Releases: accius/openhamclock

v15.7.3

17 Mar 14:07
08cd16f

What's Changed

  • fix: SETTINGS_SYNC crash and black screen on HTTP/LAN access by @ceotjoe in #764

Full Changelog: v15.7.1...v15.7.3


Docker image: ghcr.io/accius/openhamclock:15.7.3

docker pull ghcr.io/accius/openhamclock:15.7.3

v15.7.1

17 Mar 02:21
fbb5b9e

What's Changed

Full Changelog: v15.6.5...v15.7.1


Docker image: ghcr.io/accius/openhamclock:15.7.1

docker pull ghcr.io/accius/openhamclock:15.7.1

v15.6.5

16 Mar 19:36
69f7111

Changelog

All notable changes to OpenHamClock will be documented in this file.

📅 Schedule Change: Starting with v15.5.10, OpenHamClock moves to a weekly release cycle. Updates will ship on Tuesday nights (EST) — one release per week for better testing and stability.

[15.6.5] - 2026-03-09

Security

  • CORS lockdown: Replaced wildcard origin: true with explicit origin allowlist (localhost, openhamclock.com/app). Prevents malicious websites from accessing the API via the user's browser. Custom origins configurable via CORS_ORIGINS env var.
  • SSRF elimination: Custom DX cluster hosts are now DNS-resolved to IPv4, validated against private/reserved ranges, and the connection uses the validated IP (not hostname) to prevent DNS rebinding. IPv6 fallback removed to eliminate representation bypass attacks.
  • Rotator & QRZ auth: /api/rotator/turn, /api/rotator/stop, /api/qrz/configure, /api/qrz/remove now require API_WRITE_KEY authentication.
  • Trust proxy auto-detect: trust proxy enabled only on Railway (auto-detected), disabled on Pi/local installs to prevent rate-limit bypass via spoofed X-Forwarded-For headers. Override with TRUST_PROXY env var.
  • SSE connection limiter: Per-IP cap on concurrent SSE streams (default 10, configurable via MAX_SSE_PER_IP) to prevent resource exhaustion.
  • Telnet command injection: Control characters stripped from DX cluster login callsigns.
  • DOM XSS fixes: sanitizeColor() for N3FJP logged QSO line colors; esc() helper for APRS Newsfeed userscript.
  • ReDoS fix: Replaced /\d+$/ regex with substring() for IP anonymization.
  • URL encoding: encodeURIComponent() applied to callsign parameters in localhost fetch calls.
  • RBN callsign validation: Input sanitized and length-checked on /api/rbn/location/:callsign.
  • Health endpoint: Session details (partial IPs, user agents) gated behind API_WRITE_KEY auth.
  • Dockerfile: Application now runs as non-root user (nodejs, UID 1001).
  • Startup warning: Server prints visible warning when API_WRITE_KEY is not set.
  • Rig-bridge CORS: Restricted to explicit origin allowlist (was wildcard *).
  • Rig-bridge localhost binding: HTTP server binds to 127.0.0.1 by default (was 0.0.0.0).
  • Rig-bridge serial port validation: Paths validated against OS-specific patterns (COM*, /dev/tty*, /dev/cu.*).
  • Rig-bridge relay SSRF: Relay URL validated to reject private/reserved addresses.
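
The resolve-validate-connect sequence from the SSRF item above, as an added example (not OpenHamClock's own code). The function names, the blocklist contents and the injected `resolve4` callback (for instance `require('dns').promises.resolve4`) are assumptions; the project's actual range list is not shown in this changelog.

```javascript
// Added example. A common set of private/reserved IPv4 ranges (assumed list).
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.0.0.0', 24],
  ['192.168.0.0', 16], ['198.18.0.0', 15], ['224.0.0.0', 4], ['240.0.0.0', 4],
];

// Strict dotted-quad parse: four decimal octets, no leading zeros, no hex,
// no short forms. Returns an unsigned 32-bit number, or null.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(s));
  if (!m) return null;
  let n = 0;
  for (const part of m.slice(1)) {
    if (part.length > 1 && part[0] === '0') return null; // "010" could be read as octal
    const octet = Number(part);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Fails closed: anything that is not plain IPv4 (IPv6, hex, garbage) is blocked.
function isBlockedIPv4(ip) {
  const n = parseIPv4(ip);
  if (n === null) return true;
  return BLOCKED_V4.some(([base, bits]) => {
    const start = parseIPv4(base);
    return n >= start && n < start + 2 ** (32 - bits);
  });
}

// Resolves once, validates every A record, and returns the IP to dial.
// The caller connects to the returned IP, never to the hostname, so a second
// DNS answer cannot swap in an internal address after the check.
async function resolveForConnect(host, resolve4) {
  const addrs = parseIPv4(host) !== null ? [host] : await resolve4(host);
  if (!addrs.length) throw new Error(`no A records for ${host}`);
  const bad = addrs.find(isBlockedIPv4); // one internal record rejects the whole answer
  if (bad) throw new Error(`blocked address ${bad} for ${host}`);
  return addrs[0];
}
```

Pass the returned address to the socket call (for example `net.connect({ host: ip, port })`) and keep the hostname only for logging.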

Added

  • LMSAL solar image fallback: Three-source failover for solar imagery: SDO direct → LMSAL Sun Today (Lockheed Martin) → Helioviewer API. Independent of NASA Goddard infrastructure.
  • Lightning unit preferences: Proximity panel distances respect km/miles setting from allUnits.
  • DXCC entity selector: Browse/search DXCC entities to set DX target in Modern and Dockable layouts.
  • DX News text scale: Adjustable font size (0.7x–2.0x) with A-/A+ buttons. Persists in localStorage.
  • Layout lock border panel: Lock/unlock toggle in dedicated FlexLayout border tab (Dockable layout).
  • Rig-bridge multicast: WSJT-X relay supports UDP multicast for multi-app packet sharing.
  • Rig-bridge simulated radio: Mock plugin for testing without hardware (radio.type = "mock").
  • DX cluster TCP keepalive: Persistent telnet sessions use OS-level keepalive and auto-reconnect after 5 min silence.
  • DX cluster SSID: Callsign SSID (-56) appended automatically when not provided.

Fixed

  • Rotator enabled by default: .env.example had ROTATOR_PROVIDER=pstrotator_udp uncommented, causing fresh installs to send UDP to a hardcoded IP. All rotator lines now commented out.
  • Pi setup (armhf): NodeSource dropped 32-bit ARM support for Node 20+. Setup script now downloads armv7l binaries directly from nodejs.org with retry support.
  • Pi setup (electron): npm install --ignore-scripts prevents electron-winstaller postinstall failures on ARM. ELECTRON_SKIP_BINARY_DOWNLOAD=1 skips useless Electron download. npm prune --omit=dev frees ~500MB after build.

[15.5.10] - 2026-02-20

Fixed

  • Log flooding — 115K dropped messages in 30 minutes: Six hot-path loggers (RBN spot responses, callsign mismatch warnings, WSPR heatmap, PSK-MQTT SSE connect/disconnect) were writing directly to console.log on every request instead of going through the log level system. All moved behind logDebug/logInfo/logErrorOnce. Added global token-bucket rate limiter (burst 20, refill 10/sec) as a safety net — excess logs silently dropped with 60-second summary.
  • Moon Image retry storm: When NASA Dial-A-Moon API was down, every client request triggered a fresh fetch attempt. Added 5-minute negative cache — stale Moon images served during outages instead of returning errors.
  • RBN callsign lookup storm: When QRZ/HamQTH was down, every uncached skimmer callsign triggered a failed lookup on every spot cycle. Failed lookups now cached for 10 minutes with automatic expiry.
  • Header vertical centering: Text in header bar (callsign, clocks, solar stats, buttons) was misaligned after layout changes. Fixed with alignItems: 'center' on stats and buttons rows, lineHeight: 1 on large text spans, boxSizing: border-box, and auto grid row height.
  • TLE data failures: CelesTrak rate-limited/banned the cloud server IP from excessive TLE polling. See "TLE Multi-Source Failover" below.

Added

  • TLE multi-source failover: Satellite TLE data now automatically fails over across three sources: CelesTrak → CelesTrak legacy (.com) → AMSAT. Rate limit responses (429/403) trigger immediate failover. Cache extended 6h → 12h. Stale TLEs served up to 48 hours. 30-minute negative cache prevents hammering. TLE_SOURCES env var for self-hosters to reorder sources.
  • Ultrawide monitor layout: Sidebars scale proportionally with viewport using clamp() (left: 260–480px, right: 280–500px). On 2560px displays, sidebars grow to ~960px combined instead of being capped at 660px. Panel height caps removed — DXpeditions, POTA, Contests flex to fill space.
  • Mobile single-module scroll: Mobile layout (<768px) rebuilt with full-width cards, 60vh map, scroll-snap momentum, and proper vertical stacking order.
  • Russian translation (Русский 🇷🇺) — 379 keys, 100% coverage
  • Georgian translation (ქართული 🇬🇪) — 379 keys, 100% coverage
  • 13 languages total: en, de, es, fr, it, ja, ko, ms, nl, pt, sl, ru, ka — all at 100%
  • Global log rate limiter: Token bucket wraps console.log/warn/error to prevent Railway/cloud log pipeline floods regardless of source. Burst of 20, refill 10/sec, 60-second drop summary.
  • WhatsNew notice banner: Release announcements can now include a highlighted notice bar (used for the Tuesday schedule announcement).
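
The token-bucket log limiter described in the Fixed and Added items above, as an added example (not OpenHamClock's own code). Burst 20, refill 10/sec and the 60-second summary come from the changelog; the class name, the injected clock and the sink callback are assumptions.

```javascript
// Added example. `now` and `sink` are injectable so the behaviour can be
// checked with a fake clock instead of waiting in real time.
class LogLimiter {
  constructor({ burst = 20, refillPerSec = 10, summaryMs = 60000,
                now = Date.now, sink = console.log } = {}) {
    Object.assign(this, { burst, refillPerSec, summaryMs, now, sink });
    this.tokens = burst;   // bucket starts full
    this.last = now();     // time of the last refill
    this.dropped = 0;      // messages dropped since the last summary
    this.windowStart = 0;  // time of the first drop in the current window
  }

  // Returns true if the message was written, false if it was dropped.
  log(...args) {
    const t = this.now();
    const refill = ((t - this.last) / 1000) * this.refillPerSec;
    this.tokens = Math.min(this.burst, this.tokens + refill);
    this.last = t;

    // The summary line bypasses the bucket: at most one per summaryMs.
    if (this.dropped > 0 && t - this.windowStart >= this.summaryMs) {
      this.sink(`[log-limiter] dropped ${this.dropped} messages`);
      this.dropped = 0;
    }
    if (this.tokens >= 1) {
      this.tokens -= 1;
      this.sink(...args);
      return true;
    }
    if (this.dropped === 0) this.windowStart = t;
    this.dropped += 1;
    return false;
  }
}
```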

[15.5.9] - 2026-02-20

Added

  • APRS-IS live tracking: Full APRS integration via server-side APRS-IS connection (rotate.aprs2.net). Stations parsed in real-time with position, course, speed, altitude, and symbol. Watchlist groups for EmComm nets, ARES/RACES events, Field Day tracking.
  • Wildfire map layer: Active wildfires worldwide via NASA EONET satellite detection. Markers with severity indicators under new Natural Hazards category.
  • Floods & Storms map layer: Active floods and severe storms worldwide via NASA EONET. Grouped under Natural Hazards in Settings.
  • PSKReporter TX/RX split view: Separate "Being Heard" and "Hearing" tabs with per-direction counts, replacing combined view.
  • Map layers categorized & sorted: Settings groups layers by category (📡 Propagation, 📻 Amateur Radio, 🌤️ Weather, ☀️ Space Weather, ⚠️ Natural Hazards, 🪨 Geology, 🗺️ Overlays) with alphabetical sorting within each.
  • 100% translation coverage — all 11 languages: Every string fully translated. Previously 45–61% coverage with 292 missing keys total.

Fixed

  • Duplicate WSJT-X/PSK spots (#396): Content-based dedup IDs replace timestamp-based. QSO logging checks call+freq+mode within 60s. MQTT ingestion deduplicates before buffering.
  • Windows update mechanism: Git operations use proper path resolution and restart handles Windows process semantics.
  • DX Cluster time display: Spot timestamps now show relative time ("5m ago") with original UTC in parentheses.

[15.5.8] - 2026-02-19

Fixed

  • Memory leaks — three unbounded caches: Propagation heatmap (200-entry cap, 10-min purge), custom DX sessions (15-min reap), DX path cache (100-key cap, 5-min cleanup).
  • Merge conflict cleanup: Duplicate zoom buttons, triplicated switch/case blocks, duplicate variable declarations, broken cache check.

Added

  • Live NASA Moon imagery: Dial-A-Moon 730×730 JPG with 1-hour server-side cache replaces static SVG.
  • Map legend & band colors restored: Clickable band color legend, rotator bearing line, satellite tracks, My Spots markers.

[15.5.7] - 2026-02-19

Added

  • Settings export filenames include time: e.g. hamclock-current-2026-02-19-143022.json — multiple exports no longer overwrite.

[15.5.6] - 2026-02-19

Fixed

  • Draggable panel disappear bug: Stale mousemove/mouseup listeners from layout switches teleported panels off-screen. Fixed with AbortController cleanup.
  • Portable callsign location: PJ2/W9WI, DL/W1ABC now resolve to correct DXCC entity via new extractOperatingPrefix().
  • Rig control CW mode: Band plan JSON now labels CW segments correctly. Rewritten mapModeToRig() for proper CW/SSB/DATA switching.
  • Rig Listener FT-DX10 & Windows serial: DTR assertion fix for CP210x adapters, npm path resolution on Windows.
  • Emoji icons on Linux: Proper emoji font-family CSS stack, auto-installed fonts-noto-color-emoji in Pi setup.

Added

  • Satellite info minimize button: Collapse floa...