Releases: OWASP/cornucopia

Release v2.5.14

19 Dec 18:43
27af8db

What's Changed

  • Bump github/codeql-action from 4.31.2 to 4.31.3 by @dependabot[bot] in #1878
  • Add Aditya Srivastava to the contributors list by @techieadi4703 in #1880
  • Bump hexpm/elixir from 1.19-erlang-28.1-debian-bullseye-20251103 to 1.19-erlang-28.1-debian-bullseye-20251117 in /copi.owasp.org by @dependabot[bot] in #1887
  • Bump svelte from 5.43.6 to 5.43.10 in /cornucopia.owasp.org by @dependabot[bot] in #1886
  • Bump hexpm/elixir from 1.19-erlang-28.1-debian-bullseye-20251117 to 1.19-erlang-28.2-debian-bullseye-20251117 in /copi.owasp.org by @dependabot[bot] in #1899
  • Bump github/codeql-action from 4.31.3 to 4.31.5 by @dependabot[bot] in #1896
  • Bump actions/setup-python from 6.0.0 to 6.1.0 by @dependabot[bot] in #1895
  • Bump coverage from 7.10.7 to 7.12.0 by @dependabot[bot] in #1889
  • Bump svelte from 5.43.10 to 5.44.0 in /cornucopia.owasp.org by @dependabot[bot] in #1898
  • Bump @sveltejs/kit from 2.48.4 to 2.49.0 in /cornucopia.owasp.org by @dependabot[bot] in #1892
  • Bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in #1891
  • Bump glob from 10.4.5 to 10.5.0 in /cornucopia.owasp.org in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1883
  • Bump mvdan/shfmt from 0c4be5d to d4e2f62 by @dependabot[bot] in #1900
  • Bump svelte from 5.44.0 to 5.45.2 in /cornucopia.owasp.org by @dependabot[bot] in #1906
  • Bump phoenix from 1.8.1 to 1.8.2 in /copi.owasp.org by @dependabot[bot] in #1904
  • Bump want from 1.21.1 to 1.22.0 in /copi.owasp.org by @dependabot[bot] in #1903
  • Update OWASP backronym: Web -> Worldwide by @arkid15r in #1908
  • Bump mypy from 1.15.0 to 1.19.0 by @dependabot[bot] in #1912
  • Bump softprops/action-gh-release from 2.4.2 to 2.5.0 by @dependabot[bot] in #1911
  • Bump mvdan/shfmt from d4e2f62 to d4d1b28 by @dependabot[bot] in #1910
  • Bump svelte from 5.45.2 to 5.45.3 in /cornucopia.owasp.org by @dependabot[bot] in #1918
  • Bump credo from 1.7.13 to 1.7.14 in /copi.owasp.org by @dependabot[bot] in #1917
  • Bump github/codeql-action from 4.31.5 to 4.31.6 by @dependabot[bot] in #1916
  • Bump mvdan/shfmt from d4d1b28 to 20597e9 by @dependabot[bot] in #1913
  • Bump step-security/harden-runner from 2.13.2 to 2.13.3 by @dependabot[bot] in #1914
  • Refactor cardNotFound component to use onMount by @sydseter in #1919
  • Bump actions/setup-node from 6.0.0 to 6.1.0 by @dependabot[bot] in #1921
  • Bump @sveltejs/kit from 2.49.0 to 2.49.1 in /cornucopia.owasp.org by @dependabot[bot] in #1924
  • Bump actions/checkout from 6.0.0 to 6.0.1 by @dependabot[bot] in #1922
  • Bump svelte from 5.45.3 to 5.45.4 in /cornucopia.owasp.org by @dependabot[bot] in #1923
  • Update acknowledgements on index.md by @cw-owasp in #1926
  • Remove duplicate 'nl' from languages list by @sydseter in #1928
  • Bump svelte from 5.45.5 to 5.45.6 in /cornucopia.owasp.org by @dependabot[bot] in #1933
  • Bump black from 25.1.0 to 25.12.0 by @dependabot[bot] in #1932
  • Bump github/codeql-action from 4.31.6 to 4.31.7 by @dependabot[bot] in #1930
  • Bump pipenv from 2025.0.4 to 2025.1.1 by @dependabot[bot] in #1929
  • Bump pytest from 8.3.5 to 9.0.2 by @dependabot[bot] in #1931
  • Bump urllib3 from 2.5.0 to 2.6.0 in the pip group across 1 directory by @dependabot[bot] in #1927
  • Bump coverage from 7.10.7 to 7.13.0 by @dependabot[bot] in #1937
  • Bump mvdan/shfmt from 20597e9 to e414177 by @dependabot[bot] in #1934
  • Bump platformdirs from 4.4.0 to 4.5.1 by @dependabot[bot] in #1938
  • Bump urllib3 from 2.5.0 to 2.6.1 by @dependabot[bot] in #1936
  • Bump black from 25.1.0 to 25.12.0 by @dependabot[bot] in #1935
  • Bump pytest from 8.3.5 to 9.0.2 by @dependabot[bot] in #1939
  • Bump urllib3 from 2.5.0 to 2.6.0 in the pip group across 1 directory by @dependabot[bot] in #1947
  • Bump hexpm/elixir from 1.19-erlang-28.2-debian-bullseye-20251117 to 1.19-erlang-28.3-debian-bullseye-20251208 in /copi.owasp.org by @dependabot[bot] in #1958
  • Bump @types/node from 24.10.1 to 25.0.1 in /cornucopia.owasp.org by @dependabot[bot] in #1957
  • Bump actions/cache from 4.3.0 to 5.0.0 by @dependabot[bot] in #1955
  • Bump swoosh from 1.19.8 to 1.19.9 in /copi.owasp.org by @dependabot[bot] in #1953
  • Bump urllib3 from 2.5.0 to 2.6.1 by @dependabot[bot] in #1952
  • Bump svelte from 5.45.6 to 5.45.10 in /cornucopia.owasp.org by @dependabot[bot] in #1956
  • Bump step-security/harden-runner from 2.13.3 to 2.14.0 by @dependabot[bot] in #1950
  • Bump ecto_sql from 3.13.2 to 3.13.3 in /copi.owasp.org by @dependabot[bot] in #1942
  • Bump phoenix from 1.8.2 to 1.8.3 in /copi.owasp.org by @dependabot[bot] in #1940
  • Bump phoenix_live_reload from 1.6.1 to 1.6.2 in /copi.owasp.org by @dependabot[bot] in #1944
  • Bump @sveltejs/kit from 2.49.1 to 2.49.2 in /cornucopia.owasp.org by @dependabot[bot] in #1943
  • Bump actions/cache from 5.0.0 to 5.0.1 by @dependabot[bot] in #1962
  • Bump actions/download-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in #1961
  • Bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #1960
  • Bump bandit from 1.8.0 to 1.9.0 in /copi.owasp.org by @dependabot[bot] in #1967
  • Bump svelte from 5.45.10 to 5.46.0 in /cornucopia.owasp.org by @dependabot[bot] in #1970
  • Bump github/codeql-action from 4.31.7 to 4.31.8 by @dependabot[bot] in #1964
  • Bump mypy from 1.15.0 to 1.19.1 by @dependabot[bot] in #1965
  • Bump @types/node from 25.0.1 to 25.0.2 in /cornucopia.owasp.org by @dependabot[bot] in #1969
  • Our threat models by @sydseter in #1971
  • Bump mvdan/shfmt from e414177 to 0b66e98 by @dependabot[bot] in #1973
  • Update threat model with the «Did we do a good job»? question by @sydseter in #1972
  • Bump @types/node from 25.0.2 to 25.0.3 in /cornucopia.owasp.org by @dependabot[bot] in #1979
  • Bump github/codeql-action from 4.31.8 to 4.31.9 by @dependabot[bot] in #1978
  • Mapping CAPEC to ASVS 5.0 for the Authorization suite by @sydseter in #1980
  • Adding mapping between capec and asvs5 for the Cryptography suite by @sydseter in #1981

Full Changelog: v2.5.13...v2.5.14

Release v2.5.10

04 Nov 05:46
52ba13a

What's Changed

  • Bump svelte from 5.41.1 to 5.41.2 in /cornucopia.owasp.org by @dependabot[bot] in #1825
  • Bump mvdan/shfmt from 7737ad1 to 2f58e73 by @dependabot[bot] in #1823
  • Bump @sveltejs/kit from 2.47.2 to 2.47.3 in /cornucopia.owasp.org by @dependabot[bot] in #1824
  • Bump want from 1.18.0 to 1.21.1 in /copi.owasp.org by @dependabot[bot] in #1831
  • Bump svelte from 5.41.2 to 5.41.3 in /cornucopia.owasp.org by @dependabot[bot] in #1830
  • Bump mvdan/shfmt from 2f58e73 to 7c5ffc9 by @dependabot[bot] in #1827
  • Bump tailwind from 0.4.0 to 0.4.1 in /copi.owasp.org by @dependabot[bot] in #1829
  • Bump @sveltejs/kit from 2.47.3 to 2.48.0 in /cornucopia.owasp.org by @dependabot[bot] in #1836
  • Bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #1835
  • Bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #1833
  • Bump github/codeql-action from 4.30.9 to 4.31.0 by @dependabot[bot] in #1832
  • Bump svelte from 5.41.3 to 5.42.2 in /cornucopia.owasp.org by @dependabot[bot] in #1834
  • Bump svelte from 5.42.2 to 5.42.3 in /cornucopia.owasp.org by @dependabot[bot] in #1838
  • Bump @sveltejs/kit from 2.48.0 to 2.48.1 in /cornucopia.owasp.org by @dependabot[bot] in #1837
  • Bump @sveltejs/kit from 2.48.2 to 2.48.3 in /cornucopia.owasp.org by @dependabot[bot] in #1842
  • Bump @types/node from 24.9.1 to 24.9.2 in /cornucopia.owasp.org by @dependabot[bot] in #1840
  • Bump svelte from 5.42.3 to 5.43.2 in /cornucopia.owasp.org by @dependabot[bot] in #1845
  • Bump @sveltejs/kit from 2.48.3 to 2.48.4 in /cornucopia.owasp.org by @dependabot[bot] in #1844
  • Bump github/codeql-action from 4.31.0 to 4.31.2 by @dependabot[bot] in #1843
  • Bump vite-plugin-restart from 1.0.0 to 2.0.0 in /cornucopia.owasp.org by @dependabot[bot] in #1846
  • Bump @types/node from 24.9.2 to 24.10.0 in /cornucopia.owasp.org by @dependabot[bot] in #1847
  • Add ASVS mapping for each capec for the 3.0 version by @sydseter in #1848
  • Update iframe referrer policy for embedded videos by @sydseter in #1849

Full Changelog: v2.5.8...v2.5.10

Release v2.5.7

22 Oct 09:31
b77ecb4

What's Changed

Full Changelog: v2.5.6...v2.5.7

Release v2.5.6

22 Oct 09:32
b404372

What's Changed

  • Bump credo from 1.7.12 to 1.7.13 in /copi.owasp.org by @dependabot[bot] in #1796
  • Bump svelte from 5.39.12 to 5.40.0 in /cornucopia.owasp.org by @dependabot[bot] in #1797
  • Bump charset-normalizer from 3.4.3 to 3.4.4 by @dependabot[bot] in #1795
  • Bump svelte from 5.40.0 to 5.40.2 in /cornucopia.owasp.org by @dependabot[bot] in #1806
  • Bump mvdan/shfmt from f045b41 to c4140ca by @dependabot[bot] in #1803
  • Bump vite-plugin-static-copy from 3.1.3 to 3.1.4 in /cornucopia.owasp.org by @dependabot[bot] in #1801
  • Bump coverage from 7.10.7 to 7.11.0 by @dependabot[bot] in #1799
  • Bump @sveltejs/adapter-auto from 6.1.1 to 7.0.0 in /cornucopia.owasp.org by @dependabot[bot] in #1805
  • Bump @types/node from 24.7.2 to 24.8.1 in /cornucopia.owasp.org by @dependabot[bot] in #1804
  • Bump @sveltejs/kit from 2.46.5 to 2.47.0 in /cornucopia.owasp.org by @dependabot[bot] in #1800
  • Fix link to GitHub issues in index.md by @sydseter in #1807

Full Changelog: v2.5.5...v2.5.6

Release v2.5.5

22 Oct 09:33
a21597e

  • Fix so that the Trump acts as trump when playing Copi.
  • Improve the landing page.

What's Changed

  • Bump pnpm/action-setup from 4.1.0 to 4.2.0 by @dependabot[bot] in #1768
  • Bump svelte from 5.39.10 to 5.39.11 in /cornucopia.owasp.org by @dependabot[bot] in #1771
  • Bump @sveltejs/kit from 2.46.2 to 2.46.4 in /cornucopia.owasp.org by @dependabot[bot] in #1772
  • Bump svelte-check from 4.3.2 to 4.3.3 in /cornucopia.owasp.org by @dependabot[bot] in #1773
  • defined the title header field by @techieadi4703 in #1777
  • Bump @types/node from 24.7.0 to 24.7.1 in /cornucopia.owasp.org by @dependabot[bot] in #1776
  • Bump hexpm/elixir from 1.18.4-erlang-28.1-debian-bullseye-20250929 to 1.19-erlang-28.1-debian-bullseye-20250929 in /copi.owasp.org by @dependabot[bot] in #1775
  • Bump virtualenv from 20.33.1 to 20.35.1 by @dependabot[bot] in #1774
  • Added suggested SBOM generation. by @rewtd in #1778
  • Bump @types/node from 24.7.1 to 24.7.2 in /cornucopia.owasp.org by @dependabot[bot] in #1786
  • Bump actions/dependency-review-action from 4.8.0 to 4.8.1 by @dependabot[bot] in #1784
  • Bump mvdan/shfmt from eaf1857 to f045b41 by @dependabot[bot] in #1781
  • Bump softprops/action-gh-release from 2.4.0 to 2.4.1 by @dependabot[bot] in #1780
  • Bump github/codeql-action from 4.30.7 to 4.30.8 by @dependabot[bot] in #1782
  • Bump idna from 3.10 to 3.11 by @dependabot[bot] in #1783
  • Bump @sveltejs/kit from 2.46.4 to 2.46.5 in /cornucopia.owasp.org by @dependabot[bot] in #1791
  • Bump charset-normalizer from 3.4.3 to 3.4.4 by @dependabot[bot] in #1789
  • Bump actions/setup-node from 5.0.0 to 6.0.0 by @dependabot[bot] in #1787
  • Bump svelte from 5.39.11 to 5.39.12 in /cornucopia.owasp.org by @dependabot[bot] in #1790
  • #1350: Make sure the trump suits trumps by @sydseter in #1793
  • Improve the layout to make it easier to find the start a game button by @sydseter in #1794

Full Changelog: v2.5.4...v2.5.5

Release v2.5.4

22 Oct 09:50
903514e

What's Changed

  • Bump softprops/action-gh-release from 2.3.4 to 2.4.0 by @dependabot[bot] in #1756
  • Bump @types/node from 24.6.2 to 24.7.0 in /cornucopia.owasp.org by @dependabot[bot] in #1759
  • Bump @sveltejs/kit from 2.44.0 to 2.45.0 in /cornucopia.owasp.org by @dependabot[bot] in #1758
  • Bump mvdan/shfmt from 7fa013c to a9fbb23 by @dependabot[bot] in #1755
  • Bump mvdan/shfmt from a9fbb23 to eaf1857 by @dependabot[bot] in #1760
  • Bump @sveltejs/kit from 2.45.0 to 2.46.2 in /cornucopia.owasp.org by @dependabot[bot] in #1765
  • Bump github/codeql-action from 3.30.6 to 4.30.7 by @dependabot[bot] in #1761
  • Bump svelte from 5.39.9 to 5.39.10 in /cornucopia.owasp.org by @dependabot[bot] in #1764
  • #1431 Add button to be able to more easily copy the url by @sydseter in #1754
  • Update for the copy button to prevent 404 by @sydseter in #1766

Full Changelog: v2.5.3...v2.5.4

Release v2.5.3

22 Oct 09:50
de3ac03

Copi Mobile release

What's Changed

Full Changelog: v2.5.2...v2.5.3

Release v2.5.2

22 Oct 09:51
68ed4bf

What's Changed

Full Changelog: v2.5.1...v2.5.2

Release v2.5.1

22 Oct 09:51
8a280b5

What's Changed

Full Changelog: v2.5.0...v2.5.1

Release v2.5.0

02 Oct 18:10
a09392f

How do you get your dev team to shift left for real?
Shift-left doesn't start with scanning code for security vulnerabilities; it begins with designing it.
Play yourself secure with the latest release of OWASP Cornucopia Website Edition v2.2!
threat modeling for security people

In our next version of OWASP Cornucopia Website App Edition, version 2.2, we have a special treat for you.
We have gathered all our threat modeling expertise, created threat modeling scenarios for each card, and analyzed which STRIDE categories each scenario belongs to. Much of this material has been contributed to the project by @jefmeijvis and dotNET Lab.
If you have bought an OWASP Cornucopia deck with QR codes, you can now give your team advice on threat scenarios, threat vectors, attack patterns, mitigation strategies, and STRIDE when playing the game by letting them scan the QR codes on each card. Each scenario follows "Shostack's Four Question Frame for Threat Modeling", making it easy for your security champions to come up with the threats and mitigations themselves.
In addition, we have added further CAPECs that correspond to each card, and added references to the OWASP Developer Guide's Web Application Checklist that will link your threat modeling to OWASP secure coding practices and the OWASP Top 10 Proactive Controls. This is thanks to @jgadsden from the OWASP Developer Guide project.