v9.0.1

What's Changed

• Fix get_content_es_by_id argument type by @ytcleon in #614

Full Changelog: v9.0.0...v9.0.1

v9.0.0

This PR mitigates a security issue in the video/podcast download flow where user-supplied HTTP headers were being forwarded to external media URLs.

Slack thread

HackerOne report

Previously, cloneRequestHeaders() copied nearly all incoming request headers and passed them to fetch(download.url). If the media URL is external or attacker-controlled, this could result in leakage of sensitive user and internal headers, including session cookies and authorization tokens.

This change introduces a denylist to strip sensitive headers before making outbound requests.

v8.1.0

What's Changed

• Use request instead of fetch when a readable stream is needed by @emortong in #611

Full Changelog: v8.0.0...v8.1.0

v8.0.0

What's Changed

• fix(): explicitly use undici to fix fetch issue in worker processes by @emortong in #610

Full Changelog: v7.0.0...v8.0.0

v7.0.0

What's Changed

• Add runbook link to OpenTelemetry metrics Grafana dashboard by @andygout in #604
• dotcom-tool-kit upgrade by @manasiSantFT in #601

Full Changelog: v6.0.0...v7.0.0

v6.0.0

What's Changed

• Tidy Heroku references by @alexmuller in #580
• fix: remove version pin on pandoc and postgresql by @ytcleon in #587
• fix: remove temporary database dump files after upload to S3 by @ytcleon in #585
• fix: bump ajv from 6.12.6 to 8.18.0 by @dependabot[bot] in #583
• fix(LIF-1224): avoid passing Caption URLs retrieved from the database directly into a shell command by @cesarspg3 in #584
• fix: prevent SQL injection by using parameterized query by @ytcleon in #590
• fix: prevent SQL injection on get-all-existing-items-for-contract.js by @matias-aguero-parser in #591
• test: adding a new script to run the app locally to test simple SQL code without run the entire app by @matias-aguero-parser in #592
• fix: prevent SQL injection in controllers/export by @ytcleon in #594
• fix: prevent SQL injection on translations controller by @ytcleon in #593
• fix: replace execAsync by execFile to prevent Command Injection by @matias-aguero-parser in #596
• Remove test files referencing deleted files by @emortong in #597
• Add opentelemetry by @emortong in #602
• LIF-1251 n-express v32 migration by @emortong in #599

New Contributors

• @cesarspg3 made their first contribution in #584
• @matias-aguero-parser made their first contribution in #591

Full Changelog: v5.0.0...v6.0.0

v5.0.0

What's Changed

• Adding hasFlourishGraphics flag to the article by @manasiSantFT in #551
• Exporting hasFlourishGraphics flag by @manasiSantFT in #552
• [LIF-51] Begin migration from Heroku to AWS by @alexmuller in #554
• [LIF-51] Add pg_dump to container by @alexmuller in #555
• [LIF-51] Add worker service crons by @alexmuller in #556
• Update runbook Grafana dashboard links by @andygout in #559
• Disable env_check script by @alexmuller in #562
• Quote database password for special characters by @alexmuller in #561
• Removing env_check script by @manasiSantFT in #563
• [LIF-51] Add worker service "sync" to Hako by @alexmuller in #557
• Update runbook with temporary fix for Syndication hourly database backups alert by @julsviar in #566
• Add runbook Key Management Details section 'Self-service via API Gateway Portal' subsection by @andygout in #567
• Uppercase runbook file name by @andygout in #568
• Add hako config for test Postgres database by @alexmuller in #558
• Add production database config by @alexmuller in #570
• Add healthcheck command for worker service backup by @alexmuller in #565
• LIF-999 adding custom rotation section for keys by @jamesr101 in #569
• chore(): remove WHITESOURCE_API_KEY reference by @jamesr101 in #571
• fix: bump nodemailer from 6.8.0 to 6.9.9 by @dependabot[bot] in #512
• fix: bump es5-ext from 0.10.62 to 0.10.64 by @dependabot[bot] in #513
• chore: bump @babel/traverse from 7.20.10 to 7.26.4 by @dependabot[bot] in #516
• feat(): remove references to SESSION_PUBLIC_KEY by @jamesr101 in #573
• [Snyk] Upgrade nodemailer from 6.8.0 to 6.9.16 by @asugar13 in #524
• LIF-1000 Custom rotation process – add missing key by @emortong in #575
• LIF-1126 Breakdown ALS_API_KEY usage into keys with more specific policies by @emortong in #576

New Contributors

• @manasiSantFT made their first contribution in #551
• @julsviar made their first contribution in #566

Full Changelog: v4.0.0...v5.0.0

v4.0.0

What's Changed

• Update runbook.md to include contract refresh info by @emortong in #546
• Update runbook.md – remove OPS references from second line troubleshooting by @emortong in #548
• LIF-580: Remove graphic syndication flag by @Nazehs in #550

Full Changelog: v3.0.2...v4.0.0

v3.0.2

What's Changed

• feat: allow for non-string error paths by @jamesr101 in #545

Full Changelog: v3.0.1...v3.0.2

v3.0.1

What's Changed

• Revert "update node engine version to 22.x and npm to 10.x" by @ytcleon in #521
• Revert "update reliability kit and other FT related dependencies to s… by @ytcleon in #522
• chore: upgrade dependencies to support nodejs 22.x by @ytcleon in #530
• chore: update node to 22 by @ytcleon in #531
• chore: Toolkit migration to v4.x.x by @Nazehs in #529
• Bump cookiejar from 2.1.3 to 2.1.4 by @dependabot in #426
• Migrate to Reliability Kit logger by @rowanmanning in #539

Full Changelog: v3.0.0...v3.0.1