All notable changes to NimasLab are documented here.
10.06.2026
Security: Deploy pipeline hardened against secret exposure and MITM
• SSH host-key pinning (SSH_KNOWN_HOSTS) with StrictHostKeyChecking enforced — replaces accept-any, preventing a man-in-the-middle from capturing deploy secrets
• Runtime secrets now passed via --env-file piped over SSH stdin instead of docker run -e — keeps them out of the server process table and docker inspect
• Container bound to 127.0.0.1:3000 (TLS terminates at the same-host reverse proxy) instead of all interfaces
• Deploy gated behind a "production" GitHub environment for approval
• Third-party ssh-agent action pinned to a commit SHA
Security: Next.js upgraded 16.1.6 → 16.2.9
• Clears high-severity middleware/proxy-bypass, Server Actions CSRF, and DoS advisories
• Transitive ws dependency bumped to 8.21.0 (uninitialized memory disclosure fix)
Security: API and response-header hardening
• /api/portfolio: orderBy parameter now whitelisted (Month, date)
• /api/admin/export-portfolio-svg: unified to shared admin auth (session or CRON_SECRET), consistent with other admin routes
• Added a Content-Security-Policy (Report-Only) header to begin monitoring before enforcement