
dagu

v2.7.5 Security

This release includes 2 security fixes relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 2 known CVEs

Topics

agentic-workflow cron data-pipeline devops durable-execution durable-workflows
human-in-the-loop job-scheduler mcp-server multiplayer-agent on-premise private-runners self-hosted self-service selfservice-portal task-automation task-scheduler workflow-engine workflow-orchestration workflow-scheduler

Affected surfaces

auth

Summary

AI summary

A mixed release with fix, feat, and core changes.

Full changelog

This release mostly focuses on security improvements and bug fixes.

Changelog

  • e8ba3ef2387cc93cbcf609e15fd0b3f249f0e51e fix(core): serialize Container.Env so container.env: vars appear in step output (#2231)

Added

  • feat: add security headers middleware (#2195) @yohamta0
  • feat: add per-IP sliding window rate limiting to login endpoint (#2196) @yohamta0
  • feat: add persistent DAG state (#2203) @yohamta0

Fixed

  • fix: track temp files via registry file instead of subshell-local array (#2198) @kuishou68
  • fix(auth): invalidate JWT tokens on password change or reset (#2199) @yohamta0
  • fix(auth): move OIDC token from query param to hash fragment (#2200) @yohamta0
  • fix(cors): remove invalid AllowCredentials with wildcard origin (#2201) @yohamta0
  • fix: harden scheduler DAG file reload on Windows (#2204) @yohamta0
  • fix: recover scheduler tick panics (#2215) @yohamta0
  • fix: preserve dotenv env on retry (#2225) @yohamta0
  • fix(ui): guard api-keys page against undefined config.license (#2228) @yohamta0
  • fix(core): serialize Container.Env so container.env: vars appear in step output (#2231) @mingfang

Contributors

Thanks to our contributors for this release:

| Contribution | Contributor |
| --- | --- |
| bug: Environment variables are not loaded when retry from the failed step (#2223) | @Sky-Zeng (report) |
| [BUG] cleanup_tmpfiles in installer.sh does not clear tmp dir (#2001) | @jeremydelattre59 (report) |
| fix: track temp files via registry file instead of subshell-local array (#2198) | @kuishou68 |
| fix(core): serialize Container.Env so container.env: vars appear in step output (#2231) | @mingfang |

New Contributors

  • @mingfang made their first contribution in https://github.com/dagucloud/dagu/pull/2231

Full Changelog: https://github.com/dagucloud/dagu/compare/v2.7.4...v2.7.5

Security Fixes

  • fix(auth): invalidate JWT tokens on password change or reset (#2199)
  • fix(cors): remove invalid AllowCredentials with wildcard origin (#2201)


About dagu

A local-first workflow engine built the way it should be: declarative, file-based, self-contained, air-gapped ready. One binary that scales from laptop to distributed cluster. Your Workflow Operator handles creating and debugging workflows.
