This release includes 2 security fixes for security teams reviewing exposed deployments.
Topics
+13 more
Affected surfaces
Summary
AI summaryUpdates span desktop version bump, terminal clipboard decoding fixes, billing invoice retention, API security hardening (chat ownership & OAuth token validation), relay tunnel latency improvements, MCP agent timeout adjustment, project deletion access control, and pty-daemon file‑descriptor limits.
Full changelog
What's Changed
- chore(desktop): bump version to 1.12.0 by @Kitenite in https://github.com/superset-sh/superset/pull/4970
- fix(desktop): decode terminal clipboard as UTF-8 (#4839, #4956) by @Kitenite in https://github.com/superset-sh/superset/pull/4983
- fix: solve #4939 — right-click closing terminal/CLI tab by @Kitenite in https://github.com/superset-sh/superset/pull/4968
- fix(billing): keep invoice access after downgrade by @Kitenite in https://github.com/superset-sh/superset/pull/4995
- fix(api): enforce chat session ownership on /api/chat routes (IDOR) by @saddlepaddle in https://github.com/superset-sh/superset/pull/5017
- fix(api): reject OAuth tokens from untrusted clients on tRPC bearer path by @saddlepaddle in https://github.com/superset-sh/superset/pull/5018
- fix(relay): read tunnel directory from regional replicas by @saddlepaddle in https://github.com/superset-sh/superset/pull/5019
- fix(relay): disable Nagle on tunnel sockets to cut interactive terminal latency by @philbirtles in https://github.com/superset-sh/superset/pull/5013
- fix(relay): return tRPC error envelopes for failed tRPC requests by @saddlepaddle in https://github.com/superset-sh/superset/pull/5034
- Prevent tab button from stealing focus by @Bilal-Afzal-AI in https://github.com/superset-sh/superset/pull/5025
- fix(api): restore maxDuration=800 to MCP agent routes to prevent 300s timeout by @sazabi[bot] in https://github.com/superset-sh/superset/pull/4770
- fix(panes): remove redundant close tooltip on tabs by @AviPeltz in https://github.com/superset-sh/superset/pull/5037
- [codex] Focus active terminal panes by @Kitenite in https://github.com/superset-sh/superset/pull/5054
- fix(terminal): remove ACK output flow control to end PTY back-pressure deadlock (SUPER-939/#4993) by @Kitenite in https://github.com/superset-sh/superset/pull/5031
- feat(cli/sdk/mcp): ws create --command, agents create rename, terminals create by @saddlepaddle in https://github.com/superset-sh/superset/pull/5027
- release(cli,sdk): cut cli v0.2.21 + sdk alpha.12 by @saddlepaddle in https://github.com/superset-sh/superset/pull/5063
- fix(desktop): bound applied_tx growth in tanstack-db.sqlite (SUPER-967) by @saddlepaddle in https://github.com/superset-sh/superset/pull/5035
- fix: route organization creation through auth hooks by @Kitenite in https://github.com/superset-sh/superset/pull/5055
- feat(projects): restrict project deletion to organization owners by @saddlepaddle in https://github.com/superset-sh/superset/pull/5066
- fix(pty-daemon): raise daemon RLIMIT_NOFILE and surface real spawn errno by @saddlepaddle in https://github.com/superset-sh/superset/pull/5067
New Contributors
- @philbirtles made their first contribution in https://github.com/superset-sh/superset/pull/5013
- @Bilal-Afzal-AI made their first contribution in https://github.com/superset-sh/superset/pull/5025
Full Changelog: https://github.com/superset-sh/superset/compare/desktop-v1.12.1...desktop-v1.12.2
Security Fixes
- API enforces chat session ownership on /api/chat routes (IDOR fix)
- API rejects OAuth tokens from untrusted clients on tRPC bearer path
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About Superset
Code Editor for the AI Agents Era - Run an army of Claude Code, Codex, etc. on your machine
Related context
Related tools
Beta — feedback welcome: [email protected]