
spupuz/VibeNVR

v1.28.3 Breaking

This release includes 2 breaking changes for platform teams planning a safe upgrade.

Published 22d Media Servers
✓ No known CVEs patched

Topics

ffmpeg lightweight local-storage nvr opensource privacy video-surveillance

Affected surfaces

auth

ReleasePort's take

Light signal
editorial:auto 13d

Release v1.28.3 adds automatic COOKIE_SECURE handling and log credential masking while requiring TZ variable updates in docker-compose.yml.

Why it matters: Patch to v1.28.3 immediately if using cookie security or logging sensitive credentials; update all docker‑compose.yml files with the TZ environment variable before redeploying services.

Summary

AI summary

Dynamic cookie management defaults to auto and timezone synchronization requires updating docker-compose.yml and .env.

Changes in this release

Security Medium

Implements COOKIE_SECURE=auto with dynamic HTTP/HTTPS detection


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Automatically masks RTSP credentials and Bearer tokens in logs


Source: llm_adapter@2026-05-21

Confidence: high

Breaking Medium

Must update docker-compose.yml with TZ variable for all services


Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

All logs now use unified YYYY-MM-DD HH:MM:SS timestamp format


Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Docker stack now respects TZ environment variable for timestamps


Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

Full Changelog: https://github.com/spupuz/VibeNVR/compare/v1.28.2...v1.28.3

🚀 Release v1.28.3

[!IMPORTANT]
ACTION REQUIRED: This release introduces significant infrastructure improvements. To ensure proper logging and session stability, you MUST update your docker-compose.yml (docker-compose-prod.yml) and .env files. Specifically, ensure the TZ variable is set for all services and review your COOKIE_SECURE settings (now defaulting to auto).

📝 Summary

This release focuses on Dynamic Session Security and Log Standardization. We have resolved the common "No session cookie" issue for local network users by implementing a protocol-aware cookie management system. Additionally, we have unified the logging architecture across all containers to improve auditability and troubleshooting.

🛠️ Key Improvements

  • 🛡️ Security: Dynamic Cookie Logic. VibeNVR now implements COOKIE_SECURE=auto. The system automatically detects if the request is over HTTP (Local IP) or HTTPS (Remote Proxy). The Secure flag is dynamically toggled, ensuring a "zero-config" experience for local users while maintaining high-grade protection on public networks.
  • 📊 Auditability: Standardized Logging. All system logs (Backend, Engine, Frontend) now use a unified timestamp format (YYYY-MM-DD HH:MM:SS). We have also introduced Automatic Log Redaction; sensitive data such as RTSP credentials and Bearer tokens are now automatically masked in stdout.
  • 🌍 Infrastructure: Timezone Synchronization. The entire Docker stack now respects the TZ environment variable, ensuring that all log events and recording timestamps correlate perfectly with your local time.
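
The protocol-aware Secure flag described in the first item, as an added sketch that is not VibeNVR's code. The release notes do not say how the protocol is detected; this assumes the request scheme plus an `X-Forwarded-Proto` header that is honoured only from a trusted proxy range, and `cookie_secure`, `session_cookie_header` and `TRUSTED_PROXIES` are hypothetical names.

```python
import ipaddress
from http.cookies import SimpleCookie

# Assumption: address range of the reverse proxy (constructed sample value).
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]


def cookie_secure(setting, scheme, peer_ip, forwarded_proto=None,
                  trusted=TRUSTED_PROXIES):
    """Return True when the session cookie should carry the Secure flag."""
    setting = setting.strip().lower()
    if setting in ("true", "false"):
        return setting == "true"  # explicit override wins over detection
    if setting != "auto":
        raise ValueError(f"unsupported COOKIE_SECURE value: {setting!r}")
    if scheme == "https":  # TLS reaches the application directly
        return True
    peer = ipaddress.ip_address(peer_ip)
    # Only a trusted proxy may vouch for the original scheme; the header is
    # ignored from any other peer because clients can set it freely.
    if forwarded_proto and any(peer in net for net in trusted):
        return forwarded_proto.split(",")[0].strip().lower() == "https"
    return False


def session_cookie_header(token, secure):
    """Render a Set-Cookie value for the session token."""
    jar = SimpleCookie()
    jar["session"] = token
    jar["session"]["httponly"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    if secure:
        jar["session"]["secure"] = True
    return jar["session"].OutputString()
```

In this sketch a proxy that terminates TLS without forwarding the scheme resolves `auto` to a cookie without Secure, which is the kind of setup where an explicit `COOKIE_SECURE` value is still needed.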

⚠️ Infrastructure Updates (Detailed)

  1. Timezone Support: Add the TZ=${TZ:-Europe/Rome} variable to all services in your compose file. This ensures your logs match your actual time, making event correlation much easier.
  2. Dynamic Cookies: The system now defaults to COOKIE_SECURE=auto. You can remove any manual COOKIE_SECURE=false overrides from your .env file unless you have a non-standard reverse proxy configuration.
  3. Log Auditability: The backend now uses a root TokenRedactingFilter. If you share your logs for support, you can be confident that passwords and tokens are redacted at the source.
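
The log redaction and unified timestamp format described above, as an added Python sketch that is not the project's `TokenRedactingFilter`. `RedactingFilter`, `redact`, the regular expressions and the sample log values are constructed for illustration, and Python's standard `logging` module is an assumption about the backend.

```python
import io
import logging
import re

# rtsp://user:password@host -> keep scheme and host, mask the userinfo part.
RTSP_CREDS = re.compile(r"(rtsps?://)[^/\s]+@", re.IGNORECASE)
# "Bearer <token>" as it appears in an Authorization header.
BEARER = re.compile(r"(Bearer\s+)[A-Za-z0-9._~+/-]+=*", re.IGNORECASE)


def redact(text):
    """Mask RTSP userinfo and Bearer tokens in a log message."""
    text = RTSP_CREDS.sub(r"\1***:***@", text)
    return BEARER.sub(r"\1***", text)


class RedactingFilter(logging.Filter):
    """Hypothetical filter that rewrites the fully formatted message."""

    def filter(self, record):
        # getMessage() merges args first, so secrets passed as %s args
        # are masked as well as secrets in the format string.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def build_logger(stream):
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter(
        "%(asctime)s %(levelname)s %(name)s %(message)s",
        datefmt="%Y-%m-%d %H:%M:%S"))
    # Attached to the handler, not the root logger: logger-level filters are
    # skipped for records that propagate up from child loggers.
    handler.addFilter(RedactingFilter())
    root = logging.getLogger()
    root.handlers[:] = [handler]
    root.setLevel(logging.INFO)
    return root


def demo():
    buf = io.StringIO()
    build_logger(buf)
    log = logging.getLogger("camera.worker")  # child logger
    # Constructed sample values, not real credentials.
    log.info("opening %s", "rtsp://admin:S3cret!@192.0.2.10:554/stream1")
    log.info("Authorization: Bearer abc.def-123_xyz")
    return buf.getvalue()
```

Before sharing logs, a search for `rtsp://` followed by anything other than `***:***@` is a quick check that nothing bypassed the handler.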

Audit & Verification Status

  • ✅ Security Audit: All SAST and RBAC checks passed.
  • ✅ Functional Tests: 60/60 tests passed, including session persistence on local/remote protocols.
  • ✅ Documentation: Synchronized across README, SECURITY.md, CONTEXT.md, AGENTS.md, and the official Wiki.

VibeNVR — Modern, Secure, and Zero-Config.

Breaking Changes

  • Default `COOKIE_SECURE` changed to `auto`; manual overrides must be removed or adjusted for non‑standard reverse proxy setups.
  • All services now require the `TZ` environment variable (default Europe/Rome) in docker-compose.yml; missing TZ breaks timestamp synchronization.
