[feat] Upgrade to 4.2.1

.github/workflows/beta_release.yml

@@ -61,20 +61,45 @@ jobs:
     strategy:
       matrix:
         include:
-          - target: "!(*musl*|*windows-arm64*|*windows7-*|*android*|*freebsd*)" # xgo and loongarch
+          - target: "!(*musl*|*windows-arm64*|*windows7-*|*android*|*freebsd*)" # xgo and loongarch (exclude mips64le)
             hash: "md5"
-          - target: "linux-!(arm*)-musl*" #musl-not-arm
+            flags: ""
+            goflags: ""
+          - target: "linux-(mips|mips64|mipsle|mips64le|loong64)-musl*" # musl-compat-family
+            hash: "md5-linux-musl-mips"
+            flags: "-ldflags=-linkmode external -extldflags '-static -fpic'"
+            goflags: ""
+            musl_static: "true"
+          - target: "linux-!(arm*|mips|mips64|mipsle|mips64le|loong64)-musl*" # musl-not-arm (exclude compat-family)
             hash: "md5-linux-musl"
+            flags: "-ldflags=-linkmode external -extldflags '-static -fpic'"
+            goflags: ""
+            musl_static: "true"
           - target: "linux-arm*-musl*" #musl-arm
             hash: "md5-linux-musl-arm"
+            flags: "-ldflags=-linkmode external -extldflags '-static -fpic'"
+            goflags: ""
+            musl_static: "true"
           - target: "windows-arm64" #win-arm64
             hash: "md5-windows-arm64"
+            flags: ""
+            goflags: ""
+            musl_static: "false"
           - target: "windows7-*" #win7
             hash: "md5-windows7"
+            flags: ""
+            goflags: "-tags=sqlite_cgo_compat"
+            musl_static: "false"
           - target: "android-*" #android
             hash: "md5-android"
+            flags: ""
+            goflags: ""
+            musl_static: "false"
           - target: "freebsd-*" #freebsd
             hash: "md5-freebsd"
+            flags: ""
+            goflags: ""
+            musl_static: "false"
 
     name: Beta Release
     runs-on: ubuntu-latest
@@ -99,6 +124,8 @@ jobs:
         uses: OpenListTeam/cgo-actions@v1.2.2
         with:
           targets: ${{ matrix.target }}
+          flags: ${{ matrix.flags || '-ldflags=' }}
+          static-link-for-musl: true
           musl-target-format: $os-$musl-$arch
           github-token: ${{ secrets.GITHUB_TOKEN }}
           out-dir: build
@@ -110,6 +137,26 @@ jobs:
             github.com/OpenListTeam/OpenList/v4/internal/conf.GitCommit=$git_commit
             github.com/OpenListTeam/OpenList/v4/internal/conf.Version=$tag
             github.com/OpenListTeam/OpenList/v4/internal/conf.WebVersion=rolling
+        env:
+          GOFLAGS: ${{ matrix.goflags }}
+
+      - name: Verify musl binaries are static
+        if: matrix.musl_static == 'true'
+        run: |
+          set -e
+          shopt -s nullglob
+          files=(build/openlist-*-musl-*)
+          if [ ${#files[@]} -eq 0 ]; then
+            echo "No musl binaries found"
+            exit 1
+          fi
+          for f in "${files[@]}"; do
+            if readelf -l "$f" | grep -q "Requesting program interpreter"; then
+              echo "Dynamic binary detected: $f"
+              readelf -l "$f" | grep "Requesting program interpreter" || true
+              exit 1
+            fi
+          done
 
       - name: Compress
         run: |

.github/workflows/build.yml

@@ -40,6 +40,8 @@ jobs:
         uses: OpenListTeam/cgo-actions@v1.2.2
         with:
           targets: ${{ matrix.target }}
+          flags: ${{ contains(matrix.target, '-musl') && '-ldflags=-linkmode external -extldflags ''-static -fpic''' || '-ldflags=' }}
+          static-link-for-musl: true
           musl-target-format: $os-$musl-$arch
           github-token: ${{ secrets.GITHUB_TOKEN }}
           out-dir: build
@@ -51,6 +53,16 @@ jobs:
             github.com/OpenListTeam/OpenList/v4/internal/conf.WebVersion=rolling
           output: openlist$ext
 
+      - name: Verify musl binary is static
+        if: contains(matrix.target, '-musl')
+        run: |
+          set -e
+          if readelf -l build/openlist | grep -q "Requesting program interpreter"; then
+            echo "Dynamic binary detected: build/openlist"
+            readelf -l build/openlist | grep "Requesting program interpreter" || true
+            exit 1
+          fi
+
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:

.github/workflows/issue_pr_comment.yml

@@ -20,7 +20,7 @@ jobs:
         with:
           script: |
             const issueBody = context.payload.issue.body || "";
-            const unchecked = /- \[ \] /.test(issueBody);
+            const unchecked = /- \[ \] (?!我没有阅读这个清单|I have not read these checkboxes)/.test(issueBody);
             let comment = "感谢您联系OpenList。我们会尽快回复您。\n";
             comment += "Thanks for contacting OpenList. We will reply to you as soon as possible.\n\n";
             if (unchecked) {

SECURITY.md

@@ -0,0 +1,89 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest stable release receives security patches. We strongly recommend always keeping OpenList up to date.
+
+| Version              | Supported          |
+| -------------------- | ------------------ |
+| Latest stable (v4.x) | :white_check_mark: |
+| Older versions       | :x:                |
+
+## Reporting a Vulnerability
+
+**Please do NOT report security vulnerabilities through public GitHub Issues.**
+
+If you discover a security vulnerability in OpenList, please report it responsibly by using one of the following channels:
+
+- **GitHub Private Security Advisory** (preferred): [Submit here](https://github.com/OpenListTeam/OpenList/security/advisories/new)
+- **Telegram**: Contact a maintainer privately via [@OpenListTeam](https://t.me/OpenListTeam)
+
+When reporting, please include as much of the following as possible:
+
+- A description of the vulnerability and its potential impact
+- The affected version(s)
+- Step-by-step instructions to reproduce the issue
+- Any proof-of-concept code or screenshots (if applicable)
+- Suggested mitigation or fix (optional but appreciated)
+
+## Security Best Practices for Users
+
+To keep your OpenList instance secure:
+
+- Always update to the latest release.
+- Use a strong, unique admin password and change it after first login.
+- Enable HTTPS (TLS) for your deployment — do **not** expose OpenList over plain HTTP on the public internet.
+- Limit exposed ports using a reverse proxy (e.g., Nginx, Caddy).
+- Set up access controls and avoid enabling guest access unless necessary.
+- Regularly review mounted storage permissions and revoke unused API tokens.
+- When using Docker, avoid running the container as root if possible.
+
+## Acknowledgments
+
+We sincerely thank all security researchers and community members who responsibly disclose vulnerabilities and help make OpenList safer for everyone.
+
+---
+
+# 安全政策
+
+## 支持的版本
+
+我们仅对最新稳定版本提供安全补丁。强烈建议始终保持 OpenList 为最新版本。
+
+| 版本               | 是否支持           |
+| ------------------ | ------------------ |
+| 最新稳定版（v4.x） | :white_check_mark: |
+| 旧版本             | :x:                |
+
+## 报告漏洞
+
+**请勿通过公开的 GitHub Issues 报告安全漏洞。**
+
+如果您在 OpenList 中发现安全漏洞，请通过以下渠道之一负责任地进行报告：
+
+- **GitHub 私密安全公告**（推荐）：[点击提交](https://github.com/OpenListTeam/OpenList/security/advisories/new)
+- **Telegram**：通过 [@OpenListTeam](https://t.me/OpenListTeam) 私信联系维护者
+
+报告时，请尽量提供以下信息：
+
+- 漏洞描述及其潜在影响
+- 受影响的版本
+- 复现问题的详细步骤
+- 概念验证代码或截图（如有）
+- 建议的缓解措施或修复方案（可选，但非常欢迎）
+
+## 用户安全最佳实践
+
+为保障您的 OpenList 实例安全：
+
+- 始终更新至最新版本。
+- 使用强且唯一的管理员密码，并在首次登录后立即修改。
+- 为您的部署启用 HTTPS（TLS）—— **请勿**在公网上以明文 HTTP 方式暴露 OpenList。
+- 使用反向代理（如 Nginx、Caddy）限制对外暴露的端口。
+- 配置访问控制，非必要情况下不要开启访客访问。
+- 定期检查已挂载存储的权限，并撤销未使用的 API 令牌。
+- 使用 Docker 部署时，尽可能避免以 root 用户运行容器。
+
+## 致谢
+
+我们衷心感谢所有负责任地披露漏洞、帮助 OpenList 变得更加安全的安全研究人员和社区成员。