[3.1.0]
Update Rocket.Chat to 8.2.1
Full Changelog
(#39508 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
(#39517 by @dionisio-bot) Fixes SSRF validation for OAuth endpoints, which allows internal endpoints to be used during the auth flow.
This release focuses on security, stability, and usability improvements.
SSRF protection was strengthened by moving URL validation into the server-fetch package with built-in safeguards like internal IP blocking, DNS rebinding protection, stricter redirect handling, and optional safe overrides, plus a new workspace allowlist for specific domains, IPs, and ports.
The minimum supported MongoDB version was raised to 8.0 to improve the support matrix's stability.
Federation now includes an added validation layer that restricts usage to users with verified emails matching the configured domain.
OpenAPI documentation generation was improved to correctly handle multiple HTTP methods under the same endpoint path.
Apps-Engine now supports multiple file uploads, a new uploads.delete endpoint allows individual file deletion, and username formatting across the UI has been standardized to consistently include an @ prefix.
The release also delivers a broad set of reliability and security fixes. It resolves a persistent Enterprise plan active pop-up caused by a failing API request, ensures chat routing respects agent limits in microservices deployments, and adds a MongoDB TTL index to automatically expire statistics after one year to control storage growth.
Several Apps-Engine issues were addressed, including lost logs in nested requests and broken dynamic route parameters.
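The SSRF safeguards listed above (internal IP blocking, DNS rebinding protection, and a host/port allowlist) can be sketched as follows. This is an added example, not code from Rocket.Chat's server-fetch package; the function names, the "host" / "host:port" allowlist entry format, and the sample addresses in it are assumptions.

```javascript
// Added illustration, not Rocket.Chat's server-fetch code. All names are hypothetical.
const BLOCKED_V4 = [ // "this network", RFC 1918, CGNAT, loopback, link-local
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Strict dotted-quad IPv4 -> unsigned 32-bit integer, or null if not IPv4.
function v4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isInternal(ip) {
  let addr = ip.toLowerCase();
  const mapped = addr.startsWith('::ffff:'); // IPv4-mapped IPv6
  if (mapped) addr = addr.slice(7);
  const n = v4ToInt(addr);
  if (n === null) {
    if (mapped || !addr.includes(':')) return true; // unparsed form: fail closed
    // IPv6 loopback, unspecified, unique-local fc00::/7, link-local fe80::/10
    return addr === '::1' || addr === '::' || /^f[cd]/.test(addr) || /^fe[89ab]/.test(addr);
  }
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
  });
}

// `resolved` holds every address from ONE DNS lookup made by the caller.
// The caller must connect to `connectTo` instead of resolving again, so a
// second DNS answer cannot swap in an internal address (rebinding).
// Every redirect Location must pass through this same check before it is followed.
function checkOutbound(rawUrl, resolved, allowlist = []) {
  let u;
  try { u = new URL(rawUrl); } catch { return { ok: false, reason: 'invalid-url' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (resolved.length === 0) return { ok: false, reason: 'no-address' };
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  const host = u.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (allowlist.includes(host) || allowlist.includes(`${host}:${port}`)) {
    return { ok: true, connectTo: resolved[0], reason: 'allowlisted' };
  }
  const bad = resolved.find(isInternal); // one internal answer rejects the whole set
  if (bad) return { ok: false, reason: `internal:${bad}` };
  return { ok: true, connectTo: resolved[0], reason: 'public' };
}
```

An allowlist entry with a port only matches that port, so permitting an internal identity provider on one port does not open every other service on the same host.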