v0.31.1

Latest

@github-actions github-actions released this 07 Jun 15:55

This release introduces significant security enhancements—including safe HTML template rendering, XSS mitigation, secure subprocess environments, and optional CORS and replay endpoint authentication. It also adds automated, AI-powered release notes generation to the project's release workflow.

Features

  • Added automated, AI-powered release notes generation to the release workflow utilizing the Gemini API.

Security

  • Fixed a bug where TLS certificate verification was disabled by default when forwarding webhooks to HTTPS targets; verification is now properly active by default.
  • Switched server HTML rendering to Go’s context-aware html/template engine to prevent HTML and JavaScript injection.
  • Sanitized and escaped incoming webhook metadata (such as Event IDs and timestamps) displayed in the live web UI dashboard to prevent stored XSS.
  • Hardened --exec script runs by restricting the subprocess environment to a safe allowlist of variables. Specific environment variables can be safely passed through using the new --exec-env-vars flag.
  • Added the --replay-token (GOSMEE_REPLAY_TOKEN) configuration flag to protect the replay endpoint with Bearer token authentication.
  • Added the --cors-origin (GOSMEE_CORS_ORIGIN) configuration flag to restrict cross-origin access to the Server-Sent Events (SSE) channel endpoint.
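The environment allowlist described for --exec above, shown as an added example (not gosmee's own code): the base allowlist, the comma-separated flag format, and the os/exec wiring are assumptions; the parent environment is constructed so the result is deterministic.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// baseAllowlist is an assumed default set of harmless variables a hook
// script may inherit; the project's real list may differ.
var baseAllowlist = []string{"PATH", "HOME", "LANG", "TMPDIR"}

// buildExecEnv filters a parent environment (KEY=VALUE strings, e.g. from
// os.Environ()) down to the allowlist plus explicitly passed-through names.
// Anything not on the combined list (tokens, cloud credentials, ...) is
// dropped; a name that is absent from the parent is simply not added.
func buildExecEnv(parent []string, passthrough []string) []string {
	allowed := make(map[string]bool, len(baseAllowlist)+len(passthrough))
	for _, k := range baseAllowlist {
		allowed[k] = true
	}
	for _, k := range passthrough {
		if k = strings.TrimSpace(k); k != "" {
			allowed[k] = true
		}
	}
	var env []string
	for _, kv := range parent {
		name, _, ok := strings.Cut(kv, "=")
		if ok && allowed[name] {
			env = append(env, kv) // keep original KEY=VALUE, parent order
		}
	}
	return env
}

// parseEnvVarsFlag splits the assumed comma-separated value of
// --exec-env-vars into variable names.
func parseEnvVarsFlag(v string) []string {
	if v == "" {
		return nil
	}
	return strings.Split(v, ",")
}

func main() {
	// Constructed parent environment containing secrets the script must not see.
	parent := []string{"PATH=/usr/bin", "HOME=/home/hook",
		"GITHUB_TOKEN=constructed", "AWS_SECRET_ACCESS_KEY=constructed", "DEPLOY_ENV=staging"}
	cmd := exec.Command("sh", "-c", "env")
	cmd.Env = buildExecEnv(parent, parseEnvVarsFlag("DEPLOY_ENV")) // only PATH, HOME, DEPLOY_ENV
	out, err := cmd.CombinedOutput()
	fmt.Printf("%s(err=%v)\n", out, err)
}
```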

Maintenance

  • Updated README.md and SECURITY.md with documentation for the new security flags, environment variables, and safe-use practices.
  • Removed dependency on the experimental golang.org/x/exp package by replacing slices.Contains with a manual loop implementation.
  • Upgraded the project's linting configuration to utilize gomodguard_v2.
  • Updated Homebrew formula for version v0.31.0.

Dependencies

  • Upgraded Go library dependencies, including updating go-chi/chi/v5 to v5.3.0 and golang.org/x/crypto to v0.52.0.
  • Bumped actions/checkout from v6.0.2 to v6.0.3.
  • Bumped docker/login-action from v4.0.0 to v4.2.0.
  • Bumped docker/metadata-action from v6.0.0 to v6.1.0.