Whiskers v0.12.1 is out — a patch release focused on security hardening, bundling the features that landed right after the 0.12.0 tag was cut.

Security

  • SSH host keys are now verified (trust-on-first-use, pinned in <data>/ssh-keys/known_hosts). Behavior change: an intentionally rebuilt server needs its line refreshed in that file before reconnecting.
  • Fail-closed authorization: every endpoint and page requires authentication unless it explicitly opts out (login, setup wizard, health probes, HMAC webhooks). The SignalR hub is no longer reachable anonymously.
  • The MCP bearer scheme is parsed case-insensitively (RFC 7235).

Transparency note: these three items were already listed in the 0.12.0 changelog, but the published 0.12.0 artifacts were built before they landed — they ship starting with this release. The changelog has been corrected accordingly.

New

  • Git-based deployments: clone/pull a repository on a target server and bring it up with Docker Compose — deploy tokens live vault-only, and the new git-deploy webhook action enables push-to-deploy straight from CI.
  • Private container registries (v1): manage registries in Settings with vault-stored credentials; image pulls authenticate automatically by registry-host match.
  • Localized navigation (English/German) across the entire app navigation and chrome.
  • The audit log now also covers scheduler and webhook management; every push runs the full test suite in CI.

Upgrading

Image: ghcr.io/lupusmalusdeviant/whiskers:0.12.1 · Helm chart: oci://ghcr.io/lupusmalusdeviant/charts/whiskers. Full details in the changelog; all assets on the GitHub release.

Weitere Beiträge