Skip to content
Release history

Changelog

11 releases shipped — every feature, fix, and security improvement on the record. Latest: v0.9.7 on 2026-05-14.

Showing 11 releases matching any change

  1. v0.9.7

    2026-05-14

    Latest4 changes
    • fixedPackaged builds rendered unstyled — the static-export HTTP server inside the Electron main process rejected any pathname containing `..` as a traversal attempt, which also matched Turbopack's content-hashed CSS chunk filenames, so the renderer 403'd its own stylesheet. The check is now per-segment (only literal `..`/`.` segments are rejected), and AppImage / deb / rpm / flatpak builds look the same as dev again
    • addedARCHITECTURE.md (326 lines) — system diagram, renderer & backend layout, HTTP API contract, project layout, build-from-source, VM-testing harness, pre-commit checks, contributing guide, and the release process
    • changedREADME rewrite — social-card hero, CI / release / downloads / license badges, "Why ProtonShift?" intro, consolidated install section with copy-pasteable per-format commands (AppImage, deb, dnf, zypper, flatpak), and a roadmap
    • changedVersion bumped in all six sources (Electron, renderer, Python __version__, AppStream metainfo, issue template, nav-bar fallback); zero open Dependabot alerts
  2. v0.9.6

    2026-05-13

    3 changes
    • securityNext.js 16.2.3 → 16.2.6 — closes 13 CVEs including high-severity proxy bypasses (segment-prefetch, Pages-Router i18n, dynamic-route params), SSRF on WebSocket upgrades, and two DoS vectors, plus medium CSP-nonce and beforeInteractive XSS issues
    • securityTransitive overrides — postcss ≥8.5.10 (XSS via unescaped </style>), ip-address ≥10.1.1, and @xmldom/xmldom ≥0.8.13 (3 high CVEs, build-time only); overrides are pinned narrowly so they auto-disengage once upstreams ship the patched floor
    • changedSecurity maintenance release closing all 18 open Dependabot alerts — no functional changes. The renderer ships as a static export inside Electron, so Next's server-runtime attack surface isn't reachable, but bundled versions are patched anyway
  3. v0.9.5

    2026-05-13

    7 changes
    • addedScopeBuddy — dedicated page with a KV editor for the global scb.conf, per-game overrides under scb.conf.d/, and detection toasts in the Gamescope builder
    • addedCommand palette — Ctrl+K anywhere for cross-page navigation, game search focus, and common actions
    • addedLive gamepad tester on the Controllers page — every button, axis, and trigger in real time, with a rumble test
    • changedGame detail rebuilt as a KPI strip + tabs + profiles menu; renderer-wide HeroUI v3 polish with semantic tokens replacing ad-hoc opacity classes
    • addedNew scopebuddy backend module and /scopebuddy API routes (detect, read, write KV overrides); hardening across gamescope, protontricks, presets, steam, and tool_check; API state/model split for testability (103 tests passing)
    • addedvm-test/ harness — packaged builds exercised against real distros via Quickemu: Ubuntu 24.04, Fedora 41, Debian 12, CachyOS, openSUSE Tumbleweed, and Bazzite
    • fixedNavbar version now reads app.getVersion() over IPC — no more stale v0.1 brand string drifting behind releases
  4. v0.9.0

    2026-04-18

    6 changes
    • fixedAppImage compatibility, fixed for real — _vendor_compat.py now mutates sys.path in memory instead of trying to delete bundled pydantic_core from read-only squashfs, so AppImage users on a different Python minor version silently fall back to the system copy; the PYTHONNOUSERSITE="" foot-gun in electron/main.ts was removed
    • securityTwo critical command-injection fixes — protontricks.py (whitelist Steam App ID + winetricks verb) and display.py set_resolution (whitelist monitor name, bound width/height/refresh)
    • securityPer-launch bearer-token auth on every API endpoint, CORS narrowed to 127.0.0.1/localhost, --print-token removed so credentials stay out of journald, and defense-in-depth validate_user_path() inside prefix and save operations
    • changedAtomic writes everywhere — all config / VDF / env / profile / MangoHud / Heroic writes go through tempfile + fsync + os.replace, VDF endpoints refuse to write while Steam is running, and a centralized path sanitizer rejects .., null bytes, and anything outside user-writable roots; backup/restore hardened against zip-slip
    • changedThe 1183-line api.py decomposed into an api/ package with 8 domain routers (games, system, saves, mangohud, heroic, profiles, utility, health); real SDL controller GUIDs; TTL cache on Steam discovery; dead GTK4 UI deleted
    • addedFirst real test suite — 96 cases (was 0) covering VDF round-trip, env vars, gamescope arg building, controllers, path sanitizing, vendor-compat, and injection whitelists; ruff and pyright both clean
  5. v0.8.11

    2026-04-18

    2 changes
    • fixedAppImage crash on Python 3.13 systems (CachyOS, Arch) — vendored pydantic_core was compiled for 3.12 and failed with ModuleNotFoundError on ABI mismatch; a startup compatibility layer now detects mismatched native extensions and falls back to system packages (#13)
    • changedCI pins Python 3.12 via actions/setup-python; python3-pydantic added as a .deb/.rpm dependency; vendor script cleans __pycache__ and dist-info bloat