Algernon

v1.17.9 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

algernon build-less cross-platform fasthttp go http3
live-reload local-llm lua mysql npm-less ollama pongo2 postgresql quic react19 redis server-sent-events sqlite tls13

Affected surfaces

deps

ReleasePort's take

Light signal

The release adds a Windows/NTFS filename safety check and tightens request handling limits.

Why it matters: Security relevance: severity 70; performance impact: bounded memory usage via io.Copy and limited body buffers (severity 40).

Summary

AI summary

A mixed release with general, security-related, and configuration-related updates.

Changes in this release

Security High

Adds check for special Windows/NTFS filenames on Windows.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Medium

Uses specified HTTP/HTTPS ports for ACME/Let's Encrypt configuration.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Medium

Adds max size check (int64) for --largesize flag.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Medium

Adds check if --domain is given without certificates/keys.

Source: llm_adapter@2026-05-29

Confidence: low

Feature Low

Improves ServerInfo() output detail.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Makes React support smarter with top‑level element detection.

Source: llm_adapter@2026-05-29

Confidence: low

Feature Low

Adds validation when --domain is provided without certificates/keys.

Source: granite4.1:30b@2026-05-29-audit

Confidence: low

Feature Low

Improves React top‑level element detection in the integration layer.

Source: granite4.1:30b@2026-05-29-audit

Confidence: low

Dependency Medium

Requires Go 1.26 as minimum runtime version.

Source: llm_adapter@2026-05-29

Confidence: high

Performance Medium

Uses io.Copy in reverse proxy to bound memory usage.

Source: llm_adapter@2026-05-29

Confidence: high

Performance Medium

Limits request body buffer size.

Source: llm_adapter@2026-05-29

Confidence: high

Refactor Low

Restructures configuration handling of addresses, ports, certificates, and protocols while preserving flag compatibility.

Source: llm_adapter@2026-05-29

Confidence: high

Full changelog

Security related

  • Add a check for special Windows/NTFS filenames (only applies on Windows). Thanks @Dredsen.
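
To show the class of names a check like this covers, here is an added Go example. It is not Algernon's code, and the release notes do not say which names Algernon rejects. It assumes the well-known Win32 rules (reserved DOS device names, trailing dots or spaces, colons used for NTFS stream syntax); `CheckPath`, its helpers and the sample paths are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// isDeviceName: true for CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9 (any case).
func isDeviceName(base string) bool {
	u := strings.ToUpper(strings.TrimRight(base, " "))
	if u == "CON" || u == "PRN" || u == "AUX" || u == "NUL" {
		return true
	}
	numbered := strings.HasPrefix(u, "COM") || strings.HasPrefix(u, "LPT")
	return numbered && len(u) == 4 && u[3] >= '1' && u[3] <= '9'
}

// unsafeComponent returns why one path component is unsafe on Windows, or "".
func unsafeComponent(c string) string {
	if c == "." || c == ".." {
		return "" // directory traversal is a separate check, not shown here
	}
	if strings.Contains(c, ":") {
		return "colon (NTFS stream syntax)"
	}
	if strings.TrimRight(c, ". ") != c {
		return "trailing dot or space" // Win32 strips these, so "a.lua." opens "a.lua"
	}
	if base, _, _ := strings.Cut(c, "."); isDeviceName(base) {
		return "reserved device name" // historically reserved even with an extension
	}
	return ""
}

// CheckPath splits on both separators and returns the first reason found.
func CheckPath(p string) string {
	for _, c := range strings.FieldsFunc(p, func(r rune) bool { return r == '/' || r == '\\' }) {
		if reason := unsafeComponent(c); reason != "" {
			return reason
		}
	}
	return ""
}

func main() {
	for _, p := range []string{"/static/index.html", "/static/con.txt", "/index.lua::$DATA"} { // constructed paths
		fmt.Printf("%-20s %q\n", p, CheckPath(p))
	}
}
```

A server would apply a check of this kind to the decoded request path before any file lookup, and only needs it when the files live on a Windows host.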

Memory usage while processing data

  • Use io.Copy in the reverse proxy to bound memory usage.
  • Limit the request body buffer size.

Configuration related

  • If HTTP and HTTPS ports are specified, then also use those for ACME / Let's Encrypt. Fixes #173, thanks for the feature request + testing @DaVyze.
  • Add a max size check (int64) for the --largesize flag.
  • Add a check for if --domain is given, without any certificates/keys being given.
  • Restructure how addresses, ports, certificates and protocols can be configured, while still supporting the same flags and arguments.

Other improvements

  • Make the React support a bit smarter with top level element detection.
  • Improve the ServerInfo() output.

General

  • Require Go 1.26.
  • Update Dockerfiles.
  • Add more tests.
  • Update documentation.
  • Update dependencies.

Breaking Changes

  • Require Go 1.26 as minimum runtime version.

Security Fixes

  • Windows NTFS filename validation prevents special‑name abuse.

About Algernon

Small self-contained pure-Go web server with Lua, Markdown, HTTP/2, QUIC, Redis and PostgreSQL support.
