chore(deps): update dependency binwiederhier/ntfy to v2.26.0 #90
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate/binwiederhier-ntfy-2.x"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
v2.23.0→v2.26.0Release Notes
binwiederhier/ntfy (binwiederhier/ntfy)
v2.26.0Compare Source
This release hardens message templates, which are now executed with a hard-capped execution timeout. This closes
a denial-of-service hole.
On the web app side, it adds configurable date and time formats, a smoother loading and page-transition experience,
and a fix that strips unsafe URL protocols from rendered Markdown.
Security:
Template: yes), #1826, thanks to @alanturing881 for reporting)Features:
Bug fixes + maintenance:
GET /accountnow reads from the primary database instead of a read replica, so the account view no longer shows stale data right after a change when replicas lag behindjavascript:,data:, ...) from links and images in Markdown-rendered messages, so they no longer trigger an uncaught "React has blocked a javascript: URL" error (thanks to @jvoisin for reporting)v2.25.0Compare Source
This release adds password reset via email, and reworks email verification to use durable, link-based magic links (replacing the old in-memory 6-digit codes). Email stays optional at signup; a user can reset their password only once they have a verified "primary" (recovery)email.
All of this work is probably not useful for self-hosters, but it hopefully will be useful for me, since I do have to reset accounts on a regular basis.
Security issues:
crypto/rand) instead of a clock-seeded PRNGFeatures:
ntfy user reset-passCLI command for adminsX-Email: yestarget) with verified/unverified state in the account UIBug fixes + maintenance:
X-Email: yes(alsotrue/1) now sends to your primary verified email regardless of thesmtp-sender-verifysetting (previously it was rejected unless verification was enabled); it requires being logged in with a verified addressst_...) so cross-device subscription sync works underauth-default-access: deny-all(#733, #1795, thanks to @lmorchard for the contribution)<,>, and&as\u003c/\u003e/\u0026in JSON responses (#1511, #1512, thanks to @wunter8 for the contribution)v2.24.0Compare Source
The main feature for this release is an in-memory ACL cache (
auth-access-cache) that can help bring down the read load on the production database. The topic authorization queries are consistently the highest ranking queries on the database, so this will help quite a bit. The current database load is quite low, but I'm expecting it to increase as more users join and use ntfy.Security issues:
secretno longer also matches a request forSECRET. SQLite'sLIKEis case-insensitive for ASCII by default. PostgreSQL was unaffected. It's honestly incredible that this issue remained undetected for so long, especially while ntfy.sh was running on SQLite (it now runs on PostgreSQL).Features:
auth-access-cache) that serves topic authorization without a database round-trip; off by default, intended for high-volume serversntfy --versionflag to the CLI (#1722, #1748, thanks to @sskender for the contribution, and @Saucy9607 for reporting)Bug fixes + maintenance:
relattribute on auto-linked notification URLs sonoreferrer/noopenerare actually applied (#1720, thanks to @dmitrylyzo for the contribution)ntfy.serviceunit (#1467, thanks to @Velocifyer for the contribution)cmdpackage build on macOS (darwin) so the server compiles from source (#1631, #1696, thanks to @ShipItAndPray for the contribution, and @XYenon for reporting)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
05e55a2ee0to37516337c1chore(deps): update dependency binwiederhier/ntfy to v2.24.0to chore(deps): update dependency binwiederhier/ntfy to v2.25.037516337c1to5a8451620fchore(deps): update dependency binwiederhier/ntfy to v2.25.0to chore(deps): update dependency binwiederhier/ntfy to v2.26.0View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.Merge
Merge the changes and update on Forgejo.Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.