Releases: juice-shop/multi-juicer

v10.0.1

21 May 17:16
75b08c3

🔓 Security

  • Prevent possible Cross-site request forgery (CSRF) vulnerability in join endpoint which could be used to sign up people to your own team. @jub0bs #525

⚙️ Maintenance

  • Minor golang and npm dependency updates

Full Changelog: v10.0.0...v10.0.1

v10.0.0

13 May 07:41

🚀 Features

🌍 CTF Globe View (now official!)

The CTF / Risk style globe visualization that was previewed in v9.2.0 is now an official, first‑class part of MultiJuicer and linked from the navbar. The view is primarily meant for in-person events, shown on a projector / shared monitor. See walkthrough.md for a screenshot of it.

  • Countries are associated with a challenge. The team which first solves a challenge gets the country colored in with their team's pattern.
  • Country pattern reveal animation when challenges get solved, plus an automatic zoom + scroll/highlight to the country a team just solved
  • Auto‑rotation when the globe is idle, resetting roughly to the equator
  • Live activity sidebar with smooth entry animations and an increased feed cap (30 entries)

🤖 Native support for the Juice Shop v20 LLM challenges

  • All AI/LLM requests are now proxied through MultiJuicer, so the actual AI token is hidden from the individual Juice Shop instances. See the LLM setup guide for the new LLM gateway component and how to configure MultiJuicer & JuiceShop for
    proper support for the new LLM challenges.
  • JuiceShop v20 is now the default version used for MultiJuicer

🔔 Notifications & Events

  • System‑wide notifications are now also displayed inside the Juice Shop instances, not just in the MultiJuicer UI
  • Support for a Countdown / event end date, so teams can see how long is left in the CTF

🛠 Maintenance & internals

  • Consolidated MultiJuicer into a single Deployment. The previously separate progress-watchdog and cleaner containers have been folded into the main MultiJuicer binary. Neither supported horizontal scaling, and the progress-watchdog actually received webhooks — which made the multi‑deployment split
    awkward in practice. Background loops are now gated by Kubernetes leader election (Lease), so multi‑replica deployments don't duplicate work while every replica still serves user traffic and webhooks.
  • Renamed balancer → multi-juicer everywhere. With only one deployment left, "balancer" no longer described the whole thing. This touches the Deployment name, the public Service name, labels (app.kubernetes.io/name, component), the cookie name, the image
    (ghcr.io/juice-shop/multi-juicer/multi-juicer), and the Helm values layout: balancer.* keys are now top‑level (e.g. balancer.cookie.name → cookie.name, balancer.replicas → replicas).
  • The cluster‑internal service now listens on port 80 (with the quirky :8082 mapped behind it), so the Juice Shop pods no longer need to know about it
  • All HTTP metrics are now exported across every route (except /metrics and the healthchecks) with a type label, instead of only on a hand‑picked subset
  • Migrated balancer logging to slog for structured logs
  • Service and Secret cleanup is now done via Kubernetes ownerReferences, which simplifies team deletion and reduces the RBAC permissions MultiJuicer needs
  • Added a Semgrep integration in CI and resolved the (mostly false‑positive) findings
  • Logged‑out responses now include the Secure flag and a Clear-Site-Data header
  • npm installs in CI now set a minimum release age and skip install scripts by default, to mitigate some classes of supply‑chain attacks
  • Restructured the repo so build, lint, fmt and tests can be run consistently across all services; CI now fails when Go code isn't properly formatted/fixed
  • Dropped a (verbose) build‑and‑deploy shell script in favor of inline task definitions
  • Moved package.json to the top level and added JSON schema references so editors get autocompletion on config files
  • staticcheck now runs via go tool, so contributors no longer need a separate install and Dependabot can keep it current
  • Switched to the recommended Vite integration for the React Compiler; modernized the TypeScript config
  • Removed an old workaround for missing challenge icons — fixed upstream in Juice Shop
  • Tests now use a mocked clock instead of waiting on real timeouts/retries
  • Upgraded to Go 1.26 and Vite 8, plus the usual round of npm and Go dependency bumps
  • Consistently use docker.io/ prefixes for all Docker Hub sources
  • Fixed a Go sort comparator to follow the strict‑weak‑ordering contract

📚 Docs

  • New Contributing Guide with tooling references
  • New Customization Guide
  • Added user‑flow screenshots so people new to MultiJuicer can judge whether it fits their use case
  • Updated architecture and monitoring guides, including a regenerated high‑level architecture diagram reflecting the single‑deployment layout

⚠️ Upgrade notes

  • The balancer Deployment and Service have been renamed to multi-juicer, and the separate progress-watchdog / cleaner Deployments are gone. During the Helm upgrade, the old balancer Deployment will be deleted and a new multi-juicer Deployment created in its place.
  • If you wrote your own Ingress (or any other resource pointing at the Service), update the backend.service.name from balancer to multi-juicer. The bundled Helm Ingress template has been updated for you. The Service port is unchanged.
  • Helm values were restructured. If you had a custom values.yaml, move balancer.* keys to the top level: balancer.cookie.* → cookie.*, balancer.replicas → replicas, balancer.repository → repository, balancer.resources → resources, balancer.service.* → service.*,
    balancer.contentSecurityPolicy → contentSecurityPolicy, and so on. See the chart README for the new layout.
  • Team cookies will be invalidated. The default cookie name changed from balancer to multi-juicer, so existing users will need to log back into their teams once. If you want to keep users signed in across the upgrade, override cookie.name: balancer in your values.
  • Migrating Juice Shop owner references across the rename. Per‑team Juice Shop Deployments have always carried an ownerReference pointing at the balancer Deployment — that's what makes helm uninstall cascade‑delete all running team instances. Because v10 renames that Deployment, Kubernetes will GC every
    team's Juice Shop the moment Helm deletes the old balancer during the upgrade. In general we recommend a clean install: delete the Helm installation and recreate it. If you have Juice Shop instances that you have to preserve, strip the stale references before running helm upgrade, then re‑link them to the new multi-juicer Deployment after the upgrade finishes:
# 1. BEFORE `helm upgrade`: drop the references pointing at the old `balancer` Deployment
#    so cascade GC doesn't take the Juice Shops with it.
kubectl get deployments -l app.kubernetes.io/part-of=multi-juicer,app.kubernetes.io/name=juice-shop \
    -o name | xargs -I{} kubectl patch {} --type=json \
    -p='[{"op": "remove", "path": "/metadata/ownerReferences"}]'

# 2. Run `helm upgrade` as usual.

# 3. AFTER the upgrade: re-attach each Juice Shop Deployment to the new `multi-juicer`
#    Deployment so future `helm uninstall`s clean them up correctly.
MJ_UID=$(kubectl get deployment multi-juicer -o jsonpath='{.metadata.uid}')
for d in $(kubectl get deployments -l app.kubernetes.io/part-of=multi-juicer,app.kubernetes.io/name=juice-shop -o name); do
    kubectl patch "$d" --type=merge -p "{\"metadata\":{\"ownerReferences\":[{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"name\":\"multi-juicer\",\"uid\":\"$MJ_UID\",\"controller\":true,\"blockOwnerDeletion\":true}]}}"
done

Juice Shop instances created after the upgrade get the correct multi-juicer owner reference automatically — this migration is only needed once, for instances that were already running.

  • Service/Secret cleanup moved to ownerReferences — if you run with a tightly scoped RBAC policy, you can drop the now‑unused delete permissions. If you are upgrading from an older version the services or instances created by MultiJuicer v9 or earlier will not be automatically cleaned up, only the deployments.
    You can delete the services by hand if you no longer need them.
  • Prometheus metrics are now served from the more standard /metrics path instead of /balancer/metrics. If you are using the ServiceMonitor included in the Helm chart, it has been updated for you. If you had something else pointed at /balancer/metrics, you'll need to adjust it.
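
For the owner reference migration in the upgrade notes above, a check that can be run after step 1 and again after step 3 to confirm no Juice Shop Deployment is left exposed to cascade deletion. This is an added example, not part of the MultiJuicer project; the function names, status labels and the sample team names and UIDs are assumptions made for illustration.

```bash
# Added example, not from the MultiJuicer release notes.
SELECTOR='app.kubernetes.io/part-of=multi-juicer,app.kubernetes.io/name=juice-shop'

# One line per Juice Shop Deployment: name<TAB>owner name(s)<TAB>owner UID(s)
list_owner_refs() {
    kubectl get deployments -l "$SELECTOR" \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.ownerReferences[*].name}{"\t"}{.metadata.ownerReferences[*].uid}{"\n"}{end}'
}

# classify_owner_refs <pre|post> [expected_uid]   (reads list_owner_refs output on stdin)
#   pre:  run after step 1; any remaining ownerReference would still trigger GC.
#   post: run after step 3; the owner must be multi-juicer with the new Deployment's UID.
# Returns non-zero if at least one Deployment is not in the expected state.
classify_owner_refs() {
    awk -F'\t' -v phase="$1" -v uid="$2" '
        NF == 0 { next }
        {
            name = $1; owner = $2; ouid = $3; status = "OK"
            if (phase == "pre" && owner != "")
                status = "AT_RISK still owned by " owner
            else if (phase == "post" && owner == "")
                status = "ORPHAN no ownerReference"
            else if (phase == "post" && (owner != "multi-juicer" || ouid != uid))
                status = "STALE owner=" owner " uid=" ouid
            if (status != "OK") bad++
            print name ": " status
        }
        END { exit (bad > 0) }'
}

# Constructed sample of list_owner_refs output (team names and UIDs are made up).
SAMPLE=$(printf '%s\t%s\t%s\n' \
    juice-shop-team-a balancer     1111-old \
    juice-shop-team-b ""           "" \
    juice-shop-team-c multi-juicer 2222-new)

# Usage against a live cluster: pass "pre" or "post" as the first argument.
case "${1:-}" in
    pre)  list_owner_refs | classify_owner_refs pre ;;
    post) list_owner_refs | classify_owner_refs post \
              "$(kubectl get deployment multi-juicer -o jsonpath='{.metadata.uid}')" ;;
esac
```

An ORPHAN result after the upgrade means the Deployment survived but will not be cleaned up by a later helm uninstall until step 3 is applied to it.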

Full Changelog: v9.2.0...v10.0.0

v10.0.0-rc.2

10 May 20:07
c8133b0

v10.0.0-rc.2 Pre-release

Second release candidate for MultiJuicer v10.
First one worked well, but made some additional changes since then that require additional testing.
The release candidate is primarily to test that the release / build process is still properly working after some codebase changes.

v10 brings some cool new features including the official release of the CTF Globe view and native support for JuiceShop v20 LLM challenges. More notes coming with the actual release.

If you want to install / test this version make sure to also use the upcoming JuiceShop image version:

helm install multi-juicer oci://ghcr.io/juice-shop/multi-juicer/helm/multi-juicer --version 10.0.0-rc.2 --set="config.juiceShop.tag=snapshot"

v10.0.0-rc.1

08 May 18:26
0aa5563

v10.0.0-rc.1 Pre-release

First (and hopefully only 🫰) release candidate for MultiJuicer v10.
Primarily to test that the release / build process is still properly working after some codebase changes.

v10 brings some cool new features including the official release of the CTF Globe view and native support for JuiceShop v20 LLM challenges. More notes coming with the actual release.

If you want to install / test this version make sure to also use the upcoming JuiceShop image version:

helm install multi-juicer oci://ghcr.io/juice-shop/multi-juicer/helm/multi-juicer --version 10.0.0-rc.1 --set="config.juiceShop.tag=snapshot"

v9.2.0

12 Feb 19:50
6f89c0e

What's Changed

🚀 Features

  • Added a new "System Wide Notification" system to post messages / notifications to all instances from the admin UI #251
  • Include team-creation in the activity timeline by @sawankshrma in #444
  • Add "reset team's passcode" button to admin page by @sawankshrma in #443
  • (Sneaky Preview 🤫) Added a (FB)CTF/Risk style visualization of challenges and their progress view. You can preview this feature under /balancer/ctf. This view is not finished yet and isn't linked to from the normal MultiJuicer UI. The full release for the CTF style view is planned for v10.0.0

🐛 Bug Fixes

  • Fixed issues with copy to clipboard silently failing when the clipboard API is unavailable in #439

Full Changelog: v9.1.0...v9.2.0

v9.1.0

25 Jan 21:15
dfcb90a

What's Changed

🚀 Features

  • Add Cheat Score History Graph Popup to Admin Page to view changes to Cheat Score over time by @sawankshrma in #434

🐛 Bug Fixes

  • Use Chart.AppVersion instead of Chart.Version for all image tags in helm templates to allow installation via Flux OCI Repositories by @kass-soptim in #437

Full Changelog: v9.0.0...v9.1.0

v9.0.0

22 Nov 17:39
5552104

🚀 Features

  • New and improved "Score Overview" including a Live Activity feed and an overview of which teams have solved any particular challenge. Thanks to @AyushRajSinghParihar for a lot of the groundwork for the new ScoreOverview
  • Length of the generated team passcodes is now configurable and defaults to 12 alphanumeric chars instead of 8. The passcode for the admin team now defaults to a length of 24 chars
  • Team Page now shows a "Join Link" which can be sent to team members to join more easily
  • MultiJuicer now has an updated page layout with a new navbar and better navigation
  • Added a default Content Security Policy (CSP), which can be modified via helm values in the case of (unforeseen) problems.
  • The current cheat score of the teams is now displayed on the admin page #252
  • Updated default Juice Shop version to v19.1.1

⚙️ Maintenance

  • Minor golang and npm dependency updates
  • Added SecComp Profiles and minor container image security / best practice improvements

Full Changelog: v8.3.0...v9.0.0

v8.3.0

17 Jun 07:57
2c61d60

🚀 Features

  • Updated default Juice Shop version to v18.0.0

⚙️ Maintenance

  • Minor golang and npm dependency updates

🐛 Bug Fixes

  • Correct load balancer target port in k8s guide by @kaitoz11 in #333

Full Changelog: v8.2.0...v8.3.0

v8.2.0

30 Apr 09:15

🚀 Features

  • Updated default Juice Shop version to v17.3.0

⚙️ Maintenance

  • Minor golang and npm dependency updates

Full Changelog: v8.1.0...v8.2.0

v8.1.0

15 Mar 18:57

🚀 Features

  • Updated default Juice Shop version to v17.2.0

⚙️ Maintenance

  • Minor golang and npm dependency updates

Full Changelog: v8.0.5...v8.1.0