v2.14.2

[kOaDT]

Release Notes

Bug Fixes

• Fixed the NEXT_PUBLIC_ environment variable leak challenge, which only worked in development mode. The payment secret is now forwarded via an X-Payment-Auth header so it survives SWC dead code elimination in production builds (npm start), restoring the intended challenge behavior. @kOaDT
• Made the padding oracle test deterministic by flipping the entire block, eliminating flaky runs. @kOaDT

Improvements

• Added server-side pagination to the SIEM log viewer for smoother navigation of large log volumes. @kOaDT
• Migrated application logging from console to Pino structured logging. @MDFarhan-1 Replace console.log with structured logging (Pino) #84
• Enhanced the welcome PR message with contribution stats, size labels, and CI information. @kOaDT
• Refactored authentication by replacing scattered manual checks with unified withAuth and withAdminAuth wrappers. @kOaDT Create reusable authentication middleware #81

Documentation

• Added a writeup for the NEXT_PUBLIC_ environment variable leak challenge. @kOaDT Add Missing Walkthrough for public-env-variable flag #59
• Updated the plaintext-password-in-logs writeup to reflect the Pino logging migration. @kOaDT
• Linked walkthroughSlug for the public-env and info-disclosure flags to streamline access to related walkthroughs. @kOaDT

Maintenance / Chore

• Bumped several GitHub Actions dependencies via Dependabot, including major updates to actions/github-script (7 → 9), actions/upload-artifact (4 → 7), actions/upload-pages-artifact (4 → 5), and docker/build-push-action (6 → 7), along with minor/patch updates to docker/login-action and cypress-io/github-action.

---

This discussion was created from the release v2.14.2.