
v0.44.0


@github-actions github-actions released this 17 May 04:12
· 772 commits to main since this release
76e1b90

Added

  • Spreadsheet undo/redo (per session). Spreadsheets now support undo/redo via toolbar buttons and keyboard shortcuts (Ctrl/Cmd+Z, Ctrl+Y / Cmd+Shift+Z), covering cell edits, paste, formatting, borders, column/row resize, freeze, and CSV/XLSX import. History is per user and per session and works whether collaboration is on or off; a peer's edits are never undone by you. Built on a new editor-agnostic useYjsHistory primitive (wrapping Y.UndoManager) that any future Yjs-backed editor can reuse with a small adapter.
  • Spreadsheet formatting and Excel import/export. Spreadsheet documents now support column widths and row heights (drag the header edges; double-click to reset), number formats (currency, percent, date, fixed decimals, adjustable decimal places, thousands separator, and negative styles including red and parentheses), frozen header rows/columns, text/fill styling (bold, italic, underline, strikethrough, font size, text color, background fill, horizontal and vertical alignment), and per-edge cell borders (thin/medium/thick/dashed/dotted/double, any color, with all/outer/side presets). Formatting applies to the current selection — a cell range, or whole columns/rows selected from the headers — via a responsive formatting toolbar (related controls grouped into popovers on desktop, collapsed into a single overflow panel on small screens; file import/export lives in a compact menu), and syncs in real time to collaborators. A new "Export Excel" action produces a styled .xlsx, and the import button now accepts .xlsx alongside CSV, preserving widths, styles, number formats, borders, and frozen panes on round-trip (CSV import/export is unchanged). Existing spreadsheets upgrade transparently on next save (content schema v1 → v2) — no migration or operator action required.

Security

  • Auto-sanitize HTML on all API inputs. Every Pydantic schema now extends SanitizedBaseModel, which runs nh3.clean() on every str field at validation time. Dangerous markup — <script>, <iframe>, on* event-handler attributes, javascript: URLs — is stripped before reaching services or the database. Safe formatting tags (<b>, <i>, <a>, <p>) pass through unchanged, and fields that must preserve user-authored content (descriptions, comments, document content, queue notes) opt out via the explicit RichTextStr type. Enum-typed fields are skipped automatically.
  • Limit image attachment uploads to 10 MB to prevent memory exhaustion
  • Block OIDC new-account creation when ENABLE_PUBLIC_REGISTRATION is disabled
  • Return opaque error codes from import parse endpoints instead of raw exception text
  • Add 5-minute TTL to OIDC discovery metadata cache
  • Add X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers to all responses
  • Guard AI settings base_url against SSRF — validates against private/loopback/link-local IPs at both request time and write time for ollama and custom providers
  • Add CORS_ALLOWED_ORIGINS config variable to replace the allow_origins=["*"] placeholder
  • Stored XSS in legacy document embed nodes. The Lexical EmbedNode (kept around for backwards compatibility with documents that used the old generic embed type before YouTubeNode / TweetNode existed) rendered its stored html field via dangerouslySetInnerHTML without sanitization. A user able to write a document — i.e. any guild member with edit access — could craft a serialized JSON payload containing { "type": "embed", "html": "<script>…</script>" }, save the document, and have the script run in every other viewer's session. The constructor now passes the html through DOMPurify before storing it on __html, so all entry paths (importJSON of legacy data, paste-conversion via convertEmbedElement, programmatic creation) are sanitized at the same boundary. Default DOMPurify config strips <script>, event handler attributes, javascript: URLs, and <iframe>; legacy YouTube embeds may render empty after the fix and should be re-added with the dedicated YouTubeNode insert tool.
  • Migrate password hashing from passlib[bcrypt] to argon2-cffi. passlib's last release was Oct 2020; its bcrypt backend has been emitting the warning "(trapped) error reading bcrypt version" ever since bcrypt 4.1 removed the __about__ module, and the project's bcrypt==4.0.1 pin existed only to keep passlib quiet. New password hashes are now argon2id (OWASP-aligned defaults), and existing bcrypt hashes are still verified directly through the bcrypt library so nobody is locked out. On the next successful login (standard form auth or device-token auth) any bcrypt hash is rewritten as argon2id transparently — no schema change, no migration, no operator action required. bcrypt itself bumps from 4.0.1 to 5.0.0 along the way, since the version pin was only there to dodge the passlib incompatibility.
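The "sanitize at the validation boundary" design from the first Security bullet, as an added example (not the project's code). The release wires nh3.clean() into a SanitizedBaseModel that every Pydantic schema extends; here a dataclass plays the role of the Pydantic base and a small allow-list sanitizer built on the standard library's html.parser stands in for nh3, so the example runs without third-party packages. RichTextStr is the opt-out marker and Enum-typed fields are skipped, as the notes describe. The class names, CommentIn, and the sample inputs are constructed for this demo.

```python
"""Sanitize every plain-string field once, at model validation time.

Stand-ins: a dataclass base instead of Pydantic, and an html.parser
allow-list filter instead of nh3.clean(). The boundary logic is the point.
"""
import html
from dataclasses import dataclass, fields
from enum import Enum
from html.parser import HTMLParser
from typing import Annotated, get_args, get_origin
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "a", "p"}            # safe formatting passes through
ALLOWED_ATTRS = {"a": {"href"}}                # no on* handlers, no style, ...
SAFE_SCHEMES = {"http", "https", "mailto"}     # rejects javascript:, data:, ...
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


class _AllowListSanitizer(HTMLParser):
    """Keep allowed tags/attributes, escape text, discard everything else.
    Unknown tags are removed but their text survives; script-like tags lose
    their content as well."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list = []
        self._skip = 0  # > 0 while inside a tag whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                       # drops onclick=, style=, ...
            if name == "href":
                scheme = urlsplit((value or "").strip()).scheme.lower()
                if scheme and scheme not in SAFE_SCHEMES:
                    continue                   # drops javascript: URLs
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(value: str) -> str:
    """Return value with only allow-listed markup left in."""
    parser = _AllowListSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


RichTextStr = Annotated[str, "rich-text"]  # opt-out marker: keep user-authored content


@dataclass
class SanitizedModel:
    """Base class: after construction every plain `str` field is sanitized;
    RichTextStr and Enum-typed fields are left untouched."""

    def __post_init__(self) -> None:
        for f in fields(self):
            t = f.type
            if get_origin(t) is Annotated and "rich-text" in get_args(t)[1:]:
                continue
            if isinstance(t, type) and issubclass(t, Enum):
                continue
            value = getattr(self, f.name)
            if t is str and isinstance(value, str):
                setattr(self, f.name, sanitize_html(value))


class Kind(Enum):
    NOTE = "note"


@dataclass
class CommentIn(SanitizedModel):
    """Request schema constructed for this demo."""
    title: str          # sanitized
    body: RichTextStr   # opt-out, preserved as authored
    kind: Kind          # enum, skipped
```

Because the filter runs in the base class, a new schema gets the protection by default and an author must opt a field out explicitly; that is the property that makes the boundary auditable. The same principle applies to the legacy embed fix later in this list: one sanitizer at the single point where untrusted markup enters, rather than at each render site.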
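The verify-then-upgrade flow from the password-hashing bullet, as an added example (not the project's code). The real change dispatches on the stored hash's prefix, verifies legacy hashes through the bcrypt library, and rewrites them as argon2id after a successful login. To run without third-party packages this example uses two stand-in schemes from the standard library: PBKDF2-SHA256 plays the role of the legacy bcrypt hash and scrypt plays the role of argon2id. The class and function names are assumptions; in real code the two scheme classes would wrap bcrypt and argon2-cffi, and the dispatch and upgrade logic stays the same.

```python
"""Password verification that transparently upgrades legacy hashes.

Stand-ins: LegacyScheme (PBKDF2) for bcrypt, CurrentScheme (scrypt) for
argon2id. Each stored hash carries a self-describing prefix, so no schema
change is needed to run both side by side.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


class LegacyScheme:
    """Stand-in for bcrypt ($2b$...): still verified, never produced."""
    PREFIX = "$pbkdf2-sha256$"
    ROUNDS = 100_000

    @classmethod
    def hash(cls, password: str) -> str:
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ROUNDS)
        return f"{cls.PREFIX}{cls.ROUNDS}${_b64(salt)}${_b64(dk)}"

    @staticmethod
    def verify(password: str, stored: str) -> bool:
        _, _, rounds, salt, dk = stored.split("$")
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(), _unb64(salt), int(rounds))
        return hmac.compare_digest(calc, _unb64(dk))  # constant-time compare


class CurrentScheme:
    """Stand-in for argon2id ($argon2id$...): the only scheme for new hashes."""
    PREFIX = "$scrypt$"
    N, R, P = 2 ** 14, 8, 1  # 16 MiB work factor for this demo

    @classmethod
    def hash(cls, password: str) -> str:
        salt = os.urandom(16)
        dk = hashlib.scrypt(password.encode(), salt=salt, n=cls.N, r=cls.R, p=cls.P, dklen=32)
        return f"{cls.PREFIX}{cls.N}${cls.R}${cls.P}${_b64(salt)}${_b64(dk)}"

    @staticmethod
    def verify(password: str, stored: str) -> bool:
        _, _, n, r, p, salt, dk = stored.split("$")
        calc = hashlib.scrypt(password.encode(), salt=_unb64(salt),
                              n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(calc, _unb64(dk))


@dataclass
class LoginResult:
    ok: bool
    upgraded_hash: Optional[str]  # not None => caller must persist it


def verify_and_upgrade(password: str, stored: str) -> LoginResult:
    """Check the password against whichever scheme the stored hash uses.

    A successful login against a legacy hash returns a fresh current-scheme
    hash so the caller overwrites the row; an unknown prefix fails closed.
    """
    if stored.startswith(CurrentScheme.PREFIX):
        return LoginResult(CurrentScheme.verify(password, stored), None)
    if stored.startswith(LegacyScheme.PREFIX):
        if not LegacyScheme.verify(password, stored):
            return LoginResult(False, None)
        return LoginResult(True, CurrentScheme.hash(password))
    return LoginResult(False, None)


if __name__ == "__main__":
    # Simulated user row created before the migration (constructed input).
    row = {"password_hash": LegacyScheme.hash("correct horse battery staple")}
    result = verify_and_upgrade("correct horse battery staple", row["password_hash"])
    if result.ok and result.upgraded_hash:
        row["password_hash"] = result.upgraded_hash  # rewrite happens here
    print(row["password_hash"][:10])
```

The upgrade can only happen at login because the server never holds the plaintext otherwise; that is why the notes tie the rewrite to the next successful form or device-token authentication rather than to a migration.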

Changed

  • Restrict Ollama AI provider to platform-level settings. Guild and user AI settings no longer offer Ollama as a provider option (it cannot reasonably be reached from outside the host's network anyway). A migration nulls out any pre-existing Ollama overrides on guild_settings and users, falling back to the inherited platform configuration.
  • Show an inline HTTP warning on the platform AI page when the Ollama base URL is configured with http://, reminding admins to use TLS in production.
  • Platform admins can now point Ollama / custom AI base URLs at http:// or private addresses. The SSRF guard still applies to guild/user-supplied URLs in the test-connection and fetch-models endpoints; it is bypassed only when the caller is a platform admin (who already controls the host). AI generation paths trust ollama URLs unconditionally now that ollama is platform-only.
  • Bump vite from v7 to v8. Decreases bundler step from 25s to 2s.
  • Migrate to typescript 7 beta. Decreases compile step from 25s to 5s.
  • Bump Dockerfile Node.js from v20 to v24.
  • Pin pnpm to 10.33.3 via the packageManager field in frontend/package.json. CI and the Dockerfile auto-detect it through corepack, so contributors no longer need to match versions manually — fresh clones with corepack enabled get the right pnpm on first invocation.
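The SSRF guard described in the Security bullet for AI base_url, together with the platform-admin bypass described above, as an added example (not the project's code). It models the stated behaviour: the URL is checked when the setting is written and again at request time, loopback/private/link-local targets are refused, and a platform admin may skip the address check for Ollama/custom providers. The function names, the UnsafeBaseURL exception, the resolver hook and the sample host names are assumptions.

```python
"""Refuse AI provider base_urls that would reach loopback, private or
link-local addresses. Runs on the standard library only."""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit


class UnsafeBaseURL(ValueError):
    """base_url points somewhere an outbound request must not go."""


def resolve_all(host: str) -> List[str]:
    """Every address a host name maps to (A and AAAA). A name that maps to one
    public and one private address is still refused."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_non_public(addr: str) -> bool:
    """True for loopback, RFC 1918 / ULA private, link-local (which includes
    the 169.254.0.0/16 cloud metadata range), multicast, reserved and
    unspecified addresses. IPv4-mapped IPv6 literals are unwrapped first so
    that ::ffff:10.0.0.1 is judged as 10.0.0.1."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def validate_base_url(url: str, *, platform_admin: bool = False,
                      resolver: Callable[[str], List[str]] = resolve_all) -> str:
    """Return the URL if it is safe to call, else raise UnsafeBaseURL.

    Call this when the setting is saved (write time) and again right before
    each outbound call (request time): a host name's addresses can change in
    between. platform_admin=True skips the address check, mirroring the rule
    that platform admins may target http:// and private addresses because
    they already control the host.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeBaseURL("base_url must be an absolute http(s) URL")
    if parts.username or parts.password:
        raise UnsafeBaseURL("credentials embedded in base_url are not allowed")
    if platform_admin:
        return parts.geturl()
    host = parts.hostname
    try:
        targets = [str(ipaddress.ip_address(host))]  # literal IP: no DNS lookup
    except ValueError:
        targets = resolver(host)                      # host name: check every address
    for addr in targets:
        if is_non_public(addr):
            raise UnsafeBaseURL(f"{host} resolves to non-public address {addr}")
    return parts.geturl()


def is_safe_base_url(url: str, **kwargs) -> bool:
    """Boolean wrapper for callers that only need to branch."""
    try:
        validate_base_url(url, **kwargs)
        return True
    except UnsafeBaseURL:
        return False
```

Checking at request time as well as write time closes the gap where a stored host name later starts resolving to an internal address, but a lookup-then-connect sequence still leaves a small window between the check and the socket connect; connecting to the validated address directly, and refusing redirects to non-public addresses in the HTTP client, removes it.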

Downloads

Android App

Download the APK from the assets below and install on your Android device.

Docker Image

docker pull morelitea/initiative:0.44.0

Or use the latest tag. View on Docker Hub.