Hashavatar API 1.1.0

@eldryoth eldryoth released this 24 Jun 19:18
Immutable release. Only release title and notes can be modified.
v1.1.0-release
2a9f37b

hashavatar-api 1.1.0

This release updates hashavatar-api to the hashavatar 1.1.0 renderer and expands the public demo site while tightening several security and release-path details.

Highlights

  • Updated hashavatar-api to 1.1.0.
  • Updated the renderer dependency to crates.io hashavatar 1.1.0.
  • Added a large TOML-backed website translation set with RTL support where needed.
  • Added a searchable, scrollable language selector for the expanded language list.
  • Added privacy-policy wording that translations are AI-assisted/best-effort and can be improved on GitHub.
  • Added privacy-preserving OpenTelemetry metrics for aggregate page views, clicks, outbound links, avatar generation, and visitor interaction patterns.
  • Kept telemetry bounded and non-identifying: no raw IDs, tenant/style namespaces, IPs, user agents, referrers, cookies, full URLs, or free-form text in telemetry labels.

Security And Hardening

  • Added rate limiting for telemetry endpoints.
  • Added a dedicated telemetry rate-limit bucket.
  • Improved rate limiting with a sliding-window approximation to reduce boundary bursts.
  • Added early avatar size validation before render semaphore acquisition.
  • Escaped shared page i18n heading/lead text before HTML body insertion.
  • Restricted remote OTLP endpoints to HTTPS, while still allowing localhost loopback collectors for development.
  • Preserved strict CSP behavior for inline scripts via nonces.
  • Kept the language selector CSP-compatible.
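
The sliding-window approximation named in the rate-limiting item above, as an added example that is not hashavatar-api's own code: it weights the previous window's count by the share of that window still in view, so a burst straddling a boundary is not admitted twice. All type and function names, the 60 s window, the limit of 10 and the sample timestamps are assumptions constructed for illustration.

```rust
use std::collections::HashMap;
#[derive(Default)]
struct Bucket { window_index: u64, current: u64, previous: u64 }
/// Sliding-window counter (illustrative; names are assumptions, not the project's).
pub struct SlidingWindowLimiter { window_ms: u64, limit: u64, buckets: HashMap<String, Bucket> }
impl SlidingWindowLimiter {
    pub fn new(window_ms: u64, limit: u64) -> Self { Self { window_ms, limit, buckets: HashMap::new() } }
    /// Returns true if the request is admitted; `now_ms` is supplied by the caller.
    pub fn allow(&mut self, key: &str, now_ms: u64) -> bool {
        let idx = now_ms / self.window_ms;
        let b = self.buckets.entry(key.to_string()).or_default();
        if idx > b.window_index {
            // Roll over; the old count only carries forward from the adjacent window.
            b.previous = if idx == b.window_index + 1 { b.current } else { 0 };
            b.current = 0;
            b.window_index = idx;
        }
        // Weight the previous window by the share of it still inside the trailing window.
        let elapsed = now_ms % self.window_ms;
        let weighted_prev = b.previous * (self.window_ms - elapsed) / self.window_ms;
        if weighted_prev + b.current >= self.limit { return false; }
        b.current += 1;
        true
    }
}

/// Fixed-window baseline: the counter resets at every window boundary.
pub fn fixed_window_admitted(times_ms: &[u64], window_ms: u64, limit: u64) -> usize {
    let mut counts: HashMap<u64, u64> = HashMap::new();
    times_ms.iter().filter(|&&t| {
        let c = counts.entry(t / window_ms).or_insert(0);
        if *c < limit { *c += 1; true } else { false }
    }).count()
}

pub fn sliding_window_admitted(times_ms: &[u64], window_ms: u64, limit: u64) -> usize {
    let mut limiter = SlidingWindowLimiter::new(window_ms, limit);
    times_ms.iter().filter(|&&t| limiter.allow("telemetry", t)).count()
}

/// Constructed sample: 10 requests just before the 60 s boundary, 10 just after.
pub fn boundary_burst() -> Vec<u64> {
    (0..10u64).map(|i| 59_900 + i).chain((0..10u64).map(|i| 60_000 + i)).collect()
}

fn main() {
    let burst = boundary_burst();
    println!("fixed: {}, sliding: {}", fixed_window_admitted(&burst, 60_000, 10), sliding_window_admitted(&burst, 60_000, 10));
}
```

With a limit of 10 per window, the fixed-window baseline admits all 20 requests of the constructed burst, while the sliding-window estimate admits 11 and recovers capacity gradually as the previous window ages out.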

Container And CI

  • Updated GitHub checkout action to actions/checkout@v7.0.0.
  • Fixed the Wolfi container build by copying compile-time locale config into the build stage.
  • Verified the Wolfi image locally with /healthz, /, and WebP avatar generation.
  • Release image tag for the fixed container build: v1.1.0-release.

Verification

  • scripts/checks.sh passes.
  • 68 tests pass.
  • Clippy passes.
  • Cargo deny and cargo audit pass.
  • Local Wolfi container smoke test passes.