Algernon

v1.17.8 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

algernon build-less cross-platform fasthttp go http3
live-reload local-llm lua mysql npm-less ollama pongo2 postgresql quic react19 redis server-sent-events sqlite tls13

Affected surfaces

rce_ssrf

ReleasePort's take

Light signal
editorial:auto 11d

Version v1.17.8 fixes a path‑traversal vulnerability when using the --domain flag and resolves a file‑descriptor leak after writing to /dev/shm.

Why it matters: Addresses CVE‑style security risk (path traversal) and prevents potential resource exhaustion from fd leaks; apply the update immediately if you use --domain or write to /dev/shm.

Summary

AI summary

A mixed release with changes under Other improvements, Security related, and New functionality.

Changes in this release

Security Medium

Fixes possible path traversal when --domain is used.

Source: llm_adapter@2026-05-24

Confidence: high

Feature Medium

Adds new SQLite functions.

Source: llm_adapter@2026-05-24

Confidence: low

Feature Medium

Adds support for compiling TypeScript and rendering index.tsx files.

Source: llm_adapter@2026-05-24

Confidence: low

Feature Medium

Adds multiple ways of specifying ports and protocols.

Source: llm_adapter@2026-05-24

Confidence: low

Feature Medium

Adds --noninteractive flag as alias for --server and deprecates --server.

Source: llm_adapter@2026-05-24

Confidence: low

Feature Medium

Allows desired React version to be specified in index.jsx/index.tsx comment (React 19 only).

Source: llm_adapter@2026-05-24

Confidence: low

Feature Low

Adds more Lua functions for building HTML output using the onthefly package.

Source: granite4.1:30b@2026-05-24-audit

Confidence: low

Dependency Low

Updates dependencies and documentation.

Source: granite4.1:30b@2026-05-24-audit

Confidence: low

Performance Medium

Improves caching of JSX and TSX files.

Source: llm_adapter@2026-05-24

Confidence: low

Performance Medium

Improves error handling when extracting .alg files.

Source: llm_adapter@2026-05-24

Confidence: low

Performance Low

Improves Lua plugin system concurrency.

Source: granite4.1:30b@2026-05-24-audit

Confidence: low

Deprecation Low

Deprecates the --server command‑line flag.

Source: granite4.1:30b@2026-05-24-audit

Confidence: low

Bugfix Medium

Fixes possible file descriptor leak after writing to /dev/shm.

Source: llm_adapter@2026-05-24

Confidence: high

Bugfix Medium

Fixes issue with setting header values when proxying.

Source: llm_adapter@2026-05-24

Confidence: high

Refactor Low

Prioritizes configuration values: command‑line flags > positional arguments > serverconf.lua.

Source: granite4.1:30b@2026-05-24-audit

Confidence: low

Full changelog

Security related

  • Fix possible path traversal when --domain is used (thanks @fg0x0).

Fixes

  • Fix a possible file descriptor leak after trying to write to /dev/shm.
  • Fix a possible issue with setting header values when proxying.

New functionality

  • Add new functions for using SQLite, ref #156 (thanks for the feature request, @judell).
  • Add support for compiling TypeScript and rendering index.tsx files, ref #166 (thanks for the feature request @fayakun-it-consulting).
  • Add multiple ways of specifying ports and protocols, ref #173 (thanks for the feature request @DaVyze).

Other improvements

  • Improve how JSX and TSX files are cached.
  • Improve error handling when extracting .alg files.
  • Add a --noninteractive flag as an alias for the less descriptive --server flag, and also deprecate the --server flag. The short -s flag remains unchanged, and the --server flag is still supported.
  • Improve the Lua plugin system wrt. concurrency.
  • Let the desired React version be specified in a comment in index.jsx/index.tsx instead of in an .algernon file. Currently only React 19 is supported and can be specified like this: // React: 19.
  • Add more Lua functions for building HTML output programmatically by using the github.com/xyproto/onthefly package.
  • Prioritize configuration values from command line flags first, then positional arguments and then serverconf.lua.

Examples

  • Add two new example projects under samples/react_tsx and samples/onthefly.

General

  • Update dependencies.
  • Update documentation.

Breaking Changes

  • --server flag is deprecated (use --noninteractive as alias)

Security Fixes

  • Fix possible path traversal when --domain is used

About Algernon

Small self-contained pure-Go web server with Lua, Markdown, HTTP/2, QUIC, Redis and PostgreSQL support.
