| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| README.md | 2026-05-21 | 411 Bytes | |
| Version 1.25.4 source code.tar.gz | 2026-05-21 | 331.7 kB | |
| Version 1.25.4 source code.zip | 2026-05-21 | 402.9 kB | |
| Totals: 3 Items | 735.0 kB | 0 | |
Security: fixes stored XSS in avatar.Proxy by rejecting non-image avatar content before storage and before serving. Also adds CSP/nosniff headers, WebP-safe validation, ETag parsing fixes, and decompression-bomb checks. Credit to @paskal.
Changes since v1.25.3
- [#290] prevent stored XSS via avatar content-type spoofing
Full Changelog: https://github.com/go-pkgz/auth/compare/v1.25.3...v1.25.4