diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 00000000..06154037
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,11 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "commitMessagePrefix": "[dependencies]",
+ "extends": [
+ "config:base",
+ ":disableRateLimiting"
+ ],
+ "baseBranches": ["dev-next"],
+ "enabledManagers": ["github-actions"],
+ "groupName": "github-actions"
+}
\ No newline at end of file
diff --git a/release/config/postinstall.sh b/release/config/postinstall.sh
index a1fa18b1..0fb0f05f 100755
--- a/release/config/postinstall.sh
+++ b/release/config/postinstall.sh
@@ -1,3 +1,3 @@
 #!/bin/sh
-mkdir "/var/lib/sing-box"
\ No newline at end of file
+mkdir -p /var/lib/sing-box
\ No newline at end of file
diff --git a/release/config/postremove.sh b/release/config/postremove.sh
index fd2cdd87..00fff784 100755
--- a/release/config/postremove.sh
+++ b/release/config/postremove.sh
@@ -1,3 +1,3 @@
 #!/bin/sh
-rm -rf "/var/lib/sing-box"
\ No newline at end of file
+rm -rf /var/lib/sing-box
\ No newline at end of file
diff --git a/release/config/sing-box.service b/release/config/sing-box.service
index 707efe5d..16ca0a32 100644
--- a/release/config/sing-box.service
+++ b/release/config/sing-box.service
@@ -5,8 +5,8 @@ After=network.target nss-lookup.target
 [Service]
 WorkingDirectory=/var/lib/sing-box
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 ExecStart=/usr/bin/sing-box run -c /etc/sing-box/config.json
 Restart=on-failure
 RestartSec=10s
diff --git a/release/config/sing-box@.service b/release/config/sing-box@.service
index d6292a04..44925767 100644
--- a/release/config/sing-box@.service
+++ b/release/config/sing-box@.service
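Review bot: The new .github/renovate.json enables only the `github-actions` manager but does not ask Renovate to pin actions to commit digests, so any workflow that references an action by tag keeps following a mutable ref (the workflow files are not part of this diff, so this is worth checking rather than certain). Adding `"helpers:pinGitHubActionDigests"` to the `extends` array would make every update PR carry an exact commit SHA that can be reviewed. `:disableRateLimiting` also lifts the hourly and concurrent PR limits; with all updates collected under one `groupName` that is probably harmless, but it should be a deliberate choice.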
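Review bot: `CAP_SYS_PTRACE` and `CAP_DAC_READ_SEARCH` are added to both `CapabilityBoundingSet=` and `AmbientCapabilities=` in release/config/sing-box.service with nothing recording which feature needs them; the same two lines are added in release/config/sing-box@.service and release/local/sing-box.service. Together they let a network-facing daemon bypass file read permission checks and inspect other processes, so a compromise of the proxy reaches much further than with the two network capabilities alone. I would put a comment above the two lines, e.g. `# CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH: needed for <feature> (placeholder); remove via a drop-in if unused`, so operators can make an informed least-privilege choice. The rest of the `[Service]` section lies outside the hunk, so whether `User=` or `NoNewPrivileges=` is set cannot be confirmed from here.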
@@ -5,8 +5,8 @@ After=network.target nss-lookup.target
 [Service]
 WorkingDirectory=/var/lib/sing-box-%i
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 ExecStart=/usr/bin/sing-box run -c /etc/sing-box/%i.json
 Restart=on-failure
 RestartSec=10s
diff --git a/release/local/install.sh b/release/local/install.sh
index 24e9d006..4d5b9e1b 100755
--- a/release/local/install.sh
+++ b/release/local/install.sh
@@ -14,6 +14,7 @@ go install -v -trimpath -ldflags "-s -w -buildid=" -tags with_quic,with_wireguar
 popd
 sudo cp $(go env GOPATH)/bin/sing-box /usr/local/bin/
+sudo mkdir -p /var/lib/sing-box
 sudo mkdir -p /usr/local/etc/sing-box
 sudo cp $PROJECT/release/config/config.json /usr/local/etc/sing-box/config.json
 sudo cp $DIR/sing-box.service /etc/systemd/system
diff --git a/release/local/install_go.sh b/release/local/install_go.sh
index dea6b47e..b01b9817 100755
--- a/release/local/install_go.sh
+++ b/release/local/install_go.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -e -o pipefail
-curl -Lo go.tar.gz https://go.dev/dl/go1.19.3.linux-amd64.tar.gz
+curl -Lo go.tar.gz https://go.dev/dl/go1.20.linux-amd64.tar.gz
 sudo rm -rf /usr/local/go
 sudo tar -C /usr/local -xzf go.tar.gz
 rm go.tar.gz
\ No newline at end of file
diff --git a/release/local/sing-box.service b/release/local/sing-box.service
index 94fce13d..2ea74bf1 100644
--- a/release/local/sing-box.service
+++ b/release/local/sing-box.service
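Review bot: The tarball fetched by the changed `curl` line in release/local/install_go.sh is unpacked into /usr/local with `sudo tar` without any integrity check, so the script trusts whatever the download returned. Since the Go version is pinned, the published SHA-256 can be pinned next to it, e.g. `echo "<EXPECTED_SHA256>  go.tar.gz" | sha256sum -c -` placed before the `sudo rm -rf /usr/local/go` line (placeholder; take the value from the go.dev downloads page). Using `curl -fLo go.tar.gz ...` would also make an HTTP error stop the script at the download step instead of at `tar`.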
@@ -5,8 +5,8 @@ After=network.target nss-lookup.target
 [Service]
 WorkingDirectory=/var/lib/sing-box
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 ExecStart=/usr/local/bin/sing-box run -c /usr/local/etc/sing-box/config.json
 Restart=on-failure
 RestartSec=10s
diff --git a/release/local/uninstall.sh b/release/local/uninstall.sh
index 11fa930a..d40107ba 100755
--- a/release/local/uninstall.sh
+++ b/release/local/uninstall.sh
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 sudo systemctl stop sing-box
+sudo rm -rf /var/lib/sing-box
 sudo rm -rf /usr/local/bin/sing-box
 sudo rm -rf /usr/local/etc/sing-box
 sudo rm -rf /etc/systemd/system/sing-box.service
diff --git a/transport/hysteria/protocol.go b/transport/hysteria/protocol.go
index aa2eab30..beed65a3 100644
--- a/transport/hysteria/protocol.go
+++ b/transport/hysteria/protocol.go
@@ -293,6 +293,10 @@ func ParseUDPMessage(packet []byte) (message UDPMessage, err error) {
 if err != nil {
 return
 }
+ if 6+int(hostLen) > len(packet) {
+ err = E.New("invalid host length")
+ return
+ }
 message.Host = string(packet[6 : 6+hostLen])
 err = binary.Read(reader, binary.BigEndian, &message.Port)
 if err != nil {
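Review bot: The new guard in ParseUDPMessage computes the bound as `6+int(hostLen)`, but the slice on the next line still uses `6+hostLen` in hostLen's own type. That type is declared outside the hunk; if it is a 16-bit unsigned, the two expressions disagree for values near the maximum, and the slice stays safe only because packets that large are not expected. Computing the end once keeps check and use in step: `end := 6 + int(hostLen)`, then `if end > len(packet) {` and `message.Host = string(packet[6:end])`. A short comment saying what the constant 6 covers (presumably the fixed fields read before the host) would help the next reader. The function begins and continues outside the hunk, so the bounds handling of the later length-prefixed fields cannot be checked here.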