Skip to content

leantime

v3.8.0 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 7d Productivity & Wikis
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

agile asana calendar clickup gantt jira
+13 more
kanban lean leantime notion php project-management projects retrospective scrum sql strategy timesheets trello

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 7d

Leantime v3.8.0 migrated all legacy .tpl.php, .sub.php, and .inc.php templates to Laravel Blade, modernizing the frontend template system.

Why it matters: The refactor (severity 70) eliminates outdated PHP‑based templating, reducing maintenance overhead for developers and SREs managing Leantime deployments.

Summary

AI summary

Broad release touches Other Changes, Bug Fixes, Highlights, and fix.

Changes in this release

Feature Medium

Added full multi-collaborator support for task assignment with UI updates.

Added full multi-collaborator support for task assignment with UI updates.

Source: llm_adapter@2026-05-28

Confidence: high
Feature Medium

Added Arabic (ar-SA) language support.

Added Arabic (ar-SA) language support.

Source: llm_adapter@2026-05-28

Confidence: high
Feature Medium

Implemented backend API changes for Leantime Mobile app (TestFlight beta).

Implemented backend API changes for Leantime Mobile app (TestFlight beta).

Source: llm_adapter@2026-05-28

Confidence: high
Feature Low

Updated Korean (ko-KR) translations.

Updated Korean (ko-KR) translations.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Added server‑authoritative session resolution for mobile clients (Users::getUser defaults to session user).

Added server‑authoritative session resolution for mobile clients (Users::getUser defaults to session user).

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Exposed Users::getUsersWithProjectAccess and Projects::getProjectsUserHasAccessTo resolving userId server‑side.

Exposed Users::getUsersWithProjectAccess and Projects::getProjectsUserHasAccessTo resolving userId server‑side.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Added Auth/**AccessToken**::revokeCurrentToken() for secure client‑side sign‑out.

Added Auth/**AccessToken**::revokeCurrentToken() for secure client‑side sign‑out.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Exposed Projects::getProjectsByUserActivity for recency‑sorted project lists.

Exposed Projects::getProjectsByUserActivity for recency‑sorted project lists.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Added Tickets endpoints: markTicketDone, markTicketReopen, getAllDoneUserTickets, quickAddTicket (respects per‑project default status), getAllOpenUserTickets (includes statusClass and statusType).

Added Tickets endpoints: markTicketDone, markTicketReopen, getAllDoneUserTickets, quickAddTicket (respects per‑project default status), getAllOpenUserTickets (includes statusClass and statusType).

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Made Calendar::mapEventData tolerate NULL description, colors, and dates.

Made Calendar::mapEventData tolerate NULL description, colors, and dates.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Made Comments::addComment RPC‑friendly with optional entity and default father.

Made Comments::addComment RPC‑friendly with optional entity and default father.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Enforced JSON‑RPC @api annotation – only explicitly marked service methods are callable; stopped wrapping scalar returns in single‑element arrays.

Enforced JSON‑RPC @api annotation – only explicitly marked service methods are callable; stopped wrapping scalar returns in single‑element arrays.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Dependency Low

Bumped brace-expansion dependency.

Bumped brace-expansion dependency.

Source: llm_adapter@2026-05-28

Confidence: high
Dependency Low

Updated yauzl from 3.2.0 to 3.2.1.

Updated yauzl from 3.2.0 to 3.2.1.

Source: llm_adapter@2026-05-28

Confidence: high
Bugfix Medium

Fixed Commenter role submit buttons remaining disabled after form actions.

Fixed Commenter role submit buttons remaining disabled after form actions.

Source: llm_adapter@2026-05-28

Confidence: high
Bugfix Medium

Guarded MySQL‑specific PDO constants with defined() checks to prevent fatal crashes on shared hosting.

Guarded MySQL‑specific PDO constants with defined() checks to prevent fatal crashes on shared hosting.

Source: llm_adapter@2026-05-28

Confidence: low
Bugfix Medium

Corrected Wiki `createArticle()` to use lowercase `sortindex` column, fixing Postgres failures.

Corrected Wiki `createArticle()` to use lowercase `sortindex` column, fixing Postgres failures.

Source: llm_adapter@2026-05-28

Confidence: low
Bugfix Medium

Added missing `error403.blade.php` template to prevent crash on permission‑gated pages.

Added missing `error403.blade.php` template to prevent crash on permission‑gated pages.

Source: llm_adapter@2026-05-28

Confidence: low
Bugfix Medium

Fixed Wiki sidebar width, dark‑mode editor dropdowns, and emoji picker ESC propagation.

Fixed Wiki sidebar width, dark‑mode editor dropdowns, and emoji picker ESC propagation.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Medium

Fixed password reset and canvas queries on PostgreSQL, plus plugin install null‑safety.

Fixed password reset and canvas queries on PostgreSQL, plus plugin install null‑safety.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Medium

Fixed Resend Invite button silently no‑op due to isset(null) check.

Fixed Resend Invite button silently no‑op due to isset(null) check.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Medium

Made kanban boards horizontally scrollable when they have 8+ columns.

Made kanban boards horizontally scrollable when they have 8+ columns.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Low

Restored moveTicket functionality, KPI milestone linking, backlog filter on Postgres, and tiptap list rendering.

Restored moveTicket functionality, KPI milestone linking, backlog filter on Postgres, and tiptap list rendering.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Low

Fixed case sensitivity issue in the secondary color setting.

Fixed case sensitivity issue in the secondary color setting.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Low

Corrected syntax error in Referrer‑Policy header assignment.

Corrected syntax error in Referrer‑Policy header assignment.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Low

Stopped favorites star from spinning indefinitely after click on Project Hub.

Stopped favorites star from spinning indefinitely after click on Project Hub.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Low

Skipped events with MySQL zero‑date sentinel in getCalendar to avoid calendar feed crash.

Skipped events with MySQL zero‑date sentinel in getCalendar to avoid calendar feed crash.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Low

Ensured Milestones::getAllMilestones() filters to type='milestone'.

Ensured Milestones::getAllMilestones() filters to type='milestone'.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Refactor High

Migrated all legacy .tpl.php, .sub.php, .inc.php templates to Laravel Blade.

Migrated all legacy .tpl.php, .sub.php, .inc.php templates to Laravel Blade.

Source: llm_adapter@2026-05-28

Confidence: high
Refactor Low

Made MarketplacePlugin model properties nullable for PHP 8.x strict type compatibility.

Made MarketplacePlugin model properties nullable for PHP 8.x strict type compatibility.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Full changelog

Highlights

Complete Blade Template Migration

All remaining legacy .tpl.php, .sub.php, and .inc.php templates have been converted to Laravel Blade, completing the frontend template unification. 272 legacy files removed, 200 Blade files added (net reduction of 72 files). This covers all 16 canvas domains, shared submodules (Tickets, Comments, Files, Projects), simple domains (Auth, Install, Settings, etc.), and complex domains (Calendar, Clients, Ideas, Timesheets, Users, Wiki). (#3362)

Mobile API Surface

Backend API changes to support the Leantime Mobile app (first TestFlight beta). Includes server-authoritative session resolution so mobile clients authenticated via Bearer token can resolve "who am I" without pre-knowing their user id. (#3395)

  • Users::getUser() defaults to session user when no id passed
  • Users::getUsersWithProjectAccess and Projects::getProjectsUserHasAccessTo resolve userId server-side
  • Auth\AccessToken::revokeCurrentToken() for secure client-side sign-out
  • Projects::getProjectsByUserActivity for recency-sorted project lists
  • Tickets::markTicketDone / markTicketReopen / getAllDoneUserTickets for quick-complete flows
  • Tickets::getAllOpenUserTickets now ships statusClass and statusType fields
  • Tickets::quickAddTicket respects per-project default status configuration
  • Milestones::getAllMilestones() correctly filters to type='milestone'
  • Calendar::mapEventData tolerates NULL description, colors, and dates
  • Comments::addComment is now RPC-friendly with optional entity and default father
  • JSON-RPC no longer wraps scalar return values into single-element arrays
  • JSON-RPC enforces @api annotation — only explicitly marked service methods are callable

Task Collaborators

Full multi-collaborator support for task assignment. Tasks can now have multiple collaborators in addition to the primary assignee, with updated UI in both list and kanban views showing collaborator avatars. (#3337)

Bug Fixes

  • PDO Constant Crash on Shared Hosting — Guarded all MySQL-specific PDO constants (MYSQL_ATTR_SSL_VERIFY_SERVER_CERT, etc.) with defined() checks in the database config; some cPanel/EasyApache PHP builds load pdo_mysql without these constants, causing a fatal error on all pages (#3371)
  • Commenter Role Cannot Comment — Fixed enableCommenterForms() not re-enabling submit buttons inside reply comment boxes after makeInputReadonly() disabled all form elements; the commenter role was completely non-functional (#3194, #3186)
  • Wiki Article Creation Fails on Postgres — Fixed createArticle() using camelCase sortIndex column name which Postgres rejects; schema and all other repos use lowercase sortindex (#3382)
  • Wiki 500 on Postgres (Milestone JOIN) — Added DatabaseHelper::castAs() to the milestone leftJoin in getArticle(), matching the pattern used in Canvas, Ideas, and Goalcanvas repositories; also removed limit(1) from UPDATE/DELETE queries that fail on Postgres (#3383)
  • Ideas Saved to canvasId 0 — POST handler in IdeaDialog now reads canvasId from the submitted form with session as fallback, preventing ideas from being invisibly saved to canvas 0 (#3181)
  • Kanban Board Cannot Scroll with 8+ Columns — Added overflow-x: auto to the kanban row container and set columns to flex-shrink: 0 with min-width: 200px so boards with many status columns are horizontally scrollable (#3394)
  • Calendar Zero-Date CrashgetCalendar() now skips events with MySQL zero-date sentinels (0000-00-00) instead of crashing the entire calendar feed (#3396)
  • Resend Invite Button No-Op — Fixed isset(null) check that silently prevented the resend invite action from executing (#3392)
  • Three Bugs: isset, limit(1), URL — Fixed isset on null parameter, removed redundant limit(1) on DELETE (Postgres compat), and corrected a malformed URL (#3393)
  • 403 Permission Page Crash — Added missing error403.blade.php template so permission-gated pages render an error page instead of crashing (#3365)
  • Favorites Star Infinite Spinner — Fixed the star button on Project Hub spinning indefinitely after click by removing the loading class after the request completes (#3364)
  • Wiki Sidebar Width & Dark Mode — Fixed wiki sidebar width, dark-mode editor dropdown rendering, and emoji picker ESC key propagation (#3361)
  • moveTicket, KPI, Backlog, Tiptap — Restored moveTicket functionality, KPI milestone linking, backlog filter on Postgres, and tiptap list rendering (#3360)
  • Postgres Compat & Plugin Install — Fixed password reset and canvas queries on Postgres, plus plugin install null-safety (#3359)
  • MarketplacePlugin Nullable Properties — Made MarketplacePlugin model properties nullable for PHP 8.x strict type compatibility (#3356)
  • Secondary Color Case Sensitivity — Fixed case sensitivity issue in the secondary color setting (#3348)
  • Referrer-Policy Header Syntax — Fixed syntax error in the Referrer-Policy header assignment (#3347)

Localization

  • Added Arabic (ar-SA) language support (#3370)
  • Updated Korean (ko-KR) translations (#3326)

Dependency Updates

  • Bumped brace-expansion (#3340)
  • Bumped yauzl from 3.2.0 to 3.2.1 (#3320)

What's Changed

Other Changes

  • fix: PostgreSQL ROUND error, missing zp_canvas.color migration, and 3.7.2 changelog by @marcelfolaron in https://github.com/Leantime/leantime/pull/3318
  • Fix case sensitivity in secondary color setting by @Delvar in https://github.com/Leantime/leantime/pull/3348
  • Fix syntax for Referrer-Policy header assignment by @Delvar in https://github.com/Leantime/leantime/pull/3347
  • build(deps): bump brace-expansion by @dependabot[bot] in https://github.com/Leantime/leantime/pull/3340
  • Update ko-KR.ini — complete Korean translation by @madrobotnet in https://github.com/Leantime/leantime/pull/3326
  • build(deps-dev): bump yauzl from 3.2.0 to 3.2.1 by @dependabot[bot] in https://github.com/Leantime/leantime/pull/3320
  • make MarketplacePlugin model properties nullable for PHP 8.x by @shaunchokshi in https://github.com/Leantime/leantime/pull/3356
  • Add collaborator support to task assignment and UI (list + kanban) by @juarezsousa-ctrl in https://github.com/Leantime/leantime/pull/3337
  • fix: Postgres compat + plugin install null-safety (bundles 4 issues) by @marcelfolaron in https://github.com/Leantime/leantime/pull/3359
  • fix: moveTicket, KPI linking, backlog filter on Postgres, tiptap list rendering by @marcelfolaron in https://github.com/Leantime/leantime/pull/3360
  • fix: wiki sidebar width, dark-mode editor dropdowns, emoji ESC propagation by @marcelfolaron in https://github.com/Leantime/leantime/pull/3361
  • Backend API surface for Leantime Mobile (TestFlight) by @gloriafolaron in https://github.com/Leantime/leantime/pull/3395
  • Fix three bugs: isset on null param, redundant limit(1), malformed URL by @YoussefMansour9 in https://github.com/Leantime/leantime/pull/3393
  • Implement Arabic language by @Mohd-PH in https://github.com/Leantime/leantime/pull/3370
  • fix: add error403.blade.php to resolve crash on permission-gated pages by @Copilot in https://github.com/Leantime/leantime/pull/3365
  • fix: Resend Invite button silently no-ops due to isset(null) check by @mojotaker in https://github.com/Leantime/leantime/pull/3392
  • Fix favorites star spinning indefinitely after click on Project Hub by @Copilot in https://github.com/Leantime/leantime/pull/3364
  • refactor: migrate all .tpl.php/.sub.php/.inc.php templates to Blade by @marcelfolaron in https://github.com/Leantime/leantime/pull/3362
  • fix: 6 high-impact bugs — PDO crash, commenter role, Wiki Postgres, Ideas canvasId, Kanban scroll by @marcelfolaron in https://github.com/Leantime/leantime/pull/3397
  • fix(calendar): tolerate MySQL zero-date sentinel in getCalendar by @gloriafolaron in https://github.com/Leantime/leantime/pull/3396

New Contributors

  • @Delvar made their first contribution in https://github.com/Leantime/leantime/pull/3348
  • @madrobotnet made their first contribution in https://github.com/Leantime/leantime/pull/3326
  • @shaunchokshi made their first contribution in https://github.com/Leantime/leantime/pull/3356
  • @juarezsousa-ctrl made their first contribution in https://github.com/Leantime/leantime/pull/3337
  • @YoussefMansour9 made their first contribution in https://github.com/Leantime/leantime/pull/3393
  • @Mohd-PH made their first contribution in https://github.com/Leantime/leantime/pull/3370
  • @Copilot made their first contribution in https://github.com/Leantime/leantime/pull/3365
  • @mojotaker made their first contribution in https://github.com/Leantime/leantime/pull/3392

Full Changelog: https://github.com/Leantime/leantime/compare/v3.7.2...v3.8.0

Breaking Changes

  • All legacy .tpl.php, .sub.php, and .inc.php templates removed; migration to Laravel Blade is now mandatory.
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track leantime

Get notified when new releases ship.

Sign up free

About leantime

Leantime is a goals focused project management system for non-project managers. Building with ADHD, Autism, and dyslexia in mind.

All releases →

Related context

Related tools

Beta — feedback welcome: [email protected]