Releases: CodesWhat/drydock
Release list
v1.5.1
v1.5.1
Full Changelog: v1.5.1-rc.6...v1.5.1
[1.5.1] — 2026-07-09
Consolidates the 1.5.1-rc.1 … 1.5.1-rc.6 prereleases. Users upgrading from 1.5.0
get everything below; users already on a 1.5.1 release candidate get the rc.6 fixes.
Added
-
Container software version in the detail panels and a new Version column in the containers table. Drydock now surfaces the application version baked into an image — read from the
org.opencontainers.image.versionOCI label, falling back to the running container's inspect metadata — asimage.softwareVersion. It appears in the container side panel, the full-page detail view, and a new Version column in the containers table. The existing Tag column (column keyversion, preserved so saved column preferences keep working) continues to show the image tag; the new Version column showsimage.softwareVersion, falling back to the tag when no software version is available.dd.inspect.tag.pathnow dual-writes the extracted value intoimage.softwareVersionas well as overwriting the image tag, so the Version column is populated for inspect-path containers with no label change needed. The Version column is visible by default for new installs; existing users have it inserted into their saved column list automatically on first load after upgrading. (#209) -
dd.inspect.tag.version-onlyopt-in label. Whendd.inspect.tag.pathis set, the extracted value normally overwrites the image tag (enabling update detection against the semver embedded in the running container). Settingdd.inspect.tag.version-only=trueroutes the extracted value toimage.softwareVersiononly, leaving the real image tag intact for update detection. This is useful when the inspect path carries a displayable application version that differs in format from the registry tag — the Version column shows it without disrupting how drydock matches updates. The default (tag overwrite) is unchanged when the label is absent. (#209) -
Intermediate release notes between the running and target version. When a container is several versions behind, drydock now fetches the releases between the running tag (exclusive) and the update target (inclusive) and shows them in the release-notes popover. Best-effort and semver-only — date tags and rolling tags (
latest,stable) fall back to the standard two-panel view. Cap the range withDD_RELEASE_NOTES_MAX_INTERMEDIATE(default20; set to0to disable). When the range exceeds the cap, the popover shows a non-silent "N older releases not shown" notice. Supports the__FILEsecret-file convention (DD_RELEASE_NOTES_MAX_INTERMEDIATE__FILE). (#453) -
New
GET /api/containers/{id}/intermediate-release-notesendpoint. Lazy-loads the intermediate release list on demand when the release-notes popover opens; not embedded in the container model or agent snapshot, so it adds no ongoing payload weight. Acceptsfrom(required) andto(defaults to the container's pending update tag) query parameters. (#453) -
Optional mount-prefix fallback for Docker Compose path matching. When a watched container's resolved compose file path differs from the trigger's configured compose file only by a mount prefix (common with Portainer and bind-mounted compose files), drydock can now match on the trailing
<project-dir>/<file>tail instead of skipping the container. Off by default — enable it per trigger withDD_ACTION_DOCKERCOMPOSE_<name>_MOUNT_PREFIX_FALLBACK=true. It stays opt-in because tail matching cannot distinguish two stacks that share a project-directory name across environments (e.g./prod/myappvs/staging/myapp). (#365) -
$currentReleaseNotestrigger template variable. Trigger templates (notification bodies, command arguments, and the like) can now reference$currentReleaseNotesto include the release notes for the container's currently running version, alongside the existing variable for the update target's notes. (#295) -
Container uptime. The side panel and full-page detail view now show how long a container has been running (from the Docker
State.StartedAttimestamp), and a new opt-in Uptime column can be enabled in the containers table via the column picker. The value updates live and falls back to an em-dash when the start time is unknown. -
Warn log when a
dd.source.repocontainer label shadows a trusted OCI image source label. Adding add.source.repolabel to a running container when the image already carries a trustedorg.opencontainers.image.source(ororg.opencontainers.image.url) OCI label silently downgrades source resolution from trusted to untrusted, which drops the GHCR token fallback for release-notes lookups. Drydock now logs awarn-level line each watch cycle when it detects this conflict, naming both repos. (#452) -
Remote agents now report their log level and watcher schedule. The agent handshake (
dd:ack) includeslogLevelandpollInterval(the watcher's cron), so theGET /api/v1/agentsresponse and the Agents view populate these fields for connected agents instead of leaving them blank.
Changed
-
The entire UI is now translatable. The last hardcoded English strings (dashboard widgets, security view, detail panels, host-status labels, the log viewer's invalid-regex notice, and SSE update-failed fallbacks) were extracted into the vue-i18n catalogs, so every surface now resolves through the translation system. Combined with the newly opened community translation project on Crowdin, contributors can translate any part of the interface. The 16 community locales ship with this release, synced from Crowdin.
-
Maturity gate counts from the registry publish date when trustworthy. For Docker Hub and GHCR (including lscr.io), the gate now measures elapsed time from the real image push date (
last_updated/updated_at) instead of from when drydock first detected the update. An image that has been public longer thanmaturityMinAgeDaysclears the gate immediately on the first scan that finds it. All other registries expose only the OCI image build date, which is not a reliable push signal, so drydock falls back to its own first-detection timestamp (updateDetectedAt) for those. A trusted publish date is skipped if it fails to parse or is in the future (clock-skew protection). -
DD_RELEASE_NOTES_GITHUB_TOKENis now forwarded to release-notes lookups for repos resolved from add.source.repocontainer label or a persistedcontainer.sourceRepovalue. Previously these sources were always fetched anonymously. The GHCR token fallback stays restricted to trusted sources (OCI image labels and GHCR image paths) and is never sent to a container-label source. Because the dedicated token can be sent to a repo named by a container label, scope it narrowly: a classic PAT withpublic_reposcope only, or a fine-grained PAT with read-only Contents permission limited to public repositories and no write or account permissions. (#452) -
Container validation now tolerates fields written by newer drydock versions. The store validator no longer rejects unknown keys, so a
dd.jsonwritten by a newer release stays readable after a downgrade. Note: this protects downgrades from v1.5.1 onward — rolling back from v1.5.1 to v1.5.0 (which predates this change) still requires removing the newdetails.startedAtandimage.softwareVersionfields fromdd.json, since v1.5.0 rejects them. -
Coverage reporting moved from Codecov to Qlty Cloud. Part of the org-wide consolidation onto Qlty (one vendor for code quality and coverage). CI now publishes the normalized app/ui lcov reports to Qlty Cloud via GitHub OIDC — no stored coverage token — replacing the Codecov upload and
codecov.yml. The vitest 100% coverage thresholds in the app/ and ui/ test suites remain the enforced gate; the README coverage badge now points at Qlty.
Fixed
-
Maturity gate (
maturityMode: 'mature') never triggered; the first-detection timestamp was never computed. The function that stampsupdateDetectedAtreturnedundefinedimmediately wheneverupdateAvailablewasfalse, which is always the case while maturity suppression is active, so the timestamp was never computed and the maturity clock never started. Containers blocked by the maturity gate remained permanently "maturing" and never became update-available. -
Maturity clock reset on every container recreation. When a container was stopped and recreated (Portainer stack redeploy,
docker compose down && up), its new Docker container ID caused drydock to treat it as a fresh container, resettingupdateDetectedAtto zero. Containers that are frequently redeployed could never accumulate enough age to clear the gate. The clock is now keyed on a stable container identity and survives recreation as long as the same update remains pending, including the common case where a slow image pull means the replacement container isn't yet visible when the old one is pruned. -
A changed update candidate now restarts the maturity soak. When a new image digest or tag is published while an earlier update is still inside the maturity window, the gate restarts the clock for the new candidate instead of letting it inherit the previous candidate's elapsed time. A freshly pushed image always soaks for the full
maturityMinAgeDaysrather than being treated as already mature. (Local watches previously kept the original detection time here; remote-agent containers already behaved this way.) -
In-memory container cache key collision. The cache key joined watcher name and container name with
_, somy_prod+nginxandmy+prod_nginxproduced the same key. A wrong cache hit could apply a stale security scan result or maturity timestamp from one container to a different container, most visibly after a recreation event. The separator is now::. -
**Docker an...
v1.5.1-rc.6
v1.5.1-rc.6
Full Changelog: v1.5.1-rc.5...v1.5.1-rc.6
[1.5.1-rc.6] — 2026-07-05
Fixed
- Home Assistant-style PEP 440 nightly tags (and other lossy version formats) no longer masquerade as a stable "suggested pin". Tag suggestions for
latest/untagged containers relied onsemver.coerce()as a last-resort parser, which silently drops any suffix it doesn't understand — a PEP 440 dev/post release (2026.8.0.dev202607050315,1.2.3.post1), an OS-variant suffix (3.11-bullseye), or a hyphenated CalVer date (2024-01-15) all coerced down to a baremajor.minor.patchand got offered as "stable". Suggestions now reject any candidate tag that required this lossy coercion unless the raw tag is itself a bare numeric version (optionallyv-prefixed, 1-3 dot-separated groups) that provably lost nothing. The containers table also now renders the suggested-tag hint through the existingSuggestedTagBadgecomponent (labeled "Suggested" with a tooltip) instead of an unlabeled raw string next to the Digest/NEW badges. (#473) - "Click to copy" did nothing and logged a TypeError on deployments served over plain HTTP (the common self-hosted LAN setup), because the browser Clipboard API only exists in secure contexts. Copying now falls back to the legacy execCommand technique when the API is missing or rejects, covers the log viewer's Copy button too, and shows a "Copy failed" state instead of failing silently when no copy mechanism works at all. (#472)
- An open tooltip whose text changed — like the copy button's "Copied" confirmation — stayed stuck on the old text until you moved the mouse away and back. Clicking to copy hid the tooltip outright, so the "Copied"/"Copy failed" state never appeared until a re-hover. Tooltips now update their text in place while open, reposition themselves for the new content, and reappear immediately if the pointer never left. (#472)
- Three call sites bound a second tooltip directly onto a copyable tag's root element (the containers table's digest-delta tooltip and two spots in the dashboard's recent-updates widget), so it silently clobbered the tag's own copy-state tooltip — duplicate listeners and, after the content-change re-show above, occasional spurious re-shows while hovering. The informative text now flows into the tag's own tooltip via a new
idleTooltipprop instead of stacking a second directive on the same element. (#472)
Warning
Upgrade notes: behavioral changes, please read before updating. Three security-hardening fixes that change runtime behavior first shipped in 1.4.6 and carry through the entire 1.5 line. Anyone updating from a release older than 1.4.6 is affected, whatever version you land on (1.4.6, any 1.5.x, or later), because these changes sit across the 1.4.6 boundary rather than in one specific version. These are not deprecations: there is no compatibility shim or grace period, so a previously-working deployment can change behavior on upgrade.
- OIDC login now requires
authorization_endpointin your provider's discovery metadata. The authorization-redirect allowlist no longer falls back to a broad same-origin match. Mainstream identity providers (Keycloak, Authentik, Authelia, Okta, Google, Entra/Azure AD, Zitadel, …) publish this field and are unaffected. If your/.well-known/openid-configurationdoes not advertiseauthorization_endpoint, OIDC sign-in will now fail closed — make sure the discovery document exposes it. - Unauthenticated rate-limit buckets now key on the TCP peer address instead of
X-Forwarded-For. Behind a reverse proxy (nginx / Traefik / Caddy), all unauthenticated clients now share a single bucket (the proxy's address), regardless ofDD_SERVER_TRUSTPROXY. Internet-facing or multi-user instances may begin to see unexpected429 Too Many Requestson unauthenticated endpoints. Authenticated requests are keyed per session and are unaffected. - HTTP-trigger
proxyURLs must now use thehttp://orhttps://scheme. Any other scheme (e.g.socks5://) is rejected at config load. Such values were previously accepted but only ever treated as an HTTP proxy — switch to anhttp(s)://proxy URL.
v1.5.1-rc.5
v1.5.1-rc.5
Full Changelog: v1.5.1-rc.4...v1.5.1-rc.5
[1.5.1-rc.5] — 2026-07-02
Fixed
- Grouped "Update All" buttons could scroll out of view after upgrading to rc.4. The new Version column added in rc.4 widened the containers table for existing users, and at moderate desktop widths the table overflowed horizontally in a way its responsive column-hiding never accounted for: columns were only ever laid out at their preferred widths, so the per-stack Update All button — positioned at the far end of the group header row — ended up past the visible edge while everything else looked normal. Tables now shrink columns proportionally toward their minimum widths when space is tight (matching the widths the responsive logic already budgets for), and the group header's Update All button is additionally pinned to the visible edge, so it stays reachable even when a table legitimately overflows. (#467)
Warning
Upgrade notes: behavioral changes, please read before updating. Three security-hardening fixes that change runtime behavior first shipped in 1.4.6 and carry through the entire 1.5 line. Anyone updating from a release older than 1.4.6 is affected, whatever version you land on (1.4.6, any 1.5.x, or later), because these changes sit across the 1.4.6 boundary rather than in one specific version. These are not deprecations: there is no compatibility shim or grace period, so a previously-working deployment can change behavior on upgrade.
- OIDC login now requires
authorization_endpointin your provider's discovery metadata. The authorization-redirect allowlist no longer falls back to a broad same-origin match. Mainstream identity providers (Keycloak, Authentik, Authelia, Okta, Google, Entra/Azure AD, Zitadel, …) publish this field and are unaffected. If your/.well-known/openid-configurationdoes not advertiseauthorization_endpoint, OIDC sign-in will now fail closed — make sure the discovery document exposes it. - Unauthenticated rate-limit buckets now key on the TCP peer address instead of
X-Forwarded-For. Behind a reverse proxy (nginx / Traefik / Caddy), all unauthenticated clients now share a single bucket (the proxy's address), regardless ofDD_SERVER_TRUSTPROXY. Internet-facing or multi-user instances may begin to see unexpected429 Too Many Requestson unauthenticated endpoints. Authenticated requests are keyed per session and are unaffected. - HTTP-trigger
proxyURLs must now use thehttp://orhttps://scheme. Any other scheme (e.g.socks5://) is rejected at config load. Such values were previously accepted but only ever treated as an HTTP proxy — switch to anhttp(s)://proxy URL.
v1.5.1-rc.4
v1.5.1-rc.4
Full Changelog: v1.5.1-rc.3...v1.5.1-rc.4
[1.5.1-rc.4] — 2026-06-29
Added
-
Optional mount-prefix fallback for Docker Compose path matching. When a watched container's resolved compose file path differs from the trigger's configured compose file only by a mount prefix (common with Portainer and bind-mounted compose files), drydock can now match on the trailing
<project-dir>/<file>tail instead of skipping the container. Off by default — enable it per trigger withDD_ACTION_DOCKERCOMPOSE_<name>_MOUNT_PREFIX_FALLBACK=true. It stays opt-in because tail matching cannot distinguish two stacks that share a project-directory name across environments (e.g./prod/myappvs/staging/myapp). (#365) -
$currentReleaseNotestrigger template variable. Trigger templates (notification bodies, command arguments, and the like) can now reference$currentReleaseNotesto include the release notes for the container's currently running version, alongside the existing variable for the update target's notes. (#295) -
Container software version in the detail panels and a new Version column in the containers table. Drydock now surfaces the application version baked into an image — read from the
org.opencontainers.image.versionOCI label, falling back to the running container's inspect metadata — asimage.softwareVersion. It appears in the container side panel, the full-page detail view, and a new Version column in the containers table. The existing Tag column (column keyversion, preserved so saved column preferences keep working) continues to show the image tag; the new Version column showsimage.softwareVersion, falling back to the tag when no software version is available.dd.inspect.tag.pathnow dual-writes the extracted value intoimage.softwareVersionas well as overwriting the image tag, so the Version column is populated for inspect-path containers with no label change needed. The Version column is visible by default for new installs; existing users have it inserted into their saved column list automatically on first load after upgrading. (#209) -
dd.inspect.tag.version-onlyopt-in label. Whendd.inspect.tag.pathis set, the extracted value normally overwrites the image tag (enabling update detection against the semver embedded in the running container). Settingdd.inspect.tag.version-only=trueroutes the extracted value toimage.softwareVersiononly, leaving the real image tag intact for update detection. This is useful when the inspect path carries a displayable application version that differs in format from the registry tag — the Version column shows it without disrupting how drydock matches updates. The default (tag overwrite) is unchanged when the label is absent. (#209) -
Container uptime. The side panel and full-page detail view now show how long a container has been running (from the Docker
State.StartedAttimestamp), and a new opt-in Uptime column can be enabled in the containers table via the column picker. The value updates live and falls back to an em-dash when the start time is unknown.
Changed
- Container validation now tolerates fields written by newer drydock versions. The store validator no longer rejects unknown keys, so a
dd.jsonwritten by a newer release stays readable after a downgrade. Note: this protects downgrades from v1.5.1 onward — rolling back from v1.5.1 to v1.5.0 (which predates this change) still requires removing the newdetails.startedAtandimage.softwareVersionfields fromdd.json, since v1.5.0 rejects them.
Fixed
- Completed i18n coverage for the last untranslated UI surfaces. A code-level audit found several strings that still rendered in English for non-English users; they now resolve through the translation catalog: the trigger status badge (
active/inactive), the running/writes-composeyes/nopreview values, the "container actions disabled by server configuration" tooltip, the update-maturity "Available for N days" tooltip (the translate function is now threaded through the container mapper, which previously left the existing catalog keys unused), the grouped "Update All" success toast (which appended a raw Englishin <group>— it now interpolates the group name through a translatable key), the security-view severity tooltips (CRITICAL/HIGH/MEDIUM/LOW), the backup operationunknownfallback label, and the search-bar hint footer connectors. The new English catalog keys ship now; the 16 community locales fill in through the normal Crowdin sync after release. (#329)
Security
- Base image refreshed to clear 24 container-scan CVEs. Bumped the pinned
node:24-alpinebase from a stale digest (Node 24.16.0, Alpine 3.21) to the current digest (Node 24.18.0, Alpine 3.24) and addedlibexpatto the targetedapk upgradeset. This resolves all 11 Node binary CVEs reported by the image scan — including the one critical (CVE-2026-48930) and four high — plus 13 mediumlibexpatCVEs (now2.8.2-r0). A rebuild + rescan confirms zero critical/high/Node/libexpat findings remain. The threebusybox/ssl_clientfindings (CVE-2025-60876, medium) have no upstream fix in Alpine yet and are tracked for a later base bump. All previously pinned Alpine package versions still resolve on 3.24, so the build is otherwise unchanged.
Warning
Upgrade notes: behavioral changes, please read before updating. Three security-hardening fixes that change runtime behavior first shipped in 1.4.6 and carry through the entire 1.5 line. Anyone updating from a release older than 1.4.6 is affected, whatever version you land on (1.4.6, any 1.5.x, or later), because these changes sit across the 1.4.6 boundary rather than in one specific version. These are not deprecations: there is no compatibility shim or grace period, so a previously-working deployment can change behavior on upgrade.
- OIDC login now requires
authorization_endpointin your provider's discovery metadata. The authorization-redirect allowlist no longer falls back to a broad same-origin match. Mainstream identity providers (Keycloak, Authentik, Authelia, Okta, Google, Entra/Azure AD, Zitadel, …) publish this field and are unaffected. If your/.well-known/openid-configurationdoes not advertiseauthorization_endpoint, OIDC sign-in will now fail closed — make sure the discovery document exposes it. - Unauthenticated rate-limit buckets now key on the TCP peer address instead of
X-Forwarded-For. Behind a reverse proxy (nginx / Traefik / Caddy), all unauthenticated clients now share a single bucket (the proxy's address), regardless ofDD_SERVER_TRUSTPROXY. Internet-facing or multi-user instances may begin to see unexpected429 Too Many Requestson unauthenticated endpoints. Authenticated requests are keyed per session and are unaffected. - HTTP-trigger
proxyURLs must now use thehttp://orhttps://scheme. Any other scheme (e.g.socks5://) is rejected at config load. Such values were previously accepted but only ever treated as an HTTP proxy — switch to anhttp(s)://proxy URL.
v1.5.1-rc.3
v1.5.1-rc.3
Full Changelog: v1.5.1-rc.2...v1.5.1-rc.3
[1.5.1-rc.3] — 2026-06-28
Added
-
Intermediate release notes between the running and target version. When a container is several versions behind, drydock now fetches the releases between the running tag (exclusive) and the update target (inclusive) and shows them in the release-notes popover. Best-effort and semver-only — date tags and rolling tags (
latest,stable) fall back to the standard two-panel view. Cap the range withDD_RELEASE_NOTES_MAX_INTERMEDIATE(default20; set to0to disable). When the range exceeds the cap, the popover shows a non-silent "N older releases not shown" notice. Supports the__FILEsecret-file convention (DD_RELEASE_NOTES_MAX_INTERMEDIATE__FILE). (#453) -
New
GET /api/containers/{id}/intermediate-release-notesendpoint. Lazy-loads the intermediate release list on demand when the release-notes popover opens; not embedded in the container model or agent snapshot, so it adds no ongoing payload weight. Acceptsfrom(required) andto(defaults to the container's pending update tag) query parameters. (#453) -
Warn log when a
dd.source.repocontainer label shadows a trusted OCI image source label. Adding add.source.repolabel to a running container when the image already carries a trustedorg.opencontainers.image.source(ororg.opencontainers.image.url) OCI label silently downgrades source resolution from trusted to untrusted, which drops the GHCR token fallback for release-notes lookups. Drydock now logs awarn-level line each watch cycle when it detects this conflict, naming both repos. (#452)
Changed
-
DD_RELEASE_NOTES_GITHUB_TOKENis now forwarded to release-notes lookups for repos resolved from add.source.repocontainer label or a persistedcontainer.sourceRepovalue. Previously these sources were always fetched anonymously. The GHCR token fallback stays restricted to trusted sources (OCI image labels and GHCR image paths) and is never sent to a container-label source. Because the dedicated token can be sent to a repo named by a container label, scope it narrowly: a classic PAT withpublic_reposcope only, or a fine-grained PAT with read-only Contents permission limited to public repositories and no write or account permissions. (#452) -
Re-synced the UI translation catalogs from Crowdin. The 16 target-locale
containerComponents.jsonfiles were regenerated from the Crowdin project so their key order tracks the English source catalog, keeping the on-disk catalogs and the translation platform in lockstep as community translations land.
Warning
Upgrade notes: behavioral changes, please read before updating. Three security-hardening fixes that change runtime behavior first shipped in 1.4.6 and carry through the entire 1.5 line. Anyone updating from a release older than 1.4.6 is affected, whatever version you land on (1.4.6, any 1.5.x, or later), because these changes sit across the 1.4.6 boundary rather than in one specific version. These are not deprecations: there is no compatibility shim or grace period, so a previously-working deployment can change behavior on upgrade.
- OIDC login now requires
authorization_endpointin your provider's discovery metadata. The authorization-redirect allowlist no longer falls back to a broad same-origin match. Mainstream identity providers (Keycloak, Authentik, Authelia, Okta, Google, Entra/Azure AD, Zitadel, …) publish this field and are unaffected. If your/.well-known/openid-configurationdoes not advertiseauthorization_endpoint, OIDC sign-in will now fail closed — make sure the discovery document exposes it. - Unauthenticated rate-limit buckets now key on the TCP peer address instead of
X-Forwarded-For. Behind a reverse proxy (nginx / Traefik / Caddy), all unauthenticated clients now share a single bucket (the proxy's address), regardless ofDD_SERVER_TRUSTPROXY. Internet-facing or multi-user instances may begin to see unexpected429 Too Many Requestson unauthenticated endpoints. Authenticated requests are keyed per session and are unaffected. - HTTP-trigger
proxyURLs must now use thehttp://orhttps://scheme. Any other scheme (e.g.socks5://) is rejected at config load. Such values were previously accepted but only ever treated as an HTTP proxy — switch to anhttp(s)://proxy URL.
v1.5.1-rc.2
v1.5.1-rc.2
Full Changelog: v1.5.1-rc.1...v1.5.1-rc.2
[1.5.1-rc.2] — 2026-06-28
Changed
- The entire UI is now translatable. The last hardcoded English strings (dashboard widgets, security view, detail panels, host-status labels, the log viewer's invalid-regex notice, and SSE update-failed fallbacks) were extracted into the vue-i18n catalogs, so every surface now resolves through the translation system. Combined with the newly opened community translation project on Crowdin, contributors can translate any part of the interface.
Fixed
-
The security view now shows release notes for the running image even when no update is pending. The detail panel, table, and card surfaces previously gated the release-notes link behind "an update is available," so a container with no pending update showed nothing even though its current release notes were known. The running-tag notes now appear whenever they exist, and a "View project" link (the source repository) was added alongside them, matching the containers view. (Discussion #295)
-
The dashboard "Recent Updates" widget now uses the shared release-notes and project-link components. It previously rendered a bare release-notes anchor with no project link and no structured current/available notes. It now renders the same icon links as every other surface, fed from the container's
sourceRepo,releaseNotes, andcurrentReleaseNotes. (Discussion #295) -
Auto-apply update triggers now honor the maintenance window on every detection path. A container update detected through certain code paths could be auto-applied outside the configured maintenance window because the window check was missing on those paths. The gate is now enforced uniformly, so updates only auto-apply inside the window regardless of how the update was detected. (#321)
Security
- Suppressed a ZAP DAST false positive (rule 10049, Storable and Cacheable Content). The baseline scan flagged cacheable static responses that are not sensitive; the rule is now downgraded in
.zap/rules.tsvand the JSON-to-SARIF converter handles the suppression so the security workflow stays green without masking real findings. (#374)
Warning
Upgrade notes — behavioral changes, please read before updating. Releases 1.4.6 and the entire 1.5 line ship security-hardening fixes that change runtime behavior. These are not deprecations: there is no compatibility shim or grace period, so a previously-working deployment can change behavior on upgrade.
- OIDC login now requires
authorization_endpointin your provider's discovery metadata. The authorization-redirect allowlist no longer falls back to a broad same-origin match. Mainstream identity providers (Keycloak, Authentik, Authelia, Okta, Google, Entra/Azure AD, Zitadel, …) publish this field and are unaffected. If your/.well-known/openid-configurationdoes not advertiseauthorization_endpoint, OIDC sign-in will now fail closed — make sure the discovery document exposes it. - Unauthenticated rate-limit buckets now key on the TCP peer address instead of
X-Forwarded-For. Behind a reverse proxy (nginx / Traefik / Caddy), all unauthenticated clients now share a single bucket (the proxy's address), regardless ofDD_SERVER_TRUSTPROXY. Internet-facing or multi-user instances may begin to see unexpected429 Too Many Requestson unauthenticated endpoints. Authenticated requests are keyed per session and are unaffected. - HTTP-trigger
proxyURLs must now use thehttp://orhttps://scheme. Any other scheme (e.g.socks5://) is rejected at config load. Such values were previously accepted but only ever treated as an HTTP proxy — switch to anhttp(s)://proxy URL.
v1.5.1-rc.1
v1.5.1-rc.1
Full Changelog: v1.5.0...v1.5.1-rc.1
[1.5.1-rc.1] — 2026-06-26
Added
- Remote agents now report their log level and watcher schedule. The agent handshake (
dd:ack) includeslogLevelandpollInterval(the watcher's cron), so theGET /api/v1/agentsresponse and the Agents view populate these fields for connected agents instead of leaving them blank.
Changed
-
Coverage reporting moved from Codecov to Qlty Cloud. Part of the org-wide consolidation onto Qlty (one vendor for code quality and coverage). CI now publishes the normalized app/ui lcov reports to Qlty Cloud via GitHub OIDC — no stored coverage token — replacing the Codecov upload and
codecov.yml. The vitest 100% coverage thresholds in the app/ and ui/ test suites remain the enforced gate; the README coverage badge now points at Qlty. -
Maturity gate counts from the registry publish date when trustworthy. For Docker Hub and GHCR (including lscr.io), the gate now measures elapsed time from the real image push date (
last_updated/updated_at) instead of from when drydock first detected the update. An image that has been public longer thanmaturityMinAgeDaysclears the gate immediately on the first scan that finds it. All other registries expose only the OCI image build date, which is not a reliable push signal, so drydock falls back to its own first-detection timestamp (updateDetectedAt) for those. A trusted publish date is skipped if it fails to parse or is in the future (clock-skew protection).
Fixed
-
Maturity gate (
maturityMode: 'mature') never triggered; the first-detection timestamp was never computed. The function that stampsupdateDetectedAtreturnedundefinedimmediately wheneverupdateAvailablewasfalse, which is always the case while maturity suppression is active, so the timestamp was never computed and the maturity clock never started. Containers blocked by the maturity gate remained permanently "maturing" and never became update-available. -
Maturity clock reset on every container recreation. When a container was stopped and recreated (Portainer stack redeploy,
docker compose down && up), its new Docker container ID caused drydock to treat it as a fresh container, resettingupdateDetectedAtto zero. Containers that are frequently redeployed could never accumulate enough age to clear the gate. The clock is now keyed on a stable container identity and survives recreation as long as the same update remains pending, including the common case where a slow image pull means the replacement container isn't yet visible when the old one is pruned. -
In-memory container cache key collision. The cache key joined watcher name and container name with
_, somy_prod+nginxandmy+prod_nginxproduced the same key. A wrong cache hit could apply a stale security scan result or maturity timestamp from one container to a different container, most visibly after a recreation event. The separator is now::. -
A changed update candidate now restarts the maturity soak. When a new image digest or tag is published while an earlier update is still inside the maturity window, the gate restarts the clock for the new candidate instead of letting it inherit the previous candidate's elapsed time. A freshly pushed image always soaks for the full
maturityMinAgeDaysrather than being treated as already mature. (Local watches previously kept the original detection time here; remote-agent containers already behaved this way.) -
Docker and Docker Compose actions can pull private GCR and Google Artifact Registry images again.
getAuthPull()for the GCR and GAR providers returned the raw service-account email as the username and the private key as the password, whichdocker loginrejects, so any action trigger targeting a privategcr.ioor*-docker.pkg.devimage failed to authenticate and could not apply the update. It now returns the_json_keyusername with the service-account JSON as the password, the format Google's registry auth expects (and the same one the token-exchange path already used). -
Quay tag pagination no longer breaks on standard
Linkheaders. Thenext_pagecursor was matched with a greedy pattern that swallowed the trailing>; rel="next"from an RFC 5988Linkheader and corrupted the cursor, so repositories with more than one page of tags could silently stop paginating. The parser now readsnext_pageandlastcursors correctly from both bare-URL and RFC 5988 header forms, and still URL-encodes them to block scope injection. The inherited TrueForge provider gets the same fix.
Security
-
Custom registry TLS settings now apply to every registry request.
DD_REGISTRY_*_CAFILE,_INSECURE, and_CLIENTCERTwere honored only on the credential handshake for the GAR, GitLab, Mau, DHI, ACR, and ECR providers; the follow-up tag-list, manifest, and blob calls fell back to the system CA bundle. The custom TLS agent is now propagated to those calls, including the anonymous (no-credential) code paths in GAR, GCR, and Quay, so a private CA or aninsecuresetting is enforced end to end rather than only while fetching the token. -
Hook command environment values are sanitized against shell injection. Lifecycle hook commands run through
/bin/sh -c, and registry-controlled values (image name, tag, update digest) flowed into the hook environment unsanitized, so a crafted tag could inject shell commands into a hook script that expanded those variables unquoted. The values are now scrubbed of shell metacharacters, matching the sanitization thecommandaction already applies. -
DD_SESSION_SECRET__FILEis now honored. The session secret was read straight fromprocess.env, bypassing the__FILEsecret-file resolution every other secret uses, so the documented file form was silently ignored and the instance fell back to a generated secret on every restart. It now reads the resolved value, so a secret supplied viaDD_SESSION_SECRET__FILEis used (and, as with every other secret, the file form wins when both the file and the bare variable are set). -
Secret files are checked for unsafe permissions and trailing newlines. When a
DD_*__FILEsecret is readable by group or others, drydock logs a non-fatal warning recommendingchmod 600(skipped on Windows, where the mode bits are not meaningful). File-sourced secret values are also trimmed of a trailing newline so an editor- orecho-added\ncan't corrupt a credential, matching the common Docker*_FILEconvention. -
Debug dump and container environment no longer leak credentials. The debug dump's redaction missed SMTP passwords (
*_PASSkeys) and webhook URLs with embedded secrets, both of which appeared in the dumped environment for any authenticated user. They are now redacted, and the same*_PASSgap is closed for the container runtime environment shown via/api/containers. Registry usernames and service hostnames stay visible by design, since they aren't secrets and aid debugging.
Upgrade Notes
- One-time notification burst on first scan after upgrade (Docker Hub / GHCR containers only). Containers on Docker Hub or GHCR whose pending update is already older than
maturityMinAgeDayswill clear the maturity gate immediately on the first poll after upgrading. Notification triggers inalwaysmode will fire once for each such container. Action triggers (docker,docker-compose,command) will also fire, so containers previously held by the gate may be updated automatically on that first poll. Review your active action-trigger configuration before upgrading if you want to control the timing. This is expected behavior: those images were already mature; the gate was simply unaware of it.
Warning
Upgrade notes — behavioral changes, please read before updating. Releases 1.4.6 and the entire 1.5 line ship security-hardening fixes that change runtime behavior. These are not deprecations: there is no compatibility shim or grace period, so a previously-working deployment can change behavior on upgrade.
- OIDC login now requires
authorization_endpointin your provider's discovery metadata. The authorization-redirect allowlist no longer falls back to a broad same-origin match. Mainstream identity providers (Keycloak, Authentik, Authelia, Okta, Google, Entra/Azure AD, Zitadel, …) publish this field and are unaffected. If your/.well-known/openid-configurationdoes not advertiseauthorization_endpoint, OIDC sign-in will now fail closed — make sure the discovery document exposes it. - Unauthenticated rate-limit buckets now key on the TCP peer address instead of
X-Forwarded-For. Behind a reverse proxy (nginx / Traefik / Caddy), all unauthenticated clients now share a single bucket (the proxy's address), regardless ofDD_SERVER_TRUSTPROXY. Internet-facing or multi-user instances may begin to see unexpected429 Too Many Requestson unauthenticated endpoints. Authenticated requests are keyed per session and are unaffected. - HTTP-trigger
proxyURLs must now use thehttp://orhttps://scheme. Any other scheme (e.g.socks5://) is rejected at config load. Such values were previously accepted but only ever treated as an HTTP proxy — switch to anhttp(s)://proxy URL.
v1.5.0
Drydock v1.5.0
The reliability release — a durable update queue, a notification outbox with dead-letter recovery, live container-log streaming, full 17-locale i18n, and a top-to-bottom security-hardening sweep.
Full Changelog: v1.4.6...v1.5.0
[1.5.0] — 2026-06-22
Added
-
Trigger taxonomy split —
DD_ACTION_*andDD_NOTIFICATION_*prefixes. Action triggers (Docker, Docker Compose, Command) now useDD_ACTION_*/dd.action.*; messaging triggers (Slack, SMTP, Discord, Telegram, ntfy, Pushover, and all others) useDD_NOTIFICATION_*/dd.notification.*. All three families remain interchangeable at runtime through v1.7.0. A migration CLI (drydock config migrate --source trigger) rewrites existing configs automatically. The legacyDD_TRIGGER_*/dd.trigger.*aliases are deprecated (removal targeted v1.7.0). -
Experimental Portwing edge-agent mode. Agents behind NAT or firewalls can dial out to the controller over a persistent
wss://WebSocket instead of requiring an inbound connection. Enable withDD_EXPERIMENTAL_PORTWING=true. Uses Ed25519 public-key challenge-response auth; operator key management is exposed at/api/v1/portwing/keys. -
Real-time container log viewer. WebSocket-based live log streaming from Docker containers in the UI — ANSI color rendering, automatic JSON pretty-printing, free-text/regex search, stdout/stderr and log-level filtering, copy to clipboard, and gzip download. Available in the container detail panel and at
/containers/:id/logs. -
Notification outbox with retry and dead-letter queue. Failed notification deliveries are persisted and retried with exponential backoff + jitter. After 5 attempts (configurable), entries move to a dead-letter queue. New
/api/notifications/outboxREST surface and a dedicated UI page let operators list, retry, or discard entries. -
Durable update queue with restart recovery. Container updates are queued server-side with per-trigger concurrency limits. Queued and mid-pull operations survive controller restarts and are recovered automatically. New cancel endpoint (
POST /api/operations/:id/cancel) accepts both queued and in-flight operations. A global concurrent-update cap (DD_UPDATE_MAX_CONCURRENT) is available. -
Customizable dashboard. Drag-to-reorder, resize, and per-widget visibility toggles. New Resource Usage widget shows fleet-wide CPU and memory with top-N consumers, fed by a live fleet-stats SSE stream (
GET /api/v1/stats/summary/stream). -
Diagnostic debug dump. One-click export of redacted system state from Configuration > Diagnostics — runtime metadata, component state, Docker diagnostics, recent events, and
DD_*env vars, with sensitive values auto-redacted. Available atGET /api/v1/debug/dump. -
SSE Last-Event-ID replay. Every broadcast event carries a monotonic
<bootId>:<counter>id; clients reconnecting withLast-Event-IDreceive missed events from a 5-minute ring buffer. Clients that fall behind the buffer receive add:resync-requiredevent. -
Update-eligibility blockers on container rows. Sixteen structured blocker reasons are surfaced inline on the Containers list, so users see why a container isn't updating without opening the detail drawer. Hard blockers lock the Update button; soft blockers show a warn-and-confirm modal.
-
Per-agent Home Assistant MQTT topic segmentation (
DD_NOTIFICATION_MQTT_<name>_HASS_AGENTTOPICSEGMENT). Prevents two agents sharing the default watcher name from overwriting each other's topics. Opt-in for v1.5.x; targets default-on in v1.7.0. -
Full i18n coverage across the UI. All hardcoded strings migrated to per-namespace JSON catalogs with 17 locale options (de, es, fr, it, nl, pl, pt-BR, tr, zh-CN, zh-TW, ar, ja, ko, ru, uk, vi, plus English). Human translations synced from Crowdin.
-
Colored startup banner. Renders the whale logo as a truecolor half-block art print on interactive terminals; auto-suppressed when not a TTY or when
NO_COLORis set.
Changed
-
Action trigger default mode changed to
AUTO=oninclude. Action triggers no longer auto-update every container by default; an explicitdd.action.includelabel is required. Notification triggers are unaffected. -
Default watcher cron relaxed from hourly to every 6 hours. Reduces registry pressure for the common case; override with
DD_WATCHER_{name}_CRON. -
Consolidated security scanning on Grype; dropped Snyk. Grype now scans both the built container image and all six npm lockfiles. Snyk's GitHub SCM integration,
.snykpolicy file,security-snyk-weekly.yml, and related scripts are removed. Free gates (CodeQL, dependency-review, OpenSSF Scorecard, zizmor) continue to run on every PR. -
Healthcheck binary replaces curl. Default HEALTHCHECK now uses a 65 KB static C binary (
/bin/healthcheck). curl is retained for user-defined overrides through v1.6.0 (removal in v1.7.0). -
DD_SESSION_SECRETauto-generated and persisted when unset. On first boot without the variable set, drydock generates 64 random bytes and persists them in the store so sessions survive restarts. The env var still takes precedence. -
Tag-last release pipeline. The git tag is pushed only after the Docker image is built, pushed, signed (cosign), and attested (SLSA). If the tag exists, the image exists.
Fixed
-
Containers pinned to a fully-specified semver tag no longer climb to newer versions by default. Tags classified as
specificprecision now track digest changes only. Opt in to semver climbing withdd.tag.includeordd.tag.family=loose. -
Multi-agent deployments no longer produce spurious 409 conflicts, cross-agent container contamination, or persistent "0 running containers" in the controller UI. Root causes: the controller's local watcher was pruning remote-agent rows; agent watcher snapshots were lost when the SSE stream was half-open mid-reconnect. Fixed by scoping store reads and key derivation to
{ agent, watcher }at every call site, and having agents replay the latest snapshot to each new SSE client immediately afterdd:ack. -
Self-update overlay holds until the swap is complete. Three compounding bugs (premature overlay dismissal, unreachable finalize callback, helper container appearing in the watcher list) are fixed. A new unauthenticated
/api/v1/self-update/{operationId}/statusendpoint lets the UI poll during the restart window. -
Spurious "update failed" and "update available" notifications eliminated. False notifications arising from concurrent duplicate requests (409 race), post-update stale watcher scans, timed-out operation TTLs, and digest/batch path suppress-lifecycle gaps are all closed.
-
Live log viewer and WebSocket upgrades now work behind TLS-terminating reverse proxies. WebSocket upgrades and the log-stream origin check now honor
X-Forwarded-Host/X-Forwarded-ProtowhenDD_SERVER_TRUSTPROXYis set. -
Docker Compose update no longer destroys the running container on failure. A pre-flight architecture-compatibility check runs before removing the old container; if the recreate still fails, the original container is restored from its captured spec.
-
Registry 429/503 handling with Retry-After and per-host token bucket. Every registry HTTP call retries up to 3 times with exponential backoff honoring upstream
Retry-After; a per-host token bucket prevents self-inflicted rate limiting during large cron cycles. -
Standard Bearer token exchange now works for Chainguard, Codeberg/Forgejo, and other v2 registries that issue a WWW-Authenticate challenge.
callRegistryimplements the spec-compliant challenge-response flow with realm-host validation.
Security
-
Command trigger no longer inherits the full process environment. Child processes receive a fixed allowlist of system variables plus drydock-provided container vars. Additional variables can be whitelisted with
DD_ACTION_COMMAND_{name}_ENV. -
HTTP trigger blocks cloud metadata endpoints. Requests resolving to
169.254.0.0/16,fe80::/10, and related link-local ranges (including IPv4-mapped and IPv4-compatible spellings) are rejected before sending. Opt-out available viaDD_NOTIFICATION_HTTP_{name}_ALLOWMETADATA=true. -
CSRF same-origin enforcement hardened. Forwarded-host headers are now trusted only when Express
trust proxyis enabled;/authmutations (logout, remember) are now covered by the same-origin check; andDD_SERVER_TRUSTPROXY=true(all hops) now emits a startup warning recommending a hop count. -
Security digest templates no longer evaluated as JavaScript.
SECURITYDIGESTTITLE/SECURITYDIGESTBODYpreviously passed throughnew Function()— arbitrary code execution. The renderer now uses the same sandboxed${…}interpolation engine as all other trigger templates. -
Bearer token-endpoint requests now set
maxRedirects: 0to prevent credential exfiltration if a token endpoint returns a redirect. Applied toBaseRegistryand all providers that build their own credentialed token-fetch requests. -
Container image CVE surface cleared. Bumped
node:24-alpinebase (24.14.0 → 24.16.0),cosign(2.6.3 → 3.0.6), musl, curl, and git, clearing all HIGH/CRITICAL findings in drydock-controlled packages. Residual HIGHs inside vendored Go binaries (cosign,trivy) are sco...
v1.5.0-rc.38
v1.5.0-rc.38
Full Changelog: v1.5.0-rc.37...v1.5.0-rc.38
[1.5.0-rc.38] — 2026-06-19
Added
- Colored startup banner. When drydock starts on an interactive terminal it now renders the whale logo as a compact truecolor half-block banner followed by a
drydock v<version> · <mode>identity line. The art is baked from the master logo (drydock.png) at build time byscripts/gen-banner.mjs, so startup decodes no image. The banner is written to stderr and suppressed automatically when stdout/stderr is not a TTY orNO_COLORis set, so logs and piped output stay clean.
Changed
- Consolidated dependency/CVE scanning on Grype; dropped Snyk. Snyk's GitHub SCM integration scans the full dependency requirement graph across every
package.json/package-lock.jsonin the repo rather than the resolved, shipped dependency set, so it over-reports advisories in transitive packages the lockfile never actually resolves to — noise on top of a redundant paid integration. Grype replaces it on both axes: it scans the built container image (the image's package catalog is the dependency set actually shipped) and the six npm lockfiles (root,app,ui,e2e,apps/demo,apps/web), matching the lockfile-resolved versions instead of the manifest graph, so it does not emit the requirement-graph false positives. The free gates already in CI cover the rest — CodeQL (SAST),dependency-review(new-dependency CVEs on PRs), OpenSSF Scorecard, and zizmor — so nothing else was needed (Trivy intentionally not added; drydock is TypeScript/Node, so the Go call-graph scanner govulncheck used on sibling repos does not apply here). The newsecurity-grype.ymlruns the dependency scan on pull requests (path-filtered to dependency/Dockerfile/workflow changes) plus a weekly cron and manual dispatch, builds and scans the container image on scheduled/manual runs, and uploads distinct-category SARIF to the GitHub Security tab. Removed the.snykpolicy file, thesecurity-snyk-weekly.ymlworkflow, thesetup-snykcomposite action, and thescripts/snyk-*gate/quota scripts. - Refreshed the drydock whale logo across the app, website, demo, and docs. A new master render replaces the brand mark everywhere — the in-app logo and favicons, the website/demo favicons, PWA icons, and OpenGraph cards, and the README/docs logos (including the dark-mode variant). All brand assets are now regenerated from a single master (
drydock.png) viascripts/regenerate-brand-assets.sh. Filenames are unchanged, so the Home Assistantentity_pictureURL contract is preserved.
Security
-
Documentation site (
apps/web) js-yaml pinned to 4.2.0 (GHSA-h67p-54hq-rp68).fumadocs-mdxpulled js-yaml 4.1.1 transitively; an override forces the patched 4.2.0. Build-time dependency of the website only — not part of the shipped drydock image. -
E2E load-test harness
@opentelemetry/corepinned to 2.8.0 (CVE-2026-54285). artillery pulled@opentelemetry/core2.7.1 transitively, vulnerable to unbounded memory allocation in W3C Baggage propagation; an override forces the patched 2.8.0. Test-only dependency — not part of the shipped drydock image. -
Patched the container image's HIGH/CRITICAL CVE surface and scoped the Grype image gate. The first
grype-imagescan onmainflagged a pre-existing CVE backlog that nothing had been scanning (Snyk Container never ran — no token was configured). Bumped thenode:24-alpinebase (node 24.14.0 → 24.16.0 clearing CVE-2026-21710, musl 1.2.5 → 1.2.6, curl 8.19.0 → 8.20.0, git 2.52.0 → 2.54.0) andcosign2.6.3 → 3.0.6, which clears every HIGH/CRITICAL in the Node runtime and Alpine OS packages. The only residual HIGH/CRITICAL findings live inside the vendored Go module graphs compiled into the bundledcosignandtrivyCLI binaries (drydock shells out to them for signature verification and container scanning) — those clear only when Alpine rebuilds the packages, so a documented.grype.yamlscopes the fail-on-HIGH image gate to the dependencies drydock controls (Node, OS packages, the app npm graph) and excludes the two tool-binary locations. cosign 3.0.6 keeps theverify --output json/--certificate-identity/--certificate-oidc-issuer/--keyflags drydock's signature path uses. -
Patched a batch of newly-disclosed
undiciCVEs across the runtime and tooling workspaces. osv-scanner flagged eight undici advisories disclosed in 2026 — CVE-2026-6733, CVE-2026-6734, CVE-2026-9675, CVE-2026-9678, CVE-2026-9679, CVE-2026-9697, CVE-2026-11525, and CVE-2026-12151. The shipped backend (app) carries undici as a direct dependency and was on8.3.0, vulnerable to all eight — bumped to8.5.0, the only release clearing the full set (CVE-2026-9675 is fixed solely in 8.5.0), and pinned inoverridesas well. The dashboard build (ui) and the e2e load-test harness pulled undici7.25.0/7.26.0transitively; anoverridesentry forces7.28.0(the patched 7.x line) in each — build- and test-only, not part of the shipped image. -
Patched
nodemailerto 9.0.1 (GHSA-p6gq-j5cr-w38f, CVSS 7.1). A message-levelrawoption bypassed nodemailer'sdisableFileAccess/disableUrlAccessguards, allowing arbitrary file read and full-response SSRF in the delivered message. drydock's SMTP trigger only callscreateTransport/sendMailwith plainfrom/to/subject/textfields and never passesraw, so the sink isn't reachable here — but the advisory affects every release through 9.0.0 with the fix landing only in 9.0.1, so the direct dependency inappis bumped from8.0.10. The 8→9 major jump doesn't touch the stablecreateTransport/sendMailcore drydock relies on.
Warning
Upgrade notes — behavioral changes, please read before updating. Releases 1.4.6 and the entire 1.5 line ship security-hardening fixes that change runtime behavior. These are not deprecations: there is no compatibility shim or grace period, so a previously-working deployment can change behavior on upgrade.
- OIDC login now requires
authorization_endpointin your provider's discovery metadata. The authorization-redirect allowlist no longer falls back to a broad same-origin match. Mainstream identity providers (Keycloak, Authentik, Authelia, Okta, Google, Entra/Azure AD, Zitadel, …) publish this field and are unaffected. If your/.well-known/openid-configurationdoes not advertiseauthorization_endpoint, OIDC sign-in will now fail closed — make sure the discovery document exposes it. - Unauthenticated rate-limit buckets now key on the TCP peer address instead of
X-Forwarded-For. Behind a reverse proxy (nginx / Traefik / Caddy), all unauthenticated clients now share a single bucket (the proxy's address), regardless ofDD_SERVER_TRUSTPROXY. Internet-facing or multi-user instances may begin to see unexpected429 Too Many Requestson unauthenticated endpoints. Authenticated requests are keyed per session and are unaffected. - HTTP-trigger
proxyURLs must now use thehttp://orhttps://scheme. Any other scheme (e.g.socks5://) is rejected at config load. Such values were previously accepted but only ever treated as an HTTP proxy — switch to anhttp(s)://proxy URL.
v1.5.0-rc.37
v1.5.0-rc.37
Full Changelog: v1.5.0-rc.36...v1.5.0-rc.37
[1.5.0-rc.37] — 2026-06-15
Security
- Patched a batch of newly-disclosed transitive CVEs across every workspace. osv-scanner flagged advisories disclosed 2026-06-15 in build- and test-time dependencies:
vite(CVE-2026-53571, CVE-2026-53632),@babel/core(CVE-2026-49356),form-data(CVE-2026-12143),protobufjs(CVE-2026-54269), andws(CVE-2026-48779). Each is pinned to a fixed version via an override (or a direct bump where the dependency is direct).js-yaml@3.14.2, reachable only through artillery's test-only load-test harness, is triaged as unreachable: its sole fix removes thesafeLoad()API artillery still calls, and it parses only trusted in-repo configs.
Changed
-
Registry rate-limiter burst raised from 5 to 10 for ghcr.io and Docker Hub. The conservative burst allowance was tripping the limiter during legitimate request spikes (enumerating tags across many containers at once); the sustained rate (2 req/s) is unchanged.
-
Hardened the E2E/CI suite against transient flakes. Crash-prone real-application e2e fixtures (Home Assistant, Radarr) now run a keep-alive entrypoint so the watcher consistently discovers the full container set instead of intermittently seeing one short; the test-bootstrap readiness count is now exact and strict; and the Playwright container-detail helpers wait on real conditions rather than fixed timeouts. No shipped runtime behavior changes from this item.
Warning
Upgrade notes — behavioral changes, please read before updating. Releases 1.4.6 and the entire 1.5 line ship security-hardening fixes that change runtime behavior. These are not deprecations: there is no compatibility shim or grace period, so a previously-working deployment can change behavior on upgrade.
- OIDC login now requires
authorization_endpointin your provider's discovery metadata. The authorization-redirect allowlist no longer falls back to a broad same-origin match. Mainstream identity providers (Keycloak, Authentik, Authelia, Okta, Google, Entra/Azure AD, Zitadel, …) publish this field and are unaffected. If your/.well-known/openid-configurationdoes not advertiseauthorization_endpoint, OIDC sign-in will now fail closed — make sure the discovery document exposes it. - Unauthenticated rate-limit buckets now key on the TCP peer address instead of
X-Forwarded-For. Behind a reverse proxy (nginx / Traefik / Caddy), all unauthenticated clients now share a single bucket (the proxy's address), regardless ofDD_SERVER_TRUSTPROXY. Internet-facing or multi-user instances may begin to see unexpected429 Too Many Requestson unauthenticated endpoints. Authenticated requests are keyed per session and are unaffected. - HTTP-trigger
proxyURLs must now use thehttp://orhttps://scheme. Any other scheme (e.g.socks5://) is rejected at config load. Such values were previously accepted but only ever treated as an HTTP proxy — switch to anhttp(s)://proxy URL.