v5.3.0

What's Changed

• Add SECURITY.md and SUPPORTED_VERSIONS.md — vulnerability reporting via GitHub private reporting; 5.x fully supported, 3.x bug & security fixes only by @Erikmitk
• Split PHP Code Scanning CI into separate PHPStan and PHPUnit jobs by @Erikmitk
• Security: replace master-secret-in-URL with stateless HMAC preview tokens by @Erikmitk
• Refactor: extract DpfDocumentLoader trait and add Metadata landing-page plugin by @Erikmitk
• FIS-API POST: reject invalid enum values with descriptive error by @Erikmitk
• FIS-API GET: always return array for list-mapped fields by @Erikmitk
• Fix BibTeX author split for multiline and separators by @Erikmitk
• Fix undefined index notice in BibTeX mandatory field check by @Erikmitk
• Remove DOI and PPN when duplicating a document by @Erikmitk
• Fix Dependabot auto-merge: use --rebase instead of --merge by @Erikmitk
• Add Dependabot config and auto-merge CI by @Erikmitk
• Bump phpstan/phpstan from 2.1.51 to 2.2.1
• Bump galbar/jsonpath from 1.3.1 to 3.0
• Bump symfony/polyfill-intl-idn from 1.33.0 to 1.38.1

Full Changelog: v5.2.2...v5.3.0

v3.2.0

What's Changed

• Add PHPStan static analysis (level 5, PHP 7.3 target) with baseline of pre-existing errors by @Erikmitk
• Add CI workflow running PHPStan and PHPUnit as independent jobs on push and PRs
• Generate initial composer.lock

Full Changelog: v3.1.22...v3.2.0

v3.1.21

v3.1.21

• Fix XXE injection vulnerabilities across all XML parsing call sites: add XPath::loadXml() and XPath::loadSimpleXml() helpers (LIBXML_NONET + entity loader disabled) and route all 25 call sites in 11 files through them
• Fix Dependabot auto-merge workflow: use --rebase instead of --merge

v3.1.18

New CLI commands

• dpf:resend-notification — resend new-document notification email to submitter and admin for a given process number; supports --to override for testing
• dpf:replace-file — replace or add file attachments for documents where the original upload exceeded the size limit; downloads from any URL (including password-protected Nextcloud shares via WebDAV), validates PDF magic bytes, updates title and label in DB; --add flag creates new secondary file records

v3.1.17

Changes

Features

• Request exact hit count from Elasticsearch — sets track_total_hits=true so result counts above 10 000 are displayed accurately instead of being capped at 10 000
• Extended search covers more metadata fields — subtitle, alternative/translated titles, contributor, translator, and reviewer are now matched in extended search queries
• Normalize numeric-only search input to PID — entering a bare document number (e.g. 96119) automatically prepends qucosa: before querying

Bug Fixes

• Fix parent METS cache invalidation when URN matches multiple Fedora objects — resolveFedoraPid previously used a full-text DC search that returned both the parent and all child documents referencing it; now filters by exact dc:identifier match so the parent's cache entry is correctly deleted on child publish/update

v3.1.16

Changes

Features

• Migrate Elasticsearch client from 1.x to 7.x — replaces the elasticsearch/elasticsearch PHP client (incompatible with Composer 1 after Packagist shutdown) with direct HTTP calls via the existing httpful library; no new dependencies required
• AND operator for fulltext query_string — search terms are now combined with AND instead of OR, producing more precise results

Bug Fixes

• Resolve parent URN to Fedora PID when invalidating METS cache — fixes cache invalidation for documents referenced by URN rather than PID

v3.1.14

Changelog

• Invalidate parent METS cache when child document is published

v3.1.13

What's Changed

• Use Fedora datastream label as filename for secondary attachments
• Make FilenameGenerator constants public and normalize FID-Move label

v3.1.12

Performance

• Reduce Fedora round trips for attachment requests: SLUB-INFO was fetched twice per request (access check + filename generation) — now fetched once and reused
• Cache SLUB-INFO and MODS datastreams in Redis DB 4 alongside existing METS cache (same TTL and config)
• Extend cache invalidation to cover slub-info:{pid} and mods:{pid} keys on document update/delete
• Add explicit 90s timeout to all internal Fedora file_get_contents() calls
• Switch get_headers() calls to HEAD method to avoid discarding response body

Security

• Fix XPath injection in SLUB-INFO downloadable check: $dsid (user-supplied attachment parameter) was interpolated directly into XPath query string, allowing bypass of per-file access control. Logic extracted to SlubInfoHelper::isDownloadable() with PHP-level string comparison instead
• Add format validation for qid (Fedora PID) and attachment (datastream ID) parameters at API entry point — rejects malformed input before any URL construction or cache key use
• Use hash_equals() for deliverInactive secret key comparison (timing-safe)

v5.2.2

What's Changed

• #2037: Fix accepting API-created suggestions fails by @Erikmitk
• #2007: Fix document update failing for migrated Fedora 3 documents by @Erikmitk
• Fix WoS plain-text import corrupting special characters by @Erikmitk
• Fix attribute-mapped fields losing values containing double quotes by @Erikmitk
• [TASK] Upgrade PHPStan 0.12→2.1, add baseline for pre-existing errors by @Erikmitk

Full Changelog: v5.2.1...v5.2.2