Releases: ElementsProject/cln-application

Release v25.07.3

29 Oct 23:20
v25.07.3

  • Fixes error thrown for single sign-on setup
  • Hides login/logout/reset options with SSO

Release v25.07.2

10 Sep 14:17

Adds missing ws library dependency required for the backend.

The dependency was working before with npm install, but it broke after we moved to the npm ci command instead. Now the backend server requires explicit installation of ws to run.

Release v25.07.1

09 Sep 03:56

Summary

This release implements an urgent, proactive mitigation against a widespread npm ecosystem threat involving malicious code in popular packages.

Important Context

While the application does not directly use these compromised packages, they are indirect dependencies pulled in by other libraries. Crucially, our existing package-lock.json did not include the known infected versions. However, the volatile nature of the npm registry means that a fresh npm install performed today could potentially pull in a malicious version. This release eliminates that risk.

This update is a temporary safeguard to ensure continuous protection while the situation remains active and upstream maintainers work on permanent solutions.

Action Taken

We have implemented mandatory dependency overrides to enforce known secure versions of all at-risk packages across our entire dependency tree. The overrides:

  • Force npm to ignore vulnerable version ranges specified by any indirect dependency.
  • Pin and guarantee the use of audited, safe versions.
  • Protect the application from the specific data exfiltration and credential theft attempts executed by the compromised packages.

Required User Actions

To apply this critical mitigation, users must perform a clean installation. Please follow these steps precisely:

  • Ensure you are on the latest version
  • Run npm ci, which uses the updated lockfile to ensure exact, secure versions
  • Rebuild the application with npm run build
  • Remove development dependencies with npm prune --omit=dev
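
One way to confirm that the pins actually took effect before running npm ci is to compare every copy of an overridden package in package-lock.json with its pinned version. The script below is an added example, not code from the cln-application repository; it assumes the pins are declared in the npm overrides field of package.json, and the package names are placeholders because these release notes do not list the affected packages.

```javascript
// Constructed sample data. The package names are placeholders: the release
// notes do not list the packages that were actually overridden.
const samplePackageJson = {
  overrides: {
    'example-color-lib': '1.4.0',
    'example-debug-lib': '4.3.4',
    '@example/strings': { '.': '2.0.0' }, // nested form, not checked below
  },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '0.0.0' },
    'node_modules/example-color-lib': { version: '1.4.0' },
    'node_modules/example-debug-lib': { version: '4.3.4' },
    // A nested copy that escaped the pin: this is what the audit must catch.
    'node_modules/some-parent/node_modules/example-color-lib': { version: '1.4.1' },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; root entry -> null.
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Compare every installed copy of an overridden package with its exact pin.
// Assumption: only flat overrides with exact versions are verified; ranges
// and nested override objects are returned as "unchecked".
function auditOverrides(packageJson, packageLock) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  const pins = new Map();
  const unchecked = [];
  for (const [name, spec] of Object.entries(packageJson.overrides || {})) {
    if (typeof spec === 'string' && exact.test(spec)) pins.set(name, spec);
    else unchecked.push(name);
  }
  const violations = [];
  for (const [path, entry] of Object.entries(packageLock.packages || {})) {
    const expected = pins.get(nameFromLockPath(path));
    if (expected !== undefined && entry.version !== expected) {
      violations.push({ path, found: entry.version, expected });
    }
  }
  return { violations, unchecked };
}

console.log(JSON.stringify(auditOverrides(samplePackageJson, sampleLock), null, 2));
```

To run it against a real checkout, replace the two sample objects with the parsed contents of package.json and package-lock.json; a non-empty violations list means the lockfile still resolves a copy outside the pin.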

Next Steps & Long-Term Solution

This override is a defensive best practice to ensure security. We are actively monitoring the official npm repositories for permanent patches and statements from the affected package maintainers. We will issue a subsequent update to remove these overrides and upgrade all dependencies to their official, stable versions as soon as they become available and are vetted.

References

For an in-depth analysis of the vulnerability and the discovered malicious code, please read the original disclosure:
https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the

Release v25.07

14 Jul 19:09
v25.07

  • Environment Variables Overhaul – Updated and streamlined environment variables for improved configuration and usability
  • Wallet Connection Screen Redesign – Revamped the wallet connection screen to support the new environment variables and standard Core Lightning connection URIs
  • Commando over Secure WebSocket – Added support for running Commando over secure WebSocket (e.g. wss-proxy) connections
  • Git Optimization – Removed pre-compiled folders (build, dist) from Git tracking to reduce repository clutter
  • Misc UX Enhancements:
    • Removed version and commit suffix from node aliases for a cleaner display
    • Updated BKPR date format from YYYY-MM-DD to UI standard DD MMM, YYYY
    • Fixed inconsistent screen widths in graph displays
    • Added infinite scroll support for BTC Transactions, CLN Offers, and CLN Transactions

Release v0.0.7

28 May 19:55
v0.0.7

  • Adding long-awaited Bookkeeper graphs for:
    • Account Events
    • Sats Flow
    • Volume
  • New SQL Terminal to run SQL queries directly from the UI
  • Connect wallet modal shows clnrest and cln-grpc information too
  • Migrated from application context to redux store
  • Enhanced GitHub workflows

Contributors @evansmj and @Crypto4udit.
Special thanks to @evansmj for Bookkeeper UI.

Release v0.0.6

07 Sep 02:58
v0.0.6
4399d8c

Bug fix: Change uppercase invoices and offers to lowercase

Enhancement: Create and Display Invoice Rune on Connect Wallet

Deprecation: Resolve commando-rune deprecation and use createrune instead

Release v0.0.5

22 May 01:54

Enhancement: Added gRPC options on connect wallet
Enhancement: Make env.sh compatible with zsh
Enhancement: Adding test data and more tests

Bug fix: RC version compatibility check
Bug fix: Channel opening error
Bug fix: Fix empty transactions channel helper text

Version compatibility: listpeers no longer returns channel[] after 24.02; update to listpeerchannels
Version compatibility: Remove msatoshi_received, msatoshi, msatoshi_sent from Payments

Release v0.0.4 - User Authentication

31 Aug 00:49
3ab11c8

Bug fix: Filter lnmessage's pubkey from peers list
Enhancement: Add support for more fiat currencies
Enhancement: User Authentication
- Default singleSignOn is false, which means that the user will be prompted to set (first time) or enter the password
- The user can opt out by setting env variable SINGLE_SIGN_ON to true OR by setting singleSignOn to true in config.json
- Environment variables take precedence over config values

Release V0.0.3

22 May 08:52
d53e195

Bug fix: Invalid Rune
Bug fix: Spendable/Receivable are shown as NaN if undefined
Enhancement: Updates for CLN v23.05 msat migration
Enhancement: Add Offers list view
Enhancement: Add Tor option for lnmessage on connect wallet

Release v0.0.2

18 May 03:49

  • Updated connect wallet to show Device domain name instead of IP.
  • Added new environment variable as PROTOCOL.
  • Adding application version.
  • Fixed other style bugs.