Release 8.5.0 #40640
Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>
Co-authored-by: Guilherme Gazzo <guilherme@gazzo.xyz>
Co-authored-by: Douglas Fabris <devfabris@gmail.com>
…tions/update-version-durability (#40267)
…-version-durability (#38189)
Co-authored-by: Tasso Evangelista <tasso.evangelista@rocket.chat> Co-authored-by: Douglas Fabris <devfabris@gmail.com>
…rser etc) and replace twit (#40294)
Co-authored-by: NightSkyHigh <thomas@Thomas.localdomain> Co-authored-by: juliajforesti <juliajforesti@gmail.com> Co-authored-by: Júlia Jaeger Foresti <60678893+juliajforesti@users.noreply.github.com> Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: Douglas Fabris <devfabris@gmail.com>
Co-authored-by: Copilot <copilot@github.com> Co-authored-by: Douglas Fabris <devfabris@gmail.com>
…lists (#40105) Co-authored-by: Guilherme Gazzo <guilherme@gazzo.xyz>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Ricardo Garim <rswarovsky@gmail.com> Co-authored-by: Kevin Aleman <kaleman960@gmail.com>
⏭️ Hacktron Security Check — Skipped
Reason: This PR exceeds Hacktron's 200-file review cap and will not be scanned. Split the PR into smaller changes for review coverage.
🦋 Changeset detected
Latest commit: 6178156
The changes in this PR will be included in the next version bump.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
Not sure what this means? Click here to learn what changesets are.
Click here if you're a maintainer who wants to add another changeset to this PR
Looks like this PR is not ready to merge, because of the following issues:
Please fix the issues and try again.
If you have any trouble, please check the PR guidelines
Important
Review skipped
Too many files! This PR contains 294 files, which is 144 over the limit of 150. To get a review, narrow the scope:
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID:
⛔ Files ignored due to path filters (6)
📒 Files selected for processing (294)
No issues found across 1547 files
Note: This PR contains a large number of files. cubic only reviews up to 100 files per PR, so some files may not have been reviewed. cubic prioritizes the most important files to review.
On a pro plan you can use ultrareview for larger PRs.
You can see below a preview of the release change log:
8.5.0
Engine versions
22.22.32.3.18.01.63.0-rc.0
Minor Changes
(#40343) Swap usage of internal @rocket.chat/apps-engine internal APIs to @rocket.chat/apps package
(#40408) Adds 4 new permissions (assigned to admins by default) to control the visibility of each tab inside the ABAC Administration panel
(#39760) ## Phishing-Resistant Multi-Factor Authentication
Introduces a more secure and reliable server-side OAuth authentication flow.
What’s New
OAuth authentication now happens fully on the server, reducing the risk of token theft, phishing attacks, and client-side credential interception.
OAuth logins now include stronger protection against CSRF attacks, request tampering, and authorization code interception through secure state validation and PKCE support.
Users with email or TOTP two-factor authentication enabled will now be asked to complete 2FA even when signing in with providers like Google, GitHub, GitLab, and others.
Mobile and desktop apps now support a smoother and more secure deep-link OAuth login flow.
(#40341) Hides the room announcement, topic and description from the Administration > Rooms panel for ABAC managed rooms. In the channel sidebar Edit Channel form those fields stay visible to room members but are disabled, and the API rejects edits to them.
(#39617) Adds new API endpoints `custom-sounds.create` and `custom-sounds.update` to manage custom sounds with strict file validation for size and specific MIME types to ensure system compatibility.
(#40463) Allows apps with the right permission to read room's ABAC attributes.
(#40604) Adds the capability for fetching a user by their sip extension to the apps
(#38225) Adds a new "Drafts" group to the sidebar, providing quick access to all rooms with unfinished messages.
(#40397) Adds the `USE_ROOM_SEARCH_INDEX` environment variable. When set to `true`, the messages collection's text index is created as `{ rid: 1, msg: 'text' }` instead of the default `{ msg: 'text' }`. The compound shape lets per-room `$text` searches use `rid` as a prefix, dramatically reducing the portion of the index scanned on workspaces where global search is disabled.
The index is reconciled on every startup: if the existing text index already matches the desired shape, nothing happens; otherwise the stale text index is dropped and the desired one is recreated. Unsetting the variable on a later boot reverts to the default shape.
(#40612) Adds `freeSwitchExtension` as a query parameter for `api/v1/users.info`
(#39858) Adds support to room information on ViewSubmit and ViewClose events for ContextualBar surface
(#40430) Adds a new admin setting `Use_RC_SDK` (General → Use Rocket.Chat SDK) that opts the workspace into the experimental SDK-over-DDP transport. When enabled, the client routes Meteor DDP traffic through `@rocket.chat/ddp-client` over a single WebSocket instead of the legacy Meteor stream. The flag is dormant by default; the server surfaces the value via a `<meta name="rc-sdk-transport-enabled">` tag, and the client also honors a per-tab `?sdk_transport=on|off` URL parameter and a `rc-config-sdk_transport` localStorage key (URL > localStorage > meta tag).
Patch Changes
(#39858) Fixes an issue that prevented BlockAction interactions from having room information when triggered in a ContextualBar surface
(#40524) Ensures OAuth tokens are cleaned up after user deactivation
(#40537) Fixes an issue that allowed a room converted from private to public (while abac is disabled) to retain its abac attributes (if any)
(#39859) Fixes an issue where thread content would disappear after clicking "Jump to recent messages".
(#40063) Fixes the missing edited indicator for the main parent message in the thread panel to ensure visual consistency with the main channel view.
(#40357) Adds an accessible label to the system-messages multi-select in the channel edit panel so screen readers announce its purpose.
(#40100) Fixes intermittent "Channel Not Joined" screen when opening rooms in embedded mode.
(#40513) Fixes the `users.presence` endpoint returning an empty array when called with multiple comma-separated IDs, caused by `ajvQuery` coercing the string into a single-element array after the OpenAPI migration
(#40496) Ensures that deactivated users have their login tokens cleaned up in users.deactivateidle
(#40405) Disables SAML login when it is set to validate signatures without the proper configuration for it
(#40423) Allows users to search for attribute values when assigning them to rooms
(#40335) Fixes test button not playing default sound in Notifications Preferences
(#40528) Ensures the Meteor method for translateMessage validates access and types
(#40420) Fixes Insert Timestamp relative time preview not updating on input changes and losing the user's locale after the first refresh tick.
(#40456) Fixes signed URL generation for S3 and Google Cloud Storage when the expiry setting is below 5 seconds, which previously caused expired or invalid preview URLs. Adds a dedicated URL expiry setting for Google Cloud Storage since it was incorrectly reusing the AWS S3 setting.
(#40501) Ensures the visitor token is not present in the visitors.info response
(#40405) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
(#40613) Sanitizes image URLs in rendered messages to block `javascript:`, `data:`, and `vbscript:` schemes — matching the protection already applied to markdown links. Defense-in-depth against XSS via crafted markdown like.
(#40508) Ensures the autotranslate.translateMessage endpoint checks for room access
(#40448) Fixes action buttons added by apps being rendered in the Marketplace Menu rather than the User Menu
(#40499) Fixes an issue where some actions made by the abac service were not broadcasting to clients, which affected reactivity
(#40492) Fixes issue that displayed the 'Delete all closed chats' button when user lacks `remove-closed-livechat-rooms` permission
(#40393) Fixes a `date-fns` crash on routes that mount before the public settings stream finishes loading. `useFormatDate` was passing `String(undefined)` (the literal `"undefined"`) to `formatDate` while `Message_DateFormat` was momentarily unloaded — `date-fns` rejects that token because it contains an unescaped `n`. The hook now uses `'LL'` as the default token via `useSetting`'s second argument, so the formatter always receives a valid format string.
Updated dependencies [90f15e3, f7d47dd, cdb264f, 2a927fa, bede0e2, bede0e2, bede0e2, 4c39845, 7f2bdf1, ae9f740, b6b04aa, ad7d424, 4704bf8, d427b80, ebc9bab, f392d5c, 2198d9e, fac6472, 12897e2, e45585b, 0b7a763, 5183306, 2d32e52, 2a927fa, b1c2668, 90f15e3, 22c8d32]:
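The image URL scheme check described in the (#40613) entry above, sketched as an added example; this is not Rocket.Chat's code, and the names `BLOCKED_SCHEMES`, `FALLBACK_SRC`, `extractScheme` and `sanitizeImageUrl` are hypothetical. It shows why the scheme has to be read from the string as a browser would parse it (mixed case, leading control characters, embedded tab/CR/LF) rather than with a plain prefix comparison.

```javascript
// Added example (not Rocket.Chat code): block the three schemes named in the
// changelog entry before a URL is used as an image source.
const BLOCKED_SCHEMES = new Set(['javascript:', 'data:', 'vbscript:']);
const FALLBACK_SRC = '#'; // hypothetical inert value substituted for a blocked URL

// URL parsers drop leading C0 control/space characters and remove tab, CR and LF
// anywhere in the input, so apply the same normalization before reading the scheme.
function normalizeForSchemeCheck(url) {
  return url.replace(/^[\u0000-\u0020]+/, '').replace(/[\t\n\r]/g, '');
}

// Returns the lower-cased scheme including the colon, or null for a
// relative or protocol-relative reference.
function extractScheme(url) {
  const match = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalizeForSchemeCheck(url));
  return match ? `${match[1].toLowerCase()}:` : null;
}

// Returns the URL unchanged when it is safe to render, FALLBACK_SRC otherwise.
function sanitizeImageUrl(url) {
  if (typeof url !== 'string' || url.trim() === '') return FALLBACK_SRC;
  const scheme = extractScheme(url);
  if (scheme !== null && BLOCKED_SCHEMES.has(scheme)) return FALLBACK_SRC;
  return url;
}

// Constructed sample inputs, not taken from the pull request.
const SAMPLES = [
  'https://example.com/avatar.png',
  '/file-upload/abc123/photo.png',
  'JaVaScRiPt:void(0)',
  ' \n javascript:void(0)',
  'java\tscript:void(0)',
  'data:image/svg+xml;base64,AAAA',
  'vbscript:msgbox(1)',
];

function sanitizeSamples() {
  return SAMPLES.map((src) => ({ src, rendered: sanitizeImageUrl(src) }));
}

console.log(sanitizeSamples());
```

A deny-list matches what the entry describes; an allow-list of `http:` and `https:` plus relative paths is the stricter variant of the same check.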