This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
AI summary: Broad release touches New features, Translations, Contributions, and https://support.getgrist.com/accessibility/.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium | Guided first-run setup wizard becomes default for self‑hosted installs. Source: llm_adapter@2026-05-28; Confidence: high | — |
| Feature | Medium | Adds `POST /records/list` endpoint for large queries via request body. Source: llm_adapter@2026-05-28; Confidence: high | — |
| Feature | Medium | Applies custom CSS inside widgets via `APP_STATIC_INCLUDE_CUSTOM_CSS`. Source: llm_adapter@2026-05-28; Confidence: high | — |
| Feature | Medium | Loads built‑in calendar widget from bundled copy instead of GitHub CDN. Source: llm_adapter@2026-05-28; Confidence: high | — |
| Feature | Medium | Adds new date formats and improves locale guessing/fallback logic. Source: llm_adapter@2026-05-28; Confidence: high | — |
| Feature | Medium | Screen‑reader support added for grid views, menus, and page widget picker; improved keyboard navigation. Source: granite4.1:30b@2026-05-28-audit; Confidence: low | — |
| Feature | Low | Action summaries now correctly mark genuinely unknown cell values instead of replacing them with wildcards. Source: granite4.1:30b@2026-05-28-audit; Confidence: low | — |
| Feature | Low | OAuth Apps feature (registration, UI, API) under development for full edition. Source: granite4.1:30b@2026-05-28-audit; Confidence: low | — |
| Feature | Low | MCP (Model Context Protocol) endpoint under development for external AI clients in full edition. Source: granite4.1:30b@2026-05-28-audit; Confidence: low | — |
| Dependency | Low | Bumped multiple dependencies including @gristlabs/grist-widget, file-type, uuid, axios, webpack-dev-server, ws, multiparty, fast-uri, basic-ftp, node-forge, postcss, lodash, fast-xml-parser, svgo, flatted, follow-redirects, dompurify, @xmldom/xmldom. Source: granite4.1:30b@2026-05-28-audit; Confidence: low | — |
| Bugfix | Medium | Prevents anonymous users from forking documents. Source: llm_adapter@2026-05-28; Confidence: low | — |
| Bugfix | Medium | Fixes edit‑through‑assistant security bypass that could corrupt the data engine. Source: llm_adapter@2026-05-28; Confidence: low | — |
| Bugfix | Medium | Ensures editing from assistant forks template or unsaved documents instead of modifying originals. Source: llm_adapter@2026-05-28; Confidence: low | — |
| Bugfix | Medium | Health check `/status` returns "starting" (HTTP 503) until server is ready. Source: llm_adapter@2026-05-28; Confidence: low | — |
| Bugfix | Low | Prevents console error when pressing ctrl+alt+o on homepage. Source: llm_adapter@2026-05-28; Confidence: high | — |
| Refactor | Low | Added filesystem‑based document storage backend for tests (`GRIST_FS_STORAGE_DIR`). Source: granite4.1:30b@2026-05-28-audit; Confidence: low | — |
Full changelog
What's Changed
The first-run experience for self-hosted installations matures. The setup wizard previewed last release is now the default flow a fresh install lands on. It checks earlier which formula sandboxes are available, handles authentication changes more cleanly, and lets you edit the install-wide default permissions from the Admin Panel. Accessibility takes a big step forward too: screen-reader support and keyboard navigation now reach grid views, menus, and the page widget picker. There are also new date formats, a POST /records/list API endpoint for large queries, custom CSS inside widgets, and the usual dependency bumps and fixes. Two more features are under development in the full edition: OAuth Apps and an MCP (Model Context Protocol) endpoint. See "Full Grist edition extensions" below.
New features
- Guided first-run setup wizard. The setup wizard previewed in v1.7.13 is now the flow fresh self-hosted installations land on. Sign in with the boot key (the `GRIST_BOOT_KEY` admin secret printed at startup), and the wizard walks you through `/admin/setup` to configure your instance. The "Quick setup" entry is now active in the admin sidebar. Refinements this release:
- The wizard now checks which formula sandboxes are available as soon as it opens, not when you reach that step. No more waiting on a spinner (#2341)
- Smoother entry into the wizard: cleaner redirects after an authentication change and after signing in with the boot key (#2340)
- Set up "Sign in with getgrist.com" from the wizard, and returning from getgrist.com's registration page now brings you back into the wizard, not the main Admin Panel (#2310)
- Signed-out and non-admin users can no longer open the Quick setup page. They get the same "unavailable" card as the Admin Panel (#2323)
- Authentication changes are now staged like the wizard's other pending changes. Admins are sent back through sign-in after changing them (#2315, #2331)
- The four install-wide default permissions (team sites, personal sites, anonymous access, anonymous playground) can now be changed from the Admin Panel's Security Settings, not just during the wizard (#2314)
- `POST /records/list` endpoint. A POST companion to the records endpoint. Large queries can be sent in the request body instead of the URL (#2321).
Improvements
- Accessibility (contributed by @manuhabitela)
- Screen-reader support in grid views (#2114)
- Open the row and column menus via keyboard shortcuts in a grid view (#2230)
- Open the context menu via keyboard shortcuts when in widgets (#2226)
- Page widget picker now works with keyboard and screen readers (#2273)
- Custom widgets
- A custom CSS file configured with `APP_STATIC_INCLUDE_CUSTOM_CSS` is now also applied inside widgets, not just the main app. Contributed by @manuhabitela (#2089)
- The built-in calendar widget now loads from the copy bundled with Grist instead of the one hosted on GitHub. The GitHub copy pulled in external CDN files that ad blockers and privacy extensions sometimes blocked (#2262)
- Localization
- New date formats (#2347)
- Improved locale guessing and locale fallback logic (#2313)
- API
- Action summaries (the change summaries used by features such as webhooks) now mark which cell values are genuinely unknown. Before, merging two summaries could replace a known value with a wildcard. Now it keeps the real value where it has one (#2361)
- Internal / infrastructure
Fixes
- Edit a document from the assistant popup, and Grist now copies (forks) it first if it is a template or an unsaved scratch document ("fiddle"). The original is no longer changed in place (commit)
- Fixed a case where editing through the assistant could slip past access checks. It happened while previewing a document as owner, before the fork was made, and could leave the data engine in a bad state (commit)
- Prevent anonymous users from forking documents (#2319)
- On first startup, the `/status` health check now returns "starting" (HTTP 503) until the server is ready. Before, it could report healthy too early (#2322)
- Prevent a console error when pressing ctrl+alt+o on the homepage (#2343)
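A deployment gate built on the `/status` change above, as an added example that is not part of the Grist release notes or code base. It assumes a ready server answers HTTP 200 and that the instance listens on `localhost:8484`; the function names are hypothetical.

```python
import time
import urllib.error
import urllib.request

# Assumed base URL for a local self-hosted instance; adjust for your deployment.
STATUS_URL = "http://localhost:8484/status"


def probe_status(url=STATUS_URL, timeout=3.0):
    """Return the HTTP status code of the health check, or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # e.g. 503 while the server is still starting
    except (urllib.error.URLError, OSError):
        return None              # connection refused, DNS failure, timeout


def wait_until_ready(probe=probe_status, attempts=30, delay=2.0, sleep=time.sleep):
    """Poll until the health check returns 200 (assumed "ready" status).

    Returns (ready, history). A 503 or a failed connection is retried.
    Any other status stops the loop as a hard failure, so a misrouted
    probe (404, 401, 500) is never mistaken for a healthy server.
    """
    history = []
    for attempt in range(attempts):
        code = probe()
        history.append(code)
        if code == 200:
            return True, history
        if code not in (503, None):
            return False, history
        if attempt < attempts - 1:
            sleep(delay)
    return False, history


if __name__ == "__main__":
    # Constructed sequence standing in for a server that is still booting.
    fake = iter([None, 503, 503, 200])
    ok, seen = wait_until_ready(probe=lambda: next(fake), sleep=lambda s: None)
    print(ok, seen)
```

Gate traffic cut-over and post-deploy checks on the returned flag rather than on the port being open.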
Documentation
- New accessibility documentation covering keyboard navigation, screen reader support, and the high-contrast theme. Contributed by @manuhabitela
- Document how to run the browser-based end-to-end (nbrowser) tests locally (#2214)
Full Grist edition extensions
These features are under development in the full edition.
- OAuth Apps. A way to register and manage OAuth apps, with a developer UI and REST API. Users can authorize an app, limit it to specific organizations, workspaces, or documents, and later review or revoke that access.
- MCP (Model Context Protocol) endpoint. Lets external clients such as Claude or ChatGPT talk to Grist over JSON-RPC.
Dependency bumps
Thanks to the grist.gouv team for monitoring Grist dependencies.
- Bump @gristlabs/grist-widget to 0.0.6 (#2329), file-type to 22.0.0 (#2209), uuid to 14.0.0 (#2290)
- Bump axios (#2260, #2333), webpack-dev-server (#2357), ws (#2359), multiparty (#2355), fast-uri (#2342), basic-ftp (#2274, #2338), node-forge (#2210), postcss (#2316), lodash (#2238), fast-xml-parser (#2257), svgo (#2149), flatted (#2192), follow-redirects (#2264), dompurify (#2270), @xmldom/xmldom (#2289)
Contributions
- Grist Labs: @berhalak, @dsagal, @paulfitz, @Spoffy
- @manuhabitela: screen-reader support in grid views (#2114), keyboard access for row/column menus (#2230), keyboard access for the widget context menu (#2226), keyboard and screen-reader support in the page widget picker (#2273), custom CSS applied inside widgets (#2089), fine-tuning the experimental "New record" button (#2312), locale guessing and fallback improvements (#2313), console error fix on ctrl+alt+o (#2343)
- @fflorent: prevent anonymous users forking documents (#2319), bump file-type (#2209), document running the browser-based (nbrowser) tests locally (#2214)
- @cbontemps: add new date formats (#2347)
- @wvengen: include package.json and yarn.lock for the Pyodide worker (#2297)
- @machinelearningprodigy: tighten ISandbox types and resolve sort-spec lint/type-safety issues (#2211)
Translations
- Arif Budiman
- Igor Freire Rodrigues
- Kévin DUPOND
- Martin Harari Thuresson
- Paul Janzen
- Renato Portela
- René Neumann
- ssantos
- xabirequejo
- younger
Full Changelog: https://github.com/gristlabs/grist-core/compare/v1.7.13...v1.7.14
Join our Discord Community if you'd like to get into development of Grist.