This release includes 2 security fixes relevant to security teams reviewing exposed deployments.
Published 9d
Productivity & Wikis
✓ No known CVEs patched
This release patches 2 known CVEs
Topics
collaboration
docker
documentation
knowledge-base
markdown
note-taking
notes
php
privacy
productivity
pwa
self-hosted
spa
wiki
Affected surfaces
rce_ssrf
Summary
AI summary: Updates to file support, the tree view component, and new features across a mixed release.
Full changelog
Security
- Fix path traversal vulnerability reported by @Pirrandi
- Add strict MIME type validation for file uploads
New features
- Add PKCE support for PocketID provider (#123)
- Add queue configuration to s6 overlay
Tree view component
- Load only visible nodes, improving performance, especially in large vaults
- Opened file is now highlighted (#97)
- Files and folders can now be moved via drag and drop
- Files can be imported by dragging them directly into the tree view (#73, #117)
- Links can be created by dragging files from the tree view into the editor
- Add a dedicated context menu action button
- Add file type icons to nodes
Frontend
- Migrate frontend to Vue + Inertia + TypeScript
- Improve overall UI and UX
File support updates
- Audio: add M4A, AAC, WAV, OGG, Opus
- Image: add AVIF; remove SVG
- Video: add M4V, MOV, WebM, MKV; remove AVI
Improvements
- Improve broadcasting events
Fixes
- Remove single quote from the auto close Tiptap extension
Maintenance
- Update dependencies
Thanks to Diego Valencia (@Pirrandi) for responsibly disclosing the path traversal vulnerability and assisting in testing the fix.