v2.4.5
v2.4.5
Dependency-refresh + README polish release. No plugin behavior changes — DLL functionally identical to v2.4.4. In-place upgrade.
Dependency bumps (via Dependabot)
CI / GitHub Actions:
actions/checkout5.0.1 → 6.0.2actions/setup-dotnet4.3.1 → 5.2.0actions/attest-build-provenance2.4.0 → 4.1.0sigstore/cosign-installer3.9.1 → 4.1.2github/codeql-action/*3.30.x → 4.35.5 (applied as a coordinated bump after Dependabot's grouped PR shipped an inconsistent diff — see commit history)
Test dependencies:
Microsoft.NET.Test.Sdk17.12.0 → 18.5.1
README + topics
- Test-count badge corrected from 125 → 150 (it had been stale since v2.4.0 added the HIBP + challenge-store test batch).
- GitHub repo topics expanded: added
passkey,webauthn,oidc,sso,fido2alongside the existingauthentication,csharp,dotnet,jellyfin,jellyfin-plugin,mfa,security,self-hosted,totp,two-factor-authentication.
Repo-level security toggles
Enabled earlier in the v2.4.4 cycle, surfaced here for users browsing the catalog:
- Dependabot vulnerability alerts: on
- Dependabot automated security fixes: on (auto-PR creation for CVEs)
- Dependabot version updates now also cover the fuzz project +
.clusterfuzzlite/Docker references - Secret scanning + push-protection: on
Upgrade
In-place. No config or behavior changes.
Package checksums
- MD5: see
Jellyfin.Plugin.TwoFactorAuthv2.4.5.0.md5 - SHA256: see
Jellyfin.Plugin.TwoFactorAuthv2.4.5.0.sha256
Sigstore-signed + SLSA-attested. Verify with cosign verify-blob or gh attestation verify.