Skip to content

v0.3.1

Choose a tag to compare

@github-actions github-actions released this 13 Jul 18:51
0b1819d

Umami Compass 0.3.1 — Traffic analysis hardening

Umami Compass 0.3.1 is a focused patch release from an independent logic and code audit of the 0.3.0 traffic-analysis surface. It fixes unsafe filter composition, sparse/DST series alignment, evidence-scope mismatches, and silent upstream-data degradation without expanding the tool surface.

Important

Restart the MCP process or client after upgrading. The default and full tool counts are unchanged.

Fixes

  • Fail closed when filters.match: "any" would weaken mandatory human-traffic exclusions or derived channel predicates.
  • Fill sparse comparison series against real timezone buckets, handle DST spring-forward, and omit unsafe deltas when fall-back produces unequal local bucket counts.
  • Keep release-impact traffic and Core Web Vitals in comparable scopes; channel-specific verdicts no longer mix filtered traffic with all-channel performance.
  • Reject unsupported channel × event breakdowns and malformed expanded/breakdown rows instead of returning misleading empty results.
  • Enforce field-specific structured-filter limits plus aggregate condition, value, and 16 KiB serialized-query budgets.
  • Distinguish empty-referrer isolation from exact direct attribution and report capabilities from the actually enabled toolsets.

Safety and data quality

  • All tools remain read-only.
  • Ambiguous OR composition and malformed upstream evidence now fail closed.
  • Sparse-series output exposes alignment quality; derived deltas are omitted when bucket counts are not safely comparable.
  • Human-referrer exclusions are applied consistently to both traffic and performance evidence where Umami supports them.

Upgrade

npx --yes --prefer-online umami-compass@latest

Pin this exact patch when reproducibility matters:

npx --yes umami-compass@0.3.1

Compatibility and verification

  • Umami Cloud and self-hosted Umami 3.2+.
  • Node.js 22 or newer.
  • 100 automated tests plus lint, typecheck, build, package smoke testing, and CI on Node.js 22, 24, and 26.
  • Independently reviewed before and after the fixes; final verdict found no remaining P0–P2 issues.
  • npm publication includes SLSA provenance.

Release links