Skip to content

v0.16.2

Choose a tag to compare

@bvis bvis released this 27 Apr 17:16
347fe4c

Security hardening and async correctness

This release focuses on closing security gaps and removing blocking I/O from the event loop. No new user-facing features.

Security

  • HTTPS enforced on signaling URL — default URL upgraded; insecure http:///ws:// schemes received via push notifications are auto-upgraded to https:///wss://.
  • Config flow URL validation — API and auth URLs now require HTTPS scheme.
  • send_audio path validation — audio file paths validated against hass.config.media_dirs to prevent arbitrary file reads.
  • Explicit shell=False for ffmpeg recording calls.

Reliability

  • Transient setup failures raise ConfigEntryNotReady (HA retries) instead of crashing.
  • Notification dedup uses ordered deque(maxlen=100) instead of unordered set.
  • TTS temp files cleaned up after use.
  • Recording cleanup runs as a background task and no longer blocks startup.
  • Hardcoded /media/ paths replaced by hass.config.media_dirs.

Async correctness

  • gTTS.save, glob fallback, mkdir, and media_source path resolution moved to executors.
  • pymediasoup patch deferred until first stream start instead of running at module import.
  • dispatcher_sendasync_dispatcher_send across the coordinator.
  • Replaced deprecated asyncio.get_event_loop() with get_running_loop() captured outside the threadsafe callback.

Cleanup

  • Camera icon centralized in icons.json (mdi:doorbell-video); redundant _attr_icon removed from sensor descriptors.

Full changelog: https://github.com/bvis/fermax-blue-hass/blob/main/CHANGELOG.md