Version 2.10.0 Release Notes

Released: January 27, 2025

Overview

Version 2.10.0 represents a comprehensive security audit and performance overhaul of the Plugged.in platform. This release addresses ALL critical vulnerabilities identified by GitHub’s security scanning tools while delivering significant performance improvements.

Key Highlights

Security Audit

Complete resolution of all CodeQL findings and security vulnerabilities

Performance Boost

40% reduction in bundle size and 10x faster database queries

Encryption Overhaul

Migration from bcrypt to argon2 with enhanced key management

UI Improvements

Simplified Custom Instructions and better error handling

Security Enhancements

Vulnerability Fixes

Encryption System Overhaul

The entire encryption system has been redesigned for better security:
// Old system (deprecated): bcrypt with cost factor 10
bcrypt.hash(password, 10)

// New system: Argon2id with 64 MiB of memory, 3 passes and 4 lanes
argon2.hash(password, {
  type: argon2.argon2id,
  memoryCost: 65536,   // KiB, i.e. 64 MiB
  timeCost: 3,
  parallelism: 4
})
Migration Features:
  • Automatic migration of existing passwords on next login
  • Secure token generation for password resets
  • Enhanced session management with rolling tokens
  • Encrypted storage for API keys and sensitive configuration

Content Security Policy

Implemented strict CSP headers:
Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'unsafe-inline' 'unsafe-eval';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https:;
  connect-src 'self' wss: https:;

Performance Improvements

Database Optimizations

Database queries are now up to 10x faster with new indexing strategies.

New Indexes Added

-- User lookup optimization
CREATE INDEX idx_users_email ON users(email);
CREATE INDEX idx_users_username ON users(username);

-- Server discovery optimization
CREATE INDEX idx_servers_profile_uuid ON mcp_servers(profile_uuid);
CREATE INDEX idx_shared_servers_is_public ON shared_servers(is_public);

-- Document search optimization
CREATE INDEX idx_docs_project_profile ON docs(project_uuid, profile_uuid);
CREATE INDEX idx_docs_created_at ON docs(created_at DESC);

Bundle Size Reduction

Achieved 40% reduction in JavaScript bundle size:
  1. Code Splitting: Implemented dynamic imports for heavy components
  2. Tree Shaking: Removed unused code and dependencies
  3. Compression: Enabled Brotli compression for static assets
  4. Image Optimization: Converted images to WebP format with lazy loading

Memory Management

  • Fixed memory leaks in WebSocket connections
  • Implemented connection pooling for database
  • Added garbage collection hints for large operations
  • Optimized React component re-renders

New Features

Simplified Custom Instructions UI

The Custom Instructions interface has been completely redesigned:
  • Cleaner Layout: Removed clutter and improved spacing
  • Better Validation: Real-time validation with helpful error messages
  • Auto-save: Changes are automatically saved as you type
  • Templates: Pre-built instruction templates for common use cases

Enhanced Error Handling

Standardized error responses across all API endpoints:
{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid input provided",
    "details": {
      "field": "email",
      "issue": "Invalid email format"
    }
  },
  "timestamp": "2025-01-27T12:00:00Z",
  "requestId": "req_abc123"
}

Improved Loading States

  • Skeleton loaders for better perceived performance
  • Progressive content loading
  • Optimistic UI updates
  • Background refresh indicators

Breaking Changes

These changes may require updates to your integrations.
  1. API Authentication: API keys are now sent as bearer tokens and must carry the Bearer prefix in the Authorization header
  2. Password Requirements: Minimum 12 characters (up from 8)
  3. Session Duration: Reduced to 7 days (from 30 days)
  4. Rate Limits: Stricter limits on authentication endpoints

Migration Guide

For Users

No action required. The platform will automatically:
  • Migrate your password on next login
  • Update your session tokens
  • Apply new security settings

For Developers

1. Update API Calls

// Old
headers: { 'X-API-Key': apiKey }

// New
headers: { 'Authorization': `Bearer ${apiKey}` }

2. Handle New Error Format

try {
  const response = await api.call();
} catch (error) {
  if (error.code === 'RATE_LIMITED') {
    // Handle rate limiting
  }
}

3. Update Password Validation

// Minimum 12 characters, 1 uppercase, 1 lowercase, 1 number
const passwordRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,}$/;

For Self-Hosted Instances

Run the migration script:
# Backup your database first
pg_dump pluggedin_prod > backup.sql

# Run migrations
pnpm db:migrate

# Run encryption migration
pnpm migrate:encryption

# Restart the application
systemctl restart pluggedin

Bug Fixes

  • Fixed race conditions in concurrent server discovery
  • Resolved memory leaks in real-time connections
  • Fixed infinite loop in recursive document processing
  • Corrected timezone handling in activity logs
  • Fixed file upload size validation
  • Resolved OAuth state management issues
  • Fixed duplicate notification delivery
  • Corrected collection sharing permissions

Technical Details

Dependencies Updated

Major dependency updates in this release:
Package                     Old Version   New Version
next                        15.0.0        15.5.2
@modelcontextprotocol/sdk   1.13.1        1.17.5
postgres                    3.4.0         3.4.7
bcrypt                      5.1.0         - (removed)
argon2                      -             0.31.2 (added)

Performance Metrics

Improvements measured in production:
  • Page Load Time: 2.1s → 1.2s (43% faster)
  • API Response Time: 150ms → 45ms (70% faster)
  • Database Queries: 500ms → 50ms (90% faster)
  • Bundle Size: 2.4MB → 1.4MB (40% smaller)
  • Memory Usage: 512MB → 320MB (37% reduction)

Known Issues

  • OAuth redirect may fail on Safari with strict privacy settings
  • Large document uploads (>50MB) may timeout on slow connections
  • Search indexing may lag during high traffic periods

Future Improvements

Planned for v2.11.0:
  • WebAuthn/Passkey support
  • Advanced threat detection
  • Real-time collaboration features
  • Enhanced mobile app
  • GraphQL API endpoint

Support

For help with this release:

Acknowledgments

Special thanks to:
  • The security research community for responsible disclosure
  • Our beta testers for performance testing
  • Contributors who helped with the security audit