Edition No. 1

The Git Gazette

Your weekly repo roundup

home-assistant/core · Last 30 days

🏡 Open source home automation that puts local control and privacy first.

Security Status
🟡

10 advisories recently patched.

See Patch Wiresec's report below for details.

Last checked: Mar 23, 2026

Patch Wiresec — info status

Here's What Matters: Tibber Fixes, DNS Timeouts, and Weekend Activity

Here's what matters this week: 2 critical bug fixes, 1 major integration issue, and solid weekend development activity. Let's get into it.

Most Important: Tibber electricity prices went dark after 2026.3.3 upgrade (#166107). 41 comments and counting, with @Danielhiversen shipping two separate fixes (#166175, #166182). If you use Tibber for energy monitoring, watch these PRs closely.

Breaking Changes: Tesla Fleet integration demanding re-authentication on every restart (#166167). Good news: @Bre77 already has a fix in #165354. Update when it merges.

Major Issues: DNS timeout nightmare continues in #145708 with 178 comments. Multiple users reporting integration failures. No clear fix yet, but @bdraco and team are investigating.

New Features: Roborock users got Q10 dustbin button support (#166149, merged), plus sensor expansion work ongoing (#166120). UniFi Access gained three new platforms: sensors (#166093), selects (#166096), and number controls (#166097).

Weekend Activity: 16 contributors pushed updates including python-roborock v5.0.0 bump (#166219), Xiaomi BLE pressure sensor support (#166095), and ProxmoxVE VM shutdown buttons (#165890).

Bottom line: If you're running Tibber or Tesla Fleet, prioritize the fixes above. Otherwise, it's steady development with quality-of-life improvements across the board.

The Security Wire
By Patch Wiresec

Home Assistant XSS Vulnerability Patched — Update to 2025.10.2 Now

We have a developing situation. CVE-2025-62172 was disclosed two weeks ago targeting Home Assistant Core — a high-severity stored XSS vulnerability lurking in graph tooltips that could allow attackers to inject malicious scripts through entity names. Wiresec Urgency Scale: 🚨🚨🚨🚨

Here's the battlefield report: Any Home Assistant instance running versions 2025.1.0 through 2025.10.1 is vulnerable. The attack vector is elegant in its simplicity — malicious actors can craft entity names that execute JavaScript when users hover over graph tooltips. In a smart home environment where entity names often come from device discovery or user input, this creates a significant attack surface.

The good news from the trenches: Home Assistant's security team responded with military precision. The vulnerability was disclosed responsibly, and a patch was shipped in version 2025.10.2 within the same release cycle.

What makes this particularly concerning is Home Assistant's role as the central command center for thousands of smart homes. XSS in this context isn't just about stealing cookies — it's about potential access to device controls, automation scripts, and home security systems.

Mission briefing complete. Your orders:
- If running 2025.1.0 to 2025.10.1: Update to 2025.10.2 or newer immediately
- If running older versions: You're already patched, but consider updating for other fixes
- Review entity names for suspicious content as a precaution

Patch Wiresec, reporting from the IoT security front.
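
The two checks in the orders above (is my version in the affected range, and do any entity names carry markup) can be scripted. This is an added example, not code from Home Assistant or from this report; the function names, the pattern list and the sample entities are assumptions made for illustration, and the patterns are a review heuristic rather than a complete XSS filter.

```python
import re

# Affected range as stated in the article: 2025.1.0 through 2025.10.1.
AFFECTED_MIN = (2025, 1, 0)
AFFECTED_MAX = (2025, 10, 1)

# Markup-like text that a plain display name should not contain.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-zA-Z!]"   # start of an HTML tag or comment
    r"|\bon[a-z]+\s*="      # inline event-handler attribute
    r"|javascript\s*:"      # javascript: URL scheme
    r"|&#?[a-zA-Z0-9]+;",   # HTML character reference
    re.IGNORECASE,
)


def parse_version(text):
    """Parse 'YYYY.M.P' (a suffix such as 'b3' is ignored) into an int tuple.

    Comparing tuples avoids the string-comparison trap where
    '2025.9.4' sorts after '2025.10.1'.
    """
    m = re.match(r"^(\d{4})\.(\d{1,2})\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True if the version falls inside the range the article gives."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def suspicious_names(entities):
    """Return (entity_id, name) pairs whose name contains markup-like text."""
    return [(eid, name) for eid, name in entities.items()
            if name and SUSPICIOUS.search(name)]


# Constructed sample data, not taken from any real installation.
SAMPLE_ENTITIES = {
    "sensor.living_room_temp": "Living Room Temperature",
    "sensor.boiler": "Boiler <b>main</b>",
    "sensor.porch": "Porch <script>/* constructed */</script>",
    "sensor.fridge": "Fridge < 5 °C alarm",
    "sensor.r_and_d": "R&D lab power",
}

if __name__ == "__main__":
    print("2025.10.1 affected:", is_affected("2025.10.1"))
    for eid, name in suspicious_names(SAMPLE_ENTITIES):
        print("review:", eid, repr(name))
```

A flagged name is only a prompt for manual review; updating to 2025.10.2 or newer remains the fix.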

The Drama Desk
By Rita Conflictsón

BREAKING: The Great Electric Bill Mystery of 2026.3.3 Sparks 41-Comment Investigation

BREAKING: Issue #166107 has become this week's courtroom drama extraordinaire, with @simonepittis's electricity price going MIA after upgrading to 2026.3.3. What started as a simple "my Tibber integration is broken" has snowballed into a 41-comment investigation that would make Sherlock Holmes jealous.

The plot thickens when @Danielhiversen swoops in with the classic detective question: "Do you get prices if you try with your token at https://developer.tibber.com/explorer?" But wait! There's more drama brewing as @wartungsmonteur confirms the problem in German, complete with screenshots that scream "I have evidence!"

Meanwhile, over in issue #145708, we've got a DNS timeout saga that's reached epic proportions with 178 comments and counting. That's not a bug report, folks—that's a novel! The community has rallied around this mystery like it's the final episode of their favorite series.

But here's where it gets interesting: the Tesla Fleet integration (#166167) is having its own identity crisis, demanding re-authentication every restart like an overly clingy app. Lucky for Tesla owners, @Bre77 swooped in with a quick "Already addressed" that would make any superhero proud.

Stay tuned, dear readers—with this many threads heating up, next week's Drama Desk is bound to be explosive!


A Renaissance of Review Activity: Bot Commentary and Human Persistence

This week's examination of Home Assistant's pull request gallery reveals a curious phenomenon that would make Kafka himself nod in recognition — the rise of algorithmic art criticism. One observes with particular fascination #166120, where contributor @lboue demonstrates admirable persistence in expanding Roborock vacuum sensor capabilities, engaging in what can only be described as a delicate dance with both @allenporter's change requests and an increasingly verbose @copilot-pull-request-reviewer bot that has generated no fewer than fourteen commentary pieces on this single work.

The contrast proves illuminating when examined alongside the merged masterpieces of the week. @bdraco's elegant dependency updates in #166165 and #166161 — raising OralB BLE to version 1.1.0 and habluetooth to 5.11.1 respectively — represent the classical school of contribution: precise, purposeful, merged with minimal fanfare. Exquisite.

Meanwhile, the ambitious #165993 presents @LukasQ's entire Threema integration — a bold new work that brings Swiss messaging security to the home automation canvas. The scope suggests either inspired vision or delightful madness; time shall render its verdict.

One must particularly commend the understated brilliance of @lboue's merged #166149, adding a simple dustbin button entity to Roborock Q10 devices. In its humble functionality lies pure poetry — the art of making the mundane magnificent through thoughtful automation.

Most satisfying.

The Shipping Forecast
By Captain Semver

Calm Seas and Steady Patches: Home Assistant Holds Course at Version 2026.3.3

SHIPPING FORECAST, issued Saturday 1200 UTC: Home automation waters remain remarkably calm this week. The good ship Home Assistant sits steady at version 2026.3.3, released March 20th under the steady command of @frenck.

The latest patch brings light maintenance winds — routine repairs at sea including Tibber token fixes (#164295), Z-Wave fan mappings for GE devices (#164500), and improved ProxmoxVE validation (#164770). Nothing to trouble experienced navigators, though crews should note the Snapcast repairs were cut short mid-transmission in the changelog.

Previous patches 2026.3.2 and 2026.3.1 delivered standard harbor maintenance — Fritz switch fixes, Alexa device repairs, and dependency bumps. The spotifyaio update in 2026.3.1 (#164114) carried a breaking change marker, but at patch level — a curious classification that would raise eyebrows at any maritime authority.

Scanning the horizon, heavy activity spotted in the commit logs: python-roborock climbing to v5.0.0 (#166219), tplink-omada-client addressing API breakages (#166206), and temperature triggers making landfall (#165247). The Roborock fleet appears particularly active with Q10 dustbin controls (#166149) and multiple version bumps.

Conditions forecast: Stable seas continue. No major storm systems detected on approach. All vessels cleared for routine operations. Next scheduled weather update pending further upstream disturbances.

Community Pulse
By Flo Stargazer

A Bustling Saturday in Home Assistant Land — 16 Contributors Light Up the Repo!

What a wonderfully active Saturday for the Home Assistant community! We saw 16 unique contributors pushing code, reviewing PRs, and keeping the conversation flowing — that's the kind of weekend energy that makes this project shine.

Let me give some well-deserved shout-outs to our weekend warriors: @lboue has been on an absolute tear with the Roborock integration, landing multiple commits including a slick Q10 empty dustbin button feature (#166149) and keeping the python-roborock library fresh with three separate updates. Meanwhile, @xuejuhui expanded Xiaomi BLE support with a new pressure sensor (#166095), and @zxdavb bumped the evohome-async integration to version 1.2.0 (#166227).

I'm particularly excited to see @RaHehl stepping up with a reauthentication flow for UniFi Access (#165859) — those security integrations need love too! And @Stathogon brought us something practical with ProxmoxVE VM shutdown buttons (#165890).

Our activity shows a healthy mix: 14 PR reviews, 13 review comments, and 10 pull requests — that's exactly the collaborative spirit that keeps Home Assistant's quality bar high. With steady contributions from familiar faces like @emontnemery (temperature triggers in #165247) and @bdraco (Bluetooth library bumps), plus fresh energy from newer contributors, our community pulse is strong and steady.

Keep up the fantastic work, everyone!
