Shelf

Security release

This release contains a security fix for GHSA-xgrm-8w6v-mvjg — a Server-Side Request Forgery (SSRF) in the asset CSV import (imageUrl). Severity: High (CVSS 7.1).

Affected versions: all versions prior to 1.20.3.

All self-hosted operators should upgrade immediately.

What's Changed

• fix(companion): dismiss custody picker on member select [LAUNCH-BLOCKER] by @carlosvirreira in https://github.com/Shelf-nu/shelf.nu/pull/2558
• fix(deps): patch path-to-regexp ReDoS via scoped pnpm override (CVE-2026-4867) by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2560
• fix(security): authorize public scan geo-update + allowlist scanner extra-include by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2559
• chore(deps): close build-chain Dependabot alerts via pnpm overrides by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2563
• chore(deps-dev): bump turbo from 2.9.7 to 2.9.14 by @dependabot[bot] in https://github.com/Shelf-nu/shelf.nu/pull/2561
• fix(booking): prevent P2028 transaction-not-found on checkout of large bookings by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2565
• chore(deps): bump js-cookie from 3.0.5 to 3.0.7 by @dependabot[bot] in https://github.com/Shelf-nu/shelf.nu/pull/2566
• perf(assets): trigram indexes and id-aware search fast path by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2568
• chore(sentry): unblock server traces and add release/org context by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2571
• feat(barcodes): surface preferred display code on every asset & kit list view by @carlosvirreira in https://github.com/Shelf-nu/shelf.nu/pull/2567
• fix(ci): report clean React Doctor scans correctly in PR comment by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2572
• fix(react-doctor): resolve derived-state error and stable-key warnings by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2573
• fix(layout): gate route SSR on hydration to avoid client-only call crash by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2576
• feat(companion): in-app QR linking, audit evidence, and Android image fix by @carlosvirreira in https://github.com/Shelf-nu/shelf.nu/pull/2574
• feat(webapp): replace PWA install prompt with iOS Smart App Banner by @carlosvirreira in https://github.com/Shelf-nu/shelf.nu/pull/2577
• fix(webapp): complete partial check-in from records, not global asset status by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2581
• fix(companion): prevent silent audit scan loss (P0) by @carlosvirreira in https://github.com/Shelf-nu/shelf.nu/pull/2580
• fix(webapp): enforce SELF_SERVICE custody self-restriction in shared services (P1) by @carlosvirreira in https://github.com/Shelf-nu/shelf.nu/pull/2582
• feat(bookings): add per-asset check-in status to CSV export by @carlosvirreira in https://github.com/Shelf-nu/shelf.nu/pull/2579
• feat: show location on booking page by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2578
• feat(companion): audits redesign for ownership & urgency clarity by @carlosvirreira in https://github.com/Shelf-nu/shelf.nu/pull/2583
• ci(react-doctor): extend react-doctor to the companion app by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2587
• chore(companion): move EXPO_PUBLIC env vars to EAS, drop from eas.json by @carlosvirreira in https://github.com/Shelf-nu/shelf.nu/pull/2588
• fix(companion): harden audit-scan durability against first-write loss by @carlosvirreira in https://github.com/Shelf-nu/shelf.nu/pull/2586
• fix(webapp): prevent SSRF via asset import imageUrl (GHSA-xgrm-8w6v-mvjg) by @DonKoko in https://github.com/Shelf-nu/shelf.nu/pull/2589

Full Changelog: https://github.com/Shelf-nu/shelf.nu/compare/[email protected]@1.20.3