Update changelog

changelog

@@ -1,22 +1,31 @@
-# [1.18.0] - 2025-08-27
+### 🛡️ **\[1.18.1] – Security Patch & Hysteria Settings Tab**
 
-#### ⚡ Performance
+*Released: 2025-08-30*
 
-* ⚡ **Optimized bulk user URI fetching**:
+#### 🔒 Security
 
-  * New API endpoint `/api/v1/users/uri/bulk` to fetch multiple user links in a single call
+* 🛡️ **Open Redirect Fix**:
-  * Eliminates N separate script executions → **huge speedup** 🚀
+  Removed `next_url` parameter from login flow to prevent **open redirect vulnerability**.
-* ⚡ Refactored `wrapper_uri.py` for faster bulk processing & maintainability
+  
+  Special thanks to [**@HEXER365**](https://github.com/HEXER365) for responsible disclosure 🙏
 
 #### ✨ Features
 
-* 📤 **Bulk user link export** directly from the **Users Page**
+* ⚙️ **New Hysteria Settings tab** in Web Panel (with **geo update support**)
-* 🎨 Distinct **color coding** for user statuses in Web Panel
+* 🎨 Redesigned **Login Page** for better UI/UX
-* ⏸️ **On-Hold User Activation** logic introduced in `traffic.py` (with `creation_date=None` default)
 
-#### 🐛 Fixes & Refactors
+#### 🛠️ Fixes
 
-* 🤖 **Bot**: Properly handle escaped underscores in usernames
+* 📦 Backup `extra.json` during upgrades
-* 🛠️ **Webpanel**: Improved handling of malformed user data & more accurate status for on-hold users
+* 📱 Improved responsive design across web panel
-* 🐛 Show Go installation correctly
+* 🧩 Relaxed conflict check in user viewmodel
-* 🔄 Refactored on-hold user logic into `traffic.py` for central management
+* 🧹 Removed `/dev/null` redirects for cleaner logging
+
+#### 📦 Chore & Dependencies
+
+* ⬆️ Updated dependencies:
+
+  * `typing-extensions` → 4.15.0
+  * `starlette` → 0.47.3
+  * `requests` → 2.32.5
+* 🧹 Removed **deprecated `user.sh`** script (legacy auth)