What’s New
What’s New
More detailed information about changes in each version can be found in GitHub Releases.
v2.0.2
- 🔒 Security hardening: Closed several static-analysis findings — HMAC-based (instead of plain SHA-256) direct-auth pool cache keys, an explicit containment check for static file serving, HTML-escaping of the SSE Tester’s login status text, a URL-scheme allowlist for docs-site search result links, and least-privilege permissions on the CI workflow.
- 📦 Dependency updates: Upgraded all Go dependencies, including
gin-gonic/ginto v1.12.0 andlib/pqto v1.12.3 (now requires Go 1.25). - 🌐 3 new languages: The documentation site is now available in Polish, Ukrainian, and Greek — 10 languages total.
v2.0.1
- 🔒 Security fix: Upgraded the transitive HTTP/3 dependency
quic-goto v0.59.1, closing a QPACK trailer expansion vulnerability that could let a malicious peer exhaust memory on the server or client. - 🎨 Docs site polish: New light/dark/auto theme switcher and icon-only language switcher, GitHub/Support icon links in the navbar, fixed double-encoded JSON-LD structured data, and an expanded
llms.txt.
v2.0.0
- 🔒 Secure defaults (breaking):
DB_SSLMODEnow defaults torequire,ALLOWED_ORIGINSno longer defaults to*, andJWT_SECRETmust be at least 32 bytes. Existing deployments must review their configuration before upgrading. - 🧹 Legacy cleanup: Removed the
/api/…and/sse/…redirect routes and the deprecated JSON-RPCloginalias. Use/{prefix}/:database/…andget_jwtdirectly. - 🛡️ Tighter auth & error handling: New per-IP login rate limit (
LOGIN_RATE_LIMIT_PER_IP) closes a credential-spraying gap, and MCP tool errors no longer leak raw PostgreSQL error text by default (opt back in withMCP_SQL_ERROR_DETAIL). - ⚙️ Configurable connection limits: The direct-auth connection pool cap is now configurable via
DIRECT_POOL_LIMIT. - 🔑 External IdP support (BYO JWT): New
JWT_ISSUER,JWT_AUDIENCE, andJWT_LEEWAYsettings bind issued tokens to a specific issuer/audience and tune clock-skew tolerance. - 🧰 New tools: A standalone JWT Getter (
/tools/get-jwt) and SSE Tester (/tools/test-sse) join the Explorer for quick manual testing. - 🐛 Reliability fixes: Fixed a stuck SSE shutdown and a dead-connection recovery bug that could leave the server unable to reconnect to PostgreSQL.
- 🧪 CI hardening: Added
golangci-lint, the Go race detector, andgovulncheckto every build, plus expanded test coverage. - 📦 Release process: Added
CHANGELOG.mdand split the release workflow intomake release-local(build & verify) andmake release(tag, publish, update the Homebrew tap).
v1.3.0
- 🌐 PgArachne Explorer – modern PWA: Complete visual & functional refresh – dark/light theme (auto), responsive cards layout, JSON syntax highlighting, copy-to-clipboard button, better auth UX (password/token tabs), PWA install support (manifest, icons, service worker), shareable links via
?url=…parameter. - 🛠️ Model Context Protocol (MCP) support: New endpoint
/{prefix}/{db}/mcpwith standard methodsresources/list,resources/read,prompts/list,prompts/get– fully backed by PostgreSQL functions and reusing existing auth & role switching. - 🔧 Configurable API prefix: Default changed to
/db/{database}/jsonrpcand/db/{database}/sse, with the legacy/api/…and/sse/…paths kept as 307 redirects for backward compatibility. Controlled via theAPI_PREFIXenvironment variable. - 🛡️ Idempotency protection: Optional
idempotencyKeyfield in JSON-RPC requests – automatic duplicate detection (HTTP 409 + error code on collision) usingpgarachne.save_idempotency_key(). - 📚 Documentation improvements: New /tools/ section with cards (Explorer + upcoming macOS Toolbar), new page “Architectural Decisions”, SECURITY.md with vulnerability reporting instructions, better typography across all languages via TypoLima, improved 404 page support for GitHub Pages.
- 📝 Login method rename: JSON-RPC method
loginrenamed toget_jwt(old name kept as deprecated alias with warning in logs). - 📊 Logging cleanup: When logging to file, console shows only minimal startup info → cleaner output in production/docker environments.
v1.2.0
- 🛡️ Security: Access token validation now occurs before establishing a database connection. Improved protection against IP spoofing (added
TRUSTED_PROXIESsetting) and hiding internal database errors from end users. - 📊 Isolated Metrics: The Prometheus
/metricsendpoint moved from the public API to its own secure port (by default available only on127.0.0.1:9090). - 📦 New Installation Option: The project now has an official Homebrew tap for macOS and Linux. Builds are signed and generated via GoReleaser.
- 📚 Redesigned Documentation: Completely new look built on the Hugo framework. Added lightning-fast full-text search, code copying capabilities, and production deployment examples (Nginx hardening, BYO JWT).
- ⚙️ Improved Daemon Management: Added support for custom
PID_FILEpath configuration.
v1.1.0
- 🔌 Unified API: All calls go through
POST /api/<db>(the called method is specified in the JSON-RPC body). - ⚡ Real-time Notifications: New endpoint
GET /sse/<db>?channels=...for listening to database events with multi-channel support. - 📈 Observability: Detailed Prometheus metrics for HTTP, auth, JSON-RPC, and SSE.
- 🏋️ Major Stability Improvements: Protection against slow clients, strict timeouts, and automatic connection cleanup.