LvcidPsyche/auto-browser

v1.1.2 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics

ai-agent ai-agents browser-automation claude docker fastapi llm local-first mcp novnc playwright self-hosted

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal
The release hardens bearer‑token authentication by rejecting malicious Host‑header values and aligns middleware handling with ASGI scope paths.

Why it matters: Security: blocks Host-header abuse that could bypass bearer‑token checks; critical for all deployments using these middlewares.

Summary

AI summary

Bearer‑token, rate‑limit, operator‑identity and metrics middleware now use ASGI scope paths for correct handling.

Changes in this release

Security Critical

Prevents crafted Host-header values from bypassing bearer-token checks.

Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Makes CONTROLLER_ALLOWED_HOSTS a production startup requirement instead of a warning.

Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Added Dependabot configuration and CI dependency‑audit gates for recurring security coverage.

Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Switched browser‑node Docker build to use npm ci against the committed lockfile.

Source: llm_adapter@2026-06-02

Confidence: high

Dependency Low

Upgraded FastAPI to 0.136.3 and Starlette to 1.0.1.

Source: llm_adapter@2026-06-02

Confidence: high

Bugfix Medium

Uses ASGI scope paths for bearer-token, rate-limit, operator-identity, and metrics middleware handling.

Source: llm_adapter@2026-06-02

Confidence: high

Bugfix Low

Updates stale v1.1.0 version strings across dashboard, webhook user-agent, README, launch notes, and docs.

Source: llm_adapter@2026-06-02

Confidence: high

Full changelog

Added

  • Added regression coverage for Host-header path confusion so crafted Host values cannot bypass bearer-token checks.
  • Added CI gates for Python dependency audits, browser-node npm audits, fixture eval validation, client tests, and Python wheel builds.
  • Added Dependabot configuration and CI dependency-audit gates for recurring security coverage.
  • Added concrete benchmark manifest tracking for WebArena-style, Online-Mind2Web-style, and CUAVerifier regression lanes.

Changed

  • Bumped controller, client, LangChain integration, and browser-node package metadata to 1.1.2.
  • Upgraded FastAPI to 0.136.3 and Starlette to 1.0.1.
  • Made CONTROLLER_ALLOWED_HOSTS a production startup requirement instead of a warning.
  • Raised the controller CI coverage gate from 65% to the release-audit 80% threshold.
  • Switched the browser-node Docker build to npm ci against the committed lockfile.

Fixed

  • Fixed bearer-token, rate-limit, operator-identity, and metrics middleware path handling to use ASGI scope paths instead of reconstructed URL paths.
  • Fixed stale v1.1.0 release-facing version strings in dashboard, webhook user-agent, README, launch notes, and good-first-issue docs.
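
How a path rebuilt from the Host header can disagree with the ASGI scope path, shown as an added example that is not auto-browser's own code. The route `/healthz`, the host `controller.example`, the token and every function name are constructed, and the URL rebuild is an assumed model of the "reconstructed URL paths" the changelog mentions.

```python
import hmac
from urllib.parse import urlsplit

# Constructed values for illustration; none come from the auto-browser code base.
PUBLIC_PATHS = {"/healthz"}              # hypothetical route exempt from auth
ALLOWED_HOSTS = {"controller.example"}   # stand-in for CONTROLLER_ALLOWED_HOSTS
TOKEN = "constructed-token"


def header(scope, name):
    """First value of an ASGI header; names are lowercase bytes."""
    return next((v for k, v in scope["headers"] if k == name), b"")


def token_ok(scope):
    expected = f"Bearer {TOKEN}".encode()
    return hmac.compare_digest(header(scope, b"authorization"), expected)


def reconstructed_path(scope):
    """Assumed pre-fix pattern: rebuild a URL from Host + path, then re-parse."""
    host = header(scope, b"host").decode("latin-1")
    return urlsplit(f"{scope['scheme']}://{host}{scope['path']}").path


def authorize_reconstructed(scope):
    """Decides on the re-parsed path, which the Host header can influence."""
    return reconstructed_path(scope) in PUBLIC_PATHS or token_ok(scope)


def authorize_scope_path(scope):
    """Hardened pattern: allowlist Host, decide on the server-parsed path."""
    if header(scope, b"host").decode("latin-1") not in ALLOWED_HOSTS:
        return False
    return scope["path"] in PUBLIC_PATHS or token_ok(scope)


def make_scope(host, path, token=None):
    """Build a minimal ASGI HTTP scope for the checks above."""
    headers = [(b"host", host.encode())]
    if token:
        headers.append((b"authorization", f"Bearer {token}".encode()))
    return {"type": "http", "scheme": "http", "path": path, "headers": headers}


# Constructed regression case: no token, Host value carries a path and "?".
crafted = make_scope("controller.example/healthz?", "/sessions")
```

The two checks agree on well-formed requests and differ only on the constructed case, which is why a regression test for this class of bug needs a malformed Host value rather than only a missing token.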

Verification

  • Local release audit passed with --skip-doctor.
  • GitHub CI passed on main at 2fc7256.
  • GitHub default code scanning push automation passed on main at 2fc7256.
  • Open code-scanning alerts on main: 0.
  • Open Dependabot alerts: 0.

About LvcidPsyche/auto-browser

Give your AI agent a real browser — with a human in the loop. Open-source MCP-native browser agent.
