Host-path backup sources and local destinations are now fail-closed when VOLUMEVAULT_HOST_PATH_ALLOWLIST is empty, and approved paths are re-checked at run time to block symlink swaps.
Backup destinations that resolve to private, loopback, or link-local IPs are now blocked by default to reduce SSRF risk, unless their ranges are explicitly allowed in VOLUMEVAULT_SSRF_ALLOWED_IPS.
API tokens now expire 60 days after creation by default, limiting the impact of leaked tokens.
SSH/SFTP destinations can now pin the server host key, including support for trusting a fetched key or using the new POST /api/v1/destinations/host-key endpoint.
Sign-in and password-reset requests are now rate-limited to 5 attempts per minute.
Restore input validation is stricter, and restore extraction is now confined to the target volume to block unsafe keys and forged archives.
Upgrade Notes
This release does not include database migrations.
Existing installations that use host-path backup sources or local destinations must set VOLUMEVAULT_HOST_PATH_ALLOWLIST after upgrading if they relied on the previous open default. Run php artisan volumevault:host-path-allowlist:audit to generate the exact value to set.
Installations that use a LAN NAS, self-hosted S3 or MinIO endpoint, or any backup destination that resolves to a private IP must add the required CIDR ranges to VOLUMEVAULT_SSRF_ALLOWED_IPS before destination tests, restore listing or download, and storage-quota alerts will work again.
Existing API tokens older than 60 days stop working after the upgrade and must be recreated unless SANCTUM_TOKEN_EXPIRATION is changed or set to null.
SSH/SFTP host key pinning is optional. Existing destinations continue to work without a pinned key, but pinning is recommended for better protection against man-in-the-middle attacks.
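A pre-upgrade check for the private-IP destination note above, as an added example that is not VolumeVault's own code: given the addresses each destination host resolves to, it reports which ones fall in private, loopback, or link-local space and are not covered by the value planned for VOLUMEVAULT_SSRF_ALLOWED_IPS. Assumptions: the variable is a comma-separated CIDR list, Python's ipaddress flags stand in for the project's classification, and the destination names and addresses are constructed sample data.

```python
import ipaddress

def parse_allowlist(value):
    """Parse a CIDR list; the comma separator is an assumption."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in value.split(",") if part.strip()]

def normalise(text):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4."""
    ip = ipaddress.ip_address(text)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def is_internal(ip):
    # The three classes the release notes name: private, loopback, link-local.
    return ip.is_private or ip.is_loopback or ip.is_link_local

def audit(destinations, allowlist_value):
    """Map each destination name to the resolved addresses that would be blocked."""
    allowed = parse_allowlist(allowlist_value)
    report = {}
    for name, addresses in destinations.items():
        blocked = []
        for text in addresses:
            ip = normalise(text)
            # One internal, non-allowlisted record is enough to block the host.
            if is_internal(ip) and not any(ip in net for net in allowed):
                blocked.append(str(ip))
        report[name] = blocked
    return report

# Constructed sample data: destination name -> addresses its host resolves to.
SAMPLE = {
    "lan-nas": ["192.168.10.20"],
    "minio": ["10.0.5.7"],
    "link-local": ["169.254.169.254"],
    "public-s3": ["93.184.216.34"],
    "mapped-loopback": ["::ffff:127.0.0.1"],
    "mixed-records": ["93.184.216.34", "10.0.5.7"],
}

if __name__ == "__main__":
    for name, blocked in audit(SAMPLE, "192.168.10.0/24").items():
        print(f"{name}: {'blocked ' + ', '.join(blocked) if blocked else 'ok'}")
```

Feed it the real resolution results for each destination host, and keep every allowlisted range as narrow as the destination requires.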
Verification
Local verification before release included docker run --rm -v "/home/darkdragon/VolumeVault:/app" -w /app volumevault:local php artisan changelog:validate v1.8.0 --release --no-interaction.
Local verification before release included docker run --rm -v "/home/darkdragon/VolumeVault:/app" -w /app volumevault:local php artisan test --compact.
Local verification before release included docker run --rm -v "/home/darkdragon/VolumeVault:/app" -w /app volumevault:local php ./vendor/bin/pint --dirty --format agent.
Local verification before release included npm run build.