Skip to content
← Back to release notes
v0.65.11 stable

Release v0.65.11

May 12, 2026

Several small reliability fixes across the dashboard, API, and hosting configuration.

Improved

  • The API now requires the hosted-vs-self-hosted mode to be set explicitly in production. A misconfigured hosted deployment that silently fell through to self-hosted defaults was the root cause of an earlier issue where new accounts could reach an active state without verifying their email; this is a defense-in-depth fix that refuses to start the server if the mode isn't explicitly set.
  • Codified our policy that automated container updates must never apply to the API or dashboard images. The repository's compose files are scanned in CI to reject the relevant configuration, so the policy can't drift over time.
  • Corrected the self-hosted upgrade guide. The instructions for setting the new application encryption key told operators to reuse their existing JWT secret, which the production validator (correctly) refuses; the docs now match what the validator expects.

Fixed

  • Fixed the Software Inventory "Actions" dropdown being invisible when a search returned exactly one row. The menu was being clipped by the table container; it now floats above the table and stays on-screen near the right edge.
  • Fixed the software catalog versions endpoint returning a 500 error for entries that have a file size recorded. The file size value was being returned in a JavaScript type that doesn't serialize to JSON, which made the upload wizard show "No versions" for affected catalog entries.
  • Fixed stale watchdog binaries retrying authentication forever after the security hardening release. The API now responds with a clearer signal that tells the watchdog to back off and re-enroll, so old credentials don't churn against the server indefinitely.
  • Fixed an OAuth cleanup job throwing an internal error during scheduled maintenance because of a date-binding type mismatch. The expired-token sweep now completes cleanly.
  • Fixed organization create and delete in the dashboard occasionally showing a misleading error state when an unrelated sidebar refresh hiccuped. The success or failure of the actual create or delete is no longer affected by the sidebar refresh.
  • Hardened the recovery-readiness scheduler against malformed organization identifiers from seed data, preventing silent corruption of readiness scores.

A maintenance release with a handful of small reliability fixes across the dashboard, API, and hosting configuration. The user-visible items are the Software Inventory dropdown becoming visible again on single-result searches, the software catalog versions endpoint no longer 500-ing on entries with a recorded file size, and a cleaner error path when stale agent credentials retry after the recent security hardening.

For self-hosted operators, the upgrade guide for the new application encryption key has been corrected — the previous version told you to reuse your JWT secret, which the production validator (correctly) refuses. Generate a fresh key as documented and the upgrade goes through.