v1.1.21 — 3DPrintForge Slicer Integration, Filament Overhaul, Security Hardening

SkyNett81
3DPrintForge developer

Three concurrent tracks in v1.1.21: a REST integration with our skynett81/OrcaSlicer fork, a top-to-bottom rewrite of the filament inventory experience (Storage tab, drag-and-drop, bulk-add), and a security audit that closed six CVE-class issues. Plus an i18n overhaul that fixed a broken-fallback pattern across 504 call sites, a tabbed Analytics dashboard, and 6 new database migrations.

3DPrintForge Slicer integration

3DPrintForge can now drive the skynett81/OrcaSlicer fork in REST service mode instead of spawning the slicer CLI per request. The fork hosts a small embedded HTTP service (cpp-httplib); 3DPrintForge probes it, mirrors profiles automatically, and routes slicing through it when available — falling back to the CLI bridge or native engine if not.

What you get:

  • Live status pill in the dashboard header
  • Slice models with live progress (stage, layer counter, percent) over Server-Sent Events
  • Slice-and-Send to printer in one click
  • Profile catalog mirrored automatically every 5 minutes
  • Cancel button mid-slice
  • Multi-extruder filament breakdown
  • Toast notifications on disconnect/reconnect
  • Outage notifications via the existing 7-channel notifier (Telegram, Discord, email, etc.)

Surface area:

  • 12 REST proxy endpoints under /api/slicer/forge/*
  • Settings card auto-mounts in Slicer Studio AND System → Integrations
  • Pterodactyl egg env vars (FORGE_SLICER_URL, FORGE_SLICER_TOKEN)
  • Docker Compose env var examples
  • Norwegian translations (27 keys) for the entire UI surface
  • Setup guide and full REST contract on the docs site

For fork-side dev:

  • tools/forge-slicer-mock.js — full Node implementation of the contract incl. SSE, so the integration can be tested end-to-end without waiting for a C++ build
  • website/docs/forge-slicer-cpp/ — Phase-1 cpp-httplib + nlohmann/json skeleton, CMakeLists fragment, step-by-step main_integration.md
  • 33 new tests covering probe + cache, multipart slice, SSE error handling, fallback chain, sync idempotency, and more

Security hardening

A focused security audit closed six issues this release:

| Severity | Issue | Fix |
|----------|-------|-----|
| CRITICAL | Path traversal in milestone file serving (CWE-22) | Boundary check on resolved path, plus 5 regression tests |
| HIGH | Settings export leaked all notification secrets (CWE-200) | Shared _maskNotificationSecrets() helper covers all 8 sensitive fields |
| HIGH | XSS via printer-supplied filenames (CWE-79) | Switched inline onclick= strings to dataset + delegated click handler |
| HIGH | SSRF in /api/spoolman/test (CWE-918) | New _isDangerousUrl() blocks link-local and non-HTTP schemes |
| MEDIUM | Slicer profile paths could escape profileDir (CWE-22) | pathResolve() + boundary validation |
| MEDIUM | Bearer token leaked from /api/slicer/forge/status | Masked to '***' with token_set: bool flag |
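
A boundary check of the kind named in the two CWE-22 rows above, as an added example that is not 3DPrintForge's own code. MILESTONE_DIR, weakInside and resolveInside are hypothetical names and the sample paths are constructed; the weak variant is a common mistake shown for contrast, not the project's pre-fix code.

```javascript
// Added example, not 3DPrintForge code. All names and paths are hypothetical.
const path = require('node:path').posix; // posix flavour: same results on any host

const MILESTONE_DIR = '/srv/forge/milestones';

// Common mistake, shown for contrast: a prefix test without a trailing separator.
function weakInside(baseDir, requested) {
  const target = path.resolve(baseDir, requested);
  return target.startsWith(baseDir) ? target : null;
}

// Boundary check on the resolved path. Call it on the already URL-decoded name;
// checking before decoding lets an encoded ../ through.
function resolveInside(baseDir, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) return null;
  const base = path.resolve(baseDir);
  const target = path.resolve(base, requested); // collapses ../ and absolute input
  // Require base + separator so a sibling such as milestones-old is not accepted.
  const prefix = base.endsWith(path.sep) ? base : base + path.sep;
  return target.startsWith(prefix) ? target : null;
}

// Constructed request values and what each check does with them.
const samples = [
  'print-42/layer-100.jpg',
  '../../etc/passwd',
  '/etc/passwd',
  '../milestones-old/a.jpg',
  'a/../../milestones/b.jpg',
];
for (const s of samples) {
  console.log(s.padEnd(28), '| weak:', weakInside(MILESTONE_DIR, s),
    '| hardened:', resolveInside(MILESTONE_DIR, s));
}
```

path.resolve() is purely lexical; if the served directory can contain symlinks, compare fs.realpath() results instead.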

The audit also confirmed clean state on hardcoded secrets (none), npm audit (0 vulnerabilities), SQL injection (all parameterized), and command injection in updater.js (semver regex prevents tag-string abuse).
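
A URL pre-check in the spirit of the /api/spoolman/test fix, limited to the two things these release notes name (non-HTTP schemes and link-local addresses). This is an added example, not the project's _isDangerousUrl(); isDangerousUrlExample and its helpers are hypothetical names and the URLs are constructed.

```javascript
// Added example, not 3DPrintForge code; all function names are hypothetical.

function isLinkLocalV4(host) {
  // 169.254.0.0/16, which includes the usual cloud metadata address.
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  return m !== null && m[1] === '169' && m[2] === '254';
}

function isLinkLocalV6(host) {
  // URL.hostname keeps the brackets around an IPv6 literal.
  if (!host.startsWith('[') || !host.endsWith(']')) return false;
  const addr = host.slice(1, -1).toLowerCase();
  // fe80::/10 means a first hextet from fe80 to febf.
  if (/^fe[89ab][0-9a-f]:/.test(addr)) return true;
  // IPv4-mapped link-local is serialised by the parser as ::ffff:a9fe:xxxx.
  return /^::ffff:a9fe:[0-9a-f]{1,4}$/.test(addr);
}

function isDangerousUrlExample(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return true; // unparseable input is refused
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return true;
  // Test the parsed hostname, not the raw string: the parser has already
  // normalised decimal and hex IPv4 spellings to dotted form.
  return isLinkLocalV4(url.hostname) || isLinkLocalV6(url.hostname);
}

// Constructed inputs. Private LAN addresses stay allowed here because the
// release notes only mention link-local and non-HTTP schemes.
const checks = [
  'http://192.168.1.50:8000/', 'https://spoolman.example.net/',
  'http://169.254.169.254/latest/meta-data/', 'http://2852039166/',
  'http://[fe80::1]/', 'http://[::ffff:169.254.169.254]/', 'file:///etc/passwd',
];
for (const u of checks) console.log(isDangerousUrlExample(u) ? 'BLOCK' : 'allow', u);
```

This inspects the literal host only; a hostname that resolves to a link-local address has to be caught where the connection is made.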

Filament inventory overhaul

Major UX rewrite:

  • Top-level Storage tab with location overview, drag-and-drop discoverability, first-time empty state
  • Drag spools to/from Active Filament slots in every view mode (was only grid + table). Clearer swap interaction when dragging onto an occupied slot. File-drop overlay no longer hijacks internal drags.
  • Bulk-add multiple spools with a prominent quantity field. "Add another" registers a second reel of the same filament without re-entering the metadata.
  • Spool detail view shows storage method, last dried timestamp, and tare weight
  • Stats / Storage / Database now show the full inventory, not just used spools. Stats auto-refreshes on tab switch with material reclassification. Usage Predictions surfaces both Total runway and per-material runway.
  • Visual — icons added to inventory tabs for faster scanning

Analytics dashboard

analytics-panel.js rewritten as a tabbed dashboard with auto-refresh and drill-downs across Overview, Statistics, Calendar, Filament, Cost, Waste, and Comparison views.

i18n — 504-site fix

window.t(key, varsOrFallback) previously short-circuited on missing keys (the function returned the truthy key string, so t('foo') || 'Default' never used the fallback — users saw the raw key like 📊analytics.tab_overview). 504 sites across 28 files used that pattern. The helper now accepts a string fallback as the second argument and all call sites have been migrated.

Database — six new migrations

  • v136-138 — color hex storage normalisation (drops the leading # so '#' + color_hex no longer produces ##8c8c8c)
  • v139 — comprehensive eSUN filament catalogue
  • v140 — ~80 missing profiles seeded across 10 vendors
  • v141 — material classification normalisation: product-line strings like "Rapid" or "PLA-Basic" roll to base materials (PLA / PETG / ABS / TPU) so Stats buckets correctly

Internal

  • CI tests: .github/workflows/test.yml runs npm test plus JSON validation for language files and the Pterodactyl egg on every push and PR to main
  • Test count — 762 tests pass (up from ~720 at v1.1.20)
  • Service-worker cache bumped to v196

Upgrade notes

If you set up the 3DPrintForge Slicer integration, see the setup guide for how to launch the fork in service mode and wire it up. The integration is opt-in — leaving FORGE_SLICER_URL blank disables it and slicing continues through the existing CLI bridge or native engine.

Restart your container (or run git pull && npm install) to pick up the fixes. For Pterodactyl users, the egg env vars are visible after the next panel-side egg refresh.