fran-olivares/usulnet

v26.5.2 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

✓ No known CVEs patched

Topics

agplv3 docker docker-deployment docker-management docker-management-tool docker-manager docker-swarm docker-ui go goland moby postgresql self-hosted swarm templ ui usulnet webui

ReleasePort's take

Light signal

Release v26.5.2 adds smoke E2E testing in CI, tightens vulnerability scanning with govulncheck, and raises the code‑coverage threshold to 16%.

Why it matters: the smoke E2E run in CI now fails the build on any 5xx response; a CI script enforces each govulncheck allowlist entry and fails the build if a future commit invalidates its "not exploitable" justification; coverage must meet 16% before merge.

Summary

AI summary

A mixed release with updates to the Privacy and security tier, Operator UX, and a Performance pass.

Changes in this release

Security Medium

Zero breaking changes against v26.5.1; no new external port, bind mount, container capability, or call‑home behavior.

Source: llm_adapter@2026-05-23

Confidence: low

Feature Medium

Adds Smoke E2E in CI that boots compose stack, logs in as admin, walks sidebar, fails build on any 5xx.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Adds govulncheck with empirically-pinned allowlist enforced by CI script that fails build if future commit invalidates justification.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Increases coverage threshold from 15% to 16% with new tests on panic‑prone routers and recon wiring.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Implements tag‑driven release workflow publishing multi‑arch images (linux/amd64 + linux/arm64) to GHCR and Docker Hub on every `v*` tag.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Adds Shodan recon connector (BYO key) as second external integration with full‑cycle secrecy test ensuring the key never leaks to logs or errors.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Introduces L7 egress filter: an in‑process forward proxy with per‑host allow/deny policies, default‑deny, and an audit log of denials; no TLS interception.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Adds YARA scanner for one‑shot scans against host files and container paths via recon‑toolkit sandbox, shipping the `linux-elf-suspicious` ruleset.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Provides Container forensics snapshot — one‑click memory dump, process tree, open FDs, network connections packaged as verifiable tarball.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Adds Marketplace honeypots: Cowrie (SSH/Telnet), Dionaea (malware‑catcher), Endlessh (SSH tarpit), all one‑click deployable.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Adds Tor SOCKS5 proxy marketplace app for routing individual workloads through Tor.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Ships host‑side `usulnet` CLI (`contexts`, `login`, `containers ls`, `stack deploy`, `recon scan`, ...) as static binary alongside server.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Regroups sidebar from 9 to 7 sections (Compute / Operations / Security / Privacy / Platform / Admin / Help).

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Introduces first‑run onboarding wizard guiding password change and host attach.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Makes empty‑states uniform across 12 modules, removing the bare "NPM Not Connected" card from v26.5.1.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Adds a11y landmarks on header, sidebar, modal, and flash regions.

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Provides shell tab‑completion install script and Makefile target baked into production Docker images.

Source: llm_adapter@2026-05-23

Confidence: high

Performance Medium

Applies route‑scoped frontend gzip (~70% off vendor JS/CSS bundles); authenticated route group remains uncompressed to mitigate BREACH risk on CSRF pages.

Source: llm_adapter@2026-05-23

Confidence: high

Performance Medium

Implements host summary fan‑out across goroutine pool capped at 16, reducing latency from N×T to max(T).

Source: llm_adapter@2026-05-23

Confidence: high

Performance Medium

Implements container reconciliation fan‑out across goroutine pool capped at 8.

Source: llm_adapter@2026-05-23

Confidence: high

Performance Medium

Introduces shared WebSocket JSON encoder pool reducing wall time ~36% and garbage per message ~99% on editor and SSH terminal hot paths.

Source: llm_adapter@2026-05-23

Confidence: high

Refactor Medium

Rebases recon‑toolkit on Arch, rebuilt weekly via cron (mat2, exiftool, yara, holehe, h8mail, oletools, pdfid).

Source: llm_adapter@2026-05-23

Confidence: high

Full changelog

usulnet v26.5.2 lands the 14-session development plan that earns the
"ciberseguridad + privacidad + self-host" tagline beyond container management.
Zero breaking changes against v26.5.1; no new external port, no new bind
mount, no new container capability, no call-home.

Highlights

Reliability gates

  • Smoke E2E in CI boots the actual compose stack against a freshly built
    image, logs in as admin, walks the sidebar, fails the build on any 5xx.
  • govulncheck with empirically-pinned allowlist — every allowlist entry
    is enforced by a CI script that fails the build if a future commit silently
    invalidates its "not exploitable" justification.
  • Coverage threshold bumped 15% → 16% with new tests on the panic-prone
    routers and the recon wiring.
  • Tag-driven release workflow publishes multi-arch images
    (linux/amd64 + linux/arm64) to GHCR and Docker Hub on every v* tag.

Privacy and security tier

  • Shodan recon connector (BYO key) joins HIBP as the second external
    integration. Full-cycle secrecy test pins that the key never leaks to logs
    or errors.
  • L7 egress filter — in-process forward proxy with per-host allow/deny
    policies, default-deny, audit log of denials. No TLS interception.
  • YARA scanner — one-shot scans against host files and container paths
    via the recon-toolkit sandbox. Ships the linux-elf-suspicious ruleset.
  • Container forensics snapshot — one-click memory dump, process tree,
    open FDs, network connections, packaged as a verifiable tarball.
  • Marketplace honeypots — Cowrie (SSH/Telnet), Dionaea (multi-protocol
    malware-catcher), Endlessh (SSH tarpit), one-click deployable.
  • Tor SOCKS5 proxy marketplace app for routing individual workloads
    through Tor.
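
The decision logic behind a default-deny, per-host egress filter, added here as an example and not taken from usulnet's code: the `Policy` type, the `*.` suffix pattern syntax and deny-over-allow precedence are assumptions. It decides on the hostname in the CONNECT authority alone, which is what makes filtering possible without TLS interception, and it records only denials.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Policy is a hypothetical per-host rule set; hosts matching no rule are denied.
type Policy struct {
	Allow, Deny []string // exact hostnames or "*.example.org" suffix patterns
	Audit       []string // denial records; a real filter would append to a log
}

// firstMatch returns the first pattern that covers host: an exact hostname, or
// a "*." suffix pattern (the dot is kept, so "evilexample.org" does not match).
func firstMatch(patterns []string, host string) (string, bool) {
	for _, p := range patterns {
		if p == host || (strings.HasPrefix(p, "*.") && strings.HasSuffix(host, p[1:])) {
			return p, true
		}
	}
	return "", false
}

// Decide evaluates the authority of a CONNECT request (or a Host header).
// Only the hostname is inspected, so TLS stays end to end.
func (p *Policy) Decide(authority string) bool {
	host := authority
	if h, _, err := net.SplitHostPort(authority); err == nil {
		host = h
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	reason := "default-deny"
	if pat, hit := firstMatch(p.Deny, host); hit {
		reason = "deny rule " + pat // assumption: a deny rule beats any allow rule
	} else if _, ok := firstMatch(p.Allow, host); ok {
		return true
	}
	// %q escapes control characters so a crafted host cannot forge log lines.
	p.Audit = append(p.Audit, fmt.Sprintf("DENY host=%q reason=%q", host, reason))
	return false
}

func main() {
	p := &Policy{Allow: []string{"*.github.com"}, Deny: []string{"gist.github.com"}}
	fmt.Println(p.Decide("API.GitHub.com:443"), p.Decide("gist.github.com:443"), p.Audit)
}
```

Note that a `*.` pattern does not cover the apex domain itself, so the apex needs its own exact entry if it should be reachable.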

Operator UX

  • Host-side usulnet CLI (contexts, login, containers ls,
    stack deploy, recon scan, ...) shipped as a static binary alongside
    the server.
  • Sidebar regrouped from 9 to 7 sections (Compute / Operations /
    Security / Privacy / Platform / Admin / Help).
  • First-run onboarding wizard for password change + host attach.
  • Uniform empty-states across 12 modules — the bare "NPM Not Connected"
    card from v26.5.1 is gone.
  • a11y landmarks on header, sidebar, modal, and flash regions.
  • Shell tab-completion install script and Makefile target, baked into
    both production Docker images.

Recon sandbox

  • recon-toolkit rebased on Arch (mat2, exiftool, yara,
    holehe, h8mail, oletools, pdfid). Weekly rebuild via cron so the
    toolset stays current. amd64-only.

Performance pass

  • Route-scoped frontend gzip (~70% off vendor JS/CSS bundles); the
    authenticated route group stays uncompressed to close the BREACH-class
    risk on CSRF-bearing pages.
  • Host summary fan-out across a goroutine pool capped at 16:
    max(T) latency instead of N × T for N-host installs.
  • Container reconciliation fan-out across a goroutine pool capped at 8.
  • Shared WebSocket JSON encoder pool — ~36% less wall time, ~99% less
    garbage per message on the editor and SSH terminal hot paths.
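
The route-scoped compression item above, as an added example that is not usulnet's code: the `/static/` and `/app/` prefixes, handler bodies and token value are constructed. Compression is attached as middleware to the static group only, so a page that carries a CSRF token is never compressed, whatever the client advertises.

```go
package main

import (
	"compress/gzip"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// gzipWriter routes the response body through a gzip stream.
type gzipWriter struct {
	http.ResponseWriter
	zw *gzip.Writer
}
func (g gzipWriter) Write(p []byte) (int, error) { return g.zw.Write(p) }

// gzipStatic compresses responses; wrap only routes whose bodies hold no secrets.
func gzipStatic(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") {
			w.Header().Set("Content-Encoding", "gzip")
			zw := gzip.NewWriter(w)
			defer zw.Close()
			w = gzipWriter{w, zw}
		}
		next.ServeHTTP(w, r)
	})
}

// probe wires two hypothetical route groups and returns the Content-Encoding a gzip-capable client gets.
func probe(path string) string {
	mux := http.NewServeMux()
	mux.Handle("/static/", gzipStatic(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "text/javascript") // explicit: sniffing would see gzip bytes
		fmt.Fprint(w, strings.Repeat("/* constructed vendor bundle */", 200))
	})))
	// Authenticated group: the body carries a CSRF token, so it is not wrapped.
	mux.HandleFunc("/app/", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `<input type="hidden" name="csrf" value="CONSTRUCTED-TOKEN">`)
	})
	req := httptest.NewRequest("GET", path, nil)
	req.Header.Set("Accept-Encoding", "gzip")
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Header().Get("Content-Encoding")
}

func main() { fmt.Println(probe("/static/vendor.js"), probe("/app/settings")) }
```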

Upgrade

```sh
docker pull usulnet/usulnet:v26.5.2
docker pull usulnet/usulnet-agent:v26.5.2
# or via GHCR
docker pull ghcr.io/fran-olivares/usulnet:v26.5.2
docker pull ghcr.io/fran-olivares/usulnet-agent:v26.5.2
```

**Full Changelog**: https://github.com/fran-olivares/usulnet/compare/v26.5.1...v26.5.2
