The team at Github Security Lab provided us with a disclosure containing some recommendations for enhancing the security of Mealie, which have been implemented as part of this release. The vulnerabilities all required an authenticated user to exploit, so were likely only an issue if you allowed open registration to your system.
The key functional change you'll notice is that it's now not possible to scrape recipes/images from URLs that resolve to internal IP addresses. This is to prevent a user being able to map out the network the Mealie instance is part of.
Note that we now default the ALLOW_SIGNUP environment variable to false, previously it was true.
There is a new security page available in the documentation should you want to read up on some extra security steps you can take for your Mealie instance.
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [ghcr.io/mealie-recipes/mealie](https://github.com/mealie-recipes/mealie) | minor | `v1.3.2` -> `v1.4.0` |
---
### Release Notes
<details>
<summary>mealie-recipes/mealie (ghcr.io/mealie-recipes/mealie)</summary>
### [`v1.4.0`](https://github.com/mealie-recipes/mealie/releases/tag/v1.4.0)
[Compare Source](https://github.com/mealie-recipes/mealie/compare/v1.3.2...v1.4.0)
#### Highlights
- Security updates (more on that below)
- OIDC Login Support - https://github.com/mealie-recipes/mealie/pull/2860, https://github.com/mealie-recipes/mealie/pull/3280
- Initial Startup Workflow - https://github.com/mealie-recipes/mealie/pull/3204
#### Security Updates
The team at Github Security Lab provided us with a disclosure containing some recommendations for enhancing the security of Mealie, which have been implemented as part of this release. The vulnerabilities all required an authenticated user to exploit, so were likely only an issue if you allowed open registration to your system.
The key functional change you'll notice is that it's now not possible to scrape recipes/images from URLs that resolve to internal IP addresses. This is to prevent a user being able to map out the network the Mealie instance is part of.
Note that we now default the `ALLOW_SIGNUP` environment variable to false, previously it was true.
There is a new security page available in the documentation should you want to read up on some extra security steps you can take for your Mealie instance.
The pull request was https://github.com/mealie-recipes/mealie/pull/3368
#### What's Changed
- docs(auto): Update image tag, for release v1.3.2 by [@​github-actions](https://github.com/github-actions) in https://github.com/mealie-recipes/mealie/pull/3279
- feat: Login with OAuth via OpenID Connect (OIDC) by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3280
- fix: Typos in OIDC docs by [@​boc-the-git](https://github.com/boc-the-git) in https://github.com/mealie-recipes/mealie/pull/3285
- fix: Allow UserOut to accept list of slugs for recipe favorites by [@​michael-genson](https://github.com/michael-genson) in https://github.com/mealie-recipes/mealie/pull/3283
- feat: First Time Setup Wizard by [@​michael-genson](https://github.com/michael-genson) in https://github.com/mealie-recipes/mealie/pull/3204
- fix(deps): update dependency tzdata to v2024 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3281
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3286
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3299
- fix(deps): update dependency pydantic to v2.6.4 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3300
- feat: Timeline Filters by [@​michael-genson](https://github.com/michael-genson) in https://github.com/mealie-recipes/mealie/pull/3284
- fix: Only call store APIs once by [@​michael-genson](https://github.com/michael-genson) in https://github.com/mealie-recipes/mealie/pull/3306
- fix: Date pickers not respecting locale or first day of the week by [@​michael-genson](https://github.com/michael-genson) in https://github.com/mealie-recipes/mealie/pull/3303
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3307
- fix: Limit shopping list owners to current group by [@​michael-genson](https://github.com/michael-genson) in https://github.com/mealie-recipes/mealie/pull/3305
- fix: Shopping List Migration Fails With No Users by [@​michael-genson](https://github.com/michael-genson) in https://github.com/mealie-recipes/mealie/pull/3290
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3313
- fix: proxy get_all to page_all by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3312
- fix: Purge Group Exports type mismatch by [@​michael-genson](https://github.com/michael-genson) in https://github.com/mealie-recipes/mealie/pull/3314
- fix: remove deprecated lifecycle and consolidate startup actions by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3311
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3319
- chore(deps): update dependency coverage to v7.4.4 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3316
- chore(deps): update dependency ruff to v0.3.3 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3261
- chore(deps): update dependency black to v24.3.0 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3322
- chore(deps): update dependency mkdocs-material to v9.5.14 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3333
- docs: Update maintainers.md by [@​eltociear](https://github.com/eltociear) in https://github.com/mealie-recipes/mealie/pull/3339
- Dicsussion Template: OAuth example template by [@​cmintey](https://github.com/cmintey) in https://github.com/mealie-recipes/mealie/pull/3340
- chore(deps): update dependency pytest-asyncio to v0.23.6 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3341
- fix(deps): update dependency uvicorn to v0.28.1 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3342
- fix: Repeated calls to group self by [@​michael-genson](https://github.com/michael-genson) in https://github.com/mealie-recipes/mealie/pull/3321
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3328
- fix(deps): update dependency uvicorn to ^0.29.0 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3346
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3347
- OIDC Docs Updates by [@​cmintey](https://github.com/cmintey) in https://github.com/mealie-recipes/mealie/pull/3323
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3351
- chore(deps): update dependency ruff to v0.3.4 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3353
- Add OIDC environment variable for specififying the signing algorithm by [@​cmintey](https://github.com/cmintey) in https://github.com/mealie-recipes/mealie/pull/3354
- feat: Migrate from My Recipe Box by [@​michael-genson](https://github.com/michael-genson) in https://github.com/mealie-recipes/mealie/pull/3352
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3355
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3361
- Update dependency mkdocs-material to v9.5.15 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3358
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3366
- Update dependency SQLAlchemy to v2.0.29 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3362
- Update dependency pre-commit to v3.7.0 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3369
- Reset the search input after selection on the RecipeOrganizerSelector by [@​Kuchenpirat](https://github.com/Kuchenpirat) in https://github.com/mealie-recipes/mealie/pull/3373
- Update dependency rapidfuzz to v3.7.0 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3370
- fix: Recipe Search URL State by [@​michael-genson](https://github.com/michael-genson) in https://github.com/mealie-recipes/mealie/pull/3332
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3377
- feat: Add auto-select-first attribute to RecipeOrganizerSelector by [@​Kuchenpirat](https://github.com/Kuchenpirat) in https://github.com/mealie-recipes/mealie/pull/3376
- feat: cookbook editor on cookbook page by [@​Kuchenpirat](https://github.com/Kuchenpirat) in https://github.com/mealie-recipes/mealie/pull/3378
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3379
- docs: Tidy up the 'task' template by [@​boc-the-git](https://github.com/boc-the-git) in https://github.com/mealie-recipes/mealie/pull/3380
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3381
- fix(deps): update dependency orjson to v3.10.0 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3383
- fix(deps): update dependency tzdata to v2024 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3386
- fix(deps): update dependency apprise to v1.7.5 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3394
- chore(deps): update dependency mkdocs-material to v9.5.16 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3397
- New Crowdin updates by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3400
- refactor: Sidebar UI by [@​Kuchenpirat](https://github.com/Kuchenpirat) in https://github.com/mealie-recipes/mealie/pull/3390
- fix(deps): update dependency pillow to v10.3.0 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3402
- chore(deps): update dependency ruff to v0.3.5 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3405
- chore(deps): update dependency mkdocs-material to v9.5.17 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3407
- fix(deps): update dependency fastapi to v0.110.1 by [@​renovate](https://github.com/renovate) in https://github.com/mealie-recipes/mealie/pull/3408
- security: gh security recs by [@​hay-kot](https://github.com/hay-kot) in https://github.com/mealie-recipes/mealie/pull/3368
- redirect to direct login on failure by [@​cmintey](https://github.com/cmintey) in https://github.com/mealie-recipes/mealie/pull/3406
#### New Contributors
- [@​eltociear](https://github.com/eltociear) made their first contribution in https://github.com/mealie-recipes/mealie/pull/3339
**Full Changelog**: https://github.com/mealie-recipes/mealie/compare/v1.3.2...v1.4.0
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNzkuMCIsInVwZGF0ZWRJblZlciI6IjM3LjI3OS4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->
Because you closed this PR without merging, Renovate will ignore this update (v1.4.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
### Renovate Ignore Notification
Because you closed this PR without merging, Renovate will ignore this update (`v1.4.0`). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the `ignoreDeps` array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
This PR contains the following updates:
v1.3.2->v1.4.0Release Notes
mealie-recipes/mealie (ghcr.io/mealie-recipes/mealie)
v1.4.0Compare Source
Highlights
Security Updates
The team at Github Security Lab provided us with a disclosure containing some recommendations for enhancing the security of Mealie, which have been implemented as part of this release. The vulnerabilities all required an authenticated user to exploit, so were likely only an issue if you allowed open registration to your system.
The key functional change you'll notice is that it's now not possible to scrape recipes/images from URLs that resolve to internal IP addresses. This is to prevent a user being able to map out the network the Mealie instance is part of.
Note that we now default the
ALLOW_SIGNUPenvironment variable to false, previously it was true.There is a new security page available in the documentation should you want to read up on some extra security steps you can take for your Mealie instance.
The pull request was https://github.com/mealie-recipes/mealie/pull/3368
What's Changed
New Contributors
Full Changelog: https://github.com/mealie-recipes/mealie/compare/v1.3.2...v1.4.0
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
Renovate Ignore Notification
Because you closed this PR without merging, Renovate will ignore this update (
v1.4.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to theignoreDepsarray of your Renovate config.If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.