docs: v0.41.0 release — TLS, CSP, session memory leak, slow-client timeout, update checker, CLI file browser (561 tests) (#205)
Co-authored-by: Nathan Esquenazi <nesquena@gmail.com>
This commit is contained in:
nesquena-hermes
GitHub
28
CHANGELOG.md
28
CHANGELOG.md
@@ -6,6 +6,34 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
|
## [v0.41.0] — 2026-04-10
|
||||||
|
|
||||||
|
### Features
|
||||||
|
- **Optional HTTPS/TLS support** (PR #199): Set `HERMES_WEBUI_TLS_CERT` and
|
||||||
|
`HERMES_WEBUI_TLS_KEY` env vars to enable HTTPS natively. Uses
|
||||||
|
`ssl.PROTOCOL_TLS_SERVER` with TLS 1.2 minimum. Gracefully falls back to HTTP
|
||||||
|
if cert loading fails. No reverse proxy required for LAN/VPN deployments.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
- **CSP blocking Mermaid and Prism** (PR #197): Added Content-Security-Policy and
|
||||||
|
Permissions-Policy headers to every response. CSP allows `cdn.jsdelivr.net` in
|
||||||
|
`script-src` and `style-src` for Mermaid.js (dynamically loaded) and Prism.js
|
||||||
|
(statically loaded with SRI integrity hashes). All other external origins blocked.
|
||||||
|
- **Session memory leak** (PR #196): `api/auth.py` accumulated expired session tokens
|
||||||
|
indefinitely. Added `_prune_expired_sessions()` called lazily on every
|
||||||
|
`verify_session()` call. No background thread, no lock contention.
|
||||||
|
- **Slow-client thread exhaustion** (PR #198): Added `Handler.timeout = 30` to kill
|
||||||
|
idle/stalled connections before they exhaust the thread pool.
|
||||||
|
- **False update alerts on feature branches** (PR #201): Update checker compared
|
||||||
|
`HEAD..origin/master` even when on a feature branch, counting unrelated master
|
||||||
|
commits as missing updates. Now uses `git rev-parse --abbrev-ref @{upstream}` to
|
||||||
|
track the current branch's upstream. Falls back to default branch when no upstream
|
||||||
|
is set.
|
||||||
|
- **CLI session file browser returning 404** (PR #204): `/api/list` only checked
|
||||||
|
the WebUI in-memory session dict, so CLI sessions shown in the sidebar always
|
||||||
|
returned 404 for file browsing. Now falls back to `get_cli_sessions()` — the same
|
||||||
|
pattern used by `/api/session` GET and `/api/sessions` list.
|
||||||
|
|
||||||
## [v0.40.2] — 2026-04-09
|
## [v0.40.2] — 2026-04-09
|
||||||
|
|
||||||
### Features
|
### Features
|
||||||
|
|||||||
@@ -14,7 +14,7 @@
|
|||||||
<body>
|
<body>
|
||||||
<div class="layout">
|
<div class="layout">
|
||||||
<aside class="sidebar">
|
<aside class="sidebar">
|
||||||
<div class="sidebar-header"><div class="logo">H</div><div><h1 style="margin:0;font-size:15px;font-weight:700;letter-spacing:-.01em">Hermes</h1><div style="font-size:10px;color:var(--muted);opacity:.8;margin-top:1px">v0.40.2</div></div></div>
|
<div class="sidebar-header"><div class="logo">H</div><div><h1 style="margin:0;font-size:15px;font-weight:700;letter-spacing:-.01em">Hermes</h1><div style="font-size:10px;color:var(--muted);opacity:.8;margin-top:1px">v0.41.0</div></div></div>
|
||||||
<div class="sidebar-nav">
|
<div class="sidebar-nav">
|
||||||
<button class="nav-tab active" data-panel="chat" data-label="Chat" onclick="switchPanel('chat')" title="Chat">💬</button>
|
<button class="nav-tab active" data-panel="chat" data-label="Chat" onclick="switchPanel('chat')" title="Chat">💬</button>
|
||||||
<button class="nav-tab" data-panel="tasks" data-label="Tasks" onclick="switchPanel('tasks')" title="Tasks">📅</button>
|
<button class="nav-tab" data-panel="tasks" data-label="Tasks" onclick="switchPanel('tasks')" title="Tasks">📅</button>
|
||||||
|
|||||||
Reference in New Issue
Block a user