Happy New Year everyone! 2021 is finally here 🎉
As you are probably aware, we were recently made aware of security issues in several popular custom integrations. You can read more about that here:
In light of these incidents, starting with the Home Assistant 2021.2.0 beta that was just released, we are changing two things that will affect custom integrations.
The sanitize_path helpers located in the homeassistant.utils package have been deprecated and are pending removal. This will happen with the release of Home Assistant 2021.4.0 scheduled for the first week of April this year.
We have added raise_if_invalid_path as replacement. They are located in the same homeassistant.utils package. These new functions will raise a ValueError instead of relying on the developer comparing the output of the function to the input to see if it is different. This will prevent misuse.
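The difference between the two styles, as an added example that is not Home Assistant's own code: the two `*_standin` functions, the regex rule and the `/config/www/` base are simplified assumptions made for illustration, and the sample inputs are constructed.

```python
import re

# Assumed rule for this example only: "~" and runs of two or more dots are unsafe.
UNSAFE = re.compile(r"~|\.\.+")
BASE = "/config/www/"  # constructed base directory


def sanitize_path_standin(path: str) -> str:
    """Deprecated style: return a cleaned copy and leave the check to the caller."""
    return UNSAFE.sub("", path)


def raise_if_invalid_path_standin(path: str) -> None:
    """Replacement style: reject the input, so there is no comparison to forget."""
    if UNSAFE.sub("", path) != path:
        raise ValueError(f"{path!r} is not a safe path")


def resolve_misused(user_path: str) -> str:
    # Misuse: the cleaned value is used directly and never compared to the
    # input, so a bad request is silently rewritten instead of refused.
    return BASE + sanitize_path_standin(user_path)


def resolve_checked(user_path: str) -> str:
    # The validator raises before the path is ever built.
    raise_if_invalid_path_standin(user_path)
    return BASE + user_path


def outcome(resolver, user_path: str) -> str:
    """Return the resolved path, or 'rejected' if the resolver raised."""
    try:
        return resolver(user_path)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("logo.png", "../../secrets.yaml", "~/notes.txt"):
        print(sample, "|", outcome(resolve_misused, sample),
              "|", outcome(resolve_checked, sample))
```

With the misused sanitizer the bad inputs are served under a path the caller never asked for; with the raising validator they are refused before any path is built.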
The second change is pretty cool! Versions!
The manifest.json file now has added support for a version key. The version should be a string with a major, minor and patch version. For example,
This version will help users tell you which version they had issues with. And if you ever find a security issue with your custom integration, Home Assistant will be able to block insecure versions from being used.
The version key will be required in a future version of Home Assistant.
hassfest is our internal tool that is used in Home Assistant to validate all integrations. In April we made this available as a GitHub Action to help you find issues in your custom integration. This action can be used in any custom integration hosted on GitHub. If you have not added that to your repository yet, now is the time! Read more about that here.
If you are using the hassfest GitHub action, you will now start to see warnings when it runs if you are missing the version key in your manifest.json file. This warning will become an error at a later point when the version key becomes fully required for custom integrations.
Making resources available to the user is a common use case for custom integrations, whether that is images, panels, or enhancements the user can use in Lovelace. The only way one should serve static files from a path is to use hass.http.register_static_path. Use this method and avoid writing your own, as that can lead to serious bugs or security issues.
That's it for this update about custom integrations. Keep doing awesome stuff! Until next time 👋