Prey for Mac

What's new in this version:

Prey 1.13.36
Fixed:
- Fixed an issue where the X-Prey-Status HTTP header could contain invalid characters (such as newlines) that violated RFC 7230, causing request failures when device status data included special characters
- Fixed the hostname trigger incorrectly firing a device_renamed event when location data (a JSON object) was stored as the hostname value in the local database, causing spurious rename notifications to the control panel
- Fixed edge cases in the Windows lock action where Task Manager windows opened during the lock session were not properly closed on unlock
- Removed an empty registry key created during installation that caused errors with the unattended (silent) installer on Windows
- Upgraded node-forge to 1.4.0 to address CVE-2026-33896 (BasicConstraints bypass vulnerability)
- Upgraded underscore to 1.13.8 to address a Denial of Service vulnerability in the flatten function
- Upgraded minimatch to address a ReDoS (Regular Expression Denial of Service) vulnerability (GHSA-3ppc-4f35-3m26)
- Upgraded plist to 3.1.1 to address a CVE in the bundled @xmldom/xmldom dependency
- New Windows Prey Lock guarding edge cases and solving focus on textbox issues
- Chore: Updated bundled Windows executables: Fenix 1.0.8, WpxSvc 2.0.34, and Updater 1.0.8
- Ensured the SQLite database connection is properly closed after every storage operation (set, del, update, all, query) and that initialization errors are propagated to callers, preventing connection leaks
- Replaced the firewall npm dependency with direct Windows API calls via the new winsvc module for managing firewall rules, with multi-level fallback (winsvc HTTP → CLI → PowerShell). Registry set/del operations also now prefer the Windows API with reg.exe fallback
- Registry keys are now cleaned up during full uninstallation (pre_uninstall), not only during dedicated cleanup tasks
- Fixed the Windows anchor location storage to perform an upsert (update if already exists) instead of silently failing on duplicate entries. Invalid cached locations are now cleared on load
- Fixed two connection leak edge cases in the storage layer: storage_fns.all and storage_fns.query were closing the SQLite connection on the success path but not on error paths. Also fixed a null dereference crash when the underlying dbComm.all callback returned (null, null), causing a TypeError reading err.code on a null value
- Fixed a double-callback and uncaught exception risk in the Wi-Fi geo location strategy: when the server returned HTTP 429 (rate limit), execution fell through to a second checkResponse call after the cache-query block completed, and a catch block was using throw inside an async callback instead of calling back with the error
- Fixed a double-callback during post_install on Windows where both setUpVersion and prey_user.create were invoked with the same ready callback, causing it to fire twice
- Fixed the Windows service version cache permanently storing null on a failed first attempt, preventing retries when the service binary was not yet present on disk
- Fixed command injection in the registry.js reg.exe fallback: path, key, and value parameters were unquoted in the shell exec string, allowing values with spaces or metacharacters to break the command or inject additional shell instructions
- Added NaN guards before process.kill() calls in utilinformation.js, tasks/os/windows.js, and panel/index.js: a corrupt or empty pidfile returning NaN from parseInt was passed directly to process.kill, causing unpredictable behavior
- Fixed force_new_config on Unix silently issuing kill -9 undefined when client_pid returned an error: a missing return caused execution to continue past the error log and schedule the kill command with an undefined PID
- Converted edr_log.js to a no-op module, removing synchronous fs.appendFileSync disk writes from production code paths
- Improved the hostname JSON guard to apply .trim() before checking the first character, preventing bypass when a stored hostname value has leading whitespace


Prey 1.13.35
Fixed:
- Fixed a crash in the Wi-Fi location strategy where a server-side body error response was incorrectly propagated as a null callback argument, causing callers to receive an undefined result and crash on property access (lat, accuracy)
- Fixed coordinate validation in the location trigger to accept lat/lng values returned as strings by the geo provider, parsing and validating them against valid geographic ranges instead of rejecting them outright


Prey 1.13.33
- Feat: Location methods (native, Wi-Fi, and IP-based) can now be individually disabled from the control panel. When a method is disabled, the agent automatically falls back to the next available source.


Prey 1.13.32
- Feat: New Windows location orchestration system that coordinates native and Wi-Fi location sources, with periodic validation and persistent recovery across restarts
- Feat: Disk encryption data is now only collected and reported when the control panel explicitly requests it via backend configuration

Fixed:
- Fixed a bug where a missing Wi-Fi location would cause the location strategy to fail entirely instead of falling back gracefully
- New MacSVC 1.0.9 with a fix for screenshot capture on macOS
- New WinSVC 2.0.33
- On Windows, the native location source is now restricted to WinRT only, improving reliability by avoiding incompatible sources
- Windows location orchestrator now uses a finer-grained change verification strategy instead of a broad jump-detection threshold, reducing false location updates
- Increased the native location accuracy threshold from 100 to 200 meters for better location acceptance on Windows
- The lock action on Windows now correctly restores the taskbar and re-applies the lock when a Fast User Switch occurs
- The unlock password is now masked in WebSocket communication logs to avoid exposing it
- WebSocket reconnection backoff maximum wait time was reduced to 2 minutes to recover faster after connectivity issues
- Added timeouts to system calls (PowerShell/exec) to prevent the agent from blocking indefinitely when a command hangs
- Prevents report gathering from stacking up when the agent is under degraded conditions (slow storage or hanging commands)
- Fixed a border case where multiple simultaneous timers could open more than one WebSocket connection for the same device
- Fixed an error that caused the alarm action to fail silently when the device session was inactive


Prey 1.13.31
- Merge branch 'fix/out-of-time-auto-update-macos' into 'develop'
- Fix/out of time auto update macos
- See merge request prey/js/prey-node-client!1391