
Yeraze/meshmonitor

v4.2.2 Security

This release fixes four authorization issues (MM-SEC-5/6/7/8), including a high-severity disclosure of the local node's PKI private key to any logged-in user. Security teams reviewing exposed or multi-tenant deployments should read the key-rotation guidance below, not just the upgrade instructions.

Published 28 days ago · Category: Monitoring & Metrics

No CVE identifiers are referenced in this release; the fixes are tracked under the project's own MM-SEC advisory numbers.

Topics

meshcore meshtastic mqtt

Affected surfaces

auth rbac breaking_upgrade

Summary

AI summary

Patches four authorization issues including a high‑severity PKI private‑key disclosure and adds an admin‑configurable default landing page.

Full changelog

MeshMonitor v4.2.2

Security update plus multi-source bug fixes. This release fixes the four authorization issues in the MM-SEC-5/6/7/8 follow-on advisory (uncovered in a follow-up audit to the v4.2.1 disclosure), introduces an admin-configurable Default Landing Page, and fixes several multi-source routing bugs from the 4.0/4.2 line. The most severe finding (MM-SEC-5) leaked the local node's PKI private key to any logged-in user, and MM-SEC-6/7 exposed channel PSKs through endpoints missed by the v4.2.1 patches. All MeshMonitor 4.x deployments should upgrade. Because upgrading does not undo a disclosure that has already happened, operators of multi-tenant or untrusted-user installations should also rotate their local node's PKI key, any exposed channel PSKs, and any source credentials that non-admin users may have read.

Action Required

  • Rotate your local node's PKI private key if untrusted users had login access on 4.2.1 or earlier.
  • Rotate any channel PSKs that were exposed.
  • Rotate any source credentials (password / apiKey) that may have been read by non-admin users.
  • Full advisory: docs/security/SECURITY_ADVISORY.md

Security

  • MM-SEC-5/6/7/8 follow-on advisory — Four authorization fixes: a high-severity PKI private-key disclosure (MM-SEC-5), two endpoints that leaked channel PSKs and were missed by the MM-SEC-2 patch in v4.2.1 (MM-SEC-6/7), and a source credential leak (MM-SEC-8). (#2915)
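The bug class behind all four findings is the same: an endpoint checks that the caller is logged in but not what the caller is allowed to see, and then serializes a record that carries secrets. The example below is added here and is not MeshMonitor's own code; the record shape and the field names (privateKey, psk, password, apiKey) are assumptions for illustration. It shows the pre-fix handler shape next to a hardened one that allow-lists fields per role, plus a response scan that walks any outbound object and reports secret-bearing keys, which is the kind of check that catches the "endpoint the patch missed" case.

```typescript
// Added example, not MeshMonitor's own code. Record shape and secret field
// names (privateKey, psk, password, apiKey) are assumptions for illustration.

type Role = "admin" | "user";
interface User { name: string; role: Role; }

// What the server's store holds for the local node, secrets included.
interface LocalNodeRecord {
  nodeId: string;
  longName: string;
  publicKey: string;                 // shareable: peers need it to encrypt to us
  privateKey: string;                // must never reach a non-admin caller
  channels: { index: number; name: string; psk: string }[];
  source: { url: string; password?: string; apiKey?: string };
}

// Constructed sample data (placeholder strings, not real key material).
const SAMPLE_NODE: LocalNodeRecord = {
  nodeId: "!deadbeef",
  longName: "MeshMonitor local",
  publicKey: "PUBKEY_PLACEHOLDER",
  privateKey: "PRIVKEY_PLACEHOLDER",
  channels: [
    { index: 0, name: "LongFast", psk: "AQ==" },
    { index: 1, name: "private", psk: "PSK_PLACEHOLDER" },
  ],
  source: { url: "mqtt://broker.example", password: "SRC_PASSWORD_PLACEHOLDER" },
};

class HttpError extends Error {
  status: number;
  constructor(status: number, message: string) { super(message); this.status = status; }
}

// Pre-fix shape of the bug: authentication is checked, authorization is not.
// Every logged-in user receives the full record, private key and PSKs included.
function vulnerableNodeHandler(node: LocalNodeRecord, user: User | null): unknown {
  if (!user) throw new HttpError(401, "login required");
  return node;
}

// Hardened: allow-list what a non-admin may see. Deny-by-default means a field
// added to the record later does not leak until someone deliberately exposes it.
function redactForRole(node: LocalNodeRecord, user: User) {
  if (user.role === "admin") return node;
  return {
    nodeId: node.nodeId,
    longName: node.longName,
    publicKey: node.publicKey,
    channels: node.channels.map(({ index, name }) => ({ index, name })),
    source: { url: node.source.url },
  };
}

function hardenedNodeHandler(node: LocalNodeRecord, user: User | null): unknown {
  if (!user) throw new HttpError(401, "login required");
  return redactForRole(node, user);
}

// Defensive last line: walk the response and report every secret-bearing key,
// whatever path it sits under. Running this on outbound non-admin responses
// (or in tests over every route) catches endpoints a redaction pass missed.
const SECRET_KEYS = new Set(["privateKey", "psk", "password", "apiKey"]);

function findSecretPaths(value: unknown, path = "$"): string[] {
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findSecretPaths(v, `${path}[${i}]`));
  }
  if (value !== null && typeof value === "object") {
    return Object.entries(value as Record<string, unknown>).flatMap(([k, v]) => {
      const here = `${path}.${k}`;
      return SECRET_KEYS.has(k) ? [here] : findSecretPaths(v, here);
    });
  }
  return [];
}

// Run both handlers for one caller and list what each would leak.
function compareForUser(user: User): { vulnerable: string[]; hardened: string[] } {
  return {
    vulnerable: findSecretPaths(vulnerableNodeHandler(SAMPLE_NODE, user)),
    hardened: findSecretPaths(hardenedNodeHandler(SAMPLE_NODE, user)),
  };
}

const comparison = compareForUser({ name: "alice", role: "user" });
console.log("vulnerable handler leaks:", comparison.vulnerable);
console.log("hardened handler leaks:  ", comparison.hardened);
```

The allow-list is the fix; the scan is the regression guard. Pointing findSecretPaths at the JSON of every authenticated-but-non-admin route in a test suite is what turns "we patched the endpoints we knew about" into "no endpoint returns these keys to this role".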

Features

  • Admin-configurable Default Landing Page — Choose what users see at the root URL: the unified multi-source dashboard (default) or any single configured source. Lives under Settings → Appearance, admin-only. (#2921, closes #2917)

Bug Fixes

  • Multi-source: Exchange Node Info / Position / Neighbor Info — These actions now route through the source the user selected instead of always going through the default. (#2916, closes #2911)
  • Auto Traceroute checkbox — Now hydrates from the per-source value instead of a stale global, so the toggle reflects what's actually configured on each source. (#2918, closes #2914)
  • Node position override — Writes to the live source row instead of the legacy default row, so manual coordinate overrides actually render. (#2913, closes #2902)
  • Auto-upgrade sidecar — Clears the stale .upgrade-status file before triggering a new upgrade, preventing the watchdog from looping on stale state. (#2920)
  • Desktop x64 macOS DMG — Now ships with x86_64 native binaries instead of accidentally bundling the arm64 better_sqlite3.node. (#2912, closes #2901)
  • Desktop script storage — Honors DATA_DIR so desktop builds can persist user scripts in the configured data directory. (#2919)
  • /api/scan-remote-admin — Handles empty request bodies cleanly instead of 500-ing. (#2910)

Dependencies

  • lucide-react 1.11.0 → 1.14.0 (#2895)
  • npm audit fix cleared the serialize-javascript (high) and ip-address (moderate) advisory chains. The remaining 6 advisories are all dev-only esbuild via drizzle-kit / vitepress and have no production runtime exposure.

Issues Resolved

  • #2901 — [BUG] MeshMonitor-Desktop-4.2.0-x64.dmg bundles better_sqlite3.node as arm64 instead of x86_64
  • #2902 — [BUG] Node position override saved to non-rendered source row
  • #2911 — [BUG] 4.2.0 — Exchange Node Info / Position emitted from wrong node
  • #2914 — [BUG] Auto Traceroute
  • #2917 — [FEAT] Load Default Node

Full Changelog

https://github.com/Yeraze/meshmonitor/compare/v4.2.1...v4.2.2

🚀 MeshMonitor v4.2.2

📦 Installation

Docker (recommended):

# Image references must be lowercase: Docker rejects ghcr.io/Yeraze/... with
# "repository name must be lowercase". Host port 8080 maps to the app's 3001;
# the named volume keeps the database and config across container upgrades.
docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/yeraze/meshmonitor:4.2.2

🧪 Testing

✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7

📋 Changes

See commit history for detailed changes.

Security Fixes

  • MM-SEC-5 – Fixed high‑severity exposure of the local node's PKI private key to any logged‑in user
  • MM-SEC-6/7 – Fixed authorization bugs that leaked channel PSKs through endpoints missed by the v4.2.1 patches
  • MM-SEC-8 – Fixed a leak of source credentials (password / apiKey) to non‑admin users


Related context

Breaking changes in later releases

  • v4.7.2 Route `destination` field now rejects non‑8‑hex nodeId or 64‑hex publicKey, returning HTTP 400.