Cloudron Forum

[3.4.0] Update Rocket.Chat to 8.5.0 Full Changelog Swap usage of internal @rocket.chat/apps-engine internal APIs to @rocket.chat/apps package Adds 4 new permissions (assigned to admins by default) to control the visibility of each tab inside the ABAC Administration panel Adds new API endpoints custom-sounds.create and custom-sounds.update to manage custom sounds with strict file validation for size and specific MIME types to ensure system compatibility. Adds a new "Drafts" group to the sidebar, providing quick access to all rooms with unfinished messages. Ensures OAuth tokens are cleaned up after user deactivation Fixes an issue where thread content would disappear after clicking "Jump to recent messages". Fixes the users.presence endpoint returning an empty array when called with multiple comma-separated IDs, caused by ajvQuery coercing the string into a single-element array after the OpenAPI migration Ensures the visitor token is not present in the visitors.info response Sanitizes image URLs in rendered messages to block javascript:, data:, and vbscript: schemes matching the protection already applied to markdown links. Defense-in-depth against XSS via crafted markdown like . Fixes action buttons added by apps being rendered in the Marketplace Menu rather than the User Menu

[2.29.0] Update NodeBB to 4.13.0 Full Changelog add core blocklist for domain management (fe48222) add filter option to categorization rules for post queue gating (dfb108e) add severity 3 (filter) queuing for blocklisted posts (80f40ae) cross-check received payload against received digest header if present (590ac68) upgrade to fa7 (4eec1d7) prevent XSS via intent templates and plugin upgrade bypass (2ba4119) reject POST requests without HTTP signature header (c4b9d03) anchor actor/uid passthrough regexes to prevent inbox bypass (6fcc344) replace user lockout with per-IP rate limit for RSS token failures (#14329) (bdac7a7) dont allow returning notifications by nid (fb3a905)

[3.50.0] Update openproject to 17.5.0 Full Changelog Feature: Exclude certain work package types from automated backlog (per project) [#71305] Feature: Jira Migrator imports project-based semantic issue identifiers [#72427] Feature: Jira Migrator supports due date, estimated hours and remaining hours. [#74807] Feature: Meeting series: Add monthly scheduling options [#61522] Feature: Debounce emails for meetings [#66645] Feature: Workflows UX improvement: Allow multi-selection of roles in workflow [#72242] Feature: Bring sprint sharing (SAFe) to corporate plan [#74147] Bugfix: POST/PATCH/DELETE requests to APIv3 return unauthorized [#73499] Bugfix: Nextcloud integration shows "No connection to Nextcloud" for folders that have "&" in the name [#73855] Bugfix: Wrong calendar week in My time tracking [#68272]

[2.54.0] Update kimai to 2.60.0 Full Changelog Added options to allow watermark-text and watermark-image in PDF (not allowed for PDFa/PDFx) usable in twig templates e.g. to define a background image Translations update from Hosted Weblate (#5973) Added missing "default user" in invoice archive query (fixes invisible filter) (#5971) Improve whitespace handling in Search term parser (#5977) - thanks @tikket1

[3.14.3] Update metabase to 0.61.4.3 Full Changelog

[1.52.2] Update chatwoot to 4.14.2 Full Changelog Help Center search and per-locale portal branding. WhatsApp voice messages and improved Twilio call controls. Processing status for one-off SMS and WhatsApp campaigns. Contact filter for conversations and inline images in messages. Resizable table columns and article editor improvements. Companies enabled for Business cloud plans. Onboarding OAuth return flows and Help Center generation status. Inbox API docs, attachment docs, and richer webhook payloads. Reliability fixes across email, Facebook, Instagram, WhatsApp, widgets, and webhooks. Security and platform updates for Puma, OAuth dependencies, SafeFetch, and Vite.

[1.37.15] Update uv to 0.11.20

[1.25.0] Update evcc to 0.309.0 Full Changelog Add long-lived api key (BC) (#29431) Refactor dim/curtail handling- split hems and circuit (BC) (#30284) Add HoldCharge battery mode (#27906) Add OCPP forwarder (#29154) AlphaESS: add returnEnergy support (#30568) Vehicle: add climaterdisabled feature (#30610) Deye: fix energy and power, add returnenergy and voltages (#30691) GoodWe: fix wallbox RFID register and phase-type detection (#30667) Vehicle (SAIC/MG): fix missing SoC for idle vehicles (#30603) Warp: fix phase switching for WARP2+Energy Manager and WARP3 (#30460)

[1.5.17] Update mirotalkbro to 1.3.33

[1.2.2] Update forgejo to 15.0.3 Full Changelog

[4.10.1] Update etherpad-lite to 3.3.1 Full Changelog Pad editor escape and integer-coerce the numbered-list start attribute (GHSA-f7h5-v9hm-548j, #7937). A crafted <ol start> value flowed unescaped into domline.ts, a distinct client-side sink from the export-path fix in 3.3.0's #7905. The value is now integer-coerced and HTML-escaped before it reaches the DOM. A jsdom regression test covers the sink. Skin paint the root canvas so iOS dark mode has no white status bar (#7606 / #7931). iOS Safari paints the top safe area from the html root background, which theme-color (an Android address-bar hint) does not affect, so dark-mode pads showed a white status-bar strip on iOS. Colibris now sets the root background and color-scheme so the safe area matches the editor. Settings show the detected language in the dropdown (#7925 / #7928). The settings language <select> did not reflect the language Etherpad had actually auto-detected; it now shows the active selection. Pad don't issue a deletion token (or show its modal) when allowPadDeletionByAllUsers is on (#7929). With pad deletion open to all users the client still minted a deletion token and surfaced the confirm modal; both are now suppressed in that configuration. Admin one unreadable pad no longer empties the Manage-pads list (#7935 / #7938). A single pad that failed to read could throw out of the list-hydration path and blank the entire admin Manage-pads view; the read is now guarded per-pad so the rest of the list still renders. ueberdb2 6.1.8 6.1.9 PostgreSQL pool errors are now handled and TCP keep-alive is enabled (fixes #7878), and the Redis and RethinkDB drivers attach connection-error handlers so a dropped database connection no longer crashes the Etherpad process. semver 7.8.2 7.8.3 (#7933), rate-limiter-flexible 11.1.1 11.2.0 (#7934), plus a dev-dependencies group update (#7932).

[4.29.1] Update n8n to 2.25.7 Full Changelog editor: Use workflow-scoped credential fetch in node credential picker (#31989) (c67d1fc)

[1.116.2] Update gitlab-foss to 19.0.2 Make CI cache limit per job configurable by admins Allow job token basic auth for generic package upload Add fat manifest types to container registry Accept Ensure uploads.id has the correct default Patching deployment bigint swap for missing index