This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: In v0.63.0, staff accounts are blocked from logging in via the login endpoint (HTTP 403) and workers can select an hourly rate using `rate_type='hourly'`.
Why it matters: A severity‑90 security change blocks housekeeping worker logins, directly impacting authentication; a new feature allows hourly billing for workers.
Summary
AI summary: Staff accounts are blocked from logging in and workers can use hourly rates.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Accounts linked to a housekeeping worker row are blocked from logging in (HTTP 403). Source: llm_adapter@2026-06-05. Confidence: high. | — |
| Feature | Medium | Workers can use daily flat rate or hourly rate (`rate_type='hourly'`). Source: llm_adapter@2026-06-05. Confidence: high. | — |
| Feature | Medium | Decay tasks can be edited, deleted, and undone from the chore list. Source: llm_adapter@2026-06-05. Confidence: high. | — |
| Feature | Medium | Housekeeping visits can be edited from dashboard strip and calendar event deep‑link. Source: llm_adapter@2026-06-05. Confidence: high. | — |
| Feature | Medium | Staff accounts hidden from task‑assignment pickers, dashboard member avatars, and family contact list; birthdays remain visible. Source: llm_adapter@2026-06-05. Confidence: high. | — |
Full changelog
Added
- Workers can now use either a daily flat rate or an hourly rate (`rate_type = 'hourly'`) (#239). The worker form has a rate-type selector; check-out computes `minutes_worked` from the session duration, rounds to the nearest 15 minutes, and stores the resulting amount. The visit editor shows a live recalculation preview when adjusting worked minutes.
- Decay tasks (recurring chores) can now be edited, deleted, and undone directly from the chore list (#244). Undo clears `last_completed`, resetting the urgency indicator to "not yet done".
- Housekeeping visits can be edited from the dashboard (recent-visits strip) and from the calendar — tapping a housekeeping calendar event opens the visit editor via a deep-link (`?editVisit=<id>`) (#245).
- Staff accounts (users with a `housekeeping_workers` row) are now hidden from task-assignment pickers, dashboard member avatars, and the family contact list; their birthday entries remain visible in the calendar and birthday list (#243).
Security
- Accounts linked to a housekeeping worker row are now blocked from logging in (#243). The login endpoint returns HTTP 403 for such accounts, preventing staff from accessing family data.
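A sketch of the login gate and the matching picker filter described above, added here as an illustration and not taken from the project's code. The `users` table, its columns, the `user_id` link column, the 401 status for bad credentials and the choice to check credentials before returning 403 are all assumptions of this example; only the `housekeeping_workers` table name and the 403 status come from the changelog.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db():
    # Assumed schema: only the table name housekeeping_workers is from the changelog.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
                            salt BLOB, pw_hash BLOB);
        CREATE TABLE housekeeping_workers (id INTEGER PRIMARY KEY,
                            user_id INTEGER REFERENCES users(id));
    """)
    return db

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(db, email, password, is_worker=False):
    salt = os.urandom(16)
    cur = db.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
                     (email, salt, _hash(password, salt)))
    if is_worker:
        db.execute("INSERT INTO housekeeping_workers (user_id) VALUES (?)",
                   (cur.lastrowid,))

def login(db, email, password):
    """Return the HTTP status a login endpoint with this gate would send."""
    row = db.execute("SELECT id, salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    # Hash even for unknown emails so both failure paths do similar work.
    salt, stored = (row[1], row[2]) if row else (b"\0" * 16, b"")
    ok = hmac.compare_digest(stored, _hash(password, salt))
    if row is None or not ok:
        return 401
    # Gate after credential check: 403 is only shown to someone who knows
    # the password, so it does not reveal which accounts are staff.
    staff = db.execute("SELECT 1 FROM housekeeping_workers WHERE user_id = ? LIMIT 1",
                       (row[0],)).fetchone()
    return 403 if staff else 200

def assignable_members(db):
    """Same predicate reused to hide staff accounts from assignment pickers."""
    rows = db.execute("""SELECT email FROM users u WHERE NOT EXISTS
        (SELECT 1 FROM housekeeping_workers w WHERE w.user_id = u.id)
        ORDER BY email""")
    return [r[0] for r in rows]
```

Keeping the staff test in one predicate shared by login and the pickers avoids the two drifting apart when the worker-linking logic changes.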
Breaking Changes
- Accounts linked to a `housekeeping_workers` row are blocked from login (HTTP 403).
Security Fixes
- Login blocked for accounts linked to a housekeeping worker row; endpoint returns HTTP 403 (#243).