Release 2.36.0 (#4127)

## Release Notes
Thanks to: @cgillinger, @khassel, @KristjanESPERANTO, @sonnyb9
> ⚠️ This release needs nodejs version >=22.21.1 <23 || >=24 (no change
to previous release)

[Compare to previous Release
v2.35.0](v2.35.0...v2.36.0)

This release falls outside the quarterly schedule. We opted for an early
release due to:
- Security fix for the internal cors proxy
- API change of the weather provider smi
- Several bug fixes

### Breaking Changes

The cors proxy is now disabled by default. If required, it must be
explicitly enabled in the `config.js` file. See the
[documentation](https://docs.magicmirror.builders/configuration/cors.html).

### ⚠️ Security

You can find several publicly accessible MagicMirror² instances.

This should never be done. Doing so makes your entire configuration,
including secrets and API keys, publicly visible. Furthermore, it allows
attackers to target the host; this is only prevented beginning with this
release.

Public MagicMirror² instances should always run behind a reverse proxy
with authentication.

### [core]
- Prepare Release 2.36.0 (#4126)
- Allow HTTPFetcher to pass through 304 responses (#4120)
- fix(http-fetcher): fall back to reloadInterval after retries exhausted
(#4113)
- config endpoint must handle functions in module configs (#4106)
- fix replaceSecretPlaceholder (#4104)
- restrict replaceSecretPlaceholder to cors with allowWhitelist (#4102)
- fix: prevent crash when config is undefined in socket handler (#4096)
- fix cors function for alpine linux (#4091)
- fix(cors): prevent SSRF via DNS rebinding (#4090)
- add option to disable or restrict cors endpoint (#4087)
- fix: prevent SSRF via /cors endpoint by blocking private/reserved IPs
(#4084)
- chore: add permissions section to enforce pull-request rules workflow
(#4079)
- update version for develop

### [dependencies]
- update dependencies (#4124)
- chore: update dependencies (#4088)
- refactor: enable ESLint rule "no-unused-vars" and handle related
issues (#4080)

### [modules/newsfeed]
- fix(newsfeed): prevent duplicate parse error callback when using
pipeline (#4083)

### [modules/updatenotification]
- fix(updatenotification): harden git command execution + simplify
checkUpdates (#4115)
- fix(tests): correct import path for git_helper module in
updatenotification tests (#4078)

### [modules/weather]
- fix(weather): use nearest openmeteo hourly data (#4123)
- fix(weather): avoid loading state after reconnect (#4121)
- weather: fix UV index display and add WeatherFlow precipitation
(#4108)
- fix(weather): restore OpenWeatherMap v2.5 support (#4101)
- fix(weather): use stable instanceId to prevent duplicate fetchers
(#4092)
- SMHI: migrate to SNOW1gv1 API (replace deprecated PMP3gv2) (#4082)

### [testing]
- ci(actions): set explicit token permissions (#4114)
- fix(http_fetcher): use undici.fetch when dispatcher is present (#4097)
- ci(codeql): also scan develop branch on push and PR (#4086)
- refactor: replace implicit global config with explicit global.config
(#4085)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: sam detweiler <sdetweil@gmail.com>
Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com>
Co-authored-by: Veeck <github@veeck.de>
Co-authored-by: veeck <gitkraken@veeck.de>
Co-authored-by: Magnus <34011212+MagMar94@users.noreply.github.com>
Co-authored-by: Ikko Eltociear Ashimine <eltociear@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: DevIncomin <56730075+Developer-Incoming@users.noreply.github.com>
Co-authored-by: Nathan <n8nyoung@gmail.com>
Co-authored-by: mixasgr <mixasgr@users.noreply.github.com>
Co-authored-by: Savvas Adamtziloglou <savvas-gr@greeklug.gr>
Co-authored-by: Konstantinos <geraki@gmail.com>
Co-authored-by: OWL4C <124401812+OWL4C@users.noreply.github.com>
Co-authored-by: BugHaver <43462320+bughaver@users.noreply.github.com>
Co-authored-by: BugHaver <43462320+lsaadeh@users.noreply.github.com>
Co-authored-by: Bugsounet - Cédric <github@bugsounet.fr>
Co-authored-by: Koen Konst <koenspero@gmail.com>
Co-authored-by: Koen Konst <c.h.konst@avisi.nl>
Co-authored-by: dathbe <github@beffa.us>
Co-authored-by: Marcel <m-idler@users.noreply.github.com>
Co-authored-by: Kevin G. <crazylegstoo@gmail.com>
Co-authored-by: Jboucly <33218155+jboucly@users.noreply.github.com>
Co-authored-by: Jboucly <contact@jboucly.fr>
Co-authored-by: Jarno <54169345+jarnoml@users.noreply.github.com>
Co-authored-by: Jordan Welch <JordanHWelch@gmail.com>
Co-authored-by: Blackspirits <blackspirits@gmail.com>
Co-authored-by: Samed Ozdemir <samed@xsor.io>
Co-authored-by: in-voker <58696565+in-voker@users.noreply.github.com>
Co-authored-by: Andrés Vanegas Jiménez <142350+angeldeejay@users.noreply.github.com>
Co-authored-by: cgillinger <christian.gillinger@gmail.com>
Co-authored-by: Sonny B <43247590+sonnyb9@users.noreply.github.com>
Co-authored-by: sonnyb9 <sonnyb9@users.noreply.github.com>

Author: 31 people

.github/workflows/codeql.yaml

@@ -0,0 +1,37 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [develop, master]
+  pull_request:
+    branches: [develop]
+  schedule:
+    - cron: "0 4 * * 1"
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [actions, javascript-typescript]
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+
+      - uses: github/codeql-action/autobuild@v4
+
+      - uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/electron-rebuild.yaml

@@ -1,5 +1,8 @@
 name: "Electron Rebuild Testing"
 
+permissions:
+  contents: read
+
 on: [pull_request]
 
 jobs:

.github/workflows/enforce-pullrequest-rules.yaml

@@ -3,6 +3,9 @@
 
 name: "Enforce Pull-Request Rules"
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:

cspell.config.json

@@ -13,9 +13,12 @@
 		"armv",
 		"ashishtank",
 		"autoplay",
+		"avghumidity",
+		"avgtemp",
 		"Autorestart",
 		"beada",
 		"Behaviour",
+		"Beschreibung",
 		"Binney",
 		"bluemanos",
 		"bnitkin",
@@ -111,6 +114,7 @@
 		"flopp",
 		"fontawesome",
 		"fontface",
+		"forecastday",
 		"forecastweather",
 		"fortawesome",
 		"frameguard",
@@ -186,14 +190,18 @@
 		"luxon",
 		"lxsession",
 		"magicmirror",
+		"mapbox",
 		"martingron",
 		"marvai",
 		"mastermerge",
 		"matchtype",
 		"maxentries",
+		"maxtemp",
+		"maxwind",
 		"Meteo",
 		"michaelteeuw",
 		"michmich",
+		"mintemp",
 		"Midori",
 		"mirontoli",
 		"MISSINGLANG",
@@ -212,7 +220,9 @@
 		"NEWSFEED",
 		"newsfeedfetcher",
 		"newsfetcher",
+		"newyear",
 		"newsitems",
+		"nextdaysrelative",
 		"nfogal",
 		"njwilliams",
 		"nonrepeating",
@@ -239,8 +249,10 @@
 		"pmin",
 		"Português",
 		"PRECIP",
+		"precips",
 		"Problema",
 		"psieg",
+		"ptype",
 		"pubdate",
 		"radokristof",
 		"rajniszp",
@@ -255,12 +267,14 @@
 		"Rosso",
 		"Rothfusz",
 		"rrule",
+		"sameorigin",
 		"savvadam",
 		"sdetweil",
 		"searchstr",
 		"sendheaders",
 		"serveronly",
 		"sexualized",
+		"showend",
 		"Sitecode",
 		"skpanagiotis",
 		"SMHI",
@@ -295,8 +309,11 @@
 		"timeformat",
 		"titlereplacestr",
 		"titlesearchstr",
+		"TOCTOU",
 		"todaytemp",
 		"tomzt",
+		"totalprecip",
+		"totalsnow",
 		"trunc",
 		"ttlms",
 		"ukmetoffice",
@@ -317,6 +334,7 @@
 		"Vorberechnung",
 		"vppencilsharpener",
 		"Wallys",
+		"weatherapi",
 		"Weatherbit",
 		"weathercode",
 		"WEATHERDATA",
@@ -336,6 +354,7 @@
 		"Woolridge",
 		"worktree",
 		"Wsymb",
+		"xhvw",
 		"xlarge",
 		"xmark",
 		"xrandr",

defaultmodules/calendar/calendar.js

@@ -167,7 +167,7 @@ Module.register("calendar", {
 		this.selfUpdate();
 	},
 
-	notificationReceived (notification, payload, sender) {
+	notificationReceived (notification, payload) {
 		if (notification === "FETCH_CALENDAR") {
 			this.sendSocketNotification(notification, { url: payload.url, id: this.identifier });
 		}

defaultmodules/calendar/calendarfetcher.js

@@ -1,6 +1,5 @@
 const ical = require("node-ical");
 const Log = require("logger");
-const { Agent } = require("undici");
 const CalendarFetcherUtils = require("./calendarfetcherutils");
 const HTTPFetcher = require("#http_fetcher");
 

defaultmodules/calendar/calendarfetcherutils.js

@@ -62,7 +62,7 @@ const CalendarFetcherUtils = {
 				// Subtract 1 second so that events that start on the middle of the night will not repeat.
 				.subtract(1, "seconds");
 
-		Object.entries(data).forEach(([key, event]) => {
+		Object.values(data).forEach((event) => {
 			if (event.type !== "VEVENT") {
 				return;
 			}

defaultmodules/compliments/compliments.js

@@ -308,7 +308,7 @@ Module.register("compliments", {
 	},
 
 	// Override notification handler.
-	notificationReceived (notification, payload, sender) {
+	notificationReceived (notification, payload) {
 		if (notification === "CURRENTWEATHER_TYPE") {
 			this.currentWeatherType = payload.type;
 		}

defaultmodules/newsfeed/newsfeed.js

@@ -411,7 +411,7 @@ Module.register("newsfeed", {
 		}
 	},
 
-	notificationReceived (notification, payload, sender) {
+	notificationReceived (notification) {
 		const before = this.activeItem;
 		if (notification === "MODULE_DOM_CREATED" && this.config.hideLoading) {
 			this.hide();

defaultmodules/newsfeed/newsfeedfetcher.js

@@ -40,7 +40,7 @@ class NewsfeedFetcher {
 		});
 
 		// Wire up HTTPFetcher events
-		this.httpFetcher.on("response", (response) => this.#handleResponse(response));
+		this.httpFetcher.on("response", (response) => void this.#handleResponse(response));
 		this.httpFetcher.on("error", (errorInfo) => this.fetchFailedCallback(this, errorInfo));
 	}
 
@@ -67,7 +67,7 @@ class NewsfeedFetcher {
 	 * Handles successful HTTP response
 	 * @param {Response} response - The fetch Response object
 	 */
-	#handleResponse (response) {
+	async #handleResponse (response) {
 		this.items = [];
 		const parser = new FeedMe();
 
@@ -106,11 +106,6 @@ class NewsfeedFetcher {
 
 		parser.on("end", () => this.broadcastItems());
 
-		parser.on("error", (error) => {
-			Log.error(`${this.url} - Feed parsing failed: ${error.message}`);
-			this.fetchFailedCallback(this, this.#createParseError(`Feed parsing failed: ${error.message}`, error));
-		});
-
 		parser.on("ttl", (minutes) => {
 			const ttlms = Math.min(minutes * 60 * 1000, 86400000);
 			if (ttlms > this.httpFetcher.reloadInterval) {
@@ -123,7 +118,7 @@ class NewsfeedFetcher {
 			const nodeStream = response.body instanceof stream.Readable
 				? response.body
 				: stream.Readable.fromWeb(response.body);
-			nodeStream.pipe(iconv.decodeStream(this.encoding)).pipe(parser);
+			await stream.promises.pipeline(nodeStream, iconv.decodeStream(this.encoding), parser);
 		} catch (error) {
 			Log.error(`${this.url} - Stream processing failed: ${error.message}`);
 			this.fetchFailedCallback(this, this.#createParseError(`Stream processing failed: ${error.message}`, error));