
kastelldev/kastell

v1.15.1 Security

This release applies 10 security-audit remediation items (see the Security section below); the changelog references no CVE.

Topics

automation, cli, coolify, devops, digitalocean, docker, dokploy, hetzner, linode, mcp, security-audit, self-hosted, server-management, typescript, vps, vultr

Affected surfaces

auth rbac deps

Summary (AI-generated)

Added kastell changelog command and comparison table in README.

Full changelog

Added

  • kastell changelog command — Parse and display CHANGELOG.md in terminal (kastell changelog, kastell changelog v1.14.0, kastell changelog --all)
  • "Why Kastell?" manifesto in README (EN + TR) — problem statement, approach, AI-native positioning
  • Kastell vs Alternatives comparison table in README (EN + TR) — Kastell vs Lynis vs OpenSCAP across 12 dimensions
  • Zero Telemetry badge in README (EN + TR) — trust signal, no data collection
  • CI profile stats dispatch — the .github org profile is auto-updated on every push to main (test/check/category/MCP counts)
  • Interactive menu: "View changelog" entry in Configuration section
  • CHANGELOG.md included in npm package files

Fixed

  • sshExec SSH banner handling — on Windows, servers with login banners produced non-zero exit codes, which broke health checks, made audit scores drop falsely (42 → 11), and blocked doctor cache writes. sshExec now inspects stdout content when stderr contains only the banner instead of treating the exit code alone as failure
  • 3 incorrect fix commands — grub2-mkpasswd-pbkdf2 → grub-mkpasswd-pbkdf2 (Ubuntu), dc3dd → sleuthkit (available in distro repos), vector → rsyslog (no third-party repo needed)
  • Backup fix command — kastell backup create (a local CLI command, not available on the server) → server-side tar command
  • audit-watch test timeout — Windows CI fake-timer slowness (jest.setTimeout 15s plus extra microtick flushes)
  • CI dispatch format — JSON body for repository_dispatch (was form-encoded)
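The sshExec fix above is about interpreting an SSH result correctly: SSH clients print the server's login banner on stderr, so neither "stderr is non-empty" nor, as the changelog describes for Windows, a non-zero exit code can by itself mean the remote command failed. The following is an added example, not kastell's own code, of how a practitioner would implement that decision. The names (SshResult, isBannerOnly, interpretSshResult), the error-line patterns and the sample result are all assumptions made for the example; it does not reproduce the Windows exit-code behaviour itself.

```typescript
// Added example, not kastell's code: deciding whether an SSH command succeeded
// when the remote host prints a login banner to stderr. All names and the
// error-pattern heuristic below are assumptions made for this example.

interface SshResult {
  code: number | null; // exit code reported by the local ssh client
  stdout: string;
  stderr: string;
}

interface Interpretation {
  ok: boolean;
  reason: string;
  output: string; // normalized stdout, which is what a health check parses
}

// Lines that indicate a real failure rather than banner text (assumed list).
const ERROR_PATTERNS: RegExp[] = [
  /permission denied/i,
  /command not found/i,
  /no such file or directory/i,
  /connection (refused|timed out|closed)/i,
  /host key verification failed/i,
  /^(bash|sh|ssh): /i,
  /^error:/i,
];

// True when stderr has content and none of its lines look like an error.
// Empty stderr is not a banner: a non-zero exit with nothing on stderr is a
// plain failure and must not be rescued by this path.
function isBannerOnly(stderr: string): boolean {
  const lines = stderr.split(/\r?\n/).map(l => l.trim()).filter(l => l.length > 0);
  if (lines.length === 0) return false;
  return lines.every(line => !ERROR_PATTERNS.some(p => p.test(line)));
}

function interpretSshResult(r: SshResult): Interpretation {
  // Normalize CRLF so output parsed on Windows matches output parsed elsewhere.
  const output = r.stdout.replace(/\r\n/g, '\n').trim();
  if (r.code === 0) {
    return { ok: true, reason: 'exit 0', output };
  }
  if (isBannerOnly(r.stderr) && output.length > 0) {
    // Non-zero exit, but stderr carries only banner text and the command
    // produced output: trust the output instead of the exit code.
    return { ok: true, reason: 'banner-only stderr with stdout present', output };
  }
  return { ok: false, reason: `exit ${r.code}: ${r.stderr.trim()}`, output };
}

// Constructed sample: a Windows ssh client reporting exit 1 for a command that
// in fact ran and printed "active" on a server with a two-line login banner.
const SAMPLE_BANNER =
  'Welcome to srv-01. Unauthorized access is prohibited.\r\n' +
  'All sessions are logged.\r\n';

const SAMPLE_RESULT: SshResult = {
  code: 1,
  stdout: 'active\r\n',
  stderr: SAMPLE_BANNER,
};

console.log(interpretSshResult(SAMPLE_RESULT));
```

The important edge cases are the ones that must still fail: a non-zero exit with empty stdout (the remote check legitimately returned false), an empty stderr (no banner to explain the exit code), and a banner followed by a real error line such as `bash: foo: command not found`, which the pattern list catches.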

Security

  • 10 security audit remediation items applied: SHELL_METACHAR validation, bot middleware fail-closed, clearKnownHostKey IP validation, sendTelegram token validation, unhandled rejection handler, npm publish --provenance, staging token scope, debugLog→KASTELL_DEBUG
  • Security audit report: security-audit-report.md (39 findings, 0 critical)

Changed

  • Test count: 5,506 → 5,522 (16 new tests: 4 SSH banner + 12 changelog)
  • Test suites: 206 → 207



About kastelldev/kastell

Server security auditing and hardening toolkit. 413 security checks across 29 categories (SSH, Firewall, Docker, TLS, HTTP Headers), CIS/PCI-DSS/HIPAA compliance mapping, 19-step production hardening, fleet management, and forensic evidence collection. Supports Hetzner, DigitalOcean, Vultr, and Linode. 13 MCP tools.
