This release includes 1 security fix for security teams reviewing exposed deployments.
Topics
Affected surfaces
ReleasePort's take
Light signalVersion v4.3.1 introduces a scheduled rebroadcast feature for waypoints with a global airtime floor and hardens OTA firmware updates with timeouts and retry logic.
Why it matters: Patch to v4.3.1 immediately to enable the new scheduled rebroadcast capability and benefit from hardened OTA update reliability.
Summary
AI summaryFixed OTA update hardening and added a scheduled rebroadcast feature with global airtime floor.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium |
Scheduled rebroadcast for waypoints with global airtime floor Scheduled rebroadcast for waypoints with global airtime floor Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Dashboard Add Widget menu includes More entry with help Dashboard Add Widget menu includes More entry with help Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Dependency | Low |
Upgrade protobufjs from 8.0.3 to 8.2.0 Upgrade protobufjs from 8.0.3 to 8.2.0 Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
| Dependency | Low |
Upgrade archiver from 7.0.1 to 8.0.0 Upgrade archiver from 7.0.1 to 8.0.0 Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
| Dependency | Low |
Upgrade react-router-dom from 7.14.2 to 7.15.0 Upgrade react-router-dom from 7.14.2 to 7.15.0 Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
| Dependency | Low |
Upgrade i18next-http-backend from 3.0.6 to 4.0.0 Upgrade i18next-http-backend from 3.0.6 to 4.0.0 Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
| Dependency | Low |
Upgrade vite-plugin-pwa from 1.2.0 to 1.3.0 Upgrade vite-plugin-pwa from 1.2.0 to 1.3.0 Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
| Dependency | Low |
Upgrade puppeteer from 24.42.0 to 24.43.0 Upgrade puppeteer from 24.42.0 to 24.43.0 Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
| Dependency | Low |
Upgrade @eslint/compat from 2.0.5 to 2.1.0 Upgrade @eslint/compat from 2.0.5 to 2.1.0 Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
| Dependency | Low |
Update production dependencies group with seven updates Update production dependencies group with seven updates Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
| Bugfix | Medium |
Zero-hop telemetry not recorded when hop_start unset Zero-hop telemetry not recorded when hop_start unset Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
PSK exposed to authorized writers enabling config UI access PSK exposed to authorized writers enabling config UI access Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Firmware OTA updates hardened with timeouts and retry logic Firmware OTA updates hardened with timeouts and retry logic Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Expose PSK to authorized writers so the config UI functions Expose PSK to authorized writers so the config UI functions Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
| Bugfix | Medium |
Harden firmware OTA updates with timeouts, cancel guard, async orchestration, retry widening, and half-flash detection Harden firmware OTA updates with timeouts, cancel guard, async orchestration, retry widening, and half-flash detection Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
Full changelog
Patch release rolling up fixes and small features landed since 4.3.0.
Features
- #2974 feat(waypoints): scheduled rebroadcast with global airtime floor
- #2960 feat(dashboard): "More..." entry in Add Widget menu with telemetry help
Fixes
- fix(firmware): harden OTA update — timeouts, cancel guard, async orchestration, retry widening, half-flash detection (073oa8b2)
- #2956 fix: don't record 0-hop telemetry when hop_start is unset
- #2953 fix(channels): expose PSK to authorized writers so config UI works
Dependencies
- protobufjs 8.0.3 → 8.2.0 (#2968)
- archiver 7.0.1 → 8.0.0 (#2964)
- react-router-dom 7.14.2 → 7.15.0 (#2967)
- i18next-http-backend 3.0.6 → 4.0.0 (#2970)
- vite-plugin-pwa 1.2.0 → 1.3.0 (#2969)
- puppeteer 24.42.0 → 24.43.0 (#2965)
- @eslint/compat 2.0.5 → 2.1.0 (#2966)
- production-dependencies group, 7 updates (#2963)
- @types/node (#2961)
Full Changelog: https://github.com/Yeraze/meshmonitor/compare/v4.3.0...v4.3.1
🚀 MeshMonitor v4.3.1
📦 Installation
Docker (recommended):
docker run -d \
--name meshmonitor \
-p 8080:3001 \
-v meshmonitor-data:/data \
ghcr.io/Yeraze/meshmonitor:4.3.1
🧪 Testing
✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7
📋 Changes
See commit history for detailed changes.
Security Fixes
- OTA update hardening: added timeouts, cancel guard, async orchestration, retry widening, and half-flash detection
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About Yeraze/meshmonitor
All releases →Related context
Related tools
Earlier breaking changes
- v4.7.2 Route `destination` field now rejects non‑8‑hex nodeId or 64‑hex publicKey, returning HTTP 400.
Beta — feedback welcome: [email protected]