HedgeDoc - Package Updates
-
Latest release was reverted https://community.hedgedoc.org/t/new-hedgedoc-1-x-release/1908
-
Turns out it was a false alarm , so the release is back
-
[1.20.1]
- CLOUDRON_OIDC_PROVIDER_NAME implemented
-
[1.20.2]
- Update hedgedoc to 1.10.1
- Full Changelog
- Add fixed rate-limiting to the login and register endpoints
- Add configurable rate-limiting to the new notes endpoint
- Fix a crash when cannot read user profile in OAuth (#5850 by @lautaroalvarez)
- Fix CSP Header for mermaid embedded images (#5887 by @domrim)
- Change default of HSTS preload to false for compliance with the HSTS preload list requirements (#5913 by @SvizelPritula)
- Dominik Rimpf
- Lautaro Alvarez
-
[1.20.3]
- Update hedgedoc to 1.10.2
- Full Changelog
- Check if a valid user id is present when using OAuth2
- Abort SAML login if NameID is undefined instead of logging in with a user named "undefined" (Thanks @Haanifee)
- Set default values for username and email attribute mapping in SAML configuration
-
[1.21.0]
- Update base image to 5.0.0
-
[1.21.1]
- Update hedgedoc to 1.10.3
- Full Changelog
- This release fixes a security issue of a possible XSS exploit which can be planted via a malicous SVG file upload.
- See GHSA-3983-rrqh-mvx5 for more details
- Add config options
CMD_SAML_WANT_ASSERTIONS_SIGNEDandCMD_SAML_WANT_AUTHN_RESPONSE_SIGNEDfor SAML auth, since - some instances didn't comply with the new defaults of
@node-saml/passport-saml
-
[1.21.2]
- Update hedgedoc to 1.10.5
- Full Changelog
- Fix the bundled healthcheck in the docker container
- GHSA-gmgw-rcmh-7x47 reports potential cross-site side-effects due to not applying sandboxing to iframes.
- GHSA-6wm6-3vpq-6qvv reports a possible CSRF vulnerability when using certain social login providers because the
stateparameter is not used and checked. - Add
enableUploads(CMD_ENABLE_UPLOADS) config option to restrict uploads toregisteredusers,allusers or - Allow links to protocols such as xmpp, webcal or geo
- Switch from deprecated shortid to nanoid module, with 10 character long aliases in "public" links
- Ensure compatibility with Node 24
- Protect user history from accidental or malicious deletion by adding a CSRF-like token
- Many enhancements in the documentation at docs.hedgedoc.org
- Ignore the healthcheck endpoint in the "too busy" limiter
- Send the referrer origin for YouTube embeddings due to their requirement
-
[1.21.3]
- Update hedgedoc to 1.10.6
- Full Changelog
- GHSA-x74j-jmf9-534w reports a bug where security headers for upload files were not set correctly.
- GHSA-672m-p72w-gw28 reports potential security issues with limited script execution in uploaded SVG files.
-
[1.21.4]
- Update hedgedoc to 1.10.7
- Full Changelog
- Random colors for user's cursors and selections are now always in hex format to avoid conversion errors
- Correctly close realtime connections if they disconnect during connection creation
- manage_users CLI does not silently drop errors
