One Time Secret

v0.25.9 Security

This release includes 1 security fix relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

chat email messaging onetime onetimesecret privacy secrets-management

Affected surfaces

auth deps

ReleasePort's take

Light signal
editorial:auto 1d

Update the puma runtime dependency to version 7.2.1 for a security fix.

Why it matters: The upgrade addresses a security vulnerability in the puma dependency; deploy puma v7.2.1 immediately.

Summary

AI summary

Updates SES and bin/dev across a mixed release.

Changes in this release

Feature Medium

Add CLI commands for managing global broadcast banner [PR #3388]

Source: llm_adapter@2026-06-11

Confidence: high

Feature Medium

Add on-demand heap dumps for memory growth diagnostics [PR #3371]

Source: llm_adapter@2026-06-11

Confidence: high

Feature Medium

Domain‑scoped SSO access toggle and enforcement [PR #3392]

Source: llm_adapter@2026-06-11

Confidence: high

Feature Medium

Promote AWS SES sender‑domain provisioning to a supported provider [PR #3375]

Source: llm_adapter@2026-06-11

Confidence: high

Feature Medium

SES: emit advisory DMARC record in provisioning output [PR #3400]

Source: llm_adapter@2026-06-11

Confidence: high

Feature Medium

SES: surface MAIL FROM status and add lifecycle tests [PR #3386]

Source: llm_adapter@2026-06-11

Confidence: high

Feature Medium

Support multi‑provider sender domain deletion [PR #3369]

Source: llm_adapter@2026-06-11

Confidence: high

Feature Medium

Gate RemoveDomain on custom_domains entitlement (PR #3405) [breaking]

Source: llm_adapter@2026-06-11

Confidence: low

Dependency High

Update dependency puma to v7.2.1 (security) [PR #3391]

Source: llm_adapter@2026-06-11

Confidence: low

Bugfix Medium

Fix incoming secrets UI and API gate when install‑level feature is disabled [PR #3372]

Source: llm_adapter@2026-06-11

Confidence: low

Refactor Low

Refactor notification components to fix feedback toast leak

Source: granite4.1:30b@2026-06-11-audit

Confidence: low

Full changelog

What's Changed

  • Add CLI commands for managing global broadcast banner https://github.com/onetimesecret/onetimesecret/pull/3388
  • Add on-demand heap dumps for memory growth diagnostics https://github.com/onetimesecret/onetimesecret/pull/3371
  • Address PR #3402 review: BANNER_KEY, duration forwarding, scoped styles, reduced motion https://github.com/onetimesecret/onetimesecret/pull/3403
  • Domain-scoped SSO access toggle and enforcement https://github.com/onetimesecret/onetimesecret/pull/3392
  • Gate RemoveDomain on custom_domains entitlement (#3340) https://github.com/onetimesecret/onetimesecret/pull/3405
  • Guard SsoConfig provider-enumeration drift in CI https://github.com/onetimesecret/onetimesecret/pull/3373
  • Migrate Tailwind CSS config to v4 CSS-first approach https://github.com/onetimesecret/onetimesecret/pull/3408
  • Promote AWS SES sender-domain provisioning to a supported provider https://github.com/onetimesecret/onetimesecret/pull/3375
  • SES: emit advisory DMARC record in provisioning output https://github.com/onetimesecret/onetimesecret/pull/3400
  • SES: surface MAIL FROM status and add lifecycle tests https://github.com/onetimesecret/onetimesecret/pull/3386
  • Support multi-provider sender domain deletion https://github.com/onetimesecret/onetimesecret/pull/3369
  • docs(ses): record #2833 region-through-validation as resolved by design https://github.com/onetimesecret/onetimesecret/pull/3374
  • dx(bin/dev): skip overmind .env loading to preserve direnv env https://github.com/onetimesecret/onetimesecret/pull/3376

Fixes

  • Fix incoming secrets UI and API gate when install-level feature is disabled https://github.com/onetimesecret/onetimesecret/pull/3372
  • Fix feedback toast leaking user message; refactor notification components https://github.com/onetimesecret/onetimesecret/pull/3398
  • Fix eslint-plugin-tailwindcss config target for Tailwind v4 https://github.com/onetimesecret/onetimesecret/pull/3407

Dependencies

  • chore(deps): update dependency puma to v7.2.1 [security] by @renovate[bot] in https://github.com/onetimesecret/onetimesecret/pull/3391
  • Bump the bundler group across 1 directory with 2 updates by @dependabot[bot] in https://github.com/onetimesecret/onetimesecret/pull/3404

Full Changelog: https://github.com/onetimesecret/onetimesecret/compare/v0.25.8...v0.25.9

Security Fixes

  • chore(deps): update dependency puma to v7.2.1 [security]

About One Time Secret

Share sensitive information securely with self-destructing links that are only viewable once.

Related context

Earlier breaking changes

  • v0.25.5-coda Removes `site.interface.ui.homepage.trusted_ip_header` config; replaces with `site.network.trusted_proxy.header` settings.
  • v0.25.5-coda Removes `site.interface.ui.homepage.trusted_proxy_depth` config; replaces with `site.network.trusted_proxy` settings.
