
8.5.0

Latest


@rocketchat-github-ci rocketchat-github-ci released this 10 Jun 21:19
· 82 commits to develop since this release

Summary

Security and Compliance

Security improvements, authentication changes, data protection, and vulnerability fixes.

This security update hardens access controls and token handling across translation, OAuth, Livechat, images, SAML/CAS login, and file uploads. It now enforces room membership before translated message content is returned, revokes OAuth tokens when users are deactivated, removes visitor tokens from livechat/visitors.info, blocks unsafe inline image URLs, and applies stricter validation across SAML SSO, CAS login, OAuth token scoping, and file upload ownership/MIME checks. Integrations calling autotranslate.translateMessage without proper room access will now receive 401 or 403 responses. Integrations that relied on the token field from livechat/visitors.info must now get the token through the visitor-creation flow.

Messaging and Collaboration

Features and fixes related to messaging, channels, discussions, and communication workflows.

This update improves usability, performance, accessibility, and calling stability across the workspace. It adds a new sidebar Drafts group for rooms with unsent messages, virtualizes the message list to improve performance in long conversations and threads, and fixes several thread navigation and scrolling issues. It also restores and stabilizes voice-call behavior, improves keyboard and assistive-tech support across exports, modals, and forms, and allows users to start audio or video recordings even after typing in the composer.
Omnichannel permissions and room details were also tightened by hiding the Delete all closed chats action from unauthorized users and restoring room-scoped custom fields in the Room Information sidebar. Additional fixes cover presence lookup, signed URL expiry fallback, timezone-aware timestamps, embedded mode entry behavior, portal/iframe rendering, and safe fallback for invalid message date formats.

Platform and Extensibility

Developer platform, APIs, integrations, and application framework improvements.

This update adds new REST APIs for custom sound creation and updates with upload validation, while deprecating the older custom sound Meteor methods. It also adds FreeSwitch extension lookup support, exposes room context in more UIKit interactions, and moves internal app-management code to a new package without changing the public Apps Engine API. Minor fixes include the default notification sound test button and User Dropdown UIKit button placement.

Data, Storage, and Infrastructure

Database, performance, storage, and system-level improvements.

This update improves performance and observability for large deployments. It adds optional room-scoped message search indexing, configurable markdown parse limits for very large messages, updated runtime and Docker base versions, cached user records for faster DDP permission checks, and expanded Prometheus metrics for HTTP, DDP, and queues. Runtime baseline updated to Node.js 22.22.3 and Meteor 3.4.1.

Admin, Configuration, and Workspace Management

Administrative controls, configuration settings, and workspace management improvements.

This update improves ABAC administration with a new tabbed admin page, granular per-tab permissions, better room lookup, and safer handling of ABAC-managed rooms. It also exposes ABAC attributes to apps through a new secure-fields permission and adds an experimental setting to route real-time communication through the Rocket.Chat SDK DDP client.

For further details, check out the release notes.

Engine versions

  • Node: 22.22.3
  • Deno: 2.3.1
  • MongoDB: 8.0
  • Apps-Engine: 1.63.0

Minor Changes

  • (#40343) Swaps usage of internal @rocket.chat/apps-engine APIs for the @rocket.chat/apps package

  • (#40408) Adds 4 new permissions (assigned to admins by default) to control the visibility of each tab inside the ABAC Administration panel

  • (#40341) Hides the room announcement, topic and description from the Administration > Rooms panel for ABAC managed rooms. In the channel sidebar Edit Channel form those fields stay visible to room members but are disabled, and the API rejects edits to them.

  • (#39617) Adds new API endpoints custom-sounds.create and custom-sounds.update to manage custom sounds with strict file validation for size and specific MIME types to ensure system compatibility.

  • (#40463) Allows apps with the right permission to read a room's ABAC attributes.

  • (#40604) Adds the capability for apps to fetch a user by their SIP extension

  • (#38225) Adds a new "Drafts" group to the sidebar, providing quick access to all rooms with unfinished messages.

    This feature is available under the Drafts in sidebar feature preview and needs to be enabled in settings to be tested.

  • (#40397) Adds the USE_ROOM_SEARCH_INDEX environment variable. When set to true, the messages collection's text index is created as { rid: 1, msg: 'text' } instead of the default { msg: 'text' }. The compound shape lets per-room $text searches use rid as a prefix, dramatically reducing the portion of the index scanned on workspaces where global search is disabled.

    The index is reconciled on every startup: if the existing text index already matches the desired shape, nothing happens; otherwise the stale text index is dropped and the desired one is recreated. Unsetting the variable on a later boot reverts to the default shape.
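    As an added example (not Rocket.Chat's own code), the startup reconciliation described above, worked out on index descriptors in the form MongoDB's listIndexes() returns; the function names are this example's own.

    ```javascript
    // Added example (not Rocket.Chat's own code): plans the startup reconciliation
    // of the messages text index against USE_ROOM_SEARCH_INDEX. It works on plain
    // index descriptors in the form MongoDB's listIndexes() returns (a text index
    // shows up as { _fts: 'text', _ftsx: 1 } with the text fields in `weights`),
    // so it runs without a database connection.

    // Index spec the server should end up with for the given env value.
    function desiredTextIndexKey(useRoomSearchIndex) {
      const enabled = String(useRoomSearchIndex).toLowerCase() === 'true';
      // rid first: a per-room $text query can use it as an equality prefix.
      return enabled ? { rid: 1, msg: 'text' } : { msg: 'text' };
    }

    function isTextIndex(index) {
      return Boolean(index.key) && index.key._fts === 'text';
    }

    // Turn a listIndexes() text-index descriptor back into its createIndex() spec,
    // keeping prefix/suffix fields in their original order.
    function textIndexSpec(index) {
      const spec = {};
      for (const [field, value] of Object.entries(index.key)) {
        if (field === '_fts') {
          for (const textField of Object.keys(index.weights || {})) spec[textField] = 'text';
        } else if (field !== '_ftsx') {
          spec[field] = value;
        }
      }
      return spec;
    }

    // Key order is significant for a compound index, so compare entries in order.
    function sameKey(a, b) {
      const ea = Object.entries(a);
      const eb = Object.entries(b);
      return ea.length === eb.length && ea.every(([k, v], i) => eb[i][0] === k && eb[i][1] === v);
    }

    // 'noop' when the existing text index already has the desired shape,
    // 'create' when there is none, 'recreate' (drop stale, then create) otherwise.
    function planTextIndexReconciliation(existingIndexes, useRoomSearchIndex) {
      const key = desiredTextIndexKey(useRoomSearchIndex);
      const existing = existingIndexes.find(isTextIndex);
      if (!existing) return { action: 'create', key };
      if (sameKey(textIndexSpec(existing), key)) return { action: 'noop', key };
      return { action: 'recreate', drop: existing.name, key };
    }
    ```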

  • (#40612) Adds freeSwitchExtension as a query parameter for api/v1/users.info

  • (#39858) Adds support for room information on ViewSubmit and ViewClose events for the ContextualBar surface

  • (#40430) Adds a new admin setting Use_RC_SDK (General → Use Rocket.Chat SDK) that opts the workspace into the experimental SDK-over-DDP transport. When enabled, the client routes Meteor DDP traffic through @rocket.chat/ddp-client over a single WebSocket instead of the legacy Meteor stream. The flag is dormant by default; the server surfaces the value via a <meta name="rc-sdk-transport-enabled"> tag, and the client also honors a per-tab ?sdk_transport=on|off URL parameter and a rc-config-sdk_transport localStorage key (URL > localStorage > meta tag).
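    As an added example (not Rocket.Chat's own code), the URL > localStorage > meta tag precedence described above for the Use_RC_SDK transport flag; it assumes the meta tag's content is the string 'true' or 'false', and the function names are this example's own.

    ```javascript
    // Added example (not Rocket.Chat's own code): resolves the experimental
    // SDK-over-DDP transport flag with the precedence described above:
    //   ?sdk_transport=on|off URL parameter > rc-config-sdk_transport localStorage
    //   key > <meta name="rc-sdk-transport-enabled"> tag (server Use_RC_SDK value).
    // Assumption: the meta tag's content attribute is the string 'true' or 'false'.

    // Only the literal values 'on' / 'off' count; anything else is ignored so an
    // unrecognised override falls through to the next source instead of
    // silently enabling or disabling the transport.
    function parseOnOff(value) {
      if (value === 'on') return true;
      if (value === 'off') return false;
      return null;
    }

    // Inputs are passed explicitly so the decision logic runs outside a browser.
    function resolveSdkTransport({ search = '', storage = {}, metaContent = null } = {}) {
      const fromUrl = parseOnOff(new URLSearchParams(search).get('sdk_transport'));
      if (fromUrl !== null) return { enabled: fromUrl, source: 'url' };

      const fromStorage = parseOnOff(storage['rc-config-sdk_transport']);
      if (fromStorage !== null) return { enabled: fromStorage, source: 'localStorage' };

      // Dormant by default: only an explicit 'true' from the server turns it on.
      return { enabled: metaContent === 'true', source: 'meta' };
    }

    // Browser entry point: gathers the three sources from the live page.
    function resolveSdkTransportFromBrowser() {
      const meta = document.querySelector('meta[name="rc-sdk-transport-enabled"]');
      return resolveSdkTransport({
        search: window.location.search,
        storage: { 'rc-config-sdk_transport': window.localStorage.getItem('rc-config-sdk_transport') },
        metaContent: meta ? meta.getAttribute('content') : null,
      });
    }
    ```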

Patch Changes

  • (#39858) Fixes an issue that prevented BlockAction interactions from having room information when triggered in a ContextualBar surface

  • (#40524) Ensures OAuth tokens are cleaned up after user deactivation

  • Bump @rocket.chat/meteor version.

  • (#40537) Fixes an issue that allowed a room converted from private to public (while ABAC is disabled) to retain its ABAC attributes (if any)

  • (#39859) Fixes an issue where thread content would disappear after clicking "Jump to recent messages".

  • (#40063) Fixes the missing edited indicator for the main parent message in the thread panel to ensure visual consistency with the main channel view.

  • (#40357) Adds an accessible label to the system-messages multi-select in the channel edit panel so screen readers announce its purpose.

  • (#40100) Fixes intermittent "Channel Not Joined" screen when opening rooms in embedded mode.

  • (#40513) Fixes the users.presence endpoint returning an empty array when called with multiple comma-separated IDs, caused by ajvQuery coercing the string into a single-element array after the OpenAPI migration

  • (#40496) Ensures that deactivated users have their login tokens cleaned up in users.deactivateIdle

  • (#40405) Disables SAML login when it is set to validate signatures but lacks the configuration required to do so

  • (#40423) Allows users to search for attribute values when assigning them to rooms

  • (#40335) Fixes test button not playing default sound in Notifications Preferences

  • (#40528) Ensures the Meteor method for translateMessage validates access and types

  • (#40420) Fixes Insert Timestamp relative time preview not updating on input changes and losing the user's locale after the first refresh tick.

  • (#40456) Fixes signed URL generation for S3 and Google Cloud Storage when the expiry setting is below 5 seconds, which previously caused expired or invalid preview URLs. Adds a dedicated URL expiry setting for Google Cloud Storage since it was incorrectly reusing the AWS S3 setting.

  • (#40501) Ensures the visitor token is not present in the visitors.info response

  • (#40405) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

  • (#40613) Sanitizes image URLs in rendered messages to block javascript:, data:, and vbscript: schemes — matching the protection already applied to markdown links. Defense-in-depth against XSS via crafted markdown like ![label](javascript:...).
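    As an added example (not Rocket.Chat's own code), the kind of scheme check a markdown renderer applies to an image destination before emitting the tag, covering the three schemes named above; `escapeHtml` and the other function names are this example's own.

    ```javascript
    // Added example (not Rocket.Chat's own code): the defensive check applied to
    // image destinations before an <img> is emitted. It blocks the javascript:,
    // data: and vbscript: schemes named above and handles the usual evasions a
    // browser would otherwise tolerate (mixed case, leading whitespace/control
    // characters, tab/CR/LF inside the scheme). The input is the destination the
    // markdown parser produces, i.e. after entity decoding.

    const BLOCKED_SCHEMES = new Set(['javascript', 'data', 'vbscript']);

    // Extract the scheme a browser would see: strip leading C0 controls/space,
    // drop tab/CR/LF anywhere, then take the run before the first ':'.
    function effectiveScheme(url) {
      const cleaned = String(url).replace(/^[\u0000-\u0020]+/, '').replace(/[\t\r\n]/g, '');
      const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
      return m ? m[1].toLowerCase() : null; // null: relative URL, no scheme
    }

    function isSafeImageUrl(url) {
      const scheme = effectiveScheme(url);
      return scheme === null || !BLOCKED_SCHEMES.has(scheme);
    }

    function escapeHtml(s) {
      const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
      return String(s).replace(/[&<>"']/g, (c) => map[c]);
    }

    // Rendering hook: keep safe sources, replace others with an empty src so the
    // alt text still renders but nothing executable is referenced.
    function renderImage(label, src) {
      const safeSrc = isSafeImageUrl(src) ? src : '';
      return `<img alt="${escapeHtml(label)}" src="${escapeHtml(safeSrc)}">`;
    }
    ```

    A stricter variant allows only http, https and relative destinations; the blocklist here mirrors what the entry above describes.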

  • (#40508) Ensures the autotranslate.translateMessage endpoint checks for room access

  • (#40448) Fixes action buttons added by apps being rendered in the Marketplace Menu rather than the User Menu

  • (#40635 by @copilot-swe-agent) Fixes the Chat Limits locking mechanism to allow bot agents to skip the lock as they aren't limited

  • (#40499) Fixes an issue where some actions made by the ABAC service were not broadcast to clients, which affected reactivity

  • (#40492) Fixes an issue that displayed the 'Delete all closed chats' button when the user lacks the remove-closed-livechat-rooms permission

  • (#40393) Fixes a date-fns crash on routes that mount before the public settings stream finishes loading. useFormatDate was passing String(undefined) (the literal "undefined") to formatDate while Message_DateFormat was momentarily unloaded — date-fns rejects that token because it contains an unescaped n. The hook now uses 'LL' as the default token via useSetting's second argument, so the formatter always receives a valid format string.

  • Updated dependencies [90f15e3, f7d47dd, cdb264f, 2a927fa, bede0e2, bede0e2, bede0e2, 4c39845, 7f2bdf1, b6b04aa, ad7d424, 4704bf8, d427b80, ebc9bab, f392d5c, 2198d9e, fac6472, 12897e2, e45585b, 0b7a763, 5183306, 2d32e52, 2a927fa, b1c2668, 90f15e3, 22c8d32]:
    • @rocket.chat/ui-kit@1.1.0
    • @rocket.chat/model-typings@2.3.0
    • @rocket.chat/models@2.3.0
    • @rocket.chat/i18n@3.1.0
    • @rocket.chat/apps-engine@1.63.0
    • @rocket.chat/ddp-client@1.1.0
    • @rocket.chat/rest-typings@8.5.0
    • @rocket.chat/ui-voip@21.0.0
    • @rocket.chat/gazzodown@31.0.0
    • @rocket.chat/apps@0.7.0
    • @rocket.chat/ui-client@31.0.0
    • @rocket.chat/core-typings@8.5.0
    • @rocket.chat/abac@0.2.1
    • @rocket.chat/media-calls@0.5.0
    • @rocket.chat/ui-composer@2.0.0
    • @rocket.chat/federation-matrix@0.1.4
    • @rocket.chat/network-broker@0.2.36
    • @rocket.chat/omni-core-ee@0.0.22
    • @rocket.chat/omnichannel-services@0.3.54
    • @rocket.chat/presence@0.2.57
    • @rocket.chat/core-services@0.14.1
    • @rocket.chat/cron@0.1.57
    • @rocket.chat/fuselage-ui-kit@31.0.0
    • @rocket.chat/instance-status@0.1.57
    • @rocket.chat/omni-core@0.1.1
    • @rocket.chat/server-fetch@0.2.1
    • @rocket.chat/ui-avatar@27.0.0
    • @rocket.chat/ui-contexts@31.0.0
    • @rocket.chat/ui-video-conf@31.0.0
    • @rocket.chat/web-ui-registration@31.0.0