This release includes 1 breaking change for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
ReleasePort's take
Moderate signal: The API route `destination` field now strictly validates inputs, rejecting malformed node IDs or public keys and returning HTTP 400. This change tightens validation but may break existing integrations that send invalid data.
Why it matters: All clients sending destinations must provide either an 8‑hex nodeId or a 64‑hex publicKey; non‑conforming payloads will fail with HTTP 400, affecting request handling and error flows.
Summary
AI summary: Updates Bug Fixes, Issues Resolved, and Upgrade notes across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Breaking | High | Route `destination` field now rejects inputs that are neither an 8-hex nodeId nor a 64-hex publicKey, returning HTTP 400. | — |
| Feature | Medium | Add "Import from URL" flow to paste Meshtastic channel URLs and save channels as virtual decryption-key rows. | — |
| Feature | Medium | Add MQTT bridge direction-mode dropdown: `publish_only`, `subscribe_only`, `bidirectional` (default). | — |
| Dependency | Low | Bump `pg` from 8.20.0 to 8.21.0. | — |
| Dependency | Low | Bump `helmet` from 8.1.0 to 8.2.0. | — |
| Dependency | Low | Bump `protobufjs` from 8.3.0 to 8.4.2. | — |
| Bugfix | Medium | Drop legacy `psk_length IN (16, 32)` CHECK constraint on Channel Database table. | — |
| Bugfix | Medium | Sort messages by server-side `receivedAt` instead of radio's `timestamp`, stabilizing channel/DM order for nodes with bad RTCs. | — |
| Bugfix | Medium | Fix overflow crash when 64-char public key pasted as destination exceeds PostgreSQL `bigint` column. | — |

Source for every row: llm_adapter@2026-05-25. Confidence: high.
Full changelog
MeshMonitor v4.7.2
A maintenance release focused on Channel Database robustness, message-ordering correctness, and request-input validation. The MQTT default-channel bootstrap no longer crashes on pre-v3.7 SQLite installs that still carry the legacy `CHECK (psk_length IN (16, 32))` constraint, and a long-requested Import from URL flow lets admins paste a Meshtastic channel URL and save its channels as virtual decryption-key rows in one step. Messages from nodes with bad RTCs (year 1970 or 2065) now sort by server-side receipt time instead of the radio's claimed timestamp, so channel and DM lists stay in the order MeshMonitor actually saw the traffic. A long-standing crash where a 64-char public key pasted as a destination overflowed the PG `bigint` column is fixed: routes now treat 64-hex inputs as a `publicKey` lookup, malformed inputs return HTTP 400, and the underlying repository guard catches the entire class of bug regardless of the entry point. A new MQTT bridge direction mode ("publish only" / "subscribe only" / "bidirectional") silences the permission-denied spam on public servers like mqtt.meshtastic.org.
Features
- #3191 Import channels from a Meshtastic URL — paste `https://meshtastic.org/e/#…`, MeshMonitor decodes the embedded `ChannelSet` and lets you select which channels to save as virtual rows (with editable names and PSK preview).
- #3189 MQTT bridge direction-mode dropdown — `publish_only` for public servers that reject SUBSCRIBE, `subscribe_only` for read-only monitoring, `bidirectional` (default) preserves existing behavior.
Bug Fixes
- #3185 Channel Database — drop legacy `psk_length IN (16, 32)` CHECK constraint that blocked the MQTT default-channel bootstrap on databases created before the v3.7 baseline. Adds migration 071 that detects and rebuilds the table on affected SQLite installs (no-op for fresh / PG / MySQL). Fixes #3184.
- #3188 Nodes — reject out-of-range `nodeNum` and resolve `publicKey` destinations. Six routes (DM / traceroute / position / NodeInfo / NeighborInfo / telemetry) now route 8-hex strings to `parseInt`, 64-hex strings to a publicKey lookup, and everything else to HTTP 400. Defense-in-depth guard in `NodesRepository.getNode`/`getNodesByNums` catches the bug at the DB boundary too. Fixes #3186.
- #3190 Messages — sort by server-side ingest time (`receivedAt`), not the radio's reported `timestamp`. Channel + DM lists and per-node "last message" aggregations are now stable under bad-clock senders. Display is unchanged — the bubble still shows the radio's claimed time so misconfigured nodes remain visible. Fixes #3187.
Dependencies
- #3180 Bump `pg` from 8.20.0 to 8.21.0.
- #3179 Bump `helmet` from 8.1.0 to 8.2.0.
- #3181 Bump `protobufjs` from 8.3.0 to 8.4.2.
- #3182 Bump production-dependencies group across 1 directory with 9 updates.
- #3176 Bump development-dependencies group with 3 updates.
Issues Resolved
- #3184 MQTT channel_database bootstrap fails with CHECK constraint when primary channel uses AQ==
- #3186 nodeNum overflow causes DrizzleQueryError: invalid input syntax for type bigint
- #3187 Nodes with bad time stay at the bottom of channels tab
Upgrade notes
- Pre-v3.7 SQLite installs will pick up migration 071 on first boot. It rebuilds the `channel_database` table to drop the legacy CHECK constraint. Rows + ids + the `idx_channel_database_enabled` index are preserved. Fresh installs and PG/MySQL installs are a no-op.
- API behavior change: routes that take a `destination` field (DM / traceroute / position / NodeInfo / NeighborInfo / telemetry requests) now return HTTP 400 for inputs that aren't an 8-hex nodeId or a 64-hex publicKey. Clients passing already-parsed numeric `destination` values are unaffected.
- No schema changes for messages — `receivedAt` is computed from the existing `messages.createdAt` column, exposed as a new field on the wire.
Full changelog: https://github.com/Yeraze/meshmonitor/compare/v4.7.1...v4.7.2
🚀 MeshMonitor v4.7.2
📦 Installation
Docker (recommended):
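```bash
# Host port 8080 maps to container port 3001; data persists in the named volume.
# Docker requires lowercase repository names, so the image path is written in lowercase.
docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/yeraze/meshmonitor:4.7.2
```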
🧪 Testing
✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7
📋 Changes
See commit history for detailed changes.
Breaking Changes
- API routes now return HTTP 400 for invalid `destination` values (non‑8‑hex nodeId and non‑64‑hex publicKey).