Yeraze/meshmonitor

v4.0.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1mo Monitoring & Metrics

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

meshcore meshtastic mqtt

Affected surfaces

breaking_upgrade deps

Summary

AI summary

Migration from 3.12 to 4.0 now preserves legacy telemetry and neighbor data.

Full changelog

MeshMonitor v4.0.1

Hotfix release for v4.0.0. Addresses critical migration and stability issues encountered during 3.12 → 4.0 upgrades, plus several multi-source bugs reported by early upgraders. The server now survives SIGTERM and DB-not-ready conditions during long migrations, preserves legacy telemetry and neighbor data when migrating from 3.12, and correctly maps existing 3.x data structures into the new multi-source schema. Multi-source operation is more forgiving: virtual node ports may now equal a source TCP port, and the auto-favorite warning is correctly scoped to the active source. Also includes Node base image security upgrades and a settings hydration fix.

Bug Fixes

Migrations: preserve legacy telemetry & neighbor data on 3.12 → 4.0 upgrade (#2827)
Migrations: support 4.0 multi-source data structures in migrate-db tool (#2829)
Server: survive SIGTERM and DB-not-ready during long migrations (#2825)
Auto-favorite: scope status fetch to active source (#2828, fixes #2826)
Sources: allow virtualNode.port to equal source TCP port (#2823, fixes #2823)
Settings: stop re-POSTing tracerouteIntervalMinutes on hydration (#2822)

Security

Node base image: 24.14.0 → 24.14.1 → 24.15.0 (Alpine 3.22) (#2820, #2821)

Issues Resolved

#2826 — Autofavorite displays warning even when node is client_base
#2823 — Virtual Node port cannot equal the source TCP port

Upgrade Notes

If you are upgrading from 3.12 directly to 4.0, this release is strongly recommended — it preserves legacy telemetry and neighbor data that earlier 4.0.0 builds could lose during the migration. Long migrations are now resilient to SIGTERM and database-not-ready races, so container restarts during the upgrade no longer corrupt state.

Full Changelog: https://github.com/Yeraze/meshmonitor/compare/v4.0.0...v4.0.1

🚀 MeshMonitor v4.0.1

📦 Installation

Docker (recommended):

docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/Yeraze/meshmonitor:4.0.1

🧪 Testing

✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7

📋 Changes

See commit history for detailed changes.

Security Fixes

Node base image upgraded through versions 24.14.0 → 24.14.1 → 24.15.0 (Alpine 3.22)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Yeraze/meshmonitor

Get notified when new releases ship.

About Yeraze/meshmonitor

All releases →

Related context

Related tools

Earlier breaking changes

v4.7.2 Route `destination` field now rejects non‑8‑hex nodeId or 64‑hex publicKey, returning HTTP 400.