Skip to content

1.4.3

Choose a tag to compare

@Dim145 Dim145 released this 20 Jun 01:10

Patch release — dependency security.

Clears the 8 Dependabot alerts in the frontend lockfile (npm overrides):

  • dompurify 3.4.5 → 3.4.11 (7 advisories; mostly IN_PLACE-mode bypasses not used here — the markdown-view XSS neutralisation was re-verified on 3.4.11)
  • markdown-it 14.1.1 → 14.2.0 (smartquotes quadratic-complexity DoS, CVE-2026-48988)

Also bumped from the same dependency tree:

  • undici 7.25.0 → 7.28.0 (high; via jsdom, unreachable since DOMPurify makes no network calls)
  • @babel/core → 7.29.7 (low, build-time)

npm audit reports 0 vulnerabilities. Container images (backend / worker / frontend) are published to GHCR by CI for this release — pull :1.4.3 and redeploy. Reminder: the worker service must use the *-worker image (bundles the JDK for index signing), never the *-backend image.