v0.11.6

Fix LFS import local repository security issue that allows importing private repositories the users don't have access to.

Changelog

Fixed

• 80490de: fix(ci): use golangci-lint latest version (@aymanbagabas)

Other stuff

• c147421: Merge commit from fork (@evnsh)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.6/checksums.txt'
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.6/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.11.5

This release fixes an issue with SSRF protection rules related to DNS resolution.

Changelog

Fixed

• 879ece7: fix(ssrf): pin resolved IP in dial to prevent DNS rebinding (#791) (@vnykmshr)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.5/checksums.txt'
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.5/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.11.4

This release includes a bug fix to our SSRF protection rules where it won't do DNS resolutions before checking SSRF. It also adds LFS SSRF security checks so make sure you upgrade your instance to get the latest security updates.

Changelog

Fixed

• 19bc627: fix(ssh): add argument validation to webhook deliveries commands (@aymanbagabas)
• 3ef6600: fix(ssrf): handle DNS resolution in SSRF protection (@aymanbagabas)

Other stuff

• e80b183: Merge commit from fork (@vnykmshr)
• 85fecd7: ci: sync dependabot config (#774) (@charmcli)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.4/checksums.txt'
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.4/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.11.3

This release patches a critical auth issue that allows any malicious actor to gain access as any user.
Please upgrade ASAP!

Credits goes to @juancabe, so thank you so much for noticing and reporting this one 🙂

Certificate Reloading

You can now use SIGHUP signals to hot-reload Soft Serve to update your server's TLS certificates.
Thanks to @cheesyhypocrisy for sending working on this feature!

Changelog

New!

• 28c4854: feat: add support for certificate reloading upon SIGHUP (#710) (@cheesyhypocrisy)

Fixed

• 8539f9a: fix: authentication bypass (@aymanbagabas)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.3/checksums.txt'
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.3/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.11.2

This release patches a security issue related to LFS locks of different users.
Thank you @Tomer-PL for reporting and fixing this one 🙂

Changelog

Fixed

• 62e2d5c: fix(ssh): ui: respect anon-access setting for the ui (@aymanbagabas)
• 2447a96: fix(tests): ignore stderr output in SSRF webhook test (@aymanbagabas)

Other stuff

• 000ab51: Merge commit from fork (@Tomer-PL)
• ba7d415: ci: sync golangci-lint config (#767) (@github-actions[bot])

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.2/checksums.txt'
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.2/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.11.1

Changelog

Security

• bb73b9a: sec: fix GHSA-vwq2-jx9q-9h9f (@caarlos0)

Docs

• 56e9784: docs: Add IdentitiesOnly option to ssh command examples (#628) (@robberwick)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.1/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.1/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.1/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.11.0

Changelog

New!

• ea8799b: feat: add CORS headers (#654) (@fetsorn)

Security

• d963932: sec: strip ansi from user input GHSA-fv2r-r8mp-pg48 (@caarlos0)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.0/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.0/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.0/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.10.0

Changelog

New Features

• 52f7a9e: feat(tui): yank the patch/diff to clipboard (#725) (@ChausseBenjamin)
• 6856877: feat: add readiness and liveness probes for self healing (#734) (@Jay-Madden)

Bug fixes

• 397288d: fix(ui): help menu on file list view (#719) (@eldondev)
• 5a2bde5: fix: check that commit is a SHA1 (#737) (@caarlos0)
• fa175c7: fix: repo commit help (#736) (@caarlos0)

Other work

• 5d9034c: ci: sync dependabot config (#741) (@charmcli)
• 844f175: ci: sync golangci-lint config (#732) (@github-actions[bot])
• e5edfd5: sec: update git-module (#742) (@caarlos0)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.10.0/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.10.0/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.10.0/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, Discord, Slack, The Fediverse.

v0.9.1

This is a small release fixing some UI artifacts after upgrading to v2.

Changelog

Bug fixes

• 8e6fd53: fix(ui): use more accurate scroll percent symbol and improve status bar (@aymanbagabas)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.9.1/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.9.1/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.9.1/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.

v0.9.0

Upgraded UI

This release upgrades the UI stack to the new v2 stack which includes the
latest beta versions of Bubble Tea, Lip Gloss, Bubbles, Glamour, as well as
Wish. There are no breaking changes in this release nor any new features.

Happy hacking!

Changelog

New Features

• df3d71c: feat(ui): adapt to new glamour v2 updates (@aymanbagabas)
• d05c13c: feat(web): add support for http git-upload-archive service (@aymanbagabas)

Bug fixes

• e93eeff: fix(daemon): ensure daemon starts correctly in tests and ignore errors (@aymanbagabas)
• d4edeab: fix(daemon): handle multiple listeners gracefully (@aymanbagabas)
• 3f646c6: fix(daemon): mutex for listeners (@aymanbagabas)
• 9b2fe20: fix(server): properly handle server shutdown (@aymanbagabas)
• 91f28a8: fix(server): properly handle server shutdown (@aymanbagabas)
• 14a804a: fix(ssh): honor SOFT_SERVE_NO_COLOR env var in blob command (@aymanbagabas)
• 332fd00: fix(ssh): keep using EmulatedPty for now (@aymanbagabas)
• 7ed1994: fix(ui): ensure the code component width accounts for the horizontal (@aymanbagabas)
• 7e944a2: fix(ui): remove red background for empty spaces in code blocks (@aymanbagabas)
• 7c3fa24: fix(ui): viewport: rename HalfViewDown/Up to HalfPageDown/Up (@aymanbagabas)

Documentation updates

• 5356717: docs(common): update style comment (@aymanbagabas)
• 24c6f83: docs: add contributing guidelines (#715) (@bashbunni)

Other work

• 454df5d: ci: sync dependabot config (#698) (@charmcli)
• 5bcf420: ci: sync golangci-lint config (#685) (@github-actions[bot])
• 604f519: ci: sync golangci-lint config (#695) (@github-actions[bot])
• cae622b: ci: sync golangci-lint config (#708) (@github-actions[bot])
• 50710d3: refactor(ui): use bubblezone/v2 fork (@aymanbagabas)
• 41c4f31: refactor: upgrade the remaining components (@aymanbagabas)
• 7e51392: refactor: use KeyPressMsg and MouseClickMsg instead of KeyMsg and MouseMsg (@aymanbagabas)
• f9feea6: refactor: use glamour/v2 (@aymanbagabas)
• 9871df2: refactor: use the latest v2 packages (@aymanbagabas)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.9.0/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.9.0/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.9.0/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.