What’s New

4 min read

What’s New

More detailed information about changes in each version can be found in GitHub Releases.

v2.0.2

  • 🔒 Security hardening: Closed several static-analysis findings — HMAC-based (instead of plain SHA-256) direct-auth pool cache keys, an explicit containment check for static file serving, HTML-escaping of the SSE Tester’s login status text, a URL-scheme allowlist for docs-site search result links, and least-privilege permissions on the CI workflow.
  • 📦 Dependency updates: Upgraded all Go dependencies, including gin-gonic/gin to v1.12.0 and lib/pq to v1.12.3 (now requires Go 1.25).
  • 🌐 3 new languages: The documentation site is now available in Polish, Ukrainian, and Greek — 10 languages total.

v2.0.1

  • 🔒 Security fix: Upgraded the transitive HTTP/3 dependency quic-go to v0.59.1, closing a QPACK trailer expansion vulnerability that could let a malicious peer exhaust memory on the server or client.
  • 🎨 Docs site polish: New light/dark/auto theme switcher and icon-only language switcher, GitHub/Support icon links in the navbar, fixed double-encoded JSON-LD structured data, and an expanded llms.txt.

v2.0.0

  • 🔒 Secure defaults (breaking): DB_SSLMODE now defaults to require, ALLOWED_ORIGINS no longer defaults to *, and JWT_SECRET must be at least 32 bytes. Existing deployments must review their configuration before upgrading.
  • 🧹 Legacy cleanup: Removed the /api/… and /sse/… redirect routes and the deprecated JSON-RPC login alias. Use /{prefix}/:database/… and get_jwt directly.
  • 🛡️ Tighter auth & error handling: New per-IP login rate limit (LOGIN_RATE_LIMIT_PER_IP) closes a credential-spraying gap, and MCP tool errors no longer leak raw PostgreSQL error text by default (opt back in with MCP_SQL_ERROR_DETAIL).
  • ⚙️ Configurable connection limits: The direct-auth connection pool cap is now configurable via DIRECT_POOL_LIMIT.
  • 🔑 External IdP support (BYO JWT): New JWT_ISSUER, JWT_AUDIENCE, and JWT_LEEWAY settings bind issued tokens to a specific issuer/audience and tune clock-skew tolerance.
  • 🧰 New tools: A standalone JWT Getter (/tools/get-jwt) and SSE Tester (/tools/test-sse) join the Explorer for quick manual testing.
  • 🐛 Reliability fixes: Fixed a stuck SSE shutdown and a dead-connection recovery bug that could leave the server unable to reconnect to PostgreSQL.
  • 🧪 CI hardening: Added golangci-lint, the Go race detector, and govulncheck to every build, plus expanded test coverage.
  • 📦 Release process: Added CHANGELOG.md and split the release workflow into make release-local (build & verify) and make release (tag, publish, update the Homebrew tap).

v1.3.0

  • 🌐 PgArachne Explorer – modern PWA: Complete visual & functional refresh – dark/light theme (auto), responsive cards layout, JSON syntax highlighting, copy-to-clipboard button, better auth UX (password/token tabs), PWA install support (manifest, icons, service worker), shareable links via ?url=… parameter.
  • 🛠️ Model Context Protocol (MCP) support: New endpoint /{prefix}/{db}/mcp with standard methods resources/list, resources/read, prompts/list, prompts/get – fully backed by PostgreSQL functions and reusing existing auth & role switching.
  • 🔧 Configurable API prefix: Default changed to /db/{database}/jsonrpc and /db/{database}/sse, with the legacy /api/… and /sse/… paths kept as 307 redirects for backward compatibility. Controlled via the API_PREFIX environment variable.
  • 🛡️ Idempotency protection: Optional idempotencyKey field in JSON-RPC requests – automatic duplicate detection (HTTP 409 + error code on collision) using pgarachne.save_idempotency_key().
  • 📚 Documentation improvements: New /tools/ section with cards (Explorer + upcoming macOS Toolbar), new page “Architectural Decisions”, SECURITY.md with vulnerability reporting instructions, better typography across all languages via TypoLima, improved 404 page support for GitHub Pages.
  • 📝 Login method rename: JSON-RPC method login renamed to get_jwt (old name kept as deprecated alias with warning in logs).
  • 📊 Logging cleanup: When logging to file, console shows only minimal startup info → cleaner output in production/docker environments.

v1.2.0

  • 🛡️ Security: Access token validation now occurs before establishing a database connection. Improved protection against IP spoofing (added TRUSTED_PROXIES setting) and hiding internal database errors from end users.
  • 📊 Isolated Metrics: The Prometheus /metrics endpoint moved from the public API to its own secure port (by default available only on 127.0.0.1:9090).
  • 📦 New Installation Option: The project now has an official Homebrew tap for macOS and Linux. Builds are signed and generated via GoReleaser.
  • 📚 Redesigned Documentation: Completely new look built on the Hugo framework. Added lightning-fast full-text search, code copying capabilities, and production deployment examples (Nginx hardening, BYO JWT).
  • ⚙️ Improved Daemon Management: Added support for custom PID_FILE path configuration.

v1.1.0

  • 🔌 Unified API: All calls go through POST /api/<db> (the called method is specified in the JSON-RPC body).
  • Real-time Notifications: New endpoint GET /sse/<db>?channels=... for listening to database events with multi-channel support.
  • 📈 Observability: Detailed Prometheus metrics for HTTP, auth, JSON-RPC, and SSE.
  • 🏋️ Major Stability Improvements: Protection against slow clients, strict timeouts, and automatic connection cleanup.