Releases: Cockpit-HQ/Cockpit
v2.14.0
- Improve KISS components
- MongoLite: Restrict query callbacks (`$func`, `$fn`, `$f`, `$where`, direct criteria callbacks) to anonymous closures only
- Improve logging utility: validate log type and enhance context handling
- Add support for custom ACL permission expression (via ScriptLite)
- Content: Add `meta.computed` ScriptLite support for save-time computed fields
- Fix Bucket path traversal vulnerability
- Enhance SVG file handling during uploads
- Improve Thumbhash class with enhanced validation and error handling
- MongoLite: Optimize sorting performance
- Content: Validate and enforce ACL permissions on `$lookup` stages in aggregate pipeline
- Harden session cookie handling: enforce `HttpOnly`, auto-detect `Secure`, validate `SameSite`, and support configurable cookie params via `session.cookie`
- Sanitize display values in `field-select` and `field-tags` components to prevent XSS
v2.13.5
- Add support for PHP 8.5+ compatible custom SQLite functions (IndexLite lib)
- Add identi.callback.data event trigger
- MongoLite: Refactor equality checks with `matchesDirectValue` helper method
- Add ScriptLite lib to support running sandboxed ECMAScript subset code
- MongoLite Aggregation Optimizer: Escape identifiers and JSON paths to ensure safe usage in SQL queries
- Tower: Prevent shell injection by using Process array form
- Fix stored XSS vulnerability in user profile twofa.secret field
v2.13.4
- Remove ReflectionMethod::setAccessible() calls (deprecated since PHP >=v8.5)
- Fix deprecated non-canonical cast usage
- Add a dry-run option to the CLI update command and add logging to the update process
- Refactor MongoLite + add support for more MongoDB aggregation operators
- Fix the possibility to delete files outside of Cockpit as super admin
- Fix Async code generation
v2.13.3
- Micro performance improvements by explicitly marking global functions in a namespace context
- Add `--translate` option to `app:i18n:create` command and refactor string extraction
- Improve JSON viewer dialog
- Enhance DotEnv parsing to support quoted, multiline, and typed values, and improve variable resolution with circular reference detection.
- Improve SVG sanitization on upload
- Fix vulnerabilities in MongoLite QueryOptimizer and content aggregation api @DQH1
Thanks to DQH1 for responsibly reporting critical security issues.
v2.13.2
- Fix Updater view
- Add support for multiple mailer accounts
- Add possibility to set parent folder for an asset folder
- Fix GraphQL error when field definition is missing `multiple` property
- Add `system:fix-mongolite-collection-json` command to fix malformed JSON entries in a MongoLite collection
v2.13.1
v2.13.0
- Add system mailer test functionality
- Clean up inactive worker PIDs
- Add query optimizer to MongoLite
- Make IndexLite more compatible with Meilisearch
- Add group filtering to app search results
- Upgrade TipTap to v3
- Add parallel job processing to worker using the `parallel` extension if available
- Fix App.utils.selectAsset causing MongoDB error with empty filter
- Add parallel batch execution method to Async helper
- Add FrankenPHP worker mode support
- Fix PHP v8.5 MongoLite database compatibility by using Pdo\Sqlite if available.
- Add initial RTL support
v2.12.1
- Fix Identi module usage with spaces
- Fix video preview in assets manager spotlight
- Improve RedisLite and ESQL lib
- Fix missing fixToHeight method for image api
- Add image assets preset support
- Fix nested _id filtering (mongodb)
- Enhance field-object component to support strict JSON mode
- Enhance field-boolean component with integer mode support
- Update Uppy.js from v4 to v5
- Fix missing _id on assets folder creation (mongodb)
v2.12.0
- Trigger additional `app.user.logout.after` on user logout
- Improve IndexLite lib
- Improve MongoLite compatibility with MongoDB
- Add chart.js lib + vue-chart component
- Add lightweight SQL pdo wrapper `ESQL` lib
- Add Identi module to enable OAuth based logins - sponsored by @unchainedshop
- Add custom folder icon support in assets manager
- Add `assets.before.remove` event
- Added an experimental feature to filter content based on the attributes of its linked items. This allows for more granular queries using the `@{fieldname.property}` syntax, such as `@author.name: 'Ozzy'`
v2.11.4
- Assets: add video transcoding helper function
- Assets: Improved HTTP caching when output parameter `o` is used (image api)
- Add color picker functionality to wysiwyg field
- Escape user-provided data to prevent XSS vulnerabilities in views (admin ui).
- Add config setting `tower.disabled` to disable tower in admin ui
- Update Vue to v3.5.17
