Releases: QuietWireDev/QuietKeep
v1.1.5 - Security hardening
Security
- JWT signing secret can now be injected via the QUIETKEEP_JWT_SECRET environment variable. When set, it takes precedence and no secret file is written, letting operators keep the secret off disk and source it from an external secret manager. Behaviour is unchanged when unset: a secret is generated and persisted to a 0600 file in the data volume so login sessions survive restarts.
Defense-in-depth hardening prompted by a CodeQL clear-text-storage finding, triaged as accepted risk for the default self-hosted single-user threat model. See docs/USER_GUIDE.md for usage.
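The precedence rule described above, sketched as an added example (not QuietKeep's own code). The file name `jwt_secret`, the function name, and treating an empty variable as unset are assumptions of this sketch.

```python
import os
import secrets
import stat
from pathlib import Path

ENV_VAR = "QUIETKEEP_JWT_SECRET"   # name taken from the release note
SECRET_FILE = "jwt_secret"         # hypothetical file name inside the data volume


def load_jwt_secret(data_dir, environ=os.environ):
    """Return (secret, source), where source is 'env' or 'file'."""
    injected = environ.get(ENV_VAR, "").strip()
    if injected:
        # Operator-supplied secret wins; nothing is written to disk.
        return injected, "env"

    path = Path(data_dir) / SECRET_FILE
    try:
        # O_EXCL creates the file only if it is absent, and the 0600 mode is
        # applied at creation, so it is never briefly group/world readable.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        # Reuse the persisted secret so sessions survive restarts, and
        # tighten the mode if it has drifted (e.g. after a volume restore).
        if stat.S_IMODE(path.stat().st_mode) & 0o077:
            os.chmod(path, 0o600)
        return path.read_text().strip(), "file"

    secret = secrets.token_urlsafe(48)
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    return secret, "file"
```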
Full changelog: https://github.com/QuietWireDev/QuietKeep/blob/main/CHANGELOG.md
v1.1.4 - Security fix
Security
Same-day follow-up to v1.1.3, closing the last open Dependabot alert.
- python-multipart 0.0.30 to 0.0.31. Fixes a negative Content-Length in parse_form that turned the bounded chunked read into a read-until-EOF, buffering the entire request body in memory (CVE-2026-53540, GHSA-v9pg-7xvm-68hf, Low). Realistic exposure is limited: Starlette/FastAPI drive MultipartParser, not parse_form directly.
No functional or frontend changes. Verified on the test fleet.
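Why a negative length defeats a bounded read, shown as an added example with an unchecked loop beside a validated one. This is illustrative code, not python-multipart's implementation; the function names and the 1 MiB cap are assumptions.

```python
import io

CHUNK = 64 * 1024
MAX_BODY = 1024 * 1024  # assumed per-request cap for this example


def read_body_unchecked(stream, content_length, chunk=CHUNK):
    """'Before' shape: trusts the header value as the read bound."""
    buf = bytearray()
    remaining = content_length
    while remaining != 0:
        # With a negative bound, min() yields a negative size and
        # file-like read(negative) means "read until EOF".
        data = stream.read(min(remaining, chunk))
        if not data:
            break
        buf += data
        remaining -= len(data)
    return bytes(buf)


def parse_content_length(raw, max_body=MAX_BODY):
    """Accept only ASCII decimal digits, so '-1', '+5' and '1_0' are rejected."""
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit()):
        raise ValueError("Content-Length must be a non-negative decimal integer")
    n = int(raw)
    if n > max_body:
        raise ValueError("declared body exceeds the configured cap")
    return n


def read_body_bounded(stream, raw_length, chunk=CHUNK, max_body=MAX_BODY):
    """'After' shape: validate first, then never request more than remains."""
    remaining = parse_content_length(raw_length, max_body)
    buf = bytearray()
    while remaining > 0:
        data = stream.read(min(remaining, chunk))
        if not data:
            break
        buf += data
        remaining -= len(data)
    return bytes(buf)
```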
Full changelog: https://github.com/QuietWireDev/QuietKeep/blob/main/CHANGELOG.md
v1.1.3 - Security fixes
Security
Dependency updates resolving all open Dependabot alerts plus one npm-audit finding. No functional changes; all fixes verified on the test fleet.
- python-multipart 0.0.27 to 0.0.30. Clears four advisories: quadratic-time querystring parsing causing CPU DoS (CVE-2026-53539), negative Content-Length buffering the entire body in memory, semicolon-as-separator parameter smuggling (CVE-2026-53538), and Content-Disposition smuggling via RFC 2231/5987. This is the only fix that ships in the runtime image.
- vite to 8.0.16. Fixes server.fs.deny bypass on Windows alternate paths (CVE-2026-53571) and the bundled launch-editor NTLMv2 hash disclosure (build-time only).
- js-yaml to 4.2.0. Quadratic-complexity DoS in merge key handling (CVE-2026-53550, dev only).
- @babel/core to 7.29.7. Arbitrary file read via sourceMappingURL comment (CVE-2026-49356, dev only).
- brace-expansion bumped. Large numeric range defeats the documented max DoS protection (GHSA-jxxr-4gwj-5jf2, dev only).
Frontend changes are lockfile-only. npm audit reports zero vulnerabilities and the production build is unchanged.
Full changelog: https://github.com/QuietWireDev/QuietKeep/blob/main/CHANGELOG.md
v1.1.2 - Bug Fixes
What's Fixed
BUG-008: Scan interval settings lost on container restart
The scheduler always started at the 6-hour default after a restart because it read the interval from config instead of the database. Saved scan and Docker scan intervals now persist correctly across restarts.
BUG-009: Patch All messaging and held-back packages
The bulk patch results banner now explains partial status in plain text and shows an amber badge per host when packages were held back, with a prompt to open the host and install them. The activity feed now logs held-back installs.
BUG-010: Proxmox kernel updates not triggering reboot required
PVE kernels do not reliably write /var/run/reboot-required. The reboot check now falls back to comparing the running kernel against the highest installed proxmox-kernel-*-pve-signed package. If they differ, the host is flagged for reboot.
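A sketch of the BUG-010 fallback comparison, added here as an example and not taken from QuietKeep's source. It assumes the installed package names and the `uname -r` string have already been collected from the host; the function names and sample values are constructed.

```python
import re

# Versioned, signed kernel packages, e.g. proxmox-kernel-6.8.12-4-pve-signed.
# Meta-packages such as proxmox-kernel-6.8 deliberately do not match.
PKG_RE = re.compile(r"^proxmox-kernel-(\d+)\.(\d+)\.(\d+)-(\d+)-pve-signed$")
# Matching uname -r form, e.g. 6.8.12-4-pve
RUNNING_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-pve$")


def highest_installed(packages):
    """Return the newest installed PVE kernel as an int tuple, or None."""
    versions = []
    for name in packages:
        m = PKG_RE.match(name.strip())
        if m:
            # Compare numerically: as strings, "10" would sort below "4".
            versions.append(tuple(int(x) for x in m.groups()))
    return max(versions) if versions else None


def reboot_required(running_release, packages, flag_file_present=False):
    """Flag file first; otherwise compare running vs highest installed kernel."""
    if flag_file_present:  # /var/run/reboot-required exists on the host
        return True
    m = RUNNING_RE.match(running_release.strip())
    newest = highest_installed(packages)
    if m is None or newest is None:
        return False  # not a PVE kernel, or nothing to compare against
    return tuple(int(x) for x in m.groups()) != newest
```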
What's Added
Version badge on Home page
The running version is now shown next to the "Overview" heading so you don't have to open Settings to check it.
v1.1.1 - Host Edit Fix
Fixed
- Host edit/create returns 500 (BUG-007). Tags relationship now eagerly loaded after commit to prevent MissingGreenlet error in async mode.
v1.1.0 - Tags, Bulk Patch, Activity Feed
Added
- Host tags/groups with colored labels, filtering on Home and Dashboard
- Bulk patch all hosts with one click, per-host error surfacing
- Recent activity feed with color-coded timeline
- Patch history export (per-host CSV and fleet-wide Excel)
- Disk usage monitoring with color-coded thresholds
- Build tag badge (TEST/BETA/PROD label in nav bar)
- Clickable metric tiles on Home page
- UI polish: host count badges, active filter chips, relative timestamps
- User Guide link in About and Help page
Fixed
- fetchJson now handles HTTP 204 No Content responses
v1.0.3 - Docker Update Fix
Fixed
- Docker stack update reporting false success (BUG-006). The SSH client now checks the remote command's exit code, so failed updates are correctly reported with a red badge in the UI.
v1.0.2 - Security Patch
Security
- Bumped python-multipart from 0.0.26 to 0.0.27 (CVE-2026-40347, denial of service via crafted multipart/form-data requests)
v1.0.1 - Wizard Fix & Security
Fixed
- First-Run Wizard reappearing on every login (BUG-005). Wizard completion is now persisted server-side.
Security
- Sanitized error messages in API responses to prevent information exposure (CWE-209)
- Restricted file permissions on server-side secrets
v1.0.0 - Initial Release
Added
- Multi-OS host management (Debian/Ubuntu, Kali, Arch/CachyOS, Proxmox)
- One-click scanning, patching, and reboot with full log capture
- Docker stack discovery and one-click updates
- Dashboard with filter cards, patch history, reboot detection
- Fleet-wide Diagnostics tab with sortable OS, kernel, uptime, reboot, and sudoers columns
- Per-host Diagnostics card consolidating system health in one view
- Real OS name detection from /etc/os-release and kernel version probing
- Automated sudoers probing with one-click Fix Sudoers
- GPG key rotation detection with in-app secure recovery guidance
- Held-back package detection with opt-in kernel upgrade flow
- Threat Intel dashboard with CISA KEV catalog and ransomware tracking
- Single-user auth with optional TOTP 2FA
- First-run wizard with SSH key generation, host import, and key deployment
- Settings page with theme support, SSH configuration, and security settings
- Help page with searchable FAQ, bug reporting, and feature requests
- Docker Compose deployment with auto-detected IP and SSH key management via web UI
- Password reset via filesystem token (no email or cloud required)
Security
- Bumped python-jose (CVE-2024-33663), python-multipart (CVE-2026-40347), postcss (CVE-2026-41305)