# v0.15.0
## Highlights
- **Updated to Nushell 0.112.1 and cross.stream 0.12.0.** Nushell removed the `--merge` flag from `metadata set`. If you were using `metadata set --merge {...}`, switch to the closure form: `metadata set { merge {'http.response': {status: 404}} }`. The `{ merge {...} }` form that was already used in examples and docs continues to work unchanged.
- **Security hardening for HTML output.** Minijinja templates now autoescape by default. The `.md` command escapes code fence language attributes. HTML DSL attribute values are properly escaped. The `escape-html` utility consistently escapes all five HTML-significant characters (`& < > " '`) everywhere.
- **SSRF fix in reverse proxy.** The `strip_prefix` logic now rejects URLs with authority components (e.g. `//evil.com`) that could confuse downstream routing.
## Raw commits
* deps: update nushell to 0.112.1 and cross-stream to 0.12.0 (2026-04-13)
* refactor: unify escape-html to escape all 5 chars everywhere (2026-04-13)
* fix: consolidate HTML escaping, add attribute escaping to HTML DSL (2026-04-13)
* fix: escape code fence language in .md to prevent XSS (2026-04-08)
* fix: enable HTML autoescape in minijinja templates to prevent XSS (2026-04-08)
* fix: prevent SSRF via URL authority confusion in reverse proxy strip_prefix (2026-04-08)
* feat: add cargo-docs example (2026-04-07)
* docs: update v0.14.0 release notes (2026-04-04)
* fix: rename const to avoid collision when sourced from www/serve.nu (2026-04-04)
* fix: use path self for cwd-independent path resolution in templates example (2026-04-03)
* docs: rewrite v0.14.0 release notes (2026-04-04)
* chore: bump to v0.14.1-dev (2026-04-03)