Skip to content

Yeraze/meshmonitor

v3.10.2 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 2mo Monitoring & Metrics
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

meshcore meshtastic mqtt

Affected surfaces

deps

Summary

AI summary

Upgrade ARMv7 base image to node:22.22.1-bookworm-slim and then to node:22.22.2-bookworm-slim fixing a critical zlib vulnerability.

Full changelog

MeshMonitor v3.10.2

Bug Fixes

  • #2438 fix: rename legacy system_backup_history columns (#2419)
  • #2442 fix: add missing api_tokens name column (#2435)
  • #2444 fix: correct frequency display when channelNum is 0 — implements DJB2 hash matching firmware (#2436)
  • #2449 fix: change traceroute "MQTT" label to "IP" for non-LoRa hops (#2443)
  • #2450 fix: replace node-cron with croner for missed execution recovery (#2409)
  • #2451 fix: auto-mark incoming messages as read when viewing channel/DM (#2316)
  • #2434 fix: packet monitor renders on mobile devices

Features

  • #2433 feat: detect channel moves on startup, migrate messages and permissions
  • #2439 feat: migrate automation channel references on channel move (#2425)
  • #2448 feat: add extraEnv support to Helm chart for arbitrary environment variables

Security

  • #2446 fix: upgrade ARMv7 base image to node:22.22.1-bookworm-slim (fixes critical zlib vulnerability)
  • #2447 security upgrade node to 22.22.2-bookworm-slim

Testing

  • 3110 unit tests pass
  • 11/11 system tests pass (config import, security, reverse proxy, OIDC, backup/restore, DB migration, API exercise across SQLite/Postgres/MySQL)
  • 3/3 backend soak tests pass (300s each, no errors)

🚀 MeshMonitor v3.10.2

📦 Installation

Docker (recommended):

docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/Yeraze/meshmonitor:3.10.2

🧪 Testing

✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7

📋 Changes

See commit history for detailed changes.

Security Fixes

  • CVE‑2024‑XXXXX — critical zlib vulnerability fixed by upgrading ARMv7 base image from node:22.22.1-bookworm-slim (fix #2446) and then to node:22.22.2-bookworm-slim (security upgrade #2447)
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Yeraze/meshmonitor

Get notified when new releases ship.

Sign up free

About Yeraze/meshmonitor

All releases →

Related context

Earlier breaking changes

  • v4.7.2 Route `destination` field now rejects non‑8‑hex nodeId or 64‑hex publicKey, returning HTTP 400.

Beta — feedback welcome: [email protected]