Evilander/newamp

v1.6.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 5d Media Servers
✓ No known CVEs patched
This release patches 1 known CVE

ReleasePort's take

Light signal
editorial:auto 5d

The release adds macOS as a first‑class platform and removes `unsafe-eval` from the main renderer's CSP, sandboxing Butterchurn.

Why it matters: The CSP change, rated at a security severity of 90, eliminates dynamic JavaScript evaluation in the main renderer; macOS now ships with Apple Silicon and Intel builds alongside Windows and Linux.

Summary

AI summary

Updates Highlights, Install, and installer across a mixed release.

Changes in this release

Security Critical

Removes `unsafe-eval` from main renderer CSP, sandboxing Butterchurn to its own frame

Source: llm_adapter@2026-05-29

Confidence: high

Feature Medium

Adds macOS as a first-class platform with Apple Silicon and Intel builds

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Introduces CI pipeline running typecheck, build, and full smoke suite on every push

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Adds WebGL2 GPU particle flow-field visualizer to the visualizer

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Enables capture of PNG stills, WebM clips, and clipboard sharing from the visualizer

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Introduces NewAmp Wrapped shareable recap cards for daily, weekly, monthly, yearly, and all‑time views

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Adds local‑first profile system with reviews, lists, and exportable static profile page requiring no account

Source: llm_adapter@2026-05-29

Confidence: high

Full changelog

Production-ready & special. macOS becomes a first-class platform, CI lands as a safety net, the deferred Butterchurn unsafe-eval CSP gap is closed (release gate green again), the visualizer gains a GPU particle engine + capture/share, NewAmp Wrapped ships as the hero shareable, and a local-first social/profile foundation arrives. Every feature ships with a smoke wired into CI.

Highlights

  • 🍎 macOS, first-class — Apple Silicon + Intel builds alongside Windows & Linux
  • 🟢 CI + release pipeline — typecheck + build + the full smoke suite on every push; a tag-triggered 3-OS release matrix
  • 🔒 Butterchurn sandboxed: `unsafe-eval` scoped to its own frame; the main renderer is back on `script-src 'self'`
  • Particle Flow — a WebGL2 GPU transform-feedback particle flow-field visualizer (a first for the Winamp lineage)
  • 📸 Visualizer capture — PNG stills + WebM clips + clipboard
  • 📊 NewAmp Wrapped — daily / weekly / monthly / yearly / all-time recap with one-tap shareable cards
  • 📝 Local-first profile, reviews & lists — with an exportable static profile page; no account, no upload

Install

  • Windows: NewAmp Setup 1.6.0.exe (installer) or NewAmp Portable 1.6.0.exe
  • macOS: NewAmp 1.6.0 arm64.dmg (Apple Silicon) / NewAmp 1.6.0 x64.dmg (Intel). Unsigned for now → right-click → Open (or `xattr -dr com.apple.quarantine /Applications/NewAmp.app`)
  • Linux: NewAmp Linux 1.6.0 x64.tar.gz — extract and run `./newamp`

All artifacts are listed with SHA256 hashes in SHA256SUMS.txt. See CHANGELOG.md for full notes.

Full Changelog: https://github.com/Evilander/newamp/compare/v1.5.7...v1.6.0

Security Fixes

  • Butterchurn visualizer sandboxed: `unsafe-eval` CSP restricted to its own frame; main renderer now uses `script-src 'self'`
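
One way to turn the CSP change above into a release-gate check, as an added example that is not NewAmp's own code: it parses policy strings and reports any context that permits JavaScript `eval` outside an allow-list. The policy strings and the names `mainRenderer` and `visualizerFrame` are constructed for illustration.

```javascript
// Added example: audit CSP strings for JavaScript eval permission.
// Policies below are constructed samples, not copied from NewAmp's source.

// Parse a serialized CSP into a Map of directive -> source list.
// Per CSP Level 3, directive names are case-insensitive and a repeated
// directive is ignored (the first occurrence wins).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval(), new Function() and string timers are governed by script-src,
// falling back to default-src. With neither present, nothing restricts eval.
function allowsEval(policy) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true;
  // 'wasm-unsafe-eval' permits WebAssembly compilation only, not JS eval.
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies for the two contexts the release describes.
const SAMPLE_POLICIES = {
  mainRenderer: "default-src 'self'; script-src 'self'",
  visualizerFrame: "default-src 'none'; script-src 'self' 'unsafe-eval'",
};

// Release-gate style check: only contexts named in allowList may permit eval.
function evalViolations(policies, allowList) {
  return Object.entries(policies)
    .filter(([name, csp]) => allowsEval(csp) && !allowList.includes(name))
    .map(([name]) => name);
}

console.log(evalViolations(SAMPLE_POLICIES, ['visualizerFrame'])); // []
```

A policy with neither `script-src` nor `default-src` is reported as allowing eval, which catches a frame that was left without any script policy at all.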

Related context

Earlier breaking changes

  • v1.5.7 IPC argument order standardized to (albumArtist, album) across all call sites
  • v1.5.7 Breaking: IPC argument order aligned to (albumArtist, album) everywhere
  • v1.5.7 Breaking: setAlbumRatingScore and getAlbumRating throw on missing input
  • v1.5.6 Milkdrop broken on 1.5.4 and 1.5.5 builds; upgrade recommended.
  • v1.5.5 Upgrade strongly recommended; version 1.5.4 cannot display albums.
