Releases: hedgedoc/hedgedoc

HedgeDoc 1.9.8

04 Jun 19:38

Please note: This release dropped support for Node 14, which has been end-of-life since May 2023.
You now need at least Node 16 to run HedgeDoc. We recommend using the latest LTS release of Node.js.

This release switches to Yarn 3 for dependency management, as Yarn 1 has bugs preventing us from upgrading some dependencies.
If you install HedgeDoc manually, run bin/setup again for instructions. Other installation methods should not require
special actions.

Enhancements

  • Extend boolean environment variable parsing with other positive answers and case insensitivity
  • Allow setting of documentMaxLength via CMD_DOCUMENT_MAX_LENGTH environment variable (contributed by @jmallach)
  • Add dedicated healthcheck endpoint at /_health that is less resource intensive than /status
  • Compatibility with Node.js 18 and later
  • Add support for the arm64 architecture in the docker image
  • Add a config option to disable the /status and /metrics endpoints

Bugfixes

  • Fix that permission errors can break existing connections to a note, causing inconsistent note content and changes not being saved (contributed by @julianrother)
  • Fix speaker notes not showing up in the presentation view
  • Fix issues with upgrading some dependencies by upgrading to Yarn 3
  • Fix macOS compatibility of bin/setup script

Contributors

  • UwYFmLpoKtYn (translator)
  • Pub (translator)
  • SnowCode (translator)

HedgeDoc 1.9.7

19 Feb 21:44
cad64b4

Bugfixes

  • Fix note titles with special characters producing invalid file names in user export zip file
  • Fix night-mode toggle not working when page is loaded with night-mode enabled

Contributors

  • Francesco (translator)
  • Gabriel Santiago Macedo (translator)

HedgeDoc 1.9.6

06 Nov 22:13

Bugfixes

  • Fix migrations deleting all notes when SQLite is used

HedgeDoc 1.9.5

30 Oct 21:20

🚨 This release has a bug that leads to data loss when using SQLite.
We advise users of SQLite databases to skip this release and use 1.9.6. 🚨

Enhancements

  • Add dark mode toggle in mobile view
  • Replace embedding shortcode regexes with more specific ones to safeguard against XSS attacks

Bugfixes

  • Fix a crash when using LDAP authentication with custom search attributes (thanks to @aboettger-tuhh for reporting)
  • Fix a crash caused by a long note history when the MySQL database is used
  • Fix breaks option not being respected in the publish-view
  • Fix missing syntax highlighting in the markdown editor

Contributors

  • Bateausurleau (translator)
  • Goncalo (translator)
  • Ívarr Vinter (translator)
  • Oein0219 (translator)
  • Pol Dellaiera

HedgeDoc 1.9.4

10 Jul 20:14
bb12c64

Please note: This release dropped support for Node 12, which has been end-of-life since April 2022.
You now need at least Node 14.13.1 or Node 16 to run HedgeDoc. We don't support more recent versions of Node.

Enhancements

  • Remove unexpected shell call during migrations
  • More S3 config options: upload folder & public ACL (thanks to @lautaroalvarez)

Contributors

  • Al_x (translator)
  • Emmanuel Courreges (translator)
  • paranic (translator)
  • Quentin PAGÈS (translator)

HedgeDoc 1.9.3

10 Apr 20:24
7f09558

This release fixes a security issue. We recommend upgrading as soon as possible.

⚠️ Warning: If you deploy HedgeDoc and MariaDB with docker-compose using a checkout of our container repo, you will need to manually convert the character set of the database to utf8mb4 when updating. See the corresponding PR for more information.

Security Fixes

Enhancements

  • Libravatar avatars render as ident-icons when no avatar image was uploaded to Libravatar or Gravatar
  • Add database connection error message to log output
  • Allow SAML authentication provider to be named
  • Suppress error message when git binary is not found

Bugfixes

  • Fix error that Libravatar user avatars were not shown when using OAuth2 login
  • Fix bin/manage_users not accepting numeric passwords (thanks to @carr0t2 for reporting)
  • Fix visibility of modals for screen readers
  • Fix GitLab snippet export (thanks to @semjongeist for reporting)
  • Fix missing inline authorship colors (thanks to @EBendinelli for reporting)

Contributors

  • ced (translator)
  • deluxghost (translator)
  • Dennis Gaida
  • Michael Hauer (translator)
  • Moritz Schlarb
  • Mostafa Ahangarha (translator)
  • Sandro
  • Sergio Varela (translator)
  • Tạ Quang Khôi (translator)
  • Tiago Triques (translator)
  • tmpod (translator)
  • Uchiha Kakashi

HedgeDoc 1.9.2

03 Dec 20:13
0d8b251

Bugfixes

  • Fix error in the session handler when requesting /metrics or /status

HedgeDoc 1.9.1

02 Dec 21:24
d676008

This release increases the minimum required Node versions to 12.20.0, 14.13.1 and 16.
In general, only the latest releases of Node 12, 14 and 16 are officially supported by us; older minor versions can be dropped at any time.
We recommend you run HedgeDoc with the latest release of Node 16.

Bugfixes

  • Add workaround for incorrect CSP handling in Safari
  • Fix crash when an unexpected response from the GitLab API is encountered
  • Fix crash when using the Hungarian language

Contributors

  • AIAC (translator)
  • Danilo Bargen
  • Diem Duong (translator)
  • Gergely Polonkai (translator)
  • Nikola (translator)
  • ProttoyChakraborty
  • Sergio (translator)
  • Tiago Triques (translator)
  • Vincent Dusanek (translator)
  • Александр (translator)

HedgeDoc 1.9.0

13 Sep 20:29
98b0bf2

Security Fixes

  • CVE-2021-39175: XSS vector in slide mode speaker-view
  • This release removes Google Analytics and Disqus domains from our default Content Security Policy, because they were repeatedly used to exploit security vulnerabilities.
    If you want to continue using Google Analytics or Disqus, you can re-enable them in the config.
    See the docs for details

Features

  • HedgeDoc now automatically retries connecting to the database up to 30 times on startup
  • This release introduces the csp.allowFraming config option, which controls whether embedding a HedgeDoc instance in other webpages is allowed.
    We strongly recommend disabling this option to reduce the risk of XSS attacks
  • This release introduces the csp.allowPDFEmbed config option, which controls whether embedding PDFs inside HedgeDoc notes is allowed. We recommend disabling this option if you don't use the feature, to reduce the attack surface for XSS attacks
  • Add additional environment variables to configure the database.
    This allows easier configuration in containerized environments, such as Kubernetes

Enhancements

  • Further improvements to the frontend build process, reducing the initial bundle size by 60%
  • Improve the error handling of the filesystem upload method
  • Improve the error message of failing migrations

Bugfixes

  • Fix crash when trying to read the current Git commit on startup
  • Fix endless loop on shutdown when HedgeDoc can't connect to the database
  • Ensure that all cookies are set with the secure flag, if HedgeDoc is loaded via HTTPS
  • Fix session cookies being created on calls to /metrics and /status
  • Fix incorrect creation of S3 endpoint domain (thanks to @matejc)
  • Remove CDN support, fixing inconsistencies in library versions delivered to the client
  • Fix font display issues when having some variants of fonts used by HedgeDoc installed locally
  • Fix links between slides not working
  • Fix Vimeo integration using a deprecated API

Miscellaneous

  • Removed MSSQL support, as migrations from 2018 are broken with SQL Server and nobody seems to use it

Contributors

  • Bogdan Cuza (translator)
  • Heimen Stoffels (translator)
  • igg17 (translator)
  • Klorophatu (translator)
  • Martin (translator)
  • Matija (translator)
  • Matthieu Devillers (translator)
  • Mindaugas (translator)
  • Quentin Pagès (translator)

HedgeDoc 1.9.0 Release Candidate 1

29 Aug 16:06
ea7f21e
Pre-release

Security Fixes

  • CVE-2021-39175: XSS vector in slide mode speaker-view
  • This release removes Google Analytics and Disqus domains from our default Content Security Policy, because
    they were repeatedly used to exploit security vulnerabilities.
    If you want to continue using Google Analytics or Disqus, you can re-enable them in the config.
    See the docs for details

Features

  • HedgeDoc now automatically retries connecting to the database up to 30 times on startup
  • This release introduces the csp.allowFraming config option, which controls whether embedding a HedgeDoc instance
    in other webpages is allowed. We strongly recommend disabling this option to reduce the risk of XSS attacks
  • This release introduces the csp.allowPDFEmbed config option, which controls whether embedding PDFs inside HedgeDoc
    notes is allowed. We recommend disabling this option if you don't use the feature, to reduce the attack surface for
    XSS attacks
  • Add additional environment variables to configure the database.
    This allows easier configuration in containerized environments, such as Kubernetes

Enhancements

  • Further improvements to the frontend build process, reducing the initial bundle size by 60%
  • Improve the error handling of the filesystem upload method
  • Improve the error message of failing migrations

Bugfixes

  • Fix crash when trying to read the current Git commit on startup
  • Fix endless loop on shutdown when HedgeDoc can't connect to the database
  • Ensure that all cookies are set with the secure flag, if HedgeDoc is loaded via HTTPS
  • Fix session cookies being created on calls to /metrics and /status
  • Fix incorrect creation of S3 endpoint domain (thanks to @matejc)
  • Remove CDN support, fixing inconsistencies in library versions delivered to the client
  • Fix font display issues when having some variants of fonts used by HedgeDoc installed locally
  • Fix links between slides not working
  • Fix Vimeo integration using a deprecated API

Miscellaneous

  • Removed MSSQL support, as migrations from 2018 are broken with SQL Server and nobody seems to use it