Release 14.2.0

[sulkaharo]

Welcome to Release 14.2 Sweet Liquorice!

This release focuses on improving the overall security of Nightscout. 14.2 adds a new method for Nightscout to notify you of various security issues in your setup. After upgrading to the this release, if Nightscout wants to tell you something about the system security, you'll see a red megaphone appear in the Nightscout web client. To see the messages, you'll have to sign in using your API-SECRET or a token that's got administration privileges. Full details of the messages can be found in the Nightscout documentation: https://nightscout.github.io/nightscout/security/

Advance warning regarding future releases: we are likely to make compatibility breaking changes in upcoming releases that will change how the authentication flows with the Nightscout API works, along with changes to validation of data sent to Nightscout. If you're an app developer and are using the Nightscout APIs in your application, please join our Discord channel to learn about the changes are they're implemented. You can join the channel here: https://discord.gg/zg7CvCQ

Nightscout translations are now made in Crowdin. This is very easy even for non-technical folks, so please join and contribute! https://crowdin.com/project/nightscout

Note if you're running your instance with a very old MongoDB version, your installation might break. We've tested the release using MongoDB 4.2 and 4.4.

New Features and Improvements

• Administration messages support
• Bolus bubble rendering in Nightscout UI is now more configurable, see the new Settings in the client settings panel
• You can now configure Nightscout to disable battery alarms during night
• Security improvement: treatments and CGM entries sent over the REST API V1 are now filtered for XSS injection code
• A lot of work has been put into localization, huge thanks to all the contributors
• Reports now remember the settings you've chosen across sessions
• Alexa integration now supports Spanish
• Fixed a bug with AAPS updating CGM values after Dexcom rounds the value
• Added support for Portuguese and Slovenian
• Support for Traditional Chinese has been removed until we find a contributor to help with translating more of the software. The next release will remove support for Japanese unless a larger portion of the text has been translated by time of release.

For developers

• APIV3 results are now wrapped differently from before
• Webpack was upgraded to V5
• Client JS bundling was simplified to just one bundle, cutting down bundling time to ~50% of current
• Removed cache invalidation token from bundling process and generating it on server boot
• Security improvement: generate strong persistent random string on deploy to use for JWT signing instead of api_secret
• Security improvement: moved api-secret and JWT signing to a separate centralized security component and deletes api_secret from environment, so it's not accessible elsewhere
• Security improvement: Clients can now send the api_secret using SHA512
• Moved some server components away from project root to make it easier to see what code runs in server vs client
• Fixes some issues reported by linter