
v5.0.0-beta #2449


Closed
wants to merge 10 commits into from

bwp91
Contributor

@bwp91 bwp91 commented Jun 8, 2025

Related PRs:


⚠️ Breaking Changes

  • This version of the Homebridge UI:
    • Is compatible with Homebridge v1 and v2-beta
    • Drops support for Node.js v18 and earlier, so please update to v20 or v22 - more info on updating
    • Drops support for Raspberry Pi devices running on the armv6 architecture (like the Pi 1 and Pi Zero) - please update your hardware
    • Drops support for instances using pnpm as the package manager - consider updating your Homebridge instance to use npm instead - more info on updating

UI Changes

Other Changes

  • retire use of pnpm and code references
  • bump the default node version from 20 to 22
  • make terminal enabled by default on new macOS hb-service installs
  • update fastify and nestjs dependencies
  • set service mode as default, remove standalone
  • Initial support for NodeJS 24 in preparation for LTS in Fall of 2025 (NodeJS 24 initial support #2451) (@NorthernMan54)

Homebridge Dependencies

  • @homebridge/hap-client @ v3.0.0-beta
  • @homebridge/node-pty-prebuilt-multiarch @ v0.13.0-beta
  • @homebridge/plugin-ui-utils @ v2.1.0

@github-actions github-actions bot added the latest Related to Latest Branch label Jun 8, 2025
@bwp91 bwp91 force-pushed the beta-5.0.0 branch 9 times, most recently from f070763 to a8acb1c Compare June 15, 2025 11:41
current = current[keys[i]]
}
if (!this.forbiddenKeys.includes(keys[keys.length - 1])) {
current[keys[keys.length - 1]] = value

Check warning

Code scanning / CodeQL

Prototype-polluting function Medium

The property chain here is recursively assigned to current without guarding against prototype pollution.

Copilot Autofix

AI 13 days ago

To fix the issue, we need to explicitly block the keys __proto__ and constructor in the setEnvItem function. This can be done by adding a check to ensure that these keys are not included in the keys array or its elements. This approach is consistent with best practices for preventing prototype pollution.

The changes will be made in the setEnvItem function:

  1. Add a check to block __proto__ and constructor in the loop that iterates over keys.
  2. Ensure that the final key in the chain (i.e., keys[keys.length - 1]) is also checked before assigning the value.

Suggested changeset 1
ui/src/app/core/settings.service.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/ui/src/app/core/settings.service.ts b/ui/src/app/core/settings.service.ts
--- a/ui/src/app/core/settings.service.ts
+++ b/ui/src/app/core/settings.service.ts
@@ -184,3 +184,3 @@
       for (let i = 0; i < keys.length - 1; i++) {
-        if (this.forbiddenKeys.includes(keys[i])) {
+        if (this.forbiddenKeys.includes(keys[i]) || keys[i] === '__proto__' || keys[i] === 'constructor') {
           return
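Review bot: the widened condition on the `keys[i]` line filters segments by name only, so the walk shown in the code-scanning excerpt (`current = current[keys[i]]`) can still descend into any other inherited property. Consider also requiring `Object.prototype.hasOwnProperty.call(current, keys[i])` before descending. The bare `return` also drops the write silently; a warning log would make rejected paths visible.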
@@ -192,4 +192,5 @@
       }
-      if (!this.forbiddenKeys.includes(keys[keys.length - 1])) {
-        current[keys[keys.length - 1]] = value
+      const finalKey = keys[keys.length - 1];
+      if (!this.forbiddenKeys.includes(finalKey) && finalKey !== '__proto__' && finalKey !== 'constructor') {
+        current[finalKey] = value
       }
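Review bot: the `finalKey` condition repeats the `'__proto__'` and `'constructor'` literals from the loop check, so the two guards can drift apart; adding both names to `this.forbiddenKeys` (or one shared helper) would keep them in sync. The new `const finalKey = keys[keys.length - 1];` line also ends in a semicolon while `current[finalKey] = value` does not, so pick one style.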
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
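
The guard discussed in the autofix comment above, as an added JavaScript example (not code from the Homebridge UI repository or from Copilot). It places an unguarded dotted-path setter beside a guarded one and goes slightly beyond the patch by also requiring own, object-valued properties while walking; `setByPathUnsafe`, `setByPathSafe`, `BLOCKED`, `demo` and the sample object are hypothetical names.

```javascript
// Added example: dotted-path setter in the shape of the flagged code.
// All names and sample values here are constructed for illustration.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype'])

// Unguarded walk: mirrors `current = current[keys[i]]` followed by assignment.
function setByPathUnsafe(target, path, value) {
  const keys = path.split('.')
  let current = target
  for (let i = 0; i < keys.length - 1; i++) {
    current = current[keys[i]]
  }
  current[keys[keys.length - 1]] = value
}

// Guarded walk: reject blocked names anywhere in the chain and descend only
// through own, object-valued properties. Returns true if the write happened.
function setByPathSafe(target, path, value) {
  const keys = path.split('.')
  if (keys.some(k => BLOCKED.has(k))) return false
  let current = target
  for (let i = 0; i < keys.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(current, keys[i])) return false
    const next = current[keys[i]]
    if (next === null || typeof next !== 'object') return false
    current = next
  }
  current[keys[keys.length - 1]] = value
  return true
}

// Constructed demonstration: reports what an unrelated empty object sees
// after each setter handles the same path.
function demo() {
  const path = '__proto__.polluted'
  const env = { terminal: { enabled: false } }
  setByPathUnsafe(env, path, true)
  const afterUnsafe = ({}).polluted === true
  delete Object.prototype.polluted // undo the side effect of the unsafe call
  const accepted = setByPathSafe(env, path, true)
  const afterSafe = ({}).polluted === true
  const normal = setByPathSafe(env, 'terminal.enabled', true)
  return { afterUnsafe, accepted, afterSafe, normal, enabled: env.terminal.enabled }
}
```

The own-property check is what stops a path such as `toString.x`, which a name-only deny list would let through.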
@bwp91 bwp91 force-pushed the beta-5.0.0 branch 6 times, most recently from 8913b6d to 8a04ab0 Compare June 19, 2025 15:06
@bwp91 bwp91 force-pushed the beta-5.0.0 branch 2 times, most recently from b02bd97 to 1a6bd29 Compare June 29, 2025 09:13
@bwp91 bwp91 force-pushed the latest branch 3 times, most recently from b4c4194 to 2670df4 Compare June 29, 2025 15:45
@bwp91 bwp91 force-pushed the beta-5.0.0 branch 2 times, most recently from c89db3d to 0fb3c1b Compare June 29, 2025 20:30
@bwp91 bwp91 force-pushed the beta-5.0.0 branch 4 times, most recently from 53863b3 to 12cf639 Compare July 9, 2025 18:49
@bwp91 bwp91 force-pushed the latest branch 3 times, most recently from ce82c3b to 31ee102 Compare July 12, 2025 15:13
@bwp91 bwp91 force-pushed the latest branch 7 times, most recently from c4738cc to eb824f6 Compare July 12, 2025 20:42
@bwp91 bwp91 closed this Jul 12, 2025
@bwp91 bwp91 deleted the beta-5.0.0 branch July 12, 2025 21:50

3 participants