A security and bug-fix release. Upgrading is recommended — it includes a SAML authentication-bypass fix and clears multiple Go standard-library CVEs.
Security
- SAML signature-bypass fixed —
goxmldsigbumped to v1.6.0 (GO-2026-4753, "Loop Variable Capture Signature Bypass"), which was reachable in the SSO auth path. SSO users should upgrade. - Go 1.25.11 — clears 7 Go standard-library CVEs (
net/textproto,crypto/x509,html/template,net). Go 1.24 is end-of-life and no longer receives these fixes. - npm advisories cleared —
posthog-jsbumped past the vulnerable range; production dependencies are clean.
Bug fixes
- Fixed a full-app crash on an incident's Alerts tab when a linked alert had no labels (
Object.keys(null)). Hardened the same class across timeline entries, routing rules, and post-mortem action items by making nullable API fields explicit so the compiler enforces guards. - The brand logo now renders in PostHog session replays (inlined as a small data URI), so recordings show it correctly.
Maintenance
- golangci-lint upgraded to v2.
- Helm chart version corrected (it had been stale at 0.11.0).
Docs
- Slack setup guide rewritten — it incorrectly documented Socket Mode; Regen uses the HTTP Events API. Added a local-development (ngrok) section, the three Request URLs (events / interactivity / commands), the signing-secret-must-match note, and troubleshooting. Removed the dead
SLACK_APP_TOKEN.
Docker: ghcr.io/fluidifyai/regen:0.20.0
Helm: charts.fluidify.ai (chart 0.20.0)
Full changelog: v0.19.1...v0.20.0