# Release Notes

## <i class="fa fa-tag"></i> 1.9.5 <i class="fa fa-calendar-o"></i> 2022-10-30

### Enhancements

- Add dark mode toggle in mobile view
- Replace embedding shortcode regexes with more specific ones to safeguard against XSS attacks

### Bugfixes

- Fix a crash when using LDAP authentication with custom search attributes (thanks to [@aboettger-tuhh](https://github.com/aboettger-tuhh) for reporting)
- Fix a crash caused by a long note history when the MySQL database is used
- Fix `breaks` option not being respected in the publish-view
- Fix missing syntax highlighting in the markdown editor

### Contributors

- Bateausurleau (translator)
- Goncalo (translator)
- Ívarr Vinter (translator)
- Oein0219 (translator)
- [Pol Dellaiera](https://github.com/drupol)

## <i class="fa fa-tag"></i> 1.9.4 <i class="fa fa-calendar-o"></i> 2022-07-10

**Please note:** This release dropped support for Node 12, which has been end-of-life since April 2022. You now need at least Node 14.13.1 or Node 16 to run HedgeDoc. We don't support more recent versions of Node.

### Enhancements

- Remove unexpected shell call during migrations
- More S3 config options: upload folder & public ACL (thanks to [@lautaroalvarez](https://github.com/lautaroalvarez))

### Contributors

- Al_x (translator)
- Emmanuel Courreges (translator)
- paranic (translator)
- Quentin PAGÈS (translator)

## <i class="fa fa-tag"></i> 1.9.3 <i class="fa fa-calendar-o"></i> 2022-04-10

This release fixes a security issue. We recommend upgrading as soon as possible.

⚠️ **Warning:** If you deploy HedgeDoc and MariaDB with docker-compose using a checkout of our [container repo](https://github.com/hedgedoc/container), you will need to manually convert the character set of the database to utf8mb4 when updating. See the [corresponding PR](https://github.com/hedgedoc/container/pull/287) for more information.

### Security Fixes

- Fix [Enumerable upload file names](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-q6vv-2q26-j7rx)

### Enhancements

- Libravatar avatars render as ident-icons when no avatar image was uploaded to Libravatar or Gravatar
- Add database connection error message to log output
- Allow SAML authentication provider to be named
- Suppress error message when `git` binary is not found

### Bugfixes

- Fix error that Libravatar user avatars were not shown when using OAuth2 login
- Fix `bin/manage_users` not accepting numeric passwords (thanks to [@carr0t2](https://github.com/carr0t2) for reporting)
- Fix visibility of modals for screen readers
- Fix GitLab snippet export (thanks to [@semjongeist](https://github.com/semjongeist) for reporting)
- Fix missing inline authorship colors (thanks to [@EBendinelli](https://github.com/EBendinelli) for reporting)

### Contributors

- ced (translator)
- deluxghost (translator)
- [Dennis Gaida](https://github.com/DennisGaida)
- Michael Hauer (translator)
- [Moritz Schlarb](https://github.com/moschlar)
- Mostafa Ahangarha (translator)
- [Sandro](https://github.com/SuperSandro2000)
- Sergio Varela (translator)
- Tạ Quang Khôi (translator)
- Tiago Triques (translator)
- tmpod (translator)
- [Uchiha Kakashi](https://github.com/licy183)

## <i class="fa fa-tag"></i> 1.9.2 <i class="fa fa-calendar-o"></i> 2021-12-03

### Bugfixes

- Fix error in the session handler when requesting `/metrics` or `/status`

## <i class="fa fa-tag"></i> 1.9.1 <i class="fa fa-calendar-o"></i> 2021-12-02

This release increases the minimum required Node versions to `12.20.0`, `14.13.1` and `16`. In general, only the latest releases of Node 12, 14 and 16 are officially supported by us; older minor versions can be dropped at any time. We recommend you run HedgeDoc with the latest release of Node 16.

### Bugfixes

- Add workaround for incorrect CSP handling in Safari
- Fix crash when an unexpected response from the GitLab API is encountered
- Fix crash when using Hungarian language

### Contributors

- AIAC (translator)
- [Danilo Bargen](https://github.com/dbrgn)
- Diem Duong (translator)
- Gergely Polonkai (translator)
- Nikola (translator)
- [ProttoyChakraborty](https://github.com/ProttoyChakraborty)
- Sergio (translator)
- Tiago Triques (translator)
- Vincent Dusanek (translator)
- Александр (translator)

## <i class="fa fa-tag"></i> 1.9.0 <i class="fa fa-calendar-o"></i> 2021-09-13

### Security Fixes

- [CVE-2021-39175: XSS vector in slide mode speaker-view](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697)
- This release removes the Google Analytics and Disqus domains from our default Content Security Policy, because they were repeatedly used to exploit security vulnerabilities. If you want to continue using Google Analytics or Disqus, you can re-enable them in the config. See [the docs](https://docs.hedgedoc.org/configuration/#web-security-aspects) for details

### Features

- HedgeDoc now automatically retries connecting to the database up to 30 times on startup
- This release introduces the `csp.allowFraming` config option, which controls whether embedding a HedgeDoc instance in other webpages is allowed. We **strongly recommend disabling** this option to reduce the risk of XSS attacks
- This release introduces the `csp.allowPDFEmbed` config option, which controls whether embedding PDFs inside HedgeDoc notes is allowed. We recommend disabling this option if you don't use the feature, to reduce the attack surface for XSS attacks
- Add additional environment variables to configure the database. This allows easier configuration in containerized environments, such as Kubernetes

### Enhancements

- Further improvements to the frontend build process, reducing the initial bundle size by 60%
- Improve the error handling of the `filesystem` upload method
- Improve the error message of failing migrations

### Bugfixes

- Fix crash when trying to read the current Git commit on startup
- Fix endless loop on shutdown when HedgeDoc can't connect to the database
- Ensure that all cookies are set with the `secure` flag if HedgeDoc is loaded via HTTPS
- Fix session cookies being created on calls to `/metrics` and `/status`
- Fix incorrect creation of S3 endpoint domain (thanks to [@matejc](https://github.com/matejc))
- Remove CDN support, fixing inconsistencies in library versions delivered to the client
- Fix font display issues when some variants of fonts used by HedgeDoc are installed locally
- Fix links between slides not working
- Fix Vimeo integration using a deprecated API

### Miscellaneous

- Removed MSSQL support, as migrations from 2018 are broken with SQL Server and nobody seems to use it

### Contributors

- Bogdan Cuza (translator)
- Heimen Stoffels (translator)
- igg17 (translator)
- Klorophatu (translator)
- Martin (translator)
- Matija (translator)
- Matthieu Devillers (translator)
- Mindaugas (translator)
- Quentin Pagès (translator)

## <i class="fa fa-tag"></i> 1.8.2 <i class="fa fa-calendar-o"></i> 2021-05-11

This release fixes two security issues. We recommend upgrading as soon as possible.

### Security Fixes

- [CVE-2021-29503: Improper Neutralization of Script-Related HTML Tags in Notes](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq)
- Fix a potential XSS vector in the handling of usernames and profile pictures

## <i class="fa fa-tag"></i> 1.8.1 <i class="fa fa-calendar-o"></i> 2021-05-06

### Enhancements

- Speed up `yarn install` in production mode (as performed by `bin/setup`) by marking frontend-only dependencies as dev-dependencies. This also reduces the size of the docker container
- Speed up the frontend build by using `esbuild` instead of `terser` to minify JavaScript
- Improve behavior of the 'Quote', 'List', 'Unordered List' and 'Check List' buttons in the editor to automatically apply to the complete first and last line of the selection

### Bugfixes

- Correct the 1.8.0 release notes to state that CVE-2021-29475 has been fixed since HedgeDoc 1.5.0
- Fix crash on startup when `useSSL` or `csp.upgradeInsecureRequests` is enabled (thanks to [@mdegat01](https://github.com/mdegat01) for reporting)
- Automatically enable `protocolUseSSL` when `useSSL` is also enabled
- Fix the 'Quote', 'List', 'Unordered List' and 'Check List' buttons in the editor to not duplicate content when only parts of a line are selected (thanks to [@AnomalRoil](https://github.com/AnomalRoil) for reporting)
- Fix click handler for numbered task lists (thanks to [@xoriade](https://github.com/xoriade) for reporting)

## <i class="fa fa-tag"></i> 1.8.0 <i class="fa fa-calendar-o"></i> 2021-05-03

This release fixes multiple security issues. We recommend upgrading as soon as possible.

**Please note:** This release dropped support for Node 10, which has been end-of-life since April 2021. You now need at least Node 12 to run HedgeDoc, but we recommend running [the latest LTS release](https://nodejs.org/en/about/releases/).

### Security Fixes

- [CVE-2021-29474: Relative path traversal attack on note creation](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87)
- [CVE-2021-21306: Underscore ReDoS](https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96) in the `marked` library. This issue allowed an attacker to hang HedgeDoc by inserting a malicious string into a note. Thanks to Ralph Krimmel for reporting!

We also published an advisory for [CVE-2021-29475: PDF export allows arbitrary file reads](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pxxg-px9v-6qf3), which has already been fixed since HedgeDoc 1.5.0.

### Features

- Database migrations are now automatically applied on application startup. The separate `.sequelizerc` configuration file is no longer necessary and can be safely deleted
- A Prometheus endpoint is now available at `/metrics`, exposing the same stats as `/status` in addition to various Node.js performance figures
- Add a config option to require authentication in FreeURL mode ([#755](https://github.com/hedgedoc/hedgedoc/pull/755) by [@nidico](https://github.com/nidico))

### Enhancements

- Removed dependency on external imgur library
- HTML language tags are now set up in a way that stops Google Translate from translating note contents while editing
- Removed `yahoo.com` from the default content security policy
- New translations for Bulgarian, Persian, Galician, Hebrew, Hungarian, Occitan and Brazilian Portuguese.
  Updated translations for Arabic, English, Esperanto, Spanish, Hindi, Japanese, Korean, Polish, Portuguese, Turkish and Traditional Chinese.
  Thanks to all translators!
- Various dependency updates

### Bugfixes

- Improve readability of diagrams & embeddings in night mode
- Use the default template for new notes in FreeURL mode
- Fix frontend crash in slide mode if no `slideOptions` are present in the frontmatter
- Return 404 on the `/download` route for non-existent notes in FreeURL mode
- Properly clean up the UNIX socket on application exit
- Don't overwrite existing notes on POST requests to `/new/<alias>` in FreeURL mode

### Contributors

- Amit Upadhyay (translator)
- Atef Ben Ali (translator)
- Edi Feschiyan (translator)
- Gabriel Santiago Macedo (translator)
- Longyklee (translator)
- Nika. zhenya (translator)
- [Nicolas Dietrich](https://github.com/nidico)
- Nis (translator)
- rogerio-ar-costa (translator)
- sanami (translator)
- Tom Dereszynski (translator)
- 상규 (translator)
- uıʞǝʇuɐϽ (translator)
- UwYFmLpoKtYn (translator)

## <i class="fa fa-tag"></i> 1.7.2 <i class="fa fa-calendar-o"></i> 2021-01-15

This release fixes a security issue. We recommend upgrading as soon as possible.

### Security Fixes

- [CVE-2021-21259: Stored XSS in slide mode](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-44w9-vm8p-3cxw). An attacker can inject arbitrary JavaScript into a HedgeDoc note.

### Bugfixes

- Ensure the last line of the markdown editor is not covered by the status bar (thanks to [@mhdrone](https://github.com/mhdrone) for reporting!)

## <i class="fa fa-tag"></i> 1.7.1 <i class="fa fa-calendar-o"></i> 2020-12-27

This release fixes two security issues. We recommend upgrading as soon as possible.

### Security Fixes

- [CVE-2020-26286: Arbitrary file upload](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc). An unauthenticated attacker can upload arbitrary files to the upload storage backend.
- [CVE-2020-26287: Stored XSS in mermaid diagrams](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p). An attacker can inject arbitrary script tags in HedgeDoc notes using mermaid diagrams.

## <i class="fa fa-tag"></i> 1.7.0 <i class="fa fa-calendar-o"></i> 2020-12-21

We have renamed to HedgeDoc! Many thanks to [Éric Gaspar](https://github.com/ericgaspar/) who designed our new logo! Have a look at our new website (which also explains the reasoning behind the renaming) at https://hedgedoc.org

This is probably the last release in the 1.x series. Stay tuned for 2.0, scheduled for release next year.

**Please note:** This release dropped support for Node 8, which has been end-of-life since January 2020. You now need at least Node 10.13 to run HedgeDoc, but we recommend running [the latest LTS release](https://nodejs.org/en/about/releases/).

**Please note:** If you use a reverse proxy and TLS, make sure it sets the `X-Forwarded-Proto` header correctly, otherwise you will encounter login issues. [Our docs](https://github.com/hedgedoc/hedgedoc/blob/72734690225bb431908b0d4bd8edf38576a95f2f/docs/setup/reverse-proxy.md#reverse-proxy-config) have example configs for common reverse proxies.

### Enhancements

- Our release tarballs now contain the frontend bundle. This saves users from building the frontend themselves, which was an issue on memory-constrained systems.
- Add OIDC scopes for email & profile retrieval ([#278](https://github.com/hedgedoc/hedgedoc/pull/278) & [#419](https://github.com/hedgedoc/hedgedoc/pull/419) by [@elespike](https://github.com/elespike) & [@vberger](https://github.com/vberger))
- Allow setting a SAML client certificate ([#350](https://github.com/hedgedoc/hedgedoc/pull/350) by [@n0emis](https://github.com/n0emis) & [@em0lar](https://github.com/em0lar))
- Add YunoHost docs ([#431](https://github.com/hedgedoc/hedgedoc/pull/431) by [@ericgaspar](https://github.com/ericgaspar))
- Set OAuth2 `state` parameter ([#407](https://github.com/hedgedoc/hedgedoc/pull/407) & [#541](https://github.com/hedgedoc/hedgedoc/pull/541) by [@dalcde](https://github.com/dalcde) & [@haslersn](https://github.com/haslersn))
- Various documentation improvements (by [@oupala](https://github.com/oupala), [@autra](https://github.com/autra) & [@AdamWorley](https://github.com/AdamWorley))
- Add migration script for minio ([#499](https://github.com/hedgedoc/hedgedoc/pull/499) by [@pierreozoux](https://github.com/pierreozoux))
- Add authorization for OAuth ([#595](https://github.com/hedgedoc/hedgedoc/pull/595) by [@joachimmathes](https://github.com/joachimmathes))
- Improvements to our cookie handling
- Compatibility with Node 14
- Translation updates
- Various dependency updates

### Bugfixes

- Fix compatibility with upper-case MIME types ([#509](https://github.com/hedgedoc/hedgedoc/pull/509) by [@pierreozoux](https://github.com/pierreozoux))
- Add fix for missing deletion of notes on user-deletion request
- Fix relative path for fetching the style when set
- Fix broken redirect on login
- CSS fixes for slide mode
- Do not create new notes with `null` as content
- Fix crash when OAuth2 config parameters are missing (thanks to [@vberger](https://github.com/vberger) for reporting!)
- Handle broken `SequelizeMeta` table on MySQL/MariaDB (thanks to [@titulebolide](https://github.com/titulebolide) for reporting!)
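As an added example (not part of these release notes or of the HedgeDoc code base), the script below audits a captured HTTP response head from a HedgeDoc deployment for the hardening points listed in the 1.9.0 entry above: framing blocked when `csp.allowFraming` is disabled, the Google Analytics and Disqus hosts gone from the CSP, and cookies carrying the `secure` flag when served over HTTPS. It assumes that HedgeDoc expresses the framing restriction as a CSP `frame-ancestors` directive (X-Frame-Options is accepted as an equivalent signal); the two sample responses are constructed, not captured.

```javascript
// Added example, not HedgeDoc project code: audit a HedgeDoc HTTP response head for
// the hardening points in the 1.9.0 notes. Assumption: with csp.allowFraming disabled
// HedgeDoc emits a CSP frame-ancestors directive; X-Frame-Options is also accepted.
const DROPPED_HOSTS = ['www.google-analytics.com', 'disqus.com']; // removed in 1.9.0

// Parse a raw HTTP/1.1 response head into { status, headers }; header names are
// lower-cased and each maps to an array, because Set-Cookie may repeat.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.length > 0);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(idx + 1).trim());
  }
  return { status: parseInt(lines[0].split(' ')[1], 10), headers };
}

// Split a CSP value into a map of directive name -> list of source expressions.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Return a list of findings; an empty list means every check passed.
function auditHedgeDocHeaders(raw, { https = true } = {}) {
  const { headers } = parseResponseHead(raw);
  const findings = [];
  const cspValues = headers['content-security-policy'] || [];
  if (cspValues.length === 0) {
    findings.push('no Content-Security-Policy header');
  } else {
    const ancestors = parseCsp(cspValues.join('; '))['frame-ancestors'] || [];
    const xfo = (headers['x-frame-options'] || []).map((v) => v.toUpperCase());
    const framingBlocked = ancestors.some((s) => s === "'none'" || s === "'self'")
      || xfo.some((v) => v === 'DENY' || v === 'SAMEORIGIN');
    if (!framingBlocked) findings.push('framing by other sites is allowed (is csp.allowFraming enabled?)');
    for (const host of DROPPED_HOSTS) {
      if (cspValues.some((v) => v.includes(host))) findings.push(`CSP still allows ${host}`);
    }
  }
  for (const cookie of headers['set-cookie'] || []) {
    const [nameValue, ...rest] = cookie.split(';');
    const name = nameValue.split('=')[0].trim();
    const attrs = rest.map((a) => a.trim().toLowerCase());
    if (https && !attrs.includes('secure')) findings.push(`cookie ${name} lacks Secure`);
    if (!attrs.includes('httponly')) findings.push(`cookie ${name} lacks HttpOnly`);
  }
  return findings;
}

// Constructed samples (not captured from a real instance). WEAK: framing allowed, a
// host dropped in 1.9.0 still whitelisted, session cookie without Secure.
const WEAK_SAMPLE = [
  'HTTP/1.1 200 OK',
  "Content-Security-Policy: default-src 'self'; script-src 'self' https://www.google-analytics.com",
  'Set-Cookie: connect.sid=s%3Aexample; Path=/; HttpOnly',
].join('\r\n');
// HARDENED: csp.allowFraming disabled, default 1.9.0 CSP, cookie flagged for HTTPS.
const HARDENED_SAMPLE = [
  'HTTP/1.1 200 OK',
  "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'Set-Cookie: connect.sid=s%3Aexample; Path=/; HttpOnly; Secure',
].join('\r\n');

console.log('weak:', auditHedgeDocHeaders(WEAK_SAMPLE)); // three findings
console.log('hardened:', auditHedgeDocHeaders(HARDENED_SAMPLE)); // []
```

To audit a live instance, feed the raw head from `curl -sI https://<your-hedgedoc-host>/` into `auditHedgeDocHeaders` and pass `{ https: false }` only for plain-HTTP test setups.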
### Contributors

- [Adam Worley](https://github.com/AdamWorley)
- andreas koidis (translator)
- [Augustin Trancart](https://github.com/autra)
- Benjamin Bett (translator)
- Butterflyoffire (translator)
- civic john (translator)
- [Daniel Lublin](https://github.com/quite)
- [David Mehren](https://github.com/davidmehren)
- [david-sawatzke](https://github.com/david-sawatzke)
- deluxghost (translator)
- [Dexter Chua](https://github.com/dalcde)
- Dimitri (translator)
- [em0lar](https://github.com/em0lar)
- [Éric Gaspar](https://github.com/ericgaspar)
- [Erik Michelson](https://github.com/ErikMichelson)
- Giacomo lanza (translator)
- [Girish Ramakrishnan](https://github.com/gramakri)
- Grzegorz (translator)
- [haslersn](https://github.com/haslersn)
- Igor Kerstges (translator)
- Info (translator)
- Jleeothon (translator)
- Johannes Nilsso (translator)
- Jolly Jumper (translator)
- [Jonas Zohren](https://github.com/jfowl)
- Jothish (translator)
- Julien lebranch (translator)
- [Marvin Gaube](https://github.com/margau)
- Mdhm (translator)
- Mostafa Ahangarha (translator)
- [Nick Hahn](https://github.com/codingHahn)
- [Nils van Zuijlen](https://github.com/nils-van-zuijlen)
- Nithin Prabhakaran (translator)
- numéro6 (translator)
- [n0emis](https://github.com/n0emis)
- [oupala](https://github.com/oupala)
- [Philip Molares](https://github.com/DerMolly)
- [Pierre Ozoux](https://github.com/pierreozoux)
- Quentin Pages (translator)
- [Renan Rodrigues](https://github.com/renanqts)
- Renne (translator)
- [Sandro](https://github.com/SuperSandro2000)
- Smaran (translator)
- Sooraj Kenoth (translator)
- themedleb (translator)
- [Tilman Vatteroth](https://github.com/mrdrogdrog)
- Tomasz (translator)
- [Victor Berger](https://github.com/vberger)
- XoseM (translator)
- [Yannick Bungers](https://github.com/InnayTool)
- zgroska (translator)

## <i class="fa fa-tag"></i> 1.6.0 <i class="fa fa-calendar-o"></i> 2020-02-17

### Announcements

- After the 1.6 release we will start to develop version 2.0, which will introduce breaking changes, but we will take care of making your way to 2.0 easy.
- Since Node 8 has been EOL since January 2020, 1.6 will be the last version with support for Node 8
- `useCDN` is now `false` by default. This feature is already deprecated and will be removed in 2.0.

### Enhancements

- Add AWS endpoint configuration options
- Add ability to add an imprint using `./public/docs/imprint.md`
- Improve documentation in various sections
- Add ability to create a note based on an alias in free-url mode
- Add security note describing the preferred way for responsible disclosures
- Extend forbiddenNoteIds to prevent conflicts with resource directories
- Add OpenGraph metadata support
- Add Slovak language
- Add API documentation
- Allow different reference-url styles
- Automatically focus the username field in the login modal
- Add ability to limit google-auth to own domain
- Upgrade revealJS to version 3.9.2
- Upgrade mermaid to version 8.4.6
- Update translations (zh-cn, zh-TW, en, de, id, pl, ar, ca, fr, it, sk, sv, ja, nl, pt, ru, es)

### Fixes

- Fix docker secrets support
- Fix sequelize-cli dependency location
- Fix crash in lutim integration
- Fix manage_users CLI handling of non-existing user
- Fix ability to serve CodiMD from a different urlpath than `/`
- Fix change from gravatar to libravatar in privacy policy example
- Fix missing browser icons in README

### Refactors

- Refactor note creation handling
- Improve webpack documentation
- Split note actions into own files
- Refactor returnTo handling for auth

### Removals

- Legacy handling of socket.io connections
- Node 8 CI jobs

### Contributors

- [Amolith](https://github.com/Amolith)
- Andrea Rossi (translator)
- CasperS (translator)
- Cpp.create (translator)
- [David Mehren](https://github.com/davidmehren)
- Deluxghost (translator)
- em_crx (translator)
- [Enrico Guiraud](https://github.com/bluehood)
- Epson12332 (translator)
- [Erik Michelson](https://github.com/ErikMichelson)
- Fajar Maulana (translator)
- [Fonata](https://github.com/Fonata)
- [foobarable](https://github.com/foobarable)
- [Girish Ramakrishnan](https://github.com/gramakri)
- Grzegorz (translator)
- [hoijui](https://github.com/hoijui)
- [Ian Tsai](https://github.com/b10102016)
- id7xyz (translator)
- [ike](https://github.com/ikewat)
- Info (translator)
- Javier Leandro (translator)
- [Jonas Thelemann](https://github.com/dargmuesli)
- [Jonas Zohren](https://github.com/jfowl)
- kazutomo.waragai (translator)
- [MartinT](https://github.com/MartinTuroci)
- [Mathias Merscher](https://github.com/madddi)
- [Matthias Lindinger](https://github.com/morpheus-87)
- Mdhm (translator)
- Me (translator)
- mondstern (translator)
- Patrick (translator)
- Rafael Gauna Trindade (translator)
- Ramon van Biljouw (translator)
- [RyotaK](https://github.com/Ry0taK)
- [Sandro](https://github.com/SuperSandro2000)
- [Sören Wegener](https://github.com/soerface)
- [Stefan Peters](https://github.com/stefandesu)
- [Yukai Huang](https://github.com/Yukaii)

## <i class="fa fa-tag"></i> 1.5.0 <i class="fa fa-clock-o"></i> 2019-08-15 00:00

### Announcements

- There is a new docker image available by LinuxServer.io providing an ARM container
- Disabling PDF export due to security problems

### Enhancements

- Add migration guide for Node version 6
- Add functionality to respect the Do-Not-Track header
- Add Arabic translation

### Fixes

- Fix styling in slide preview
- Fix some lint warnings
- Upgrade Sequelize to version 5
- Add Linuxserver.io setup instructions for CodiMD
- Update translations for DE, SV, ID
- Add ability to upload SVGs
- Add `dbURL` config as docker secret
- Upgrade meta-marked
- Fix a DoS vulnerability in CodiMD (<https://github.com/codimd/server/commit/ba6a24a673c24db25969de2a59b9341247f3f722>)
- Fix variable names in docker secrets config library

### Refactors

- Refactor debug logging in various places

### Deprecations

- `useCDN` will be deprecated and will disappear in favor of locally served resources. (<https://community.codimd.org/t/poll-on-cdn-usage/28>)

### Contributors

- [Amolith](https://github.com/Amolith) (social media)
- Aro Row (translator)
- bitinerant (security)
- Butterflyoffire (translator)
- [Claudius Coenen (ccoenen)](https://github.com/ccoenen)
- Erik (translator)
- Fajar Maulana (translator)
- id7xyz (translator)
- joohoi (security)
- [Jonas Thelemann (dargmuesli)](https://github.com/dargmuesli)
- [Lennart Weller (lhw)](https://github.com/lhw)
- [chbmb](https://github.com/CHBMB)
- [Raccoon (a60814billy)](https://github.com/a60814billy)
- RS232 (translator)
- [Toma Tasovac (ttasovac)](https://github.com/ttasovac)

## <i class="fa fa-tag"></i> 1.4.0 <i class="fa fa-clock-o"></i> 2019-05-31 00:00

### Announcements

- CodiMD now has a [Mastodon account](https://social.codimd.org/mastodon)
- CodiMD now has a [community forum](https://community.codimd.org)
- With CodiMD 1.4.0 we're dropping Node 6 support. That version of Node.js is discontinued and no longer receives any security updates. We would like to encourage you to upgrade to Node 8 or later. Node 8 will continue to be supported at least until its end-of-life in January 2020.

### Enhancements

- Use libravatar instead of Gravatar
- Fix language description capitalization
- Move upload button into the toolbar
- Clean up Heroku configurations
- Add new screenshot to README and index page
- Add link to community call to README
- Update languages (pl, sr, zh-CN, fr, it, ja, zh-TW, de, sv, es)
- Change edit link to `both` view
- Hide minio default ports
- Add missing passport-saml configuration
- Add lutim support
- Update dependencies
- Add documentation for keycloak
- Add tests for user model
- Add Mastodon link
- Add config for toobusy middleware
- Add Vietnamese language

### Fixes

- Fix missing space in footer
- Fix various possible security vulnerabilities in dependencies
- Fix broken dependency js-sequence-diagrams
- Fix XSS in graphviz error message rendering
- Fix toolbar night mode
- Fix hidden header on scroll
- Fix missing pictures for OpenID
- Fix statusbar hiding text in edit view

### Refactors

- Refactor README and documentation
- Integrate the old wiki into documentation section
- Refactor headers on Features page
- Replace js-url with wurl
- Refactor scrypt integration

### Removals

- Remove sass-loader

### Contributors

- [Amolith](https://github.com/Amolith)
- CasperS (translator)
- Cedric.couralet (translator)
- [Claudius Coenen (ccoenen)](https://github.com/ccoenen)
- Daniel (translator)
- Deluxghost (translator)
- [Dylan Dervaux (Dylanderv)](https://github.com/Dylanderv)
- [Emmanuel Ormancey (nopap)](https://github.com/nopap)
- Grzegorz (translator)
- [Henrik Hüttemann (HerHde)](https://github.com/HerHde)
- Hồng (translator)
- [Mauricio Robayo (archemir