Releases: yellowcooln/meshcore-mqtt-dashboard
Release list
v1.3.3
v1.3.3
This release focuses on security hardening, dependency maintenance, and CI/CD improvements.
Highlights
Security
- Hardened the dashboard against CVE-2026-45323-style stored XSS attacks from untrusted MeshCore/MQTT data.
- Reviewed and validated rendering paths across the dashboard, traffic page, and battery information views.
- Added regression tests covering malicious metadata, node fields, retained traffic data, and decoded message content.
Dependencies
- Updated safe non-major Python dependencies.
- Verified Node dependencies are current.
npm audit --audit-level=lowreports zero vulnerabilities.
CI/CD
-
Synced
devwithmainwhile preserving the self-hosted Docker build workflow. -
Docker builds now run on:
- Pushes to
main - Pushes to
dev - Pull requests targeting
main - Version tags (
v*) - Manual workflow dispatches
- Pushes to
-
Pull request validation now builds Docker images without requiring Docker Hub credentials or publishing artifacts.
Other Changes
- Updated application version to
v1.3.3. - Refreshed release documentation and changelog entries.
Validation
- Full test suite passed (
33 passed). - GitHub Actions test workflow passed.
- Docker build workflow completed successfully on the self-hosted runner.
See CHANGES.MD for the complete list of changes.
What's Changed
- Use self-hosted runner for Docker publish and improve XSS coverage by @yellowcooln in #9
Full Changelog: v1.3.2...v1.3.3
v1.3.2 - CPU Reduction and Docker Publishing
v1.3.2 focuses on reducing unnecessary runtime overhead and improving deployment options.
This release reduces idle CPU work in the MQTT hot path. When battery telemetry is disabled, the dashboard now skips the battery decode path entirely. It also avoids building websocket stats, traffic summaries, and broadcast queue work when no dashboard clients are connected.
For the write-heavy SQLite path, the app now uses:
journal_mode=WALsynchronous=NORMALtemp_store=MEMORY
to reduce database overhead under sustained message traffic.
This release also improves distribution and deployment support. A GitHub Actions Docker publish workflow is now included, and the published image is documented as:
yellowcooln/meshcore-mqtt-dashboard
The README now includes practical examples for:
- Pulling the published image
- Running with
docker run - Using the image in
docker compose
Validation
- Automated test suite passing
- Added regression coverage for new hot-path guards
What's Changed
- Bump cryptography from 46.0.6 to 46.0.7 by @dependabot[bot] in #6
- Bump pytest from 8.3.5 to 9.0.3 by @dependabot[bot] in #7
- Enhance Docker support and optimize MQTT performance by @yellowcooln in #8
Full Changelog: v1.3.1...v1.3.2
v1.3.1 - Optional Battery Telemetry Dashboard
v1.3.1 adds an optional battery telemetry dashboard and the supporting decode pipeline behind it.
This release introduces a new public /batteryinfo page for decoded channel-based battery reports. It charts retained battery telemetry, shows the latest decoded values per sender, and keeps the page fast by persisting decoded events in SQLite instead of rescanning the full packet table on every load.
Battery info is fully opt-in. Fresh installs keep it disabled by default, and the page stays hidden unless it is explicitly enabled and configured with a channel key. The feature also has its own retention window and channel display controls, so it can be managed independently from the main packet retention settings.
This release also moves battery decoding to the official @michaelhart/meshcore-decoder package.
Included in v1.3.1
- New optional public
/batteryinfopage - Decoded battery telemetry charts and recent decoded reports
- SQLite-backed
batteryinfo_eventspersistence with retained-packet backfill - Battery-specific environment controls:
BATTERYINFO_ENABLEDBATTERYINFO_CHANNEL_NAMEBATTERYINFO_SHOW_CHANNEL_NAMEBATTERYINFO_RETENTION_SECONDSBATTERYINFO_CHANNEL_KEY
- Default battery feature state set to off in
.env.example - Switched battery decoding to official
@michaelhart/meshcore-decoder - Added automated tests for battery decode, persistence, and disabled-route behavior
Live Example
A live example can be found at the Boston MQTT Dashboard.
v1.3.0 - Traffic Dashboard and Presence Accuracy
v1.3.0
v1.3.0 adds a dedicated traffic dashboard and improves live node accuracy.
This release introduces a new public /traffic page that shows retained packet activity across the full retention window. It includes route and payload charts, top talkers, and burst detection so operators can see not just who is online, but what the network is actually doing over time.
Traffic history is now persisted in SQLite and rebuilt from retained packet data when needed, so the page survives restarts without losing context.
Role inference is also improved. The dashboard now uses MQTT payload hints from /status and /internal messages before falling back to name-based matching, improving classification for repeaters, observers, room systems, and MQTT-connected infrastructure.
This release also fixes a presence bug caused by retained /internal MQTT messages. Those retained startup replays no longer create ghost online nodes, resulting in more accurate node counts after reconnects and restarts.
Included in v1.3.0
- New public
/trafficpage - Retained route and payload traffic charts
- Top talkers and burst detection views
- SQLite-backed traffic history persistence
- Improved role inference from MQTT payload metadata
- Fix for ghost online nodes caused by retained
/internalmessages - Startup console log showing the running app version
v1.2.1 focuses on deployment cleanup and dashboard presentation improvements.
Release Summary
This release adds DASH_BROKER_HOST, allowing administrators to show a clean public broker label in the dashboard without changing the actual MQTT connection target.
The application can still connect to an internal Docker address such as host.docker.internal, while the UI displays a public-facing endpoint like broker.example.net:443. The override is rendered exactly as provided.
This release also simplifies Docker configuration. docker-compose.yaml now loads runtime settings from .env using env_file, instead of duplicating the environment list directly in the Compose file. This reduces configuration drift and makes local overrides easier.
Highlights
- Added
DASH_BROKER_HOSTfor display-only broker endpoint overrides - Simplified
docker-compose.yamlto load runtime configuration from.env - Updated documentation to reflect the new broker display override and Compose behavior
New Environment Variable
DASH_BROKER_HOST— optional broker endpoint shown in the dashboard UI only
Validation
- Pytest suite passing
v1.2.0
v1.2.0 — 2026-03-03
Added
- Server-rendered share/embed metadata on
/so previews use live configuration values. - Wired
title,og:title, andtwitter:titletoDASH_TITLE. - Optional favicon support via
DASH_LOGO_URL(.png,.jpg,.jpeg). - Optional external header button controlled by environment variables with URL validation.
- Pytest test suite (
tests/) covering:- API authentication
- index metadata and favicon rendering
- redaction behavior
- GitHub Actions CI test workflow at
.github/workflows/tests.ymlfor PRs and pushes. - Documentation updates covering:
- embed behavior
- external link configuration
- manual verification steps.
Environment Variables
-
DASH_LOGO_URL
Optional favicon URL or path (.png,.jpg,.jpeg). -
DASH_EXTERNAL_URL
Optional external header button URL (must behttporhttps). -
DASH_EXTERNAL_LABEL
Label for the external header button (default:External).