Release 2.35.0 (#4072)

## Release Notes Thanks to: @angeldeejay, @in-voker, @JHWelch, @khassel, @KristjanESPERANTO, @rejas, @sdetweil > ⚠️ This release needs nodejs version >=22.21.1 <23 || >=24 (no change to previous release) [Compare to previous Release v2.34.0](https://github.com/MagicMirrorOrg/MagicMirror/compare/v2.34.0...v2.25.0) > ⚠️ We introduced some internal changes with this release, please read [this forum post](https://forum.magicmirror.builders/topic/20138/upcoming-release-april-1-2026-breaking-changes-some-operational-changes) before upgrading! ### [core] - Prepare Release 2.35.0 (#4071) - docs: add security policy and vulnerability reporting guidelines (#4069) - refactor: simplify internal `require()` calls (#4056) - allow environment variables in cors urls (#4033) - fix cors proxy getting binary data (e.g. png, webp) (#4030) - fix: correct secret redaction and optimize loadConfig (#4031) - change loading config.js, allow variables in config.js and try to protect sensitive data (#4029) - remove kioskmode (#4027) - Add dark theme logo (#4026) - move custom.css from css to config (#4020) - move default modules from /modules/default to /defaultmodules (#4019) - update node versions in workflows (#4018) - [core] refactor: extract and centralize HTTP fetcher (#4016) - fix systeminformation not displaying electron version (#4012) - Update node-ical and support it's rrule-temporal changes (#4010) - Change default start scripts from X11 to Wayland (#4011) - refactor: unify favicon for index.html and Electron (#4006) - [core] run systeminformation in subprocess so the info is always displayed (#4002) - set next release dev number (#4000) ### [dependencies] - update dependencies (#4068) - update dependencies incl. electron to v41 (#4058) - chore: upgrade ESLint to v10 and fix newly surfaced issues (#4057) - chore: update ESLint and plugins, simplify config, apply new rules (#4052) - chore: update dependencies + add exports, files, and sideEffects fields to package.json (#4040) - [core] refactor: enable ESLint rule require-await and handle detected issues (#4038) - Update node-ical and other deps (#4025) - chore: update dependencies (#4021) - chore(eslint): migrate from eslint-plugin-vitest to @vitest/eslint-plugin and run rules only on test files (#4014) - Update deps as requested by dependabot (#4008) - update Collaboration.md and dependencies (#4001) ### [logging] - refactor: further logger clean-up (#4050) - Fix Node.js v25 logging prefix and modernize logger (#4049) ### [modules/calendar] - fix(calendar): make showEnd behavior more consistent across time formats (#4059) - test(calendar): fix hardcoded date in event shape test (#4055) - [calendar] refactor: delegate event expansion to node-ical's expandRecurringEvent (#4047) - calendar.js: remove useless hasCalendarURL function (#4028) - fix(calendar): update to node-ical 0.23.1 and fix full-day recurrence lookup (#4013) - fix(calendar): correct day-of-week for full-day recurring events across all timezones (#4004) ### [modules/newsfeed] - fix(newsfeed): fix full article view and add framing check (#4039) - [newsfeed] refactor: migrate to centralized HTTPFetcher (#4023) ### [modules/weather] - fix(weather): fix openmeteo forecast stuck in the past (#4064) - fix(weather): fix weathergov forecast day labels off by one (#4065) - weather: fixes for templates (#4054) - weather: add possibility to override njk's and css (#4051) - Use getDateString in openmeteo (#4046) - [weather] refactor: migrate to server-side providers with centralized HTTPFetcher (#4032) - [weather] feat: add Weather API Provider (#4036) ### [testing] - chore: remove obsolete Jest config and unit test global setup (#4044) - replace template_spec test with config_variables test (#4034) - refactor(clientonly): modernize code structure and add comprehensive tests (#4022) - Switch to undici Agent for HTTPS requests (#4015) - chore: migrate CI workflows to ubuntu-slim for faster startup times (#4007) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com> Co-authored-by: Bugsounet - Cédric <github@bugsounet.fr> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: sam detweiler <sdetweil@gmail.com> Co-authored-by: Veeck <github@veeck.de> Co-authored-by: veeck <gitkraken@veeck.de> Co-authored-by: Magnus <34011212+MagMar94@users.noreply.github.com> Co-authored-by: Ikko Eltociear Ashimine <eltociear@gmail.com> Co-authored-by: DevIncomin <56730075+Developer-Incoming@users.noreply.github.com> Co-authored-by: Nathan <n8nyoung@gmail.com> Co-authored-by: mixasgr <mixasgr@users.noreply.github.com> Co-authored-by: Savvas Adamtziloglou <savvas-gr@greeklug.gr> Co-authored-by: Konstantinos <geraki@gmail.com> Co-authored-by: OWL4C <124401812+OWL4C@users.noreply.github.com> Co-authored-by: BugHaver <43462320+bughaver@users.noreply.github.com> Co-authored-by: BugHaver <43462320+lsaadeh@users.noreply.github.com> Co-authored-by: Koen Konst <koenspero@gmail.com> Co-authored-by: Koen Konst <c.h.konst@avisi.nl> Co-authored-by: dathbe <github@beffa.us> Co-authored-by: Marcel <m-idler@users.noreply.github.com> Co-authored-by: Kevin G. <crazylegstoo@gmail.com> Co-authored-by: Jboucly <33218155+jboucly@users.noreply.github.com> Co-authored-by: Jboucly <contact@jboucly.fr> Co-authored-by: Jarno <54169345+jarnoml@users.noreply.github.com> Co-authored-by: Jordan Welch <JordanHWelch@gmail.com> Co-authored-by: Blackspirits <blackspirits@gmail.com> Co-authored-by: Samed Ozdemir <samed@xsor.io> Co-authored-by: in-voker <58696565+in-voker@users.noreply.github.com> Co-authored-by: Andrés Vanegas Jiménez <142350+angeldeejay@users.noreply.github.com>
2026-06-04 10:19:29 +00:00 · 2026-04-01 12:35:16 +02:00
parent b742e839be
commit d05ea751d9
294 changed files with 35941 additions and 10259 deletions
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -0,0 +1,31 @@
+# Security Policy
+
+## Scope and Deployment
+
+MagicMirror is primarily intended for trusted local/private network environments.
+Direct public exposure to the internet or other untrusted networks is not recommended.
+
+We take security seriously and encourage responsible disclosure of vulnerabilities to help us improve the software.
+
+## Reporting a Vulnerability
+
+**Please keep vulnerability details private** — do not post them in public GitHub issues.
+
+Instead, reach out privately via the MagicMirror forum to one of the core developers:
+
+- [rejas](https://forum.magicmirror.builders/user/rejas)
+- [karsten13](https://forum.magicmirror.builders/user/karsten13)
+- [sdetweil](https://forum.magicmirror.builders/user/sdetweil)
+- [Kristjan](https://forum.magicmirror.builders/user/kristjanesperanto)
+
+Please include, if possible:
+
+- Affected version(s)
+- Reproduction steps or proof-of-concept
+- What could an attacker do with this?
+- Any ideas how to fix it?
+
+## Coordinated Disclosure
+
+We will keep reported vulnerabilities private until a fix is available and coordinate the disclosure timeline with you.
+We aim to respond as quickly as possible.
--- a/.github/workflows/automated-tests.yaml
+++ b/.github/workflows/automated-tests.yaml
@@ -18,7 +18,7 @@ concurrency:

 jobs:
  code-style-check:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    timeout-minutes: 15
    steps:
      - name: "Checkout code"
@@ -42,7 +42,7 @@ jobs:
    timeout-minutes: 30
    strategy:
      matrix:
-        node-version: [22.21.1, 22.x, 24.x]
+        node-version: [22.x, 24.x, 25.x]
    steps:
      - name: Install electron dependencies and labwc
        run: |
@@ -69,7 +69,7 @@ jobs:
          sudo chmod 4755 ./node_modules/electron/dist/chrome-sandbox
          # Start labwc
          WLR_BACKENDS=headless WLR_LIBINPUT_NO_DEVICES=1 WLR_RENDERER=pixman labwc &
-          touch css/custom.css
+          touch config/custom.css
      - name: "Run tests"
        run: |
          export WAYLAND_DISPLAY=wayland-0
--- a/.github/workflows/dep-review.yaml
+++ b/.github/workflows/dep-review.yaml
@@ -10,7 +10,7 @@ permissions:

 jobs:
  dependency-review:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v6
--- a/.github/workflows/electron-rebuild.yaml
+++ b/.github/workflows/electron-rebuild.yaml
@@ -5,10 +5,10 @@ on: [pull_request]
 jobs:
  rebuild:
    name: Run electron-rebuild
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    strategy:
      matrix:
-        node-version: [22.21.1, 22.x, 24.x]
+        node-version: [22.x, 24.x, 25.x]
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
--- a/.github/workflows/enforce-pullrequest-rules.yaml
+++ b/.github/workflows/enforce-pullrequest-rules.yaml
@@ -12,7 +12,7 @@ on:

 jobs:
  check:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    if: github.event_name == 'pull_request'
    timeout-minutes: 10
    steps:
--- a/.github/workflows/release-notes.yaml
+++ b/.github/workflows/release-notes.yaml
@@ -15,7 +15,7 @@ concurrency:

 jobs:
  release-notes:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    timeout-minutes: 15
    steps:
      - name: "Checkout code"
--- a/.github/workflows/spellcheck.yaml
+++ b/.github/workflows/spellcheck.yaml
@@ -12,7 +12,7 @@ permissions:

 jobs:
  spellcheck:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -10,7 +10,7 @@ permissions:

 jobs:
  stale:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    steps:
      - uses: actions/stale@v10
        with: