mehalter/camofox-browser
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages 1 Wiki Activity Actions

chore(deps): update dependency jo-inc/camofox-browser to v1.8.0 #5

Merged
mehalter merged 1 commit from renovate/jo-inc-camofox-browser-1.x into main 2026-04-27 17:16:47 -04:00
Conversation 0 Commits 1 Files changed 1 +1 -1
renovate-bot commented 2026-04-27 17:01:23 -04:00
Collaborator
Copy link

This PR contains the following updates:

Package Update Change
jo-inc/camofox-browser minor 1.7.41.8.0

Release Notes

jo-inc/camofox-browser (jo-inc/camofox-browser)

v1.8.0: — Global Access Key, Memory Leak Fix

Compare Source

Global Access Key

CAMOFOX_ACCESS_KEY env var — by @​trader-payne (#​586)

If you expose camofox beyond loopback — on a VPS, in a Docker network, behind a reverse proxy — you've needed to rely on network-level controls or CAMOFOX_API_KEY (which only gates cookie import). There was no single switch to require auth on every route.

Set CAMOFOX_ACCESS_KEY and every request must carry Authorization: Bearer <key>. Three routes are conditionally exempt:

  • GET /health — always open (Docker/Fly healthchecks need it)
  • POST /sessions/:userId/cookies — exempt only when CAMOFOX_API_KEY is also set (has its own gate)
  • POST /stop — exempt only when CAMOFOX_ADMIN_KEY is also set (has its own gate)

If the dedicated key for an exempted route is not configured, the access key still gates it — defense-in-depth, no accidentally unprotected endpoints.

The access key also works as a superkey on requireAuth() routes, so you don't need two tokens in a single request. 401 responses include WWW-Authenticate: Bearer realm="camofox" per RFC 7235. Env var values are whitespace-trimmed to prevent copy-paste mistakes.

Fully opt-in. If you don't set the env var, nothing changes.

Native Memory Leak Fix

browser.close() had a race condition that could lose the browser PID, leaving orphaned Firefox child processes alive after the context was torn down. On long-running servers this compounded — ~930MB leaked per orphaned browser tree.

Three fixes: closeBrowserFully() serializes concurrent close calls with a shared promise so the PID is never lost, _forceKillProcessTree() walks /proc to find and SIGKILL orphaned children that escaped the process group, and cleanupStaleFirefoxProfiles() sweeps leftover temp directories from enable_cache: true sessions on startup.

Fixes & Improvements

  • Crash reporter noise reduction: stable dedup signatures, active-tab gate, per-type rate limits, sleep/suspend false-positive suppression
  • npm publishing via OIDC trusted publishing — provenance attestations on every release, no NPM_TOKEN secret
  • Docker images published to GHCR on release: docker pull ghcr.io/jo-inc/camofox-browser:1.8.0

Thank You

Thanks to @​trader-payne for the access key feature.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [jo-inc/camofox-browser](https://github.com/jo-inc/camofox-browser) | minor | `1.7.4` → `1.8.0` | --- ### Release Notes <details> <summary>jo-inc/camofox-browser (jo-inc/camofox-browser)</summary> ### [`v1.8.0`](https://github.com/jo-inc/camofox-browser/releases/tag/v1.8.0): — Global Access Key, Memory Leak Fix [Compare Source](https://github.com/jo-inc/camofox-browser/compare/v1.7.4...v1.8.0) #### Global Access Key `CAMOFOX_ACCESS_KEY` env var — by [@&#8203;trader-payne](https://github.com/trader-payne) ([#&#8203;586](https://github.com/jo-inc/camofox-browser/issues/586)) If you expose camofox beyond loopback — on a VPS, in a Docker network, behind a reverse proxy — you've needed to rely on network-level controls or `CAMOFOX_API_KEY` (which only gates cookie import). There was no single switch to require auth on every route. Set `CAMOFOX_ACCESS_KEY` and every request must carry `Authorization: Bearer <key>`. Three routes are conditionally exempt: - `GET /health` — always open (Docker/Fly healthchecks need it) - `POST /sessions/:userId/cookies` — exempt only when `CAMOFOX_API_KEY` is also set (has its own gate) - `POST /stop` — exempt only when `CAMOFOX_ADMIN_KEY` is also set (has its own gate) If the dedicated key for an exempted route is *not* configured, the access key still gates it — defense-in-depth, no accidentally unprotected endpoints. The access key also works as a superkey on `requireAuth()` routes, so you don't need two tokens in a single request. 401 responses include `WWW-Authenticate: Bearer realm="camofox"` per RFC 7235. Env var values are whitespace-trimmed to prevent copy-paste mistakes. Fully opt-in. If you don't set the env var, nothing changes. #### Native Memory Leak Fix `browser.close()` had a race condition that could lose the browser PID, leaving orphaned Firefox child processes alive after the context was torn down. On long-running servers this compounded — \~930MB leaked per orphaned browser tree. Three fixes: `closeBrowserFully()` serializes concurrent close calls with a shared promise so the PID is never lost, `_forceKillProcessTree()` walks `/proc` to find and SIGKILL orphaned children that escaped the process group, and `cleanupStaleFirefoxProfiles()` sweeps leftover temp directories from `enable_cache: true` sessions on startup. #### Fixes & Improvements - Crash reporter noise reduction: stable dedup signatures, active-tab gate, per-type rate limits, sleep/suspend false-positive suppression - npm publishing via OIDC trusted publishing — provenance attestations on every release, no `NPM_TOKEN` secret - Docker images published to GHCR on release: `docker pull ghcr.io/jo-inc/camofox-browser:1.8.0` #### Thank You Thanks to [@&#8203;trader-payne](https://github.com/trader-payne) for the access key feature. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDkuNSIsInVwZGF0ZWRJblZlciI6IjQzLjEwOS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZSJdfQ==-->
chore(deps): update dependency jo-inc/camofox-browser to v1.8.0
All checks were successful
Build Docker Image / build (pull_request) Successful in 11m14s
Details
Build Docker Image / build (push) Successful in 9m32s
Details
38fe87a55a
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
mehalter
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
mehalter/camofox-browser!5
No description provided.