Immutable release. Only release title and notes can be modified.
hashavatar-api 1.1.0
This release updates hashavatar-api to the hashavatar 1.1.0 renderer and expands the public demo site while tightening several security and release-path details.
Highlights
- Updated hashavatar-api to 1.1.0.
- Updated the renderer dependency to crates.io hashavatar 1.1.0.
- Added a large TOML-backed website translation set with RTL support where needed.
- Added a searchable, scrollable language selector for the expanded language list.
- Added privacy-policy wording that translations are AI-assisted/best-effort and can be improved on GitHub.
- Added privacy-preserving OpenTelemetry metrics for aggregate page views, clicks, outbound links, avatar generation, and visitor interaction patterns.
- Kept telemetry bounded and non-identifying: no raw IDs, tenant/style namespaces, IPs, user agents, referrers, cookies, full URLs, or free-form text in telemetry labels.
Security And Hardening
- Added rate limiting for telemetry endpoints.
- Added a dedicated telemetry rate-limit bucket.
- Improved rate limiting with a sliding-window approximation to reduce boundary bursts.
- Added early avatar size validation before render semaphore acquisition.
- Escaped shared page i18n heading/lead text before HTML body insertion.
- Restricted remote OTLP endpoints to HTTPS, while still allowing localhost loopback collectors for development.
- Preserved strict CSP behavior for inline scripts via nonces.
- Kept the language selector CSP-compatible.
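The sliding-window approximation mentioned in the rate-limiting item above, sketched as an added example that is not code from hashavatar-api. The type and function names, the limit of 10, the 1000 ms window and the request timings are all assumptions chosen for illustration.

```rust
// Added illustration, not hashavatar-api code. Names, limits and timings are assumptions.
/// Sliding-window counter: the previous fixed window's count is weighted by
/// the fraction of it that still overlaps the trailing window ending at `now`.
pub struct SlidingWindow {
    limit: u64,     // max requests per window
    window_ms: u64, // window length in milliseconds
    index: u64,     // current fixed-window index (now_ms / window_ms)
    current: u64,   // requests accepted in the current window
    previous: u64,  // requests accepted in the window before it
}

impl SlidingWindow {
    pub fn new(limit: u64, window_ms: u64) -> Self {
        Self { limit, window_ms, index: 0, current: 0, previous: 0 }
    }

    /// Returns true, and records the request, if it fits under the limit.
    pub fn allow(&mut self, now_ms: u64) -> bool {
        let idx = now_ms / self.window_ms;
        if idx > self.index {
            // Carry the old count over only when the windows are adjacent.
            self.previous = if idx == self.index + 1 { self.current } else { 0 };
            self.current = 0;
            self.index = idx;
        }
        let remaining = self.window_ms - now_ms % self.window_ms;
        // Estimate scaled by window_ms so the weighting stays in integers.
        let used = self.previous * remaining + self.current * self.window_ms;
        if used + self.window_ms > self.limit * self.window_ms {
            return false;
        }
        self.current += 1;
        true
    }
}

/// Constructed scenario: fill the limit at t=900 ms, then send `limit` more
/// requests at `at_ms`. Returns how many of that second burst are accepted.
pub fn burst_accepted(limit: u64, at_ms: u64) -> u64 {
    let mut rl = SlidingWindow::new(limit, 1000);
    for _ in 0..limit {
        rl.allow(900);
    }
    (0..limit).filter(|_| rl.allow(at_ms)).count() as u64
}

fn main() {
    // A fixed 1000 ms window would accept all 10 of the second burst at t=1050.
    println!("accepted at 1050 ms: {}", burst_accepted(10, 1050));
}
```

With a plain fixed window the counter resets at t=1000 ms, so a client could send 20 requests within 150 ms; here the second burst is admitted gradually as the previous window's weight decays.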
Container And CI
- Updated GitHub checkout action to actions/checkout@v7.0.0.
- Fixed the Wolfi container build by copying compile-time locale config into the build stage.
- Verified the Wolfi image locally with /healthz, /, and WebP avatar generation.
- Release image tag for the fixed container build: v1.1.0-release.
Verification
- scripts/checks.sh passes.
- 68 tests pass.
- Clippy passes.
- Cargo deny and cargo audit pass.
- Local Wolfi container smoke test passes.