Capka v0.6.6 🐾
Security
- Outbound fetches to user-supplied URLs (MCP servers, OAuth discovery, marketplace, custom provider base URLs, and provider model listing) now pin the TCP connection to the pre-validated IP, closing the DNS-rebinding window to a private/metadata address. First-party fixed hosts are unaffected.
- Cleared the
js-yamlmoderate advisory pulled in transitively throughgray-matter(npm audit).
Changed
- The
sandbox-controllerimage now installs strictly from its lockfile (npm ci) and fails the build on a broken/absent lockfile instead of silently falling back tonpm install.
Fixed
GET /api/automationsresolves each automation's last-run chat in one batched query instead of one round-trip per automation.- Workspace panel accessibility: file download buttons now have an accessible name, the closed panel is no longer reachable by keyboard (
inert), and the usage-limit bar animates only its width.
Full changelog: https://github.com/LyoSU/capka/blob/master/CHANGELOG.md