release notes

README.md

@@ -1,6 +1,6 @@
 <img src="logoExcaliDash.png" alt="ExcaliDash Logo" width="80" height="88">
 
-# ExcaliDash v0.1.3
+# ExcaliDash v0.1.5
 
 ![License](https://img.shields.io/github/license/zimengxiong/ExcaliDash)
 [![Docker](https://img.shields.io/badge/docker-ready-blue.svg)](https://hub.docker.com)

RELEASE.md

@@ -1,34 +1,30 @@
-# ExcaliDash v0.1.4
+# ExcaliDash v0.1.5
 
-**Type:** Security Release  
+Date: 2025-11-23
-**Date:** 2025-11-23  
-**Compatibility:** v0.1.x (Backward Compatible)
 
-## Security Fixes
+Compatibility: v0.1.x (Backward Compatible)
 
-**Input Sanitization & XSS Prevention**
+# Security
 
-- Implemented basic sanitization using `dompurify` and `jsdom`. All drawing data, text inputs, and SVG content are now stripped of non-geometric elements and malicious attributes before persistence. URL validation now explicitly blocks `javascript:`, `data:`, and `vbscript:` schemes.
+- RCE: implemented strict Zod schema validation and input sanitization on file uploads; added path traversal guards to file handling logic
 
-**Network & Headers**
+- XSS: used DOMPurify for HTML sanitization; blocked execution-capable SVG attributes and enforces CSP headers.
 
-- Enforced Content Security Policy (CSP) with strict source restrictions. Added standard hardening headers: `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, and strict Referrer Policy. Rate limiting added (1,000 req/15min).
+- DoS: moved CPU-intensive operations to worker threads to prevent event loop blocking; request rate limiting (1,000 req/15 min per IP) and streaming for large files
-  **Validation Logic**
 
-- Adopted `zod` schemas for strict runtime type checking on all API inputs. Requests exceeding length limits or failing schema validation are rejected prior to processing.
+# Infras & Deployment
 
-## Infra
+- non-root execution (uid 1001) in containers
+- migrated to multi-stage Docker builds
 
-**Docker Architecture**
+# Database
 
-- Containers now execute as a non-root user (uid 1001) to minimize privilege escalation risks. Refactored into a multi-stage build to reduce image size and enforce proper file ownership/permissions on startup.
+- migrated to better-sqlite3, converted all DB interactions to non-blocking async operations and offloaded integrity checks to worker threads.
 
-**Async Operations & Database**
+- implemented SQLite magic header validation; added automatic backup triggers preceding data import
 
-- Moved blocking file I/O and SQLite integrity checks to worker threads (`src/workers/db-verify.js`) to prevent event loop stalling. Switched to `better-sqlite3`. Database imports now trigger automatic backups and validate SQLite file headers before execution.
+- input validation logic
 
-## Developer & Migration Notes
+# Frontend
 
-- **New Env Var**: `FRONTEND_URL` must be defined for CORS (e.g., `http://localhost:6767`).
+- updated Settings UI to show version
-- **Testing**: Added `npm run security-test` suite covering XSS payloads, SVG boundaries, and upload limits.
-- **Migration**: No database schema changes. Existing volumes are compatible; the container will automatically fix permissions on startup.

VERSION

@@ -1 +1 @@
-0.1.4
+0.1.5

backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backend",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "description": "",
   "main": "index.js",
   "scripts": {

frontend/package.json

@@ -1,7 +1,7 @@
 {
   "name": "frontend",
   "private": true,
-  "version": "0.1.4",
+  "version": "0.1.5",
   "type": "module",
   "scripts": {
     "dev": "vite",