Security
Fixes an unauthenticated path traversal in the GET /api/v1/view/* route. The route resolved attacker-controlled input without containment, allowing reads outside the intended assets directory. Requests are now confined to the uploads directory and anything resolving outside it returns 404. (#317)
Action required after upgrading: rotate DB_SECRET_KEY in your deployment — the previous value should be treated as potentially exposed. Note this invalidates existing sessions.
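The containment rule described above (resolve the requested path, then refuse anything that lands outside the uploads directory) can be sketched as follows. This is an added example, not the project's code or the actual patch from #317. UPLOADS_DIR, resolveInside, unconfined and statusFor are hypothetical names, the request values are constructed, and it assumes the framework has already URL-decoded the wildcard value once.

```javascript
const path = require("node:path");

// Hypothetical base directory; the real uploads location is deployment-specific.
const UPLOADS_DIR = path.resolve("/srv/app/uploads");

// The class of bug the note describes: the request value is joined to the
// base directory and used as-is, so ".." segments walk out of it.
function unconfined(requested) {
  return path.join(UPLOADS_DIR, requested);
}

// Returns an absolute path strictly inside baseDir, or null if the request
// escapes it. The check is on the resolved result, not on the raw string.
function resolveInside(baseDir, requested) {
  if (typeof requested !== "string" || requested.includes("\0")) return null;
  const base = path.resolve(baseDir);
  // An absolute input such as "/etc/passwd" replaces base here and is
  // then rejected by the relative-path test below.
  const target = path.resolve(base, requested);
  const rel = path.relative(base, target);
  // ""            -> the directory itself, nothing to serve
  // ".." / "../x" -> parent or sibling (catches "/srv/app/uploads-old",
  //                  which a plain startsWith(base) test would accept)
  // absolute      -> different root or drive
  const escaped =
    rel === "" ||
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||
    path.isAbsolute(rel);
  return escaped ? null : target;
}

// Route-level behaviour from the note: outside the uploads directory is a 404.
// 200 here only means "contained, go on to read the file".
function statusFor(requested) {
  return resolveInside(UPLOADS_DIR, requested) === null ? 404 : 200;
}
```

This check is lexical only. If the uploads directory can contain symlinks, compare fs.realpath() of the target against fs.realpath() of the base as well before reading.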
Other
- Build the Docker image on Node 20 (fast-jwt now requires node >=20; Node 18 is also EOL).
Docker
docker pull n4z3m/dialoqbase:v1.11.5
Full Changelog: v1.11.4...v1.11.5