HedgeDoc - Package Updates
-
You can use this thread to track updates to the HedgeDoc package.
Please open issues in a separate topic instead of replying here.
-
Pushed package v1.9.0 which updates the base image to 2.0.0
-
[1.10.0]
- Add forum url in manifest
-
[1.11.0]
- CodiMD is now HedgeDoc
- Update HedgeDoc to 1.7.0
- Full changelog
- Improvements to our cookie handling
- Compatibility with Node 14
- Translation updates
- Various dependency updates
-
[1.11.1]
- Update HedgeDoc to 1.7.1
- Full changelog
- CVE-2020-26286: Arbitrary file upload
- CVE-2020-26287: Stored XSS in mermaid diagrams
-
[1.11.2]
- Update HedgeDoc to 1.7.2
- Full changelog
- CVE-2021-21259: Stored XSS in slide mode - An attacker can inject arbitrary JavaScript into a HedgeDoc note.
-
[1.12.0]
- Update base image to v3
-
[1.12.1]
- Rename HMD env vars to CMD
- Move package files to
/app/pkg
-
[1.13.0]
- Update HedgeDoc to 1.8.0
- Full changelog
- CVE-2021-29474: Relative path traversal Attack on note creation
- Removed dependency on external imgur library
- HTML language tags are now set up in a way that stops Google Translate from translating note contents while editing
- Removed yahoo.com from the default content security policy
- New translations for Bulgarian, Persian, Galician, Hebrew, Hungarian, Occitan and Brazilian Portuguese
- Updated translations for Arabic, English, Esperanto, Spanish, Hindi, Japanese, Korean, Polish, Portuguese, Turkish and Traditional Chinese
- CVE-2021-21306: Underscore ReDoS in the marked library
-
[1.13.1]
- Update HedgeDoc to 1.8.1
- Full changelog
- Improve behavior of the 'Quote', 'List', 'Unordered List' and 'Check List' buttons in the editor to automatically apply to the complete first and last line of the selection
- Fix click handler for numbered task
-
[1.13.2]
- Update HedgeDoc to 1.8.2
- Full changelog
- CVE-2021-29503: Improper Neutralization of Script-Related HTML Tags in Notes
- Fix a potential XSS-vector in the handling of usernames and profile pictures
-
[1.14.0]
- Change default note permission for new installs to be
editable(matches upstream defaults)
- Change default note permission for new installs to be
-
[1.15.0]
- Update HedgeDoc to 1.9.0
- Full changelog
- CVE-2021-39175: XSS vector in slide mode speaker-view
- This release removes Google Analytics and Disqus domains from our default Content Security Policy, because they were repeatedly used to exploit security vulnerabilities.
If you want to continue using Google Analytics or Disqus, you can re-enable them in the config.
-
The next version is blocked by a known passport node module issue. Upstream already has a branch with fixes but we will just wait for a fixed official release.
-
[1.15.1]
- Update HedgeDoc to 1.9.2
- Full changelog
- Add workaround for incorrect CSP handling in Safari
- Fix crash when an unexpected response from the GitLab API is encountered
- Fix crash when using hungarian language
-
[1.15.2]
- Update base image to 3.2.0
-
[1.15.3]
- Update HedgeDoc to 1.9.3
- Full changelog
- Fix Enumerable upload file names
- Libravatar avatars render as ident-icons when no avatar image was uploaded to Libravatar or Gravatar
- Add database connection error message to log output
- Allow SAML authentication provider to be named
- Suppress error message when git binary is not found
-
[1.15.4]
- Update HedgeDoc to 1.9.4
- Full changelog
- Remove unexpected shell call during migrations
- More S3 config options: upload folder & public ACL (thanks to @lautaroalvarez)
-
[1.15.5]
- Change
allowFreeUrltoallowFreeURLin default config
- Change
-
[1.15.6]
- Update HedgeDoc to 1.9.5
- Full changelog
- Add dark mode toggle in mobile view
- Replace embedding shortcode regexes with more specific ones to safeguard against XSS attacks
-
[1.15.7]
- Update HedgeDoc to 1.9.6
- Full changelog
- Fix migrations deleting all notes when SQLite is used
-
[1.16.0]
- Update base image to 4.0.0
-
[1.16.1]
- Update HedgeDoc to 1.9.7
- Full changelog
- Fix note titles with special characters producing invalid file names in user export zip file
- Fix night-mode toggle not working when page is loaded with night-mode enabled
