Release history

PatchMon releases

Linux Patch Monitoring Automation Platform

v2.0.2 Breaking risk
Breaking changes
  • TRUST_PROXY defaults to true; set to false if running directly without a reverse proxy
Notable features
  • Fixed Postgres deadlocks in agent report ingestion; SQL optimized from 2N+1 to 2 queries per host
  • TRUST_PROXY now defaults to true, fixing OIDC and client IP detection behind reverse proxies
  • AGENT_UPDATE_BODY_LIMIT increased from 2MB to 5MB for hosts with many packages
Full changelog

PatchMon V2.0.2 Release Notes

A focused fix release on top of 2.0.1.

Fixes

  • Database deadlocks under concurrent agent reports: fixed Postgres deadlocks that dropped agent reports on installations with many hosts. Reports are now ingested in deterministic order with bulk SQL, plus automatic retry. Per-host SQL round-trips collapsed from 2N+1 to 2.
  • Patching schedule timezone: configured timezone is now honoured when scheduling patching jobs.
  • Agent reports failing with "Invalid request body": default AGENT_UPDATE_BODY_LIMIT raised from 2mb to 5mb so hosts with many packages no longer fail to update.
  • OIDC and other features broken behind a reverse proxy: TRUST_PROXY now defaults to true. Most users run PatchMon behind a reverse proxy (Traefik, Caddy, nginx, NPM); the previous false default caused OIDC logins to fail and real client IPs to be lost. If you run PatchMon directly on a public IP without a reverse proxy, set TRUST_PROXY=false explicitly.
  • Docker healthcheck failing on non-default ports: the container healthcheck now honours the PORT environment variable instead of hardcoding 3000.

Startup health check

If you run more than 50 active hosts, PatchMon now logs a warning at startup if DB_CONNECTION_LIMIT (default 30) looks too small, with a recommended value calculated from your host count.

Upgrade

No special steps. From your docker-compose.yml directory:

docker compose pull
docker compose up -d

Migrations run on startup.

v2.0.1 Bug fix
Notable features
  • Email opt-in for security and instance notifications
Full changelog

A small follow-up release on top of 2.0.0 covering documentation, packaging, and a couple of important fixes.

Documentation

  • Documentation now lives at https://patchmon.net/docs. The source of truth is this GitHub repository: the public site builds from PatchMon/docs/*.md at deploy time, so corrections and contributions flow through the normal pull-request process.

Fixes

  • Docker image format on older clients: fixed an image format issue that prevented Docker and Podman versions from pulling ghcr.io/patchmon/patchmon-server:2.0.0. Image layers are now published with gzip compression instead of zstd, so clients without zstd support (Podman versions before 5.7, and Docker installations without the containerd image store) can pull cleanly. See issue #679.
  • Database migration failure at migration 30: fixed an upgrade path that could fail at migration 000030 on some installations. The migration is now safe to re-run on a partially-upgraded database, so retries succeed without manual intervention.
  • SMTP / TLS: the Use TLS option for email destinations is now respected end-to-end. Notification and scheduled-report delivery no longer upgrade the connection with STARTTLS when the server advertises it if you have turned TLS off in the UI.
  • Email opt-in for security and instance notifications is now available.

Upgrade

No special steps. Pull the new image and restart your stack:

docker compose pull patchmon-server
docker compose up -d patchmon-server

Migrations run on startup as usual.

v2.0.0 Breaking risk
Breaking changes
  • Backend rewritten in Go from Node.js/Next.js
  • Docker is the officially supported deployment method; bare-metal installs discontinued
  • Bull Board removed
Notable features
  • Linux patching with policies and approval workflows
  • Windows agent (beta) and FreeBSD support
  • Advanced monitoring and alerting
Full changelog

Architectural changes

Go

  • Backend rewritten from the ground up in Go, replacing Node.js and Next.js. The stack is more scalable, uses less RAM, and is significantly more performant.
  • sqlc is used for type-safe SQL against PostgreSQL (compile-time checked queries instead of ad-hoc ORM access patterns).
  • golang-migrate is used for database migrations (replacing Prisma ORM).
  • Structured logging with the standard library log/slog for cleaner, machine-parseable logs in production.

Background jobs and automation

  • Background work is handled by asynq on Redis instead of BullMQ. PatchMon no longer ships the embedded Bull Board stack; queue visibility and triggers live in the existing Automation UI, which reduces attack surface, image size, and operational complexity.

Docker

  • Docker is the officially supported deployment method going forward; bare-metal installs are discontinued. A migration document describes the upgrade path.
  • Hardened base images are used. They ship with near-zero CVEs and a smaller footprint.
  • No separate frontend container: static React build artifacts are embedded in the Go binary. The container runs that binary (by default on port 3000) with chi: /api/* is handled by the server, so nginx inside PatchMon is no longer required. You still use nginx or another reverse proxy in front for TLS termination and public access as usual.
  • A Guacamole (guacd) sidecar is included for Windows RDP. It is separate for now; RDP/VNC for Windows is an area we intend to improve.

API documentation

  • OpenAPI 3 spec is served at /api/v1/openapi.json, with Swagger UI under /api/v1/api-docs (authenticated) for exploring integration endpoints.

New features

  • Linux patching: Deploy updates per host or in bulk, on demand or on a schedule. Policies support host/group assignments and exclusions; runs support approval, stop, retry validation, and live log streaming over WebSocket.
  • Microsoft Windows agent (beta) and FreeBSD agent support.
  • Windows Updates (beta Windows agent): server APIs for update results, reboot state, superseded cleanup, and approved-guid sync, aligned with the new Windows agent.
  • Advanced monitoring & alerting: richer alert lifecycle (including assignment and bulk actions), optional advanced alert configuration for tuning and cleanup where your edition includes it.
  • Notifications: first-class destinations (SMTP, webhooks, ntfy), routes, delivery log, and scheduled reports so operational signals leave PatchMon reliably.
  • Environment variables in the GUI: many settings that were previously only in process environment can be viewed and edited from the Settings UI (per-key updates, with sensible validation), so you change less by hand in compose or shell env for day-to-day tuning.
  • OIDC / SSO: configure OpenID Connect from the same Settings area, including import from environment when you are migrating from a file-based or container env setup.

Other improvements

  • Compliance / OpenSCAP: SSG and CIS benchmarking content is bundled in the server binary at build time. Agents no longer pull scanning content from GitHub; everyone shares one versioned source of truth and less outbound traffic from agents.
  • SSO: improved sign-in flows and Entra ID integration compared to 1.4.x OIDC edge cases (e.g. redirect loops with auto SSO).
  • Dashboard: additional cards and data surfaces; dashboard layout preferences carry forward in the new UI.
  • Host integration config: apply pending config from the server so integration changes are applied to agents in a controlled, observable way.
  • Settings reliability: server URL and related configuration are reimplemented on the Go stack with database-backed resolution, addressing classes of “settings did not persist” issues from the Node era.
  • Reverse proxy awareness: continued correct use of forwarded headers for HTTPS/WSS behind proxies (without the Bull Board-specific HTTP quirks from 1.4.x).
  • Optional admin pprof: when enabled, CPU/memory profiling endpoints are available to administrators for performance investigation.

Known issues

  • Remote Desktop (RDP): there is a known bug with the RDP connection flow in this release. A fix is planned for the next release.

Migrations

This covers migration for Docker, Proxmox community scripts, and legacy setup.sh installs:

Migrating from 1.4.2 to 2.0.0

v1.4.2 Breaking risk
Security fixes
  • Log injection prevention in compliance and agent logs
  • NPM vulnerability dependency patches
Notable features
  • Editable dashboard with widget re-arrangement and custom layouts
  • Automatic cleanup and cancellation for long-running compliance scans
  • Discord OAuth2 authentication support and Checkmk host export
Full changelog

🎉 PatchMon 1.4.2

📈 Dashboard and UI

  • Editable dashboard: Dashboard widgets can be edited and re-arranged; a default layout is provided and editing is the default experience.
  • Bull Board missing over HTTP: The queue monitoring UI (Bull Board) did not appear when the app was served over HTTP (e.g. dev or internal HTTP). It now shows correctly for both HTTP and HTTPS.
  • Ultrawide (21:9) layouts: Dashboard layout is adjusted for 21:9 and similar ultrawide screens so content uses space better.

📊 Compliance

  • “Transaction already closed” errors: Compliance operations could fail with “Transaction already closed: A query cannot be executed on an expired transaction”. The underlying transaction/upsert handling is fixed so these errors no longer occur under normal use.
  • Stuck compliance scans: Scans that ran for 3+ hours could leave jobs in a “running” state. Automatic cleanup now stops and cleans up these long-running scans.
  • Cancel running scans: You can cancel a compliance scan that is in progress instead of waiting for it to finish or timeout.
  • Compliance dashboard and tables: Compliance dashboard rework: new dashboard card, clearer tables for scan results, and scanner status stored per agent/host. Table display and behaviour are improved.
  • Debian compliance scans: Fixes for Debian-related compliance scans so they run and report correctly.
  • Per-host scanner toggles: OpenSCAP and Docker Bench can be enabled/disabled per host. OpenSCAP defaults to on when compliance is on; Docker Bench defaults to off. Existing data is preserved via migration.
  • Log safety in compliance routes: Host IDs are sanitised before being written to logs so user-controlled input cannot inject fake log lines (e.g. via newlines).

🔐 HTTPS and reverse proxy

  • WebSocket shown as insecure (ws) when using HTTPS: When PatchMon was behind a reverse proxy (e.g. nginx, Traefik) with HTTPS, the UI could still show the agent connection as insecure (ws instead of wss). This is fixed by correctly using X-Forwarded-Proto (including https and wss) and the header name used by some proxies (http_x_forwarded_proto), so the secure state matches how users actually connect.
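The forwarded-header handling described in this item, together with the TRUST_PROXY gating from the 2.0.2 notes above, as an added Go example written against net/http (not PatchMon's own code): forwarded values are believed only when trustProxy is true, the last X-Forwarded-For entry is taken as the client, and https or wss under either header spelling counts as secure. ForwardedInfo and ResolveForwarded are hypothetical names; the addresses and header values are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

type ForwardedInfo struct {
	ClientIP string // used for audit logs, rate limits and OIDC callbacks
	Secure   bool   // original hop was https/wss (the server itself is plain HTTP)
}

// ResolveForwarded honours X-Forwarded-* headers only when trustProxy is set
// (PatchMon's TRUST_PROXY). With no proxy in front, a direct caller controls
// these headers, so trusting them would let it spoof its IP and TLS state.
func ResolveForwarded(remoteAddr string, hdr http.Header, trustProxy bool) ForwardedInfo {
	host, _, err := net.SplitHostPort(remoteAddr) // drop the port
	if err != nil {
		host = remoteAddr
	}
	info := ForwardedInfo{ClientIP: host}
	if !trustProxy {
		return info
	}
	// X-Forwarded-For is a chain; the last entry is the one our proxy appended.
	if xff := hdr.Get("X-Forwarded-For"); xff != "" {
		parts := strings.Split(xff, ",")
		if ip := strings.TrimSpace(parts[len(parts)-1]); net.ParseIP(ip) != nil {
			info.ClientIP = ip
		}
	}
	// Accept the header name some proxies use (http_x_forwarded_proto) and
	// treat both https and wss as secure, as the 1.4.2 fix describes.
	proto := hdr.Get("X-Forwarded-Proto")
	if proto == "" {
		proto = hdr.Get("http_x_forwarded_proto")
	}
	if p := strings.ToLower(strings.TrimSpace(proto)); p == "https" || p == "wss" {
		info.Secure = true
	}
	return info
}

func main() {
	// Constructed direct caller forging headers: ignored with TRUST_PROXY=false.
	h := http.Header{"X-Forwarded-For": {"10.0.0.1"}, "X-Forwarded-Proto": {"https"}}
	fmt.Printf("%+v %+v\n", ResolveForwarded("203.0.113.9:5000", h, false), ResolveForwarded("203.0.113.9:5000", h, true))
}
```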

🔑 OIDC and authentication

  • OIDC login/logout loop: With “auto redirect to OIDC” enabled, some users hit a redirect loop between login and logout. That flow is fixed so OIDC-only setups work as intended.
  • Auto-redirect to OIDC: When OIDC_ENABLED=true and OIDC_DISABLE_LOCAL_AUTH=true, the app now automatically redirects to the OIDC provider instead of showing the local login page.

⚙️ Settings and URL config

  • Settings and URL not saving: Server URL and related settings (protocol, host, port) could fail to save or be lost after restart. The backend now uses the database as the source of truth for the server URL after initial creation, so URL and environment-related settings persist correctly and are retrieved when loading the settings page.

🖥️ Agent and hosts

  • Agent download from GitHub: Fixes for downloading agents from GitHub so installs/updates complete reliably.
  • NanoPi / no disks: On devices like NanoPi with no disks (or when no disks are detected), the UI could show “null” or errors. Disk handling and display are fixed for “no disks” cases, and related lint issues are addressed.
  • Docker entrypoint agent update: The non-fatal warning during agent update in the Docker entrypoint was removed to reduce noisy logs.
  • Agent log sanitisation: OpenSCAP agent logs sanitise output so user-controlled or command output cannot inject newlines into log streams.
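The sanitisation described here and for host IDs in the compliance routes above, as an added Go example that is not PatchMon's code: a caller-supplied value is escaped before it is embedded in a log line so it cannot carry a forged second line or a terminal escape sequence. SanitizeForLog and ComplianceLogLine are hypothetical names; the hostile host ID is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// SanitizeForLog neutralises a user-controlled value before it is embedded
// in a log line. CR/LF are the classic vector: a host ID such as
// "abc\n[INFO] scan ok" would otherwise appear as two lines, the second one
// forged. Other control characters (terminal escape sequences, NUL) are
// escaped as well, and long values are cut so one request cannot flood logs.
func SanitizeForLog(s string) string {
	const maxRunes = 128
	var b strings.Builder
	n := 0
	for _, r := range s {
		if n == maxRunes {
			b.WriteString("...(truncated)")
			break
		}
		n++
		switch {
		case r == '\n':
			b.WriteString(`\n`)
		case r == '\r':
			b.WriteString(`\r`)
		case unicode.IsControl(r):
			fmt.Fprintf(&b, `\x%02x`, r)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// ComplianceLogLine mimics a compliance-route entry that embeds the
// caller-supplied host ID; after sanitising it is guaranteed to stay one line.
func ComplianceLogLine(hostID string) string {
	return fmt.Sprintf("[compliance] scan requested for host %s", SanitizeForLog(hostID))
}

func main() {
	// Constructed hostile host ID carrying a forged second line.
	hostile := "host-42\n[compliance] scan completed for host host-42 status=pass"
	fmt.Println(ComplianceLogLine(hostile))
}
```

Go's log/slog handlers already quote or escape control characters in attribute values, but sanitising at the input boundary keeps the guarantee independent of which logger or output format is configured.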

🔗 Integrations

  • Checkmk: You can export hosts from the Integrations page for use with Checkmk.
  • Discord OAuth2: Discord login and account linking are supported. The Discord OAuth callback was also updated for CodeQL and security (e.g. no raw OAuth parameters in logs, proper validation).

🔒 Security and dependencies

  • NPM vulnerabilities: Dependency bumps and fixes to address known NPM vulnerabilities.
  • License: License is clearly stated as AGPL v3 in the repo.
  • Code quality and secrets: Code scanning and CodeQL are enabled.

📦 Other

  • Fonts: Fonts are self-hosted where applicable, for faster loading and fewer external requests and DNS lookups.
  • Biome: Linting/tooling uses a pinned Biome version for consistent formatting and checks.

Thank you

I appreciate the whole community for helping with PRs and help testing areas of PatchMon <3

v1.4.1 Maintenance
Notable features
  • FreeBSD agent support
  • OIDC authentication improvements
  • Host table view state persistence
v1.4.0 Breaking risk
Breaking changes
  • OIDC SSO can be enforced to disable local authentication
Security fixes
  • Docker Bench for Security scanning
Notable features
  • OpenSCAP CIS Benchmark scanning (Level 1/2)
  • OIDC SSO with group-based role mapping
  • Real-time host down alerting