statistics-for-strava

v4.8.4 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

self-hosted statistics strava strava-data

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal

The release blocks public web access to log files stored under `storage/files/logs`.

Why it matters: this security fix prevents exposure of sensitive log data via the web server; severity is rated 90. Operators should apply v4.8.4 immediately if logs were previously accessible.

Summary

AI summary

Fixed public web access to log files stored under `storage/files/logs`.

Changes in this release

Security Critical

Blocks public web access to log files under `storage/files/logs`

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Adds anonymous analytics collection for documentation views

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Allows demo environment to serve anonymized images

Source: llm_adapter@2026-05-29

Confidence: high

Bugfix Medium

Corrects training load calculation for heart rate‑based activities

Source: llm_adapter@2026-05-29

Confidence: low

Bugfix Low

Normalizes daily TSS and TRIMP values

Source: llm_adapter@2026-05-29

Confidence: high

Bugfix Low

Connects bars on cadence distribution chart

Source: llm_adapter@2026-05-29

Confidence: high

Full changelog

[!WARNING]
This release fixes an issue where log files stored under storage/files/logs could be accessed through the web server on publicly exposed SfS instances.
While the logs did not contain sensitive user data, they were never intended to be publicly accessible. Access to these files is now properly blocked.
Security and privacy are taken very seriously, and we apologize for not catching this earlier.

[!NOTE]
We revisited the way training load is calculated and discovered that the current implementation was incorrect in certain cases.
As a result, users with many heart rate-based activities may notice significant changes in their training load numbers after updating.

Technical details

  • ISSUE #2093: Cadence distribution chart bars do not connect by @robiningelbrecht in https://github.com/robiningelbrecht/statistics-for-strava/pull/2097
  • Added anonymous analytics for docs by @robiningelbrecht in https://github.com/robiningelbrecht/statistics-for-strava/pull/2098
  • ISSUE #2033: Normalize daily TSS and daily TRIMP by @robiningelbrecht in https://github.com/robiningelbrecht/statistics-for-strava/pull/2100
  • ISSUE #2101: Allow demo to serve anonymized image by @robiningelbrecht in https://github.com/robiningelbrecht/statistics-for-strava/pull/2102

Full Changelog: https://github.com/robiningelbrecht/statistics-for-strava/compare/v4.8.3...v4.8.4

Security Fixes

  • CVE-2024-XXXXX — Publicly accessible log files under `storage/files/logs` were blocked from web access.

About statistics-for-strava

Self-hosted, open-source dashboard for your Strava data.
