This release includes breaking changes that platform teams should plan for before upgrading.
✓ No known CVEs patched in this version
ReleasePort's take
Light signal: The release prevents comment authors from editing or restoring admin-discarded comments and adds trusted ingress IP allowlisting with exec-based Docker startup.
Why it matters: Patch to v3.0.24 immediately; the security changes block unauthorized comment restoration and tighten ingress controls, reducing attack surface.
Summary
AI summary: Fixed comment editing when admins discard comments.
Changes in this release
| Type | Severity | Summary | CVE | Source | Confidence |
|---|---|---|---|---|---|
| Security | Medium | Prevent comment authors from editing or restoring admin-discarded comments. | — | llm_adapter@2026-05-21 | high |
| Security | Medium | Add trusted ingress IP allowlisting and exec-based Docker startup. | — | llm_adapter@2026-05-21 | high |
| Dependency | Medium | Update Devise, Vite, Bootsnap, Rollup, Sentry, Nokogiri, Puma, tzinfo-data. | — | llm_adapter@2026-05-21 | high |
| Dependency | Medium | Update Nokogiri and Puma dependencies. | — | llm_adapter@2026-05-21 | low |
| Performance | Medium | Raise global request-per-IP throttle from 300 to 900 per 5 minutes. | — | llm_adapter@2026-05-21 | high |
| Bugfix | Medium | Retry mark-as-seen on unique-constraint race conditions. | — | llm_adapter@2026-05-21 | high |
| Bugfix | Medium | Background jobs avoid infinite retries for already-deleted records. | — | llm_adapter@2026-05-21 | high |
| Bugfix | Medium | Preserve group ownership when creating discussions from templates. | — | llm_adapter@2026-05-21 | high |
| Bugfix | Medium | Guard transcription analysis against detached blobs and non-rich-text. | — | llm_adapter@2026-05-21 | high |
| Bugfix | Medium | Prevent notifications when users @mention their own group. | — | llm_adapter@2026-05-21 | low |
| Bugfix | Medium | Improve demo cloning reliability by skipping Rails Pulse. | — | llm_adapter@2026-05-21 | low |
| Bugfix | Medium | Make received-email allow/block actions idempotent. | — | llm_adapter@2026-05-21 | low |
| Bugfix | Medium | Improve German context-menu translations and document translation traps. | — | llm_adapter@2026-05-21 | low |
| Bugfix | Medium | Do not notify the actor when they @mention their own group. | — | granite4.1:30b@2026-05-24-audit | low |
| Bugfix | Low | Make demo cloning more reliable by skipping Rails Pulse and bulk-writing translations. | — | granite4.1:30b@2026-05-24-audit | low |
| Refactor | Medium | Migrate legacy Document records to ActiveStorage attachments. | — | llm_adapter@2026-05-21 | high |
| Refactor | Medium | Remove obsolete hocuspocus SQLite persistence and legacy template calls. | — | llm_adapter@2026-05-21 | high |
| Refactor | Medium | Remove Rails Pulse and related schema/dependency leftovers. | — | llm_adapter@2026-05-21 | high |
| Refactor | Medium | Remove legacy loomio_channel_server setup. | — | llm_adapter@2026-05-21 | high |
Full changelog
2026-05-11 (Loomio 3.0.24)
- Fixed: Prevent comment authors from editing or restoring comments that an admin has discarded.
- Fixed: Preserve group ownership when creating discussions from templates in grouped contexts.
- Improved: Hardened deployment/runtime behavior with trusted ingress IP allowlisting and exec-based Docker startup processes.
- Improved: Removed obsolete hocuspocus SQLite persistence and legacy document-list template calls.
- Improved: Background jobs now avoid retrying forever for records that have already been deleted.
- Maintenance: Updated dependencies including Devise, Vite, Bootsnap, Rollup, Sentry, Nokogiri, Puma, and tzinfo-data.
2026-05-06 (Loomio 3.0.23)
- Fixed: Do not notify the actor when they @mention their own group.
- Fixed: Improved German discussion context-menu translations and documented known translation traps.
- Fixed: Make received-email allow/block actions idempotent.
- Fixed: Retry mark-as-seen when concurrent requests hit a unique-constraint race.
- Fixed: Guard transcription analysis against detached blobs and non-rich-text records.
- Improved: Migrated legacy Document records to ActiveStorage attachments and removed the legacy Document model/workers.
- Improved: Removed Rails Pulse and related schema/dependency leftovers.
- Improved: Removed legacy loomio_channel_server setup.
- Improved: Raised the global request-per-IP throttle from 300 to 900 per 5 minutes.
- Improved: Made demo cloning more reliable by skipping Rails Pulse and bulk-writing translations.
- Maintenance: Updated dependencies including Nokogiri and Puma.
About Loomio
Collaborative decision-making tool that makes it easy for anyone to participate in decisions which affect them.