Skip to content

v2.20.2: audit round 3

Choose a tag to compare

@nicglazkov nicglazkov released this 13 Jul 20:36
30d72f7

Tightened the web-push endpoint allowlist to exact push-service hosts and stopped forwarding raw exception text into the assistant's context. This release accompanies a live-verification pass confirming rate-limit spoofing is defeated, auth rejects bad tokens, database rules are deny-all, and the share pages resist injection.