Wheels 4.0.5 released — a hardening release, now installable anywhere #3233
bpamiri announced in Announcements
Wheels 4.0.5 is out. It's really two releases: 4.0.4 was a large hardening pass (100+ commits across security, performance, and deploy), and 4.0.5 makes all of it installable the same way on every major platform, including arm64 Linux. 4.0.4 shipped and was superseded by 4.0.5 the same day, before any announcement — so this single post (and this thread) covers both.
Read: https://blog.wheels.dev/posts/wheels-4-0-5-released
What's in it
Security
- `$isSafeRedirectUrl()` now normalizes input per WHATWG URL parsing (stripping embedded tab/CR/LF) and rejects backslash / schemeless-authority tricks (`/\evil.com`, `https:/evil.com`).
- `/wheels/info` no longer renders secrets: `csrfCookieEncryptionSecretKey` and the full application metadata (datasource credentials, ORM settings) are gone from the output.
- The `/wheels/*` dev-UI handlers are now gated by a fail-closed allowlist, and the URL reload gate refuses to act unless a non-empty `reloadPassword` is configured.
- `$getRequestFormat` rejects non-alphanumeric `url.format` values.
- A `trustProxyHeaders` setting (default `false`) governs whether `X-Forwarded-*` is believed: `isSecure()`, maintenance-mode IP exceptions, and the reload rate-limit key all stop trusting client-supplied forwarded headers unless you opt in.
Performance
- Faster `model()` and `controller()` on cache hits.
- Faster `URLFor()` route lookups (with negative caching) and a per-datasource schema-column cache.
- `wheels deploy`: ~20 Kamal-port fixes: works on fresh hosts, all-or-nothing fleet lock, bounded secret resolution, secret redaction in failure output, correct `rollback --destination` overlay, on-server audit trail, stricter IPv6 host validation.
Cross-engine
- A `cfabort;` that 500'd `GET /` on Adobe.
- `@@IDENTITY` / `MAX(ROWID)`.
New capabilities
- `wheels jobs work/status` (background-job worker loop), `wheels upgrade apply` (framework swap), `wheels upgrade check --strict`, a `subpath` setting, and a `/up` warm-up endpoint in scaffolded apps.

…and roughly eighty fixes in total (routing `scope()`/`namespace()` callbacks, CORS duplicate-header arbitration, multi-node `RateLimiter` storage, honest `migrate`/`seed`/`test` exit codes, `hasMany` shortcut associations, and more). Full list: CHANGELOG.
Install / upgrade — now including arm64
The Linux `.deb`/`.rpm` are now architecture-independent (the CLI launches through a portable `java -jar` runner), so `apt install`/`dnf install` work on arm64 (aarch64): Raspberry Pi, AWS Graviton, Ampere, as well as x86_64. And a CI job installs through all four channels on real runners every day and asserts the version, so a broken install gets caught before you hit it.

If you installed 4.0.4, just upgrade to 4.0.5; everything in 4.0.4 is in it.
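Two of the checks in the Security list above, re-implemented as an added example so the behaviour can be run and tested stand-alone. This is not code from the Wheels project or its author: the function names (`is_safe_redirect_url`, `is_secure`, `client_ip`), the `Request` shape, the `trust_proxy_headers` parameter standing in for the `trustProxyHeaders` setting, and every sample URL, address and header are this example's own assumptions, not the Wheels API.

```python
"""Added example, not code from the Wheels project: Python re-implementations
of two checks from the Security list (the safe-redirect validator and opt-in
trust of X-Forwarded-* headers). Function names, the Request shape and every
sample URL, address and header below are this example's own assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# WHATWG URL parsing removes ASCII tab, CR and LF anywhere in the input before
# parsing, so "/\t/evil.com" must be judged as "//evil.com", not as a path.
_WHATWG_STRIP = str.maketrans("", "", "\t\r\n")


def is_safe_redirect_url(url: str, allowed_hosts: frozenset[str] = frozenset()) -> bool:
    """True only for a same-site path ("/account") or an http(s) URL whose
    host is in allowed_hosts. Rejects the tricks named in the announcement:
    "/\\evil.com" (browsers read backslash as slash, giving a protocol-relative
    URL) and "https:/evil.com" (scheme plus one slash, which browsers resolve
    to host evil.com while naive parsers see only a path)."""
    if not isinstance(url, str):
        return False
    cleaned = url.translate(_WHATWG_STRIP).strip()
    if not cleaned or any(ord(c) < 0x20 or ord(c) == 0x7F for c in cleaned):
        return False
    # Browsers treat "\" like "/" in http(s) URLs: normalise before judging.
    normalised = cleaned.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: exactly one leading slash. "//h" and "///h" are
        # protocol-relative (browsers skip any run of leading slashes).
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, mailto:, ...
    host = parts.hostname  # drops userinfo ("example.com@evil.com") and port
    if not host:
        return False  # "https:/evil.com", "http:evil.com", "https://"
    return host.lower() in allowed_hosts


@dataclass(frozen=True)
class Request:
    """Constructed stand-in for what the engine hands the framework: the TCP
    peer, whether this hop itself was TLS, and raw headers (names lower-cased)."""
    remote_addr: str
    is_tls: bool = False
    headers: dict[str, str] = field(default_factory=dict)


def _last_forwarded(req: Request, name: str) -> str | None:
    """Right-most entry of a comma-joined X-Forwarded-* header: the one
    appended by the proxy you trust. Everything left of it is client-supplied."""
    value = req.headers.get(name)
    if value is None:
        return None
    return value.split(",")[-1].strip()


def is_secure(req: Request, trust_proxy_headers: bool = False) -> bool:
    """With trust off (the default) only the socket decides; a client cannot
    claim HTTPS by sending X-Forwarded-Proto. With trust on, the header wins."""
    if trust_proxy_headers:
        proto = _last_forwarded(req, "x-forwarded-proto")
        if proto is not None:
            return proto.lower() == "https"
    return req.is_tls


def client_ip(req: Request, trust_proxy_headers: bool = False) -> str:
    """Address behind maintenance-mode exceptions and the reload rate-limit
    key. A malformed forwarded entry falls back to the socket peer rather
    than becoming an attacker-chosen key."""
    if trust_proxy_headers:
        forwarded = _last_forwarded(req, "x-forwarded-for")
        if forwarded is not None:
            try:
                return str(ipaddress.ip_address(forwarded))
            except ValueError:
                pass
    return req.remote_addr


def maintenance_exempt(req: Request, exempt_ips, trust_proxy_headers: bool = False) -> bool:
    """Maintenance-mode IP exception keyed on the resolved client address."""
    return client_ip(req, trust_proxy_headers) in exempt_ips


def reload_rate_limit_key(req: Request, trust_proxy_headers: bool = False) -> str:
    """Bucket for the URL reload gate; with trust off a caller cannot pick a
    fresh bucket per request just by varying X-Forwarded-For."""
    return "reload:" + client_ip(req, trust_proxy_headers)


# Constructed sample: an internet client forging the headers a proxy would
# add, hoping to pass as an exempt internal address over HTTPS.
FORGED = Request(
    remote_addr="203.0.113.9",
    is_tls=False,
    headers={"x-forwarded-for": "10.0.0.5", "x-forwarded-proto": "https"},
)
EXEMPT_IPS = frozenset({"10.0.0.5"})

if __name__ == "__main__":
    for trust in (False, True):
        print(f"trustProxyHeaders={trust}: ip={client_ip(FORGED, trust)} "
              f"secure={is_secure(FORGED, trust)} "
              f"exempt={maintenance_exempt(FORGED, EXEMPT_IPS, trust)}")
```

Run as a script it judges the forged request both ways. With the default off, nothing in the headers can make the request look internal or secure; turning trust on is only safe when a proxy you control sits in front of every instance and overwrites those headers, which is why it is an explicit opt-in rather than the default.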
Discussion
Questions, upgrade reports (especially from arm64 Linux and stock Adobe-on-Linux deployments), or anything that broke — drop them in this thread.