Skip to content

v0.20.0 — Security & bug fixes

Latest

Choose a tag to compare

@singret singret released this 23 Jun 04:44
a1fe700

A security and bug-fix release. Upgrading is recommended — it includes a SAML authentication-bypass fix and clears multiple Go standard-library CVEs.

Security

  • SAML signature-bypass fixedgoxmldsig bumped to v1.6.0 (GO-2026-4753, "Loop Variable Capture Signature Bypass"), which was reachable in the SSO auth path. SSO users should upgrade.
  • Go 1.25.11 — clears 7 Go standard-library CVEs (net/textproto, crypto/x509, html/template, net). Go 1.24 is end-of-life and no longer receives these fixes.
  • npm advisories clearedposthog-js bumped past the vulnerable range; production dependencies are clean.

Bug fixes

  • Fixed a full-app crash on an incident's Alerts tab when a linked alert had no labels (Object.keys(null)). Hardened the same class across timeline entries, routing rules, and post-mortem action items by making nullable API fields explicit so the compiler enforces guards.
  • The brand logo now renders in PostHog session replays (inlined as a small data URI), so recordings show it correctly.

Maintenance

  • golangci-lint upgraded to v2.
  • Helm chart version corrected (it had been stale at 0.11.0).

Docs

  • Slack setup guide rewritten — it incorrectly documented Socket Mode; Regen uses the HTTP Events API. Added a local-development (ngrok) section, the three Request URLs (events / interactivity / commands), the signing-secret-must-match note, and troubleshooting. Removed the dead SLACK_APP_TOKEN.

Docker: ghcr.io/fluidifyai/regen:0.20.0
Helm: charts.fluidify.ai (chart 0.20.0)

Full changelog: v0.19.1...v0.20.0