Releases: alephdata/aleph
3.15.6
During a routine security audit of Aleph we’ve become aware of
Please find detailed information about the patched vulnerabilities below:
Downloaded source files are opened automatically
Summary
As part of the investigations feature, users can upload files to Aleph. The detail view in Aleph offers a sanitized preview of a file, but Aleph also allows users to download (unsanitized) source files. When downloading a source file, Aleph displays a confirmation prompt warning that source files may contain malware or notify the originator of the file.
After downloading a source file, files are opened automatically in the same browser window if the file’s MIME type is supported by the browser. This contradicts the warning that is displayed before downloading the file and potentially enables phishing attacks. For instance, an HTML file resembling the Aleph login interface could be uploaded for this purpose.
Affected versions
Aleph versions up to and including 3.15.5.
The vulnerability is exploitable if you have configured your Aleph instance to use Google Cloud Storage or AWS S3 (or a service compatible with S3) as a storage backend for files uploaded to Aleph via the “ARCHIVE_TYPE” configuration option. The default storage backend that stores files on the local file system is not affected.
Solution
Aleph versions 3.15.6 and newer contain a patch for this vulnerability. Patched versions set the “Content-Disposition” header to instruct browsers to download files as an attachment instead of opening them after the download has completed.
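The header-based fix described above, sketched as an added example (not Aleph's own code): a helper that builds an attachment `Content-Disposition` value from an uploaded file name, and a check that flags download responses a browser may still render inline. The function names and the sample headers are assumptions made for this illustration.

```python
import re
import unicodedata
from urllib.parse import quote


def attachment_disposition(file_name):
    """Build a Content-Disposition value that asks the browser to save the file."""
    # Uploaded file names are user-controlled: drop control characters
    # (CR/LF would split the header) and path separators.
    cleaned = "".join(
        ch for ch in (file_name or "")
        if unicodedata.category(ch)[0] != "C" and ch not in "/\\"
    ).strip()
    if not cleaned:
        cleaned = "download"
    # ASCII fallback for the quoted filename parameter.
    ascii_name = cleaned.encode("ascii", "ignore").decode("ascii")
    ascii_name = re.sub(r'["\\;%]', "_", ascii_name).strip() or "download"
    value = 'attachment; filename="%s"' % ascii_name
    if ascii_name != cleaned:
        # Extended parameter carrying the full UTF-8 name.
        value += "; filename*=UTF-8''" + quote(cleaned, safe="")
    return value


def would_render_inline(headers):
    """Return True if a response lacks an explicit 'attachment' disposition.

    Conservative audit check: anything other than an explicit attachment
    disposition is reported, because the browser may open the file itself
    when it supports the MIME type.
    """
    lowered = {key.lower(): value for key, value in headers.items()}
    disposition = lowered.get("content-disposition", "")
    kind = disposition.split(";", 1)[0].strip().lower()
    return kind != "attachment"


# Constructed sample responses for a stored HTML file.
RESPONSE_BEFORE = {"Content-Type": "text/html"}
RESPONSE_AFTER = {
    "Content-Type": "text/html",
    "Content-Disposition": attachment_disposition("login.html"),
}

if __name__ == "__main__":
    print(would_render_inline(RESPONSE_BEFORE), would_render_inline(RESPONSE_AFTER))
```

With an S3 or Google Cloud Storage backend the browser fetches the file from the storage service, so the check has to be run against the response served from the storage URL rather than against the Aleph API response.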
HTML injection in notification emails
Summary
Aleph sends a daily notification digest via email to users. Notification digests are enabled by default and can be disabled by users.
When a user creates an investigation and then shares it with another user who has daily notification digests enabled, the name of the user who created the investigation and the name of the investigation aren’t properly sanitized or encoded.
This means that links and other HTML markup included in the user’s name or in the investigation name will be rendered as is in the notification email, which can enable (targeted) phishing campaigns.
Affected versions
Aleph versions up to and including 3.15.5.
The vulnerability is exploitable if you have set up email sending for your Aleph instance via the “ALEPH_MAIL_*” configuration options.
Solution
Aleph versions 3.15.6 and newer contain a patch for this vulnerability. Patched versions properly encode user-controlled data in notification emails.
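An added example of the encoding step (not Aleph's email template or code): the same digest line rendered with and without HTML-encoding of the two user-controlled fields, plus a small regression check that lists the tags a mail client would actually parse. The template text, names and URLs are constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed digest line; {actor} and {name} are user-controlled.
TEMPLATE = '<li>{actor} shared the investigation <a href="{url}">{name}</a> with you</li>'


def render_unencoded(actor, name, url):
    """Pre-patch behaviour as described above: values are inserted as is."""
    return TEMPLATE.format(actor=actor, name=name, url=url)


def render_encoded(actor, name, url):
    """Patched behaviour: every interpolated value is HTML-encoded first."""
    return TEMPLATE.format(
        actor=escape(actor, quote=True),
        name=escape(name, quote=True),
        url=escape(url, quote=True),
    )


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def parsed_tags(html_fragment):
    """Return the start tags an HTML parser sees in the fragment, in order."""
    collector = _TagCollector()
    collector.feed(html_fragment)
    collector.close()
    return collector.tags


# Constructed inputs containing markup in both user-controlled fields.
ACTOR = "Jane <b>Admin</b>"
NAME = 'Q3 leak <a href="https://example.invalid/">open</a>'
URL = "https://aleph.example.invalid/investigations/1"

if __name__ == "__main__":
    print(parsed_tags(render_unencoded(ACTOR, NAME, URL)))
    print(parsed_tags(render_encoded(ACTOR, NAME, URL)))
```

A test of this shape, asserting that only the template's own tags survive, catches a template that later stops encoding one of the fields.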
Unauthorized access to mapping metadata
Summary
Aleph allows users to create entity mappings for uploaded spreadsheets. Using this feature, rows in a spreadsheet can be converted to FollowTheMoney entities in an investigation.
The access controls in the API endpoints for the mappings feature contain a bug that allows users without read or write access to the collection to view, update, trigger, and delete mappings as well as to delete or modify entities generated using a mapping.
The bug allows unauthorized access to the following mapping metadata:
- Mapping definition (this includes column names in the source spreadsheet)
- ID of the investigation a mapping belongs to
- User ID of the user who created the mapping
- Creation and update timestamps
- Mapping status (“pending”/“successful”/“error” and the error message in case the status is “error”)
- Entity ID of the source table
The bug does not allow users to view the entities generated from the mappings or the contents of the source spreadsheet.
Affected versions
Aleph versions up to and including 3.15.5.
Solution
Aleph versions 3.15.6 and newer contain a patch for this vulnerability. Patched versions properly verify user permissions when sending requests to the API endpoints for the mappings feature.
Unauthorized overrides of investigation and dataset metadata
Summary
Aleph allows users to manage metadata for investigations and datasets, including a label and a description as well as URLs to the publisher and source of the data. The metadata is displayed in the Aleph UI when viewing investigations and datasets.
Aleph allows users to specify a “foreign_id” when creating new investigations or datasets. The “foreign_id” can be used to reference the investigation or dataset when using the Aleph API or the alephclient CLI.
Due to a bug, when creating a new investigation or dataset with a “foreign_id” that is already used by another investigation or dataset, Aleph updates the metadata of the existing investigation/dataset instead of failing.
This bug allows users without the necessary permissions to update investigation and dataset metadata.
However, the bug does not allow unauthorized users to view investigation and dataset metadata or data added or uploaded to the investigation or dataset.
Affected versions
Aleph versions up to and including 3.15.5.
Solution
Aleph versions 3.15.6 and newer contain a patch for this vulnerability. Patched versions properly verify user permissions when creating or updating investigations or datasets.
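The create-or-update behaviour described above, as an added example using a small in-memory model (not Aleph's data model or API): the vulnerable path silently updates an existing record when the "foreign_id" is already taken, while the corrected paths fail on a duplicate and require write access for updates. All class, method and user names are assumptions made for this illustration.

```python
class Conflict(Exception):
    """The foreign_id is already used by another collection."""


class Forbidden(Exception):
    """The caller has no write access to the collection."""


class CollectionStore:
    def __init__(self):
        self.by_foreign_id = {}  # foreign_id -> metadata dict
        self.writers = {}        # foreign_id -> set of user ids with write access

    def _insert(self, user_id, foreign_id, label):
        record = {"foreign_id": foreign_id, "label": label}
        self.by_foreign_id[foreign_id] = record
        self.writers[foreign_id] = {user_id}
        return record

    def create_vulnerable(self, user_id, foreign_id, label):
        existing = self.by_foreign_id.get(foreign_id)
        if existing is not None:
            # Bug: "create" turns into an update of someone else's record,
            # and nothing checks whether user_id may write to it.
            existing["label"] = label
            return existing
        return self._insert(user_id, foreign_id, label)

    def create_checked(self, user_id, foreign_id, label):
        # Creating with a foreign_id that is already in use fails.
        if foreign_id in self.by_foreign_id:
            raise Conflict(foreign_id)
        return self._insert(user_id, foreign_id, label)

    def update_checked(self, user_id, foreign_id, label):
        # Updates are a separate operation that requires write access.
        existing = self.by_foreign_id.get(foreign_id)
        if existing is None or user_id not in self.writers[foreign_id]:
            raise Forbidden(foreign_id)
        existing["label"] = label
        return existing


def label_after_duplicate_create(use_checked):
    """Owner creates a collection, a second user re-uses its foreign_id."""
    store = CollectionStore()
    store.create_checked("owner", "leak-2023", "Original label")
    try:
        if use_checked:
            store.create_checked("other-user", "leak-2023", "Replaced label")
        else:
            store.create_vulnerable("other-user", "leak-2023", "Replaced label")
    except Conflict:
        pass
    return store.by_foreign_id["leak-2023"]["label"]


if __name__ == "__main__":
    print(label_after_duplicate_create(False), "|", label_after_duplicate_create(True))
```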
Unauthorized access to uploaded files
Summary
Aleph allows uploading files to investigations and datasets. When a file is uploaded, Aleph computes a checksum of the file contents and stores the checksum in the database. The uploaded file can later be retrieved using the checksum as a reference. File checksums are represented as strings of hexadecimal characters, for example “ae9ce53fa78166704f5990601ec412d73fb1698a”.
Due to a bug in ingest-file, users are able to upload specially crafted files in order to create file records in the database with arbitrary checksums. This allows users to download files they do not have access to if they know the checksum of the file contents.
Affected versions
ingest-file versions up to and including 3.20.2. ingest-file is the component responsible for handling files you upload to Aleph.
Solution
ingest-file versions 3.20.3 and newer contain a patch for this vulnerability. The patch removes the ability to upload JSONL files that contain entities in the FollowTheMoney format to Aleph. If you have previously used this feature to create FollowTheMoney entities in Aleph in bulk, we recommend that you use the bulk endpoint of the Aleph API instead.
3.15.5
What's Changed
- Bump followthemoney to 3.5.8
- Bump ingest-file to 3.20.0 (also using followthemoney 3.5.8)
Full Changelog: 3.15.4...3.15.5
3.15.4
What's Changed
- Helm chart: use autoscaling/v2 API instead of autoscaling/v2beta1 by @richardjennings-occrp in #3327 (fixes #2998)
- Github Actions: use auth action before setup-gcloud in #3415
Full Changelog: 3.15.3...3.15.4
3.15.3
What's Changed
- Improved Dockerfile to reduce image size by @tdurieux in #2801
- Updated SECURITY.md by @tillprochaska in #3218
- New user guide by @tillprochaska in #3223
- Make it possible to manually trigger a docs deployment by @tillprochaska in #3226
- Add redirects for old user guide links by @tillprochaska in #3229
- Updated dev environment by @monneyboi in #3205
  ⚠️ NOTE ⚠️: this will upgrade the postgres container in the development environment from version 10 to 15, and since the data files are binary incompatible you need to either manually update them (for instance using this) or clean out your local postgres volumes (docker volume rm aleph_postgres-data aleph_postgres-data-e2e followed by make upgrade)
- Remove query_string_query function, remove fields from highlight query by @monneyboi in #3280
- Add make format-check as pull request "check" by @monneyboi in #3282
Dependency upgrades
- Bump semver from 6.3.0 to 6.3.1 in /docs by @dependabot in #3212
- Bump followthemoney from 3.4.4 to 3.5.2 by @dependabot in #3305
- Bump sentry-sdk[flask] from 1.21.0 to 1.30.0 by @dependabot in #3306
- Bump pytest-playwright from 0.3.3 to 0.4.2 by @dependabot in #3308
- Bump flask-talisman from 1.0.0 to 1.1.0 by @dependabot in #3303
- Bump fingerprints from 1.0.3 to 1.1.1 by @dependabot in #3298
- Bump ruff from 0.0.270 to 0.0.287 by @dependabot in #3319
- Bump playwright from 1.32.1 to 1.37.0 by @dependabot in #3304
- Bump jsonschema from 4.17.3 to 4.19.0 by @dependabot in #3310
- Bump flask from 2.3.2 to 2.3.3 by @dependabot in #3297
- Bump babel from 2.11.0 to 2.12.1 by @dependabot in #2900
- Bump pyyaml from 6.0 to 6.0.1 by @dependabot in #3270
- Bump pantomime from 0.5.3 to 0.6.1 by @dependabot in #3261
- Bump black from 23.3.0 to 23.7.0 by @dependabot in #3259
- Bump flask-cors from 3.0.10 to 4.0.0 by @dependabot in #3202
- Bump sqlalchemy from 2.0.17 to 2.0.20 by @dependabot in #3296
- Bump followthemoney-store[postgresql] from 3.0.5 to 3.0.6 by @dependabot in #3307
- Bump servicelayer[amazon,google] from 1.21.0 to 1.21.2 by @dependabot in #3300
- Bump gunicorn[eventlet] from 20.1.0 to 21.2.0 by @dependabot in #3268
- Bump authlib from 0.15.5 to 1.2.1 by @dependabot in #3201
- Bump alembic from 1.8.1 to 1.12.0 by @dependabot in #3311
- Bump flask-migrate from 3.1.0 to 4.0.4 by @dependabot in #2868
- Update cryptography requirement from <38.0.0,>=36.0.0 to >=36.0.0,<42.0.0 by @dependabot in #3110
- Update pyjwt requirement from <2.6.0,>=2.0.1 to >=2.0.1,<2.9.0 by @dependabot in #3269
New Contributors
Full Changelog: 3.15.1...3.15.3
3.15.1
What's Changed
- Document how to enable IAM role-based auth between EC2 and S3 by @zekehuntergreen in #3206
- Add simple script to generate test emails by @tillprochaska in #3207
- Derive "safeHtml" from all "bodyHtml" values by @tillprochaska in #3168
- Fix user guide link by @tillprochaska in #3228
- Recommend ingest-file 3.19.2
Dependency upgrades
- Bump @types/node from 18.16.16 to 18.16.19 in /ui by @dependabot in #3198
- Bump @alephdata/followthemoney from 3.4.0 to 3.4.3 in /ui by @dependabot in #3193
- Bump sass from 1.62.1 to 1.63.6 in /ui by @dependabot in #3192
- Bump react-router-dom from 6.11.2 to 6.14.1 in /ui by @dependabot in #3191
- Bump recharts from 2.6.2 to 2.7.2 in /ui by @dependabot in #3189
- Bump react-intl from 6.4.2 to 6.4.4 in /ui by @dependabot in #3147
- Bump @formatjs/intl-locale from 3.3.0 to 3.3.2 in /ui by @dependabot in #3146
- Bump @formatjs/intl-relativetimeformat from 11.2.2 to 11.2.4 in /ui by @dependabot in #3143
- Bump @formatjs/cli from 6.1.1 to 6.1.3 in /ui by @dependabot in #3140
- Bump @formatjs/intl-pluralrules from 5.2.2 to 5.2.4 in /ui by @dependabot in #3137
- Bump semver from 6.3.0 to 6.3.1 in /ui by @dependabot in #3210
- Bump tough-cookie from 4.1.2 to 4.1.3 in /ui by @dependabot in #3208
New Contributors
- @zekehuntergreen made their first contribution in #3206
Full Changelog: 3.15.0...3.15.1
3.15.0
What's Changed
- User group management in the aleph command-line tool by @micahflee in #3127
- Implement server-side bookmarks by @tillprochaska in #2843
- Add Sentry support for ingest-file and worker by adding the SENTRY_DSN secret to the helm chart by @stchris in #3181
- Use fuzzy search for collections search by @tillprochaska in #3092
- Show timeline items with invalid dates by @tillprochaska in #2963
- Add existing entities to timelines by @tillprochaska in #3005
- Allow users to add timeline items with times by @tillprochaska in #3014
- Fix whitespace in timelines chart view by @tillprochaska in #3102
- Add additional confirmation UI before destructive actions by @tillprochaska in #3006
- Send null value if collection metadata fields are empty by @tillprochaska in #3061
- Updated followthemoney documentation links by @stchris in #2951
- Fix flaky test by @tillprochaska in #3011
- Fix incorrect concurrency settings for docs workflow by @tillprochaska in #3054
- Fix search highlights disappearing when opening entity previews by @tillprochaska in #3093
- Delete workflow that adds new issues and PRs to a project by @tillprochaska in #3101
- In-app feedback for document previews and OCR by @tillprochaska in #3096
- Fixes for the UI docker image (remove the python package) by @stchris in #3129
- Remove convert document by @stchris in #2755
- Use Ruff for linting by @stchris in #3089
- Hotfix/UI docker remove python by @stchris in #3158
- Disable ES security in the development docker setup by @catileptic in #3134
- Make code reloading work by @stchris in #3169
- Remove deprecated --eager-loading parameter by @stchris in #3175
- Update migrations to SQLAlchemy 2.x by @stchris in #3177
- Push Docker images for tags only by @tillprochaska in #3008
Dependency upgrades
- Bump react-intl from 6.2.10 to 6.3.2 in /ui by @dependabot in #2981
- Bump @blueprintjs/icons from 4.14.3 to 4.14.5 in /ui by @dependabot in #2980
- Bump sass from 1.58.3 to 1.60.0 in /ui by @dependabot in #2978
- Bump @types/lodash from 4.14.191 to 4.14.192 in /ui by @dependabot in #2974
- Bump prettier from 2.8.4 to 2.8.7 in /ui by @dependabot in #2972
- Bump react-countup from 6.4.1 to 6.4.2 in /ui by @dependabot in #2970
- Bump react-markdown from 8.0.5 to 8.0.6 in /ui by @dependabot in #2971
- Bump @craco/craco from 7.0.0 to 7.1.0 in /ui by @dependabot in #2968
- Bump yaml from 2.2.1 to 2.2.2 in /ui by @dependabot in #3012
- Bump react-markdown from 8.0.6 to 8.0.7 in /ui by @dependabot in #3018
- Bump yaml from 2.2.1 to 2.2.2 in /ui by @dependabot in #3019
- Bump prettier from 2.8.7 to 2.8.8 in /ui by @dependabot in #3020
- Bump json5 from 2.2.1 to 2.2.3 in /docs by @dependabot in #2991
- Bump @formatjs/intl-pluralrules from 5.1.10 to 5.2.2 in /ui by @dependabot in #3021
- Bump sass from 1.60.0 to 1.62.1 in /ui by @dependabot in #3023
- Bump @formatjs/intl-locale from 3.1.1 to 3.3.0 in /ui by @dependabot in #3022
- Bump react-router-dom from 6.8.2 to 6.11.0 in /ui by @dependabot in #3038
- Bump react-intl from 6.3.2 to 6.4.2 in /ui by @dependabot in #3034
- Bump date-fns from 2.29.3 to 2.30.0 in /ui by @dependabot in #3035
- Bump @formatjs/cli from 6.0.4 to 6.1.1 in /ui by @dependabot in #3043
- Bump @types/lodash from 4.14.192 to 4.14.194 in /ui by @dependabot in #3042
- Bump @blueprintjs/icons from 4.14.5 to 4.15.0 in /ui by @dependabot in #3037
- Bump @blueprintjs/core from 4.17.5 to 4.18.0 in /ui by @dependabot in #3017
- Bump @blueprintjs/table from 4.9.0 to 4.10.1 in /ui by @dependabot in #3036
- Bump @formatjs/intl-relativetimeformat from 11.1.10 to 11.2.2 in /ui by @dependabot in #3039
- Bump blinker from 1.5 to 1.6.2 by @dependabot in #3033
- Bump react-router-dom from 6.11.0 to 6.11.1 in /ui by @dependabot in #3046
- Bump playwright from 1.31.1 to 1.32.1 by @dependabot in #3030
- Bump pytest-playwright from 0.3.1 to 0.3.3 by @dependabot in #3031
- Bump apispec from 5.2.2 to 6.3.0 by @dependabot in #2941
- Bump flake8-bugbear from 23.1.20 to 23.3.23 by @dependabot in #2955
- Bump papaparse from 5.3.2 to 5.4.1 in /ui by @dependabot in #2969
- Bump recharts from 2.4.3 to 2.5.0 in /ui by @dependabot in #2966
- Bump @blueprintjs/select from 4.8.12 to 4.9.14 in /ui by @dependabot in #3048
- Bump @types/node from 18.11.18 to 18.16.14 in /ui by @dependabot in #3088
- Bump @blueprintjs/table from 4.10.1 to 4.10.4 in /ui by @dependabot in #3073
- Bump @blueprintjs/icons from 4.15.1 to 4.16.0 in /ui by @dependabot in #3098
- Bump @blueprintjs/select from 4.9.14 to 4.9.20 in /ui by @dependabot in #3099
- Bump @alephdata/followthemoney from 3.3.0 to 3.4.0 in /ui by @dependabot in #3084
- Bump react-router-dom from 6.11.1 to 6.11.2 in /ui by @dependabot in #3083
- Bump recharts from 2.5.0 to 2.6.2 in /ui by @dependabot in #3076
- Bump react-redux from 8.0.5 to 8.0.7 in /ui by @dependabot in #3119
- Bump yaml from 2.2.2 to 2.3.1 in /ui by @dependabot in #3109
- Bump @blueprintjs/select from 4.9.20 to 4.9.21 in /ui by @dependabot in #3111
- Bump @types/lodash from 4.14.194 to 4.14.195 in /ui by @dependabot in #3112
- Bump @types/node from 18.16.14 to 18.16.16 in /ui by @dependabot in #3113
- Bump @blueprintjs/table from 4.10.4 to 4.10.8 in /ui by @dependabot in #3114
- Bump vite from 3.2.4 to 3.2.7 in /docs by @dependabot in #3122
- Bumps version of FTM libs, SQLAlchemy, Flask and related to latest by @catileptic in #3160
- Bump ingest-file and FTM versions by @catileptic in #3182
New Contributors
- @micahflee made their first contribution in #3127
Full Changelog: 3.14.1-rc15...3.15.0-rc2
3.15.1-rc1
What's Changed
- Derive "safeHtml" from all "bodyHtml" values by @tillprochaska in #3168
- Document how to enable IAM role-based auth via environment variable configuration (thanks, @zekehuntergreen !) in #3206
- Add simple script to generate test emails by @tillprochaska in #3207
Dependency upgrades
- Bump @alephdata/followthemoney from 3.4.0 to 3.4.4
- Bump semver from 6.3.0 to 6.3.1 in /ui by @dependabot in #3210
- Bump tough-cookie from 4.1.2 to 4.1.3 in /ui by @dependabot in #3208
- Bump @types/node from 18.16.16 to 18.16.19 in /ui by @dependabot in #3198
- Bump sass from 1.62.1 to 1.63.6 in /ui by @dependabot in #3192
- Bump react-router-dom from 6.11.2 to 6.14.1 in /ui by @dependabot in #3191
- Bump recharts from 2.6.2 to 2.7.2 in /ui by @dependabot in #3189
- Bump react-intl from 6.4.2 to 6.4.4 in /ui by @dependabot in #3147
- Bump @formatjs/intl-locale from 3.3.0 to 3.3.2 in /ui by @dependabot in #3146
- Bump @formatjs/intl-relativetimeformat from 11.2.2 to 11.2.4 in /ui by @dependabot in #3143
- Bump @formatjs/cli from 6.1.1 to 6.1.3 in /ui by @dependabot in #3140
- Bump @formatjs/intl-pluralrules from 5.2.2 to 5.2.4 in /ui by @dependabot in #3137
New Contributors
- @zekehuntergreen made their first contribution in #3206
Full Changelog: 3.14.1-rc15...3.15.1-rc1
3.15.0-rc2
What's Changed
- User group management in the aleph command-line tool by @micahflee in #3127
- Implement server-side bookmarks by @tillprochaska in #2843
- Add Sentry support for ingest-file and worker by adding the SENTRY_DSN secret to the helm chart by @stchris in #3181
- Use fuzzy search for collections search by @tillprochaska in #3092
- Show timeline items with invalid dates by @tillprochaska in #2963
- Add existing entities to timelines by @tillprochaska in #3005
- Allow users to add timeline items with times by @tillprochaska in #3014
- Fix whitespace in timelines chart view by @tillprochaska in #3102
- Add additional confirmation UI before destructive actions by @tillprochaska in #3006
- Send null value if collection metadata fields are empty by @tillprochaska in #3061
- Updated followthemoney documentation links by @stchris in #2951
- Fix flaky test by @tillprochaska in #3011
- Fix incorrect concurrency settings for docs workflow by @tillprochaska in #3054
- Fix search highlights disappearing when opening entity previews by @tillprochaska in #3093
- Delete workflow that adds new issues and PRs to a project by @tillprochaska in #3101
- In-app feedback for document previews and OCR by @tillprochaska in #3096
- Fixes for the UI docker image (remove the python package) by @stchris in #3129
- Remove convert document by @stchris in #2755
- Use Ruff for linting by @stchris in #3089
- Hotfix/UI docker remove python by @stchris in #3158
- Disable ES security in the development docker setup by @catileptic in #3134
- Make code reloading work by @stchris in #3169
- Remove deprecated --eager-loading parameter by @stchris in #3175
- Update migrations to SQLAlchemy 2.x by @stchris in #3177
- Push Docker images for tags only by @tillprochaska in #3008
Dependency upgrades
- Bump react-intl from 6.2.10 to 6.3.2 in /ui by @dependabot in #2981
- Bump @blueprintjs/icons from 4.14.3 to 4.14.5 in /ui by @dependabot in #2980
- Bump sass from 1.58.3 to 1.60.0 in /ui by @dependabot in #2978
- Bump @types/lodash from 4.14.191 to 4.14.192 in /ui by @dependabot in #2974
- Bump prettier from 2.8.4 to 2.8.7 in /ui by @dependabot in #2972
- Bump react-countup from 6.4.1 to 6.4.2 in /ui by @dependabot in #2970
- Bump react-markdown from 8.0.5 to 8.0.6 in /ui by @dependabot in #2971
- Bump @craco/craco from 7.0.0 to 7.1.0 in /ui by @dependabot in #2968
- Bump yaml from 2.2.1 to 2.2.2 in /ui by @dependabot in #3012
- Bump react-markdown from 8.0.6 to 8.0.7 in /ui by @dependabot in #3018
- Bump yaml from 2.2.1 to 2.2.2 in /ui by @dependabot in #3019
- Bump prettier from 2.8.7 to 2.8.8 in /ui by @dependabot in #3020
- Bump json5 from 2.2.1 to 2.2.3 in /docs by @dependabot in #2991
- Bump @formatjs/intl-pluralrules from 5.1.10 to 5.2.2 in /ui by @dependabot in #3021
- Bump sass from 1.60.0 to 1.62.1 in /ui by @dependabot in #3023
- Bump @formatjs/intl-locale from 3.1.1 to 3.3.0 in /ui by @dependabot in #3022
- Bump react-router-dom from 6.8.2 to 6.11.0 in /ui by @dependabot in #3038
- Bump react-intl from 6.3.2 to 6.4.2 in /ui by @dependabot in #3034
- Bump date-fns from 2.29.3 to 2.30.0 in /ui by @dependabot in #3035
- Bump @formatjs/cli from 6.0.4 to 6.1.1 in /ui by @dependabot in #3043
- Bump @types/lodash from 4.14.192 to 4.14.194 in /ui by @dependabot in #3042
- Bump @blueprintjs/icons from 4.14.5 to 4.15.0 in /ui by @dependabot in #3037
- Bump @blueprintjs/core from 4.17.5 to 4.18.0 in /ui by @dependabot in #3017
- Bump @blueprintjs/table from 4.9.0 to 4.10.1 in /ui by @dependabot in #3036
- Bump @formatjs/intl-relativetimeformat from 11.1.10 to 11.2.2 in /ui by @dependabot in #3039
- Bump blinker from 1.5 to 1.6.2 by @dependabot in #3033
- Bump react-router-dom from 6.11.0 to 6.11.1 in /ui by @dependabot in #3046
- Bump playwright from 1.31.1 to 1.32.1 by @dependabot in #3030
- Bump pytest-playwright from 0.3.1 to 0.3.3 by @dependabot in #3031
- Bump apispec from 5.2.2 to 6.3.0 by @dependabot in #2941
- Bump flake8-bugbear from 23.1.20 to 23.3.23 by @dependabot in #2955
- Bump papaparse from 5.3.2 to 5.4.1 in /ui by @dependabot in #2969
- Bump recharts from 2.4.3 to 2.5.0 in /ui by @dependabot in #2966
- Bump @blueprintjs/select from 4.8.12 to 4.9.14 in /ui by @dependabot in #3048
- Bump @types/node from 18.11.18 to 18.16.14 in /ui by @dependabot in #3088
- Bump @blueprintjs/table from 4.10.1 to 4.10.4 in /ui by @dependabot in #3073
- Bump @blueprintjs/icons from 4.15.1 to 4.16.0 in /ui by @dependabot in #3098
- Bump @blueprintjs/select from 4.9.14 to 4.9.20 in /ui by @dependabot in #3099
- Bump @alephdata/followthemoney from 3.3.0 to 3.4.0 in /ui by @dependabot in #3084
- Bump react-router-dom from 6.11.1 to 6.11.2 in /ui by @dependabot in #3083
- Bump recharts from 2.5.0 to 2.6.2 in /ui by @dependabot in #3076
- Bump react-redux from 8.0.5 to 8.0.7 in /ui by @dependabot in #3119
- Bump yaml from 2.2.2 to 2.3.1 in /ui by @dependabot in #3109
- Bump @blueprintjs/select from 4.9.20 to 4.9.21 in /ui by @dependabot in #3111
- Bump @types/lodash from 4.14.194 to 4.14.195 in /ui by @dependabot in #3112
- Bump @types/node from 18.16.14 to 18.16.16 in /ui by @dependabot in #3113
- Bump @blueprintjs/table from 4.10.4 to 4.10.8 in /ui by @dependabot in #3114
- Bump vite from 3.2.4 to 3.2.7 in /docs by @dependabot in #3122
- Bumps version of FTM libs, SQLAlchemy, Flask and related to latest by @catileptic in #3160
- Bump ingest-file and FTM versions by @catileptic in #3182
New Contributors
- @micahflee made their first contribution in #3127
Full Changelog: 3.14.1-rc15...3.15.0-rc2
3.14.3
What's changed
- Introduced two new settings which control the scroll window of ElasticSearch queries made during xref operations:
  - ALEPH_XREF_SCROLL (defaults to 5m) is the 'scroll' parameter used on ES scan() calls for xref operations and configures how long a consistent view of the index should be maintained for scrolled search
  - ALEPH_XREF_SCROLL_SIZE (defaults to 1000) is the 'size' parameter used on ES scan() calls for xref operations and configures the size (per shard) of the batch sent for each iteration of a scan
- Removed unnecessary packages from the UI docker image in #3129
- Update Transifex config to work with the latest version of the tx CLI
Full Changelog: 3.14.1...3.14.3
3.14.1
What's Changed
- Sentry support: This release adds support for sending error tracebacks to sentry.io (or a self-hosted instance). This is controlled by two environment variables: SENTRY_DSN and SENTRY_ENVIRONMENT.
- Fixed a flaky UI test (#3011)
- ingest-file version bumped to 3.18.4
- Use bump2version for the docker-compose files in contrib/ to automatically keep them up to date.
Dependency upgrades
- Bump loader-utils from 2.0.2 to 2.0.4 in /ui by @dependabot in #2699
- Bump decode-uri-component from 0.2.0 to 0.2.2 in /ui by @dependabot in #2762
- Bump json5 from 1.0.1 to 1.0.2 in /ui by @dependabot in #2803
- Bump webpack from 5.74.0 to 5.76.1 in /ui by @dependabot in #2944
Full Changelog: 3.14.0...3.14.1