v1.0.17 - Security & Performance
Security
- Override dompurify >=3.4.1 (CVE-2026-41238, CVE-2026-41239, GHSA-h8r8-wccr-v5f2, GHSA-v2wj-7wpq-c8vv)
- Update axios to 1.15.0 (CVE-2025-62718 - SSRF via NO_PROXY bypass)
- Update flatted to 3.4.2 (CVE-2026-33228 - Prototype Pollution)
- Update picomatch to 2.3.2 (CVE-2026-33671, CVE-2026-33672)
- Update yaml to 2.8.3 (stack overflow fix)
- Update minimatch to 3.1.5 (ReDoS fix)
- Update rembg version range
- Bump docker/login-action to v4
- Bump docker/setup-buildx-action to v4
- Bump docker/metadata-action to v6
- Bump docker/build-push-action to v7
Performance
- Fix thumbnail generating full-size PNG 14 times (5-minute delay reduced to <1 second)
- Thumbnail generation moved to background tasks (HTTP response returns immediately)
- Preserve input format during processing (JPG stays JPG, prevents file size inflation)
- Fix RQ Worker crash from deprecated Connection import (rq >= 2.0)