By Rox Team

Rox v2026.5.0 Released

Rox v2026.5.0 has been released! 🛡️

Rather than shipping new user-facing features, this update is themed around "safer, faster, more transparent", lifting the supply chain and runtime foundations that sit beneath Rox. With recent npm worm incidents and GitHub Actions compromises fresh in everyone's mind, we wanted to give operators running Rox a base they can trust.

Version Information

Component              Version
Rox (Project)          2026.5.0
Hono Rox (Backend)     1.6.0
Waku Rox (Frontend)    1.6.0
Shared                 1.6.0

Key Changes

1. 🛡️ Supply-Chain Hardening (Phase 1 + Phase 2)

We layered defenses on both sides of the build: the CI/CD pipeline that produces releases, and the release artifacts themselves.

CI/CD Hardening (Phase 1)

  • GitHub Actions pinned to commit SHA: Every Action used in our workflows — actions/checkout, oven-sh/setup-bun, and the rest — is now pinned to a commit SHA rather than a tag. This blocks the "tag silently re-pointed to something malicious" class of attacks.
  • Pinned Bun / Node versions: We dropped latest in favor of explicitly pinned Bun 1.3.14 and Node 24 (LTS).
  • bun install --frozen-lockfile everywhere: Enforced across CI so unexpected dependencies cannot slip in past the lockfile.
  • GITHUB_TOKEN reduced to least privilege: Default permissions are now contents: read; only the release / tag jobs opt in to write access.
  • Dependency Review job: Every PR is scanned for new dependencies and blocked on high-severity findings.
  • Dependabot enabled: Weekly updates for GitHub Actions (to keep pinned SHAs current) and for npm packages across root / backend / frontend / shared.
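
As an added illustration (not code from the Rox repository), here is a small stdlib-only Python audit that checks a workflow file for the settings above: SHA-pinned actions, pinned toolchain versions, a frozen lockfile, and a top-level least-privilege permissions block. The two workflow fragments and the 40-character PIN value are constructed placeholders, not real commits of either action.

```python
import re

# Line-oriented checks over a workflow file's text. YAML parsing is skipped on
# purpose so this runs with the standard library only.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
LATEST_RE = re.compile(r"(bun-version|node-version):\s*['\"]?latest['\"]?")
LOOSE_INSTALL_RE = re.compile(r"\bbun install\b(?![^\n]*--frozen-lockfile)")


def audit_workflow(text: str) -> list[str]:
    """Return findings for: SHA pins, pinned versions, frozen lockfile, token scope."""
    findings = []
    for name, ref in USES_RE.findall(text):
        if name.startswith("./"):  # local action in the same repo: nothing remote to pin
            continue
        if not SHA_RE.match(ref):  # a tag or branch can be re-pointed; a commit SHA cannot
            findings.append(f"unpinned action: {name}@{ref}")
    if LATEST_RE.search(text):
        findings.append("floating toolchain version: latest")
    if LOOSE_INSTALL_RE.search(text):
        findings.append("bun install without --frozen-lockfile")
    if not re.search(r"^permissions:", text, re.M):
        findings.append("no top-level permissions block; GITHUB_TOKEN keeps default scopes")
    return findings


# Constructed workflow fragments. PIN is a placeholder, not a real commit.
PIN = "0123456789abcdef0123456789abcdef01234567"
BEFORE = """\
steps:
  - uses: actions/checkout@v4
  - uses: oven-sh/setup-bun@v2
    with:
      bun-version: latest
  - run: bun install
"""
AFTER = f"""\
permissions:
  contents: read
steps:
  - uses: actions/checkout@{PIN} # v4
  - uses: oven-sh/setup-bun@{PIN} # v2
    with:
      bun-version: 1.3.14
  - run: bun install --frozen-lockfile
"""
```

Running `audit_workflow` over BEFORE yields five findings; over AFTER it yields none.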

Release Provenance (Phase 2)

  • Automatic SBOM (SPDX-JSON): Every release attaches a generated rox-<version>.spdx.json to its GitHub Release.
  • Build provenance attestation: Signed via Sigstore using GitHub OIDC (keyless), cryptographically attesting that the artifact was built from the Rox repository without tampering.

Anyone consuming a release can verify it came from the right place, built the right way:

gh attestation verify rox-2026.5.0.spdx.json --repo Love-Rox/rox

2. 🐰 Full Migration from better-sqlite3 to bun:sqlite

The backend's long-standing SQLite driver — the C++ native module better-sqlite3 — has been replaced with Bun's built-in bun:sqlite.

  • No more Node.js setup in CI: SQLite tests previously required a separate actions/setup-node step. That's gone.
  • Smaller native-build surface: We've removed the need for python / build-essential, along with the pre-built binaries and post-install scripts that are a frequent supply-chain attack surface.
  • Unified test runner: SQLite-related tests moved from vitest to bun:test, with all 28 tests passing. The backend now runs on a single Bun-native test runner.
  • Database files remain fully compatible: The on-disk SQLite format is unchanged, so existing databases keep working as-is.

better-sqlite3, @types/better-sqlite3, and vitest are all removed from the dependency tree, leaving a leaner, Bun-optimized configuration.

3. ⛩️ Tracking Waku 1.0.0-beta.0

We bumped Waku from ^1.0.0-alpha.6 to ^1.0.0-beta.0, and let bun update pull adjacent libraries forward at the same time:

  • Vite: 8.0.7 → 8.0.12
  • React: 19.2.4 → 19.2.6
  • React Aria Components: 1.16.0 → 1.17.0
  • Tailwind CSS: 4.2.2 → 4.3.0
  • Storybook: 10.3.4 → 10.3.6
  • Hono: 4.12.12 → 4.12.18
  • Zod: 4.3.6 → 4.4.3
  • BullMQ: 5.73.0 → 5.76.8

Major upgrades with breaking changes — TypeScript 6, Lingui 6, and similar — have been intentionally deferred to dedicated PRs and are not part of this release.

4. 🤖 Workflow and Documentation Refresh

We also tightened the development flow so contributors have fewer rules to memorize:

  • Unified issue-driven workflow: The release flow (dev → main, auto-tag, sync-dev) and the git workflow are now consolidated into github-workflow.md. The redundant .claude/rules/git-workflow.md has been removed.
  • Auto-close issues on PR merge: A new close-issues.yml workflow parses Closes #N / Fixes #N / Resolves #N from PR bodies and automatically closes the referenced issues with a comment when the PR merges into dev.

5. 🐛 Other Improvements

  • Incorporated CodeRabbit nitpick feedback to polish code quality around the release.
  • Unified the BUN_VERSION environment variable in the documentation workflow so Bun versions no longer need to be managed in two places.

How to Update

git pull origin main
bun install --frozen-lockfile

We recommend --frozen-lockfile locally as well, to keep lockfile drift visible.

🔍 Verifying a Release

Starting with this release, you can verify downloaded SBOM files against Sigstore-backed attestations:

# Download the SBOM attached to the release
gh release download v2026.5.0 -R Love-Rox/rox -p 'rox-2026.5.0.spdx.json'

# Verify provenance
gh attestation verify rox-2026.5.0.spdx.json --repo Love-Rox/rox

A successful verification cryptographically proves that the SBOM was built from a specific commit in Love-Rox/rox via GitHub Actions, with no tampering in between.

Looking Ahead

With this release, Rox levels up not just as software that runs, but as software you can confidently operate. With the foundations reinforced, the next cycle will shift focus back to user-facing features on top of this strengthened base.

Questions and feedback are always welcome on GitHub Issues.

The Love Rocks. Rox. 🚀