v1.13.11.9 rc0

[skrashevich]

Highlights of v1.13.11.9:

This release brings in much-needed flexibility for deployment configurations with the introduction of environment variables to set the server host and port. It also simplifies the integration between the API and frontend configurations, ensuring aligned service endpoints. The new expire_after MQTT configuration option enhances the control users have over the expiration time for MQTT messages.

Under the hood, the Dockerfiles have been updated for the frontend-builder, and key dependencies have been updated to their latest versions, ensuring a smooth and efficient development experience.

In terms of improvements, unnecessary code has been pruned for clarity, and the app's styles have received refinements for a better user interface.

Please refer to the changelog for a complete list of changes and updates included in this version. We value the feedback from our users and the community, and we continue to strive for excellence in each release. Thank you for your continued support.

This release includes several bug fixes, a major refactor, and dependency updates.

Added

• New MQTT expiration configuration option expire_after for customizing the timeout for "recognized" state in Home Assistant. (PR [FEAT] Decrease time of recognised state - MQTT  #181)
• Environment variables for configuring server host (DOUBLETAKE_HOST) and port (DOUBLETAKE_PORT) to allow for more flexible deployment scenarios. (Patch 26/38)

Changed

• Updated frontend-builder Dockerfile to use oven/bun:1.0.15 and use apt-get for package installations. (Patch 29/38)
• Updated Node version in Dockerfile to 18.19-bookworm and installed npm@^10.2.4 with fetch-retries set to 20. (Patch 30/38)
• Updated frontend dependencies with the latest releases including ace-builds, ace-code, @vitejs/plugin-vue, @vue/eslint-config-airbnb, @vue/eslint-config-prettier, eslint, and eslint-plugin-vue. (Patch 24/38)
• Updated vite to 5.0.5 in the frontend. (Patch 31/38)
• Added CodeFactor badge to README.md. (Patch 33/38)
• Updated primary Dockerfile to include storage directory initialization and volume for /.storage.
• Updated .github/workflows/playwright.yml to use actions/checkout@v4 and actions/setup-node@v4.
• entrypoint.sh script improvements for better directory handling.

Fixed

• Fixed incorrect import in recognize.util.js. (Patch 13/38)
• Refactored entrypoint.sh script to remove unnecessary double quotes around path variables. (Patch 34/38)
• Refactored Toolbar.vue styles to remove unnecessary CSS rules and improve readability. (Patch 36/38)
• Refactored recognize.util.js by removing the unused fs module import. (Patch 35/38)
• Application of fixes from CodeFactor analysis. (Patch 32/38)
• CodeFactor analysis fixes applied.
• UI and Styles refinements for improved consistency.

Security

The changes in storage.controller.js file reflect a security enhancement in the handling of filenames. The code modification takes place in the matches method of a controller that likely manages file retrieval.

Previously, the server was directly using the filename parameter from the request parameters in req.params. However, user-supplied filenames can be dangerous because they may contain special characters or sequences that could lead to file path traversal attacks, where an attacker attempts to access files and directories stored outside the intended directory structure.

The updated code now sanitizes the filename by calling the sanitize function, which presumably removes or escapes potentially dangerous characters in the filename. The sanitized filename is then used to construct the file's path and check its existence on the server.

Security Implication

The addition of filename sanitation ensures that any attempt by an attacker to manipulate the file path is mitigated. The sanitize-filename-truncate library likely removes or encodes characters that could lead to vulnerabilities such as directory traversal, allowing file operations to be performed safely on the server.

Summary of the Security Fix

In summary, this security fix mitigates a potential vulnerability by ensuring that user input (in this case, a filename) is properly sanitized before being used in file system operations. This helps protect the server from attacks that could exploit unsanitized input to gain unauthorized access to the file system.

Deprecated

• No deprecations in this release.

Removed

• No features were removed in this release.

Commits

• build(deps): bump ace-code from 1.31.1 to 1.31.2 in /frontend by @dependabot in build(deps): bump ace-code from 1.31.1 to 1.31.2 in /frontend #168
• build(deps-dev): bump @vitejs/plugin-vue from 4.4.0 to 4.5.0 in /frontend by @dependabot in build(deps-dev): bump @vitejs/plugin-vue from 4.4.0 to 4.5.0 in /frontend #165
• build(deps-dev): bump vite-svg-loader from 4.0.0 to 5.1.0 in /frontend by @dependabot in build(deps-dev): bump vite-svg-loader from 4.0.0 to 5.1.0 in /frontend #164
• build(deps): bump actions/setup-node from 3 to 4 by @dependabot in build(deps): bump actions/setup-node from 3 to 4 #163
• build(deps): bump ace-builds from 1.31.1 to 1.31.2 in /frontend by @dependabot in build(deps): bump ace-builds from 1.31.1 to 1.31.2 in /frontend #167
• build(deps): bump actions/checkout from 3 to 4 by @dependabot in build(deps): bump actions/checkout from 3 to 4 #162
• build(deps-dev): bump @vue/compiler-sfc from 3.3.8 to 3.3.9 in /frontend by @dependabot in build(deps-dev): bump @vue/compiler-sfc from 3.3.8 to 3.3.9 in /frontend #176
• build(deps): bump vue from 3.3.8 to 3.3.9 in /frontend by @dependabot in build(deps): bump vue from 3.3.8 to 3.3.9 in /frontend #175
• Document additional mqtt configuration options by @ccutrer in Document additional mqtt configuration options #149
• build(deps): bump jsdom from 22.1.0 to 23.0.0 in /api by @dependabot in build(deps): bump jsdom from 22.1.0 to 23.0.0 in /api #174
• build(deps-dev): bump vite from 4.5.0 to 5.0.5 in /frontend by @dependabot in build(deps-dev): bump vite from 4.5.0 to 5.0.5 in /frontend #186
• build(deps-dev): bump @vue/compiler-sfc from 3.3.9 to 3.3.10 in /frontend by @dependabot in build(deps-dev): bump @vue/compiler-sfc from 3.3.9 to 3.3.10 in /frontend #185
• build(deps): bump vue from 3.3.9 to 3.3.10 in /frontend by @dependabot in build(deps): bump vue from 3.3.9 to 3.3.10 in /frontend #184
• Apply fixes from CodeFactor by @skrashevich in Apply fixes from CodeFactor #188
• Match controller optimise by @skrashevich in Match controller optimise #190
• Apply fixes from CodeFactor by @skrashevich in Apply fixes from CodeFactor #195
• Apply fixes from CodeFactor by @skrashevich in Apply fixes from CodeFactor #198
• build(deps-dev): bump @vitejs/plugin-vue from 4.5.1 to 4.5.2 in /frontend by @dependabot in build(deps-dev): bump @vitejs/plugin-vue from 4.5.1 to 4.5.2 in /frontend #199
• build(deps-dev): bump vite from 5.0.5 to 5.0.6 in /frontend by @dependabot in build(deps-dev): bump vite from 5.0.5 to 5.0.6 in /frontend #200
• Apply fixes from CodeFactor by @skrashevich in Apply fixes from CodeFactor #201

New Contributors

• @ccutrer made their first contribution in Document additional mqtt configuration options #149

Full Changelog: v1.13.11.8...v1.13.11.9rc0

---

This discussion was created from the release v1.13.11.9 rc0.