v2.24.0

🚀 Features

• chore: update default Node.js from 22 to 24
  • PRs: #2373 #2374
• feat: upgrade baconjs from v1.0.1 to v3.0
  • PR: #2384
• feature: default allow_readonly to false when security is enabled
  • PR: #2366
• fix(streams): set default TCP idle timeout to 60 seconds
  • PR: #2465
• Add EXTERNALSSL env var for proxy-terminated TLS
  • PR: #2484
• feat: Authenticate WebSocket provider connections to secured remote servers
  • PR: #2365
• feat: make server-admin-ui-react19 the main server-admin-ui
  • PR: #2441
• feat(plugins): isolate plugin crashes from server process
  • PR: #2447
• feat(appstore): show update-disabled plugins in admin UI
  • PR: #2467
• fix(admin-ui): warn about disk space when enabling data logging
  • PR: #2463
• fix(streams): fetch remote metadata on demand via HTTP
  • PR: #2449
• feat(admin-ui): R19 Show node/npm version and compatibility warnings in admin UI footer
  • PR: #2443
• fix: extend atomic writes to all config file saves
  • PR: #2461
• refactor(history): add HistoryProvider type and HistoryProviderRegistry
  • PR: #2495

🐛 Fixes

• fix(streams): handle serial port write backpressure correctly
  • PR: #2464
• fix(course): use courseApi provider id for v2 deltas
  • PR: #2450
• fix(udp): report connection status to dashboard
  • PR: #2469
• fix(settings): correct mDNS default status in admin UI
  • PR: #2471
• fix(admin-ui): encode connection ID in provider API URLs
  • PR: #2470
• fix(rest): serve snapshot at spec-compliant path /signalk/v1/snapshot
  • PR: #2473
• fix(appstore): handle invalid semver versions gracefully
  • PR: #2456
• fix(admin-ui): bridge legacy React plugins in React 19 admin UI
  • PR: #2452
• fix(security): make token expiration "NEVER" case-insensitive
  • PR: #2459
• fix(meta): prevent deleted metadata fields from reappearing
  • PR: #2482
• fix(admin-ui): use separate R16 share scope for legacy plugin bridge
  • PR: #2496
• fix: persist unit preferences in config directory instead of package directory
  • PR: #2454
• fix: Validate permissions in device access requests
  • PR: #2445
• feat(security): add sliding session token refresh
  • PR: #2476
• fix(resources): return 404 for nonexistent resource ID
  • PR: #2462
• fix(security): require admin auth for config mutation endpoints
  • PR: #2505
• fix(security): add auth middleware for v2 API endpoints
  • PR: #2506
• fix(demo): enable security with readonly access for demo.signalk.org
  • PR: #2509
• fix(admin-ui): preserve enabled state when editing data connections
  • PR: #2511
• fix(security): validate from field in JSON patch prototype pollution guard
  • PR: #2518
• fix(subscriptions): coerce period and minPeriod to number
  • PR: #2526

📦 Uncategorized

• Replace express-easy-zip with archiver to fix glob deprecation
  • PR: #2213
• chore(deps): remove unused fix and express-namespace
  • PR: #2442
• fix: Deduplicate geolib to single version
  • PR: #2444
• Replace heavy dependencies in signalk-server-setup with lighter alternatives
  • PR: #2479
• feature: add TypeBox schemas for OpenApi data objects
  • PR: #2480
• test(security): add auth tests for config and v2 API endpoints
  • PR: #2507