12 Releases 12 Tags

RSS Feed

• 0.2.2 1cea82f5d9

  Compare

  NexaPG 0.2.2 - NGINX unprivileged security update Stable

  nessi released this 2026-02-14 16:20:45 +00:00 | 5 commits to main since this release

  Changed

  Frontend Runtime Security Hardening

  • Switched frontend runtime image to an unprivileged NGINX variant:
    • from nginx:1.29-alpine-slim
    • to nginxinc/nginx-unprivileged:stable-alpine
  • Set explicit non-root runtime user in frontend container:
    • USER 101

  Frontend Runtime Port Alignment

  • Updated NGINX listener in frontend runtime config:
    • listen 8080;
  • Updated frontend container port exposure:
    • EXPOSE 8080
  • Updated Docker Compose frontend mapping:
    • from ${FRONTEND_PORT}:80
    • to ${FRONTEND_PORT}:8080

  Why This Release

  • Improves container runtime security posture by running frontend as non-root by default.
  • Aligns deployment with Docker Scout best-practice checks (default non-root user).
  • Keeps external access unchanged (still via FRONTEND_PORT on host), while hardening internal container behavior.

  Notes

  • No database migration required.
  • Rebuild and republish frontend image, then redeploy to apply changes.
  • If using custom reverse-proxy/container configs, ensure upstream points to frontend container port 8080.

  Downloads

  • Source Code (ZIP)
  • Source Code (TAR.GZ)
• 0.2.1 c2e4e614e0

  Compare

  NexaPG 0.2.1 - Alpine image backend update Stable

  nessi released this 2026-02-14 16:03:00 +00:00 | 8 commits to main since this release

  Changed

  Backend Runtime Base Image

  • Switched backend container base image to Alpine by default:
    • from python:3.13-slim
    • to python:3.13-alpine
  • Updated backend Dockerfile to stay cross-compatible for package/user setup logic.

  CI

  Compatibility Workflow Cleanup

  • Removed temporary Alpine-specific backend smoke job after successful validation.
  • Kept PostgreSQL compatibility matrix checks (PG14–PG18).
  • Kept compatibility checks active on development for earlier feedback before merge.

  Why This Release

  • Reduces backend image footprint and package surface.
  • Improves security posture potential by minimizing installed base components.
  • Simplifies CI while keeping core compatibility safeguards in place.

  Notes

  • No database migration required.
  • Rebuild and redeploy backend image to apply the Alpine base switch.
  • Monitor startup/runtime logs after rollout to confirm environment-specific dependency behavior.

  Downloads

  • Source Code (ZIP)
  • Source Code (TAR.GZ)
• 0.2.0 f614eb1cf8

  Compare

  NexaPG 0.2.0 - Reliability hardening milestone update Stable

  nessi released this 2026-02-14 15:32:50 +00:00 | 13 commits to main since this release

  Added

  Reliability and Stability (NX-102)

  • Introduced per-target exponential backoff with jitter in the collector for unreachable databases.
  • Added stronger per-target log throttling to prevent repeated connection-failure log floods.
  • Collector now skips failed targets until their next scheduled retry while continuing to poll healthy targets.
  • Added recovery context logging (after_failures, downtime_seconds) when targets come back online.
  • Improved collector loop cadence (poll_interval - elapsed) to reduce timing drift and transient freshness spikes.
  • Added cleanup of stale collector failure state for removed targets.

  Migration Safety CI Gate (NX-104)

  • Added dedicated migration safety workflow:
    • .github/workflows/migration-safety.yml
  • CI now validates Alembic roundtrip safety:
    • upgrade head -> downgrade -1 -> upgrade head
  • Added schema consistency validation using pg_dump --schema-only before/after roundtrip with strict diff.
  • Normalized dump comparison by filtering dynamic \restrict / \unrestrict lines to avoid false positives.

  Changed

  API Error Handling Standardization (NX-101)

  • Standardized backend error payloads across API failures to a shared structure:
    • code
    • message
    • details
    • request_id
  • Added request ID middleware and centralized exception mapping for consistent 4xx/5xx responses.
  • Replaced ad-hoc HTTPException(detail="...") patterns in key routes with structured error objects.
  • Updated frontend API parsing to reliably consume structured error metadata.

  Runtime Connectivity UX (NX-103)

  • Connectivity/runtime target failures now surface as explicit, actionable target_unreachable handling instead of generic raw failures.
  • Target detail view now renders a clean Target Offline state with context (host, port, optional request_id) and guidance.

  Security

  JWT Library Migration (from 0.1.8 scope)

  • Replaced python-jose[cryptography] with PyJWT for token handling.
  • Removed direct ecdsa dependency from backend requirements.
  • Updated JWT exception handling to jwt.InvalidTokenError in auth/validation paths.
  • Removed obsolete packages:
    • python-jose
    • ecdsa
  • JWT signing/verification behavior remains unchanged (same configured algorithm/secret).

  Fixed

  • Reduced periodic false-positive collector freshness warnings caused by polling interval drift.
  • Eliminated noisy generic user-facing failures for expected target-down/network-refused scenarios.
  • Prevented migration CI false negatives caused by dynamic pg_dump restrict token lines.

  Operational Notes

  • No database migration is required specifically for this release content.
  • Rebuild and republish images, then redeploy services.
  • Recommended: mark migration safety CI as a required branch protection check for main.

  Downloads

  • Source Code (ZIP)
  • Source Code (TAR.GZ)
• 0.1.8 cd91b20278

  Compare

  NexaPG 0.1.8 - Critical Security Update Stable

  nessi released this 2026-02-13 12:24:45 +00:00 | 21 commits to main since this release

  Security

  JWT Library Migration (CVE Reduction)

  • Replaced python-jose[cryptography] with PyJWT for token handling.
  • Removed direct ecdsa dependency from backend requirements.
  • Updated JWT exception handling to jwt.InvalidTokenError in auth/validation paths.

  Dependency Cleanup

  • Removed packages no longer required after JWT migration:
    • python-jose
    • ecdsa

  Implementation Notes

  • JWT signing/verification behavior remains unchanged (same configured algorithm and secret).
  • Existing access/refresh token flow and auth guards continue to work as before.

  Notes

  • No database migration required.
  • Rebuild and republish backend image, then redeploy to apply dependency/security changes.

  Downloads

  • Source Code (ZIP)
  • Source Code (TAR.GZ)
• 0.1.7 6848a66d88

  Compare

  NexaPG 0.1.7 - Backend Security Update Stable

  nessi released this 2026-02-13 12:10:48 +00:00 | 24 commits to main since this release

  Security

  Backend Dependency Hardening

  • Updated backend framework and security-related Python packages:
    • fastapi -> 0.129.0
    • starlette -> 0.52.1 (explicitly pinned)
    • cryptography -> 46.0.5
    • python-multipart -> 0.0.22
    • ecdsa -> 0.19.1

  Backend Base Image Hardening

  • Updated backend runtime base image:
    • python:3.12-slim -> python:3.13-slim
  • Added OS package security refresh during image build:
    • apt-get update
    • apt-get upgrade -y
    • cleanup of apt lists to keep image lean

  Notes

  • No database migration required.
  • Rebuild and republish backend image, then redeploy to apply all security updates.

  Downloads

  • Source Code (ZIP)
  • Source Code (TAR.GZ)
• 0.1.6 88c3345647

  Compare

  NexaPG 0.1.6 - Performance & Security Update Stable

  nessi released this 2026-02-13 11:49:53 +00:00 | 27 commits to main since this release

  Security

  Frontend Runtime Image Hardening

  • Updated frontend runtime base image to Docker Hub recommended tag:
    • nginx:1.29-alpine-slim
  • Kept lightweight Alpine-based runtime footprint for reduced package surface.
  • Applied runtime package refresh during build:
    • apk upgrade --no-cache

  Healthcheck Hardening

  • Frontend container healthcheck now validates Nginx config directly:
    • nginx -t
  • Removed dependency on HTTP fetch tools in healthcheck path.

  Notes

  • No database migration required.
  • Rebuild and republish frontend image, then redeploy to apply security base-image updates.

  Downloads

  • Source Code (ZIP)
  • Source Code (TAR.GZ)
• 0.1.5 e62aaaf5a0

  Compare

  NexaPG 0.1.5 - Security Update Stable

  nessi released this 2026-02-13 10:22:11 +00:00 | 29 commits to main since this release

  Security

  • Switched frontend image base from Alpine to Debian Bookworm to reduce Alpine-specific CVE exposure in registry scans.
  • Updated build stage:
    • node:22-alpine -> node:22-bookworm-slim
  • Updated runtime stage:
    • nginx:1.29-alpine -> nginx:1.29-bookworm
  • Replaced frontend container healthcheck command:
    • removed wget-based check
    • now uses nginx -t, reducing dependency on BusyBox-style tooling

  Notes

  • No database migration required.
  • Rebuild and republish frontend image (latest and release tag), then redeploy.

  Downloads

  • Source Code (ZIP)
  • Source Code (TAR.GZ)
• 0.1.4 6c59b21088

  Compare

  NexaPG 0.1.4 Stable

  nessi released this 2026-02-13 10:11:10 +00:00 | 31 commits to main since this release

  Added

  • User profile fields: first_name, last_name.
  • Admin user creation now supports first and last name.
  • Sidebar profile block now shows full name first (if available), with email below.

  Changed

  • Admin user management UI upgraded with inline editing per user.
  • Admins can now update existing users directly from the table:
    • first name
    • last name
    • email
    • role
    • optional password reset
  • User table now includes a dedicated Name column.

  Fixed

  • Admin user update now validates email uniqueness when changing email.
  • Password update handling in admin edit flow is now robust (empty password does not overwrite hash).

  Backend / API

  • Extended user schemas (UserOut, UserCreate, UserUpdate) with:
    • first_name
    • last_name
  • PUT /api/v1/admin/users/{user_id} supports name/email/role updates plus optional password change.

  Database

  • Added Alembic migration:
    • 0009_user_profile_fields
    • adds users.first_name and users.last_name

  Notes

  • Database migration required for this release (make migrate).
  • After migration, a normal redeploy/restart is sufficient.

  Downloads

  • Source Code (ZIP)
  • Source Code (TAR.GZ)
• 0.1.3 75f8106ca5

  Compare

  NexaPG 0.1.3 Stable

  nessi released this 2026-02-13 09:14:17 +00:00 | 34 commits to main since this release

  Fixed

  • Query Insights: selected query no longer jumps to another/latest row after background refresh.
  • Stabilized selection logic by preserving selected item via queryid across data reloads.

  Technical

  • Query Insights refresh flow now uses stable references to avoid unintended re-selection on rerender/token refresh.
  • Selection fallback now only applies when the previously selected query no longer exists in refreshed data.

  Notes

  • No database migration required.
  • Safe patch release; redeploy/restart is sufficient.

  Downloads

  • Source Code (ZIP)
  • Source Code (TAR.GZ)
• 0.1.2 07a7236282

  Compare

  NexaPG 0.1.2 Stable

  nessi released this 2026-02-13 08:36:24 +00:00 | 39 commits to main since this release

  Added

  • New User Settings entry in the sidebar (above Logout).
  • New User Settings page at /user-settings.
  • User self-service password change flow:
    • current password verification
    • new password + confirmation
    • minimum length validation

  Backend

  • Added endpoint:
    • POST /api/v1/me/password
  • Password change security behavior:
    • rejects invalid current password
    • rejects reusing the same password
    • stores new password hashed (Argon2)
  • Added audit log event:
    • auth.password_change
  • Added request schema:
    • UserPasswordChange

  Frontend

  • New UserSettingsPage with clear error/success feedback.
  • New profile action button styling (User Settings) integrated with existing sidebar design.

  UX / Service Information Improvements

  • Automatic update checks every 30 seconds while logged in.
  • Service Information navigation button now highlights (yellow) when an update is available.
  • Service Information page visual refresh for clearer update status presentation.
  • Removed noisy audit logging for automatic service update checks.

  Release / Version Control Policy

  • Version display remains maintainer-controlled in code.
  • Update checks remain tied to official upstream release source.

  Notes

  • No DB migration required specifically for the password-change feature.
  • If upgrading from 0.1.1, normal redeploy/restart is sufficient.

  Downloads

  • Source Code (ZIP)
  • Source Code (TAR.GZ)