Ziit

v1.1.2 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 4d Developer Productivity

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

coding-statistics coding-stats web developer-tools productivity self-hosted

+4 more

time-management time-tracker time-tracking wakatime

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 3d

The release prevents path traversal vulnerabilities in the chunked import API by validating fileId.

Why it matters: Addresses a high-severity (severity 90) security flaw that could allow unauthorized file access via path traversal; immediate mitigation is required for deployments using this API.

Summary

AI summary

Updates https://github.com/0PandaDEV, bug: Bug Fixes, and recycle: Refactors across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Prevents path traversal in chunked import by validating fileId. Prevents path traversal in chunked import by validating fileId. Source: llm_adapter@2026-05-31 Confidence: high	—
Feature	Medium	Changes inactive user deletion to occur after 90 days. Changes inactive user deletion to occur after 90 days. Source: llm_adapter@2026-05-31 Confidence: high	—
Feature	Medium	Adds today's data to get_user_stats for all views. Adds today's data to get_user_stats for all views. Source: llm_adapter@2026-05-31 Confidence: high	—
Dependency	Medium	Replaces lucide-vue-next with @lucide/vue. Replaces lucide-vue-next with @lucide/vue. Source: llm_adapter@2026-05-31 Confidence: high	—
Bugfix
Bugfix	Medium	Fixes Docker image failure to migrate Prisma database. Fixes Docker image failure to migrate Prisma database. Source: llm_adapter@2026-05-31 Confidence: high	—
Bugfix	Medium	Corrects getTimezoneOffset to return positive values when appropriate. Corrects getTimezoneOffset to return positive values when appropriate. Source: llm_adapter@2026-05-31 Confidence: high	—
Bugfix	Medium	Accounts for midnight offset in user total time range calculations. Accounts for midnight offset in user total time range calculations. Source: llm_adapter@2026-05-31 Confidence: high	—
Bugfix	Medium	Ensures env variables are correctly read. Ensures env variables are correctly read. Source: llm_adapter@2026-05-31 Confidence: low	—
Bugfix	Low	Fixes leaderboard banner always reappearing and stats loading issues. Fixes leaderboard banner always reappearing and stats loading issues. Source: granite4.1:30b@2026-05-31-audit Confidence: low	—
Bugfix	Low	Ensures badge displays data when a project is specified. Ensures badge displays data when a project is specified. Source: granite4.1:30b@2026-05-31-audit Confidence: low	—

Full changelog

[v1.1.2] - 2026-05-30

:sparkles: New Features

81b2b4d - change inactive user deletation to 90 days by @0PandaDEV
4ce3af7 - change get_user_stats to also include today for all views by @0PandaDEV

:bug: Bug Fixes

7400832 - replace lucide-vue-next with @lucide/vue by @0PandaDEV
90766fe - env variable not getting read by @0PandaDEV
95867ad - validate fileId to prevent path traversal in chunked import by @obvTiger
51fb071 - docker image woulnt migrate prisma db by @0PandaDEV
a890303 - lowercase only for ci docker builds by @0PandaDEV
0a390b9 - leaderboard banner did always reapear and stats did not load properly by @0PandaDEV
a945c90 - getTimezoneOffset returns negative value when it should be positive by @0PandaDEV
9b79366 - badge not showing data when specifying a project by @0PandaDEV
ffc3ce6 - midnight offset was not accounted for in user total time range by @0PandaDEV
bbc20cd - leaderboard setup banner wouldnt hide upon interraction by @0PandaDEV

:recycle: Refactors

7fbcb7d - fix all type warnings from nuxt typecheck by @0PandaDEV
d67fc16 - move prisma output to generated by @0PandaDEV
5406cf3 - move prisma.ts to db.ts by @0PandaDEV
62d6bac - move stats.ts to uitls folder by @0PandaDEV
3e16b4b - update to new prisma db handeling and unify it all in one file by @0PandaDEV

:flying_saucer: Other Changes

4fa6cd8 - Merge commit from fork by @0PandaDEV
a8b3414 - Add clarification for account deletion issue by @0PandaDEV

Security Fixes

validate fileId to prevent path traversal in chunked import

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Ziit

Get notified when new releases ship.

About Ziit

The Swiss army knife of code time tracking.

All releases →