
spupuz/VibeNVR

v1.20.0 Breaking

This release includes 2 breaking changes for platform teams planning a safe upgrade.

Published 3mo Media Servers
✓ No known CVEs patched

Topics

ffmpeg lightweight local-storage nvr opensource privacy video-surveillance

Affected surfaces

auth breaking_upgrade

Summary

AI summary

HttpOnly session cookies eliminate XSS token theft and Argon2 hardens password storage.

Full changelog

Full Changelog: https://github.com/spupuz/VibeNVR/compare/v1.19.3...v1.20.0

VibeNVR Release Notes - v1.20.0 🔐

This significant update focuses on security hardening and architectural robustness.

🚀 What's New

🛡️ Security Hardening (Critical)

  • HttpOnly Session Cookies: Migrated JWT storage from localStorage to HttpOnly, Secure cookies (auth_token and media_token). This completely eliminates the risk of token theft via XSS.
  • Argon2 Hashing: Standardized on Argon2 for all user passwords and recovery codes, ensuring maximum resistance to brute-force attacks.
  • 2FA Password Confirmation: Disabling Two-Factor Authentication now requires current password confirmation for enhanced account safety.
  • SSRF & Path Traversal Guards: Strengthened input validation for webhooks and media requests to prevent server-side request forgery and unauthorized file access.
  • Weak Secret Key Block: The application now performs a pre-flight check and refuses to start if a weak or default SECRET_KEY is detected.

🎨 UI/UX Improvements

  • Avatar Cache-Busting: Fixed the issue where changed avatars wouldn't refresh without a manual page reload.
  • Premium Design Tweaks: Refined UI components for a smoother, more "premium" experience.

⚠️ Required Updates

This version introduces architectural changes that may require updates to your deployment:

.env Updates

  1. SECRET_KEY: Ensure your SECRET_KEY is at least 32 characters long and not the default.
  2. COOKIE_SECURE:
    • Set COOKIE_SECURE=true if serving over HTTPS (highly recommended).
    • Set COOKIE_SECURE=false only for local HTTP testing.
  3. ALLOWED_ORIGINS: For production, restrict this to your actual domain (e.g., https://nvr.example.com).

When a new version is released, follow these steps to ensure a clean update:

  1. Back up your .env file:

     cp .env .env.bak

  2. Retrieve the new production compose file (ensure you are in the project root):

     curl -O https://raw.githubusercontent.com/spupuz/VibeNVR/main/docker-compose.prod.yml

  3. Pull the new images:

     docker compose -f docker-compose.prod.yml pull

  4. Stop the current stack:

     docker compose -f docker-compose.prod.yml down

  5. Start the new stack:

     docker compose -f docker-compose.prod.yml up -d

Breaking Changes

  • JWT storage moved from localStorage to HttpOnly, Secure cookies (`auth_token` and `media_token`).
  • Application refuses to start if a weak or default `SECRET_KEY` is detected.


Related context

Earlier breaking changes

  • v1.28.3 Must update docker-compose.yml with TZ variable for all services
