: Update README.md to reflect new Docker flow and requirements.
- refactor(audit-logs): Improve detail dialog layout and structured content rendering.
- refactor(audit-logs): Ensure DialogContent uses full width and prevents overflow.
- refactor(audit-logs): Render log details in code-block format for better readability and flexible data structures.
Contributors:
YoKo Kho (@YoKoAcc)
Tomi Ashari (@mastomii)
Release Version 1.3.2
Summary:
- fix(domain-recon): Fix summary 500 by using "credentials c" so query builder conditions resolve.
- style(search): Improve query mode toggle button styling and accessibility
- chore: Updated README.md to include advanced search query options, domain monitoring features, S3-compatible storage details, roles for access control, and API v1 specifications.
Contributors:
Tomi Ashari (@mastomii)
YoKo Kho (@YoKoAcc)
Release Version v1.3.1
Summary:
- fix(auth): Fix login session lost after redirect when using app over HTTP (e.g. Docker) by deriving cookie Secure from request.
Contributors:
Tomi Ashari (@mastomii)
YoKo Kho (@YoKoAcc)
Release Version v1.3.0
Summary:
- feat: Add domain monitoring library with CRUD operations and webhook delivery.
- feat(api, dashboard): Add date filtering, improve caching, and support report export (.pdf and .html).
- feat(api): Add storage config API — GET/POST /api/settings/storage for reading and updating storage settings.
- feat(api): Add storage migration API — GET/POST /api/settings/storage/migrate for status, start, and abort migration.
- feat(api): Add storage test API — POST /api/settings/storage/test to test S3 connection with provided credentials.
- feat(audit-log): Add import logs page and audit logging system.
- feat(audit-log): Enhance logging for user login attempts and createAuditLog function.
- feat(audit-log): Enhance upload logging with detailed import logs and error handling.
- feat(database): Add domain monitoring and alerting tables.
- feat(storage): Add storage provider abstraction (local + S3).
- feat(storage): Implement S3-compatible storage provider (AWS S3, MinIO, path-style support).
- feat(storage): Implement migration engine from local storage to S3 with progress and logging.
- feat(dashboard): Add country heatmap and improve UI components.
- feat(upload): Implement upload job manager with CRUD operations and logging.
- feat(upload): Enhance upload job logging with progress tracking and database update optimization.
- feat(users): Add is_active field to user management and update related logic.
- feat(docker): Add MinIO service to docker-compose (S3 API and Console ports, env, volume).
- feat(docker): Enhance user permissions handling and uploads directory setup.
- feat(ui): Add S3/MinIO configuration and migration UI on Settings page.
- refactor(browser-analysis): Optimize unique device counting by normalizing browser names.
- refactor(dashboard, components): Enhance UI elements and improve styling.
- refactor: Update password handling in search APIs and remove bulk search documentation.
- refactor(country-heatmap): Update color constants for improved visual distinction.
- refactor: Refactor code structure for improved readability and maintainability.
- chore: Add .eslintignore and .nextignore to exclude data folders and build outputs.
- chore: Update .env.example and .gitignore for object storage and minio-data.
Contributors:
Tomi Ashari (@mastomii)
YoKo Kho (@YoKoAcc)
Release Version v1.2.1
Summary:
- feat: Add user preferences management
- feat: Implement API for retrieving and updating preferences
- feat: Enhance upload and user settings pages with preferences and URL-based navigation.
- feat(api): Implement abort handling and instrumentation for global error management.
- feat(auth): Restrict user preferences access to admin users.
- feat(auth): Add backup codes management with copy and download functionality
- feat(auth): Update TOTP verification window for enhanced security.
- feat(auth): Implement secure pending 2FA token generation and verification
- feat(auth): Enhance password validation and rate limiting for auth endpoints.
- feat(db): Refactor MySQL connection handling and improve Next.js configuration for production.
- feat(db): Enhance and implement database schema synchronization feature.
- feat(recon): Add deduplication option for subdomain queries
- feat(recon): Implement safe file path resolution and enhance UI components for better user experience.
- feat(docker): Enhance Docker setup and improve loading animations.
- feat(ui): Enhance loading states across various components for improved user experience.
- feat(ui): Improve preferences UX with URL-based tab navigation and stronger highlight/warning colors.
- feat(ui): Update text selection styles for light and dark modes.
- fix(ui): Adjust logo styling in 2FA header for better alignment.
- chore: Update dependencies and ESLint configuration.
- docs: Fix formatting.
Contributors:
Tomi Ashari (@mastomii)
YoKo Kho (@YoKoAcc)
Important Migration Notice
For deployments between November 27, 2025 and January 6, 2026
If you deployed Broń Vault between November 27, 2025 and January 6, 2026, please run the following script after updating:
npx tsx scripts/migrate-add-user-roles.ts
This migration adds a new role column to the users table.
Currently supported roles:
- admin: Full access to all features and menus.
- analyst: Restricted access, limited to searching and browsing data without upload permissions.
Release version v1.2.0
Summary:
- feat(ui): Redesigned login page.
- style(ui): Applied glassmorphism across the UI.
- refactor(ui): Centralized styles into global.css for easier theming and maintenance.
- docs: Improved README for clarity and accuracy.
- chore: Removed legacy Windows .bat auto-update script due to stability issues.
- feat(api): Enhanced chunk upload handling and prevented MaxListenersExceededWarning.
- feat(ui): Improved the layout of DeviceFileTreeViewer on the Device Details page for better usability and responsiveness.
- feat(auth): Implemented role-based access control (RBAC).
- feat(config): Added default values for MYSQL_HOST and MYSQL_PORT in the environment-loading migration script.
Contributors:
Tomi Ashari (@mastomii)
YoKo Kho (@YoKoAcc)