Skip to content

Releases: hedgedoc/hedgedoc

HedgeDoc 1.9.6

06 Nov 22:13
Compare
Choose a tag to compare

Bugfixes

  • Fix migrations deleting all notes when SQLite is used

HedgeDoc 1.9.5

30 Oct 21:20
Compare
Choose a tag to compare

🚨 This release has a bug that leads to data-loss when using SQLite.
We advise users of SQLite databases to skip this release and use 1.9.6. 🚨

Enhancements

  • Add dark mode toggle in mobile view
  • Replace embedding shortcode regexes with more specific ones to safeguard against XSS attacks

Bugfixes

  • Fix a crash when using LDAP authentication with custom search attributes (thanks to @aboettger-tuhh for reporting)
  • Fix a crash caused by a long note history when the MySQL database is used
  • Fix breaks option not being respected in the publish-view
  • Fix missing syntax highlighting in the markdown editor

Contributors

  • Bateausurleau (translator)
  • Goncalo (translator)
  • Ívarr Vinter (translator)
  • Oein0219 (translator)
  • Pol Dellaiera

HedgeDoc 1.9.4

10 Jul 20:14
bb12c64
Compare
Choose a tag to compare

Please note: This release dropped support for Node 12, which is end-of-life since April 2022.
You now need at least Node 14.13.1 or Node 16 to run HedgeDoc. We don't support more recent versions of Node.

Enhancements

  • Remove unexpected shell call during migrations
  • More S3 config options: upload folder & public ACL (thanks to @lautaroalvarez)

Contributors

  • Al_x (translator)
  • Emmanuel Courreges (translator)
  • paranic (translator)
  • Quentin PAGÈS (translator)

HedgeDoc 1.9.3

10 Apr 20:24
7f09558
Compare
Choose a tag to compare

This release fixes a security issue. We recommend upgrading as soon as possible.

⚠️ Warning: If you deploy HedgeDoc and MariaDB with docker-compose using a checkout of our container repo, you will need to manually convert the character set of the database to utf8mb4 when updating. See the corresponding PR for more information.

Security Fixes

Enhancements

  • Libravatar avatars render as ident-icons when no avatar image was uploaded to Libravatar or Gravatar
  • Add database connection error message to log output
  • Allow SAML authentication provider to be named
  • Suppress error message when git binary is not found

Bugfixes

  • Fix error that Libravatar user avatars were not shown when using OAuth2 login
  • Fix bin/manage_users not accepting numeric passwords (thanks to @carr0t2 for reporting)
  • Fix visibility of modals for screen readers
  • Fix GitLab snippet export (thanks to @semjongeist for reporting)
  • Fix missing inline authorship colors (thanks to @EBendinelli for reporting)

Contributors

  • ced (translator)
  • deluxghost (translator)
  • Dennis Gaida
  • Michael Hauer (translator)
  • Moritz Schlarb
  • Mostafa Ahangarha (translator)
  • Sandro
  • Sergio Varela (translator)
  • Tạ Quang Khôi (translator)
  • Tiago Triques (translator)
  • tmpod (translator)
  • Uchiha Kakashi

HedgeDoc 1.9.2

03 Dec 20:13
0d8b251
Compare
Choose a tag to compare

Bugfixes

  • Fix error in the session handler when requesting /metrics or /status

HedgeDoc 1.9.1

02 Dec 21:24
d676008
Compare
Choose a tag to compare

This release increases the minimum required Node versions to 12.20.0, 14.13.1 and 16.
In general, only the latest releases of Node 12, 14 and 16 are officially supported by us, older minor versions can be dropped at any time.
We recommend you run HedgeDoc with the latest release of Node 16.

Bugfixes

  • Add workaround for incorrect CSP handling in Safari
  • Fix crash when an unexpected response from the GitLab API is encountered
  • Fix crash when using hungarian language

Contributors

  • AIAC (translator)
  • Danilo Bargen
  • Diem Duong (translator)
  • Gergely Polonkai (translator)
  • Nikola (translator)
  • ProttoyChakraborty
  • Sergio (translator)
  • Tiago Triques (translator)
  • Vincent Dusanek (translator)
  • Александр (translator)

HedgeDoc 1.9.0

13 Sep 20:29
98b0bf2
Compare
Choose a tag to compare

Security Fixes

  • CVE-2021-39175: XSS vector in slide mode speaker-view
  • This release removes Google Analytics and Disqus domains from our default Content Security Policy, because they were repeatedly used to exploit security vulnerabilities.
    If you want to continue using Google Analytics or Disqus, you can re-enable them in the config.
    See the docs for details

Features

  • HedgeDoc now automatically retries connecting to the database up to 30 times on startup
  • This release introduces the csp.allowFraming config option, which controls whether embedding a HedgeDoc instance in other webpages is allowed.
    We strongly recommend disabling this option to reduce the risk of XSS attacks
  • This release introduces the csp.allowPDFEmbed config option, which controls whether embedding PDFs inside HedgeDoc notes is allowed. We recommend disabling this option if you don't use the feature, to reduce the attack surface of XSS attacks
  • Add additional environment variables to configure the database.
    This allows easier configuration in containerized environments, such as Kubernetes

Enhancements

  • Further improvements to the frontend build process, reducing the initial bundle size by 60%
  • Improve the error handling of the filesystem upload method
  • Improve the error message of failing migrations

Bugfixes

  • Fix crash when trying to read the current Git commit on startup
  • Fix endless loop on shutdown when HedgeDoc can't connect to the database
  • Ensure that all cookies are set with the secure flag, if HedgeDoc is loaded via HTTPS
  • Fix session cookies being created on calls to /metrics and /status
  • Fix incorrect creation of S3 endpoint domain (thanks to @matejc)
  • Remove CDN support, fixing inconsistencies in library versions delivered to the client
  • Fix font display issues when having some variants of fonts used by HedgeDoc installed locally
  • Fix links between slides not working
  • Fix Vimeo integration using a deprecated API

Miscellaneous

  • Removed MSSQL support, as migrations from 2018 are broken with SQL Server and nobody seems to use it

Contributors

  • Bogdan Cuza (translator)
  • Heimen Stoffels (translator)
  • igg17 (translator)
  • Klorophatu (translator)
  • Martin (translator)
  • Matija (translator)
  • Matthieu Devillers (translator)
  • Mindaugas (translator)
  • Quentin Pagès (translator)

HedgeDoc 1.9.0 Release Candidate 1

29 Aug 16:06
ea7f21e
Compare
Choose a tag to compare
Pre-release

Security Fixes

  • CVE-2021-39175: XSS vector in slide mode speaker-view
  • This release removes Google Analytics and Disqus domains from our default Content Security Policy, because
    they were repeatedly used to exploit security vulnerabilities.
    If you want to continue using Google Analytics or Disqus, you can re-enable them in the config.
    See the docs for details

Features

  • HedgeDoc now automatically retries connecting to the database up to 30 times on startup
  • This release introduces the csp.allowFraming config option, which controls whether embedding a HedgeDoc instance
    in other webpages is allowed. We strongly recommend disabling this option to reduce the risk of XSS attacks
  • This release introduces the csp.allowPDFEmbed config option, which controls whether embedding PDFs inside HedgeDoc
    notes is allowed. We recommend disabling this option if you don't use the feature, to reduce the attack surface of
    XSS attacks
  • Add additional environment variables to configure the database.
    This allows easier configuration in containerized environments, such as Kubernetes

Enhancements

  • Further improvements to the frontend build process, reducing the initial bundle size by 60%
  • Improve the error handling of the filesystem upload method
  • Improve the error message of failing migrations

Bugfixes

  • Fix crash when trying to read the current Git commit on startup
  • Fix endless loop on shutdown when HedgeDoc can't connect to the database
  • Ensure that all cookies are set with the secure flag, if HedgeDoc is loaded via HTTPS
  • Fix session cookies being created on calls to /metrics and /status
  • Fix incorrect creation of S3 endpoint domain (thanks to @matejc)
  • Remove CDN support, fixing inconsistencies in library versions delivered to the client
  • Fix font display issues when having some variants of fonts used by HedgeDoc installed locally
  • Fix links between slides not working
  • Fix Vimeo integration using a deprecated API

Miscellaneous

  • Removed MSSQL support, as migrations from 2018 are broken with SQL Server and nobody seems to use it

HedgeDoc 1.8.2

11 May 19:43
8b374d8
Compare
Choose a tag to compare

This release fixes two security issues. We recommend upgrading as soon as possible.

Security Fixes

HedgeDoc 1.8.1

06 May 20:41
3e836d8
Compare
Choose a tag to compare

Enhancements

  • Speed up yarn install in production mode (as performed by bin/setup) by marking frontend-only dependencies as dev-dependencies.
    This also reduces the size of the docker container
  • Speed up the frontend-build by using esbuild instead of terser to minify JavaScript
  • Improve behavior of the 'Quote', 'List', 'Unordered List' and 'Check List' buttons in the editor to automatically
    apply to the complete first and last line of the selection

Bugfixes

  • Correct the 1.8.0 release notes to state that CVE-2021-29475 has been fixed since HedgeDoc 1.5.0.
  • Fix crash on startup when useSSL or csp.upgradeInsecureRequests is enabled (thanks to @mdegat01 for reporting)
  • Automatically enable protocolUseSSL when useSSL is also enabled
  • Fix the 'Quote', 'List', 'Unordered List' and 'Check List' buttons in the editor to not duplicate content
    when only parts of a line are selected (thanks to @AnomalRoil for reporting)
  • Fix click handler for numbered task lists (thanks to @xoriade for reporting)