NodeBB

v4.12.0 Feature

This release adds 5 notable features for engineering teams evaluating rollout.

Published 7d Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

community forum javascript mongodb nodejs nodebb

+4 more

postgresql redis socket-io websockets

Affected surfaces

auth rbac

Summary

AI summary

Broad release touches Bug Fixes, New Features, Refactors, and Tests.

Changes in this release

Type	Severity	Summary	CVE
Feature
Feature	Low	Add privilege gate behind category outbox API route. Add privilege gate behind category outbox API route. Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Add nbbRequire supporting both ESM and CJS. Add nbbRequire supporting both ESM and CJS. Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Navigate thumbs using keyboard shortcuts. Navigate thumbs using keyboard shortcuts. Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Link to thumb images within preview modal. Link to thumb images within preview modal. Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Federate ActivityPub Delete events when chat messages are removed. Federate ActivityPub Delete events when chat messages are removed. Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Handle remote chat message deletions gracefully. Handle remote chat message deletions gracefully. Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Process incoming like, dislike, and follow Activity Intents via webfinger. Process incoming like, dislike, and follow Activity Intents via webfinger. Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Implement server‑side rate limiting for intents.query endpoint. Implement server‑side rate limiting for intents.query endpoint. Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Introduce Activity Intent trigger modal UI component. Introduce Activity Intent trigger modal UI component. Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Allow owners to move misplaced topics. Allow owners to move misplaced topics. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature	Low	Support array of privileges for categories.can checks. Support array of privileges for categories.can checks. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature	Low	Show muted users in /users list and ACP page. Show muted users in /users list and ACP page. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature	Low	Add Burmese (Myanmar) localisation. Add Burmese (Myanmar) localisation. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature	Low	Add blocked file extensions blacklist to complement allowlist for uploads. Add blocked file extensions blacklist to complement allowlist for uploads. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature	Low	Implement additional checks in fetchPublicKey function. Implement additional checks in fetchPublicKey function. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature	Low	Add rate limiter to fetchPublicKey, allowing one failing request at a time. Add rate limiter to fetchPublicKey, allowing one failing request at a time. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature	Low	Introduce moderators collection for categories. Introduce moderators collection for categories. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature	Low	Implement naive full‑text search on chats list. Implement naive full‑text search on chats list. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature	Low	Implement FEP-baf5 administrator collection and discovery in ActivityPub. Implement FEP-baf5 administrator collection and discovery in ActivityPub. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature	Low	Add filtered execution by path keyword in schema.js. Add filtered execution by path keyword in schema.js. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature	Low	Add hostname and type filtering to errors page in federation module. Add hostname and type filtering to errors page in federation module. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Bugfix
Bugfix	Medium	Fix cross‑post modal closing when navigating away from a topic. Fix cross‑post modal closing when navigating away from a topic. Source: llm_adapter@2026-05-27 Confidence: high	—
Bugfix	Low	Fix missing return statements causing early exits. Fix missing return statements causing early exits. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Bugfix	Low	Correct handling of custom routes that bypass /admin checks. Correct handling of custom routes that bypass /admin checks. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Bugfix	Low	Fix tests for Announce(Delete) to use remote category and post objects. Fix tests for Announce(Delete) to use remote category and post objects. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Bugfix	Low	Allow file uploads on manage uploads page to the designated uploads folder. Allow file uploads on manage uploads page to the designated uploads folder. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Bugfix	Low	Add additional validation checks for Announce(Delete) operations. Add additional validation checks for Announce(Delete) operations. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Bugfix	Low	Fix RTL CSS issue with cropper.js in the admin interface. Fix RTL CSS issue with cropper.js in the admin interface. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Bugfix	Low	Resolve resizable component issue for RTL layouts. Resolve resizable component issue for RTL layouts. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Bugfix	Low	Guard husky postinstall script with NODE_ENV check to avoid unintended execution. Guard husky postinstall script with NODE_ENV check to avoid unintended execution. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—

Full changelog

Release build (minor) of NodeBB @ 2026-05-27T15:34:05.321Z

v4.12.0 (2026-05-27)

Documentation Changes

open api schema for /intents/:intent (77819720)
openapi spec for new chat search API (aabe86d8)

New Features

add privilege gate behind category outbox AP route (8e98325e)
add a nbbRequire that works with esm/cjs (56606f3b)
navigate thumbs by keyboard (0b684d5b)
link to thumbs in preview modal (dbb75efe)
federate ActivityPub Delete when chat messages are deleted (f8d34d41)
#14277, handle remote chat message deletion (d69b6e8e)
handle incoming like/dislike/follow Activity Intents, publish support in webfinger (8f7cb7d9)
Create Activity Intent handler landing page controller + view (43e383a0)
send some content and inReplyTo for the Create intent (2a26a62e)
invoke intents.trigger() on guest topic creation and reply actions (965e0dd9)
invoke intents.trigger on guest vote attempt (f93f45d1)
server-side rate limiting in intents.query (ec232d32)
Activity Intent trigger modal (2aa97baa)
open intent registration modal in login and register pages (c4871938)
basic register() method and modal tpl (75424886)
expose object activity intent, #14253 (b76ef6a7)
restore note assertion on redirectToPost controller, update /ap route to redirect guests to login for 3b86 Object intent support, #14253 (b89b5d4e)
use separate bootstrap file to build schema data before api schema tests (8e818fd9)
closes #14251 (6f3d6884)
allow owners to move misplaced topics (#14227) (7fa7a714)
allow array of privileges for categories.can (7599a125)
show muted users in /users and acp page (85b980b5)
add new localisation, Burmese (Myanmar) :tada: (b082d971)
add blocked file extensions (blacklist) to complement the existing allowlist (#14229) (41675ecf)
implement additional checks to fetchPublicKey (6b3801fa)
add rate limiter to fetchPublicKey, one failing request at a time (d393de7a)
#13707, moderators collection for categories (c51a0ad6)
#14202, naive fulltext search on chats list (3f311050)
activitypub: implement FEP-baf5 administrator collection and discovery (6a0c4fd7)
schema.js: add filtered execution by path keyword (d85d4a1c)
federation: add hostname and type filtering to errors page (03660664)

Bug Fixes

add missing return (a6c4b86e)
module (08bf19b6)
more tx fixes (f08422a3)
don't escape [ & ] breaks nested translations (730e4dac)
relax tx escape/unescape (02ce0581)
delete tid/pid when post is coming from post queue (73f908b3)
tests, when removing the announce wrapper, resolve the sub-object (b1e516b9)
don't overwrite pid in POST /api/v3/topics (7f08fb95)
custom routes bypassing /admin checks (19c7473b)
correct Announce(Delete) tests to use remote category and post (ba9db006)
on the manage uploads page files can be uploaded to the uploads folder (8d060047)
additional checks for Announce(Delete) (2c5fe7e1)
#14293, close crosspost modal when navigating away from topic (29e09dd3)
#14292, rtl css fix for cropper.js (6922b23d)
relative_path test (6129c77e)
escape cover:url/picture (6b281edd)
closes #14289, index conflicts in createIndices (e73e0d1a)
rtl resizable issue, closes #13340 (0594bff8)
check xmldom dependency since it's required in file.js (44217a07)
quote filenames (4fb7f5b3)
download xml files (7142c008)
language keys for new intents feature (3e8f7798)
guard husky postinstall script behind NODE_ENV check (0ddec59e)
postinstall script (b640ba4a)
sanitize xml files in uploads (2bde875f)
#14274 - add postinstall script for husky auto-install (b291c4aa)
#14273 - clear ap:retry:queue entries without digest (b5809172)
update intent display map to include the square brackets (d7338d5d)
unworking code from an errant AI refactor (8fa6987a)
mapIntentNames calling wrong translation method (15ed75d0)
revert added code that did not do what it was meant to do (567fae09)
update redirectUidToUserslug to handle remote ids (a74f426a)
navigate to post directly (ce231176)
pass toPid to front-end too (1d90e53c)
invoke intents trigger on world page items (e7b1d73b)
handle registration not showing up in UI if there were no existing handlers registered (a96ffb8a)
interpolate parameters into template string, add schema for new route (15725b38)
use storage module instead of localStorage directly (ebd903f0)
save template in localStorage as well (b8ed48c3)
show supported intents in modal (5288f773)
update modal to stay open on handle registration (423e9d9d)
front-end logic (getters, setters, refresh code to call backend), backend code to query webfinger to get valid intents (8422ec26)
#14269, don't treat test.test.test as url in input-text (ea92fb97)
decode request path before checking for privateUploads (b3d6b2c6)
on user delete remove from users:muted (bec23aea)
add escaping to id/type/activityType in AP/errors ACP page to guard against improper user data (a0ffa2ec)
#14208, off-by-some error on getUsersFields (b8af9375)
add missing l10n file (4552c908)
#14219, show crossposted topics in unread (6cffd1c2)
'on' not 'true' (6d988c76)
simpler logic for parsing peertube objects, #14220 (2523d95b)
broken test, overly strict (and wrong) conditional, remove content-type check (3604452f)
add fixed-window rate limiter to fetchPublicKey (8d730de7)
add 50ms delay before checking activitypub._sent (03b56eac)
syntax error (5e2bcc31)
syntax error (6e1ecfbc)
wrap calls to activitypub.out methods in setImmediate so local methods have a chance to finish before requests start going out (814076e0)
test manual dispatcher (607defbb)
#14202 (4f71a0e7)
#14203, checkCache.get returns null when fetch is used directly (9c30f1d4)
activitypub:
- escape rule.value in Rules.list (68bd6137)
- regenerate topic title when post with generatedTitle is edited (359077a2)
- #14275, delete topic when Announce(Delete) targets last post (412dd61b)
- use /uid/{uid} for local user mention hrefs in Mocks.notes.public (26e595e1)
- save digest in retry queue for failed message delivery (4f58b3e4)
- skip actor resolution when federation is disabled (f0bf44fd)
- handle before cursor for upward infinite scroll navigation (699c3593)
ap: use correct key 'ap.errors' (dot) in pruning cron job (1e0ce6e5)

Refactors

don't log both messages (564185df)
use hooks to update thumb counts (16c43a4d)
remove Announce(Like) handler in favour of removing the wrapper and delegating to inbox.like directly (it has more checks). Preserve the actor assertion check as that is not done on sub-objects (0c37a496)
switch to globalThis.nodebb (04abb3e9)
use require (7c61cf15)
add more tags, normalize value (7d6522a1)
tests back into individual it() blocks (66d8029e)
fix typo in error message (ae2592ba)
add muted field to user (2f3b3ecf)
add guards against Error [ERR_IPC_CHANNEL_CLOSED] (18dd8125)
break apart helpers.generateCollection into two smaller methods for situations where you have the items already (76246949)
activitypub: simplify signature verification in middleware (f6b5cd82)

Tests

fix flag test (a0a9f2b2)
fix relative_path test (c4efdeb9)
fix more picture tests (446539fb)
fix user test (b5a77598)
add more tests for xml uploads (2c1dcfb4)
fix merge test (fbd8dbc4)
fix helpers.mocks.create to accept custom actor (681b5f94)
add inbox-cids test suite for uid::cids sorted set (902cdfb2)
set thumbs during topics.post (a66d98a5)
add missing await (0900ab24)
fix muted tests (8707f891)
fix nav tests (1fe4ab5d)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track NodeBB

Get notified when new releases ship.

About NodeBB

Node.js based forum software built for the modern web

All releases →