releases

Release history

Each release lists the version, date, dependencies, hash, and audit notes. Security patches land here when CVEs emerge in dependencies — bookmark this page if you're deployed. verify the hash before you run anything.

policy

What's in scope for a new release

As of 0.2.0-alpha.1, the bot is feature-complete relative to its original four-chain, four-platform design. The plan from day one was: four chains (XRPL, Base, Arbitrum, Solana) and four chat platforms (Discord, Telegram, Twitch, X). 0.1.0-alpha.7 shipped two platforms; 0.2.0-alpha.1 added the other two. The chain list, the platform list, the adapter pattern, and the architecture are all stable.

Security patches — triggered by CVEs in dependencies — get cut, re-audited, and published here. We don't intend to add new chains or platforms to the canonical release. This gives you a stable target: when a patch lands, you can update with confidence that nothing else changed.

Forks for new chains or platforms are explicitly welcome under BSL 1.1. The adapter pattern is chain-agnostic and platform-agnostic by design — adding a fifth chain is a matter of writing one new file, not rewriting the bot.

Check this page periodically if you've deployed. No email list, no push, no RSS — we deliberately keep it quiet. If you've been running for more than 30 days without checking, now is a good time.

v0.2.0-alpha.1 April 20, 2026 current · stable
~ completing the four-platform surface ~

Summary

Adds the final two chat platforms from the originally-scoped design: Twitch and X (Twitter). The bot now serves any combination of Discord, Telegram, Twitch, and X from a single deployment — same chain watchers, four potential platform adapters, one process.

As of this release the canonical bot is feature-complete relative to its original four-chain, four-platform design. Security patches only going forward; forks for new chains or platforms welcome under BSL 1.1.

Download

justthetips-0.2.0-alpha.1.tar.gz · ~94 KB
Download
SHA-256 f225b855707bdae5177ede295754d8b8ee775dd7575e08ebd9decad5c2f28de6

How to verify

After downloading, run one of these from the same directory as the tarball:

sha256sum justthetips-0.2.0-alpha.1.tar.gz    # Linux
shasum -a 256 justthetips-0.2.0-alpha.1.tar.gz  # macOS

The output should match the hash above, character for character. If it doesn't match, don't run the code — re-download from this page.

The hash file is also published separately at /downloads/justthetips-0.2.0-alpha.1.tar.gz.sha256.

What's new since 0.1.0-alpha.7

  • Twitch adapter — EventSub WebSocket + Helix API, zero new npm dependencies (uses Node 22 native WebSocket and fetch). Fails loud on auth errors like the Discord/Telegram adapters.
  • X (Twitter) adapter — polling-based mention monitor + reply/tweet posting, pinned at twitter-api-v2@1.29.0. Graceful-degrading on startup: logs and continues if X access tier lacks mention-read, so a partial X setup doesn't take down the rest of the bot.
  • Configurator UI extended — Twitch gets four form fields (Client ID, OAuth, bot user ID, channel user ID); X gets a checkbox-only UI (no credentials in the browser) that emits a commented-out config.env section the creator fills in locally.
  • Two new setup guides/twitch-setup walks through registering a Twitch app, generating a User Access Token with the right scopes, and finding numeric user IDs. /x-setup covers X Developer account application, Read+Write app permissions, and the five credentials.
  • /check page extended — Twitch and X rows added with component-specific error messages.
  • 147 tests (up from 132), typecheck clean, lint clean, 0 vulnerabilities.

Upgrade from 0.1.0-alpha.7

  1. Download the new tarball, verify the SHA.
  2. Unpack over your existing deployment — or re-run the configurator to rebuild your bundle with Twitch/X enabled.
  3. Your existing config.env stays valid; the new Twitch/X env vars are additive. Leave them blank to keep the bot running exactly as before.
  4. npm install to pick up twitter-api-v2 (only needed if you're enabling X).
  5. Restart. Open /check — the new Twitch and X rows show "disabled" unless you configured them.

Breaking changes

None. 0.2.0-alpha.1 is additive over 0.1.0-alpha.7; existing configs keep working.

Dependencies

Added: twitter-api-v2@1.29.0 (pinned, no ^). All other dependencies unchanged from 0.1.0-alpha.7. npm audit: 0 vulnerabilities.

v0.1.0-alpha.7 April 17, 2026 previous
~ the MVP ~

Summary

First stable public release. Four-chain support (XRPL, Base, Arbitrum, Solana), two chat platforms (Discord, Telegram), in-browser configurator, four deploy guides, full docs set.

Despite the "alpha" label, this was a production-quality release of the originally-scoped MVP. The "alpha" label was conservative — alpha meant "first public version" not "unstable." 0.2.0-alpha.1 (above) added the final two platforms from the original design.

Download

justthetips-0.1.0-alpha.7.tar.gz · ~58 KB
Download
SHA-256 0178c6595b91f03eb13cbfd1fe208700a58cb534b9cee3aa7061240eafa0e9ec

How to verify

After downloading, run one of these from the same directory as the tarball:

sha256sum justthetips-0.1.0-alpha.7.tar.gz    # Linux
shasum -a 256 justthetips-0.1.0-alpha.7.tar.gz  # macOS

The output should match the hash above, character for character. If it doesn't match, don't run the code — re-download from this page.

The hash file is also published separately at /downloads/justthetips-0.1.0-alpha.7.tar.gz.sha256.

What's included

  • Four-chain watcher support: XRPL, Base, Arbitrum, Solana
  • Two chat platform adapters: Discord, Telegram
  • Three HTTP routes: /healthz, /tip, /check
  • Customizable thank-you messages with {name} substitution
  • ENS reverse-resolution support (optional, EVM chains)
  • 60-second RecentMessageBuffer for EVM memo-pairing
  • Status registry surfacing state of every component at /check
  • Plain-English error messages on misconfiguration
  • 132 tests, typecheck clean, lint clean

Dependencies

All direct dependencies pinned to specific versions audited clean against published CVEs as of April 17, 2026. The full list:

PackageVersionPurpose
fastify5.8.5HTTP server
discord.js14.26.3Discord platform adapter
telegraf4.16.3Telegram platform adapter
xrpl4.6.0XRPL chain watcher
viem^2.48.1Base + Arbitrum chain watcher
@solana/web3.js^1.98.4Solana chain watcher
pino10.3.1Structured logging
pino-pretty13.1.3Dev-mode log prettifier
dotenv17.4.2Environment loader

Audit notes

  • npm audit at release: 0 vulnerabilities
  • Dependencies audited against GitHub Security Advisories
  • No postinstall or install scripts in any dependency (inspected manually)
  • Compatible with Node.js 22.6.0 and newer
  • No network calls except: chain RPC endpoints (configurable), Discord Gateway, Telegram Bot API, ENS mainnet RPC (optional, only if ENS_MAINNET_RPC_URL set)

Known considerations

  • XRPL accounts accepting USDC or RLUSD require trust-line setup — see wallet guide
  • Public RPCs (Solana mainnet-beta, Base/Arbitrum default endpoints) are rate-limited — configure dedicated RPCs for heavy use
  • EVM memo-pairing uses a 60-second in-memory buffer; the bot will miss cases where users type a message more than 60 seconds before they tip
  • Deliberately no database — all state is in-memory or on-chain

Upgrade notes

First public release. No upgrade path applicable.

~ more releases will appear here ~

when security patches ship. subscribe to this page (there's no feed — you just check).

How release numbers work

Just The Tips uses semantic versioning:

The version number in package.json always matches the file you downloaded. The SHA-256 in the filename matches the hash on this page. Nothing is mutable — if the version is 0.2.0-alpha.1, the file you have is exactly what was released.

Related