1.5.9February 28, 2026
Full Project Re-Audit Fixes
6 changes
Security3 items
- CSRF tokens now session-bound — HMAC includes session JWT fingerprint (OWASP Signed Double-Submit Cookie)
- CI pipeline blocks on high/critical npm audit findings (was advisory-only)
- Production PostgreSQL TLS upgraded to sslmode=verify-full (CA cert verification)
Infrastructure2 items
- Added turbopack.root config to resolve multiple lockfile detection warning
- Added TruffleHog secret scanning and Anchore SBOM generation to CI pipeline
Improvement1 item
- CSRF documentation updated across all files to accurately describe session-bound HMAC model