Release Notes v2.174
NeySlim edited this page Jun 17, 2026 · 1 revision
Release Date: June 17, 2026
UCM v2.174 is a focused fix release: it makes webhook delivery exactly-once and refreshes two dependencies flagged by security scanning.
certificate.expiring (and other events) could be delivered twice with an identical payload, while the delivery log showed a single event. Two independent causes were fixed:
- Atomic delivery claim — each queued webhook delivery is now claimed with a conditional, single-row update before it is sent, so it is delivered exactly once even if delivery passes run concurrently.
- Single-process scheduler — under Gunicorn (with gevent/preload) the background scheduler could run in more than one process (the scheduler greenlet was inherited by a forked worker), causing every scheduled task to run in each process. The scheduler now runs its loop in a single process (pidfile lock plus a guard that makes an inherited/forked loop exit).
Verified end-to-end: with two concurrent schedulers, each delivery results in exactly one POST.
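An illustration of the atomic delivery claim described above, as an added example rather than UCM's own code: the table, column and function names are hypothetical, and the queued events are constructed samples. Two concurrent delivery passes read the same pending rows, but only the pass whose conditional UPDATE reports one affected row sends.

```python
import os
import sqlite3
import tempfile
import threading

# Hypothetical schema: UCM's real table and column names are not shown in these notes.
SCHEMA = """CREATE TABLE webhook_delivery (
    id INTEGER PRIMARY KEY, event TEXT NOT NULL,
    status TEXT NOT NULL DEFAULT 'pending', claimed_by TEXT)"""

def claim(conn, delivery_id, worker):
    """Conditional single-row update: True only for the caller that flips pending -> sending."""
    cur = conn.execute(
        "UPDATE webhook_delivery SET status = 'sending', claimed_by = ? "
        "WHERE id = ? AND status = 'pending'", (worker, delivery_id))
    return cur.rowcount == 1

def delivery_pass(db_path, worker, barrier, sent):
    """One delivery pass; both passes read the queue before either claims (worst case)."""
    conn = sqlite3.connect(db_path, timeout=10, isolation_level=None)  # autocommit
    try:
        pending = conn.execute(
            "SELECT id, event FROM webhook_delivery WHERE status = 'pending'").fetchall()
        barrier.wait()  # force the overlap in which an unguarded send would duplicate
        for delivery_id, event in pending:
            if claim(conn, delivery_id, worker):
                sent.append((delivery_id, event, worker))  # stand-in for the HTTP POST
    finally:
        conn.close()

def run_demo(events=("certificate.expiring", "certificate.expiring", "example.constructed")):
    """Queue constructed sample events, run two concurrent passes, return what was sent."""
    fd, db_path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = sqlite3.connect(db_path, isolation_level=None)
        conn.execute(SCHEMA)
        conn.executemany("INSERT INTO webhook_delivery (event) VALUES (?)",
                         [(e,) for e in events])
        conn.close()
        sent, barrier = [], threading.Barrier(2, timeout=5)
        workers = [threading.Thread(target=delivery_pass,
                                    args=(db_path, f"sched-{i}", barrier, sent))
                   for i in range(2)]
        for w in workers:
            w.start()
        for w in workers:
            w.join()
        return sorted(sent)
    finally:
        os.remove(db_path)
```

Without the `AND status = 'pending'` predicate and the `rowcount` check, both passes would send all three rows.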
- `cryptography` updated to 48.0.1 — GHSA-537c-gmf6-5ccf (vulnerable OpenSSL bundled in the wheels).
- `ws` forced to 8.21.0 — CVE-2026-48779 (WebSocket memory-exhaustion DoS); pulled in transitively via the realtime client.
- No action required. The webhook delivery queue and scheduled tasks are unchanged in behaviour other than no longer duplicating.
Smoke-tested on the Debian/RPM packages and the Docker image (SQLite and PostgreSQL); the single-scheduler behaviour was confirmed on the DEB and RPM builds (one scheduler tick per task, no duplicates).