This release includes 3 security fixes; the summary below is written for security teams reviewing exposed deployments.
Summary
AI summary: Updates @excalidraw/excalidraw, mermaid, and next across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE | Confidence |
|---|---|---|---|---|
| Feature | Medium | Add a `+` button on kanban columns to quickly create an item within a status | — | high |
| Feature | Medium | Option to hide redundant statuses from kanban card items added in settings | — | high |
| Feature | Medium | Indent button and numbered list button added to editor toolbar | — | high |
| Dependency | Medium | uuid upgraded from 11.1.0 to 11.1.1 (buffer bounds check) | — | high |
| Dependency | Medium | brace-expansion forced to patched version >=5.0.6 (DoS via large numeric range) | — | high |
| Dependency | Medium | @excalidraw/excalidraw upgraded from 0.18.0 to 0.18.1 (XSS via Mermaid/KaTeX) | — | low |
| Dependency | Medium | mermaid upgraded from 10.9.4 to 10.9.6 (Gantt chart infinite loop DoS) | — | low |
| Dependency | Medium | next upgraded from 16.2.3 to 16.2.6 (high-severity: DoS + middleware bypass) | — | low |
| Dependency | Medium | next-intl upgraded from 4.9.1 to 4.9.2 (prototype pollution) | — | low |
| Dependency | Medium | ws upgraded from 8.19.0 to 8.20.1 (uninitialized memory disclosure) | — | low |
| Dependency | Medium | postcss upgraded to >=8.5.10 (XSS via unescaped `</style>`) | — | low |
| Bugfix | Medium | Fix layout issue around kanban status manager | — | high |
| Bugfix | Medium | Cannot archive checklists fixed | — | high |
| Bugfix | Medium | Table of contents (TOC) working while editing a note | — | high |
| Bugfix | Medium | Fix diagram modals embedded in note body, improving UX | — | high |
| Bugfix | Medium | Fix timer state persisting during kanban changes | — | high |
| Bugfix | Medium | Fix checklist duplicate ids after file drop import | — | high |
| Bugfix | Medium | Add new line at end of notes when saving to avoid `[noeol]` on opinionated editors | — | low |

Source for all rows: granite4.1:8b-q6_K@2026-05-20 (confidence as rated per row).
Changelog
I was going to do a bit more work before releasing but Nextjs ruined everything by having a shit ton of CVEs and I had to be a responsible adult and fix them all. Also, disclaimer: you'll notice a Claude icon popping up in the contributors tab. That's not done by me but by a lovely contributor who actually added some seriously good improvements to this release. They used Claude quite heavily and I don't mind, as I went through the code, tested and adjusted things accordingly when they weren't meeting the project standards (frankly these pull requests were almost perfect). My stance on AI is still the same: if the code is good and you reviewed it, I welcome it.
features
- Add a `+` button on the kanban columns to quickly create an item within a status (thank you @nikolai-andree)
- Add option to hide redundant statuses from kanban card items (settings -> personal preferences -> kanban) (thank you @nikolai-andree)
- Add indent button and numbered list button to the editor toolbar #503 (thank you @nikolai-andree )
bugfixes
- Fix layout issue around kanban status manager (thank you @nikolai-andree)
- Cannot archive checklists #499
- TOC not working while editing a note #510
- Fix diagram modals being suddenly embedded in the note body. This was caused by the recent iOS fixes; the test suite didn't catch it because it technically works, it's just shit UX 😆
- Add new line at the end of notes when saving to avoid `[noeol]` on opinionated editors (e.g. vim)
- Fix timer state not persisting during changes on kanban #512
- Fix checklist duplicate ids after file drop import #501
direct dependency upgrades
- @excalidraw/excalidraw: 0.18.0 -> 0.18.1 (XSS via Mermaid/KaTeX)
- mermaid: 10.9.4 -> 10.9.6 (Gantt chart infinite loop DoS)
- next: 16.2.3 -> 16.2.6 (2x high-severity: DoS + middleware bypass)
- next-intl: 4.9.1 -> 4.9.2 (prototype pollution)
- uuid: 11.1.0 -> 11.1.1 (buffer bounds check)
- ws: 8.19.0 -> 8.20.1 (uninitialized memory disclosure)
resolutions added/updated
- `**/mermaid`: 10.9.4 -> 10.9.6 (force patched version for transitive deps)
- brace-expansion: >=5.0.6 (DoS via large numeric range, pulled in by multiple deps)
- postcss: >=8.5.10 (XSS via unescaped `</style>`, pulled in by next)
Security Fixes
- next: 16.2.3 -> 16.2.6 fixes two high-severity issues (DoS + middleware bypass)
- @excalidraw/excalidraw: 0.18.0 -> 0.18.1 patches XSS via Mermaid/KaTeX
- mermaid: 10.9.4 -> 10.9.6 resolves Gantt chart infinite-loop DoS
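A team checking whether an existing jotty deployment already carries these fixes needs to look past the top-level dependencies: the changelog notes that postcss and brace-expansion arrive transitively (the reason the `resolutions` entries above exist), so a nested copy under `next` or `minimatch` can stay old while the top-level package looks patched. The following is an added example, not jotty's own code, that walks a `package-lock.json` (lockfileVersion 3, where every installed copy is keyed by its install path) and reports every copy of a listed package below the floor this release adopts. The floors are the upgrade targets and resolution ranges from the lists above; the lockfile fragment is constructed for the demo.

```javascript
// Added example (not jotty's code): audit a package-lock.json (lockfileVersion 3)
// against the dependency floors this release adopts. Floors are taken from the
// changelog's upgrade targets and resolution ranges; the lockfile is constructed.

const FLOORS = {
  "next": "16.2.6",
  "@excalidraw/excalidraw": "0.18.1",
  "mermaid": "10.9.6",
  "next-intl": "4.9.2",
  "uuid": "11.1.1",
  "ws": "8.20.1",
  "brace-expansion": "5.0.6",
  "postcss": "8.5.10",
};

// Parse the numeric core (major.minor.patch) of a version string. Pre-release
// tags and build metadata are ignored; unparsable strings return null so the
// caller can report them instead of silently passing them.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Returns -1, 0 or 1 like a comparator; throws on unparsable input.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparsable version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// package-lock v3 keys entries by install path; the package name is whatever
// follows the last "node_modules/", which also handles scoped names. Nested
// paths are exactly where a stale transitive copy (postcss under next) lives.
function packageNameFromPath(p) {
  const marker = "node_modules/";
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? null : p.slice(idx + marker.length);
}

// Every installed copy of a package in FLOORS, with its status against the floor.
function auditLockfile(lock, floors = FLOORS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !(name in floors) || !entry.version) continue;
    const floor = floors[name];
    let status;
    try {
      status = compareVersions(entry.version, floor) < 0 ? "vulnerable" : "ok";
    } catch {
      status = "unknown"; // surface odd version strings rather than hide them
    }
    findings.push({ path, name, installed: entry.version, floor, status });
  }
  return findings;
}

// Only the copies that need attention (below the floor, or unparsable).
function vulnerablePackages(lock, floors = FLOORS) {
  return auditLockfile(lock, floors).filter((f) => f.status !== "ok");
}

// Constructed lockfile fragment: top-level next is patched, but a nested
// postcss under next, a transitive brace-expansion and ws are still below floor.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/next": { version: "16.2.6" },
    "node_modules/next/node_modules/postcss": { version: "8.4.31" },
    "node_modules/minimatch/node_modules/brace-expansion": { version: "2.0.1" },
    "node_modules/@excalidraw/excalidraw": { version: "0.18.1" },
    "node_modules/ws": { version: "8.19.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

console.log(JSON.stringify(vulnerablePackages(SAMPLE_LOCK), null, 2));
```

To run this against a real deployment, replace `SAMPLE_LOCK` with the parsed contents of the deployment's `package-lock.json` (for yarn, `yarn why <pkg>` lists the same nested copies). One floor per package is what this release's resolutions express, but it does not know about fixes backported to older release lines, so a copy flagged here on a different major should be checked against the upstream advisory before being treated as exploitable.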
About jotty
Lightweight but powerful alternative for managing your personal, file based, notes and checklists.
Beta — feedback welcome: [email protected]