This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Light signal: v1.28.5 fixes an infinite loop in WebCodecs streaming on HTTP origins by implementing graceful fallback to MJPEG. Self-healing configuration pipeline repairs recursive encoding bugs and validates 70+ camera parameters against memory bloat.
Why it matters: Apply the fix for the WebCodecs infinite loop on HTTP (MJPEG fallback) immediately. The self-healing pipeline repairs encoding bugs, and client-side rendering reduces server CPU. Configuration validation prevents memory bloat across 70+ camera parameters.
Summary
AI summary: Implemented a self-healing AI configuration pipeline and fixed an infinite loop in WebCodecs streaming on insecure origins.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Resource Guard enforces strict length validation on configuration fields to prevent memory bloat. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Feature | Medium | Self-Healing Pipeline automatically repairs recursive encoding bugs. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Feature | Medium | Added seamless PostgreSQL array format compatibility preventing config resets. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Feature | Medium | UI performs instant whitelist-based sanitization of AI filters ensuring data hygiene. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Feature | Medium | Added real-time Toast notifications and settings warning badges for WebCodecs HTTPS requirement. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Feature | Medium | Real-time bounding boxes rendered client-side for WebCodecs streams reducing server CPU usage. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Feature | Medium | Dynamic Audio Sync with Drift Correction algorithm prevents lag during network spikes. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Feature | Medium | Insecure Context Protection gracefully falls back to MJPEG polling under HTTP restrictions. Source: llm_adapter@2026-05-21. Confidence: low | — |
| Performance | Medium | Successfully passed Deep Assurance Suite verifying field integrity across all 70+ camera parameters. Source: llm_adapter@2026-05-21. Confidence: low | — |
| Bugfix | High | Resolves infinite loop in player when accessed via HTTP, falling back to MJPEG polling. Source: granite4.1:30b@2026-05-22-audit. Confidence: high | — |
Full changelog
Full Changelog: https://github.com/spupuz/VibeNVR/compare/v1.28.4...v1.28.5
🚀 Release v1.28.5 – Stability, AI Hardening & WebCodecs Resilience
📝 Summary
VibeNVR v1.28.5 is a major stability release focused on "Self-Healing" data integrity, permanent resolution of AI configuration bugs, and a significantly more resilient WebCodecs streaming pipeline. This version ensures that VibeNVR remains stable even on insecure origins (HTTP) and under complex database conditions.
🛠️ Key Improvements
🤖 AI Configuration & Data Integrity
- Self-Healing Pipeline: Implemented a defensive, recursive validation pipeline that automatically repairs "recursive encoding" bugs (backslash explosion).
- PostgreSQL Native Support: Added seamless compatibility for PostgreSQL array formats ({...}), preventing configuration resets after system restarts.
- Proactive Sanitization: The UI now performs instant whitelist-based sanitization of AI filters before submission, ensuring 100% data hygiene.
📊 Streaming & WebCodecs Resilience
- Insecure Context Protection: Resolved a critical infinite loop in the player when accessed via HTTP. The system now gracefully and instantly falls back to MJPEG polling when browser security (Chrome 94+/Safari 15+) restricts WebCodecs.
- Protocol-Aware UI: Added real-time Toast notifications and settings warning badges that inform users when WebCodecs performance features require HTTPS or localhost.
- AI Tracking Boxes: Real-time bounding boxes are now rendered client-side for WebCodecs streams, maintaining low server CPU usage.
- Dynamic Audio Sync: Enhanced A/V alignment with a new Drift Correction algorithm that monitors and resets audio buffers to prevent lag during network spikes.
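
The fallback decision in the Insecure Context Protection item, as an added example (not VibeNVR's code). It assumes the loop came from retrying WebCodecs start-up where the API can never appear; `pickTransport`, `startPlayer` and the retry budget are hypothetical names and values.

```javascript
// Added example, not VibeNVR code. Names and the retry budget are hypothetical.
// WebCodecs interfaces are [SecureContext]: on a plain-HTTP origin (other than
// localhost) `VideoDecoder` is absent from the global scope, so retrying cannot help.
function pickTransport(env = globalThis) {
  if (env.isSecureContext !== true) {
    // Terminal condition: tell the user HTTPS or localhost is required.
    return { transport: 'mjpeg', reason: 'insecure-context', notifyUser: true };
  }
  if (typeof env.VideoDecoder !== 'function') {
    return { transport: 'mjpeg', reason: 'webcodecs-unsupported', notifyUser: false };
  }
  return { transport: 'webcodecs', reason: 'ok', notifyUser: false };
}

// Start playback with a bounded number of WebCodecs attempts. A missing API is
// never retried; runtime failures are retried at most `maxRetries` times, after
// which the player settles on MJPEG polling instead of looping.
function startPlayer(env, startWebCodecs, startMjpeg, maxRetries = 2) {
  const choice = pickTransport(env);
  const log = [choice.reason];
  let attempts = 0;
  if (choice.transport === 'webcodecs') {
    while (attempts <= maxRetries) {
      attempts++;
      try {
        startWebCodecs();
        return { active: 'webcodecs', attempts, log, notifyUser: false };
      } catch (err) {
        log.push(`webcodecs-error: ${err.message}`);
      }
    }
  }
  startMjpeg();
  return { active: 'mjpeg', attempts, log, notifyUser: choice.notifyUser };
}
```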
🛡️ Security & Performance
- Resource Guard: Enforced strict length validation on configuration fields to prevent memory bloat.
- Certified Stability: Successfully passed the Deep Assurance Suite (26/26 tests), verifying field integrity across all 70+ camera parameters.
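
An added example (not VibeNVR's code) of the normalization described by the AI Configuration items and the Resource Guard item above: bounded unwrapping of repeatedly JSON-encoded values, PostgreSQL `{...}` array literals, a whitelist, and length limits. The whitelist contents, the limits and all function names are assumptions.

```javascript
// Added example, not VibeNVR code. ALLOWED, the limits and the names are assumptions.
const ALLOWED = new Set(['person', 'car', 'dog', 'traffic light']); // constructed whitelist
const MAX_RAW_LEN = 4096; // reject oversized input before any parsing
const MAX_DEPTH = 8;      // bound on nested JSON-string layers
const MAX_ITEMS = 32;     // bound on the stored list

// Parse a one-dimensional PostgreSQL text[] literal such as {person,"traffic light"}.
function parsePgArray(text) {
  const items = [];
  const re = /"((?:[^"\\]|\\.)*)"|([^,{}"]+)/g;
  for (const m of text.slice(1, -1).matchAll(re)) {
    if (m[1] !== undefined) items.push(m[1].replace(/\\(.)/g, '$1')); // quoted element
    else if (m[2].trim() !== 'NULL') items.push(m[2].trim());         // bare element
  }
  return items;
}

// Accepts an array, a JSON string encoded any number of times ("backslash
// explosion"), or a PostgreSQL array literal; returns a clean, bounded list.
function normalizeAiFilters(raw) {
  let value = raw;
  for (let depth = 0; typeof value === 'string'; depth++) {
    if (value.length > MAX_RAW_LEN || depth > MAX_DEPTH) return [];
    const s = value.trim();
    if (s.startsWith('{') && s.endsWith('}')) { value = parsePgArray(s); break; }
    try { value = JSON.parse(s); } catch { value = s === '' ? [] : [s]; }
  }
  if (!Array.isArray(value)) return [];
  const clean = value
    .filter((v) => typeof v === 'string')
    .map((v) => v.trim().toLowerCase())
    .filter((v) => ALLOWED.has(v)); // whitelist: anything unknown is dropped
  return [...new Set(clean)].slice(0, MAX_ITEMS);
}
```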
Security Fixes
- Fixed infinite loop in player when accessed via HTTP; system now falls back to MJPEG polling under browser restrictions (Chrome 94+, Safari 15+)
Earlier breaking changes
- v1.28.3 Must update docker-compose.yml with TZ variable for all services