Release history
FaynoSync releases
Self-hosted Dynamic Update Server with statistics, supporting multiple updaters. Flexible features for seamless app updates and insights.
All releases
15 shown
v1.5.12
Breaking risk
Breaking changes
- MongoDB migrations decoupled from API startup; must run `./faynoSync migrate up`/`down` explicitly.
Notable features
- Added GET /tuf/v1/metadata/targets and GET /tuf/v1/metadata/delegated endpoints
- Added tuf TypeScript example
Full changelog
Improvements
- Decoupled MongoDB migrations from API startup: the server now starts with
./faynoSynconly, and migrations run explicitly via./faynoSync migrate upor./faynoSync migrate down.
Features
- Added
GET /tuf/v1/metadata/targetsandGET /tuf/v1/metadata/delegatedendpoints to retrieve TUF metadata for targets and delegated roles. - Added tuf typescript example.
Fixes
- Fixed telemetry period aggregation for
range=weekandrange=monthto deduplicate repeatedclient_idvalues across days instead of summing daily set sizes. - Updated telemetry integration coverage to validate that
unique_clients,clients_using_latest_version, andclients_outdatedremain deduplicated at period level.
v1.5.11
New feature
Notable features
- Added `POST /tuf/v1/bootstrap/recovery` endpoint to rebuild Redis settings from persisted TUF metadata
- Asynchronous `bootstrap_recovery` task flow with lock protection, prechecks, timeout support, and status reporting
Full changelog
Features
- Added
POST /tuf/v1/bootstrap/recoveryto rebuild bootstrap Redis settings from persisted TUF metadata for already initialized repositories. - Added asynchronous
bootstrap_recoverytask flow with lock protection, recovery prechecks, timeout support, and task status reporting.
Security & Access Control
- Added RBAC edit permission checks for TUF task status, artifact publish, and artifact delete endpoints.
- Added owner resolution middleware for team users so TUF artifact operations run under resolved owner context.
Reliability
- Unified bootstrap settings persistence and recovery via a shared Redis save path, including delegated role expirations and
ROOT_SIGNINGinitialization.
API Tooling
- Updated Postman collection with bootstrap recovery API request examples.
v1.5.10
Breaking risk
Breaking changes
- Removed legacy bootstrap generation API surface: /tuf/v1/bootstrap/generate and /tuf/v1/bootstrap/locks
- Deleted obsolete generate handlers/tests associated with the above endpoints
Notable features
- Extended TUF online signing to support multiple key types (Ed25519, ECDSA, RSA-PSS) loaded from filesystem private keys
- Added signer/verifier construction by key type with explicit keyid‑to‑key‑material validation to prevent mismatched key usage
Full changelog
Dependencies
- Upgraded
go.opentelemetry.io/otel,go.opentelemetry.io/otel/metric,go.opentelemetry.io/otel/sdk,go.opentelemetry.io/otel/sdk/metric, andgo.opentelemetry.io/otel/tracetov1.43.0.
Security & Signing Improvements
- Extended TUF online signing to support multiple key types (Ed25519, ECDSA, and RSA-PSS) loaded from filesystem private keys.
- Added signer/verifier construction by key type with explicit keyid-to-key-material validation to prevent mismatched key usage.
Maintenance
- Removed legacy bootstrap generation API surface (
/tuf/v1/bootstrap/generateand/tuf/v1/bootstrap/locks) and deleted obsolete generate handlers/tests.
v1.5.9
Maintenance
Minor fixes and improvements.
Full changelog
Dependencies
- Upgraded
github.com/aws/aws-sdk-go-v2/service/s3tov1.97.3. - Upgraded
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstreamtov1.7.8.
v1.5.8
Maintenance
Minor fixes and improvements.
Changelog
Dependencies
- Upgraded
github.com/go-jose/go-jose/v4tov4.1.4.
v1.5.7
Maintenance
Minor fixes and improvements.
Changelog
Dependencies
- Upgraded Go to v1.26.1.
- Upgraded
google.golang.org/grpcto v1.79.3.
v1.5.6
Maintenance
Migrated from MinIO to Garage for default local S3 storage.
Changelog
Maintenance
- Migrated from MinIO to Garage for default local S3 storage.
v1.5.5
New feature
Notable features
- Slack notifications reuse a single mutable message per app version across create, update, and delete flows, with Redis‑backed state, configurable TTL, and cleanup on version deletion
Full changelog
Features
- Slack notifications now reuse a single mutable message per app version across artifact create, update, and delete flows, with Redis-backed state, configurable TTL, and cleanup when a version is deleted.
v1.5.4
Breaking risk
Breaking changes
- Token create endpoint now returns a different HTTP status code
Full changelog
Dependencies
- Upgraded
go.opentelemetry.io/otel/sdkto v1.40.0.
Improvements
- Token create endpoint: changed response status code for token creation.
v1.5.3
New feature
Notable features
- API Tokens: secure and scoped access to the API
Full changelog
Features
- API Tokens: Added API tokens for secure and scoped access to the API.
Testing
- API Tokens integration tests: Added integration tests for creating, listing, and deleting API tokens.
v1.5.2
New feature
Notable features
- Added multi-signer support for secure cryptographic operations across roles
- Introduced per-role key threshold configuration for enhanced key management
- Enhanced bootstrap process with conflict detection and persistent metadata validation
Full changelog
-
New Features
- Added multi-signer support for secure cryptographic operations across roles
- Introduced per-role key threshold configuration for enhanced key management
- Enhanced bootstrap process with conflict detection and persistent metadata validation
-
Improvements
- More detailed error messages including per-key failure information
- Better root metadata versioning with intelligent fallback logic
- Added context-aware cancellation support and improved compatibility with large datasets
v1.5.1
Security relevant
⚠ Upgrade required
- Upgraded github.com/theupdateframework/go-tuf/v2 to version v2.4.1
Security fixes
- go-tuf client DoS via malformed server response (unspecified CVE)
- go-tuf improper validation of delegation threshold (unspecified CVE)
- sigstore legacy TUF client allows arbitrary file writes with target cache path traversal (unspecified CVE)
Notable features
- Added `POST /tuf/v1/metadata/online` endpoint for force updating online metadata roles
- Added `POST /tuf/v1/metadata/sign/delete` endpoint for deleting pending metadata signatures
Full changelog
Bug Fixes
- Fixed incorrect key usage in metadata signing: Each TUF role (snapshot, targets, delegated roles) now uses its own dedicated key for signing instead of incorrectly using the timestamp key. This ensures proper TUF specification compliance.
Features
-
Online metadata update endpoint: Added
POST /tuf/v1/metadata/onlineendpoint for force updating online metadata roles (snapshot, timestamp, targets, delegated roles) without requiring offline signing workflow. -
Metadata sign deletion endpoint: Added
POST /tuf/v1/metadata/sign/deleteendpoint for deleting pending metadata signatures from Redis.
Improvements
- Delegated roles expiration: Each delegated role now uses its own expiration configuration from Redis instead of a shared BINS_EXPIRATION setting.
Testing
- TUF unit test coverage: Added unit tests for TUF metadata, metadata root, config, storage, signing, tasks, settings, delegations, artifacts, generate, bootstrap, delete, converter and utils. Storage mock is now global for tests.
Security Fixes
- Fix: go-tuf affected by client DoS via malformed server response
- Fix: go-tuf improperly validates the configured threshold for delegations
- Fix: sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal
- Fix: go-tuf Path Traversal in TAP 4 Multirepo Client Allows Arbitrary File Write via Malicious Repository Names
- Upgraded github.com/theupdateframework/go-tuf/v2 to version v2.4.1