Releases: hedgedoc/hedgedoc
HedgeDoc 1.10.7
Bugfixes
- Random colors for user's cursors and selections are now always in hex format to avoid conversion errors
- Correctly close realtime connections if they disconnect during connection creation
- manage_users CLI does not silently drop errors
HedgeDoc 1.10.6
Security fixes
This release contains two medium severity security fixes:
- CVE-2026-25642 reports a bug where security headers for upload files were not set correctly.
- GHSA-672m-p72w-gw28 reports potential security issues with limited script execution in uploaded SVG files.
Thanks to @HUSEYNKHANLI and @drkim-dev for reporting!
Maintenance
- Dependency updates
- Enhancements in the documentation at docs.hedgedoc.org
Contributors
HedgeDoc 1.10.5
This release is just a fix for the docker container. It does not contain any
changes to HedgeDoc itself.
Bugfixes
- Fix the bundled healthcheck in the docker container
HedgeDoc 1.10.4
Security fixes
This release contains two low severity security fixes:
- GHSA-gmgw-rcmh-7x47 reports potential cross-site side-effects due to not applying sandboxing to iframes.
- CVE-2025-66629 reports a possible CSRF vulnerability when using certain social login providers because the
stateparameter is not used and checked.
Enhancements
- Add
enableUploads(CMD_ENABLE_UPLOADS) config option to restrict uploads toregisteredusers,allusers or
noneto completely disable uploads. - Allow links to protocols such as xmpp, webcal or geo
- Switch from deprecated shortid to nanoid module, with 10 character long aliases in "public" links
- Ensure compatibility with Node 24
- Protect user history from accidental or malicious deletion by adding a CSRF-like token
- Many enhancements in the documentation at docs.hedgedoc.org
Bugfixes
- Ignore the healthcheck endpoint in the "too busy" limiter
- Send the referrer origin for YouTube embeddings due to their requirement
- Force kill the server after a timeout when waiting for the realtime server to close connections on shutdown
- Secure iframes with
credentiallessandsandboxattributes - Fix regexes for
[time=...],[name=...]and[color=...]shortcodes in lists - Use
stateparameter for OAuth2 flows and PKCE where applicable
Node compatibility
- Support for Node 24 was verified. The docker image now uses Node 24 as its base image.
Contributors
HedgeDoc 1.10.3
d8b9402
ErikMichelson
Erik Michelson
Security fixes
This release fixes a security issue of a possible XSS exploit which can be planted via a malicous SVG file upload.
See CVE-2025-32391 for more details
Enhancements
- Add config options
CMD_SAML_WANT_ASSERTIONS_SIGNEDandCMD_SAML_WANT_AUTHN_RESPONSE_SIGNEDfor SAML auth, since
some instances didn't comply with the new defaults of@node-saml/passport-saml
HedgeDoc 1.10.2
PLEASE CHECK THIS IF YOU USE SAML AUTHENTICATION:
This release had to set default values for the username and email address attribute mapping for SAML authentication for
security reasons.
If you use SAML authentication, please make sure to update your SAML configuration accordingly.
See: https://docs.hedgedoc.org/configuration/#saml-login CMD_SAML_ATTRIBUTE_USERNAME or CMD_SAML_ATTRIBUTE_EMAIL
Bugfixes
- Check if a valid user id is present when using OAuth2
- Abort SAML login if NameID is undefined instead of logging in with a user named "undefined" (Thanks @Haanifee)
- Set default values for username and email attribute mapping in SAML configuration
HedgeDoc 1.10.1
This release fixes a security issue where brute-forcing local email/passwords is possible because of missing rate-limits.
We recommend upgrading as soon as possible, if you use local logins.
See also GHSA-6w39-x2c6-6mpf
This release changes the default configuration of the HSTS preload attribute to false for compliance with the
HSTS preload list requirements. This shouldn't impact any instance. However, if you intend to use HSTS preloading
you should enable the config setting hsts.preload to true or set environment variable CMD_HSTS_PRELOAD=true.
This release deprecates support for Node 18.
As the LTS support for 18 runs out in April 2025, the next release will only work with Node 20 and upwards.
Consider this your early warning to upgrade any running instances to at least Node 20.
Enhancements
- Add fixed rate-limiting to the login and register endpoints
- Add configurable rate-limiting to the new notes endpoint
Bugfixes
- Fix a crash when cannot read user profile in OAuth (#5850 by @lautaroalvarez)
- Fix CSP Header for mermaid embedded images (#5887 by @domrim)
- Change default of HSTS preload to false for compliance with the HSTS preload list requirements (#5913 by @SvizelPritula)
Contributors
HedgeDoc 2 Alpha 3
- This release requires at least Node 20.
- This release changed the database schema, so unfortunately you can't migrate directly from Alpha 2 to Alpha 3. We'll provide migrations from the 2.0 release onwards.
These are the most noteworthy changes in comparison to Alpha 2, but we worked on many more things under the hood too.
Features
- Allow to keep media uploads while deleting an owned note
- Support OpenID Connect/OAuth2 with or without auto-discover
- Support private S3/Azure buckets for media storage
- Media browser for uploads attached to a note
- Exports to GitHub Gist and GitLab snippets
Enchancements
- Show guest avatar when note owner is anonymous
- Re-add the editor mode buttons (view/both/edit)
- Use stronger password hashing algorithm (argon2id)
- Better handling of revisions
- Better in-app notifications
- More editor settings (spellcheck, indentation)
Bugfixes
- Use more consistent dark-mode theme
- Title gets correctly deleted, if the relevant information in the note are deleted
- Prevent a problem with emojis and the usage of
: - Fixed problems with the alias selection modal
If you're interested in the actual commits then take a look at
/v2.0.0-alpha.2.../v2.0.0-alpha.3
HedgeDoc 1.10.0
This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use
this database.
Please note: This release dropped support for Node 16, which is end-of-life since September 2023.
You now need at least Node 18 to run HedgeDoc. We recommend to use the latest LTS release of Node.js.
Security Fixes
Features
- Add
disableNoteCreationconfig option for read-only instances
Enhancements
- Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports.
- Compatibility with Node.js 22 is now checked in CI
Bugfixes
- Fix a crash when having numeric-only values in opengraph frontmatter
- Fix unnecessary session creation on healthcheck endpoint
- Fix invalid metadata being sent for minio uploads
- Fix screen readers announcing headings twice
- Fix a crash when receiving unexpected OAuth profile data
- Fix some cases of HedgeDoc not redirecting to the previous page after login
- Fix heading anchor links referencing an invalid URL
- Our
meta-markedpackage is now published to NPM, fixing some installation issues
Contributors
- Axel (translator)
- Eduard (translator)
- Jordi Mallach (translator)
- José M. (translator)
- Meskó Balázs (translator)
- TheInfamousToTo (translator)
- Tobias (translator)
- Úr Balázs (translator)
HedgeDoc 2 Alpha 2
Alpha 2 contains many fixes. The most notable ones are
- Fixed the loading of the markdown renderer in chromium based browsers
- Show an alert when a permission is overridden by another permission
- Guest Users are explicitly marked in the user list
- Code suggestions don't default to abc anymore
- Fixed the "maximum length exceeded" dialog not showing the maximal length
- Revision Viewer does not show a bug on the initial opening anymore
- Fixed text color on "note doesn't exist" screen in light mode
- Prevent automatic reload tries when a user looses permissions to access a note
Updating from Alpha 1 to Alpha 2 should be safe.
To update your setup, change the image tag for the frontend and the backend container in your docker-compose.yml to "2.0.0-alpha.2"
If you're interested in the actual commits then take a look at
/v2.0.0-alpha.1.../v2.0.0-alpha.2