mirror of
https://github.com/bunkerity/bunkerweb
synced 2026-04-21 13:37:48 +00:00
chore: update CHANGELOG for v1.6.9 with security enhancements, bug fixes, UI improvements, and documentation updates
This commit is contained in:
parent
f5d5382ab4
commit
de0f9a30cb
1 changed files with 10 additions and 0 deletions
10
CHANGELOG.md
@ -2,9 +2,17 @@
## v1.6.9 - 2026/03/??
- [SECURITY] Implement `SafeFileSystemCache` for Web UI session storage with token regeneration on privilege changes, preventing session fixation attacks.
- [SECURITY] Sanitize uploaded filenames in the Web UI to strip path separators, null bytes, and control characters, preventing path traversal attacks.
- [SECURITY] Add tar extraction path filtering in `Let's Encrypt` certificate handling to only allow expected directories, preventing path traversal. Add 300s timeout to certificate account registration. Use explicit whitelist for API environment variables.
- [SECURITY] Validate IP addresses and service names across all ban management endpoints (API, Lua, UI, CLI) to prevent invalid data injection. Fix Redis key parsing for service names containing underscores.
- [BUGFIX] Close local database connections before forking worker processes to prevent file descriptor leaks and connection pool corruption.
- [BUGFIX] Fix race condition in instance update logic by using direct SQL `UPDATE` statements instead of ORM session operations.
- [BUGFIX] Ensure thread safety when managing the session factory by moving instance update operations outside the synchronization lock.
- [BUGFIX] Handle empty or unreadable certificates gracefully in Let's Encrypt `retrieve_certificates` and `retrieve_certificates_info` functions to prevent crashes during certificate enumeration.
- [BUGFIX] Enhance error handling for missing server name in SSL certificate functions to avoid crashes when the server name is not yet configured.
- [BUGFIX] Improve backup cleanup logic when replacing destination files to correctly remove leftover backups after a successful replacement.
- [BUGFIX] Mark the Flask session as modified when adding flash messages to ensure session data is correctly persisted across redirects.
- [BUGFIX] Fix Domeneshop DNS provider in the `Let's Encrypt` plugin to use the correct credential keys and ensure proper certificate generation.
- [BUGFIX] Handle file-not-found and OS errors gracefully when archiving plugin UI pages in the database, and skip storing content when tar archiving fails to prevent corrupt data.
- [BUGFIX] Return false instead of a potentially incorrect result when version comparison encounters invalid version strings, preventing spurious update notifications.
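Review bot: the release heading `## v1.6.9 - 2026/03/??` still carries a placeholder day; resolve it (or mark the section as unreleased in the project's usual way) before the tag is cut, otherwise the placeholder ships in the release notes. The four [SECURITY] entries describe real fixes (session fixation, two path-traversal cases, input validation on ban endpoints) but none names an advisory identifier or the affected versions; if a GHSA/CVE is assigned, link it from the entry so operators can triage. The `Let's Encrypt` entry also bundles an unrelated change ("Use explicit whitelist for API environment variables"), which would be easier to find as its own [SECURITY] line.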
@ -13,10 +21,12 @@
- [BUGFIX] Add backup and rollback mechanism when deploying new configurations to BunkerWeb instances, preventing data loss if the file copy operation fails.
- [BUGFIX] Generate and deploy initial configuration on first start before running plugin jobs, ensuring API endpoints are available when jobs execute.
- [BUGFIX] Skip Content-Security-Policy header override in the antibot plugin when nonces are not available (e.g., HEAD requests), preventing malformed CSP headers.
- [UI] Add confetti animation and visual unlock effect when activating a PRO License Key in the Web UI.
- [UI] Fix service cloning to correctly strip the source service prefix from configuration keys, preventing settings from being ignored during import.
- [UI] Rate-limit worker restarts to prevent excessive restarts when multiple plugin reload triggers fire in quick succession.
- [UI] Fix crashes when CSRF validation or request teardown occurs outside a valid user context, improving stability during edge-case scenarios.
- [API] Add lifespan handler to properly close database connections on shutdown, preventing connection leaks.
- [DOCS] Update documentation and default configurations to remove the deprecated nightly CRS version and ensure full compatibility with CRS v4.
- [DOCS] Update Domeneshop DNS provider credential key names in documentation to match the corrected `client_token`/`client_secret` keys.
- [DOCS] Add documentation for the Cache PRO plugin covering response caching configuration and settings.
- [DEPS] Update coreruleset-v4 version to v4.24.1
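Review bot: the new `[DEPS] Update coreruleset-v4 version to v4.24.1` line is the only entry without a terminating period; match the rest of the list. The `[DOCS]` entry that removes the deprecated nightly CRS version should also tell users who still have the nightly value configured what happens to that setting on upgrade (rejected, ignored, or mapped to v4), since a silent change to the active ruleset is operationally relevant.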