HedgeDoc 1.9.6
This is the latest release.
Bugfixes
- Fix migrations deleting all notes when SQLite is used
🚨 This release has a bug that leads to data-loss when using SQLite. We advise users of SQLite databases to skip this release and use 1.9.6. 🚨
- breaks option not being respected in the publish-view

Please note: This release dropped support for Node 12, which has been end-of-life since April 2022. You now need at least Node 14.13.1 or Node 16 to run HedgeDoc. We don’t support more recent versions of Node.
This release fixes a security issue. We recommend upgrading as soon as possible.
⚠️ Warning: If you deploy HedgeDoc and MariaDB with docker-compose using a checkout of our container repo, you will need to manually convert the character set of the database to utf8mb4 when updating. See the corresponding PR for more information.
- git binary is not found
- bin/manage_users not accepting numeric passwords (thanks to @carr0t2 for reporting)
- /metrics or /status
This release increases the minimum required Node versions to 12.20.0, 14.13.1 and 16.
In general, only the latest releases of Node 12, 14 and 16 are officially supported by us; older minor versions can be dropped at any time.
We recommend you run HedgeDoc with the latest release of Node 16.
- csp.allowFraming config option, which controls whether embedding a HedgeDoc instance in other webpages is allowed. We strongly recommend disabling this option to reduce the risk of XSS attacks
- csp.allowPDFEmbed config option, which controls whether embedding PDFs inside HedgeDoc notes is allowed. We recommend disabling this option if you don’t use the feature, to reduce the attack surface of XSS attacks
- filesystem upload method
- secure flag, if HedgeDoc is loaded via HTTPS
- /metrics and /status
This release fixes two security issues. We recommend upgrading as soon as possible.
- yarn install in production mode (as performed by bin/setup) by marking frontend-only dependencies as dev-dependencies. This also reduces the size of the docker container
- esbuild instead of terser to minify JavaScript
- useSSL or csp.upgradeInsecureRequests is enabled (thanks to @mdegat01 for reporting)
- protocolUseSSL when useSSL is also enabled

This release fixes multiple security issues. We recommend upgrading as soon as possible.
Please note: This release dropped support for Node 10, which has been end-of-life since April 2021. You now need at least Node 12 to run HedgeDoc, but we recommend running the latest LTS release.
- marked library

We also published an advisory for CVE-2021-29475: PDF export allows arbitrary file reads, which has already been fixed since HedgeDoc 1.5.0.
- .sequelizerc configuration file is no longer necessary and can be safely deleted
- /metrics, exposing the same stats as /status in addition to various Node.js performance figures
- yahoo.com from the default content security policy
- slideOptions are present in the frontmatter
- /download route for non-existent notes in FreeURL mode
- /new/<alias> in FreeURL mode

This release fixes a security issue. We recommend upgrading as soon as possible.
This release fixes two security issues. We recommend upgrading as soon as possible.
We have renamed to HedgeDoc! 🎉
Many thanks to Éric Gaspar who designed our new logo!
Have a look at our new website (which also explains the reasoning behind the renaming) at https://hedgedoc.org
This is probably the last release in the 1.x series. Stay tuned for 2.0, scheduled for release next year.
Please note: This release dropped support for Node 8, which has been end-of-life since January 2020. You now need at least Node 10.13 to run HedgeDoc, but we recommend running the latest LTS release.
Please note: If you use a reverse proxy and TLS, make sure it sets the X-Forwarded-Proto header correctly, otherwise you will encounter login issues.
Our docs have example configs for common reverse proxies.
- state parameter (#407 & #541 by @dalcde & @haslersn)
- null as content
- SequelizeMeta table on MySQL/MariaDB (thanks to @titulebolide for reporting!)
- useCDN is now false by default. This feature is deprecated already and will be removed in 2.0.
- ./public/docs/imprint.md
- /
- dbURL config as docker secret
- useCDN will be deprecated and will disappear in favor of locally served resources. (https://community.codimd.org/t/poll-on-cdn-usage/28)
- both view
- serverURL
- npm start
- rel="noopener" to all links
- manage_users script
- ./tmp directory to system temp directory
- to-markdown with turndown (successor library)
- data: URL in CSP
- ws instead of the no longer supported uws
- manage_users script
- /new
- /features page
- filesystem as imageUploadType
- allowFreeURL=true
- useCDN=false setups