Fix Release v0.1.5

I totally messed up the releases this week and I am trying to get things fixed. I know that the latest release shows main for the version and that the upgrade indicator won't stop blinking. Previous fixes didn't help so I am stepping up the release to see if this fixes the issue. A new version should be built and the correct version should then be shown and released.

Release v0.1.4

This release is fairly uneventful but still worthy of a release. Continuing on the work to make sure that packages are updated, fixable vulnerabilities are patched and GitHub actions are run with care and provide the information needed. I had noticed an issue when running local-only (on the NTP server) that the gpspipe data kept disappearing so I made a change to refresh the data on a tab change for both local and remote connections.

What's Changed 💡

• GPS polling logic: Increased timeout, improved partial-output parsing, and ensured robust polling for both local and remote modes.
• Dockerfile: Added all required Alpine build dependencies (build-base, libffi-dev, openssl-dev, python3-dev) to resolve cffi/cryptography install issues and ensure consistent builds.

What was fixed 🛠️

• Resolved GPS polling dropouts and ensured dashboard stability when switching tabs or modes.
• Addressed Docker build failures related to Python native dependencies.
• Confirmed no regressions in dashboard polling, tab switching, or client listing.

What was updated 💾

• Security workflows: Forced Node.js 24 for all GitHub Actions due to Node.js 20 deprecation.
• Integrated and validated grype scans; confirmed that critical CVEs (notably CVE-2025-67268 in gpspipe) are non-fixable and mitigated by default (gpsd not installed unless explicitly enabled).
• All PRs merged and workflows passing for this release.

Weekly Security Scan Report

• Generated: 2026-04-15 12:14 UTC
• Target branch scanned: pre-update-release
• Grype image tag used: v0.111.0

Release Notes Summary

• Total findings across all scans: 35
• Critical findings: 2
• High findings: 8
• Medium findings: 23

Vulnerability Summary

Scan Target	Total	Critical	High	Medium	Low	Negligible	Unknown
Repository source	0	0	0	0	0	0	0
Local image build	35	2	8	23	1	1	0
Latest released image	0	0	0	0	0	0	0

What's Changed

• Bump actions/download-artifact from 5 to 8 by @dependabot[bot] in #111
• Bump python from 3.14.3-alpine3.22 to 3.15.0a8-alpine3.22 by @dependabot[bot] in #112
• Bump actions/github-script from 8 to 9 by @dependabot[bot] in #113
• Fix GPS local refresh dropout stability by @NightHawkATL in #114
• Weekly merge from pre-update-release to main (wk3) by @NightHawkATL in #115
• Revert "Weekly merge from pre-update-release to main (wk3)" by @NightHawkATL in #116
• Weekly Pre-Update-Release to Main merge (wk3) by @NightHawkATL in #117

Full Changelog: v0.1.3...v0.1.4

Fix Release v0.1.3

Now that all of the Remote SSH connectivity is fixed, I wanted to make sure that the Local deployment gets the same treatment. I did some testing with my NTP server on a Raspberry Pi 4 and noticed the clients list was empty and it was giving an error. This has been fixed and the compose YAML has been updated to reflect needing a new bind mount volume for /run/chrony:/run/chrony. There were fixes made to how the image is built to maintain the update path and make sure that any vulnerabilities are handled with the fix versions in a timely manner. Another release with lots of small tweaks but ending in a more stable release with a few fixes and better upgrade paths behind-the-scenes.

What’s Changed💡

• Added a Dependabot Grype Guard workflow to evaluate Dependabot PRs against base-image scan results and block new High/Critical regressions.
• Added a Grype remediation suggestions workflow that generates/updates a tracking issue from weekly scan artifacts.
• Added a repository pull request template to standardize intent and scope in PR descriptions.

What Was Fixed🛠️

• Corrected local Chrony client handling so API behavior and messaging are consistent for local socket-based deployments.
• Resolved security workflow execution issues (invalid YAML structures, dispatch input handling, and artifact retrieval pathing).
• Fixed documentation contradictions around local mode support and deployment requirements.

What Was Updated💾

• Shifted Dependabot schedule to run later on Wednesday to support the Grype-first security process.
• Forced JavaScript GitHub Actions in remediation flow to run on Node 24.
• Updated container hardening baseline to align with remediation recommendations, including patched Python/Alpine image usage and package refresh during build.

Weekly Security Scan Report

• Generated: 2026-04-08 19:54 UTC
• Target branch scanned: pre-update-release
• Grype image tag used: v0.110.0

Release Notes Summary

• Total findings across all scans: 45
• Critical findings: 0
• High findings: 9
• Medium findings: 28

Vulnerability Summary

Scan Target	Total	Critical	High	Medium	Low	Negligible	Unknown
Repository source	0	0	0	0	0	0	0
Local image build	45	0	9	28	7	1	0
Latest released image	0	0	0	0	0	0	0

Pull Request List

• fix(pwa): harden cache refresh and service worker update flow by @NightHawkATL in #84
• fix(security): apply v0.1.2 fixable Grype remediations by @NightHawkATL in #85
• fix(docker): remove zlib pin regression in Dockerfile by @NightHawkATL in #87
• fix(clients): handle chronyc 501 not authorised with fallback by @NightHawkATL in #88
• fix(clients): add sudo fallback chain when 501 persists by @NightHawkATL in #89
• fix(clients): improve local 501 handling and troubleshooting guidance by @NightHawkATL in #90
• Add chrony volumes for local deployments by @NightHawkATL in #91
• Bump python from 3.13-alpine3.21 to 3.14-alpine3.21 by @dependabot[bot] in #93
• Bump cryptography from 46.0.6 to 46.0.7 by @dependabot[bot] in #94
• ci: fix grype-remediation-suggestions trigger, run ID resolution, underfixed false-positives, and least-privilege by @NightHawkATL in #96
• CI: finalize Grype remediation + Dependabot guard workflows by @NightHawkATL in #97
• fix: remove hard-coded branch filter from workflow_dispatch fallback in grype-remediation-suggestions by @NightHawkATL in #98
• ci: fix grype remediation workflow runner exit 2 by @NightHawkATL in #99
• Fix Grype remediation workflow artifact download by @NightHawkATL in #100
• ci: force Node 24 for remediation workflow actions by @NightHawkATL in #103
• Security: apply Grype remediation recommendations (refs #101) by @NightHawkATL in #104
• Security: apply Grype remediation recommendations (refs #101) by @NightHawkATL in #106
• docs: add default PR template for intent clarity by @NightHawkATL in #107
• Fix local clients fallback regression in local mode by @NightHawkATL in #108
• CI: fix Grype remediation workflow regressions and force Node 24 by @NightHawkATL in #110
• Weekly pre-update-release merge to main (wk 2) by @NightHawkATL in #92

Full Changelog: v0.1.2...v0.1.3

Bug Fix Update v0.1.2

This release comes with a ton of small fixes and updates here and there. I have added a weekly review of the image after all work has been completed for the week (cut-off Tuesday night [UTC]). This will scan with the latest DB from anchore/grype and create a result of the scan for release updates.

What's Changed 💡

• Replaced DEBUG_MODE boolean with standard [LOG_LEVEL] environment variable (DEBUG / INFO / WARNING / ERROR / CRITICAL)
• LOG_LEVEL now enforced globally across Flask and Werkzeug loggers (no more INFO leaking at WARNING level)
• Added comprehensive structured logging to container output: startup config, SSH errors, command failures, API errors

What's Fixed 🛠️

• PWA icon path corrected in [manifest.json] and [sw.js] to match actual image filename (ntp-dashboard-logo.png)
• Added rel="noopener noreferrer" to all external footer links with [target="_blank"]
• GPS error path in [dashboard.js] now uses safe [textContent] rendering instead of innerHTML
• Dockerfile case-sensitivity fix for Linux local builds
• Rare condition of gpspipe not showing data when returning to the dashboard

What's Updated 💾

• gpsd-clients made optional via INSTALL_GPSD_CLIENTS build arg as mitigation for CVE-2025-67268 — users on Alpine should await upstream patch before enabling
• Published security advisory GHSA-6wrg-2rh8-j35j documenting CVE-2025-67268 status and mitigation
• Weekly Grype security scan workflow added (Wednesday 12:00 UTC, targeting pre-update-release) to scan for vulnerabilities and provide the results in a table for each release (as seen below)
• Dependabot configured for pip, Docker, and GitHub Actions on weekly Wednesday schedule

Weekly Security Scan Report

• Generated: 2026-04-02 17:03 UTC
• Target branch scanned: pre-update-release
• Grype image tag used: v0.110.0

Release Notes Summary

• Total findings across all scans: 16
• Critical findings: 0
• High findings: 3
• Medium findings: 10

Vulnerability Summary

Scan Target	Total	Critical	High	Medium	Low	Negligible	Unknown
Repository source	0	0	0	0	0	0	0
Local image build	16	0	3	10	3	0	0
Latest released image	0	0	0	0	0	0	0

PR List

• Automate app version from release tag by @NightHawkATL in #54
• Mitigate gpsd CVE exposure by making local gpspipe optional by @NightHawkATL in #55
• Fix typos in README.md by @NightHawkATL in #56
• Weekly testing for vulnerabilities using Grype by @NightHawkATL in #57
• Weekly testing for vulnerabilities using grype by @NightHawkATL in #58
• Log backend errors to container output by @NightHawkATL in #60
• Fix/log level only by @NightHawkATL in #62
• Fix/log level enforcement by @NightHawkATL in #63
• Fix/log level only by @NightHawkATL in #64
• Change cron schedule for weekly security check by @NightHawkATL in #68
• Improve GPS field handling and clean up ignore/config comments by @jdam11 in #67
• Bump actions/setup-python from 5 to 6 by @dependabot[bot] in #71
• Bump actions/checkout from 4 to 6 by @dependabot[bot] in #70
• Bump actions/upload-artifact from 4 to 7 by @dependabot[bot] in #69
• Update resource usage section in README by @NightHawkATL in #72
• Chore/add grype workflow by @NightHawkATL in #73
• Chore/add grype workflow by @NightHawkATL in #74
• chore: add weekly grype security scan workflow by @NightHawkATL in #75
• fix(ci): force shared grype db cache path for update and scans by @NightHawkATL in #76
• ci: add weekly Grype security scan workflow by @NightHawkATL in #78
• Add upload artifact step for weekly security reports by @NightHawkATL in #79
• ci: refine weekly Grype report for release notes by @NightHawkATL in #80
• fix(web): align PWA icon path and add external link hardening by @NightHawkATL in #81
• fix: refresh dashboard data after cache resume by @NightHawkATL in #83
• Pre update release merge to main by @NightHawkATL in #82

New Contributors

• @jdam11 made their first contribution in #67

Full Changelog: v0.1.1...v0.1.2

Security Update v0.1.1

This release covers quite a few dependencies that were found during the development and testing while working on the initial app build and getting everything working as expected. Dependabot has joined the team to make sure that the app stays local, secure, and vulnerabilities are squashed in a timely manner! Lets all welcome them to the team!

]{}{}{}[ 🎉🎊 ]{}{}{}[

This initial release after launching the beta version is focused on improvements within the code and packages. Any new updates on coding and security will be delivered on a weekly cadence unless there are circumstances that arise needing a sooner release.

What's Changed

• Bump actions/checkout from 4 to 6 by @dependabot[bot] in #42
• Bump cryptography from 42.0.5 to 46.0.5 by @dependabot[bot] in #41
• Bump docker/metadata-action from 5 to 6 by @dependabot[bot] in #43
• Bump docker/login-action from 3 to 4 by @dependabot[bot] in #44
• Bump docker/setup-buildx-action from 3 to 4 by @dependabot[bot] in #45
• Bump docker/build-push-action from 6 to 7 by @dependabot[bot] in #46
• Bump python from 3.11-alpine to 3.14-alpine by @dependabot[bot] in #48
• Bump flask from 3.0.2 to 3.1.3 by @dependabot[bot] in #47
• Bump paramiko from 3.4.0 to 4.0.0 by @dependabot[bot] in #49
• Bump docker/setup-qemu-action from 3 to 4 by @dependabot[bot] in #51
• Bump cryptography from 46.0.5 to 46.0.6 by @dependabot[bot] in #52
• Pre update release merge to main by @NightHawkATL in #53

New Contributors

• @dependabot[bot] made their first contribution in #42

Full Changelog: v0.1.0...v0.1.1

Update v0.1.0

This release marks the move from alpha to beta! All roadmap items have been completed (more will be added later), along with support for SSH keys to further secure the SSH connection to the "remote" connection to your personal NTP server.

This release includes themes for changing colors of the interface to better match your favorite color, mood, style, or day. The themes are stored locally on your computer in the browser cache. This means you can have a different theme for each computer, browser, or device that you are viewing the dashboard with.

I appreciate all who helped me test the functions and features to make this app what it is today. The app will be left as it stands today until security patches are needed or I think of some other roadmap items or features that would be nice to have. Feel free to open an issue to suggest features that you think would be nice additions to the app.

What's Changed

• Update app.py to the latest version, theme and SSH key support by @NightHawkATL in #37
• Update dashboard.js for theme and SSH key support by @NightHawkATL in #38
• Update index.html for theme and key support by @NightHawkATL in #39
• Update README.md to show off the new features by @NightHawkATL in #40

Full Changelog: v0.0.9...v0.1.0

Update v0.0.9

Whew, this has been a fun exercise in app releases! With this release, we are 1 version away from v0.1.0!

This release changes the underlying OS from Debian to Alpine to further shrink the image size and make it not feel so "heavy". The idea is to make this a fast update, fast load, and easy to access. This release also adds the Light/Dark/System buttons rather than a big toggle button for light and dark mode and introduces an update notification in the footer so that anyone using the app can be notified of a pending update.

Its been huge fun seeing this come to life and working as expected. I hope any and all who are using this are enjoying the added features!

What's Changed

• Update dockerfile by @NightHawkATL in #29
• Update index.html by @NightHawkATL in #30
• Update dashboard.js by @NightHawkATL in #31
• Update README.md by @NightHawkATL in #32
• Update app.py by @NightHawkATL in #33
• Update index.html by @NightHawkATL in #34
• Update index.html by @NightHawkATL in #35
• Update dashboard.js by @NightHawkATL in #36

Full Changelog: v0.0.8...v0.0.9

Update v0.0.8

This release marks yet another roadmap item off the list. The image size has been reduced tremendously by removing packages that aren't needed and cleaning up the code more.

What's Changed

• Create .dockerignore by @NightHawkATL in #25
• Update dockerfile by @NightHawkATL in #26
• Update app.py by @NightHawkATL in #27
• Update README.md by @NightHawkATL in #28

Full Changelog: v0.0.7...v0.0.8

Update v0.0.7

Fixed a typo in app.py and bumped the version to reflect.

What's Changed

• Update app version to v0.0.7 and add paths by @NightHawkATL in #24

Full Changelog: v0.0.6...v0.0.7

Update v0.0.6

Marked another roadmap item off with this one. PWA is now officially supported. If you are hosting this through a reverse proxy and you have HTTPS, you should see a button on iOS/Android devices to "install" as an app. If you are accessing it local-only without a reverse proxy, then you will just need to use your respective browser (Safari/Chrome) to "Add to Home Screen" and still take full advantage of the PWA features.

What's Changed

• Add manifest.json for PWA configuration by @NightHawkATL in #17
• Add service worker for asset caching by @NightHawkATL in #18
• Add routes for manifest and service worker files by @NightHawkATL in #19
• Add manifest and theme color meta tags to index.html by @NightHawkATL in #20
• Register PWA Service Worker in dashboard.js by @NightHawkATL in #21
• Update roadmap to reflect completed tasks by @NightHawkATL in #22

Full Changelog: v0.0.5...v0.0.6