v2026-04-20.1

Fixes

• Fixed dashboard hero layout overflow with long status and device metadata strings.
• Fixed correlation tooltips when SNR is hidden but other modem series remain visible.
• Updated Docker build workflow dependencies.

v2026-04-16.1

Changes since v2026-04-15.1

Security

• Path traversal hardening for community modules: All file references from module manifests (contributes values) are now validated through shared path sanitizers before reaching any filesystem operation. This prevents a malicious community module from reading, serving, or executing files outside its own directory.
  • Affected paths: routes, collector, publisher, driver, thresholds, theme, i18n, static, tab, card, settings
  • Plain filenames are validated against a strict character allowlist
  • Subdirectory references are checked for traversal sequences and directory containment
  • CodeQL py/path-injection alerts #73 and #74 are resolved

Maintenance

• Extracted shared path-safety utilities into app/path_safety.py for consistent validation across install and load paths
• Contribution guide wording refreshed

v2026-04-15.1

Changes since v2026-04-14.1

Features

• Dashboard: show current device info badges in the hero area

Fixes

• Correlation: support segment source filter
• Weather: harden SQLite writes during startup
• Security: bump pypdf to 6.10.2 to resolve the dependency audit failure

Maintenance

• Consolidate internal module implementations and remove replaced legacy collector/storage paths
• Extract shared driver utilities and tighten typed driver/module data contracts
• Keep the release backward-compatible for existing installs, config keys, routes, schema, and module manifests

v2026-04-14.1

Changes since v2026-04-09.1

Features

• Discord: native webhook support for notifications (#324)

Fixes

• Dashboard: error tile shows N/A for modems without error counter support instead of misleading "0.0% good" (#328)
• Notifications: remove URL from Discord webhook log output
• Security: bump pillow to 12.2.0 (CVE-2026-40192)
• Security: bump pypdf to 6.10.0

Maintenance

• CI: bump docker/login-action to 4.1.0
• Deps: bump cryptography to 46.0.7, pytest to 9.0.3
• Docs: bare-metal install instructions for ICMP helpers

v2026-04-09.1

Changes since v2026-04-03.1

Features

• Speedtest: enriched detail view with 18 additional fields (latency, jitter, server info, ISP, result URL) displayed on row expand
• Speedtest: Clear Cache button in settings UI

Fixes

• SB8200: two-step HTML login and error masking in surfboard driver
• SB8200: retry + skip on intermittent non-channel HTML responses
• Security: bump cryptography to 46.0.7 (CVE-2026-39892)
• Dependency: bump requests to 2.33.1

Maintenance

• Remove 193 lines of dead code across 32 files (ruff + vulture audit)
• Remove unused imports, variables, functions, and storage methods

v2026-04-03.1

Fixes

• Correlation PNG export now includes legend and overlay -- Exported PNGs from the Cross-Source Correlation page now contain the chart legend labels (with colors and toggle state) and overlay layer (crosshairs, pinned highlights). Handles long legends by scaling text to fit (#313, #314)

• HTML fallback for SB8200 with broken HNAP firmware -- SB8200 modems where HNAP returns empty or malformed responses now fall back to direct HTML channel-table scraping. Shared Arris HTML parser extracted for CM8200 and SB8200 reuse (#312)

• Transport-level retry for SB8200 body read failures -- HNAP POST requests that fail during body read (connection reset mid-response) now retry at the transport layer before escalating (#309, #310)

• SURFboard connection reset during HNAP body read -- Fixed intermittent ConnectionResetError when reading HNAP response bodies on SB8200 (#308)

• SURFboard legacy TLS Phase 2 hardening -- Normalized chunked transfer reset handling under legacy TLS fallback for SB8200 modems with older firmware (#184, #306, #307)

v2026-03-31.1

Fixes

• Legacy TLS fallback for SB8200 -- SB8200 modems with older firmware that only support TLS 1.0/1.1 now connect via a scoped legacy TLS retry before falling back to HTTP. Improved error messages include the original TLS error context (#184, #304)

Security

• Pygments 2.19.2 -> 2.20.0 -- Resolves CVE-2026-4539 (low severity, test-only dependency) (#305)

v2026-03-28.1

Features

• Temperature unit toggle -- Switch between Celsius and Fahrenheit in settings, including correlation chart axis scaling (#301)

Improvements

• Dashboard layout -- 3-tier spacing hierarchy, 3-column metrics grid on desktop, reduced visual noise, improved metric card contrast (#299)
• Extensions panel UX -- Redesigned settings extensions panel for better usability (#302)
• Smart capture panel UX -- Redesigned smart capture settings panel (#303)
• Mobile overflow -- Fixed card header and trigger toggle overflow on small screens

Internal

• Stabilized E2E navigation and server fixtures

v2026-03-26.1

Security

• Supply chain hardening: All Python dependencies pinned to exact versions with cryptographic hashes. Docker base image pinned to SHA256 digest. All GitHub Actions pinned to commit SHAs. New pip-audit CI job detects known vulnerabilities on every push/PR. Dependabot configured for automated weekly updates. (#294)
• Smokeping proxy hardening: Validate full PNG signature (ISO 15948) before serving proxied responses. Added X-Content-Type-Options: nosniff and restrictive CSP header to prevent content injection. (#298)
• ReDoS fixes: Replaced backtracking-prone regex in CM3000 driver and bounded quantifier in modulation engine. (#298)
• Webhook URL no longer logged: Notification channel setup no longer writes the webhook URL to application logs. (#298)

Improvements

• Python 3.13: Runtime upgraded from Python 3.12 to 3.13. (#296)

Bug Fixes

• Sagemcom login crash: Fixed crash on XMO_INVALID_SESSION_ERR during Sagemcom session recovery.

Documentation

• README: Added CGM4981COM to hardware table, updated BQM, Connection Monitor, Event Log, and Speedtest feature descriptions.
• Wiki: Roadmap updated to v2026-03-26 with all recently shipped features marked as complete.

v2026-03-24.2

Bug Fixes

• Modem URL no longer reverts to default: The settings page silently replaced user-configured modem URLs with driver defaults on every page load. Users with bridge-mode setups (e.g. 192.168.100.1 on a Vodafone Station) were particularly affected. (#289, fixes #288)

New Features

• System font toggle: Settings > Appearance now has a toggle to switch from Outfit to your OS default font. Improves readability on RDP/remote desktop connections. (#290, fixes #287)

Community Modules

• UDM WAN Monitor by @Oggy512 is now available in the Module Manager. Monitors WAN1/WAN2 on Ubiquiti UDM Pro/SE devices with failover detection and event logging.