Skip to content

Prism

v1.4.0 Breaking

This release includes 2 breaking changes for platform teams planning a safe upgrade.

Published 10d Communication & Email
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

protonmail push-notifications self-hosted signal signal-cli telegram
+5 more
telegrambot unifiedpush webhook webpush webpush-notifications

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Light signal
editorial:auto 10d

The RealIP middleware has been removed; rate limiting now uses the actual connection IP instead of X-Forwarded‑For headers. The default rate limiter is tightened to 20 requests per second per IP.

Why it matters: Rate limiting defaults changed to 20 req/s per IP, affecting traffic shaping for all deployments using the built‑in limiter.

Summary

AI summary

RealIP middleware removed and rate limiter defaults tightened to 20 req/s per IP.

Changes in this release

Security Medium

Removes "RealIP" middleware; rate limiting now uses actual connection IP instead of X-Forwarded-For headers.

Removes "RealIP" middleware; rate limiting now uses actual connection IP instead of X-Forwarded-For headers.

Source: llm_adapter@2026-05-24

Confidence: low
Feature Medium

Tightens default rate limiter to 20 requests per second per IP.

Tightens default rate limiter to 20 requests per second per IP.

Source: llm_adapter@2026-05-24

Confidence: high
Dependency Medium

Upgrades signal-cli dependency to version 0.14.4.1.

Upgrades signal-cli dependency to version 0.14.4.1.

Source: llm_adapter@2026-05-24

Confidence: low
Full changelog
  • security: removing "RealIP" middleware - rate limiting now uses the real connection IP instead of potentially-spoofed X-Forwarded-For headers
  • rate limiter default tightened to 20 req/s per IP; set RATE_LIMIT=0 to disable (e.g. when running behind a reverse proxy with its own rate limiting)
  • update signal-cli to v0.14.4.1
  • dependency upgrades

Full Changelog: https://github.com/lone-cloud/prism/compare/v1.3.2...v1.4.0

Breaking Changes

  • Removed "RealIP" middleware; rate limiter now uses the real connection IP instead of X-Forwarded-For headers.
  • Default rate limit tightened to 20 requests per second per IP.
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Prism

Get notified when new releases ship.

Sign up free

About Prism

All releases →

Related context

Beta — feedback welcome: [email protected]