Releases: flatcar/nebraska

nebraska-helm-2.0.0

03 Dec 08:30
dc75164

Nebraska is an update manager for Flatcar Container Linux.

Nebraska 3.0.0 - Semantic Versioning Correction

03 Dec 08:27
3.0.0
044f5f5

Important Notice

Version 2.13.0 was released with breaking OIDC changes that should have been v3.0.0 per Semantic Versioning.

v3.0.0 contains functionally identical code to v2.13.0 - only the version number and documentation have changed.

What You Should Do

If you're on v2.13.0:

  • You already completed the OIDC migration
  • Updating to v3.0.0 is optional (no code/config changes)
  • Recommended: Update to align with proper versioning

If you're on v2.12.0 or earlier:

For new deployments:

  • Use v3.0.0

Breaking Changes (Same as 2.13.0)

  • OIDC Authentication: Complete refactor
    • Removed: --oidc-client-secret, --oidc-valid-redirect-urls, --oidc-session-secret, --oidc-session-crypt-key
    • Removed: GET /login, POST /login/token
    • Changed scopes: openid,offline_access → openid,profile,email
    • See OIDC Migration Guide

We apologize for this versioning mistake.

See previous release: https://github.com/flatcar/nebraska/releases/tag/2.13.0
Full Changelog: 2.13.0...3.0.0

nebraska-helm-1.7.0

22 Oct 14:31
15d4265

Nebraska is an update manager for Flatcar Container Linux.

2.13.0

22 Oct 07:13
2.13.0
3a99a81

This release was incorrectly versioned. It contains breaking changes that should have triggered a major version bump.

Please use v3.0.0 instead (identical code, correct versioning).

Breaking Changes

  • OIDC Authentication: A complete refactor of OIDC auth that ⚠️ requires migration (see OIDC Migration Guide) ⚠️
    • Removed configuration options:
      • --oidc-client-secret / NEBRASKA_OIDC_CLIENT_SECRET - OIDC now requires public client type
      • --oidc-valid-redirect-urls - No longer needed with direct frontend flow
      • --oidc-session-secret / NEBRASKA_OIDC_SESSION_SECRET - Backend is now stateless
      • --oidc-session-crypt-key / NEBRASKA_OIDC_SESSION_CRYPT_KEY - No server-side sessions
    • Removed API endpoints:
      • GET /login - Frontend initiates OIDC flow directly with provider
      • POST /login/token - Password grant type no longer supported
      • GET /login/cb now returns 501 for OIDC mode (GitHub mode only)
    • Changed default scopes: From openid,offline_access to openid,profile,email
    • Migration requirements:
      • OIDC provider must be reconfigured from confidential to public client type
      • CORS must be enabled for Nebraska domain on OIDC provider if it is not hosted under the same domain
      • Recommended: Enable session cookies on OIDC provider for seamless SSO re-authentication
        • Configure SSO session duration to 8-12 hours (idle timeout) and 1-7 days (maximum lifetime) based on your security requirements
        • Keycloak: Configure "SSO Session Max" and "SSO Session Idle Timeout" under Realm Settings → Sessions
        • Auth0: Configure "Maximum Session Lifetime" and "Idle Session Lifetime" under Tenant Settings → Advanced → Session Expiration
        • Note: These SSO session attributes are often already set by default
      • When access tokens get lost after page refresh, the OIDC provider automatically re-authenticates users if SSO session is still active (no password re-entry required)
      • Recommended: Configure OIDC provider access token expiration to 1-8 hours (should be less than the SSO maximum session lifetime)

Security

  • OIDC Implementation Refactor - Authorization Code Flow with PKCE (nebraska#642)
    • Tokens no longer exposed in server logs or query parameters
    • Frontend handles OIDC flow directly with identity provider using PKCE (Proof Key for Code Exchange)
    • In-memory token storage prevents XSS vulnerabilities
    • Stateless backend architecture eliminates session storage related vulnerabilities
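
The PKCE exchange named above, as an added example (not Nebraska's own code): the public client creates a verifier and sends only its S256 challenge, and the provider later checks the verifier at the token endpoint. It uses Node's crypto module so it runs offline; the function names, endpoint, client ID and redirect URI are hypothetical placeholders.

```javascript
// Added illustration of Authorization Code Flow with PKCE (RFC 7636, S256).
// Not Nebraska code; endpoint, client ID and redirect URI are placeholders.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const b64url = (buf) => buf.toString('base64url');

// Client: 32 random bytes give a 43-character verifier, kept only in memory.
function newCodeVerifier() {
  return b64url(randomBytes(32));
}

// Client: challenge = BASE64URL(SHA-256(ASCII(verifier))).
function codeChallengeS256(verifier) {
  return b64url(createHash('sha256').update(verifier, 'ascii').digest());
}

// Client: authorization request for a public client (no client_secret).
function buildAuthorizationUrl({ authorizeEndpoint, clientId, redirectUri, verifier, state }) {
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: 'openid profile email', // default scopes named in these notes
    state,
    code_challenge: codeChallengeS256(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return url;
}

// Provider: at the token endpoint, recompute the challenge from the
// presented verifier and compare it with the one stored for the code.
function providerAcceptsVerifier(storedChallenge, presentedVerifier) {
  // RFC 7636 limits the verifier to 43-128 unreserved characters.
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(presentedVerifier)) return false;
  const a = Buffer.from(storedChallenge);
  const b = Buffer.from(codeChallengeS256(presentedVerifier));
  return a.length === b.length && timingSafeEqual(a, b);
}
```

An intercepted authorization code is useless without the verifier, which is why the flow no longer needs a client secret.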

Changed

  • helm/postgresql: temporarily overwrite PostgreSQL subchart images to the Bitnami Legacy registry (bitnamilegacy/*) to restore Helm chart deployments after Bitnami Docker Hub deprecations. This is a short-term workaround only; Bitnami Legacy images are archived and will not receive security updates.
  • backend: OIDC authentication refactored to use standard SPA authentication pattern with stateless JWT validation (nebraska#642)
  • frontend: Implements OIDC Authorization Code Flow with PKCE directly, removing backend proxy (nebraska#642)
  • api: Note that oidcCookieAuth security scheme in OpenAPI spec was never implemented and should be removed in future cleanup

Full Changelog: 2.12.0...2.13.0

2.12.0

28 Aug 12:23
2.12.0
647db51

Breaking Change

  • ⚠️ PostgreSQL 17.x is now the tested and default version. ⚠️ For existing Kubernetes deployments, you might need to perform a manual intervention (see: charts/nebraska/README.md) (nebraska#1088)

Security

  • form-data → v4.0.4
    • Fixes CVE-2025-7783 (GHSA-fjxv-7rqg-78g4): Critical vulnerability (CVSS 9.4) where form-data uses Math.random() for selecting multipart/form-data boundary values. This predictable randomness could allow attackers to inject additional parameters into requests (HTTP Parameter Pollution), potentially making arbitrary requests to internal systems. Affected versions: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3. Fixed in: 2.5.4, 3.0.4, 4.0.4. Updated via npm audit fix. (#1146)
  • github.com/go-viper/mapstructure/v2 → v2.3.0
    • Fixes GHSA-fv92-fjc5-jj9h: Prevents sensitive information leakage in error messages during type conversion failures (#1099)

Added

  • helm: add ability to specify extra annotations and labels for pods, PVCs, ingress, deployments, and other resources (nebraska#1097)

Changed

New Contributors

Full Changelog: 2.11.0...2.12.0

nebraska-helm-1.6.0

28 Aug 13:36
c8b19fd

Nebraska is an update manager for Flatcar Container Linux.

Potential Breaking Change

⚠️ PostgreSQL 17.x is now the tested and default version. ⚠️ For existing Kubernetes deployments, you might need to perform a manual intervention (see: charts/nebraska/README.md) (#1088)

nebraska-helm-1.5.1

03 Jul 17:32
543c16a

Nebraska is an update manager for Flatcar Container Linux.

nebraska-helm-1.5.0

02 Jul 12:46
9474759

Nebraska is an update manager for Flatcar Container Linux.

2.11.0

17 Jun 13:58
2.11.0
78b1c14

Security

  • Dependency Audit & Vulnerability Mitigation:
    • In pursuit of a clean npm audit result free of vulnerabilities, removed legacy CRA/Webpack dependencies that relied on unmaintained libraries and posed ongoing security risks. See the Internal / Maintenance Notes for further details.
  • golang.org/x/net → v0.38.0
  • golang.org/x/crypto → v0.35.0
    • Patches CVE-2025-22869 in SSH server implementations to prevent DoS via untransmitted pending content (#1001)

Added

  • Tooling Upgrades:
    • Migrated the build system from Webpack (CRA) to Vite to achieve faster build time and modern native ES module support.
  • Add new_release.md template based on Flatcar release guidelines (#1002)

Changed

  • TypeScript Enhancements:
    • Simplified the tsconfig.json file and enabled stricter type-checking settings.
    • Addressed some newly surfaced TypeScript warnings and errors
  • Bump Helm chart versions: app → v2.10.0, charts → v1.3.0 (#1012)

Internal / Maintenance Notes

  • The legacy CRA/Webpack setup, although reliable in the early stages, has become increasingly difficult to maintain due to slow update cycles and performance inefficiencies.
  • Transitioning to Vite and Vitest was driven by the need for a modern build and testing environment that offers faster development cycles, improved maintainability, and a cleaner security profile.
  • Switched from Jest to Vitest to leverage a Vite-native testing environment, enhancing overall developer experience with faster test cycles.
  • Upgraded React Router to v7 (#1048)
  • Improved HMR
  • Updated and standardized ESLint and Prettier configurations.
  • Removed the deprecated headlamp dependency.
  • Introduced eslint.config.js to centralize and simplify linting rules.
  • Moved index.html from the public/ folder to the root (frontend/) to better align with Vite’s optimal project structure and optimized the file for Vite usage.
  • Reformatted and cleaned up End-to-End (E2E) test files to enhance clarity and consistency.
  • Add badges to README for CI/status/integration (#993)

Refactors & Improvements

  • MUI Upgrade:

  • Icon Management:

    • Refactored the icon builder to utilize the new Iconify API for improved performance and maintainability.
  • General Codebase Improvements:

    • Optimized import arrangements and removed unused parameters across multiple functions.
    • Enhanced the package.json scripts for development, testing, and build processes.
    • Updated various minor and major dependencies to maintain compatibility and stability.

New Contributors

Full Changelog: 2.10.0...2.11.0

nebraska-helm-1.4.0

17 Jun 15:32
94656cc

Nebraska is an update manager for Flatcar Container Linux.