Releases: pilinux/gorest
v1.11.1
🐛 Fixes
- fix: out-of-bounds error in cc0070d
- security fix: G117 (CWE-499) in 84945f4
- security fix: addresses G301 (CWE-276) in 7c1f499
- fix: race condition in d5166bc
⚡ Performance
- performance: less memory pressure, less CPU work in 7f90bf8
- performance: use strings.SplitSeq to reduce temporary allocations in f515877
♻️ Improvements / Refactor
- improvement: handle empty time.Time JSON in the modern Go way in ce4542c
- refactor: use bson.D in mongo queries (example and example2) in faa5fc8
- refactor: sample code for paginated posts (example2) in 3c22c9a
✅ Tests
- tests: prevent closure-capture bugs in 561f229
🤖 CI
- ci: run actions when source code is changed in ce59aea
- gosec: handle false positives in 37beb42, 21a6adb and 7ad3fa5
- ci: activate all default rules of gosec in f20eb89
📚 Docs
📦 Dependency Updates
- chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 by @dependabot[bot] in #360
- chore(deps): bump github.com/mrz1836/postmark from 1.8.3 to 1.8.4 by @dependabot[bot] in #359
- chore: bump indirect dependencies (bug fix + security patch) in 2c52b46
🚀 Upgrade Notes
If you are upgrading from v1.10.x, please check the release notes for v1.11.0 and v1.10.5 for breaking changes and upgrade instructions.
Full Changelog: v1.11.0...v1.11.1
v1.11.0
This release introduces significant security enhancements, modernizes the database driver, and includes breaking changes to encryption and dependency management.
🚨 Breaking Changes
- MongoDB Driver Upgrade: Migrated from qmgo (and the official driver v1) to the official MongoDB Go Driver v2. If you are using qmgo or older driver interfaces, you will need to update your database code.
- 2FA Secret Encryption: 2FA secrets are now encrypted exclusively using keys derived from Argon2id. This strengthens the security of stored 2FA tokens.
🛡️ Security & Validation
- NoSQL Injection Prevention:
  - Refactored MongoDB queries in example and example2 to use bson.D (ordered documents) instead of bson.M (unordered maps) for explicit field matching.
  - Added explicit usage of the $eq operator in filters to prevent operator injection attacks.
- Strict Input Sanitization:
  - Implemented strict input validation for geocoding and address data (max length, null-byte checks, UTF-8 validation).
  - Added sanity checks to reject inputs containing MongoDB operator prefixes (e.g., fields starting with $).
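The validation layer described above, as an added example that is not gorest's own code: it decodes a request body into typed string fields (so a JSON object where a string is expected, the shape of operator injection, fails to decode), applies the max-length, null-byte, UTF-8 and operator-prefix checks, and then builds an ordered filter in which every value sits under an explicit $eq. The request struct, its field names, the 256-byte limit and the FilterEntry type are assumptions; the MongoDB driver is not imported here, so the ordered entries stand in for the bson.D the project constructs.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// maxFieldLen is an assumed limit for this example, not gorest's real value.
const maxFieldLen = 256

var (
	ErrTooLong     = errors.New("value exceeds maximum length")
	ErrNullByte    = errors.New("value contains a null byte")
	ErrInvalidUTF8 = errors.New("value is not valid UTF-8")
	ErrOperator    = errors.New("value starts with a MongoDB operator prefix")
)

// ValidateQueryValue applies the four checks from the release notes to one
// user-supplied value before it may be placed into a database filter.
func ValidateQueryValue(v string) error {
	if len(v) > maxFieldLen {
		return ErrTooLong
	}
	if strings.IndexByte(v, 0) >= 0 {
		return ErrNullByte
	}
	if !utf8.ValidString(v) {
		return ErrInvalidUTF8
	}
	// "$ne", "$gt", "$regex" and friends all begin with '$'.
	if strings.HasPrefix(strings.TrimSpace(v), "$") {
		return ErrOperator
	}
	return nil
}

// lookupRequest is a hypothetical request body. Every filterable field is a
// plain string, so a nested object in its place cannot be decoded at all.
type lookupRequest struct {
	Email string `json:"email"`
	City  string `json:"city"`
}

// ParseLookupRequest decodes and validates a request body, rejecting unknown
// keys so that nothing extra can ride along into the query.
func ParseLookupRequest(body []byte) (lookupRequest, error) {
	var req lookupRequest
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil {
		return lookupRequest{}, fmt.Errorf("decode: %w", err)
	}
	fields := []struct{ name, val string }{{"email", req.Email}, {"city", req.City}}
	for _, f := range fields {
		if err := ValidateQueryValue(f.val); err != nil {
			return lookupRequest{}, fmt.Errorf("field %q: %w", f.name, err)
		}
	}
	return req, nil
}

// FilterEntry is one ordered key/value pair of the filter. With the real
// driver each entry becomes bson.D{{Key: k, Value: bson.D{{Key: "$eq", Value: v}}}}.
type FilterEntry struct {
	Key string
	Eq  string
}

// BuildEqFilter returns the filter entries in a fixed order; the Eq field makes
// the $eq comparison explicit so a value can never be interpreted as an operator.
func BuildEqFilter(req lookupRequest) []FilterEntry {
	return []FilterEntry{
		{Key: "email", Eq: req.Email},
		{Key: "city", Eq: req.City},
	}
}

func main() {
	// Constructed sample bodies: one well-formed, one with an object in a string slot.
	for _, body := range []string{
		`{"email":"user@example.com","city":"Berlin"}`,
		`{"email":{"$ne":""},"city":"Berlin"}`,
	} {
		req, err := ParseLookupRequest([]byte(body))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("filter: %+v\n", BuildEqFilter(req))
	}
}
```

Decoding into typed strings is the first line of defence and the operator-prefix check the second; the ordered construction with explicit $eq is what the page's bson.D refactor provides on top, once the value has passed both.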
🏗️ Refactoring & Improvements
- Architecture: example and example2 applications have been refactored to demonstrate the new strict validation patterns and secure BSON construction.
- Documentation: Updated llms.txt and other documentation to reflect the new repository patterns and security practices.
📦 Dependency Updates
- chore(deps): bump github.com/mrz1836/postmark from 1.8.2 to 1.8.3 by @dependabot[bot] in #357
- chore(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @dependabot[bot] in #358
⚙️ CI/CD
- Updated golangci-lint to v2.9.0
- Removed go report card integration
Full Changelog: v1.10.6...v1.11.0
v1.10.6
What's Changed
- implemented RFC 7505 "Null MX" for email validation in 553bea0
- chore(deps): bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @dependabot[bot] in #347
- chore(deps): bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4 by @dependabot[bot] in #348
- chore(deps): bump github.com/getsentry/sentry-go/logrus from 0.40.0 to 0.41.0 by @dependabot[bot] in #350
- chore(deps): bump go.mongodb.org/mongo-driver from 1.17.6 to 1.17.7 by @dependabot[bot] in #351
- chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1 by @dependabot[bot] in #354
- chore(deps): bump github.com/getsentry/sentry-go/logrus from 0.41.0 to 0.42.0 by @dependabot[bot] in #353
- chore: improved go docs in bb32000
- docs: define agent and LLM usage guidelines in 4af9822, af5716b, 875c219, 0736ea8, 0cf3cf6
- refactor: use gorm.ErrRecordNotFound for proper error handling in cd4e043
Full Changelog: v1.10.5...v1.10.6
v1.10.5
🔐 Release Notes
Security Enhancement: Argon2id for 2FA Secret Encryption
What's New
⚡ Stronger Encryption for 2FA Secrets
The key derivation process for encrypting two-factor authentication (2FA) secret codes at rest has been upgraded from SHA256(user_password) to Argon2id(user_password). This provides significantly stronger protection against length extension attacks.
Key Changes
- New 2FA secrets are now encrypted using a key derived from Argon2id.
- Backward compatibility is maintained for existing 2FA configurations that use encryption keys derived from the SHA256-based algorithm.
- Both key derivation methods are supported during the transition period.
Migration Guide
To ensure all users benefit from the stronger security feature, it is recommended to require users to:
- Disable their existing 2FA configuration.
- Re-activate 2FA on their account.
This process automatically migrates the user's 2FA secret to the new Argon2id-based encryption scheme.
Full Changelog: v1.10.4...v1.10.5
v1.10.4
What's Changed
- chore(deps): bump github.com/quic-go/quic-go from 0.56.0 to 0.57.0 by @dependabot[bot] in #346
- chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0 by @dependabot[bot] in #345
Full Changelog: v1.10.3...v1.10.4
v1.10.3
What's Changed
- chore(deps): bump github.com/getsentry/sentry-go/logrus from 0.37.0 to 0.40.0 by @dependabot[bot] in #341
- chore(deps): bump github.com/pilinux/argon2 from 0.22.0 to 0.23.0 by @dependabot[bot] in #343
- chore(deps): bump github.com/pilinux/twofactor from 1.1.11 to 1.1.12 by @dependabot[bot] in #342
- chore(deps): bump github.com/pilinux/crypt from 0.0.17 to 0.0.18 by @dependabot[bot] in #344
- ci: update actions/checkout version and simplify caching in d8dc099
- ci: prevent repo checkout by govulncheck in caa6ccb
Full Changelog: v1.10.2...v1.10.3
v1.10.2
What's Changed
- bump indirect dependencies in 02ff0ed
- chore(deps): bump github.com/mrz1836/postmark from 1.8.0 to 1.8.2 by @dependabot[bot] in #315
- chore(deps): bump github/codeql-action from 3 to 4 by @dependabot[bot] in #316
- chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.54.1 by @dependabot[bot] in #318
- chore(deps): bump github.com/getsentry/sentry-go/logrus from 0.35.3 to 0.36.2 by @dependabot[bot] in #323
- chore(deps): bump go.mongodb.org/mongo-driver from 1.17.4 to 1.17.6 by @dependabot[bot] in #325
- chore(deps): bump github.com/getsentry/sentry-go/logrus from 0.36.2 to 0.37.0 by @dependabot[bot] in #330
- chore(deps): bump gorm.io/gorm from 1.31.0 to 1.31.1 by @dependabot[bot] in #326
- chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.44.0 by @dependabot[bot] in #328
- chore(deps): bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in #327
- chore(deps): bump github.com/pilinux/twofactor from 1.1.10 to 1.1.11 by @dependabot[bot] in #331
- chore(deps): bump github.com/pilinux/crypt from 0.0.16 to 0.0.17 by @dependabot[bot] in #332
- chore(deps): bump github.com/pilinux/argon2 from 0.21.0 to 0.22.0 by @dependabot[bot] in #333
Full Changelog: v1.10.1...v1.10.2
v1.10.1
What's Changed
- chore(deps): bump github.com/gin-gonic/gin from 1.10.1 to 1.11.0 by @dependabot[bot] in #310
- chore(deps): bump github.com/pilinux/crypt from 0.0.15 to 0.0.16 by @dependabot[bot] in #312
- chore(deps): bump github.com/pilinux/twofactor from 1.1.9 to 1.1.10 by @dependabot[bot] in #311
- chore(deps): bump github.com/pilinux/argon2 from 0.20.0 to 0.21.0 by @dependabot[bot] in #313
Full Changelog: v1.10.0...v1.10.1
v1.10.0
v1.9.14
What's Changed
- chore(deps): bump actions/setup-go from 5 to 6 by @dependabot[bot] in #301
- chore(deps): bump gorm.io/gorm from 1.30.2 to 1.31.0 by @dependabot[bot] in #306
- chore(deps): bump github.com/mrz1836/postmark from 1.7.4 to 1.8.0 by @dependabot[bot] in #307
- chore(deps): bump github.com/getsentry/sentry-go/logrus from 0.35.1 to 0.35.3 by @dependabot[bot] in #309
Full Changelog: v1.9.13...v1.9.14