
Releases: juice-shop/juice-shop

v12.6.1

08 Feb 07:27

🎲 Cheat Detection

  • Fixed division by zero that reported the juiceshop_cheat_score metric as NaN while no challenges had been solved yet

Download OWASP Juice Shop

v12.6.0

07 Feb 18:03

This release contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release. Feedback on these features is particularly welcome via Gitter, Slack or by opening a GitHub issue.

🎲 Cheat Detection (🔬)

  • Solved challenges now receive a cheat score which indicates the likelihood (0..1) of the user having cheated
  • The average likelihood of the user having cheated in any challenge is exposed via Prometheus metrics as juiceshop_cheat_score

🎣 Solution Webhook

  • Solution webhook payload now contains the cheatScore and totalCheatScore
  • Removed the evidence: null property from the solution webhook payload
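How the per-challenge cheat score ends up in the juiceshop_cheat_score gauge and in the solution webhook, including the empty-case division that v12.6.1 fixes. This is an added example, not Juice Shop's own code; the sample challenge list, the webhook payload shape and all function names are assumptions made for the illustration.

```javascript
// Added example (not Juice Shop's own code): averaging per-challenge cheat scores
// into the juiceshop_cheat_score gauge and passing them to the solution webhook.
// The sample list, the payload shape and the function names are assumptions.

// Constructed sample: challenges solved so far, each with a 0..1 cheat likelihood.
const solvedChallenges = [
  { key: 'scoreBoardChallenge', cheatScore: 0.05 },
  { key: 'loginAdminChallenge', cheatScore: 0.9 },
  { key: 'adminSectionChallenge', cheatScore: 0.25 }
];

// Before the v12.6.1 fix: with nothing solved, 0 / 0 evaluates to NaN, and a NaN
// sample makes the gauge useless for alerting or dashboards.
function averageCheatScoreNaive(solved) {
  const total = solved.reduce((sum, c) => sum + c.cheatScore, 0);
  return total / solved.length;
}

// After the fix: report 0 until at least one challenge has been solved.
function averageCheatScore(solved) {
  if (solved.length === 0) return 0;
  const total = solved.reduce((sum, c) => sum + c.cheatScore, 0);
  return total / solved.length;
}

// Prometheus text-exposition lines for the gauge.
function cheatScoreGauge(solved) {
  return '# TYPE juiceshop_cheat_score gauge\n' +
         'juiceshop_cheat_score ' + averageCheatScore(solved) + '\n';
}

// Solution-webhook payload (assumed shape): the cheatScore of the challenge just
// solved plus the running average as totalCheatScore, without an `evidence: null`
// placeholder property.
function buildWebhookPayload(solved, justSolved) {
  return {
    challenge: justSolved.key,
    cheatScore: justSolved.cheatScore,
    totalCheatScore: averageCheatScore(solved)
  };
}

console.log(cheatScoreGauge([]));               // gauge reads 0, not NaN
console.log(cheatScoreGauge(solvedChallenges));
console.log(JSON.stringify(buildWebhookPayload(solvedChallenges, solvedChallenges[2])));
```

Prometheus will scrape a NaN sample without complaint, so the failure only shows up later as broken graphs and alert rules that never fire; guarding the empty case at the source is cheaper than special-casing NaN in every dashboard panel.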

💾 Local Backup

  • #1579: When restoring a local JSON backup all changes including hacking progress can now be applied immediately by clicking Apply changes now in the import success notification

🎨 Frontend

  • #1276: Applied facelifted design to Order History and Token Sale screens (kudos to @cigar-galaxy82)

📈 Monitoring

  • Added Cheat Score panel to Grafana dashboard JSON template consuming

🤝 Contributor QoL


v12.5.0

16 Jan 01:12

This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! This release also contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release.

🎨 Frontend

  • #1276: Applied facelifted design to Accounting screen
  • #1276: Harmonized design of Challenge Solved and Server Restarted notifications with MatSnackBar toasts

🎯 Challenges

  • Changed default promotion video used in the Video XSS challenge to OWASP Membership ad video made by @nanzggits (⚡)

⚙️ DevOps Automation

  • CI/CD pipeline now uses timeouts and retries for some test steps to compensate for flakiness of tests, race conditions or other occasional irregularities
    • Unit tests step (in test job) times out after 10 minutes and is retried twice
    • Integration tests step (in test job) times out after 5 minutes and is retried twice
    • End-to-end step (in e2e job) times out after 20 minutes and is retried once
    • No timeouts or retries are configured for the smoke and docker-smoke jobs
  • Added WebAppDefn specification .config/webapp.yml as proposed by the OSSF Security Tooling working group (🔬)

🐛 Bugfixes

  • #1562: Charging of digital wallet without or with another user's credit card is now prevented on server side

🧹 Code Style/Linting

  • Included stylelint module for linting and auto-fixing frontend SCSS files

🌐 I18N

  • Extended 🇫🇮, 🇷🇴, 🇹🇷 and 🇨🇳 translations

🛄 Miscellaneous

  • Marked both Juice Shop Adversary Trading Card products as deleted due to discontinuation of the "Adversary Trading Cards" CCG


v12.4.0

30 Dec 11:58

🎨 Frontend

  • #1542: Migrated Angular frontend from version 10 to 11

🧹 Code Style/Linting

  • Migrated frontend code linter from TSLint to ESLint based on standard-with-typescript configuration
  • Migrated backend code linter from Standard to ESLint based on standard configuration
  • Refactored code to comply with additional ESLint rules not present in previous TSLint/Standard linters

🐛 Bugfixes

  • #1527: Fixed race condition between creation of PDF confirmation and wallet payment during checkout process
  • #1525: Fixed memory leak in Score Board tutorial when waiting for DevTools

🛄 Miscellaneous

  • #1547: Added distinct default user profile image for all admin accounts to set them apart from regular user accounts
  • Rotated Juice Shop Artwork out of the available product inventory replacing it with Best Juice Shop Salesman Artwork
  • Added new user stan@juice-sh.op to userbase prepopulated on startup
  • #1440: Updated file-types dependency to latest major version (kudos to @cigar-galaxy82)


v12.3.0

19 Dec 22:44

🚀 Features

  • The security.txt is now accessible from both URLs officially defined in the corresponding RFC draft (/.well-known/security.txt and the legacy top-level /security.txt)
  • The security.txt now also contains the Preferred-Languages and Expires properties
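A sample security.txt carrying the two fields mentioned above, together with a small parser and checker of the kind a disclosure program would run against its own deployment. This is an added example, not Juice Shop's own file or code; the file contents, the contact address and the helper names are assumptions made for the illustration.

```javascript
// Added example (not Juice Shop's own code): parse a security.txt and validate the
// Contact, Expires and Preferred-Languages fields. File contents and names are assumed.

// draft-foudil-securitytxt: the canonical location plus the legacy top-level path.
const SECURITY_TXT_PATHS = ['/.well-known/security.txt', '/security.txt'];

// Constructed sample file.
const sampleSecurityTxt = [
  '# Constructed example, not a real disclosure policy',
  'Contact: mailto:security@example.com',
  'Preferred-Languages: en, de',
  'Expires: 2030-01-01T00:00:00.000Z',
  'Encryption: https://example.com/pgp-key.txt'
].join('\n');

// Parse "Field: value" lines into a map of lower-cased field name -> list of values.
// Comments (#) and blank lines are skipped; a field may repeat (e.g. several Contact lines).
function parseSecurityTxt(text) {
  const fields = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const sep = line.indexOf(':');
    if (sep < 0) continue; // not a field line; a stricter checker could flag it
    const name = line.slice(0, sep).trim().toLowerCase();
    const value = line.slice(sep + 1).trim();
    (fields[name] = fields[name] || []).push(value);
  }
  return fields;
}

// Validate the fields a disclosure program relies on. `now` is injectable so the
// Expires check is deterministic in tests.
function checkSecurityTxt(text, now = new Date()) {
  const fields = parseSecurityTxt(text);
  const problems = [];

  if (!fields.contact || fields.contact.length === 0) {
    problems.push('Contact is required');
  }

  const expires = fields.expires;
  if (!expires || expires.length !== 1) {
    problems.push('exactly one Expires field is required');
  } else {
    const when = new Date(expires[0]);
    if (Number.isNaN(when.getTime())) {
      problems.push('Expires is not a valid date-time');
    } else if (when.getTime() <= now.getTime()) {
      problems.push('Expires is in the past; the file should be treated as stale');
    }
  }

  const langs = fields['preferred-languages'];
  if (langs) {
    if (langs.length !== 1) {
      problems.push('Preferred-Languages must appear at most once');
    } else {
      const tags = langs[0].split(',').map(t => t.trim());
      const bad = tags.filter(t => !/^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$/.test(t));
      if (bad.length) problems.push('Preferred-Languages has invalid tags: ' + bad.join(', '));
    }
  }

  return { ok: problems.length === 0, problems };
}

// Is a request path one of the two locations the file must be served from?
function isSecurityTxtPath(path) {
  return SECURITY_TXT_PATHS.includes(path);
}

console.log(checkSecurityTxt(sampleSecurityTxt));
```

The Expires check is the one that silently rots: a file that was valid when committed becomes stale a year later, so the check belongs in CI or a scheduled job rather than a one-off review.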

🎒 Tutorials

  • #1524: Added option to helper functions allowing case insensitive input checks (kudos to @cnotin)
  • #1524: Fixed skipped steps in Login Bender and Login Jim tutorials (kudos to @cnotin)
  • #1526: Hint speech bubbles can now be placed after the fixture element with fixtureAfter: true (kudos to @cnotin)
  • #1526: Reduced frequency of hint speech bubbles blocking input elements or menu items by using fixtureAfter (kudos to @cnotin)

🐛 Bugfixes

  • #1516, #1517: User session residue is now cleaned up properly (kudos to @cnotin)
  • #1519: Fixed items counter being displayed as zero after login even when basket contained items (kudos to @cnotin)
  • #1533: Product quantity limit is now applied on a per-order basis instead of a per-user basis (kudos to @cnotin)
  • #1538: Delayed search for security question by 1sec after last keystroke in Forgot Password screen
  • #1536: Fixed visual glitch with horizontal dividers on My Payment Options screen (kudos to @MarcRler)


v12.2.1

11 Dec 15:34

⚙️ DevOps Automation


v12.2.0

10 Dec 17:37

⚙️ DevOps Automation

  • #1530: Replaced Travis-CI with GitHub Actions based CI/CD pipeline
  • Docker latest, snapshot and v*.*.* images are now published for platforms linux/amd64, linux/arm/v7 and linux/arm64
  • Automatic mirroring of release artifacts to SourceForge (https://sourceforge.net/projects/juice-shop) is no longer available (⚠️)
  • Packaged .tgz archives for linux/arm64 are no longer provided (⚠️) in favor of linux/arm64 Docker images

🗣️ Chatbot

  • Added new chatbot utterances (e.g. for the official theme song of the shop)
  • Reduced threshold for fuzzy matching of product price requests to produce hits earlier and make multi-match results occur at all

🐛 Bugfixes

  • #1514: Fixed server crash upon notifying an unreachable SOLUTIONS_WEBHOOK URL
  • #1512: Avoid accidental solve of View Basket challenge for Basket IDs that became NaN (kudos to @cnotin)

🛅 Miscellaneous

  • Reduced RAM and disk usage by updating to optimized juicy-chat-bot version
  • #1515: Pre-existing orders now have a bonus point value corresponding with their total order amount (kudos to @cnotin)

v12.1.1

05 Nov 12:29

🎯 Challenges

  • a0feeb8: Rephrased White-/Blacklist into Allow-/Blocklist in all affected challenges, corresponding hints as well as in entire code base

🔒 Security

  • #1471: Payments from wallets with insufficient funds for purchase are now rejected on client- and server-side (kudos to @grijul)
  • #1498: Credit card numbers are now returned in masked form by the API instead of masking on the client (kudos to @PranjalAgni)
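The three payment fixes on this page (#1562 in v12.5.0: wallet charged without a card or with another user's card; #1471: wallet payment with insufficient funds; #1498: card numbers masked only in the browser) share one root cause, a server that trusted the client's view of the data. The added example below, which is not Juice Shop's own code, shows the server-side checks in one place; the in-memory data model, the session object, the masking format and the function names are assumptions made for the illustration.

```javascript
// Added example (not Juice Shop's own code): server-side checks for the wallet and
// payment-card flows behind #1562, #1471 and #1498. Data model, session object,
// masking format and function names are assumptions.

// Constructed sample state: two users, one saved card each, and their wallet balances.
const cards = [
  { id: 1, userId: 1, cardNum: '4111111111111111' },
  { id: 2, userId: 2, cardNum: '5555555555554444' }
];
const wallets = { 1: { balance: 50 }, 2: { balance: 10 } };

// Vulnerable shape (#1562 before the fix): the card id from the request body is not
// validated at all, so a missing or foreign card still tops up the wallet.
function chargeWalletTrustingClient(session, body) {
  wallets[session.userId].balance += body.amount;
  return { status: 'success', balance: wallets[session.userId].balance };
}

// Hardened shape: the user comes from the server-side session, the card must exist
// and belong to that user, and the amount must be a positive finite number.
function chargeWallet(session, body) {
  const card = cards.find(c => c.id === body.paymentId);
  if (!card || card.userId !== session.userId) {
    return { status: 'error', reason: 'card missing or not owned by user' };
  }
  if (!Number.isFinite(body.amount) || body.amount <= 0) {
    return { status: 'error', reason: 'invalid amount' };
  }
  wallets[session.userId].balance += body.amount;
  return { status: 'success', balance: wallets[session.userId].balance };
}

// #1471: a wallet payment is rejected on the server when the balance cannot cover it,
// whatever the client-side check allowed.
function payWithWallet(session, amount) {
  const wallet = wallets[session.userId];
  if (!Number.isFinite(amount) || amount <= 0) {
    return { status: 'error', reason: 'invalid amount' };
  }
  if (wallet.balance < amount) {
    return { status: 'error', reason: 'insufficient funds' };
  }
  wallet.balance -= amount;
  return { status: 'success', balance: wallet.balance };
}

// #1498: mask on the server so the full PAN never reaches the browser. Only the last
// four digits survive; the '*' padding format is an assumption.
function maskCardNumber(cardNum) {
  const digits = String(cardNum).replace(/\D/g, '');
  return '*'.repeat(Math.max(digits.length - 4, 0)) + digits.slice(-4);
}

// Listing of the session user's own cards, already masked when it leaves the server.
function listCardsForUser(session) {
  return cards
    .filter(c => c.userId === session.userId)
    .map(c => ({ id: c.id, cardNum: maskCardNumber(c.cardNum) }));
}

console.log(chargeWallet({ userId: 1 }, { paymentId: 2, amount: 20 })); // rejected
console.log(listCardsForUser({ userId: 1 }));                            // masked
```

The ownership check keys on the authenticated session, never on a userId supplied in the body; that is what turns the foreign-card case from an authorization bypass into a plain error. Masking on the server also removes the temptation to "unmask" from DevTools, since the full number is simply not in the response.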

🎨 User Interface

  • #1496: Slightly improved responsiveness of Score Board to have less off-screen elements and not hide columns prematurely


v12.1.0

03 Oct 14:09

⚙️ DevOps Automation

  • #1470: Added startup time metrics to Prometheus endpoint and Grafana dashboard template in monitoring/grafana-dashboard.json
  • #1478: Added customization time metrics to Prometheus endpoint
  • Failing Arm64-based build jobs will now break the CI/CD build again

🎯 Challenges

  • Sealed accidental leakage of the 2FA secret via an administrative API endpoint (now handled identically to the password)
  • #1469: Closed loophole that allowed a too easy solve of the "Deluxe Fraud" challenge

🐛 Bugfixes

  • #1466: Fixed typo in DB property preventing retrieval of existing shopping baskets
  • f95cb15: The "Show tutorials only" button on the Score Board is now hidden if Hacking Instructor is not even enabled
  • #1478: Refactored various startup preparations into async/await code and parallelize as much as possible
  • #1474: Fixed contrast issues for captions on Photo Wall in all light-background themes
  • Fixed issue with sold-out/quantity-left ribbon preventing clicks to open Product Details dialogs

🐳 Docker

  • #1467: Update Docker container user to work properly with the runAsNonRoot flag in Kubernetes
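What runAsNonRoot needs from an image: when a pod sets runAsNonRoot: true without an explicit runAsUser, the kubelet can only verify a numeric image user, so a Dockerfile ending in `USER node` fails to start with an "image has non-numeric user" error while `USER 65532:65532` is accepted. The added check below is not Juice Shop's own Dockerfile or code and does not reproduce the exact change behind #1467; the two Dockerfile texts are constructed samples and the function names are assumptions.

```javascript
// Added example (not Juice Shop's own code): check whether the final USER instruction
// of a Dockerfile is a numeric, non-root uid, which is what Kubernetes' runAsNonRoot
// can verify without an explicit runAsUser. Dockerfile texts are constructed samples.

// Constructed: weak form, user set by name (kubelet cannot prove it is non-root).
const dockerfileByName = [
  'FROM node:14-alpine',
  'WORKDIR /juice-shop',
  'COPY . .',
  'USER node',
  'CMD ["npm", "start"]'
].join('\n');

// Constructed: hardened form, numeric uid:gid in the final stage.
const dockerfileNumeric = [
  'FROM node:14-alpine AS build',
  'USER root',
  'RUN echo build step',
  'FROM node:14-alpine',
  'COPY --from=build /juice-shop /juice-shop',
  'USER 65532:65532',
  'CMD ["npm", "start"]'
].join('\n');

// Last USER instruction of the final build stage, the only stage that ends up in the
// image. Returns null when no USER is set there, i.e. the base image default (root).
function finalStageUser(dockerfile) {
  const lines = dockerfile.split(/\r?\n/).map(l => l.trim());
  const lastFrom = lines.reduce((idx, l, i) => (/^FROM\s/i.test(l) ? i : idx), -1);
  let user = null;
  for (const line of lines.slice(lastFrom + 1)) {
    const m = /^USER\s+(\S+)/i.exec(line);
    if (m) user = m[1];
  }
  return user;
}

// Decide whether the image satisfies runAsNonRoot on its own.
function runAsNonRootCompatible(dockerfile) {
  const user = finalStageUser(dockerfile);
  if (user === null) {
    return { ok: false, reason: 'no USER instruction in final stage; image runs as root' };
  }
  const uid = user.split(':')[0];
  if (!/^\d+$/.test(uid)) {
    return { ok: false, reason: 'non-numeric user "' + uid + '"; kubelet cannot verify it is non-root' };
  }
  if (Number(uid) === 0) {
    return { ok: false, reason: 'uid 0 is root' };
  }
  return { ok: true, uid: Number(uid) };
}

console.log(runAsNonRootCompatible(dockerfileByName));
console.log(runAsNonRootCompatible(dockerfileNumeric));
```

Setting runAsUser in the pod spec is the other way out, but a numeric USER in the image makes the non-root guarantee hold for every deployment of it, not only the ones whose manifest remembered the field.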

🌐 I18N

  • Removed languages with no translations at all: 🇵🇰, 🇱🇹 and 🇦🇲


v12.0.2

14 Sep 08:47

🐛 Bugfixes

  • Changed order of startup validations so that failed frontend compilation becomes obvious earlier
  • Fixed file downloads for custom themes causing potential Error: ENOENT: no such file or directory, copyfile issues
