
Tapflow

v0.9.0 Security

This release includes 2 security fixes relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 2 known CVEs

Topics

android android-emulator app-testing appetize-alternative browserstack-alternative developer-tools emulator flutter ios ios-simulator macos mcp mobile-qa mobile-testing qa-tools react-native self-hosted simulator testing

Affected surfaces

auth deps

Summary

AI summary

Updates relay, dashboard, and deps across a mixed release.

Full changelog

What's Changed

  • chore(deps): bump esbuild to >=0.28.1 (Dependabot GHSA-g7r4-m6w7-qqqr) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/278
  • Harden relay: cross-origin, CSRF, invite links, and upload handling by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/279
  • fix(relay): log handler exceptions instead of swallowing them by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/280
  • feat(relay): LAN HTTPS cert issuance for secure-context / WebCodecs (#232) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/281
  • feat(relay): auto-publish LAN IP to domain A record (#232) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/282
  • refactor(relay): DnsProviderRegistry for pluggable DNS providers (#232) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/283
  • refactor(relay): namespace DNS/ACME credential env vars under TAPFLOW_ (#232) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/285
  • docs(reference): document tls / LAN HTTPS configuration (#232) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/286
  • fix(cli): wire trustedProxies/corsOrigins in relay start by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/288
  • feat(dashboard): surface Standard vs High performance + upgrade notice (#232) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/289
  • fix(relay): exempt loopback origins from the CSRF guard by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/290
  • fix(dashboard): session panel width alignment, copy-link toast, recordings flicker by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/291
  • feat(relay): load DNS/ACME credentials from a gitignored .env file (#287) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/292
  • chore(deps): resolve Dependabot security alerts via dependency bumps by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/295
  • Slim the dashboard bundle: variable fonts + visx charts by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/296
  • perf(relay): serve precompressed static assets (brotli/gzip) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/297
  • perf(dashboard): route-level code splitting by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/298
  • chore(deps): bump hono to 4.12.25 and enable Dependabot by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/299
  • chore: release v0.9.0 — LAN HTTPS by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/301
  • fix(dashboard): add @types/d3-array to fix release build by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/302

Full Changelog: https://github.com/jo-duchan/tapflow/compare/v0.8.2...v0.9.0

Security Fixes

  • deps: bump esbuild to >=0.28.1 (GHSA-g7r4-m6w7-qqqr), resolving security alerts
  • relay: harden cross-origin handling, CSRF protection, invite link handling, and upload processing
