- ⏪ Reverted broken static publishing change.
- 🔒 When an app uses static publishing, symlinks placed in the publish directory are no longer allowed to point outside that directory. This could hypothetically have been a security issue if an app allowed a non-trusted user to instruct it to publish symlinks, but we're not aware of any current apps that do this. Only the app's own data was at risk, not the system. (Thanks @zenhack.)
- ✂ Removed implementation of HackSessionContext. This has been disabled for some time, with the ability to re-enable it through a hidden setting, but no one has asked us for the hidden setting, so we believe this feature is no longer in use. Apps must now use powerbox requests to get permission to make HTTP requests. (Thanks @zenhack.)
- ⚡️ Updated Dutch translation. (Thanks @m-burg.)
- 🛠 Fixed regression that broke downloading backups for some Linux kernel versions. Unfortunately, these versions do not support cgroup freezing and so will not get atomic backups.
- 👍 Extended Let's Encrypt automatic certificate renewal to support deSEC DNS. (Thanks @rs22.)
- Grains will now be temporarily paused while creating backups, to ensure the backup is atomic. (Thanks @zenhack.)
- ⚡️ Updated Simplified Chinese translation. (Thanks @misaka00251.)
- 🛠 Fixed bug in sandstorm-http-bridge when responding to HEAD requests. Apps will need to be re-packaged to get the update. (Thanks @zenhack.)
- 🛠 Fixed "Unhandled exception in Promise: TypeError: Cannot read property 'catch' of undefined" when using scheduled tasks. (Thanks @zenhack.)
- ⚡️ Regular dependency updates.
- To make porting apps a little easier, the headers X-CSRF-Token are now automatically passed through to the app. Thanks @zenhack.
- ⏪ We have reverted the change preventing apps from talking to third-party servers in client-side code. This caused more breakage than was expected. We will work to fix and/or grandfather the affected apps before trying to roll this out again.
- ✅ Apps can no longer talk to third-party servers in client-side code, except for embedding images and video. This has long been a goal of Sandstorm, but we did not want to begin enforcing it until apps could explicitly request access to third-party servers via the Powerbox. We have tested all apps on the app market and found only minor breakage (e.g. wrong fonts), but it is possible that we missed bigger breakages or that some private apps are broken. Please contact sandstorm-dev to report any issues. Thanks @zenhack for pushing this change through.
- ⚡️ Apps can no longer make server-side HTTP requests without requesting permission through the Powerbox. We believe the only app that ever did so was Tiny Tiny RSS, but it was recently updated to use the powerbox. If you experience other app breakages, please let sandstorm-dev know. Thanks again to @zenhack.
- ⚡️ Updated Finnish translation. Thanks @xet7.
- ⚡️ Updated dependencies, including Meteor to 1.11.
- 👯 You can now clone a grain via a button in the top bar. Thanks @zenhack.
- 👍 Grains now run inside cgroups, if the kernel supports cgroup namespaces and cgroups v2. Thanks @zenhack.
- 👍 Code implementing old Sandcats TLS issuance has been deleted. Sandcats now supports only Let's Encrypt.
- ➕ Added CLI commands for configuring ACME (Let's Encrypt), so that this can be done before HTTPS is working.
- 🆕 New installs using Sandcats will now use Let's Encrypt immediately.
- 👌 Improved error page when accessing Sandstorm using an unrecognized hostname. Thanks @zenhack.
- ➕ Added Google Cloud Platform DNS provider for ACME challenges (not to be confused with Google Domains). Thanks @abliss.
- ⚡️ Updated Sandstorm RPC APIs to use Cap'n Proto streaming flow control where applicable.
- The box showing the changelog is now taller. Thanks @ocdtrekkie.
- Made navigation menu scrollable on mobile. Thanks @spollard.
- 🛠 Fix possible problem where Let's Encrypt auto-migration would not actually renew the certificate until Sandstorm was restarted.