Patch version.

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 51946e93c2efc830ef0206c3aeb2c9e6df9476bb..456d7edd92d6e5625a3177c2869cadfcf1f48401 100644 (file)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,63 @@ SPDX-FileCopyrightText: 2025 Chris Duncan <chris@zoso.dev>
 SPDX-License-Identifier: GPL-3.0-or-later
 -->
 
+## v4.1.5
+
+### Notable Changes
+
+#### Server hardening
+
+Security is an ongoing endeavor, and to that end, several improvements have been
+made to the NanoPow server implementation. First, the temporary HTML file
+written to disk to provide puppeteer with a secure context has been replaced
+with an intercepted request to load an invalid HTTPS URL which provides the
+secure context required by WebGPU while also mitigating a TOCTOU attack vector.
+Second, numerous Node `http` and `server` variables have been set with
+reasonable constant values to implement basic rate limiting and connection
+timeouts. Third, the server now listens on `localhost` instead of `::1` so that
+the IP address can be extracted; this works best in tandem with reverse proxy
+rules that can forward real IPs instead of potentially spoofed addresses.
+
+#### Bug fixes
+
+Some minor bugs included the comparison of the low 32 bits of each nonce to the
+difficulty and the device load loop that continuously checks for the GPU. These
+issues have been fixed.
+
+#### Performance improvements
+
+The `GPUBindGroup` was the same for both `work_generate` and `work_validate`
+pipelines, so it is now saved as a static variable, initialized once, and used
+for both. Compute results are also now initialized once as a static variable and
+reused throughout execution to avoid additional memory allocations. A call to
+`Math.random()` was eliminated by implementing a new "sliding randomness" value
+for each search seed. The NanoPow module is now cached as a puppeteer handle,
+and work calls are now split by action instead of using a generic evaluate
+function in order to avoid unnecessary JSON serialization. Finally, a trivial
+dispatch upon WebGPU load completion compiles and caches the compute shader
+prior to actual work calls.
+
+### Other Changes
+
+Reduce workgroup size to 64 to improve portability between GPU vendors.
+
+Capture logging over IPC from server process spawned by CLI.
+
+Lower timeout duration when tool is busy.
+
+Allow difficulty of zero.
+
+Throw an error if work to be validated does not match the nonce returned by the
+compute result.
+
+Add max HTTP header size limit to launch script to protect server process.
+
+Check more generate calls in test script, and reduce run size of benchmark.
+
+Tweak error messaging.
+
+
+
 ## v4.1.4
 
 ### Notable Changes

diff --git a/package-lock.json b/package-lock.json
index 2159e1a4d40f8e4609239f17e2ed47a6463a88a3..7db0b83c6fdecf84eaada6072fd10c650482d175 100644 (file)
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
        "name": "nano-pow",
-       "version": "4.1.4",
+       "version": "4.1.5",
        "lockfileVersion": 3,
        "requires": true,
        "packages": {
                "": {
                        "name": "nano-pow",
-                       "version": "4.1.4",
+                       "version": "4.1.5",
                        "license": "(GPL-3.0-or-later AND MIT)",
                        "bin": {
                                "nano-pow": "dist/bin/nano-pow.sh"

diff --git a/package.json b/package.json
index 0ebf9137f772f4b16e8744f0a21b430971b7447e..7690d406407f368b3fbe3f4e5d2b3a3d04bbb224 100644 (file)
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
        "name": "nano-pow",
-       "version": "4.1.4",
+       "version": "4.1.5",
        "description": "Proof-of-work generation and validation with WebGPU/WebGL for Nano cryptocurrency.",
        "keywords": [
                "nemo",