
One Time Secret

v0.25.3 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 16d Secrets & Credentials
✓ No known CVEs patched
This release patches 1 known CVE

Topics

chat email messaging onetime onetimesecret privacy secrets-management

Affected surfaces

deps

Summary

AI summary

Updates ops, install-dev, and billing across a mixed release.

Changes in this release

Security High

Update dependency axios to v1.15.2 [SECURITY] by @renovate[bot]


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Low

Colonel admin refactoring, domain improvements, and i18n support


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Low

Consolidate email validation into shared module


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Low

Add coupon and promotion code CLI commands and enable promo codes at checkout


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Low

Add HousekeepingJob for running Familia model maintenance chores


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Low

Add redirect parameter to signup/signin URLs on Pricing page


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Low

Persist plan selection through email verification


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Low

Add housekeeping chore infrastructure


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Low

feat(ops): add region-scoped bulk Stripe metadata update CLI


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Low

Add CatalogValidationError and fail‑closed accumulation


Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Feature Low

Materialize entitlement state on Organization (Phase 2)


Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Feature Low

Enhance domains CLI with sorting, limiting, and vhost display


Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Feature Low

Extend materialize_entitlements_for_org with skip_if_fresh and dry_run options


Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Dependency Low

Update actions/upload-artifact action to v7.0.1 by @renovate[bot]


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Dependency Low

Update actions/cache action to v5.0.5 by @renovate[bot]


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Dependency Low

Update dependency dompurify to ^3.4.0 by @renovate[bot]


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Dependency Low

Bump fast-uri from 3.1.0 to 3.1.2 in the npm_and_yarn group across 1 directory by @dependabot[bot]


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Dependency Low

Bump nokogiri from 1.19.2 to 1.19.3 in the bundler group across 1 directory by @dependabot[bot]


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Dependency Low

Bump faraday from 2.14.1 to 2.14.2 in the bundler group across 1 directory by @dependabot[bot]


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Dependency Low

Update pnpm to v11.1.2


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Dependency Low

Bump fast-uri from 3.1.0 to 3.1.2


Source: granite4.1:30b@2026-05-19-audit

Confidence: high

Dependency Low

Bump nokogiri from 1.19.2 to 1.19.3


Source: granite4.1:30b@2026-05-19-audit

Confidence: high

Dependency Low

Bump faraday from 2.14.1 to 2.14.2


Source: granite4.1:30b@2026-05-19-audit

Confidence: high

Bugfix High

Fix #3089: Remove silent tier fallback, fail-closed on plan cache miss


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fix free tier TTL: align DEFAULT_FREE_TTL with free_v1 plan (14 days)


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

fix(billing): require plan_id in product metadata, drop tier fallback


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Low

Fix custom logo sizing and disabled page vertical positioning


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Low

Fix logo sizing for authenticated users and add LOGO_PROMINENT config


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Refactor Low

Refactor region configuration to use features.regions structure


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Refactor Low

Simplify plan validation: fail-closed, remove legacy detection


Source: granite4.1:30b@2026-05-19-audit

Confidence: high

Refactor Low

Migrate billing schema from JSON to Zod with generated JSON Schema


Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Low

Use Familia v2.9 each_record for batched org iteration in materialize command


Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Low

Refactor WithEntitlements to idiomatic Familia Feature pattern


Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Other Low

Add email validation documentation


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Full changelog

What's Changed

  • Colonel admin refactoring, domain improvements, and i18n support https://github.com/onetimesecret/onetimesecret/pull/3096
  • Consolidate email validation into shared module https://github.com/onetimesecret/onetimesecret/pull/3102
  • Add coupon and promotion code CLI commands and enable promo codes at checkout https://github.com/onetimesecret/onetimesecret/pull/3112
  • Add HousekeepingJob for running Familia model maintenance chores https://github.com/onetimesecret/onetimesecret/pull/3113
  • Add redirect parameter to signup/signin URLs on Pricing page https://github.com/onetimesecret/onetimesecret/pull/3121
  • Refactor region configuration to use features.regions structure https://github.com/onetimesecret/onetimesecret/pull/3125
  • Persist plan selection through email verification (#3126) https://github.com/onetimesecret/onetimesecret/pull/3127
  • Add housekeeping chore infrastructure https://github.com/onetimesecret/onetimesecret/pull/3129
  • feat(ops): add region-scoped bulk Stripe metadata update CLI https://github.com/onetimesecret/onetimesecret/pull/3131
  • Add email validation documentation https://github.com/onetimesecret/onetimesecret/pull/3133
  • Simplify plan validation: fail-closed, remove legacy detection https://github.com/onetimesecret/onetimesecret/pull/3136
  • improve(install-dev): add caddy webroot symlink step and clarify no-build intent https://github.com/onetimesecret/onetimesecret/pull/3138
  • Add CatalogValidationError and fail-closed accumulation https://github.com/onetimesecret/onetimesecret/pull/3137
  • Migrate billing schema from JSON to Zod with generated JSON Schema https://github.com/onetimesecret/onetimesecret/pull/3141
  • Materialize entitlement state on Organization (Phase 2) https://github.com/onetimesecret/onetimesecret/pull/3142
  • Use Familia v2.9 each_record for batched org iteration in materialize command https://github.com/onetimesecret/onetimesecret/pull/3147
  • Enhance domains CLI with sorting, limiting, and vhost display https://github.com/onetimesecret/onetimesecret/pull/3146
  • Refactor WithEntitlements to idiomatic Familia Feature pattern https://github.com/onetimesecret/onetimesecret/pull/3149
  • Extend materialize_entitlements_for_org with skip_if_fresh and dry_run (#3134) https://github.com/onetimesecret/onetimesecret/pull/3150

Fixes

  • Fix free tier TTL: align DEFAULT_FREE_TTL with free_v1 plan (14 days) https://github.com/onetimesecret/onetimesecret/pull/3119
  • Fix #3089: Remove silent tier fallback, fail-closed on plan cache miss https://github.com/onetimesecret/onetimesecret/pull/3097
  • Fix custom logo sizing and disabled page vertical positioning https://github.com/onetimesecret/onetimesecret/pull/3139
  • Fix logo sizing for authenticated users and add LOGO_PROMINENT config https://github.com/onetimesecret/onetimesecret/pull/3144
  • fix(billing): require plan_id in product metadata, drop tier fallback https://github.com/onetimesecret/onetimesecret/pull/3124

Dependencies

  • Update dependency axios to v1.15.2 [SECURITY] by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/3087
  • Update actions/upload-artifact action to v7.0.1 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/3092
  • Update actions/cache action to v5.0.5 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/3091
  • Update dependency dompurify to ^3.4.0 by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/3123
  • Bump fast-uri from 3.1.0 to 3.1.2 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/3103
  • Bump nokogiri from 1.19.2 to 1.19.3 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/3090
  • Bump faraday from 2.14.1 to 2.14.2 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/3143
  • Update pnpm to v11.1.2 https://github.com/onetimesecret/onetimesecret/pull/3132

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.25.2...v0.25.3

Breaking Changes

  • Refactor region configuration to use features.regions structure (old config format removed).
  • Migrate billing schema from JSON representation to Zod with generated JSON Schema (requires migration scripts).

Security Fixes

  • Update dependency axios to v1.15.2 — security patch (no CVE ID provided).


About One Time Secret

Share sensitive information securely with self-destructing links that are only viewable once.


Related context

Earlier breaking changes

  • v0.25.5-coda Removes `site.interface.ui.homepage.trusted_ip_header` config; replaces with `site.network.trusted_proxy.header` settings.
  • v0.25.5-coda Removes `site.interface.ui.homepage.trusted_proxy_depth` config; replaces with `site.network.trusted_proxy` settings.
