Changelog
11 releases shipped — every feature, fix, and security improvement on the record. Latest: v0.9.7 on 2026-05-14.
Showing 11 releases matching any change
v0.9.7
2026-05-14
Latest4 changes- fixedPackaged builds rendered unstyled — the static-export HTTP server inside the Electron main process rejected any pathname containing `..` as a traversal attempt, which also matched Turbopack's content-hashed CSS chunk filenames, so the renderer 403'd its own stylesheet. The check is now per-segment (only literal `..`/`.` segments are rejected), and AppImage / deb / rpm / flatpak builds look the same as dev again
- addedARCHITECTURE.md (326 lines) — system diagram, renderer & backend layout, HTTP API contract, project layout, build-from-source, VM-testing harness, pre-commit checks, contributing guide, and the release process
- changedREADME rewrite — social-card hero, CI / release / downloads / license badges, "Why ProtonShift?" intro, consolidated install section with copy-pasteable per-format commands (AppImage, deb, dnf, zypper, flatpak), and a roadmap
- changedVersion bumped in all six sources (Electron, renderer, Python __version__, AppStream metainfo, issue template, nav-bar fallback); zero open Dependabot alerts
v0.9.6
2026-05-13
3 changes- securityNext.js 16.2.3 → 16.2.6 — closes 13 CVEs including high-severity proxy bypasses (segment-prefetch, Pages-Router i18n, dynamic-route params), SSRF on WebSocket upgrades, and two DoS vectors, plus medium CSP-nonce and beforeInteractive XSS issues
- securityTransitive overrides — postcss ≥8.5.10 (XSS via unescaped </style>), ip-address ≥10.1.1, and @xmldom/xmldom ≥0.8.13 (3 high CVEs, build-time only); overrides are pinned narrowly so they auto-disengage once upstreams ship the patched floor
- changedSecurity maintenance release closing all 18 open Dependabot alerts — no functional changes. The renderer ships as a static export inside Electron, so Next's server-runtime attack surface isn't reachable, but bundled versions are patched anyway
v0.9.5
2026-05-13
7 changes- addedScopeBuddy — dedicated page with a KV editor for the global scb.conf, per-game overrides under scb.conf.d/, and detection toasts in the Gamescope builder
- addedCommand palette — Ctrl+K anywhere for cross-page navigation, game search focus, and common actions
- addedLive gamepad tester on the Controllers page — every button, axis, and trigger in real time, with a rumble test
- changedGame detail rebuilt as a KPI strip + tabs + profiles menu; renderer-wide HeroUI v3 polish with semantic tokens replacing ad-hoc opacity classes
- addedNew scopebuddy backend module and /scopebuddy API routes (detect, read, write KV overrides); hardening across gamescope, protontricks, presets, steam, and tool_check; API state/model split for testability (103 tests passing)
- addedvm-test/ harness — packaged builds exercised against real distros via Quickemu: Ubuntu 24.04, Fedora 41, Debian 12, CachyOS, openSUSE Tumbleweed, and Bazzite
- fixedNavbar version now reads app.getVersion() over IPC — no more stale v0.1 brand string drifting behind releases
v0.9.0
2026-04-18
6 changes- fixedAppImage compatibility, fixed for real — _vendor_compat.py now mutates sys.path in memory instead of trying to delete bundled pydantic_core from read-only squashfs, so AppImage users on a different Python minor version silently fall back to the system copy; the PYTHONNOUSERSITE="" foot-gun in electron/main.ts was removed
- securityTwo critical command-injection fixes — protontricks.py (whitelist Steam App ID + winetricks verb) and display.py set_resolution (whitelist monitor name, bound width/height/refresh)
- securityPer-launch bearer-token auth on every API endpoint, CORS narrowed to 127.0.0.1/localhost, --print-token removed so credentials stay out of journald, and defense-in-depth validate_user_path() inside prefix and save operations
- changedAtomic writes everywhere — all config / VDF / env / profile / MangoHud / Heroic writes go through tempfile + fsync + os.replace, VDF endpoints refuse to write while Steam is running, and a centralized path sanitizer rejects .., null bytes, and anything outside user-writable roots; backup/restore hardened against zip-slip
- changedThe 1183-line api.py decomposed into an api/ package with 8 domain routers (games, system, saves, mangohud, heroic, profiles, utility, health); real SDL controller GUIDs; TTL cache on Steam discovery; dead GTK4 UI deleted
- addedFirst real test suite — 96 cases (was 0) covering VDF round-trip, env vars, gamescope arg building, controllers, path sanitizing, vendor-compat, and injection whitelists; ruff and pyright both clean
v0.8.11
2026-04-18
2 changes- fixedAppImage crash on Python 3.13 systems (CachyOS, Arch) — vendored pydantic_core was compiled for 3.12 and failed with ModuleNotFoundError on ABI mismatch; a startup compatibility layer now detects mismatched native extensions and falls back to system packages (#13)
- changedCI pins Python 3.12 via actions/setup-python; python3-pydantic added as a .deb/.rpm dependency; vendor script cleans __pycache__ and dist-info bloat