Comparing changes
base repository: yurug/maplume
base: v1.6.0
head repository: yurug/maplume
compare: v1.6.1
  • 3 commits
  • 17 files changed
  • 2 contributors

Commits on Jan 31, 2026

  1. Add security hardening: rate limiting, size limits, and resource caps

    - Add global API rate limiting (200 req/min) via express-rate-limit
    - Add dedicated rate limiter for challenge endpoint (10/min)
    - Add configurable limits for all field sizes and resource counts
    - Reduce body size limit from 10MB to 6MB
    - Add size validation for encrypted blobs, share data, comments
    - Add per-user limits for shares, parties, friend requests
    - Add per-share limits for comments and reactions
    - Add field length limits for bio, message, title, targetId, emoji
    - Add database count functions for enforcing limits
    - Add challenge cleanup to prevent memory exhaustion
    - Sort entries chronologically in UI
    
    Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
    yurug and claude committed Jan 31, 2026
    Commit 5b21c9a
  2. Fix security audit findings

    - Require admin token for /api/stats endpoint (prevents user enumeration)
    - Validate shell.openExternal URLs (HTTPS only, domain whitelist)
    - Escape SQL LIKE pattern special characters (prevents pattern injection)
    - Add file path validation for IPC read/write (prevents path traversal)
    - Warn if using default JWT_SECRET in production
    
    Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
    yurug and claude committed Jan 31, 2026
    Commit 8552692
  3. Release v1.6.1

    Security hardening release:
    - Add global API rate limiting and resource caps
    - Fix stats endpoint data exposure
    - Validate shell.openExternal URLs
    - Escape SQL LIKE pattern injection
    - Add file path traversal protection
    
    Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
    yurug and claude committed Jan 31, 2026
    Commit e082e6e