
kastelldev/kastell

v2.0.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.


Topics

automation, cli, coolify, devops, digitalocean, docker, dokploy, hetzner, linode, mcp, security-audit, self-hosted, server-management, typescript, vps, vultr

Affected surfaces

auth deps

Summary (AI-generated)

Structured error migration to the KastellError hierarchy across all command files.

Full changelog

v2.0.0 — Technical Debt + Infrastructure Hardening

Highlights

  • Structured error migration — all 9 command files use classifyError with instanceof branching (KastellError hierarchy)
  • logSafeModeBlock — structured security logging wired into all SAFE_MODE guard sites
  • secureWriteFileSync — platform-aware secure file operations with POSIX permissions
  • Config repair — kastell config repair diagnoses and repairs corrupted configs
  • MCP audit enhancements — snapshot save/compare, category/severity filter, threshold gate
  • Property-based + fuzz tests — fast-check arbitraries, kernel/firewall/filesystem fuzzing
  • E2E nightly CI — automated provision→lock→audit→destroy pipeline

Security

  • secureWrite migration (SEC-06) for all credential files
  • TOCTOU fix in auth.ts
  • ESLint security plugins, Zod schemas for all 4 providers
  • CI hardening with explicit permissions + SHA-pinned actions
  • Dependency updates: axios 1.15.0 (CVE-2025-62718), follow-redirects 1.16.0, hono 4.12.14

Stats

  • 240 test suites, 10127 tests, 12 snapshots
  • 9 phases (P105-P113) completed
  • Coverage: 90% global, 95% audit, 90% provider, 90% MCP

Full changelog: https://github.com/kastelldev/kastell/blob/main/CHANGELOG.md

Breaking Changes

  • All 9 command files now use `classifyError` with instanceof branching against the KastellError hierarchy, altering error propagation and handling.

Security Fixes

  • dep: axios 1.15.0 — CVE-2025-62718
  • TOCTOU fix in auth.ts
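An added example, not code from the kastell project, of what the secureWrite migration and the TOCTOU fix listed above guard against, written in TypeScript because that is the project's language: the racy check-then-write pattern beside an atomic, permission-restricted replacement. The names unsafeWriteFileSync, secureWriteFileSync, permissionsOf and writeSampleCredentials are assumed for illustration; the project's own secureWriteFileSync and the auth.ts change are not shown on this page.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
import { randomBytes } from "node:crypto";

// Racy pattern (assumed, shown only for contrast): the existence check, the
// write and the chmod are separate syscalls. Another local process can swap
// the path for a symlink between them, and the file is readable with
// umask-default permissions until chmod runs.
export function unsafeWriteFileSync(target: string, data: string): void {
  if (fs.existsSync(target)) fs.unlinkSync(target);
  fs.writeFileSync(target, data);
  fs.chmodSync(target, 0o600);
}

// Hardened pattern: create a fresh temp file with O_EXCL and mode 0600, write
// and fsync it, then rename over the target. There is no check-then-use window
// and no moment at which the credential is readable by other users.
export function secureWriteFileSync(target: string, data: string): string {
  const suffix = `${process.pid}.${randomBytes(6).toString("hex")}.tmp`;
  const tmp = path.join(path.dirname(target), `.${path.basename(target)}.${suffix}`);
  const flags = fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_EXCL;
  const fd = fs.openSync(tmp, flags, 0o600); // O_EXCL: fail if tmp already exists
  try {
    if (process.platform !== "win32") fs.fchmodSync(fd, 0o600); // umask-independent; POSIX only
    fs.writeSync(fd, data);
    fs.fsyncSync(fd);
    fs.closeSync(fd);
    fs.renameSync(tmp, target); // atomic within one filesystem
  } catch (err) {
    try { fs.closeSync(fd); } catch { /* already closed */ }
    try { fs.unlinkSync(tmp); } catch { /* never created or already renamed */ }
    throw err;
  }
  return target;
}

// Permission bits of a path, for verifying the result (POSIX semantics).
export function permissionsOf(target: string): number {
  return fs.statSync(target).mode & 0o777;
}

// Writes a constructed sample credential file into a fresh temp directory.
export function writeSampleCredentials(): string {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "kastell-example-"));
  return secureWriteFileSync(path.join(dir, "credentials.json"), '{"token":"constructed-sample"}');
}
```

Because the temp file is created in the target's own directory, the final rename stays on one filesystem and a crash mid-write leaves the previous credential file intact.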


About kastelldev/kastell

Server security auditing and hardening toolkit. 413 security checks across 29 categories (SSH, Firewall, Docker, TLS, HTTP Headers), CIS/PCI-DSS/HIPAA compliance mapping, 19-step production hardening, fleet management, and forensic evidence collection. Supports Hetzner, DigitalOcean, Vultr, and Linode. 13 MCP tools.
