Skip to content

v0.5.2 — Bugfixes

Choose a tag to compare

@ulsklyc ulsklyc released this 01 Apr 16:32

Full Changelog: v0.5.1...v0.5.2

fix: address CodeQL security findings (v0.5.2)

  • Rate-limit SPA fallback route (missing rate limiting on fs access)
  • Add csrfMiddleware to all state-changing auth routes (logout, create
    user, change password, delete user) — previously bypassed global CSRF
    middleware due to router registration order
  • Fix incomplete vCard escaping: escape backslashes before other special
    characters to prevent injection via contact fields
  • Restrict CI GITHUB_TOKEN to contents: read (least privilege)