Rocket.Chat - Package Updates

Package Updates

[2.75.2]

• Update Rocket.Chat to 7.12.2
• Full Changelog
• Bump @rocket.chat/meteor version.
• (#37540 by @dionisio-bot) Fixes an issue where user-agent is not properly extracted from the DDP connection headers
• (#37520 by @dionisio-bot) Fixes client slowdown for users with large amount of channels

Package Updates

[2.76.0]

• Update Rocket.Chat to 7.13.1
• Full Changelog
• This release introduces foundational infrastructure for upcoming Attribute-Based Access Control (ABAC), with the key addition being the ability for admins to create, edit, and delete room attributes that will later power ABAC rules.
• The batch of fixes in this release improves stability across voice, teams, security, and UI.
• (#​37327) Adds complexity requirements to end-to-end encryption passphrase
• (#​36807 by @​tiagoevanp) Adds a deletedRooms field to the users.delete endpoint response, indicating which rooms were deleted as part of the user deletion process.
• (#​37547) Adds the getUserRoomIds method to the UserRead accessor in the Apps-Engine, graduating it from the experimental bridge to the stable user bridge.
• (#​37368) Allows users to enable TOTP-based two factor authentication without requiring a verified email address.
• (#​37119 by @​ergot-rp) Adds missing legend for fieldset in profile page to meet WCAG compliance
• (#​37524) Moves the expandable message composer out of feature preview
• (#​37378) Introduces in-chat messages for when a voice call ends
• (#​37276) Disables the delete message confirmation button to prevent the action from being triggered while the request is in progress

Package Updates

[2.76.1]

• Update Rocket.Chat to 7.13.2
• Full Changelog
• Bump @​rocket.chat/meteor version.
• (#​37876 by @​dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
• (#​37883 by @​dionisio-bot) Ensures presence stays accurate by refreshing connections on heartbeats and removing stale sessions.

Package Updates

[2.76.2]

• Update Rocket.Chat to 7.13.3
• Full Changelog
• Bump @rocket.chat/meteor version.

Package Updates

[3.0.0]

• Update Rocket.Chat to 8.1.1
• Full Changelog
• This release introduces a wide set of breaking changes focused on removing deprecated, end-of-life, and legacy functionality.
• Support for MongoDB 5.0 and 6.0 has been discontinued, and workspaces must upgrade to MongoDB 8.2 before moving to Rocket.Chat v8.0.0, with a full backup strongly recommended.
• Several services, settings, and integrations have been removed, including Streamhub, database watchers, Tokenpass OAuth, Mobex and VoxTelesys SMS integrations, second-layer transport encryption, built-in logging tools, legacy Game Center and WebRTC Livechat calls, Off-the-Record messaging, Omnichannel Voice and Current Chats, and the old FreeSwitch-based VoIP architecture.
• Twilio is now the only supported SMS provider, and admins are expected to rely on the official Prometheus and Grafana monitoring stack for observability.
• On the API side, the /v1/users.createToken and /v1/e2e.updateGroupKey endpoints have been undeprecated, with added security requirements for token creation.
• Overall, this release cleans up long-standing deprecated features and shifts workspaces toward modern, supported alternatives, with full details available in the Deprecated and phasing out features documentation.

girish

Update to 8.2.0 is blocked by https://github.com/rocketchat/rocket.chat/issues/39328 . Submitted a PR - https://github.com/RocketChat/Rocket.Chat/pull/39497

Package Updates

[3.1.0]

• Update Rocket.Chat to 8.2.1
• Full Changelog
• (#​39508 by @​dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
• (#​39517 by @​dionisio-bot) Fixes ssrf validation for oauth endpoints, which allows internal endpoints to be used during the auth flow.
• This release focuses on security, stability, and usability improvements.
• SSRF protection was strengthened by moving URL validation into the server-fetch package with built-in safeguards like internal IP blocking, DNS rebinding protection, stricter redirect handling, and optional safe overrides, plus a new workspace allowlist for specific domains, IPs, and ports.
• The minimum supported MongoDB version was raised to 8.0 to improve the support matrix's stability.
• Federation now includes an added validation layer that restricts usage to users with verified emails matching the configured domain.
• OpenAPI documentation generation was improved to correctly handle multiple HTTP methods under the same endpoint path.
• Apps-Engine now supports multiple file uploads, a new uploads.delete endpoint allows individual file deletion, and username formatting across the UI has been standardized to consistently include an @​ prefix.
• The release also delivers a broad set of reliability and security fixes. It resolves a persistent Enterprise plan active pop-up caused by a failing API request, ensures chat routing respects agent limits in microservices deployments, and adds a MongoDB TTL index to automatically expire statistics after one year to control storage growth.
• Several Apps-Engine issues were addressed, including lost logs in nested requests and broken dynamic route parameters.