LeafWiki

v0.10.1 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 4d Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs

Topics

docker documentation file-based go knowledge-base markdown

+6 more

react runbooks self-hosted single-binary sqlite wiki

Affected surfaces

auth

ReleasePort's take

Moderate signal

editorial:auto 4d

The release hardens the auth module against unauthorized user updates and secures storage paths from traversal attacks.

Why it matters: Security fixes with severity 90 affect critical surfaces; operators must apply the update to block privilege‑escalation and path‑traversal exploits.

Summary

AI summary

Broad release touches @perber, 🐛 Bug Fixes, ✨ Features, and feat.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Hardens user update authorization against unauthorized changes. Hardens user update authorization against unauthorized changes. Source: llm_adapter@2026-05-30 Confidence: high	—
Security	Critical	Hardens asset and revision path handling to prevent path traversal. Hardens asset and revision path handling to prevent path traversal. Source: llm_adapter@2026-05-30 Confidence: high	—
Feature
Feature	Medium	Adds UI line wrap option to editor and repositions copy‑paste button in codeblocks. Adds UI line wrap option to editor and repositions copy‑paste button in codeblocks. Source: llm_adapter@2026-05-30 Confidence: high	—
Feature	Medium	Updates header spacing for improved layout. Updates header spacing for improved layout. Source: llm_adapter@2026-05-30 Confidence: high	—
Feature	Medium	Improves logging and allows disabling of request logs. Improves logging and allows disabling of request logs. Source: llm_adapter@2026-05-30 Confidence: high	—
Feature	Medium	Causes startup failure when --enable-http-remote-user is set without --trusted-proxy-ips. Causes startup failure when --enable-http-remote-user is set without --trusted-proxy-ips. Source: llm_adapter@2026-05-30 Confidence: high	—
Feature	Medium	Adds health endpoint at GET /api/health. Adds health endpoint at GET /api/health. Source: llm_adapter@2026-05-30 Confidence: high	—
Bugfix
Bugfix	Medium	Recovers from corrupt SQLite database files on startup. Recovers from corrupt SQLite database files on startup. Source: llm_adapter@2026-05-30 Confidence: high	—
Bugfix	Medium	Keeps preview heading sync stable in the editor. Keeps preview heading sync stable in the editor. Source: llm_adapter@2026-05-30 Confidence: high	—
Bugfix	Medium	Ensures GET /api/auth/me never returns 401 to avoid Basic Auth credential reset. Ensures GET /api/auth/me never returns 401 to avoid Basic Auth credential reset. Source: llm_adapter@2026-05-30 Confidence: high	—

Full changelog

📝 Changelog for v0.10.1

This patch release includes security fixes, minor bug fixes, and stability improvements. Please update to the latest version as soon as possible.

Security

fix(auth): harden user update authorization (#1081) (@perber)
fix(storage): harden asset and revision path handling (#1078) (@perber)

✨ Features

feat: add ui line wrap option to editor and position copy paste button in codeblocks (#1071) (@perber)
feat: update header spacing (#1070) (@perber)
feat: improve logging and allow disabling request logs (#1069) (@perber)
feat: fail on startup when --enable-http-remote-user is set without --trusted-proxy-ips (#1068) (@perber)
feat: add health endpoint at GET /api/health (#1065) (@perber)

🐛 Bug Fixes

fix(auth): harden user update authorization (#1079) (@perber)
fix: recover from corrupt SQLite database files on startup (#1077) (@perber)
fix(editor): keep preview heading sync stable (#1075) (@perber)
fix: GET /api/auth/me never returns 401 to avoid Basic Auth credential reset (#1067) (@perber)
fix: page scroll position on navigation (closes #1053) (#1059) (@perber)
fix: typo in readme (#1048) (@perber)

🧰 Chores

chore: bump the github-actions group with 10 updates (#1037) (@dependabot[bot])
chore: bump the npm-dependencies group in /ui/leafwiki-ui with 20 updates (#1038) (@dependabot[bot])

Security Fixes

fix(auth): harden user update authorization (#1081)
fix(storage): harden asset and revision path handling (#1078)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track LeafWiki

Get notified when new releases ship.

About LeafWiki

A fast wiki for people who think in folders, not feeds. Fast editing. Tree navigation. Markdown on disk.

All releases →