chore(deps): update binwiederhier/ntfy docker tag to v2.24.0

[renovate]

This PR contains the following updates:

Package	Update	Change
binwiederhier/ntfy (source)	minor	v2.22.0 → v2.24.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

binwiederhier/ntfy (binwiederhier/ntfy)

v2.24.0

Compare Source

The main feature for this release is an in-memory ACL cache (auth-access-cache) that can help bring down the read load on the production database. The topic authorization queries are consistently the highest ranking queries on the database, so this will help quite a bit. The current database load is quite low, but I'm expecting it to increase as more users join and use ntfy.

Security issues:

• Fix case-insensitive ACL topic matching on SQLite: an access control rule for secret no longer also matches a request for SECRET. SQLite's LIKE is case-insensitive for ASCII by default. PostgreSQL was unaffected. It's honestly incredible that this issue remained undetected for so long, especially while ntfy.sh was running on SQLite (it now runs on PostgreSQL).

Features:

• Add opt-in in-memory ACL cache (auth-access-cache) that serves topic authorization without a database round-trip; off by default, intended for high-volume servers
• Add ntfy --version flag to the CLI (#​1722, #​1748, thanks to @​sskender for the contribution, and @​Saucy9607 for reporting)

Bug fixes + maintenance:

• Extend account token automatically from the PWA service worker, so installed PWAs don't get logged out (#​1669, #​1203, #​1533, thanks to @​nihalgonsalves for the contribution)
• Fix rel attribute on auto-linked notification URLs so noreferrer/noopener are actually applied (#​1720, thanks to @​dmitrylyzo for the contribution)
• Add systemd sandboxing/hardening to the ntfy.service unit (#​1467, thanks to @​Velocifyer for the contribution)
• Fix cmd package build on macOS (darwin) so the server compiles from source (#​1631, #​1696, thanks to @​ShipItAndPray for the contribution, and @​XYenon for reporting)

v2.23.0

Compare Source

Features:

• Add per-visitor rate limit on new topic creations (visitor-topic-creation-limit-burst / visitor-topic-creation-limit-replenish, defaults 100 burst / 1m replenish) to mitigate topic-enumeration / squatting attacks that inflate the in-memory topic map

Bug fixes + maintenance:

• Remove stacktrace-js, stacktrace-gps, humanize-duration, and js-base64 from the web app to reduce dependency and security footprint
• Restrict the publish dialog's local file preview to safe image types (png/jpg/gif/webp) to prevent same-origin script execution from blob URLs when previewing a crafted SVG (GHSA-j8hr-p342-xrmh, thanks to @​Venukamatchi for reporting)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.