
0.6.5

Downloads for 0.6.5

Excalibur 0.6.5 is a patch release fixing a security issue on the server.

It is recommended to upgrade both the server and app to this version.

App

⬆️ Dependencies

  • ⬆️ Updated typescript-eslint development dependency from 8.59.2 to 8.60.1 (#36, #50)

Server

🔒️ Security

  • 🔒️ Fixed a security issue where authenticated users were permitted to view, access, or edit other users' data.

    In particular, the following endpoints were affected:

    • /api/users/vault/{username}: any authenticated user could get another user's encrypted vault key
    • /api/users/info/{username}: any authenticated user could get another user's additional info
    • /api/users/edit-info/{username}: any authenticated user could edit another user's additional info

    These endpoints now always refer to the currently authenticated user, regardless of the username parameter. For now, the username parameter is kept for backwards compatibility but is silently ignored. It must still be provided, however; this requirement will be removed in the next minor release.
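
An added illustration of the fix described above, not Excalibur's own code: a framework-free Python model in which the pre-fix handlers check the session but select the record by the `username` parameter, and the post-fix handlers select it by the session identity. The `Server` class, the token values and the user records are all constructed for this example.

```python
# Added illustration; not Excalibur's code. All names and data are constructed.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the request carries no valid session."""


@dataclass
class Server:
    # username -> stored record (constructed sample data)
    users: dict = field(default_factory=lambda: {
        "alice": {"vault_key": "enc-key-alice", "info": {"theme": "dark"}},
        "bob": {"vault_key": "enc-key-bob", "info": {"theme": "light"}},
    })
    # session token -> authenticated username (constructed)
    sessions: dict = field(default_factory=lambda: {"tok-alice": "alice", "tok-bob": "bob"})

    def _current_user(self, token):
        try:
            return self.sessions[token]
        except KeyError:
            raise Forbidden("not authenticated")

    # Before: the session is verified, but the record is chosen by the
    # caller-supplied path parameter, so any valid session reaches any user.
    def get_vault_before(self, token, username):
        self._current_user(token)
        return self.users[username]["vault_key"]

    # After: the record is chosen by the session identity. `username` stays a
    # required argument for compatibility, but its value is never used.
    def get_vault_after(self, token, username):
        return self.users[self._current_user(token)]["vault_key"]

    def edit_info_after(self, token, username, info):
        self.users[self._current_user(token)]["info"] = info


def demo():
    s = Server()
    leaked = s.get_vault_before("tok-bob", "alice")  # bob's session, alice's key
    fixed = s.get_vault_after("tok-bob", "alice")    # bob's session, bob's key
    s.edit_info_after("tok-bob", "alice", {"theme": "blue"})  # only bob changes
    return leaked, fixed, s.users["alice"]["info"], s.users["bob"]["info"]
```

A regression test for this class of bug should use two distinct accounts and assert that a request naming the other account never returns or modifies that account's record.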

⬆️ Dependencies

  • ⬆️ Updated fastapi from 0.136.1 to 0.136.3 (#48)
  • ⬆️ Updated httptools from 0.7.1 to 0.8.0 (#38)
  • ⬆️ Updated pyjwt from 2.12.1 to 2.13.0 (#52)
  • ⬆️ Updated typer from 0.25.1 to 0.26.7 (#49)
  • ⬆️ Updated uvicorn from 0.47.0 to 0.49.0 (#40, #46)
  • ⬆️ Updated ipython development dependency from 9.13.0 to 9.14.0 (#39)
  • ⬆️ Updated watchfiles development dependency from 1.1.1 to 1.2.0 (#34)