Releases: devituz/lagodev

v0.26.0 — production hardening

25 Jun 04:21

A fleet of adversarial test agents (load, fuzz, injection, leak, security) probed every subsystem like a real attacker. This release ships the root-cause fixes plus extensive new regression/fuzz/stress tests.

Critical fixes

  • web: panicking handler returned an empty 200 instead of 500 — recovery now writes the 500.
  • web/router: Get("/") crashed net/http at startup — fixed empty-prefix path join.
  • admin: panel was open by default → now fail-closed (no Authorizer = 403); added WithInsecureAllowAll() opt-in. Runtime behavior change.
  • validation: data race on the global regex cache → sync.RWMutex.
  • openapi: stack overflow on recursive types → inline cycle guard.

High / medium fixes

  • query: operator injection via Where(col,op,val) → operator whitelist + strict column quoting.
  • realtime: goroutine flood under broadcast storms to a slow consumer → single CAS-guarded teardown.
  • telescope: unbounded N+1 map → FIFO cap; added RequireBasicAuth.
  • process: timeout leaked the child process tree → process-group kill.
  • cache: thundering herd in Remember → per-key single-flight; tighter TTL sweep.
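
The query fix above names two controls: an operator whitelist and strict column quoting. The sketch below is an added illustration of those two controls, not lagodev's own code; `BuildWhere`, `quoteIdent`, the operator set, ANSI double-quote identifier quoting and the `?` placeholder are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical helpers for illustration; names and SQL dialect are assumptions.
// allowedOps is the operator allowlist: anything else is rejected, never passed through.
var allowedOps = map[string]bool{
	"=": true, "!=": true, "<>": true, "<": true, "<=": true,
	">": true, ">=": true, "LIKE": true, "NOT LIKE": true,
}

// identRe accepts plain identifiers, optionally table-qualified (users.email).
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$`)

// quoteIdent validates a column name, then wraps each part in double quotes.
func quoteIdent(col string) (string, error) {
	if !identRe.MatchString(col) {
		return "", fmt.Errorf("invalid column %q", col)
	}
	parts := strings.Split(col, ".")
	for i, p := range parts {
		parts[i] = `"` + p + `"`
	}
	return strings.Join(parts, "."), nil
}

// BuildWhere returns a SQL fragment plus bind args; val only ever travels as a bind parameter.
func BuildWhere(col, op string, val any) (string, []any, error) {
	normOp := strings.ToUpper(strings.Join(strings.Fields(op), " "))
	if !allowedOps[normOp] {
		return "", nil, fmt.Errorf("operator %q not allowed", op)
	}
	qcol, err := quoteIdent(col)
	if err != nil {
		return "", nil, err
	}
	return qcol + " " + normOp + " ?", []any{val}, nil
}

func main() {
	// Constructed inputs: one legitimate call, then an operator and a column that carry SQL.
	fmt.Println(BuildWhere("users.email", "like", "%@example.com"))
	fmt.Println(BuildWhere("id", "= 1 OR 1=1 --", 0))
	fmt.Println(BuildWhere(`name" OR "1"="1`, "=", "x"))
}
```

Both rejected calls fail before any SQL text is assembled, so the caller gets an error rather than a query with attacker-controlled structure.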

Production safety

  • graphql: configurable DoS limits (depth/nodes/aliases/bytes/tokens) + introspection toggle. Handler(cs, ...Option) backward-compatible.
  • New fuzz/stress/injection/security suites across the framework.
  • drivers/redis: tests no longer need a live server.

Quality

go test -race green (55 packages) · go vet + gofmt clean · govulncheck: no vulnerabilities.

⚠️ Upgrade note: if you mount the admin panel without an Authorizer, add one (production) or admin.WithInsecureAllowAll() (local) — it is now fail-closed.

v0.25.0 — framework-grade docs + resilience/observability/search

25 Jun 03:33

Framework-grade hardening release. All changes are additive: go get github.com/devituz/lagodev@v0.25.0 is backward-compatible.

Highlights

  • 24 new documentation guides under docs/ covering every subsystem, plus a Laravel/Django/NestJS/Express comparison and a benchmarks guide with measured numbers.
  • resilience — implemented the advertised primitives: Retry (constant/exponential/jitter backoff), Timeout, Bulkhead, RateLimiter. All compose with Wrap/Do[T].
  • observability — HTTP integration layer: Middleware, NewRoundTripper, MetricsHandler (Prometheus text), Provider.
  • search — Searchable + Indexer model auto-indexing (ORM-agnostic).
  • README rebranded from "template" to a full-stack framework.

Security

Cleared all open Dependabot advisories: grpc → v1.81.1 (critical), fiber → v2.52.13 (2 criticals), go-redis → v9.21.0, chi → v5.3.0, x/crypto + x/net bumped in adapters/grpc.

Quality

go vet + gofmt clean · go test -race green (55 packages) · govulncheck: no vulnerabilities.