Rackula

v0.10.0 Security

This release includes 5 security fixes and is relevant to security teams reviewing exposed deployments.

Published 8d Virtualization
This release patches 5 known CVEs

Topics

av-rack capacity-planning dcim drag-and-drop self-hosted netbox network-infrastructure rack rack-diagram rack-layout self-host server-rack svelte sysadmin typescript visualization

Affected surfaces

auth deps

ReleasePort's take

Moderate signal
editorial:auto 8d

The release patches multiple vulnerable dependencies in the API (better-auth, kysely, defu, lodash, effect, drizzle-orm) and resolves OIDC authentication redirect issues behind reverse proxies.

Why it matters: Patching these CVE‑affected dependencies (severity 90/80) prevents remote code execution risks; fixing the OIDC redirect bug ensures uninterrupted authentication for deployments using reverse proxies.

Summary

AI summary

Patches CVE-2026-35209 (defu) and CVE-2026-32887 (effect), alongside technical changes, in a mixed release.

Changes in this release

Security Critical

Patch vulnerable dependencies in api: better-auth 1.5.1 → 1.6.2, kysely, defu, lodash, effect, drizzle-orm CVEs resolved (#1676)

Source: llm_adapter@2026-05-26

Confidence: low

Security High

Patch hono and defu dependency CVEs in the api (#1691)

Source: llm_adapter@2026-05-26

Confidence: high

Security High

Resolve 7 Trivy alerts by upgrading better-auth, kysely, defu, lodash, effect, drizzle-orm in api image (#1676)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Feature Medium

Add right-click context menu for custom devices in the device palette (#1701)

Source: llm_adapter@2026-05-26

Confidence: high

Feature Medium

Persist viewport zoom/pan across page reloads (#118)

Source: llm_adapter@2026-05-26

Confidence: high

Feature Medium

Add share URL length warning at 1800 chars with download-layout-file fallback (#1720)

Source: llm_adapter@2026-05-26

Confidence: high

Feature Medium

Add vector PDF export for AutoCAD compatibility (#1731, PR #1734)

Source: llm_adapter@2026-05-26

Confidence: high

Feature Medium

Add cross-rack device drag-and-drop support (#1592, PR #1744)

Source: llm_adapter@2026-05-26

Confidence: high

Feature Low

Add Layouts navigation in the File Menu and mobile toolbar (#1722)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Dependency Low

Upgrade qs 6.15.1 → 6.15.2 in the api (#1721)

Source: llm_adapter@2026-05-26

Confidence: high

Dependency Low

Replace pako with lz-string for share-URL compression in the api (#1718)

Source: llm_adapter@2026-05-26

Confidence: high

Performance Low

Validate interface positions on half-depth device types (#254)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Performance Low

Reduce text stroke-width and remove unsupported paint-order in rendering (PR #1737)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Deprecation Medium

Drop legacy AUTH* and API* environment variable fallbacks in the api (#1692)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Bugfix Medium

Fix OIDC auth redirect port when behind a reverse proxy (#1714)

Source: llm_adapter@2026-05-26

Confidence: low

Bugfix Low

Sync U-numbering settings across bayed rack groups (#1520, PR #1702)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Bugfix Low

Convert position units in resize validator (#1683, PR #1695)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Bugfix Low

Sync layout name to the first rack on creation (#1481, #1482, PR #1687)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Bugfix Low

Clean up cables when a device type is deleted (#1483, PR #1693)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Bugfix Low

Skip pointer drag events outside rack SVG bounds (#1467, PR #1690)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Bugfix Low

Respect per-device face in PNG export filter (#1681, PR #1682)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Bugfix Low

Respect half-width slot_position in PNG export (#1660, PR #1679)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Bugfix Low

Recover slot_position and slot_width for half-width device pairs on load (#1602, PR #1704)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Bugfix Low

Fix PDF export regressions: duplicate bay labels, serif font for structural labels, upward offset of device names (#1738, #1739, #1740, PR #1741)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Bugfix Low

Adjust right-click context menus to open at the cursor instead of top-left origin (#1725, PR #1726)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Refactor Low

Split api security.ts into focused modules (#1611, PR #1689)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Refactor Low

Introduce mountWithAlias helper for /api/* route aliases (#1684)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Other Low

Enable TypeScript strict mode on the frontend (#1609, PR #1709)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Other Low

Implement on-demand Trivy security scan workflow aligned with deploy-prod (#1675)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Other Low

Add post-release version-alignment test across published Docker images (#1728, PR #1730)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Other Low

Make dev deploy workflow fail loudly if data directory not writable by uid 1001 (#1742)

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Full changelog

Added

  • Right-click context menu for custom devices in the device palette (#1701)
  • Persist viewport zoom/pan across page reloads (#118)
  • Share URL length warning at 1800 chars with a download-layout-file fallback (#1720)
  • Validate interface positions on half-depth device types (#254)
  • Layouts navigation in the File Menu and mobile toolbar (#1722)
  • Vector PDF export for AutoCAD compatibility (#1731, PR #1734)
  • Cross-rack device drag-and-drop (#1592, PR #1744)

Changed

  • Replace pako with lz-string for share-URL compression (#1718)

Fixed

  • Sync U-numbering settings across bayed rack groups (#1520, PR #1702)
  • Convert position from internal units in the resize validator (#1683, PR #1695)
  • Sync layout name to the first rack on creation (#1481, #1482, PR #1687)
  • Clean up cables when a device type is deleted (#1483, PR #1693)
  • Skip pointer drag events outside rack SVG bounds (#1467, PR #1690)
  • Respect per-device face in PNG export filter (#1681, PR #1682)
  • Respect half-width slot_position in PNG export (#1660, PR #1679)
  • Drop legacy AUTH* and API* env-var fallbacks in the api (#1692)
  • Recover slot_position and slot_width for half-width pairs on load (#1602, PR #1704)
  • Fix OIDC auth redirect port when behind a reverse proxy (#1714)
  • Right-click context menus now open at the cursor instead of the top-left origin (#1725, PR #1726)
  • Reduce text stroke-width and remove unsupported paint-order (PR #1737)
  • PDF export rendering regressions — bay labels duplicated in bayed racks, structural labels render in serif font, device names offset upward (#1738, #1739, #1740, PR #1741)

Security

  • Resolve all 7 open Trivy code-scanning alerts on the api image by bumping better-auth 1.5.1 → 1.6.2 (#1676), removing/upgrading vulnerable transitive deps: kysely (CVE-2026-44635, -33468, -32763), defu (CVE-2026-35209), lodash (CVE-2026-4800), effect (CVE-2026-32887), drizzle-orm (CVE-2026-39356)
  • Patch hono + defu dependency CVEs in the api (#1691)
  • Add to Content-Security-Policy headers (#1723)
  • Bump qs 6.15.1 → 6.15.2 (#1721)

Technical

  • Enable TypeScript strict mode on the frontend (#1609, PR #1709)
  • Split api security.ts into focused modules (#1611, PR #1689)
  • Introduce mountWithAlias helper for /api/* route aliases (#1684)
  • On-demand Trivy security scan workflow aligned with deploy-prod (#1675)
  • Post-release version-alignment test across published Docker images (#1728, PR #1730)
  • Dev deploy workflow fails loudly if data dir not writable by uid 1001 (#1742)
  • Disable binfmt cache to fix parallel cache-save collisions in CI (#1688)
  • Resolve a CodeQL code-quality finding (#1703)
  • Dependency bumps: svelte, vitest, tsx, marked, @types/node, eslint, typescript-eslint, and the production/development/actions dependency groups

Breaking Changes

  • Drop legacy AUTH* and API* env-var fallbacks in the api

Security Fixes

  • CVE-2026-35209 — defu vulnerability resolved by bumping the dependency
  • CVE-2026-32887 — effect vulnerability patched
  • CVE-2026-44635, CVE-2026-33468, CVE-2026-32763 — kysely vulnerabilities fixed by upgrading
  • CVE-2026-4800 — lodash vulnerability addressed
  • CVE-2026-39356 — drizzle-orm vulnerability fixed by upgrading

About Rackula

Open-source drag-and-drop rack layout designer

Related context

Earlier breaking changes

  • v26.5.0 Migrated from SemVer to CalVer versioning scheme