- Upgraded `@hey-api/openapi-ts` to v0.95.0 and removed the standalone `@hey-api/client-fetch` dependency, which is now bundled with the code generator. (#24)
- The default `REF_CONFIGURATION` path in the image changed from `/app/.ref` to `/ref`, to align with the `climate-ref` worker image. Deployments that relied on the default must remount their config/state volume at `/ref`, or set `REF_CONFIGURATION` explicitly.

  Added a `REF_READ_ONLY_DATABASE` setting so the API can run against a read-only `/ref` volume, using `climate-ref` 0.13.1's `Database.from_config(read_only=True)` and `Database.migration_status` helpers. Bumped `vite` to `>=7.3.2` for a security fix and refreshed the Python lockfile. (#30)
- Fixed high-priority security vulnerabilities: replaced raw SQL interpolation in the diagnostics facets endpoint with safe ORM queries, disabled PII collection in Sentry, and restricted CORS to GET-only methods for the read-only API. (#28)
- Updated GitHub Actions to Node.js 24 compatible versions ahead of the Node.js 20 deprecation. (#27)
- Allowed the application to start without a `ref.toml` file by falling back to environment defaults. (#26)
- Added an "Explorer" tab to the diagnostic detail view that displays interactive explorer visualizations from the associated CMIP7 AFT collection. (#19)
- Added server-side pagination to the series and scalar metric value tables. Requests now return pages of 50 results by default (configurable up to 500), preventing timeouts on diagnostics with hundreds of timeseries. Pagination controls allow navigating between pages and selecting page size. (#23)
- Added a region filter dropdown to annual cycle explorer cards, allowing users to filter time series charts by geographic region. (#25)
- Added the `BACKEND_CORS_ORIGIN_REGEX` environment variable to support regex patterns for CORS origins. (#21)
- Updated backend and frontend dependencies to their latest compatible versions. (#22)