reactive-resume

v5.1.5 Breaking

This release includes 3 breaking changes for platform teams planning a safe upgrade.

Published 15d Productivity & Wikis
✓ No known CVEs patched

Topics

better-auth react resume resume-builder self-hosted tailwindcss tanstack-start

Affected surfaces

auth

Summary

AI summary

Updates Self-Hosting & Environment, App Runtime & Architecture, and AI & Agent Workflows across a mixed release.

Changes in this release

Feature Medium

Dedicated Hono server runtime built for auth, RPC, MCP, OpenAPI, uploads, schema JSON, SEO endpoints, health checks, and web app.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Clearer self-hosting runtime model with Docker building both web and server, running node apps/server/dist/index.mjs.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Safer Agent restore behavior storing resume snapshot before patch application for rollbacks.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Feature Medium

Added SERVER_PORT environment variable for local development, proxying API routes to Hono server on SERVER_PORT.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Feature Medium

Improves Agent restore safety by storing a resume snapshot before applying patches, enabling exact rollbacks and marking later patches as rolled back.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Feature Medium

Moves startup checks (database migrations, local storage writability) into the server process, running them on application start.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Feature Medium

Introduces `FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI` for trusted self‑hosted deployments needing arbitrary redirect URIs; remains disabled by default on public instances.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Feature Low

Adds `robots.txt`, `sitemap.xml`, `llms.txt`, structured data helpers, and SEO‑focused server responses.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Feature Low

Replaces stored inverse JSON patches with `snapshot_data` on agent actions; legacy actions without snapshots remain non‑restorable.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Feature Low

Updates Agent UI and documentation to use "Restore" terminology, clarifying that restoring an older action rolls back that action and subsequent patches.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Feature Low

Keeps unsafe/private AI provider base URLs behind the flag `FLAG_ALLOW_UNSAFE_AI_BASE_URL`; public HTTPS providers remain the default safe path.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Feature Low

Adds direct PDF.js canvas preview and thumbnail rendering via legacy PDF.js entrypoints, with tests preventing browser preview imports of the modern PDF.js runtime.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Feature Low

Simplifies shared sidebar summary handling for PDF templates and adds focused coverage for featured summary behavior.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Deprecation Low

Removes `OAUTH_DYNAMIC_CLIENT_REDIRECT_HOSTS`; dynamic OAuth client registration now defaults to allowing app origin and loopback callbacks.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Deprecation Low

Removes documented overrides `BETTER_AUTH_URL` and `BETTER_AUTH_SECRET`; auth metadata, JWKS, and OAuth callbacks are now derived from `APP_URL` and `AUTH_SECRET`.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Medium

Updates production Dockerfile to copy `apps/web/dist`, `apps/server/dist`, server dependencies, and migrations into the runtime image; start command is now `node apps/server/dist/index.mjs`.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Medium

Moves API, auth, MCP, OpenAPI, and static route ownership from the web app to `apps/server`.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Medium

Changes web app build to a Vite/TanStack Router SPA output under `apps/web/dist`; Hono server serves the built app with static fallback responses.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Medium

Introduces package‑boundary rules in Turborepo with per‑workspace `turbo.json` to enforce ownership of browser, server, domain, adapter, and infra packages.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Medium

Reorganizes API implementation into feature‑owned modules under `packages/api/src/features/*`.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Medium

Adds migration that populates `agent_actions.snapshot_data` and drops `agent_actions.inverse_operations`.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Medium

Moves browser PDF preview code to `apps/web/src/features/resume/preview` and public resume viewer code to `apps/web/src/features/resume/public`.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Medium

Introduces explicit generation adapters `@reactive-resume/pdf/browser` and `@reactive-resume/pdf/server`.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Low

Modifies `compose.yml` to use the published image by default and load app configuration via `.env` instead of inline environment blocks.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Low

Adjusts `compose.dev.yml` to expose ports 3000 and 3001, adds an app profile, and health‑checks the Hono server port.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Low

Eliminates Cloudflare URL extraction environment variables; Live Agent web research now relies on the selected AI provider's native web search capabilities.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Low

Renames Crowdin token example from `CROWDIN_PERSONAL_TOKEN` to `CROWDIN_API_TOKEN`.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Low

Splits focused domains into new packages: `@reactive-resume/docx`, `@reactive-resume/mcp`, and `@reactive-resume/resume`.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Low

Moves development‑only scripts from `packages/scripts` to a `tooling` directory, keeping workspace packages free of private repo tooling.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Low

Modifies Agent tool docs to describe provider‑native `web_search` behavior instead of app‑owned URL fetching.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Low

Updates Knip configuration so server runtime dependencies imported by the built bundle are treated as intentional dependencies.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Full changelog

Highlights

  • Dedicated Hono server runtime. Reactive Resume now builds a separate apps/server app that mounts auth, RPC, MCP, OpenAPI, uploads, schema JSON, SEO endpoints, health checks, and the built web app from one Node.js process. ecc1fd9a8, 9033da082
  • Clearer self-hosting runtime model. The Docker image now builds both web and server, runs node apps/server/dist/index.mjs, and keeps /api/health pointed at the production server port. ecc1fd9a8
  • Safer Agent restore behavior. Agent edits now store a resume snapshot before applying a patch, so restoring an action can roll the draft back to the exact prior state and mark later agent patches as rolled back. d961e6535

Self-Hosting & Environment

  • Added SERVER_PORT for local development. Vite serves the web app on PORT and proxies API, MCP, upload, well-known, and schema routes to the Hono server on SERVER_PORT.
  • Updated the production Dockerfile to copy apps/web/dist, apps/server/dist, server package dependencies, and migrations into the runtime image. The production start command is now node apps/server/dist/index.mjs.
  • Updated compose.yml to use the published image by default and load app configuration through .env instead of embedding the main app environment block inline.
  • Updated compose.dev.yml to expose both 3000 and 3001, add an app profile, and health-check the Hono server port.
  • Startup checks now run from the server process, including database migrations and local storage writability validation when S3-compatible storage is not configured.
  • Removed OAUTH_DYNAMIC_CLIENT_REDIRECT_HOSTS. Dynamic OAuth client registration now allows the app origin and loopback callbacks by default.
  • Added FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI for trusted self-hosted deployments that intentionally need arbitrary redirect URIs, including custom schemes, private hosts, or non-loopback http:// callbacks. Keep this disabled on public or multi-tenant instances. 445359ebe
  • Removed the documented BETTER_AUTH_URL and BETTER_AUTH_SECRET override path. Auth metadata, JWKS, and OAuth callback URLs are now derived from APP_URL and AUTH_SECRET.
  • Removed Cloudflare URL extraction environment variables. Live Agent web research now depends on the selected AI provider and model supporting native web search.
  • Renamed the Crowdin token example from CROWDIN_PERSONAL_TOKEN to CROWDIN_API_TOKEN.
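
The redirect policy in the two OAuth items above (app origin and loopback allowed by default, everything else only with FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI), modelled as an added example; this is not Reactive Resume's code. The function name, its result shape, the private-range list and the sample hosts are assumptions.

```javascript
// Added illustration of the policy described above; not Reactive Resume's code.
// checkRedirectUri, its result shape and the sample hosts are hypothetical.
const LOOPBACK = /^(localhost|127\.\d+\.\d+\.\d+|\[::1\])$/;

// RFC 1918 and link-local IPv4 only; IPv6 private ranges are not covered here.
function isPrivateV4(host) {
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

function checkRedirectUri(redirectUri, appUrl, allowUnsafe = false) {
  let uri;
  try {
    uri = new URL(redirectUri); // throws on relative or malformed input
  } catch {
    return { allowed: false, reason: "malformed" };
  }
  // RFC 6749 section 3.1.2: a redirect URI must not include a fragment.
  if (uri.hash) return { allowed: false, reason: "fragment" };

  const web = uri.protocol === "http:" || uri.protocol === "https:";
  // Compare parsed origins (scheme, host, port), never string prefixes.
  if (web && uri.origin === new URL(appUrl).origin) {
    return { allowed: true, reason: "app-origin" };
  }
  if (web && LOOPBACK.test(uri.hostname)) {
    return { allowed: true, reason: "loopback" };
  }
  // Everything else is allowed only when the unsafe flag is on.
  let reason = "external-host";
  if (!web) reason = "custom-scheme";
  else if (isPrivateV4(uri.hostname)) reason = "private-host";
  else if (uri.protocol === "http:") reason = "non-loopback-http";
  return { allowed: allowUnsafe, reason };
}

// Constructed inputs; resume.example.com stands in for APP_URL.
const samples = [
  "https://resume.example.com/oauth/callback",
  "http://127.0.0.1:53682/callback",
  "https://resume.example.com@evil.example/cb", // userinfo, host is evil.example
  "https://resume.example.com.evil.example/cb", // look-alike suffix
  "http://192.168.1.20/cb",
  "com.example.app:/oauth",
];
for (const s of samples) {
  const { allowed, reason } = checkRedirectUri(s, "https://resume.example.com");
  console.log(allowed ? "allow" : "deny ", reason.padEnd(18), s);
}
```

The two look-alike samples show why the comparison is made on the parsed origin: both begin with the app's hostname as a string but resolve to a different host.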

App Runtime & Architecture

  • Moved API/auth/MCP/OpenAPI/static route ownership out of the web app and into apps/server.
  • Changed the web app build to a Vite/TanStack Router SPA output under apps/web/dist, with the Hono server serving the built app and static fallback responses.
  • Added robots.txt, sitemap.xml, llms.txt, structured data helpers, and server-owned SEO responses. 8fcf0ec64
  • Added package-boundary rules to Turborepo and per-workspace turbo.json files to enforce browser, server, domain, adapter, and infra ownership.
  • Split focused domains into new packages: @reactive-resume/docx, @reactive-resume/mcp, and @reactive-resume/resume.
  • Moved development-only scripts from packages/scripts to tooling so workspace packages contain app/runtime code rather than private repo tooling.
  • Reorganized API implementation into feature-owned modules under packages/api/src/features/*.

AI & Agent Workflows

  • Replaced stored inverse JSON patches with snapshot_data on agent actions. Legacy actions without snapshots remain non-restorable.
  • Added a migration that adds agent_actions.snapshot_data and drops agent_actions.inverse_operations.
  • Updated Agent UI and docs from "Revert" language to "Restore" language to clarify that restoring an older action rolls back that action and later applied agent patches.
  • Updated Agent tool documentation to describe provider-native web_search behavior instead of app-owned URL fetching.
  • Kept unsafe/private AI provider base URLs behind FLAG_ALLOW_UNSAFE_AI_BASE_URL, with public HTTPS provider URLs remaining the default safe path.

Resume Rendering & Exports

  • Moved browser PDF preview code into apps/web/src/features/resume/preview and public resume viewer code into apps/web/src/features/resume/public.
  • Added direct PDF.js canvas preview and thumbnail rendering through legacy PDF.js entrypoints, with tests that prevent browser preview code from importing the modern PDF.js runtime. 7cade6980
  • Added explicit @reactive-resume/pdf/browser and @reactive-resume/pdf/server generation adapters.
  • Simplified shared sidebar summary handling for PDF templates and added focused coverage for featured summary behavior. 17f351171

Docs & Maintenance

  • Added new use-case docs for free, open-source, self-hosted, privacy-focused, export/share, AI, and API/MCP resume workflows.
  • Rewrote contributor architecture docs around the new monorepo runtime, package ownership model, and boundary checks.
  • Updated self-hosting Docker and SSO docs for the Hono runtime, removed environment variables, OAuth redirect safety, provider-native Agent web research, and local development ports.
  • Added and updated architecture notes, plans, and specs for the Hono migration, monorepo reorganization, Docker tagging, manifest-only PWA behavior, unsafe OAuth redirect policy, and Agent snapshot restore design.
  • Updated Knip configuration so server runtime dependencies that are imported by the built server bundle are treated as intentional dependencies.

Full Changelog: v5.1.4...v5.1.5

Breaking Changes

  • Removed `OAUTH_DYNAMIC_CLIENT_REDIRECT_HOSTS`; dynamic OAuth clients now allow app origin and loopback callbacks by default.
  • Removed documented `BETTER_AUTH_URL` and `BETTER_AUTH_SECRET` overrides; auth metadata, JWKS, and OAuth callback URLs are derived from `APP_URL` and `AUTH_SECRET`.
  • Removed Cloudflare URL extraction environment variables; Live Agent web research now relies on the selected AI provider's native web search capability.

About reactive-resume

A one-of-a-kind resume builder that keeps your privacy in mind. Completely secure, customizable, portable, open-source and free forever. Try it out today!

Earlier breaking changes

  • v5.1.4 Private agent attachments require S3-compatible storage; local filesystem rejected
  • v5.1.4 AI Agent workspace requires REDIS_URL for self-hosted deployments
  • v5.1.4 Saved AI providers now require ENCRYPTION_SECRET for self-hosted deployments
