• 0.2.4 597579376f

    NexaPG 0.2.4 - Milestone update "v1.0 - Stability, Reliability & Security (P0)"
    Some checks failed
    Migration Safety / Alembic upgrade/downgrade safety (push) Successful in 2m43s
    PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
    Proxy Profile Validation / validate (push) Successful in 3s
    Python Dependency Security / pip-audit (block high/critical) (push) Successful in 26s
    Docker Publish (Release) / Build and Push Docker Images (release) Successful in 1m41s
    Container CVE Scan (development) / Scan backend/frontend images for CVEs (push) Has been cancelled
    Stable

    nessi released this 2026-02-15 11:36:40 +00:00 | 0 commits to main since this release

    Security & CI Hardening

    NX-202: Python dependency vulnerability gate

    • Added dedicated CI workflow:
      • .github/workflows/python-dependency-security.yml
    • Added pip-audit policy gate:
      • blocks unresolved HIGH / CRITICAL findings
      • treats missing severity metadata conservatively as HIGH
    • Added auditable allowlist support:
      • ops/security/pip-audit-allowlist.json
    • Added allowlist validation rules:
      • required metadata fields
      • expiry enforcement (expired entries fail CI)
    • Added dependency scan artifacts upload in CI.
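    The NX-202 items above describe a policy gate rather than showing one. The script below is an added example written for this page, not the project's python-dependency-security.yml workflow or its ops/security/pip-audit-allowlist.json: it treats findings with no severity metadata as HIGH, rejects an allowlist with missing fields or expired entries, and fails the gate on any HIGH/CRITICAL finding that is not allowlisted. The finding shape (a per-vulnerability "severity" key), the allowlist field names and the sample data are all constructed assumptions.

```python
"""Dependency vulnerability policy gate, modelled on the NX-202 description.

Added example, not the project's workflow or allowlist. The finding shape
(a 'severity' key per vuln) and the allowlist fields are assumptions.
"""
import json
import sys
from datetime import date

BLOCKING = {"HIGH", "CRITICAL"}
KNOWN_SEVERITIES = {"LOW", "MEDIUM", "HIGH", "CRITICAL"}
# Assumed required allowlist metadata; the real schema may differ.
REQUIRED_ALLOWLIST_FIELDS = ("id", "package", "reason", "owner", "expires")

# Constructed sample findings: one HIGH, one with no severity metadata, one LOW.
SAMPLE_FINDINGS_JSON = json.dumps({
    "dependencies": [
        {"name": "examplelib", "version": "1.0.0",
         "vulns": [{"id": "EXAMPLE-0001", "severity": "HIGH", "fix_versions": ["1.0.1"]}]},
        {"name": "otherlib", "version": "2.3.0",
         "vulns": [{"id": "EXAMPLE-0002", "fix_versions": []}]},
        {"name": "lowlib", "version": "0.9.0",
         "vulns": [{"id": "EXAMPLE-0003", "severity": "LOW", "fix_versions": ["0.9.1"]}]},
    ]
})

# Constructed sample allowlist accepting EXAMPLE-0001 until 2099-01-01.
SAMPLE_ALLOWLIST_JSON = json.dumps([
    {"id": "EXAMPLE-0001", "package": "examplelib", "owner": "security-team",
     "reason": "example justification (constructed)", "expires": "2099-01-01"},
])


def effective_severity(vuln: dict) -> str:
    """Unknown or missing severity is treated as HIGH so it cannot slip past the gate."""
    sev = str(vuln.get("severity", "")).upper()
    return sev if sev in KNOWN_SEVERITIES else "HIGH"


def validate_allowlist(entries: list, today: date) -> list:
    """Return validation errors; any error means the allowlist is rejected as a whole."""
    errors = []
    for i, entry in enumerate(entries):
        missing = [f for f in REQUIRED_ALLOWLIST_FIELDS if not entry.get(f)]
        if missing:
            errors.append(f"entry {i}: missing required fields {missing}")
            continue
        try:
            expires = date.fromisoformat(entry["expires"])
        except ValueError:
            errors.append(f"entry {i} ({entry['id']}): 'expires' is not an ISO date")
            continue
        if expires < today:
            errors.append(f"entry {i} ({entry['id']}): expired on {expires.isoformat()}")
    return errors


def evaluate(findings_json: str, allowlist_json: str, today: date) -> dict:
    """Apply the policy; 'ok' requires a valid allowlist and no unresolved blocking findings."""
    findings = json.loads(findings_json)
    allowlist = json.loads(allowlist_json)
    errors = validate_allowlist(allowlist, today)
    # An invalid allowlist suppresses nothing: every blocking finding stays blocking.
    allowed = set() if errors else {(e["id"], e["package"]) for e in allowlist}
    blocking, allowlisted = [], []
    for dep in findings.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            if effective_severity(vuln) not in BLOCKING:
                continue
            label = f"{dep['name']}=={dep['version']}:{vuln['id']}"
            bucket = allowlisted if (vuln["id"], dep["name"]) in allowed else blocking
            bucket.append(label)
    return {"ok": not errors and not blocking, "blocking": blocking,
            "allowlisted": allowlisted, "errors": errors}


def run_sample(today_iso: str = "2026-02-15") -> dict:
    """Evaluate the constructed sample as of the given ISO date."""
    return evaluate(SAMPLE_FINDINGS_JSON, SAMPLE_ALLOWLIST_JSON, date.fromisoformat(today_iso))


if __name__ == "__main__":
    result = run_sample()
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

    Run against the sample, the gate fails because EXAMPLE-0002 carries no severity and is therefore counted as HIGH; the allowlisted EXAMPLE-0001 is reported separately so the CI log still shows what was waived. Once the allowlist entry passes its expiry date the whole allowlist is rejected and EXAMPLE-0001 becomes blocking again, which is what makes the waiver auditable instead of permanent.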

    Release pipeline enforcement

    • Added dependency security gate to release publishing workflow:
      • .github/workflows/docker-release.yml
    • Release image build/push now stops if unresolved high/critical Python dependency vulnerabilities exist.

    Proxy & Production Deployment Profile

    NX-203: Secure and repeatable HTTPS reverse-proxy profile

    • Added production profile examples:
      • ops/profiles/prod/.env.production.example
      • ops/profiles/prod/nginx/nexapg.conf
    • Added deployment documentation:
      • docs/deployment/proxy-production-profile.md
    • Documented:
      • CORS recommendations per environment (dev, staging, prod)
      • required reverse-proxy forwarding headers
      • API path forwarding (/api/ -> backend)
      • mixed-content prevention for HTTPS deployments.

    Proxy guardrail validation in CI

    • Added workflow:
      • .github/workflows/proxy-profile-validation.yml
    • Added validation script:
      • ops/scripts/validate_proxy_profile.sh
    • CI now verifies:
      • relative frontend API base defaults
      • required API proxy config and forwarded headers
      • mixed-content guard presence
      • production profile avoids wildcard CORS.
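    The four CI checks listed above map directly onto a small validator. The code below is an added example for this page, not ops/scripts/validate_proxy_profile.sh (which the release notes describe as a shell script): it parses a constructed .env fragment and a constructed nginx snippet and reports every guardrail violation it finds. The variable names FRONTEND_API_BASE and CORS_ORIGINS, the choice of a Content-Security-Policy upgrade-insecure-requests header as the mixed-content guard, and both sample configurations are assumptions.

```python
"""Proxy profile guardrail checks, modelled on the NX-203 CI validation.

Added example; the env variable names, the mixed-content guard marker and
the sample configurations are constructed assumptions.
"""
import re

REQUIRED_FORWARD_HEADERS = ("Host", "X-Forwarded-For", "X-Forwarded-Proto")
MIXED_CONTENT_GUARD = "upgrade-insecure-requests"  # assumed guard marker

# Constructed profile that should pass.
GOOD_NGINX = """
server {
    listen 443 ssl;
    add_header Content-Security-Policy "upgrade-insecure-requests" always;
    location /api/ {
        proxy_pass http://backend:8000/api/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location / {
        proxy_pass http://frontend:8080/;
    }
}
"""
# Constructed profile with several guardrail violations.
BAD_NGINX = """
server {
    listen 80;
    location /api/ {
        proxy_pass http://backend:8000/api/;
        proxy_set_header Host $host;
    }
}
"""
GOOD_ENV = "CORS_ORIGINS=https://nexapg.example.com\nFRONTEND_API_BASE=/api\n"
BAD_ENV = "CORS_ORIGINS=*\nFRONTEND_API_BASE=http://localhost:8000/api\n"


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser; comments and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_profile(nginx_conf: str, env_text: str) -> list:
    """Return a list of guardrail violations; an empty list means the profile passes."""
    problems = []
    env = parse_env(env_text)

    # 1. The frontend API base must stay relative so the browser talks to the same origin.
    base = env.get("FRONTEND_API_BASE", "/api")
    if not base.startswith("/"):
        problems.append(f"frontend API base must be relative, got {base!r}")

    # 2. /api/ must be proxied to the backend with the forwarding headers set.
    match = re.search(r"location\s+/api/\s*\{(.*?)\}", nginx_conf, re.S)
    if match is None:
        problems.append("missing 'location /api/' block forwarding to the backend")
    else:
        block = match.group(1)
        if "proxy_pass" not in block:
            problems.append("'location /api/' has no proxy_pass")
        for header in REQUIRED_FORWARD_HEADERS:
            if not re.search(rf"proxy_set_header\s+{re.escape(header)}\s", block):
                problems.append(f"'location /api/' does not set {header}")

    # 3. HTTPS deployments need the mixed-content guard present.
    if MIXED_CONTENT_GUARD not in nginx_conf:
        problems.append(f"missing mixed-content guard ({MIXED_CONTENT_GUARD})")

    # 4. Production must not use wildcard CORS.
    origins = [o.strip() for o in env.get("CORS_ORIGINS", "").split(",")]
    if "*" in origins:
        problems.append("CORS_ORIGINS contains wildcard '*'")
    return problems


if __name__ == "__main__":
    for name, conf, env in (("good", GOOD_NGINX, GOOD_ENV), ("bad", BAD_NGINX, BAD_ENV)):
        print(name, check_profile(conf, env) or "OK")
```

    The bad profile trips all four guardrails: an absolute API base (which would bypass the reverse proxy and break same-origin cookies), two missing forwarding headers (without X-Forwarded-Proto the backend cannot tell it was reached over HTTPS), no mixed-content guard, and a wildcard CORS origin.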

    Secret Management Guidance

    NX-204: Secure secret handling documentation

    • Added:
      • docs/security/secret-management.md
    • Includes:
      • secure handling guidance for JWT_SECRET_KEY, ENCRYPTION_KEY, DB_PASSWORD, SMTP credentials
      • clear Do / Don’t section
      • recommended secret providers (Vault/cloud/orchestrator/CI runtime injection)
      • rotation basics and operational checklist.
    • Updated:
      • README.md (TOC + security references)
      • .env.example, ops/.env.example with stronger production warnings (no hardcoding, rotate secrets).

    Configuration Consistency

    • Corrected frontend port mapping documentation/comments in env templates to match runtime behavior:
      • frontend container port remains 8080.

    Notes

    • No database migration required.
    • Redeploy recommended to apply updated CI/release/security workflow behavior and documentation alignment.
    • For production HTTPS deployments, use the provided proxy profile and keep API routing under /api/.
  • 0.2.3 21a8023bf1

    NexaPG 0.2.3 - Security update
    All checks were successful
    Migration Safety / Alembic upgrade/downgrade safety (push) Successful in 6m20s
    PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 10s
    PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
    Docker Publish (Release) / Build and Push Docker Images (release) Successful in 1m18s
    Stable

    nessi released this 2026-02-14 22:14:54 +00:00 | 7 commits to main since this release

    Changed

    Frontend runtime image rollback (security compatibility tradeoff)

    • Rolled frontend runtime image back:
      • from nginxinc/nginx-unprivileged:stable-alpine
      • to nginx:1-alpine-slim
    • Kept frontend runtime port alignment introduced previously:
      • NGINX listens on 8080
      • Dockerfile exposes 8080
      • Compose maps ${FRONTEND_PORT}:8080

    Why This Release

    • The unprivileged image variant increased reported CVE count in our scanner output.
    • This release prioritizes lower vulnerability surface in current scan tooling while preserving functional behavior and port mapping.
    • CI security workflows were hardened in parallel to improve scan reliability and reporting confidence.

    CI / Security Scanning

    Docker Scout scan reliability fixes (development workflow)

    • Fixed Scout execution for local CI images by:
      • running Scout container with -u root
      • mounting Docker auth/config writable (removed read-only mount)
    • Resolved Scout runtime error:
      • failed create to sbom folder: mkdir /root/.docker/scout: read-only file system
    • Result: Scout can index and scan local backend/frontend images without pull/auth fallbacks.

    CI / Compatibility

    PostgreSQL matrix stability hardening (PG14–PG18)

    • Reduced matrix concurrency:
      • max-parallel: 3
    • Optimized checkout for reliability:
      • actions/checkout@v4 with fetch-depth: 1

    Notes

    • No database migration required.
    • Rebuild and republish frontend image, then redeploy to apply runtime image rollback.
    • If you use custom reverse proxies, continue targeting frontend container port 8080.
  • 0.2.2 1cea82f5d9

    NexaPG 0.2.2 - NGINX unprivileged security update
    All checks were successful
    Migration Safety / Alembic upgrade/downgrade safety (push) Successful in 21s
    PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 8s
    Docker Publish (Release) / Build and Push Docker Images (release) Successful in 1m33s
    Stable

    nessi released this 2026-02-14 16:20:45 +00:00 | 19 commits to main since this release

    Changed

    Frontend Runtime Security Hardening

    • Switched frontend runtime image to an unprivileged NGINX variant:
      • from nginx:1.29-alpine-slim
      • to nginxinc/nginx-unprivileged:stable-alpine
    • Set explicit non-root runtime user in frontend container:
      • USER 101

    Frontend Runtime Port Alignment

    • Updated NGINX listener in frontend runtime config:
      • listen 8080;
    • Updated frontend container port exposure:
      • EXPOSE 8080
    • Updated Docker Compose frontend mapping:
      • from ${FRONTEND_PORT}:80
      • to ${FRONTEND_PORT}:8080

    Why This Release

    • Improves container runtime security posture by running frontend as non-root by default.
    • Aligns deployment with Docker Scout best-practice checks (default non-root user).
    • Keeps external access unchanged (still via FRONTEND_PORT on host), while hardening internal container behavior.

    Notes

    • No database migration required.
    • Rebuild and republish frontend image, then redeploy to apply changes.
    • If using custom reverse-proxy/container configs, ensure upstream points to frontend container port 8080.
  • 0.2.1 c2e4e614e0

    NexaPG 0.2.1 - Alpine image backend update
    All checks were successful
    Migration Safety / Alembic upgrade/downgrade safety (push) Successful in 28s
    PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
    Docker Publish (Release) / Build and Push Docker Images (release) Successful in 1m51s
    Stable

    nessi released this 2026-02-14 16:03:00 +00:00 | 22 commits to main since this release

    Changed

    Backend Runtime Base Image

    • Switched backend container base image to Alpine by default:
      • from python:3.13-slim
      • to python:3.13-alpine
    • Updated backend Dockerfile to stay cross-compatible for package/user setup logic.

    CI

    Compatibility Workflow Cleanup

    • Removed temporary Alpine-specific backend smoke job after successful validation.
    • Kept PostgreSQL compatibility matrix checks (PG14–PG18).
    • Kept compatibility checks active on development for earlier feedback before merge.

    Why This Release

    • Reduces backend image footprint and package surface.
    • Improves the potential security posture by minimizing installed base components.

    • Simplifies CI while keeping core compatibility safeguards in place.

    Notes

    • No database migration required.
    • Rebuild and redeploy backend image to apply the Alpine base switch.
    • Monitor startup/runtime logs after rollout to confirm environment-specific dependency behavior.
  • 0.2.0 f614eb1cf8

    NexaPG 0.2.0 - Reliability hardening milestone update
    All checks were successful
    Migration Safety / Alembic upgrade/downgrade safety (push) Successful in 19s
    PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 8s
    Docker Publish (Release) / Build and Push Docker Images (release) Successful in 1m14s
    Stable

    nessi released this 2026-02-14 15:32:50 +00:00 | 27 commits to main since this release

    Added

    Reliability and Stability (NX-102)

    • Introduced per-target exponential backoff with jitter in the collector for unreachable databases.
    • Added stronger per-target log throttling to prevent repeated connection-failure log floods.
    • Collector now skips failed targets until their next scheduled retry while continuing to poll healthy targets.
    • Added recovery context logging (after_failures, downtime_seconds) when targets come back online.
    • Improved collector loop cadence (poll_interval - elapsed) to reduce timing drift and transient freshness spikes.
    • Added cleanup of stale collector failure state for removed targets.
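    The six NX-102 bullets describe one mechanism: per-target backoff state that decides whether a target is polled, throttles failure logs, emits recovery context, is pruned for removed targets, and a loop cadence that subtracts elapsed time. The class below is an added example written for this page, not NexaPG's collector code; class and function names are assumptions, the jitter is "full jitter" (a uniform draw between zero and the exponential ceiling), and log throttling is done by failure count (log on the 1st, 2nd, 4th, 8th ... failure), which the release notes do not specify.

```python
"""Per-target exponential backoff with jitter, log throttling and recovery
context, modelled on the NX-102 description. Added example, not NexaPG's
collector; names, the jitter scheme and the throttling rule are assumptions."""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class _State:
    failures: int = 0
    first_failure_at: float = 0.0
    next_retry_at: float = 0.0


class FailureTracker:
    def __init__(self, base_delay: float = 5.0, max_delay: float = 300.0,
                 seed: Optional[int] = None):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._rng = random.Random(seed)  # seedable for reproducible tests
        self._states: Dict[str, _State] = {}

    def should_poll(self, target: str, now: float) -> bool:
        """Healthy targets are always polled; failed ones wait for their scheduled retry."""
        state = self._states.get(target)
        return state is None or now >= state.next_retry_at

    def record_failure(self, target: str, now: float) -> Tuple[float, bool]:
        """Schedule the next retry with exponential backoff and full jitter.

        Returns (delay_seconds, should_log). Logging is throttled to failure
        counts that are powers of two so a dead target cannot flood the log."""
        state = self._states.setdefault(target, _State(first_failure_at=now))
        state.failures += 1
        ceiling = min(self.max_delay, self.base_delay * 2 ** (state.failures - 1))
        delay = self._rng.uniform(0.0, ceiling)
        state.next_retry_at = now + delay
        should_log = (state.failures & (state.failures - 1)) == 0
        return delay, should_log

    def record_success(self, target: str, now: float) -> Optional[dict]:
        """Clear failure state; return recovery context if the target had been down."""
        state = self._states.pop(target, None)
        if state is None:
            return None
        return {"after_failures": state.failures,
                "downtime_seconds": round(now - state.first_failure_at, 3)}

    def prune(self, active_targets) -> list:
        """Drop failure state for targets that were removed from configuration."""
        stale = [t for t in self._states if t not in active_targets]
        for t in stale:
            del self._states[t]
        return stale

    def tracked(self) -> set:
        return set(self._states)


def sleep_for(poll_interval: float, elapsed: float) -> float:
    """Loop cadence: subtract the time the poll took so the schedule does not drift."""
    return max(0.0, poll_interval - elapsed)


if __name__ == "__main__":
    # Constructed simulation: target "db1" fails three times, then recovers.
    tracker = FailureTracker(seed=0)
    now = 0.0
    for _ in range(3):
        delay, log = tracker.record_failure("db1", now)
        print(f"t={now:6.1f} failure, retry in {delay:5.1f}s, log={log}")
        now += delay
    print("recovered:", tracker.record_success("db1", now))
```

    Two details matter for stability. The ceiling is capped at max_delay, so a long outage never pushes the retry beyond a bounded window, and the jitter draws from zero rather than from a lower bound, so many targets that failed together do not retry in lockstep. The recovery context uses the timestamp of the first failure, not the last, so downtime_seconds reflects the whole outage.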

    Migration Safety CI Gate (NX-104)

    • Added dedicated migration safety workflow:
      • .github/workflows/migration-safety.yml
    • CI now validates Alembic roundtrip safety:
      • upgrade head -> downgrade -1 -> upgrade head
    • Added schema consistency validation using pg_dump --schema-only before/after roundtrip with strict diff.
    • Normalized dump comparison by filtering dynamic \restrict / \unrestrict lines to avoid false positives.
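    The last two NX-104 bullets are the interesting part of the gate: a byte-for-byte diff of two pg_dump --schema-only outputs would fail on the \restrict / \unrestrict lines, whose token changes on every run, so the comparison has to drop those lines before diffing and stay strict about everything else. The code below is an added example for this page, not the project's migration-safety.yml; the sample dumps are constructed and trimmed to a single table.

```python
"""Schema dump normalization and strict diff, modelled on the NX-104 gate.

Added example, not the project's workflow. The dumps are constructed."""
import difflib

# The release notes call these lines dynamic: the token differs between runs.
DYNAMIC_PREFIXES = ("\\restrict ", "\\unrestrict ")

# Constructed dump taken before the upgrade -> downgrade -1 -> upgrade roundtrip.
DUMP_BEFORE = """\\restrict TOKENAAAA
CREATE TABLE public.users (
    id integer NOT NULL,
    email character varying(255) NOT NULL
);
\\unrestrict TOKENAAAA
"""
# Same schema after the roundtrip, but pg_dump chose a different token.
DUMP_AFTER_SAME = DUMP_BEFORE.replace("TOKENAAAA", "TOKENBBBB")
# A downgrade that forgot to restore NOT NULL: real drift that must fail the gate.
DUMP_AFTER_DRIFT = DUMP_AFTER_SAME.replace(
    "    email character varying(255) NOT NULL\n",
    "    email character varying(255)\n")


def normalize_dump(text: str) -> list:
    """Drop only the dynamic restrict/unrestrict lines; keep everything else verbatim."""
    return [line for line in text.splitlines() if not line.startswith(DYNAMIC_PREFIXES)]


def schema_diff(before: str, after: str) -> list:
    """Strict unified diff of the normalized dumps; an empty list means a clean roundtrip."""
    return list(difflib.unified_diff(normalize_dump(before), normalize_dump(after),
                                     fromfile="before", tofile="after", lineterm=""))


if __name__ == "__main__":
    print("same schema:", schema_diff(DUMP_BEFORE, DUMP_AFTER_SAME) or "no diff")
    print("drift:")
    print("\n".join(schema_diff(DUMP_BEFORE, DUMP_AFTER_DRIFT)))
```

    Filtering by line prefix rather than by regex over the whole dump keeps the comparison strict: a dropped constraint, as in DUMP_AFTER_DRIFT, still produces a non-empty diff and fails the check.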

    Changed

    API Error Handling Standardization (NX-101)

    • Standardized backend error payloads across API failures to a shared structure:
      • code
      • message
      • details
      • request_id
    • Added request ID middleware and centralized exception mapping for consistent 4xx/5xx responses.
    • Replaced ad-hoc HTTPException(detail="...") patterns in key routes with structured error objects.
    • Updated frontend API parsing to reliably consume structured error metadata.

    Runtime Connectivity UX (NX-103)

    • Connectivity/runtime target failures now surface as explicit, actionable target_unreachable handling instead of generic raw failures.
    • Target detail view now renders a clean Target Offline state with context (host, port, optional request_id) and guidance.
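    NX-101 and NX-103 together define the contract: every failure becomes a payload with the four fields code, message, details and request_id, and an unreachable target becomes a specific target_unreachable error carrying host and port. The code below is an added example for this page, not NexaPG's middleware or exception classes; it is framework-agnostic (no FastAPI import) and the class names, status codes and the rule that unknown exceptions get a generic message are assumptions.

```python
"""Structured error payloads with request IDs, modelled on NX-101 and NX-103.

Added example, framework-agnostic; class names and status codes are assumptions."""
import uuid
from typing import Callable, Optional, Tuple


class AppError(Exception):
    """Base for errors the API maps deliberately; message and details are user-safe."""
    status = 500
    code = "internal_error"

    def __init__(self, message: str, details: Optional[dict] = None):
        super().__init__(message)
        self.message = message
        self.details = details or {}


class NotFoundError(AppError):
    status = 404
    code = "not_found"


class TargetUnreachable(AppError):
    """The NX-103 case: the monitored database could not be reached."""
    status = 503
    code = "target_unreachable"

    def __init__(self, host: str, port: int):
        super().__init__(f"Target {host}:{port} is not reachable",
                         {"host": host, "port": port})


def new_request_id() -> str:
    return uuid.uuid4().hex


def error_payload(exc: Exception, request_id: str) -> Tuple[int, dict]:
    """Map any exception to (status, payload) with the shared four-field structure."""
    if isinstance(exc, AppError):
        body = {"code": exc.code, "message": exc.message, "details": exc.details}
    else:
        # Unknown exceptions never leak their text; the request_id links the
        # client-visible error to the full traceback in server logs.
        body = {"code": "internal_error", "message": "Internal server error", "details": {}}
    body["request_id"] = request_id
    return (exc.status if isinstance(exc, AppError) else 500), body


def dispatch(handler: Callable[[], dict], request_id: Optional[str] = None) -> Tuple[int, dict]:
    """Middleware-style wrapper: assign a request ID, run the handler, map failures."""
    request_id = request_id or new_request_id()
    try:
        return 200, {"data": handler(), "request_id": request_id}
    except Exception as exc:  # noqa: BLE001 - this is the central exception mapper
        return error_payload(exc, request_id)


if __name__ == "__main__":
    def probe():  # constructed handler that fails like a down target
        raise TargetUnreachable("db.internal", 5432)
    print(dispatch(probe))
```

    The two branches in error_payload are the security-relevant part: errors the application raised on purpose carry structured details the UI can render (the Target Offline state uses host and port), while anything unexpected is reduced to a generic message so stack traces, connection strings or credentials embedded in exception text never reach the client.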

    Security

    JWT Library Migration (from 0.1.8 scope)

    • Replaced python-jose[cryptography] with PyJWT for token handling.
    • Removed direct ecdsa dependency from backend requirements.
    • Updated JWT exception handling to jwt.InvalidTokenError in auth/validation paths.
    • Removed obsolete packages:
      • python-jose
      • ecdsa
    • JWT signing/verification behavior remains unchanged (same configured algorithm/secret).

    Fixed

    • Reduced periodic false-positive collector freshness warnings caused by polling interval drift.
    • Eliminated noisy generic user-facing failures for expected target-down/network-refused scenarios.
    • Prevented migration CI false negatives caused by dynamic pg_dump restrict token lines.

    Operational Notes

    • No database migration is required specifically for this release content.
    • Rebuild and republish images, then redeploy services.
    • Recommended: mark migration safety CI as a required branch protection check for main.
  • 0.1.8 cd91b20278

    NexaPG 0.1.8 - Critical Security Update
    All checks were successful
    PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
    Docker Publish (Release) / Build and Push Docker Images (release) Successful in 1m27s
    Stable

    nessi released this 2026-02-13 12:24:45 +00:00 | 35 commits to main since this release

    Security

    JWT Library Migration (CVE Reduction)

    • Replaced python-jose[cryptography] with PyJWT for token handling.
    • Removed direct ecdsa dependency from backend requirements.
    • Updated JWT exception handling to jwt.InvalidTokenError in auth/validation paths.

    Dependency Cleanup

    • Removed packages no longer required after JWT migration:
      • python-jose
      • ecdsa

    Implementation Notes

    • JWT signing/verification behavior remains unchanged (same configured algorithm and secret).
    • Existing access/refresh token flow and auth guards continue to work as before.

    Notes

    • No database migration required.
    • Rebuild and republish backend image, then redeploy to apply dependency/security changes.
  • 0.1.7 6848a66d88

    NexaPG 0.1.7 - Backend Security Update
    All checks were successful
    PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 8s
    Docker Publish (Release) / Build and Push Docker Images (release) Successful in 1m32s
    Stable

    nessi released this 2026-02-13 12:10:48 +00:00 | 38 commits to main since this release

    Security

    Backend Dependency Hardening

    • Updated backend framework and security-related Python packages:
      • fastapi -> 0.129.0
      • starlette -> 0.52.1 (explicitly pinned)
      • cryptography -> 46.0.5
      • python-multipart -> 0.0.22
      • ecdsa -> 0.19.1

    Backend Base Image Hardening

    • Updated backend runtime base image:
      • python:3.12-slim -> python:3.13-slim
    • Added OS package security refresh during image build:
      • apt-get update
      • apt-get upgrade -y
      • cleanup of apt lists to keep image lean

    Notes

    • No database migration required.
    • Rebuild and republish backend image, then redeploy to apply all security updates.
  • 0.1.6 88c3345647

    NexaPG 0.1.6 - Performance & Security Update
    All checks were successful
    PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 9s
    PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 8s
    Docker Publish (Release) / Build and Push Docker Images (release) Successful in 1m24s
    Stable

    nessi released this 2026-02-13 11:49:53 +00:00 | 41 commits to main since this release

    Security

    Frontend Runtime Image Hardening

    • Updated frontend runtime base image to Docker Hub recommended tag:
      • nginx:1.29-alpine-slim
    • Kept lightweight Alpine-based runtime footprint for reduced package surface.
    • Applied runtime package refresh during build:
      • apk upgrade --no-cache

    Healthcheck Hardening

    • Frontend container healthcheck now validates Nginx config directly:
      • nginx -t
    • Removed dependency on HTTP fetch tools in healthcheck path.

    Notes

    • No database migration required.
    • Rebuild and republish frontend image, then redeploy to apply security base-image updates.
  • 0.1.5 e62aaaf5a0

    NexaPG 0.1.5 - Security Update
    All checks were successful
    PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
    Docker Publish (Release) / Build and Push Docker Images (release) Successful in 2m7s
    Stable

    nessi released this 2026-02-13 10:22:11 +00:00 | 43 commits to main since this release

    Security

    • Switched frontend image base from Alpine to Debian Bookworm to reduce Alpine-specific CVE exposure in registry scans.
    • Updated build stage:
      • node:22-alpine -> node:22-bookworm-slim
    • Updated runtime stage:
      • nginx:1.29-alpine -> nginx:1.29-bookworm
    • Replaced frontend container healthcheck command:
      • removed wget-based check
      • now uses nginx -t, reducing dependency on BusyBox-style tooling

    Notes

    • No database migration required.
    • Rebuild and republish frontend image (latest and release tag), then redeploy.
  • 0.1.4 6c59b21088

    NexaPG 0.1.4
    All checks were successful
    PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 7s
    PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 8s
    PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 8s
    Docker Publish (Release) / Build and Push Docker Images (release) Successful in 1m13s
    Stable

    nessi released this 2026-02-13 10:11:10 +00:00 | 45 commits to main since this release

    Added

    • User profile fields: first_name, last_name.
    • Admin user creation now supports first and last name.
    • Sidebar profile block now shows full name first (if available), with email below.

    Changed

    • Admin user management UI upgraded with inline editing per user.
    • Admins can now update existing users directly from the table:
      • first name
      • last name
      • email
      • role
      • optional password reset
    • User table now includes a dedicated Name column.

    Fixed

    • Admin user update now validates email uniqueness when changing email.
    • Password update handling in admin edit flow is now robust (empty password does not overwrite hash).

    Backend / API

    • Extended user schemas (UserOut, UserCreate, UserUpdate) with:
      • first_name
      • last_name
    • PUT /api/v1/admin/users/{user_id} supports name/email/role updates plus optional password change.

    Database

    • Added Alembic migration:
      • 0009_user_profile_fields
      • adds users.first_name and users.last_name

    Notes

    • Database migration required for this release (make migrate).
    • After migration, a normal redeploy/restart is sufficient.