From: Chris Duncan Date: Tue, 22 Apr 2025 22:53:01 +0000 (-0700) Subject: Patch version. X-Git-Tag: v4.1.5^0 X-Git-Url: https://zoso.dev/?a=commitdiff_plain;p=nano-pow.git Patch version. --- diff --git a/CHANGELOG.md b/CHANGELOG.md index 51946e9..456d7ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,63 @@ SPDX-FileCopyrightText: 2025 Chris Duncan SPDX-License-Identifier: GPL-3.0-or-later --> +## v4.1.5 + +### Notable Changes + +#### Server hardening + +Security is an ongoing endeavor, and to that end, several improvements have been +made to the NanoPow server implementation. First, the temporary HTML file +written to disk to provide puppeteer with a secure context has been replaced +with an intercepted request to load an invalid HTTPS URL which provides the +secure context required by WebGPU while also mitigating a TOCTOU attack vector. +Second, numerous Node `http` and `server` variables have been set with +reasonable constant values to implement basic rate limiting and connection +timeouts. Third, the server now listens on `localhost` instead of `::1` so that +the IP address can be extracted; this works best in tandem with reverse proxy +rules that can forward real IPs instead of potentially spoofed addresses. + +#### Bug fixes + +Some minor bugs included the comparison of the low 32 bits of each nonce to the +difficulty and the device load loop that continuously checks for the GPU. These +issues have been fixed. + +#### Performance improvements + +The `GPUBindGroup` was the same for both `work_generate` and `work_validate` +pipelines, so it is now saved as a static variable, initialized once, and used +for both. Compute results are also now initialized once as a static variable and +reused throughout execution to avoid additional memory allocations. A call to +`Math.random()` was eliminated by implementing a new "sliding randomness" value +for each search seed. The NanoPow module is now cached as a puppeteer handle, +and work calls are now split by action instead of using a generic evaluate +function in order to avoid unnecessary JSON serialization. Finally, a trivial +dispatch upon WebGPU load completion compiles and caches the compute shader +prior to actual work calls. 
+ +### Other Changes + +Reduce workgroup size to 64 to improve portability between GPU vendors. + +Capture logging over IPC from server process spawned by CLI. + +Lower timeout duration when tool is busy. + +Allow difficulty of zero. + +Throw an error if work to be validated does not match the nonce returned by the +compute result. + +Add max HTTP header size limit to launch script to protect server process. + +Check more generate calls in test script, and reduce run size of benchmark. + +Tweak error messaging. + + + ## v4.1.4 ### Notable Changes diff --git a/package-lock.json b/package-lock.json index 2159e1a..7db0b83 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "nano-pow", - "version": "4.1.4", + "version": "4.1.5", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "nano-pow", - "version": "4.1.4", + "version": "4.1.5", "license": "(GPL-3.0-or-later AND MIT)", "bin": { "nano-pow": "dist/bin/nano-pow.sh" diff --git a/package.json b/package.json index 0ebf913..7690d40 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "nano-pow", - "version": "4.1.4", + "version": "4.1.5", "description": "Proof-of-work generation and validation with WebGPU/WebGL for Nano cryptocurrency.", "keywords": [ "nemo",
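Review bot: In the "Server hardening" paragraph of the v4.1.5 CHANGELOG entry, "numerous Node `http` and `server` variables have been set with reasonable constant values" names no setting and no value, so an operator cannot tell which limits and timeouts now apply or configure a reverse proxy to match; list each setting with its value. The same paragraph should state where the server takes the client IP from and that a forwarded address is only trustworthy when the server is reachable solely through the proxy, since the `localhost` sentence already concedes that addresses can be spoofed. Under "Bug fixes", "the comparison of the low 32 bits of each nonce to the difficulty" is called minor without saying how it affected generated or validated work; state the impact so users of v4.1.4 know whether earlier results need re-checking. The three empty added lines before `## v4.1.4` can be reduced to one.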
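Review bot: The `"version"` change in package.json from 4.1.4 to 4.1.5 is a patch bump, yet the CHANGELOG entry in this same commit lists caller-visible behaviour changes: an error is now thrown when work to be validated does not match the nonce returned by the compute result, a difficulty of zero is now allowed, and the server listens on `localhost` instead of `::1`. Either confirm in the changelog that these are backwards compatible for existing callers and deployments, or consider a minor version bump.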