Wekan - Package Updates
-
[4.108.0]
- Update wekan to 9.06
- Full Changelog
- Docs: Update lxc commands.
- Docs: Added firewall config for Internet access from LXD Ubuntu container at Fedora Asahi Linux Remix, because building Linux arm64 .zip bundle of WeKan.
- Docs: Added Manual Parallel Snap.
- Fix Snap Candidate WRITABLE_PATH directory permissions at Parallel Snap file path /var/snap/wekan_SOMENAME/common/files/.
- Update version script and dependencies.
-
[4.109.0]
- Update wekan to 9.07
- Full Changelog
- This release fixes the following CRITICAL SECURITY ISSUES of AvatarBleed:
- Fix avatars rce. Thanks to Trung Nguyen from CyStack Security and xet7.
- Fix CleanDark theme. Thanks to stegoh.
- Thanks to above GitHub users for their contributions and translators for their translations.
-
[4.110.0]
- Update wekan to 9.34
- Move back to upstream release builds instead of source build
- Full Changelog
-
[4.111.0]
- Update wekan to 9.64
- Full Changelog
- Fixed ChecklistBleed: any authenticated user can write checklist data into a private board they are not a member of (cross-board write via collection allow rule)
- Fixed ProxyBleed: Header-login IP allowlist bypass via X-Forwarded-For spoofing allows unauthenticated full account takeover (incl. admin)
- Fixed TokenBleed: unauthenticated login-token minting via un-awaited auth check in
POST /api/createtoken/:userId - Fixed BoardBleed: Broken access control lets any authenticated user move their Cards/Lists/Swimlanes into a private board they are not a member of (cross-board write via collection allow rule)
- Added card dependency "Red Strings" / PI program board
- Greatly expanded board automation Rules
- Added Jira import
- Full right-to-left (RTL) UI for every page when an RTL language is selected
- Greatly improved import from Trello to WeKan
- Fixed SyncedCron crash
-
[4.112.0]
- Update wekan to 9.67
- Full Changelog
- Updated to Meteor 3.5-rc.2.
- Reworked confusing and unreliable list widths, #6409: a list now has one width instead of the old "min width / max width / automatic" trio, and it reliably persists across reloads (the render now drives the
--list-widthCSS variable the styles actually use, so a width no longer reverts toautoafter reload). - Fixed editing the 2nd/3rd organization or team in Admin Panel People always showing the FIRST one, #6411: on
/people, clicking Edit on any organization or team filled the form with the first one's values (so you could never edit the others). - Fixed REST API returning HTTP 500 with a stack trace for an invalid request, #5804: posting a comment without the required
commentparameter (or to a board that does not exist) returned an HTTP 500 error page. - Fixed selecting text in a checklist closing the card, #5686: selecting the text of a checklist item and releasing the mouse outside the card detail pane closed the card.
- Fixed list reordering throwing
403 Access deniedfor read-only members, #5462: read-only / comment-only board members could still drag-reorder lists, which fired a server write that allow/deny rejected with403 Access denied(the list then snapped back). - Threaded comment replies: card comments gain an optional
parentId; a "Reply" link links a new comment to its parent, rendered with an "in reply to" quote. Initial MVP (single-level visual threading). - Restrict board admins from editing/deleting other users' comments: new board setting
restrictCommentEditing(default off). When on, only a comment's author may edit/delete it; enforced server-side via collection hooks. - Fixed OIDC/OAuth2 "Log Out" redirecting to the identity provider home page instead of back to Wekan.
- Fixed boards not rendering at all (blank board view) after the mongodb/bson 7.3.0 dependency bump.
-
[4.113.0]
- Update wekan to 9.70
- Full Changelog
- Copying a card to or from a board with no labels threw
- Copying a board did not copy its webhooks, #5592
- Disabled user accounts could be added to boards, #1894
- Admin Panel boards report listed removed members as current members, #5122
- Could not remove a deleted user from a card's members, #4847
- A newly added board member was missing from the card members popup, #4965
- Performance: copying a card with many checklist items took minutes (#5688)
- Error when clicking the notification icon, #5325
- Board "show checklists on minicard" setting had no effect, #5565
- Can't edit a card's members in the UI after removing them via the REST API, #3697
-
[4.114.0]
- Update wekan to 9.73
- Full Changelog
- Mobile UI still too large at All Boards / iPhone 12 mini, #6426: the first revert only cleaned
boardsList.css, leaving the same forced "2x/3x bigger on mobile" rules inheader.cssandboardBody.cssand the iPhone card-details body text. Those are now neutralized to normal size too. Fixed in 219ee659e. - Drag-to-scroll (dragscroll) not working on the Login, Register and All Boards pages. Fixed in 219ee659e.
- Drag-to-scroll now works on every whole-page layout in both mobile and desktop modes. Fixed in 88f353dc1.
- Login / Register pages not scrollable on phones. Fixed in 4a7df3745.
- Fixed
api.pyaddcustomfieldtoboardcrashing on an emptysettingsargument. Fixed in 487cf3f96. - Sort, search and paginate the All Boards page, #5799: Added a Sort button, a board-name search box, and pagination of the board icons. Fixed in f74ccbc8f and c1da7a4a3.
- Fixed (same) width for all lists, #5729: the Set width popup now has a "Same width for all lists" toggle.
- Due date does not work when the language uses non-Latin (e.g. Persian/Farsi) digits, #5752: Added a
normalizeDigits()helper inimports/lib/dateUtils.js. - REST API: moving a card to another list (PUT .../cards/:cardId with listId) returned HTTP 500 "fieldNames.includes is not a function", #6423. Fixed in 69c899f1f.
- Notification emails were sent in English despite the user's language setting, #5875. Fixed in 22f996903.
-
[4.115.0]
- Update wekan to 9.77
- Full Changelog
- ScannerBleed: shell injection (RCE) via a malicious upload filename in the external antivirus scanner command path (GHSA-x3xm-pxrv-jg7p, CWE-78 OS Command Injection).
- DnsBleed SSRF filter bypass via DNS-resolving hostname in outgoing webhooks (GHSA-66m2-4wfr-c45p, CWE-918).
- ExcelBleed broken access control in the Excel-export REST route lets any authenticated user export any private board (GHSA-mwq8-ccpm-r533, CWE-862 / CWE-639).
- Fix notification emails linked to
/b/undefined/board/<cardId>instead of the real board - Fix thousands of unsolicited empty "Default" swimlanes created on some boards
- Reduce card flicker on drag by only writing changed fields on a card move
- Fix
DEFAULT_AUTHENTICATION_METHODenv var ignored, and Admin Panel Layout save hanging - Fix #5808: linking a card to another linked card made both cards inaccessible
- Fix the "Board not found" flicker (stale-while-revalidate for the client board cache)
- Update to Meteor 3.5.
-
[4.116.0]
- Update wekan to 9.79
- Full Changelog
- Fix #6439: Custom (drag order) sort on All Boards page now reorders via drag-and-drop
- Fix #6440: '+' add-item button on minicard checklist does nothing
- Fix #6441: label filter now applies board-wide across all swimlanes
- Fix flaky server-side Mocha test (i18n zh-CN "is not a spy")
- Fix "Internal Server Error" when signing up despite the account being created
- Fix can not add members to a Linked Card
- Fix can't search numbers in custom fields
- Fix "Removed nonexistent document" crash during notification_cleanup
- Fix impossible to select another board in rules
- Fix board disappeared after adding another user
-
[4.117.0]
- Update wekan to 9.80
- Full Changelog
- Admin Panel Domains table: pagination, column sort and search (like the Board Table view): The Admin Panel > People > Domains table loaded every domain (aggregated from all users) into the browser at once, with a fixed order and no search. It now behaves like the Board Table view: the server aggregates the domains and returns only one small page, so the whole list is never sent to the browser. You can order by the Domain or Users column (click the header to toggle ascending / descending, with a / indicator) and filter with a search box; prev/next controls page through the results. The search + sort + slice runs in the new pure, unit-tested
models/lib/domainTablePage.jsbehind a newgetDomainsWithUserCountsPageadmin method (server/models/users.js), and thedomainGeneraltemplate (client/components/settings/peopleBody.{jade,js,css}) is now self-contained and fetches only the current page. Covered bytests/domainTablePage.test.cjs. Thanks to xet7. - Verified and added a regression test for the board-invitation email language: Confirmed that a board-invitation email is localised in the existing recipient's own profile language, or when the invitee is a new account created by the invite in the inviter's profile language, defaulting to
en(en.i18n.json) when none is set. The behaviour was already correct; the language choice is now extracted into the pure, unit-testedmodels/lib/inviteEmailLanguage.jsused byinviteUserToBoard, and locked in bytests/inviteEmailLanguage.test.cjs. Thanks to xet7. - Linked-card minicard now shows the cover image of the real card: A linked card (created by "Link card to this card") on one board did not show the cover image of the real card it points at on another board, even though the card's other fields did. A linked card is only a placeholder its real content lives on the card at
linkedIdand every other minicard getter resolves through the real card (getTitle/getReceived/getDue/), but the cover helpers readthis.coverIddirectly, and a linked card has nocoverIdof its own. The real card's cover attachment is already published to the linking board (see the "linked cards" / "attachments for linked cards" children of theboardpublication), so this was purely a client-side resolution gap.Card.cover()and the minicardcover()helper now resolve the cover id through the real card via the pure, unit-testedmodels/lib/linkedCardCover.js; normal cards are unaffected. Covered bytests/linkedCardCover.test.cjs. Thanks to 32Dexter and xet7. - Fix date-picker calendar stays fully visible when opened low on a scrolled page: Opening a date field (due/start/end date, or a date custom field) low on the screen showed the calendar popup extending past the visible area, and because the pop-over is
position: absolute(document coordinates) scrolling to reach it moved the calendar along with the page, so the full calendar could never be seen (the workaround was to close it, drag the field to the center and reopen).Popup._getOffsetcomputed the space above/below the opener and the clampedtopfrom the opener's DOCUMENT offset mixed with the VIEWPORT height, ignoring the page scroll, so on a scrolled page the anchored popup landed outside the visible viewport. The geometry now runs in viewport coordinates (subtracting the page scroll) and clamps the popup fully within the visible viewport, then converts back to document coordinates for the absolute style; when the page is not scrolled the output is unchanged. Extracted the math into the pure, unit-testedclient/lib/popupOffset.js, used byclient/lib/popup.js. Covered bytests/popupOffset.test.cjs. Thanks to MarcusDger and xet7.
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login