Releases: juice-shop/juice-shop
v12.6.1
v12.6.0
This release contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release. Feedback on these features is particularly welcome via Gitter, Slack or by opening a GitHub issue.
🎲 Cheat Detection (🔬)
- Solved challenges now receive a cheat score which indicates the likelihood (`0..1`) of the user having cheated
- The average likelihood of the user having cheated in any challenges is exposed via Prometheus metrics as `juiceshop_cheat_score`
🎣 Solution Webhook
- Solution webhook payload now contains the `cheatScore` and `totalCheatScore`
- Removed the `evidence: null` property from the solution webhook payload
💾 Local Backup
- #1579: When restoring a local `JSON` backup all changes including hacking progress can now be applied immediately by clicking Apply changes now in the import success notification
🎨 Frontend
- #1276: Applied facelifted design to Order History and Token Sale screens (kudos to @cigar-galaxy82)
📈 Monitoring
- Added Cheat Score panel to Grafana dashboard `JSON` template consuming
🤝 Contributor QoL
- Added `.devcontainer.json` to pre-define plugins and settings for working on Juice Shop inside GitHub Codespaces
v12.5.0
This release brings significant changes to existing challenges (:zap:) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! This release also contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release.
🎨 Frontend
- #1276: Applied facelifted design to Accounting screen
- #1276: Harmonized design of Challenge Solved and Server Restarted notifications with `MatSnackBar` toasts
🎯 Challenges
- Changed default promotion video used in the Video XSS challenge to OWASP Membership ad video made by @nanzggits (:zap:)
⚙️ DevOps Automation
- CI/CD pipeline now uses timeouts and retries for some test steps to compensate for flakiness of tests, race conditions or other occasional irregularities
  - Unit tests step (in `test` job) times out after 10 minutes and is retried twice
  - Integration tests step (in `test` job) times out after 5 minutes and is retried twice
  - End-to-end step (in `e2e` job) times out after 20 minutes and is retried once
  - No timeouts or retries are configured for the `smoke` and `docker-smoke` jobs
- Added WebAppDefn specification `.config/webapp.yml` as proposed by the OSSF Security Tooling working group (🔬)
🐛 Bugfixes
- #1562: Charging of digital wallet without or with another user's credit card is now prevented on server side
🧹 Code Style/Linting
- Included `stylelint` module for linting and auto-fixing frontend SCSS files
🌐 I18N
- Extended 🇫🇮, 🇷🇴, 🇹🇷 and 🇨🇳 translations
🛄 Miscellaneous
- Marked both Juice Shop Adversary Trading Card products as deleted due to discontinuation of the "Adversary Trading Cards" CCG
v12.4.0
🎨 Frontend
- #1542: Migrated Angular frontend from version 10 to 11
🧹 Code Style/Linting
- Migrated frontend code linter from TSLint to ESLint based on `standard-with-typescript` configuration
- Migrated backend code linter from Standard to ESLint based on `standard` configuration
- Refactored code to comply with additional ESLint rules not present in previous TSLint/Standard linters
🐛 Bugfixes
- #1527: Fixed race condition between creation of PDF confirmation and wallet payment during checkout process
- #1525: Fixed memory leak in Score Board tutorial when waiting for DevTools
🛄 Miscellaneous
- #1547: Added distinct default user profile image for all admin accounts to set them apart from regular user accounts
- Rotated Juice Shop Artwork out of the available product inventory replacing it with Best Juice Shop Salesman Artwork
- Added new user `stan@juice-sh.op` to userbase prepopulated on startup
- #1440: Updated `file-types` dependency to latest major version (kudos to @cigar-galaxy82)
v12.3.0
🚀 Features
- The `security.txt` is now accessible from both URLs officially defined in the corresponding RFC draft
- The `security.txt` now also contains the `Preferred-Languages` and `Expires` properties
🎒 Tutorials
- #1524: Added option to helper functions allowing case insensitive input checks (kudos to @cnotin)
- #1524: Fixed skipped steps in Login Bender and Login Jim tutorials (kudos to @cnotin)
- #1526: Hint speech bubbles can now be placed after the fixture element with `fixtureAfter: true` (kudos to @cnotin)
- #1526: Reduce frequency of hint speech bubbles blocking input elements or menu items by using `fixtureAfter` (kudos to @cnotin)
🐛 Bugfixes
- #1516, #1517: User session residue is now cleaned up properly (kudos to @cnotin)
- #1519: Fix items counter being displayed as zero after login even when basket contained items (kudos to @cnotin)
- #1533: Product quantity limit is now applied on a per-order basis instead of a per-user basis (kudos to @cnotin)
- #1538: Delay search for security question by 1 second after last keystroke in Forgot Password screen
- #1536: Fixed visual glitch with horizontal dividers on My Payment Options screen (kudos to @MarcRler)
v12.2.1
⚙️ DevOps Automation
- Swap out GitHub Action for uploading release assets with one that works with existing `draft` releases in matrix builds
- Automatic mirroring of release artifacts to SourceForge (https://sourceforge.net/projects/juice-shop) has been restored
v12.2.0
⚙️ DevOps Automation
- #1530: Replaced Travis-CI with GitHub Actions based CI/CD pipeline
- Docker `latest`, `snapshot` and `v*.*.*` images are now published for platforms `linux/amd64`, `linux/arm/v7` and `linux/arm64`
- Automatic mirroring of release artifacts to SourceForge (https://sourceforge.net/projects/juice-shop) is no longer available (⚠️)
- Packaged `.tgz` archives for `linux/arm64` are no longer provided (⚠️) in favor of `linux/arm64` Docker images
🗣️ Chatbot
- Added new chatbot utterances (e.g. for the official theme song of the shop)
- Reduced threshold for fuzzy matching of product price requests to produce hits earlier and make multi-match results occur at all
🐛 Bugfixes
- #1514: Fixed server crash upon notifying an unreachable `SOLUTIONS_WEBHOOK` URL
- #1512: Avoid accidental solve of View Basket challenge for Basket IDs that became `NaN` (kudos to @cnotin)
🛅 Miscellaneous
v12.1.1
🎯 Challenges
- a0feeb8: Rephrased White-/Blacklist into Allow-/Blocklist in all affected challenges, corresponding hints as well as in entire code base
🔒 Security
- #1471: Payments from wallets with insufficient funds for purchase are now rejected on client- and server-side (kudos to @grijul)
- #1498: Credit card numbers are now returned in masked form by the API instead of masking on the client (kudos to @PranjalAgni)
🎨 User Interface
- #1496: Slightly improved responsiveness of Score Board to have less off-screen elements and not hide columns prematurely
v12.1.0
⚙️ DevOps Automation
- #1470: Added startup time metrics to Prometheus endpoint and Grafana dashboard template in `monitoring/grafana-dashboard.json`
- #1478: Added customization time metrics to Prometheus endpoint
- Failing `Arm64`-based build jobs will now break the CI/CD build again
🎯 Challenges
- Seal accidental leakage of 2FA secret via some administrative API endpoint (now handled identically to password)
- #1469: Close loophole that allowed a too easy solve of the "Deluxe Fraud" challenge
🐛 Bugfixes
- #1466: Fix typo in DB property preventing retrieval of existing shopping baskets
- f95cb15: Hide "Show tutorials only" button on Score Board if Hacking Instructor is not even enabled
- #1478: Refactored various startup preparations into `async`/`await` code and parallelize as much as possible
- #1474: Fixed contrast issues for captions on Photo Wall in all light-background themes
- Fixed issue with sold-out/quantity-left ribbon preventing clicks to open Product Details dialogs
🐳 Docker
- #1467: Update Docker container user to work properly with the `runAsNonRoot` flag in Kubernetes
🌐 I18N
- Removed languages with no translations at all: 🇵🇰, 🇱🇹 and 🇦🇲