v0.2.1 — security + tooling

SupremeCommanderHedgehog released this 26 May 23:43
v0.2.1
e53f2ff

First patch release. Backwards-compatible — no config schema, CLI, or /stats shape changes.

Security

Resolves three of four open Dependabot alerts:

  • GHSA-4w7w-66w2-5vf9 — vite path traversal in optimized-deps .map handling. Bumped vite 5.x → 6.x (no v5 patch exists).
  • GHSA-67mh-4wv8-2f99 — esbuild dev-server CORS. Pinned esbuild ≥ 0.25.0 via npm overrides.
  • GHSA-58qx-3vcg-4xpx — ws uninitialized memory disclosure. Pinned ws ≥ 8.20.1 via npm overrides.

GHSA-wrw7-89jp-8q8g (glib < 0.20.0) remains intentionally open — Linux-only transitive via tauri → wry → gtk-rs 0.18; no tauri 2.x release on gtk-rs 0.20 yet.
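npm overrides only pin what the lockfile actually resolves, so a nested copy of a package can survive a bump. The following check is an added example, not part of this release or the project's code: it walks a package-lock.json (lockfileVersion 2/3 "packages" map) and reports any installed copy of esbuild or ws below the minimums named above. The lockfile embedded below is constructed for illustration.

```javascript
// Minimum safe versions from the release notes (esbuild CORS fix, ws memory disclosure fix).
const MINIMUMS = { esbuild: "0.25.0", ws: "8.20.1" };

// Split "8.20.1" into [8, 20, 1]; a prerelease/build suffix is ignored for the comparison.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map(Number);
}

// True when installed version a is strictly older than required version b (major.minor.patch).
function lessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Scan every "node_modules/..." entry, including nested copies under other packages,
// and return those whose version is below the required minimum.
function findUnpatched(lock, minimums = MINIMUMS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry has no node_modules prefix
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const min = minimums[name];
    if (min && entry.version && lessThan(entry.version, min)) {
      findings.push({ path, version: entry.version, required: min });
    }
  }
  return findings;
}

// Constructed sample lockfile: top-level copies are pinned, but one dependency still
// carries its own older ws, which is exactly what an override is meant to eliminate.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "0.2.1" },
    "node_modules/esbuild": { version: "0.25.0" },
    "node_modules/ws": { version: "8.20.1" },
    "node_modules/some-dep/node_modules/ws": { version: "8.17.0" }
  }
};

console.log(findUnpatched(SAMPLE_LOCK));
```

To run it against a real tree, replace SAMPLE_LOCK with the parsed contents of package-lock.json and fail the CI job when the returned list is non-empty.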

Added

  • SECURITY.md — coordinated-disclosure policy pointing at GitHub private vulnerability reporting.
  • Gitleaks secret scanning — .pre-commit-config.yaml hook + .github/workflows/gitleaks.yml CI (sha256-verified tarball install).
  • CHANGELOG.md — Keep a Changelog format going forward.
  • scripts/bump-version.ps1 — one-command version sync across package.json, src-tauri/Cargo.toml, src-tauri/tauri.conf.json, Cargo.lock, and package-lock.json.

Changed

  • Cargo.lock refreshed: incidental semver-patch updates of filetime, hashbrown, kqueue-sys, libredox, plus new transitive bs58. No direct-dep or feature changes.

Full diff: v0.2.0...v0.2.1