40 KiB
40 KiB
Changelog
All notable changes to CloakBrowser — wrapper and binary — are documented here.
Changes are tagged: [wrapper] for Python/JS wrapper, [binary] for Chromium patches.
[Unreleased]
- [wrapper] Authenticated HTTP/HTTPS proxies now use the browser's native proxy authentication on every platform whose binary supports it — resolved per platform and binary version — and fall back to the standard proxy path on older binaries that don't. Fixes credentialed HTTP/HTTPS proxies on macOS and ARM, which previously could not use the native path. Python, JavaScript, Puppeteer, and .NET.
[0.4.10] — 2026-07-09
- [wrapper] Fix JS CLI silently exiting with no output when run via
npx/node_modules/.bin(#427). The entry-point guard comparedimport.meta.urlto an unresolvedprocess.argv[1]; symlinked bin installs (npm/pnpm/npx) never matched, so no subcommand ran. Now realpath-resolves the invoked path before comparing. - [wrapper] Fix
humanize=Truebreaking interactions with elements inside iframes (#428).frame.locator("#btn").click()/fill()/hover()/ etc. (and the frame-levelframe.click(...)equivalents) now resolve the selector in the owning sub-frame's own document instead of misrouting to the top page, which previously raisedElementNotAttachedError. Humanized mouse motion is preserved inside iframes. Python only (the JS and .NET wrappers were already frame-correct).
[0.4.9] — 2026-07-09
- [wrapper] Free-tier launch banner and
cloakbrowser infoupgrade hint now surface the 7-day free Pro trial (Chromium 148). Python, JS, and .NET. - [wrapper]
info/updatenever diverge from the Pro build that actually launches —infonow shows both the cached build that will launch and the server's latest Pro version so the two can no longer silently disagree. Unpinned launches prefer the server's latest when it's newer than (or replaces a missing) cached build;updateis license-aware (a valid Pro key updates the Pro binary, everyone else updates free); the background Pro update check is now a rate-limited foreground check (one call/hour, honorsCLOAKBROWSER_AUTO_UPDATE=false); a valid Pro license never silently falls back to free; binary verification failures now surface verbatim instead of falling back to a cached build. Python, JS, and .NET. - [wrapper]
info/doctorWindows-font check now covers the full 8-font set (adds the two monospace fonts) and reports a strict N/8 count, with the launch-time warning firing on any incomplete set rather than only a fully-missing one. Adds a separate Office-font group (10 fonts) reported as informational N/10 with no install nudge. Python, JS, and .NET.
[0.4.8] — 2026-07-05
- [binary] Chromium 148.0.7778.215.5 (Pro, Windows + Linux; macOS follows) — the biggest fingerprint update yet. Pro license required; v146 stays free.
- More common, more coherent hardware identities — each
--fingerprintseed is built from the most common real-world hardware values (screen, GPU, RAM, CPU cores, color depth, fonts, audio), chosen together so they form a popular, self-consistent device with no internal contradictions. - Deeper, more consistent Windows persona — expanded and localized font populations, tighter graphics/display alignment, and seed-coherent screen size, color depth, and audio across browser- and OS-level signals.
- Expanded NVIDIA GPU profiles, each matched to a plausible CPU, RAM, and screen combination.
- Window and screen geometry coherence in both headed and headless modes (pairs with the wrapper's new maximized-window default).
- Greater WebGL and WebGPU realism, including consistent behavior under timing inspection.
- Cleaner proxy behavior — better proxy-auth handling and less proxy-specific reload and cache leakage.
- New pass-through debug mode (
--fingerprint=off) and a third-party-cookie compatibility flag (--fingerprint-allow-3p-cookies). - Runtime Pro license sessions — privacy-preserving groundwork for future session-limit enforcement (
--license-through-proxyopts these calls onto your proxy, Linux only for now).
- More common, more coherent hardware identities — each
- [wrapper]
geoip=Truenow works without a proxy — on a direct connection it resolves the machine's own public IP for timezone, locale, and the WebRTC exit IP (previously it no-oped without a proxy, leaving UTC +en-USin bare Docker/cloud launches). Locale coverage expanded from 50 to 132 countries. Python, JS, and .NET. - [wrapper] Headed and headless launches now open maximized on the newest Pro binaries (version-gated, same threshold as the headless no-viewport default), so the window fills the spoofed screen and window/screen geometry stays self-consistent. Suppressed when you set an explicit window size/position or viewport; older and free binaries are unchanged. Python, JS, and .NET.
- [docs] Documented the Chromium 148+ pass-through and compatibility flags you can pass via
args:--fingerprint=off(native pass-through debug mode),--fingerprint-allow-3p-cookies(third-party-cookie compatibility for reCAPTCHA v3 / SSO / payment challenges), and--license-through-proxy(route license/session calls through your proxy, Linux only for now).
[0.4.7] — 2026-07-02
- [docker] Update the public
cloaktestsuite to use free-tier-stable bot-detection checks while Pro continues to verify reCAPTCHA v3 at 0.9. The Docker smoke test now runs Sannysoft, Incolumitas, Rebrowser, deviceandbrowserinfo, BrowserScan, and CreepJS lies/noise=false; FingerprintJS and reCAPTCHA v3 are no longer hard-pass checks for the free v146 image.
[0.4.6] — 2026-07-02
- [wrapper] The resolved Pro license key is now passed to the browser process at launch (via
CLOAKBROWSER_LICENSE_KEY) so the Pro binary can authenticate itself, including when you supply a customenv. Fixes launch failures on the newest Pro binaries. Python, JS, and .NET. - [wrapper] Headless launches on the newest Pro binaries now track the real screen surface instead of a fixed emulated viewport, keeping window geometry self-consistent (version-gated — older and free binaries keep the deterministic headless viewport). Passing an explicit
viewport=/no_viewport(Python) orviewport/defaultViewport(JS) still overrides. Python, JS, and .NET.
[0.4.5] — 2026-06-29
- [wrapper]
infois now a full diagnostics command — it reports the binary that will actually launch given your license, runs a launch test (chrome --version, plus a missing-shared-library probe on Linux), validates the license key to show the real tier (free/solo/team/business, orinvalid), and checks Windows-font availability (Linux), the GeoIP database, and optional dependencies.--quickskips the launch test;--jsonemits machine-readable output. Python, JS, and .NET. - [wrapper] One-time startup notice when spoofing the Windows platform on a Linux host without Windows fonts installed, with guidance to install them for best results. Best-effort and silent on error; suppress with
CLOAKBROWSER_SUPPRESS_FONT_WARNING=1. Python, JS, and .NET. - [wrapper] The first-launch banner now re-shows to free users every 3 days (Pro users still see it once). Python, JS, and .NET.
[0.4.4] — 2026-06-27
- [wrapper] Exact version pinning / rollback — pin a specific Chromium build with
browser_version=(browserVersionin JS,BrowserVersionin .NET) or theCLOAKBROWSER_VERSIONenvironment variable, e.g.launch(browser_version="148.0.7778.215.2"). Works for both Free and Pro binaries and lets you roll back if a new build regresses on your site. A pin never overwrites the cached "latest" marker, so a later unpinned launch returns to the newest build. Python, JS, and .NET. - [wrapper] The Pro version check now sends the client platform so each OS resolves its own latest build independently — a new release for one platform no longer affects the others. Python, JS, and .NET.
- [binary] Chromium 148.0.7778.215.3 (Pro) — fingerprint fixes and alignment across Linux, Windows, and macOS (Apple Silicon + Intel). Pro license required; v146 stays free.
[0.4.3] — 2026-06-24
- [wrapper] .NET 8 / C# client — CloakBrowser now ships as a NuGet package (
CloakBrowser), mirroring the Python and JS wrappers. Contributed by @evelaa123 in PR #385. - [wrapper] macOS Pro is now available — the latest binary (Chromium 148.0.7778.215.2) downloads on macOS (Apple Silicon + Intel) with a Pro license, the same as Linux and Windows. v146 stays free.
- [wrapper] A valid Pro license now hard-fails on a Pro download error on every platform instead of silently downgrading to the free binary. The temporary macOS-only free fallback added in 0.4.2 is removed now that the macOS Pro build ships. Python, JS, and .NET.
[0.4.2] — 2026-06-23
- [wrapper] macOS Pro licenses now fall back to the free binary (macOS Pro build coming) instead of failing to launch. Transient and signature-verification failures still hard-fail. Python and JS.
[0.4.1] — 2026-06-23
- [wrapper] Humanize: fix "Viewport size not available" crash on headed launches. Headed mode defaults to
no_viewport(since 0.4.0), sopage.viewport_sizeisNone— human scroll now falls back to the livewindow.innerWidth/window.innerHeight. Covers Playwright (Python sync/async, JS) and Puppeteer. - [wrapper] [docker] Widevine: opt-in CDM auto-fetch for persistent contexts. Set
CLOAKBROWSER_FETCH_WIDEVINEand the Docker entrypoint pulls the Widevine CDM from Google's component server (arch-aware, SHA-256 verified, atomic, cached), so DRM playback works without a local Chrome to copy from. Off by default; bare-metal Linux users can runbin/fetch-widevine.pydirectly. - [meta] First-launch banner now promotes the Pro tier (header badge dropped); refreshed README test-results stamp to Jun 2026 / Chromium 148.
[0.4.0] — 2026-06-22
- [wrapper] CloakBrowser Pro: all launch functions now accept a
license_keyparameter (licenseKeyin JS); a key can also be supplied via theCLOAKBROWSER_LICENSE_KEYenvironment variable or a~/.cloakbrowser/license.keyfile. With a valid key the latest binary is downloaded from cloakbrowser.dev; without one, the free binary continues to download from GitHub Releases exactly as before. License validation is cached locally for 24h, and the Pro binary is authenticated with the same pinned Ed25519 signature as the free binary. A valid key whose Pro download or signature check fails surfaces a clear error rather than silently downgrading to the free binary. Addsvalidate_license/LicenseInfoexports and atierfield onbinary_info(). Details: https://cloakbrowser.dev - [wrapper] Security: downloaded binaries are now verified against a pinned Ed25519 signature on the published
SHA256SUMS(a detachedSHA256SUMS.sig), so a compromised download mirror can no longer certify a tampered binary — the previous same-origin checksum proved integrity but not authenticity (#308). The signed manifest also binds the release version, rejecting a forced downgrade to an older signed build. Verification is mandatory on the official download path; silent auto-update is preserved for everyone because only a constant public key is pinned, not per-version hashes. Older installed wrappers are unaffected. - [wrapper] Headed launches no longer apply a fixed emulated viewport on top of the real browser window — the page now tracks the actual window so window-geometry stays self-consistent. Headless keeps a deterministic viewport (unchanged). Applies across
launch,launch_context,launch_persistent_context(+ async) and the JS Playwright/Puppeteer wrappers. Passing an explicitviewport=/no_viewport(Python) orviewport/defaultViewport(JS) still works exactly as before. - [wrapper] Breaking: removed the optional
patchrightbackend. Thebackendparameter andCLOAKBROWSER_BACKENDenvironment variable no longer exist, and thecloakbrowser[patchright]extra is gone. Stock Playwright is now the only backend. The stealth binary handles automation-signal suppression at the C++ level — patchright added no measurable benefit on top of it (identical reCAPTCHA v3 score to plain Playwright) while breaking proxy auth andadd_init_script(#27). Callers passingbackend=...will get aTypeError; remove the argument. - [binary] CloakBrowser Pro — first Pro build: Chromium
148.0.7778.215.2for linux-x64, linux-arm64, and windows-x64 — 59 source-level fingerprint patches (up from 58 on 146). macOS builds to follow. Available to Pro subscribers at cloakbrowser.dev; v146 remains free on GitHub Releases. - [binary] Rebased the full patch set across two Chromium major versions — 146 → 147 → 148 — re-applying and adapting every patch to current Chromium internals
- [binary] Cross-API fingerprint consistency improvements for Chromium 148 profiles
- [binary] WebRTC fingerprint hardening — network signals matched to real Chrome
- [binary] Font metric alignment for Windows profiles via the opt-in
--fingerprint-windows-font-metricsflag — requires Windows fonts installed (see README "Font Setup on Linux")
[0.3.32] — 2026-06-20
- [wrapper] Security: Windows binary extraction — pass archive/destination paths to PowerShell via env vars instead of interpolating into the
-Commandstring, closing a code-injection shape on paths containing single quotes (e.g.C:\Users\O'Brien) - [wrapper] Widevine: auto-seed CDM hint file for persistent contexts on Linux, so DRM playback works without manual pre-seeding
- [wrapper]
cloakserve: rewrite CDP WebSocket URLs so clients connect through the proxy correctly (thanks @honor2030, #234) - [wrapper]
cloakserve: add idle cleanup for seeded profiles (thanks @Kumario1, #352) - [meta] Fix
recaptcha_score.pyexample — wait for the reCAPTCHA score to render before screenshot (thanks @igo for the report, #374) - [meta] Bump GitHub Actions in the actions group (#358)
[0.3.31] — 2026-05-26
- [wrapper] Route HTTP proxy credentials through
--proxy-serverflag, removing the need for Playwright's proxy auth handler on HTTP proxies - [wrapper] JS: export
buildContextOptionshelper for custom context creation (thanks @honor2030, #262) - [wrapper] Humanize: fix iframe coordinate offset in pointer-events check (thanks @eofreternal, #303)
- [wrapper] Humanize: use shared deadline for timeout budget in frame and ElementHandle methods (#307)
- [docker] Clean up stale Xvfb lock so container survives restarts (thanks @sparanoid, #284)
- [meta] Add pip and npm ecosystems to Dependabot, bump GitHub Actions (#309)
[0.3.30] — 2026-05-21
- [binary] New build 146.0.7680.177.5 for Linux x64 + Windows x64 — 58 source-level fingerprint patches (up from 57)
- [binary] Rendering consistency improvements across Linux and Windows — corrected GPU, display, and graphics parameters to match stock Chrome 146 profiles
- [binary] Windows: native GPU/rendering values now pass through directly instead of being spoofed, matching real hardware behavior
- [binary] Storage normalization fix for Windows
- [binary] HTTP proxy inline credential support at the network layer
- [wrapper] Update
PLATFORM_CHROMIUM_VERSIONSfor linux-x64 and windows-x64 to 146.0.7680.177.5
[0.3.29] — 2026-05-20
- [wrapper] Security:
cloakserve— guard WebSocket origins to prevent browser-origin CSRF via CDP proxy (thanks @0xlally for the report, @honor2030 for the fix, #239, #240) - [wrapper] Security: Lambda example — add URL scheme validation, SSRF protection, post-navigation re-validation, remove unsafe caller-controlled options (#233)
- [wrapper] Security: CI — isolate
workflow_dispatchinput to avoid shell injection in attest-release (thanks @aaronjmars, #223) - [wrapper] Security: JS — bump tar + transitive deps via npm audit fix (thanks @aaronjmars, #222)
- [wrapper] Add
extension_pathsparameter for loading Chrome extensions in all launch functions (thanks @zackycodes, #210) - [wrapper] Humanize: add Playwright-style actionability checks — auto-wait for visible, enabled, stable elements before humanized actions (#228)
- [wrapper] JS: export composable launch helpers —
buildLaunchOptions()andhumanizeBrowser()for custom Playwright integrations (thanks @honor2030, #244) - [wrapper] JS: add
launchPersistentContext()to Puppeteer wrapper (#261) - [wrapper] Add
flake.nixfor Nix/NixOS (thanks @Seryiza, #220) - [meta] JS: sync package-lock metadata (thanks @245678000000, #219)
[0.3.28] — 2026-05-11
- [wrapper] Security:
cloakserve— sanitize fingerprint seed to prevent path traversal, bind to127.0.0.1on bare metal, detect Podman containers (#217) - [wrapper] Fix GeoIP resolution hanging indefinitely — bounded with 10s timeout so
launch()cannot stall (thanks @manaskarra, #213) - [wrapper] JS: preserve iframe scope in humanized frame actions —
check(),uncheck(),selectOption()now execute in the correct frame (thanks @manaskarra, #201) - [wrapper] JS: add TypeScript types to humanized method options —
HumanActionOptionstype forhuman_configandtimeoutoverrides (thanks @eofreternal, #205) - [wrapper] Log when SOCKS5 credential auto-encoding rewrites a proxy URL (thanks @Youhai020616, #209)
- [wrapper] JS: bump
playwright-corepeer dependency minimum to >=1.53.0 (#200) - [meta] Bump sigstore/cosign-installer in CI (#214)
[0.3.27] — 2026-05-06
- [wrapper] Per-call
human_configoverride — passhuman_config={...}to individual humanized methods to override global HumanConfig on a per-action basis (#183) - [wrapper] Humanized
scrollIntoViewIfNeeded— auto-scrolls with human-like behavior whenhumanize=True(#183) - [wrapper] Forward
timeoutparameter through humanized Playwright methods (#183) - [wrapper] Fix humanize timeout default to align with Playwright's 30s auto-retry instead of custom 2s (#172)
[0.3.26] — 2026-04-28
- [binary] Windows x64 upgraded to Chromium 146.0.7680.177.4 — 57 source-level fingerprint patches (up from 33 on 145.0.7632.159.7), now matches Linux. Includes all binary improvements from 0.3.18–0.3.25: native SOCKS5 proxy with UDP ASSOCIATE (QUIC/HTTP3), WebRTC IP spoofing, proxy signal removal, CDP input stealth, storage quota normalization, WebAuthn/AAC/window position patches, WebGL and canvas consistency fixes, expanded GPU model database
- [wrapper] Auto URL-encode SOCKS5 credentials containing special characters in string URLs (#157)
- [wrapper] AWS Lambda integration example with cold-start hardening and handler-side retry orchestration (#177, thanks @AlexTech314)
- [docker] Add emoji and extended font packages to resolve Kasada/Akamai canvas fingerprint blocks (#179)
- [docs] Add Font Setup on Linux section to README (#179)
- [docs] Add Deployment Integrations section to README (#177)
- [meta] Bump GitHub Actions dependencies (#178)
[0.3.25] — 2026-04-16
- [wrapper] Python: add
launch_context_async()— async counterpart tolaunch_context(). Returns a BrowserContext with all kwargs forwarded tobrowser.new_context(), enablingstorage_state,permissions,extra_http_headers, etc. without a persistent profile folder. Closes #141. - [wrapper] JS:
launchContext()andlaunchPersistentContext()silently dropped unknown options (includingstorageState). NewcontextOptionsescape hatch forwards arbitrary options to Playwright'snewContext(). - [wrapper] Fix
humanConfigTypeScript typing (#151). - [binary] New build 146.0.7680.177.3 for Linux x64 + arm64 — 57 source-level fingerprint patches (up from 49): WebAuthn capabilities, AAC audio encoder, and window position spoofing; WebGL and canvas format consistency fixes; SOCKS5 warm connection pool auth fix for credentialed proxies.
- [docs] Add recommended anti-bot config and SOCKS5 tips to troubleshooting.
[0.3.24] — 2026-04-10
- [wrapper] Native SOCKS5 proxy support — pass
proxy="socks5://user:pass@host:port"directly. Credentials handled natively by Chrome. Works across all launch functions, Python + JS. - [wrapper] Add Playwright ElementHandle humanize support —
element_handle.click(),.fill(),.type()now use human-like behavior whenhumanize=True(thanks @evelaa123, #133) - [binary] Upgrade Linux arm64 to Chromium 146.0.7680.177.2 (49 patches) — now matches Linux x64
- [binary] New build 146.0.7680.177.2 for both Linux platforms: native SOCKS5 proxy with UDP ASSOCIATE (QUIC/HTTP3 over SOCKS5)
- [docs] Clarify humanize requires wrapper import over CDP (#126)
[0.3.23] — 2026-04-09
- [wrapper] Add full Puppeteer humanize support — human-like mouse, keyboard, and scroll behavior for
puppeteer-coreusers (thanks @evelaa123, #129) - [wrapper] Fix Playwright humanize gaps —
pressSequentially,tap,clearon pages and frames now use human-like behavior (#129) - [wrapper] Expose humanize module for CDP-connected browsers —
import from 'cloakbrowser/human'for manual patching of external Playwright instances (#126) - [docker] Fix
cloakservelocale/timezone mismatch — CLI args now route throughbuild_args()so the companion--langflag is added automatically (#130) - [meta] Use Node 24 in CI publish workflow to work around broken npm in Node 22.22.2
[0.3.22] — 2026-04-09
- [binary] Upgrade Linux x64 build to Chromium 146.0.7680.177.1 — 49 source-level C++ patches (up from 48), rebased from 145.0.7632.x
[0.3.21] — 2026-04-07
- [wrapper] Remove dead
--disable-blink-features=AutomationControlledflag -- binary patch 009 already handlesnavigator.webdriverat source level - [wrapper] Remove hardcoded GPU vendor/renderer flags -- binary auto-generates diverse, realistic GPU profiles from the fingerprint seed. Each seed gets a unique GPU instead of every user sharing the same one
- [wrapper] Allow
viewport=Noneto disable viewport emulation in both Python and JS wrappers (thanks @kitiho, #107) - [wrapper] Enable
geoip=Truein stealth test example to fix FingerprintJS detection - [meta] Remove npm self-upgrade step in CI -- Node 22 ships with compatible npm
- [docker] Install
geoip2in Docker image for GeoIP auto-detection support
[0.3.20] — 2026-04-06
- [binary] Upgrade Linux x64 build to 145.0.7632.159.9 — 48 source-level C++ patches (up from 42)
- [binary] 6 new patches: WebRTC IP spoofing, proxy signal removal, network timing normalization, WebGL accuracy improvements
- [binary] New
--fingerprint-webrtc-ipflag — spoof WebRTC ICE candidate IPs to match your proxy exit IP - [binary] Proxy detection signals eliminated — timing, headers, and network metadata normalized when proxy is active
- [binary] WebGL rendering accuracy improvements for headed mode
- [wrapper] Auto-inject
--fingerprint-webrtc-ipwhengeoip=True— uses resolved exit IP from GeoIP lookup - [wrapper] Rewrite
cloakserveas CDP multiplexer with per-connection fingerprint seeds and connection tracking - [wrapper] Humanize keyboard improvements — better behavioral stealth for typing interactions (thanks @evelaa123)
- [meta] Bump GitHub Actions dependencies
[0.3.19] — 2026-03-30
- [binary] Upgrade Linux x64 build to 145.0.7632.159.8 — 42 source-level C++ patches (up from 33)
- [binary] 9 new fingerprint patches covering additional browser APIs and cross-platform consistency
- [binary] New
--fingerprint-noiseflag — disable noise injection while keeping deterministic fingerprint seed active - [binary] Improved fingerprint noise reliability and determinism across all patched APIs
- [binary] Expanded platform-aware fingerprint spoofing for more realistic cross-platform profiles
- [binary] Font rendering and detection accuracy improvements for Windows profiles
- [binary] Removed experimental patches that caused compatibility issues with certain anti-bot systems
- [binary] Docker/VNC environment compatibility improvements
- [wrapper] Fix Playwright cleanup —
pw.stop()now runs even ifbrowser.close()raises or is cancelled (fixes #60, thanks @dgtlmoon) - [meta] Pin GitHub Actions to commit SHAs, add Dependabot for automated dependency updates
[0.3.18] — 2026-03-15
- [wrapper] Fix welcome banner printing to stdout — now writes to stderr so it won't corrupt JSON output in programmatic usage (fixes #59)
- [wrapper] Fix
cloakserveDocker WebGL by adding--ignore-gpu-blocklistflag - [docs] Add Crawlee integration example
- [meta] Add GitHub issue template for bug reports
[0.3.17] — 2026-03-15
- [binary] Windows x64 build upgraded to 145.0.7632.159.7 — 33 source-level C++ patches, matching Linux
- [wrapper] Auto-inject GPU blocklist bypass for headed mode and Windows — fixes WebGL/WebGPU on software GPUs in Docker/VNC (fixes #56)
- [wrapper] Add 8 framework integration examples (Scrapy, Crawlee, BrowserBase, etc.) and README integrations section
[0.3.16] — 2026-03-14
- [binary] Linux arm64 build available — Raspberry Pi, AWS Graviton, Oracle Ampere now supported
- [wrapper] Add donate link to first-launch welcome banner
[0.3.15] — 2026-03-13
- [binary] Upgrade Linux build to 145.0.7632.159.7 — 33 source-level C++ patches
- [binary] StorageBuckets API quota normalization — closes the last storage-based incognito detection vector
- [wrapper] Fix non-ASCII character support in humanized typing — Cyrillic, CJK, and emoji now type correctly (thanks @evelaa123)
[0.3.14] — 2026-03-12
- [binary] Upgrade Linux build to 145.0.7632.159.6 — fix persistent context detection by FingerprintJS
- [binary] Storage quota normalization for persistent context profiles
- [binary] Fix outerHeight calculation for non-incognito contexts
- [wrapper] Add CLI for binary management —
python -m cloakbrowser install/npx cloakbrowser installwith visible download progress (closes #43)
[0.3.13] — 2026-03-10
- [wrapper] Suppress Playwright's
--enable-unsafe-swiftshaderdefault arg — eliminates SwiftShader software renderer detection signal, letting the binary's GPU spoofing work cleanly - [binary] Upgrade Linux build to 145.0.7632.159.5 — fix WebGPU adapter limits and features for NVIDIA profiles
[0.3.12] — 2026-03-10
- [binary] Upgrade Linux build to 145.0.7632.159.4
- [binary] Native locale spoofing — new C++ patch replaces detectable CDP-level locale emulation
- [binary] WebGPU fingerprint hardening — spoof adapter features, limits, device ID, and subgroup sizes for cross-API consistency
- [binary] Restore WebGPU blocklist bypass auto-injection (safe now with full adapter spoofing)
- [binary] Fix WebGL renderer suffix — remove driver version string flagged by BrowserLeaks
- [wrapper] Use binary flags for timezone/locale instead of CDP emulation — eliminates a detection vector
- [wrapper] Support bare proxy format (
user:pass@host:port) without scheme prefix - [wrapper] Use ANGLE-wrapped GPU strings in default stealth args for realistic WebGL fingerprint
[0.3.11] — 2026-03-08
- [wrapper]
humanize=True— human-like mouse (Bézier curves, overshoot), keyboard (per-character timing, thinking pauses), scroll (accelerate/cruise/decelerate), and click behavior. Two presets:defaultandcareful. Works in Python and JS. (thanks @evelaa123) - [binary] CDP input stealth — 4 new source-level C++ patches removing automation signals from input events
- [binary] Support
--remote-debugging-addressflag for CDP bind address — eliminates the socat workaround incloakserveDocker mode - [wrapper]
cloakserveupdated to use--remote-debugging-address=0.0.0.0directly — socat dependency removed from Docker image - [binary] GPU fingerprint accuracy improvements — renderer suffix strings now match real Chrome output across Windows and Linux profiles
- [binary] GPU capability accuracy fix for NVIDIA profiles — spoofed values now reflect actual hardware limits
- [binary] macOS GPU accuracy fix — GPU model database reference corrected for Apple Silicon profiles
- [binary] Fix CDP input synthesis — a guard condition prevented the patch from activating; now fires correctly on all input events
- [binary] Code quality hardening across patches — correctness and reliability fixes
[0.3.10] — 2026-03-07
- [binary] Upgrade Linux build to 145.0.7632.159.2
- [binary] Fix detection regression caused by unnecessary browser flag (fixes #16)
- [binary] Fix fingerprint consistency in offline audio rendering
- [wrapper] Add
cloakserveCDP server mode for Docker — exposes Chrome DevTools Protocol on0.0.0.0:9222for external tool integration - [wrapper] Add wrapper regression tests: page.goto timing with stealth init (#9), add_init_script compatibility with proxy auth (#27)
[0.3.9] — 2026-03-05
- [binary] Upgrade Chromium base to 145.0.7632.159 (Linux x64). macOS and Windows remain on 145.0.7632.109.2
- [binary] WebGPU adapter spoofing for headless/Docker, timezone multi-context fix, stealth audit phase 2 (6 detection vector fixes), font auto-hide for cross-platform fingerprints
- [wrapper] Default Playwright backend switched from
patchrightto stockplaywright. Patchright broke proxy auth andadd_init_script(#27) and is redundant since the binary handles stealth at C++ level. Opt in withlaunch(backend="patchright")orCLOAKBROWSER_BACKEND=patchrightenv var. Install:pip install cloakbrowser[patchright] - [wrapper] Deduplicate CLI flags when user args overlap with stealth defaults — user values win cleanly instead of passing both to Chromium
- [wrapper] Extract shared
buildArgsintojs/src/args.ts(JS DRY fix), guard debug logging behindDEBUG=cloakbrowserenv var
[0.3.7] — 2026-03-05
- [wrapper] Unify timezone parameter: rename
timezone_idtotimezoneinlaunch_context(),launch_persistent_context(), andlaunch_persistent_context_async()(Python). Oldtimezone_idstill works with a deprecation warning. JS: deprecatetimezoneIdonLaunchContextOptions— usetimezone(inherited fromLaunchOptions) - [wrapper] Docker Hub image (
cloakhq/cloakbrowser) — pre-built with Python + JS wrappers, Xvfb for headed mode, andcloaktestCLI shortcut. One-liner:docker run --rm cloakhq/cloakbrowser cloaktest - [wrapper] Add "Launching stealth browser..." feedback to all examples for better UX in Docker/CI
- [wrapper] Comprehensive unit tests: 169 Python + 88 JS (up from 59 + 47)
- [docs] Streamline READMEs for launch — reorder for conversion, collapse fingerprint flags, update Docker section
[0.3.6] — 2026-03-04
- [wrapper]
proxyparameter now accepts a Playwright proxy dict ({server, bypass, username, password}) in addition to URL strings — enables bypass lists and separate auth fields (PR #24). TS note: type changed fromstringtostring | object— code that assumedproxyis always a string may need atypeofnarrowing check
[0.3.5] — 2026-03-04
- [wrapper] Add
launch_persistent_context()andlaunch_persistent_context_async()(Python) — persistent browser profiles with cookie/localStorage persistence across sessions, avoids incognito detection (thanks @evelaa123, @yahooguntu — PRs #22, #17) - [wrapper] Add
launchPersistentContext()(JS/TS) — same feature for JavaScript with full type support - [wrapper] Fix Windows zip extraction failure when primary download server is down — file handle leak caused
ERROR_SHARING_VIOLATIONon fallback download (thanks @evelaa123 — PR #23)
[0.3.4] — 2026-03-04
Binary v14: auto-spoof restored with seed, wrapper simplified to match.
- [binary] Restore full auto-spoof when
--fingerprint=seedis set — all randomized properties now derive from the seed consistently - [binary] Auto-inject random fingerprint seed at startup if none provided. Binary is stealthy with zero flags
- [binary] 26 source-level C++ patches (up from 25)
- [wrapper] Simplify default stealth args — remove flags the binary now auto-generates. Wrapper still sets platform profile on Linux and
--no-sandbox - [wrapper] Fix timezone in
launch_context()— use Playwright's per-context timezone instead of binary flag, fixing mismatch when creating new browser contexts with geoip - [wrapper] Clarify README platform detection behavior
[0.3.3] — 2026-03-03
All platforms now run Chromium 145 v2 with 25 patches. Windows x64 added.
- [binary] Auto-spoof by default — binary is stealthy with zero flags. Random fingerprint seed auto-generated at startup, no wrapper or configuration required
- [binary] Platform-aware auto-detection — GPU, screen dimensions, and User-Agent automatically match the real OS (macOS, Linux, Windows) without explicit flags
- [binary] Expanded GPU model database for realistic per-session diversity
- [binary] First macOS v145 builds (arm64 + x64) — 25 patches, up from 16 on v142
- [binary] First Windows x64 v145 build — 25 patches
- [wrapper] Add Windows x64 platform support — auto-download, binary path resolution, and platform detection
- [wrapper] Upgrade macOS (arm64 + x64) from Chromium 142 to 145 — all platforms now ship the same 25-patch build
- [wrapper] Add explicit Mac GPU flags (
Apple M3 Metalrenderer) to default stealth args for consistent WebGL fingerprints - [wrapper] Improve reCAPTCHA stealth test — wait for score element instead of blind sleep
- [wrapper] JS: add
win32-x64platform mapping, Windows binary path (chrome.exe)
[0.3.1] — 2026-03-03
- [wrapper] Auto-check for wrapper updates on startup (PyPI/npm). Notifies users when a newer wrapper version is available. Runs once per process, respects
CLOAKBROWSER_AUTO_UPDATE=false.
[0.3.0] — 2026-03-02
Chromium v145 upgrade. 25 fingerprint patches (up from 16). New download verification and fallback system. macOS v145 binary builds pending.
Breaking
- [wrapper] Python dependency changed from
playwrighttopatchright(CDP stealth fork). Patchright is API-compatible, but if you importplaywrightdirectly elsewhere, add it as a separate dependency. Replacefrom playwright.sync_apiwithfrom patchright.sync_api(or keep usingcloakbrowser.launch()which handles this automatically). - [wrapper]
launch_context()/launchContext()now defaults viewport to 1920×947 (realistic maximized Chrome on 1080p Windows with 48px taskbar) instead of Playwright's default 1280×720. Passviewport={"width": 1280, "height": 720}explicitly to restore old behavior.
2026-03-02
- [binary] Full stealth audit — multiple detection vectors eliminated, improved cross-API consistency
- [binary] Platform-aware fingerprint defaults: screen dimensions, taskbar, and layout auto-adjust per spoofed platform
- [binary] Stability and performance improvements across fingerprint patches
- [binary] New optional flags:
--fingerprint-fonts-dir,--fingerprint-taskbar-height - [wrapper] Sync wrapper with latest binary changes: updated flag names, viewport, and defaults
- [wrapper] Per-platform Chromium versioning — Linux and macOS can track different binary versions independently
- [wrapper] Improved SHA-256 checksum verification and version marker migration
2026-03-01
- [wrapper] Upgrade wrapper to Chromium v145.0.7632.109
- [wrapper] Add GitHub Releases fallback when primary download mirror is unavailable
- [wrapper] Add SHA-256 checksum verification for binary downloads
- [wrapper] Wire timezone and locale params to Chromium binary flags
- [wrapper] Add device memory to default stealth args
- [wrapper] JS: add
colorSchemesupport, guard download fallback against partial failures
2026-02-28
- [binary] Enforce strict flag discipline — patches only activate when explicitly configured via command-line flags
- [binary] Improved fingerprint consistency across multiple browser APIs
- [binary] 3 new fingerprint patches + bug fixes in existing patches
- [binary] New command-line flag for device memory spoofing
- [infra] Automated test matrix: 8 groups, 41+ tests across core stealth, fingerprint noise, bot detection, reCAPTCHA, TLS, Turnstile, residential proxy, and enterprise reCAPTCHA
- [infra] Docker-based test runner with subprocess isolation per test group
2026-02-25
- [binary] Reduced automation markers visible to detection scripts
- [binary] Added browser API support at build time
- [binary] Improved screen property consistency
2026-02-24
- [binary] Comprehensive fingerprint audit and hardening pass
- [binary] Fixed font rendering edge case on cross-platform spoofing
- [binary] 4 new fingerprint patches
2026-02-22
- [binary] Start Chromium v145 build (v145.0.7632.109)
- [binary] 24 fingerprint patches ported and adapted
[0.2.2] — 2026-03-01
2026-03-01
- [wrapper] Fix: replace
page.wait_for_timeout()withtime.sleep()to avoid timing leak - [wrapper] Add auto-detect timezone and locale from proxy IP via GeoIP lookup
- [binary] CDP detection vector audit and hardening
[0.2.0] — 2026-02-27
macOS platform release. JavaScript/TypeScript wrapper. Self-hosted binary mirror.
2026-02-27
- [wrapper] Add macOS support: Apple Silicon (arm64) and Intel (x64) binary downloads
- [wrapper] Add GPG-signed release workflow via GitHub Actions
- [wrapper] Fix macOS binary download: preserve
.appsymlinks, remove quarantine xattrs - [wrapper] Add real bot detection assertions to stealth tests
- [wrapper] Bump version to 0.2.0
2026-02-26
- [wrapper] Switch binary downloads to self-hosted mirror (
cloakbrowser.dev) as GitHub backup - [wrapper] Set up GitLab mirror at
gitlab.com/CloakHQ/cloakbrowser
2026-02-25
- [wrapper] Move binary releases from separate repo to wrapper repo
- [wrapper] Add auto-update check on launch
- [infra] Initial Docker test infrastructure + matrix test runner
2026-02-24
- [wrapper] Add JavaScript/TypeScript wrapper with Playwright + Puppeteer support (
npm install cloakbrowser) - [wrapper] Fix proxy authentication credentials support in URL (closes #4)
[0.1.4] — 2026-02-23
2026-02-23
- [wrapper] Stealth hardening: additional launch args and detection evasion improvements
- [wrapper] Full test suite rewrite with real detection site assertions
- [wrapper] Add Docker support with Dockerfile and compose config
- [wrapper] Add headed mode documentation
[0.1.0] — 2026-02-22
Initial release. Chromium v142 with 16 fingerprint patches.
2026-02-22
- [binary] Chromium v142.0.7444.175 with 16 source-level fingerprint patches
- [binary] Fix browser brand string to match Chrome 142 format
- [wrapper]
launch()andlaunch_async()— drop-in Playwright replacements - [wrapper] Auto-download binary from GitHub Releases, cached in
~/.cloakbrowser/ - [wrapper] Linux x64 platform support
- [wrapper] Passes 14/14 bot detection tests
- [wrapper] reCAPTCHA v3: 0.9 (server-verified), Cloudflare Turnstile: pass