Releases: juice-shop/juice-shop
v18.0.0
This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.
👟 Runtime
- Removed support for Node.js 18.x and no longer provide packaged distributions for this version (⚠️)
- Removed unofficial support for Node.js 19.x
- Switched from `libxmljs` to `libxmljs2` as XML parser where binaries are available for up to at least Node.js 24
🐳 Docker
- Official Docker image now uses Node.js 22.x base images
- Removed pre-build step specific to `libxmljs`
🎭 Customization
- Added full-conversion DEF CON 33 theme that can be used with `NODE_ENV=defcon33 npm start`
- #2625: Added a `metricsIgnoredUserAgents` config option to configure uncommon metric collector user-agents for challenge tracking. Support for more common metric collectors has been added too, see bugfixes. (kudos to @SvenKirschbaum)
🎯 Challenges
- Added new Leaked API Key ⭐⭐⭐⭐⭐-challenge
- #2602: Added accompanying `ftp/package-lock.json` to make several Vulnerable Components category challenges more accessible
- Cross-Site Imaging challenge now uses https://cataas.com/ instead of frequently unavailable http://placecats.com/ service (⚡)
🐛 Bugfixes
- #2631: Fixed discount validation for "Forged Coupon" challenge to only trigger for 80%+ as intended
- #2625: Fixed metric challenge getting solved by non-Prometheus monitoring agents, e.g. OpenTelemetry collector (kudos to @SvenKirschbaum)
v17.3.0
🅰️ Frontend
- Updated frontend to Angular 19.x and Angular Material 19.x (kudos to @logz254)
🎨 User Interface
- #2541: Language selection dropdown is now searchable to make finding your preferred language even faster! (kudos to @AnvitaPrasad)
🐛 Bug Fixes
- Fixed issue causing colors from themes not getting displayed correctly
🧹 Technical Debt Reduction
- Migrated all server code to use ESM syntax for imports and exports
- Replaced `node-fetch` and `request` with the new built-in `fetch` HTTP client in Node.js
🐳 Docker
- Update base image from debian 11 to debian 12
v17.2.0
This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop!
🅰️ Frontend
- Updated frontend to Angular 17.x and Angular Material 17.x (kudos to @martinakraus, @thomasbreland, @hxrshxz, @ayushrajparihar and @alekszivko for the help and hard work on this 🙌)
🎯 Challenges
- Added new Memory Bomb ⭐⭐⭐⭐⭐-challenge
- Cross-Site Imaging challenge now uses http://placecats.com instead of abandoned http://placekitten.com service (⚡)
🔧 Configuration
- Added `blueSkyUrl` and `mastodonUrl` to `social` section of configuration
🎨 User Interface
- Added BlueSky and Mastodon links to About Us screen
🐛 Bugfixes
- #2341: Fixed "Product Tampering" challenge verification to work in any selected language
- #2365: Restored prevention of unintentional RCE in NoSQL challenges (kudos to @KapilSareen)
- #2384: Now checking challenge continue code for invalid characters before processing (kudos to @drwtsn95)
- #2404: Fixed "Upload Size" challenge verification to trigger properly in all situations (kudos to @criticic)
- #2317: Hacking Instructor script is now again lazy-loaded into the browser (kudos to @alekszivko)
v17.1.1
🛒 Product Inventory
- Added DSOMM & Juice Shop User Day Ticket as in-app advertisement for the corresponding real-world event
v17.1.0
👟 Runtime
- Added support for Node.js 22.x
🎨 User Interface
- #2261: Improved visuals of scrollbars on Score Board challenge panels with longer description text (kudos to @ThReinecke)
👨‍🏫 Tutorials
- #2273: Added tutorial script for "Admin Section" ⭐⭐-challenge (kudos to @ThReinecke)
- #2278: Added tutorial script for "Reflected XSS" ⭐⭐-challenge (kudos to @ThReinecke)
- #2286: Helper function now better recognizes when DevTools have been opened during a tutorial (kudos to @ThReinecke)
🐛 Bugfixes
- #2303: Reverted dependency optimization resulting in `build/` artifacts missing for production builds
- #2266: Fixed long name of OWASP in Welcome Banner text (kudos to @stuebingerb)
- #2279: Hiding button to launch hacking instructor from Score Board when `hackingInstructor.isEnabled` is `false`
- #2279: Hiding or disabling button to launch coding challenge from Score Board according to `challenges.codingChallengesEnabled` being `never`, `always` or `solved`
v17.0.0
This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.
🎯 Challenges
- #2198: Added new Security Advisory ⭐⭐⭐-challenge
🎨 UI
- Removed legacy Score Board and all related settings and services (⚠️)
- Removed re-routing of legacy `challenge=<name>` parameter obsoleted by OWASP/OpenCRE#467 (⚠️)
🧹 Housekeeping
- Changed back to `libxmljs` because `libxmljs2` is no longer maintained
  - Installation from source on Node.js 18-20 will download pre-built binaries for the underlying C++ library as in `libxmljs2`
  - Installation from source code on Node.js >20 currently requires C++ binaries to be built during installation (⚠️)
💾 Local Backup
- Removed `scoreBoard` subsection from backup format along with removal of legacy Score Board (compatible with the `version: 1` backup format as the subsection from older exports would now simply be ignored during import)
🕵️ Cheat Detection
- Further pre-solve interactions after the first with the same expected URL will no longer be counted
- Cheat score is increased by half the percentage of missing expected pre-solve interactions with the server
🎭 Custom Theming
- Adjusted image URLs in `7ms` theme and extended with photo wall entries and new products
🐳 Docker
- #2447: Significantly reduce Docker image size by omitting unneeded dependencies
v16.0.1
v16.0.0
This release brings technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.
👟 Runtime
- Added support for Node.js 21.x
- Removed support for Node.js 16.x and no longer provide packaged distributions for this version (⚠️)
- Removed unofficial support for Node.js 17.x
🎨 UI
- 1946f2e: The new Score Board introduced with `v15.1.0` is now the default
- Inverted banners and option to switch layouts to allow setting the legacy Score Board as default
- #2152: Enhanced scrolling behavior in Coding Challenge modal to keep buttons always visible (kudos to @bogminic)
🕵️ Cheat Detection
- #2150: Switched to median instead of average to calculate total cheat score
- Monitor and report on expected URL interactions to happen before related challenges are solved (no score impact yet)
🔙 Backward compatibility
- #2149: Links to `/#/score-board?challenge=<name>` will now be rewritten into /#/score-board?searchQuery= to keep existing OpenCRE links working
⚙️ DevOps Automation
- Update default Node.js version for non-matrix build jobs to 20.x
- Update Node.js version in base Docker images to 20.x
v15.3.0
🎨 User Interface
- #2116: Introduced full responsiveness to Digital Wallet, Crypto Wallet, Token Sale, Juicy Chatbot SBT, Web3 Code Sandbox, and Bee Haven screens (kudos to @rishabhkeshan)
👮 Startup Validations
- 98c1941: Added warning-only startup check for domains (on Internet) being reachable from the server
  - https://www.alchemy.com/ is needed for the "Mint the Honeypot" and "Wallet Depletion" challenges
💾 Local Backup
- Added optional `scoreBoard.scoreBoardVersion` property to persist/restore `score-board-version` property from/to browser local storage
🐛 Bugfixes
- #2120: Replaced all references `github.com/bkimminich/juice-shop` with `github.com/juice-shop/juice-shop`
⚙️ DevOps Automation
- #2115: Unstuck Angular installation in configuration for GitHub Codespaces (kudos to @MatteoGheza)
🌐 I18N
- #2105: Add translation support for Crypto Wallet screen
- Add translation support for Web3 Code Sandbox screen
- Add translation support for Bee Haven and Juicy Chatbot SBT screen (kudos to @MatteoGheza)
- Extended 🇨🇳, 🇹🇷 and 🇩🇪 translations
- Added 🇧🇩 to language dropdown
v15.2.1
🐛 Bugfixes
- Added pinned dependency on `"zustand": "4.4.1"` to avoid build error due to subdependency issue https://github.com/pmndrs/zustand/discussions/2095