This release includes 1 security fix, relevant to security teams reviewing exposed deployments.
Summary
AI summary: Updates feat, Chores / Docs, and index across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE | Confidence |
|---|---|---|---|---|
| Security | Medium | strip HTML tags from custom CSS to prevent stored XSS | — | low |
| Feature | Medium | add completion status page for default/custom status configuration | — | low |
| Feature | Medium | add TIME_ZONE env var to override browser-detected timezone | — | low |
| Bugfix | Medium | auto-refresh habit list when local date rolls over | — | high |

Classification source for all rows: granite4.1:8b-q6_K@2026-05-20
Full changelog
Changes
Features
- feat: add completion status page for default/custom status configuration (#201)
- feat: add TIME_ZONE env var to override browser-detected timezone (#211)
Fixes
- fix(security): strip HTML tags from custom CSS to prevent stored XSS
- fix(index): auto-refresh habit list when local date rolls over
Chores / Docs
- chore: update yarl dependency from 1.22.0 to 1.23.0
Full Changelog: https://github.com/daya0576/beaverhabits/compare/v0.9.0...v0.9.1
Security Fixes
- strip HTML tags from custom CSS to prevent stored XSS