Skip to content

SteamBee 1.0.3

Latest

Choose a tag to compare

@ill-yes ill-yes released this 09 Jul 23:52
Immutable release. Only release title and notes can be modified.
0f01348

Security

  • Enforce 16-byte AES-GCM authentication tags and strict encrypted-payload validation.
  • Make setup-token creation race-free and keep data directories, database files, instance secrets, and setup tokens private by default.
  • Bound correlation IDs, redact credentials from errors and events, disable API response caching, and apply instance-wide admin authentication throttling.
  • Cancel expired QR login polling and reject stale authentication events.
  • Validate proxy trust as an exact hop count or trusted IP/CIDR list; use TRUST_PROXY=1 for one reverse proxy.

Container and supply chain

  • Pin Node.js 22.23.1 by multi-architecture digest and remove npm, Corepack, and Yarn from the runtime image.
  • Run with UID/GID 10001, a read-only root filesystem, all capabilities dropped, and a 256-process limit.
  • Gate releases with dependency audit, Trivy HIGH/CRITICAL scanning, amd64 smoke tests, and SHA-pinned GitHub Actions.
  • Publish linux/amd64 and linux/arm64 images with SBOM, provenance, and GitHub artifact attestations.

Deployment

  • GHCR tags: 1.0.3, 1.0, and latest.
  • The included Compose files are updated for VPS and Unraid deployments, including safer backups and a Community Apps template.
  • Existing clones must rebase or clone again because historical commit metadata and earlier release tags were rewritten to remove a private author email. File contents of the rewritten commits are unchanged.

Verify the image with:

gh attestation verify oci://ghcr.io/ill-yes/steam-bee:1.0.3 --repo ill-yes/steam-bee