release: v4.8.6 security hardening patch
This commit is contained in:
lockbitchat
@@ -1,5 +1,34 @@
|
||||
# Changelog
|
||||
|
||||
## v4.8.6 — Security hardening patch release
|
||||
|
||||
This patch release strengthens SecureBit.chat across verification, sanitization, privacy, transport abuse resistance, cache safety, and repository hygiene.
|
||||
|
||||
### Security hardening
|
||||
|
||||
- Bound SAS verification to the actual DTLS fingerprint strings of both peers.
|
||||
- Replaced regex-based chat sanitization with DOMPurify-backed sanitization.
|
||||
- Made WebRTC privacy mode explicit and kept relay-only state synchronized at runtime.
|
||||
- Removed production exposure of internal debug/control hooks.
|
||||
- Added receiver-side rate limiting for inbound chat messages.
|
||||
- Added receiver-side throttling for inbound file chunks.
|
||||
|
||||
### Runtime and privacy safety
|
||||
|
||||
- Hardened service-worker caching so only explicitly allowlisted safe assets are cached.
|
||||
- Removed an untracked disconnect timer so teardown no longer leaves delayed callbacks behind.
|
||||
- Preserved relay-only TURN behavior while making privacy implications clearer when relay-only mode is disabled or TURN is unavailable.
|
||||
|
||||
### Repository hygiene
|
||||
|
||||
- Stopped tracking `node_modules` in Git so platform-specific dependency binaries no longer pollute the repository or break cross-platform builds.
|
||||
|
||||
### Validation
|
||||
|
||||
- Full regression suite passes.
|
||||
- Clean install succeeds with `npm ci`.
|
||||
- Production build succeeds with `npm run build`.
|
||||
|
||||
## v4.8.5 — Security hardening release
|
||||
|
||||
This release consolidates several months of security, privacy, and lifecycle hardening work by the SecureBit.chat team.
|
||||
|
||||
Reference in New Issue
Block a user