BrewTestBot (Member)

Created with brew bump-formula-pr.

release notes
> Someone has to make an effort at reconciliation if these conflicts are ever going to end.

In this release, we finally fix the odd number of CPU cores bug, pave the way for lighter weight challenges, make Anubis more adaptable, and more.

Big ticket items

Proof of React challenge

A new "proof of React" has been added. It runs a simple app in React that has several chained hooks. It is much more lightweight than the proof of work check.

Smaller features

  • The segments function was added for splitting a path into its slash-separated segments.
  • Added possibility to disable HTTP keep-alive to support backends not properly handling it.
  • When issuing a challenge, Anubis stores information about that challenge into the store. That stored information is later used to validate challenge responses. This works around nondeterminism in bot rules. (#917)
  • One of the biggest sources of lag in Firefox has been eliminated: the use of WebCrypto. Now whenever Anubis detects the client is using Firefox (or Pale Moon), it will swap over to a pure-JS implementation of SHA-256 for speed.
  • Proof of work solving has had a complete overhaul and rethink based on feedback from browser engine developers, frontend experts, and overall performance profiling.
  • Optimize the performance of the pure-JS Anubis solver.
  • Web Workers are stored as dedicated JavaScript files in static/js/workers/*.mjs.
  • Pave the way for non-SHA256 solver methods and eventually one that uses WebAssembly (or WebAssembly code compiled to JS for those that disable WebAssembly).
  • Legacy JavaScript code has been eliminated.
  • When parsing Open Graph tags, add any URLs found in the responses to a temporary "allow cache" so that social preview images work.
  • The hard dependency on WebCrypto has been removed, allowing a proof of work challenge to work over plain (unencrypted) HTTP.
  • The Anubis version number is put in the footer of every page.
  • Add a default block rule for Huawei Cloud.
  • Add a default block rule for Alibaba Cloud.
  • Added support to use Traefik forwardAuth middleware.
  • Add X-Request-URI support so that Subrequest Authentication has path support.

Fixes

Odd numbers of CPU cores are properly supported

Some phones have an odd number of CPU cores. This caused interesting issues. This was fixed by using Math.trunc to convert the number of CPU cores back into an integer.

Smaller fixes

  • A standard library HTTP server log message about HTTP pipelining not working has been filtered out of Anubis' logs. There is no action that can be taken about it.
  • Added a missing link to the Caddy installation environment in the installation documentation.
  • Downstream consumers can change the default log/slog#Logger instance that Anubis uses by setting opts.Logger to your slog instance of choice (#864).
  • The Thoth client is now public in the repo instead of being an internal package.
  • Custom-AsyncHttpClient's default User-Agent has an increased weight by default (#852).
  • Add option for replacing the default explanation text with a custom one (#747)
  • The contact email in the LibreJS header has been changed.
  • Firefox for Android support has been fixed by embedding the challenge ID into the pass-challenge route. This also fixes some inconsistent issues with other mobile browsers.
  • The default favicon pattern in data/common/keep-internet-working.yaml has been updated to permit requests for png/gif/jpg/svg files as well as ico.
  • The --cookie-prefix flag has been fixed so that it is fully respected.
  • The default patterns in data/common/keep-internet-working.yaml have been updated to appropriately escape the '.' character in the regular expression patterns.
  • Add optional restrictions for JWT based on the value of a header (#697)
  • The word "hack" has been removed from the translation strings for Anubis due to incidents involving people misunderstanding that word and sending particularly horrible things to the project lead over email.
  • Bump AI-robots.txt to version 1.39
  • Inject adversarial input to break AI coding assistants.
  • Add better logging when using Subrequest Authentication.

Security-relevant changes

  • Add a server-side check for the meta-refresh challenge that makes sure clients have waited for at least 95% of the time that they should.

Fix potential double-spend for challenges

Anubis operates by issuing a challenge and having the client present a solution for that challenge. Challenges are identified by a unique UUID, which is stored in the database.

The problem is that a challenge could potentially be used twice by a dedicated attacker making a targeted attack against Anubis. Challenge records did not have a "spent" or "used" field. In total, a dedicated attacker could solve a challenge once and reuse that solution across multiple sessions in order to mint additional tokens.

This was fixed by adding a "spent" field to challenges in the data store. When a challenge is solved, that "spent" field gets set to true. If a future attempt to solve this challenge is observed, it gets rejected.

With the advent of store based challenge issuance in #749, this means that these challenge IDs are only good for 30 minutes. Websites using the most recent version of Anubis have limited exposure to this problem.

Websites using older versions of Anubis have a much more increased exposure to this problem and are encouraged to keep this software updated as often and as frequently as possible.

Thanks to @taviso for reporting this issue.

Breaking changes

  • The "slow" frontend solver has been removed in order to reduce maintenance burden. Any existing uses of it will still work, but issue a warning upon startup asking administrators to upgrade to the "fast" frontend solver.
  • The legacy JSON based policy file example has been removed and all documentation for how to write a policy file in JSON has been deleted. JSON based policy files will still work, but YAML is the superior option for Anubis configuration.

New Locales

What's Changed

New Contributors

Full Changelog: TecharoHQ/anubis@v1.21.3...v1.22.0

View the full release notes at https://github.com/TecharoHQ/anubis/releases/tag/v1.22.0.
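The double-spend fix described in the release notes above (a "spent" flag on each stored challenge, plus the 30-minute lifetime of store-issued challenge IDs) can be illustrated with a small in-memory store. This is an added example, not code from Anubis; the `Store`, `Issue` and `Redeem` names and the constructed challenge IDs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// challenge is one stored record; spent is the flag the fix adds.
type challenge struct {
	issuedAt time.Time
	spent    bool
}

// Store is a hypothetical in-memory challenge store keyed by challenge ID.
type Store struct {
	mu   sync.Mutex
	ttl  time.Duration
	byID map[string]*challenge
}

var (
	ErrUnknown = errors.New("unknown or expired challenge")
	ErrSpent   = errors.New("challenge already spent")
)

// NewStore creates a store whose challenges expire ttl after issuance.
func NewStore(ttl time.Duration) *Store {
	return &Store{ttl: ttl, byID: map[string]*challenge{}}
}

// Issue records a new challenge under id (a UUID in practice) at time now.
func (s *Store) Issue(id string, now time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byID[id] = &challenge{issuedAt: now}
}

// Redeem accepts a solved challenge exactly once. The lookup, the spent
// check and the flag update all happen under one lock, so two concurrent
// redemptions of the same ID cannot both succeed. Expired records are
// dropped rather than redeemed.
func (s *Store) Redeem(id string, now time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.byID[id]
	if !ok || now.Sub(c.issuedAt) > s.ttl {
		delete(s.byID, id)
		return ErrUnknown
	}
	if c.spent {
		return ErrSpent
	}
	c.spent = true
	return nil
}
```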


github-actions bot added the labels "go" (Go use is a significant feature of the PR or issue) and "bump-formula-pr" (PR was created using `brew bump-formula-pr`) on Sep 6, 2025.
@chenrui333 (Member)

need to generate the static/app.js

chenrui333 added the label "build failure" (CI fails while building the software) on Sep 6, 2025.