openemr

v8_1_0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 5d Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

ehr emr fhir global-health health healthcare

+14 more

hit international linux medical medical-informatics medical-information medical-records openemr osx php practice-management proprietary-counterparts sponsors windows

Affected surfaces

auth

Summary

AI summary

Broad release touches PHP, DevOps, Backend Modernization Project, and Reports.

Full changelog

8.1.0 - 2026-05-29

Fixed

accept bare image tag in docker-compose mutator (rel-810 backport) (#12284)
add missing release-prep PR template (rel-810) (#12272)
add space separator between SQL lines in load_file() (#10935) (#11003)
default login_page_layout when globals row is missing (backport #11949 to rel-810) (#11971)
dispatch PatientCreatedEvent from legacy new_patient_save.php (backport #12083 to rel-810) (#12087)
Fix ethnicity decline setting (#12188)
gate openemr on mysql service_healthy to avoid race (#11756)
handle table-qualified columns in escape_sql_column_name() (backport #12019 to rel-810) (#12047)
other payer claim control number for secondary claims (#11150)
PHP Fatal error: Uncaught TypeError: receiptDetailLine(): Argume… (#10292)
prepend release-notes section to CHANGELOG (rel-810) (#12299)
preserve patient context in EHR launch skip-auth flow (#11115)
Restore windows webserver_root normalization. (#12140) (#12186)
stop bumping docker-version files (rel-810) (#12297)

Authentication

#10436 redis session storage (#10437)
#10481 EHR launch skip login screen (#10482)
breakage when add new patient via new patient UI (#10530)
correct assignment typo in AuthHash SHA512 fallback (#11019)
create certificates directory before writing key files (#10888)
stop rotating CSRF private key on every main_screen.php load (backport #11888 to rel-810) (#11891)
wait for post-login title transition to avoid race (#11755)

Backend Modernization Project

add order-independent routing via dispatch() method (#11163)
drop fgets() length limit and insert line separator (#11466)
fix issue with loading Juggernaut\OpenEMR\Modules\PriorAuthModule\ (#10425)
Fix returned value of InTransaction (#10524)
remove OEGlobalsBag dependency from version.php (#11053)
restore @throws tag on KeyVersion::fromPrefix() (#10476)
use newline separator in SQL statement concatenation (#11511)

CCDA Service

10456 ccda author session fix (#10470)
register-conditional list XPath in CdaTextParser (#11601)
use escaped Mustache variables in XML attribute positions (#10464)

Calendar

accept #RRGGBB in status color field (#10984)
avoid HTML-encoded status text in demographics widgets (#10985)
dedup recurring appointment notifications via notification_log (#11588)
hide appointments card when user lacks permission (#10647)
remove 0000-00-00 date defaults from postcalendar events (#11245)
Render restoreSession JS inside of script tag (#11418)
route freq_type 5 to REPEAT_ON branch to prevent infin… (#11407)

Clinical Decision Support

stop translating DB identifiers in render_select (#11515)

Database Layer

Ensure legacy DB connection is established (#11282)
Error: Object of class Closure could not be converted to st… (#10663)
qualify column reference in CareTeamService::getCareTeamData() (#10899)
remove dynamically created onsite_activity_view (#10998)
rename misspelled 'declne_to_specfy' value in race (#10762)
resolve PHP 8.5 PDO MySQL attribute deprecations (#11288)
return falsy column values from fetchSingleValue instead of null (#10813)
wrap scalar values in arrays for SQL function params (#10664)

Database Migrations & Schema Changes

Change OSCONJ column type on form_eye_antseg table (#11502)
convert declne_to_specfy in patient_data language and ethnicity (rel-810 backport) (#11893)
correct empty string in list_options integer columns (#11211)
detect database.sql schema changes missing upgrade SQL (#10854) (#10908)
disable audit logging before globals.php loads (#11134)
fix multiple bugs in ORDataObject::_load_enum (#11700)
reduce onetime_auth index prefix length (#11210)
remove 0000-00-00 values from document_templates inserts (#11251)
rename misspelled 'interpretter' column to 'interpreter' (#10846)
set uor=0 for deprecated care_team layout fields (#10849)
use CURRENT_TIMESTAMP default for medex_recalls.r_created (#11212)
use tinyint(1) for questionnaire_repository.active boolean (#11690)

DevOps

add generate_select_list and json_encode as sanitizers (#10839)
add path fixes for Codecov coverage reports (#10677)
add types and fix errors in ClientAdminController (#11007)
Adjust PHPStan to only scan the critical vendor paths (#10439)
assert $pid is defined in portal_payment.php (#10447)
correct custom rule implementations (#10791)
correct misleading docblock @return/@param types (#11455)
disable coverage for PHP 8.6 in scheduled tests (#10378)
emit ADOdb-accurate types in TableTypes generator (#11362)
exclude PHPStan baseline files from analysis hooks (#10672)
Fail if baseline doesn't match generator (#10703)
fix invalid return type annotations (#10804)
Geo Location and population data placement (#10429)
prevent PHPStan pre-commit hook baseline mismatch (#10868) (#10905)
quote time values in dependabot.yml (#11246)
read commit message content instead of file path (#11420)
rector cache masks violations on unchanged files (#10871)
Remove merge_coverage call from inferno tests (#10356)
run coverage conversion inside container for correct path resolution (#10443)
Update path for phpstan baseline artifacts (#10242)
use correct matrix variable for isolated-tests composer cache (#10469)
use files pattern for PHP pre-commit hooks (#10492)
use forward slashes in autoload-dev path (#11166)

Documentation

correct collate field id attribute and add default value (#10472)
correct spelling errors caught by codespell (#10999)
nginx config doc path fix. (#10526)

EHI Export

initialize variables in createExportTasksFromJobWith… (#10830)

Hardening

add input validation for ERA ID parameter (#10758)
recover stuck leases from crashed workers (#11678)
Remove error-suppressing catch block (#11603)
replace addslashes() with RFC 4180 CSV double-quote escaping (#11363)
restrict file permissions for EDI downloads (#10757)
stop suppressing E_USER_WARNING and E_USER_DEPRECATED (#11430)

Infrastructure

predis 3.4.0 fix (#10856)
remove OEGlobalsBag dependency from sql_upgrade.php (#11111)

Internationalization

correct "Dislay" typo in main menu logo description (#10988)
Use correct locale-aware formatting for phone number display (#10772)

Labs

PHP warnings interface/orders (#10788)

Module Support

lazy-init AppDispatch session to survive static factory path (rel-810 backport) (#12228)
Telehealth fatal error (#10580)

Ophthalmology

add state license number to prescription popup (#10894)
correct Schirmer field name typos in copy_forward ANTSEG zone (#10814)
Dispense glasses Rx: manifest/dispensed refraction (#10882)
pass encounter/pid in navbar form URLs to prevent stale session (#10865)
use correct PMSFH key for PMH diagnoses in Diagnosis Builder (#11510)

PHP

#10323 care team upgrade optimization (#10347)
#10332 uuid generation large dataset (#10346)
#10454 webroot session fix (#10455)
add @var annotations to reduce variable.undefined baseline (#10693)
Add missing $form_return variable assignment in eye_mag save.php (#10651)
add missing api.inc.php require (#8394)
checks broken in previous merge (#10230)
Comlink module (#10511)
correct typo 'bootrap' to 'bootstrap' in config.yaml (#10353)
correct typos in CCR/CCDA templates and misc files (#10333)
correct typos in clinical notes and track_anything forms (#10457)
correct typos in contrib, controllers, and misc files (#10336)
correct typos in interface files (#10370)
correct typos in interface/forms (#10342)
correct typos in interface/modules (#10341)
correct typos in library files (#10339)
correct typos in miscellaneous files (#10345)
correct typos in portal files (#10340)
correct typos in sites and templates (#10337)
correct typos in src/ files (#10343)
correct typos in test files (#10344)
Fixes #11142 employer data not saving (#11156)
Improper empty column warnings in layout-based forms (#7071)
include port in PDO DSN for non-default database ports (#10636)
move custom rules into analysed paths to fix result cache warning (#10622)
normalize line endings to LF in 16 files (#10349)
prevent sending blank statement emails (#10486)
Remove accidental override of OEGlobalsBag::getString (#11008)
remove dead code and fix @param false docblocks (#10624)
remove duplicate property in rcfaxclient (#10254)
rename 'uncomplete' mode to 'incomplete' in AMC tracking (#10698)
Revert prior predis 3.4.0 fix (#10977)
separate password from encryption for C_Document.clas… (#11155)
SingletonTrait (#10673)
SystemLogger PSR-3 compliance and simplification (#11130)
trim leading '#' from color setting in PatientTrackerService (#9485)
update broken CDC VIS link (#10632)
use https in @link header tags (#10869)

Patient Portal

fix leftover issue with _documents.html.twig in portal_patient_report.html.twig (#10267)
Fixed the onetime token notification. (#10547)
pass HttpRestRequest to PatientRestController::getOne() in portal route (#10823)
portal messaging display fix for #11202 (#11215)
remove dead $payment_key code in portal_payment.php (#11396)
Save when using dd/mm/yyyy (#10229)
set portal login username when enabling portal access (#7667)

REST API

#10358 care team patient compartment (#10363)
align allergy begdate validation with YYYY-MM-DD docs (#10993)
bootstrap missing user UUID to prevent 500 on fresh installs (#11735)
Clinical Notes FHIR mismatched join #10168 (#10281)
correct typos in FHIR resources and services (#10338)
fix per-patient allergy and condition endpoints returning empty (#10827) (#10901)
include provider first/last name in appointment API responses (#10824)
use isPortalRequest() for portal route detection in RoutesExtensionListener (#10822)
wrap DATETIME empty-string comparisons with CAST (#10891)

Reports

include custom LBF layout forms in patient report (#11146)
prevent inflated totals in Financial Summary by Service Code (#10438)

Security

add ACL check to claim file tracker endpoint (#11091)
add allowed_classes to unprotected unserialize calls (#10896)
add authorization to dated reminders log (#11192)
add authorization to FaxSMS AppDispatch (#11193)
add CSRF protection and parameterize SQL in new_payment.php (#11219)
add CSV formula escaping to League\Csv exports (#10415) (#10903)
add guards to prevent direct HTTP access (#9537)
add LIBXML_NONET to all simplexml_load_string calls (#11388)
add OpenEMR sanitizers to Semgrep echoed-request rule (#10316)
add safe_href URL scheme validation for Twig href attributes (#10897)
centralize XML parsing to enforce LIBXML_NONET across all call sites (#11442)
check sensitivity from correct table for group encounters (#11097)
enforce encounter ownership on vitals (#11189)
escape code descriptions in dynamic code picker (#11096)
escape inline script values in portal payment (#11194)
escape patient data in prescription print view (#11092)
escape portal credential print output (#11191)
escape tab label in TabsWrapper to prevent XSS (#11512)
escape Track Anything graph titles and labels (#11095)
escape unescaped URL attributes in Twig templates (#10474)
escape user data in Eye Exam report (#11186)
fix leftovers from porting core session (#11208)
harden escape_sql_column_name() with backtick-quoting (#11280)
harden escape_table_name() with backtick-quoting (#11297)
increase app cookie expire time and better wrapper selection logic (#10227)
negate ACL condition in CDR ControllerRouter (#11094)
parameterize all SQL in deleter.php via root-cause refactor (#11220)
parameterize SQL and filter request inputs in add_edit_event (#11199)
parameterize SQL in patient.inc.php and harden column name escaping (#11214)
parameterize SQL, add CSRF, and fix serialization injection in portal appointment (#11218)
parameterize SQL, remove dead code, and migrate to QueryUtils in pnotes.inc.php (#11216)
prevent open redirect in portal messaging (#11217)
prevent session conflict for API requests with portal c… (#10404)
prevent XSS in clickmap annotation legend (#11089)
prevent XSS in portal signer modal (#11090)
protect bin/ directory from web access (#10895)
reduce ~111 false positive Semgrep code scanning alerts (#10462)
remove eval() from application JavaScript files (#2010) (#10902)
remove user input from SQL alias in graphs (#11093)
replace addslashes() with js_escape() in JS contexts (#11347)
replace direct $_SESSION writes with SessionUtil::setSession() (#10939)
require check reference number server-side (#7353)
resolve 7 printed-request Semgrep alerts (#10466)
respect explicit ACL denies in zhAclCheck (#11187)
respect sessionAllowWrite global in PHPSessionWrapper (#10931) (#11072)
sanitize backup export command arguments (#11185)
sanitize SearchHighlight input (#11190)
Set cookie secure flag based on install settings (#10203)
set HTTP 403 in csrfNotVerified() (#10567)
skip audit logging for health check endpoints (#10176)
Tighten standard encryption test (#10452)
use DOM construction for iframe in twAddFrameTab (#11551)
validate DICOM zip entry paths (#11188)
validate formdir before using in include paths (#11597)
validate menu role filenames to prevent path traversal (#11513)
validate require_once paths loaded from database (#11592)

UI Modernization

allow clearing email field in user admin update (#11198)

UI/UX

detect duplicates when lower-PID patient matches higher-PID (#10644)
disable patient birthday alert in e2e compose stack (backport #11983 to rel-810) (#11984)
remove pre-escaping of FORM_ACTION to prevent double-escaping (#10539)
respect default value for checkboxes (#10733)
sync Custom.json with standard.json for email send test entry (#11383)
use theme-stable colors for receipt background contrast (#10851)
user dropdown width restricted (#10206)

billing & payments

add mailto: protocol to email links (#10760)
create ERA directory and add overwrite confirmation (#10728)
email statement generation one patient at a time (#8327)
Fix double-escaping and some raw SQL (#10362)
fix saving in collection on auto create encounter (#11625)
post payment from portal in portal dash (#11450)
prevent HTML escaping of ERA file downloads (#10754)
remove dead methods referencing undefined constants (#10755)
replace hardcoded dev URLs with configurable settings (#10759)
save all subscribers in eligibility request (#10750)
sql query error modifier can not be null (#10199)
SQL Query Error: Column 'session_id' cannot be null (#10661)
throw exceptions on API failures instead of returning error values (#10752)
use $postData parameter instead of $_POST (#10763)
validate required settings in isConfigured() (#10756)
Widen param types for payment sequence number generation (#10548)

code set update

skip UPDATE when CPT4 code lookup returns empty (#11499)

communications

allow SMTP without username/password (#10280)
catch up missed appointment-reminder ticks (backport #11907 to rel-810) (#11913)
decouple background service from legacy AJAX entry point (#11680)
drop fgets() length limits in phiMail protocol parsers (#11470)
hardcode UTF-8 CharSet to avoid null from missing global (#11688)
notification cron fixes (backport #11846 + #11922 to rel-810) (#11941)
read cron interval from background_services instead of hardcoding 150 (#11587)
remove SMTP_SECURE from isConfigured required keys (#11381)
replace misleading unauthorized template with silent return (#10686) (#11004)
stop overwriting pc_apptstatus during notification dedup (#11589)
stop resending appointment reminder emails every hour (#11484)
use 24-hour clock for notification window math (#11509)

docker

add xdebug support to dev-php-fpm images (#10369)
fix OPENEMR__NO_BACKGROUND_TASKS env var reliability and scope (#11331)
remove obsolete --with-pic from dev-php-fpm 8.6 build (#11767)
resolve Dependabot overlapping directory error (#11543)
selenium dependabot updates for development-easy-redis (#11061)
set production docker-compose.yml to use latest tag on master branch (#11059)

e-Prescribe

add title for eRx tab (#9130)
allow allergy entry without eRx role (#10680)
set linkMethod for Ensora eRx prescription button (backport #11882 to rel-810) (#11908)

encounter

add translation support for BMI status display (#10406)
enforce newest-first sort in encounters report (#10991)
Fix clinical notes date formatting (Fixes #11290). (#11291)
Fixes #11161 #11492 encounter nav issues (#11503)
Fixes #11493 observation form report embed fix (#11504)
handle missing row and null uuid in encounter view form (backport #11883) (#11886)
hide dispensed medications section when inhouse_pharmacy is disabled (#11144)

installer

require igroup field during installation (#11693)

javascript

Add cache-busting query parameter to payment script (#10231)
uncaught syntax error prevents CDR alert popup (#10441)

multi-site

add missing site parameter to SDOH assessment URLs (#10949)

patient admin

improve recall board filtering and form validation (#10557)

selenium

add diagnostics and retry for modal close timeout in testUserAdd (#10652)
add fresh session retry when JS fails to initialize after login (#10595)
handle optional alert in Create Visit test (#10619)
replace sleep/retry with proper WebDriver wait conditions (#10500)

testing

add CI full test mode and fix stale element in assertActiveTab (#10765)
Add directory to isolated tests (#10574)
add integration tests to phpunit.xml and CI suite list (#11372)
ccda test breaking in docker build on devops (#10225)
Detect PHPUnit exiting without finishing (#11615)
ensure xdebug.mode=coverage for PHPUnit test file coverage (#10687) (#10909)
Fix flaky testUserAdd by properly waiting for page reload (#10287)
handle duplicate visit alert immediately after menu click (#10685)
handle UnexpectedAlertOpenException in assertActiveTab (#10799)
make dupscore unique-flag test robust against demo data (#10922)
prevent cross-Node-version cache contamination in test workflow (#11728)
replace no-op wait() calls with proper WebDriver waits (#10400)
replace Panther crawler clicks with direct WebDriver clicks (#10560)
resolve deprecations in services test suite (#11647)
resolve flaky User add test under coverage (#11300)
set implicit wait to 0 to fix explicit wait retries (#10556)
stop overriding implicit wait in coverage config (#10570)
verify app initialization after login with refresh recovery (#10564)
wait for active tab element before checking content (#10749)
wait for Knockout.js menu render before navigating (#10536)

translation

apply xlt filter in patient verify success email templates (#10983)
use unconditional xl() for dynamic strings, not xl_list_label (#11500)

Added

backport release-prep conductor onto rel-810 (#12269)

Authentication

porting core and portal apps to HttpSessionFactory (#10244)

Backend Modernization Project

add CsrfUtils::checkCsrfInput() convenience method (#11379)
add event hooks for module content injection (#10592)
add rule to forbid CoversClass/CoversFunction attributes (#11594)
add ServiceContainer for centralized service access (#10674)
add typed getKernel() method to OEGlobalsBag (#10679)
forbid shell execution functions and eval() (#11650)
forbid unsafe catch blocks and exit/die inside them (#11621)
Initial front-controller implementation (#9943)
Migrate ADODB setup in sql.inc to new factory method (#10777)
Start to set up PSR-11 DI container (#11001)

Calendar

add missing appointment fields and auto-set pc_time/pc_informant (#8932)

Database Layer

Add ConnectionManager for named database connections (#11138)
Introduce DBAL-based wrapper (#10279)
Migrate ADODB setup in Gacl to new factory method (#10778)
Prepare central ADODB setup (#10776)

Database Migrations & Schema Changes

add structure to connection parsing, prepare reading socket option (#10719)
Base-level ORM installation (#11742)
Support Doctrine migrations for new schema migrations (#10704)

DevOps

Add deprecation rules for PHPStan (#10715)
Add doctrine/migrations to cli (#10943)
add generator for database table type aliases (#10720)
add pre-commit workflow to run actionlint on GitHub Actions workflows (#10212)
Add rule for blocking direct instantiation of certain classes (#10795)
add run-all-due REST and CLI entry points (#11687)
Add workflow summaries for PHPStan failures (#10723)
Disallow global keyword (#10426)
Enhance telemetry (#10302)
Expose installer in symfony/console command (#11631)
forbid direct access to request superglobals (#11250)
support worktrees in the easy dev environments (#11410)

Documentation

add php-fpm web server instructions to Step 5 (#10478)

Infrastructure

add CLI tooling for listing, running, and crontab generation (#11335)
add REST API endpoints for listing and triggering services (#11337)
Flysystem setup; first example integration (#11519)
support redis session locking and fix redis encryption support over wire (#11559)

PHP

add rule to forbid empty() in favor of explicit checks (#10616)
add rule to forbid error_log() in favor of SystemLogger (#10612)
enforce literal-string for translation functions (#10697)
Fixes #10233 cqm reporting period and deps updates (#10234)

REST API

add optional encounter ID to document upload (#10148)
add prescription REST API endpoints with tests (#10837)
Added Bearer token to Swagger UI (#10295)
Fixes #10251 Related Person save existing patient when locale date format is not YYYY-MM-DD. (#10253)
Run API tests through Front Controller (#11705)

Reports

Create 2026 Real World Testing report (#10285)

Security

add AccessDeniedHelper for standardized denial responses (#10568)
Add encrypt methods to new ciphers (#11294)
CryptoInterface and modern Encryption compatibility bridge (#11452)
extend Semgrep SAST coverage to JavaScript, Twig, and XSL (#10467)
Key material storage APIs (#11448)
New core API - CipherSuiteInterface (#11475)
PHPStan rule to require use of query bindings (#10288)
Separate password encryption (1/2) (#11135)
Separate password encryption (2/2) (#11139)

UI/UX

add email field to user admin UI (#11056)
add success alert on patient form submission (#8351)
display software version in fixed footer (#11424)
make main menu logo link and title configurable (#10986) (#11002)

billing & payments

Add support for Rainforest as a payment gateway (#10445)
other payer claim control number for secondary claims (#11075)

communications

add email send test to admin interface (#11378)
add SignalWire integration (#10171)

encounter

Additional datapoint collections. (#10497)

patient admin

add organization type field (#10643)
add pronouns and fix other layout oddities (#10202)
optionally generate csv file of duplicate patients (#10806)

Changed

8.1.0 (#12187)
add force-dispatch input to release-prep (#12286)
add force-dispatch input to release-prep workflow (rel-810) (#12289)
bump codecov/codecov-action from 5 to 6 (#11351)
bump master dev version to 8.1.1 (#11296)
bump redis from 8.6 to 8.6 in /ci/compose-shared-redis-sentinel (backport #11808 to rel-810) (#11974)
include composer.json in vendor cache key (#11617)
prep 8.1.0 (#12285)
prep 8.1.0 (#12300)
prep for 8.1.0 and 8.1.1 (#11310)
rel-810 fix(billing): session crashes on posting page (#11691) (#12202)
rel-810 fix(upgrade) normalize categories_seq instead of unsafe multi-row (#12207)
rel-810: fix(billing): cast 835 monetary fields to float for type-strict comparisons (#11868) (#12205)
rel-810: fix(edihistory): move use statement out of docblock (#12223) (#12226)
rel-810: fix(encounter): use getBoolean for inhouse_pharmacy check in visit summary (#11987) (#12220)
release 8.1.0 misc (#12190)
Revert "chore(release): prep 8.1.0" (#12296)
upgrade Symfony components to 7.x (#11517)

ACL & Permissions

Narrow scope and apply correct type to Gacl properties (#10761)
throw exceptions instead of exit() in controller ACL checks (#11244)

ASTP/ONC Certification

FHIR API documentation minor fixes (#11104)

Authentication

remove obsolete constructor argument from AuthHash calls (#10410)
replace die() with RuntimeException in generatePortal… (#10942)
replace raw SQL parameter in AuthUtils::updatePassword() (#11229)

Backend Modernization Project

Add and initialize basic fallback exception handler (#11411)
add AppointmentService test coverage (#10915)
add array type to $search parameter (#11555)
add isolated tests for MeasurementUtils and StringUtils (#10825)
add LayoutOptionsRow type to TableTypes (#11556)
add native types to Prescription properties (#11318)
add native types to well-covered source files (#11067)
Add type annotations to CCR (#10692)
add type safety to AddressService (#10421)
add typed path accessors to Kernel and migrate src/ (#11570)
Cache service instances in ServiceContainer (#11520)
consolidate base64url encode/decode to HttpUtils (#10543)
Consolidate duplicate function definitions (#10402)
Consolidate float validation using ValidationUtils (#10318)
Consolidate integer validation using ValidationUtils (#10317)
Consolidate IP address validation using filter_var (#10306)
Consolidate more duplicate functions/symbols (#10405)
Consolidate NPI validation using ValidationUtils (#10319)
Consolidate postal code validation using ValidationUtils (#10320)
Consolidate UUID validation using ValidationUtils (#10322)
Consolidate validations using ValidationUtils (#10321)
Continue global function de-duplication (#10588)
Convert legacy Phreeze to updated connection handling (#10802)
convert remaining $GLOBALS existence checks to OEGlobalsBag (#11048)
Deduplicate more global functions (#10790)
Deduplicate more global functions (#10729)
Doctrine/DBAL initial integration (#9980)
drop 1024-byte fgets() buffer in Installer::getLine() (#11461)
enable getInt() and getString() typed getters (#11257)
Fix most duplicate class definitions (#10779)
Improve handling for Symfony HTTP errors (#11501)
inject PSR Clock into EventAuditLogger (#11309)
inline and remove trivial duplicate functions (#10589)
Make QueryUtils the canonical implementation (#10516)
migrate deprecated sqlQ() calls to QueryUtils (#10545)
migrate interface/forms path reads to typed Kernel accessors (#11757)
migrate interface/modules path reads to typed Kernel accessors (#11759)
migrate interface/patient_file path reads to typed Kernel accessors (#11758)
migrate interface/reports path reads to typed Kernel accessors (#11760)
migrate library/ path reads to typed Kernel accessors (#11263)
migrate module installers to Registry (#11682)
migrate remaining interface/ subdirs to typed Kernel path accessors (#11761)
migrate sqlBeginTrans call sites to QueryUtils::inTransaction (#11488)
modernize auto_prepend.php (#11571)
modernize CAMOS form code and eliminate PHPStan baseline entries (#11313)
Move function definitions out of globals.php (#11412)
Move more logic from sql.inc to QueryUtils (#10520)
Move sqlInsert to QueryUtils (#10621)
parameterize SQL, fix loose comparisons, remove dead code (#11349)
reduce PHPStan baseline — QueryUtils, PSR-3 logging, inTransaction (#11269)
Refactor and add tests for fixDate (#11417)
remove 19 unused global definitions (#10929)
Remove generic sql functions (#10519)
Remove getSqlLastError() global function, improve types (#10596)
remove js_escape_protected() -- convert literal escapes at source (#11371)
Remove legacy de-identification tooling (#10534)
Remove legacy non-utf8 connection support (#10789)
remove mitigateSqlTableUpperCase() wrapper (#11299)
remove more duplicate function definitions (#10433)
Remove most of ApplicationTable & Laminas DB coupling (#10930)
remove redundant global $GLOBALS declarations (#11266)
remove unused PredisSessionHandler class (#10528)
replace $GLOBALS access with OEGlobalsBag across the codebase (#11017)
replace allow_cronjobs.php with Symfony console commands (#11707)
replace catch (Exception) with catch (Throwable) (#10620)
replace escaped HTML strings in EDI270 with heredoc (#11583)
replace getSearchClass with SearchClass enum (#11557)
replace repeat-type if/elseif chain with date arithmetic (#11270)
replace VersionService::asString() with SoftwareVersion DTO (#11428)
return booleans instead of string values in connectivity checks (#10850)
reused SingletonTrait at OEGlobalsBag (#10515)
Separate "beta" CLI commands (#11702)
Sort functions in autoloaded function file (#11406)
stop constructing throwaway Kernel instances (#11262)
Support CipherSuiteInterface in EventAuditLogger (#11704)
Switch from error_log to standard system logger, fix status codes (#10690)
use centralized database connection factory (#10805)
use getBoolean() for boolean OEGlobalsBag settings (#11050)
use getInt() for numeric OEGlobalsBag settings (#11068)
use OEGlobalsBag::getKernel() instead of ->get('kernel') (#11014)

CCDA Service

add isolated unit tests for CdaTemplateParse (#10873)
remove dead code and fix undefined variables (#10689)
rename cache key to invalidate stale v127 binaries (backport #11862) (#11890)

Calendar

replace hardcoded day/month arrays with int-backed enums (#11427)
Update PostNuke internals to DBAL (#10773)

Database Layer

centralize connection persistence detection (#10803)
change $_db property from public to protected (#10889)
migrate get_db() calls to QueryUtils (#10884)
Move dbal connection into factory (#11082)
Remove charset option (#10801)
Remove multipledb module (#10927)
Remove sqlconfig event (#10920)
Remove support for secure_sqlconf.php (#10883)
rename Audit connection to NonAudited (#11376)
Simplify config file reading (#10972)
Update backup script to central config reads; exclude phpstan info (#10966)
use BC\Utilities::isDateEmpty() for zero-date checks (#11320)

Database Migrations & Schema Changes

Baseline tooling for doctrine/migrations conversion (#11653)
Pre-create Doctrine migrations table (#11771)
Remove forward upgrade from release (#11773)

Dependency Upgrade Broken

Remove laminas-db package dependency (#10965)

DevOps

Add and correct missing type info (#10967)
add Build Patch Release workflow (#11079)
add check for v_database alignment between version.php and database.sql (#10768)
add codespell spell checking for CI and local development (#10327)
add codespell to local development tooling (#10389)
add export-ignore rules to .gitattributes (#11213)
add pcov support for faster code coverage (#10375)
add rector and shipmonk to dependabot development group (#11239)
Add scheduled nightly tests with full coverage (#10360)
add script to analyze flaky test patterns (#10601)
add Semgrep security scanning for PHP code (#10264)
add shell-out CLI integration test (#11699)
Add unused use statement linting (#10938)
Avoid duplicate function definitions (#10713)
bump actions/checkout from 4 to 6 (#10272)
bump actions/checkout from 4 to 6 (#10391)
bump actions/download-artifact from 4 to 8 (#11062)
bump actions/setup-python from 5 to 6 (#10390)
bump actions/upload-artifact from 4 to 6 (#10271)
bump actions/upload-artifact from 4 to 6 (#10653)
bump actions/upload-artifact from 6 to 7 (#10956)
bump docker/build-push-action from 6 to 7 (#11038)
bump docker/login-action from 3 to 4 (#11040)
bump docker/setup-buildx-action from 3 to 4 (#11037)
bump docker/setup-qemu-action from 3 to 4 (#11039)
bump immutable 4.3.7 → 4.3.8 in ccdaservice (#11033)
bump j178/prek-action from 1 to 2 (#11232)
bump mariadb to 12.2 (#11534)
bump minimatch to fix ReDoS (CVE-2026-26996) (#10932)
Conditional directory creation for patch files (#11170)
consolidate PHPCS config into phpcs.xml.dist (#10593)
delegate to composer scripts instead of hard-coding commands (#10533)
delete .github/workflows/build-patch.yml (#11175)
drop direct laminas/laminas-json requirement (#11133)
exclude uncoverable test infrastructure from coverage (#10641)
Group and sort use statements (#10994)
normalize config.yaml indentation to 2 spaces (#10352)
parallelize PHP syntax checking with problem matcher (#10376)
parallelize test suites within each configuration (#11051)
pin Docker images by digest and add Dependabot for CI images (#11518)
pin Docker images by digest in docker/* development environments (#11541)
Reduce PR test matrix to PHP 8.2 only (#10365)
Remove PHPUnit --testdox format from CI (#11306)
Remove redundant local coverage merge (#10354)
Remove stray legacy PHPStan baseline file (#10289)
remove unused PHP setup and cs2pr tool (#10625)
Replace MySQL sleep 60 with health check (#10357)
report every time (#10648)
Restrict new function additions to global namespace (#10297)
Run PHPStan on 8.5 (#11292)
simplify phpstan workflow using failure() condition (#10551)
support for alpine 3.23 with php 8.5 and nodejs 24 (#11495)
Tell composer phpstan to prefer dist config (#10916)
Update fetch-depth in build-patch.yml (#11173)
Upgrade swagger-php to 6.x with PHP 8 attributes (#10921)
use manual_trigger to prevent partial coverage reports (#10480)

Documentation

add 8.0.0.3 changelog (#11276)
add CLI testing tip for special characters in passwords (#10484)
add guidance on proposing changes and repo selection (#10953)
add OpenAPI attributes to BackgroundServiceRestController (#11595)
Adjust changelog so it doesn't trigger spellcheck errors on all PRs (#11283)
changelog 8.0.0.1 (#11081)
clarify register() active-flag policy (#11681)
expand CLAUDE.md with PHP coding standards (#11342)
remove 2015 reference (#11083)
update AI guidelines files for commit trailers (#11301)
Update changelog for 8.0.0.2 (#11176)
update CLAUDE.md for recent codebase changes (#10979)
update outdated documentation (#10582)
update PR and contribution guidelines (#11277)
Update swagger schema (#11703)

FHIR

fix literal-string violations in xl/xlt calls (#11429)

Hardening

document OEGlobalsBag typed getters from ParameterBag (#11010)
migrate main-tab poll to REST API (#11727)
replace exec(unzip) with ZipArchive for ERA file uploads (#11422)
use symfony/process for print command (#11414)

Infrastructure

add BackgroundServiceRegistry for module registration (#11336)
Adjust phpstan config to improve cache interaction (#10615)
distinguish lock failure reasons in BackgroundServiceRunner (#11423)
extract common PHP/Composer setup into reusable action (#10576)
extract orchestration into BackgroundServiceRunner (#11334)
key phpstan and rector caches on tool version, not composer.lock (#11724)
upload regenerated docs as artifact on failure (#10630)

Module Support

remove abandoned sms_email_reminder (#11679)

PHP

Add/fix common type hints (#10816)
Avoid errorLogCaller() where exception context available (#11100)
bug: Fixes #10250 default lists option for new patient save (#10252)
bump bacon/bacon-qr-code from 3.0.3 to 3.0.4 (#11122)
bump bacon/bacon-qr-code from 3.0.4 to 3.1.1 (#11435)
bump digitickets/lalit from 3.4.0 to 3.4.1 (#11433)
bump doctrine/dbal from 4.4.1 to 4.4.2 (#10964)
bump doctrine/dbal from 4.4.2 to 4.4.3 (#11238)
bump dompdf/dompdf from 3.1.4 to 3.1.5 (#11042)
bump ergebnis/composer-normalize from 2.48.2 to 2.49.0 (#10505)
bump ergebnis/composer-normalize from 2.49.0 to 2.50.0 (#10781)
bump ergebnis/composer-normalize from 2.50.0 to 2.51.0 (#11715)
bump giggsey/libphonenumber-for-php from 9.0.22 to 9.0.23 (#10508)
bump giggsey/libphonenumber-for-php from 9.0.23 to 9.0.25 (#10959)
bump giggsey/libphonenumber-for-php from 9.0.25 to 9.0.26 (#11120)
bump giggsey/libphonenumber-for-php from 9.0.26 to 9.0.27 (#11436)
bump giggsey/libphonenumber-for-php from 9.0.27 to 9.0.28 (#11720)
bump google/apiclient from 2.19.0 to 2.19.1 (#11353)
bump google/apiclient from 2.19.1 to 2.19.2 (#11434)
bump guzzlehttp/psr7 from 2.8.0 to 2.9.0 (#11119)
bump knplabs/knp-snappy from 1.5.1 to 1.6.0 (#10782)
bump laminas/laminas-config from 3.10.1 to 3.11.0 in the laminas group (#10502)
bump laminas/laminas-json from 3.7.1 to 3.8.0 in the laminas group (#10394)
bump laminas/laminas-soap from 2.14.0 to 2.15.0 in the laminas group (#11118)
bump mpdf/mpdf from 8.2.7 to 8.3.1 (#11124)
bump phpoffice/phpspreadsheet from 5.4.0 to 5.5.0 (#10963)
bump phpoffice/phpspreadsheet from 5.5.0 to 5.6.0 (#11527)
bump phpoffice/phpspreadsheet from 5.6.0 to 5.7.0 (#11714)
bump phpseclib/phpseclib from 3.0.48 to 3.0.49 (#10504)
bump phpseclib/phpseclib from 3.0.49 to 3.0.50 (#11195)
bump phpseclib/phpseclib from 3.0.50 to 3.0.51 (#11529)
bump phpstan/phpstan from 2.1.37 to 2.1.38 in the development group (#10503)
bump phpstan/phpstan from 2.1.39 to 2.1.40 in the development group (#10958)
bump phpstan/phpstan from 2.1.42 to 2.1.44 in the development group (#11352)
bump phpunit/phpunit from 11.5.46 to 11.5.48 in the development group (#10273)
bump phpunit/phpunit from 11.5.49 to 11.5.50 (#10413)
bump phpunit/phpunit from 11.5.50 to 11.5.52 in the development group (#10654)
bump phpunit/phpunit from 11.5.53 to 11.5.55 in the development group (#10874)
bump predis/predis from 3.3.0 to 3.4.0 (#10783)
bump predis/predis from 3.4.0 to 3.4.1 (#10962)
bump predis/predis from 3.4.1 to 3.4.2 (#11064)
bump ramsey/conventional-commits from 1.6.0 to 1.7.0 (#11044)
bump rector/rector from 2.3.1 to 2.3.4 (#10397)
bump rector/rector from 2.3.4 to 2.3.5 (#10506)
bump rector/rector from 2.3.5 to 2.3.6 (#10656)
bump rector/rector from 2.3.6 to 2.3.8 (#10876)
bump rector/rector from 2.3.8 to 2.3.9 (#11236)
bump rector/rector from 2.4.0 to 2.4.1 in the development group across 1 directory (#11523)
bump slevomat/coding-standard from 8.28.0 to 8.28.1 (#11235)
bump symfony/process from 7.4.3 to 7.4.5 (#10428)
bump the development group across 1 directory with 2 updates (#10398)
bump the development group across 1 directory with 2 updates (#11713)
bump the development group with 2 updates (#11432)
bump the development group with 5 updates (#10780)
bump the symfony group with 4 updates (#10501)
bump the symfony group with 4 updates (#11041)
bump the symfony group with 5 updates (#11431)
bump the symfony group with 7 updates (#10957)
bump the symfony group with 9 updates (#10393)
bump twig/twig from 3.22.2 to 3.23.0 (#10396)
bump twig/twig from 3.23.0 to 3.24.0 (#11237)
bump twilio/sdk from 8.10.1 to 8.11.0 (#10655)
bump twilio/sdk from 8.11.0 to 8.11.1 (#10877)
bump twilio/sdk from 8.11.1 to 8.11.2 (#11121)
bump twilio/sdk from 8.11.2 to 8.11.3 (#11354)
bump twilio/sdk from 8.11.3 to 8.11.4 (#11716)
bump zircote/swagger-php from 6.0.5 to 6.0.6 (#10961)
bump zircote/swagger-php from 6.0.6 to 6.1.0 (#11526)
bump zircote/swagger-php from 6.1.0 to 6.1.1 (#11718)
consolidate email validation to use ValidationUtils (#10304)
consolidate phone number handling using PhoneNumberService (#10326)
drop unnecessary fgets() length limits (#11514)
Fix a few missing/incorrect types (#10691)
improve isolated test suite and remove error_log output (#10575)
migrate oeFormatDateTime to DateFormatterUtils and add tests (#10847)
Raise PHPStan level to 10; baseline new errors (#10444)
Remove completely empty files (#10591)
remove legacy .inc redirect stubs (#10495)
Remove most remaining coupling to SystemLogger (#11108)
remove parens from require/include and apply PHPCBF fixes (#10460)
Remove remaining dependence on errorLogCaller (#11106)
removed no longer used phpstan-remaining-baseline.neon file (#10514)
resolve composer dependency blockers for PHP 8.4 (#11204)
Update many SystemLogger to Psr LoggerInterface (#11088)
use QueryUtils in DatabaseCheck (#10688)

Patient Portal

remove dead verysimple DB drivers (#10639)

REST API

add PHPUnit coverage for api test files (#10634)
fix copy-paste errors in OpenAPI annotations (#10940)
Multilined scopes at ApiTestClient (#10296)
replace $_GET with $request->query in REST routes (#11252)

Release

backport milestone 8.1.0 to rel-810 (#12008)
bump v_database (#10766)
change master dev version to 8.0.1 (#10222)
Move 8.1.1 SQL changes back into 8.1.0 (#11772)
prep changelog for 8.0.0 release (#10695)
prep upgrade mechanism for docker 8.0.0 release (#10269)

Security

Add and integrate ciphertext wrapper (#11289)
add integration tests for CryptoGen decryption (#11158)
Add keychain component (#11303)
Adjust wrapped values in primitives (#11447)
Encapsulate legacy decryption methods (#10981)
expand isolated tests for unserialize allowed_classes (#11584)
Extract ATNA logging (#11069)
Extract DB loggers from EventAuditLogger (#11078)
Get most global state out of the instance path (#11113)
Have log table and ATNA implement common interface (#11102)
Make audit destinations ("sinks") configurable (#11105)
Message parser and format tooling (#11302)
Migrate CryptoGen to CryptoInterface (#10982)
Modularize cryptographic ciphers (#11247)
Move KeyId primitive up to top namespace (#11445)
Pass enums instead of strings (#10995)
remove QuotedOrNull and convert to prepared statements (#10573)
remove silent failure handling from RandomGenUtils (#10913)
replace encrypted more_secure globals with constants (#11404)
replace mb_substr/mb_strlen with substr/strlen in binary operations (#11373)
scope auth-path UUID bootstrap to single row (#11736)
simplify collectCsrfToken() usage across codebase (#11240)
Simplify the modern key format handling, prepare for explicit key ids (#11305)
Start to add DI support to CryptoGen (#11131)
use AccessDeniedHelper for ACL denial patterns (#10683)

Twig Migration

add compilation test for all 268 Twig templates (#10477)
add render tests for Twig templates (#10493)

UI/UX

add isolated tests for MenuItems and BaseMenuItem (#10831)
Relabel everything that is public facing from NewCrop to Ensora. (#9891)

billing & payments

Centralize some of the data insertion logic (#10246)
Streamline table/form in UIs (#10420)
use OEGlobalsBag and add isolated tests (#10840)
use PSR-18 HTTP client (#10770)

communications

remove dead variables from notification script (#11553)
replace magic vendor IDs with ServiceType enum (#10948)
Split conflicting class name definitions (#10408)
wrap phiMail socket lifecycle in try/finally (#11476)

docker

allow patch updates for CI docker images (#11536)
bump alpine from 3.21 to 3.23 in /ci/apache_82_118_redis_sentinel_mtls (#11732)
bump alpine from 3.21 to 3.23 in /ci/apache_85_118_redis_sentinel_mtls (#11733)
bump alpine from 3.21 to 3.23 in /ci/apache_85_118_redis_sentinel_tls (#11734)
bump axllent/mailpit from v1.29.6 to v1.29.7 in /ci/compose-shared-mailpit in the mailpit group across 1 directory (#11697)
bump axllent/mailpit from v1.29.6 to v1.29.7 in /docker/development-insane in the mailpit group across 1 directory (#11696)
bump couchdb from 3.4.3 to 3.5.1 in /ci/inferno in the couchdb group across 1 directory (#11540)
bump couchdb from 3.4.3 to 3.5.1 in /docker/development-insane in the couchdb group across 1 directory (#11546)
bump couchdb from 3.5.1 to 3.5.1 in /ci/inferno in the couchdb group across 1 directory (#11746)
bump couchdb from 3.5.1 to 3.5.1 in /docker/development-insane in the couchdb group across 1 directory (#11752)
bump jodogne/orthanc-plugins from latest to latest in /docker/development-insane (#11636)
bump mariadb from 10.6.25 to 10.6.25 in /docker/development-insane in the mariadb group across 1 directory (#11656)
bump mysql from 5.7.44 to 5.7.44 in /docker/development-insane in the mysql group across 1 directory (#11634)
bump mysql from 5.7.44 to 5.7.44 in /docker/development-insane in the mysql group across 1 directory (#11709)
bump mysql from 8.0.45 to 8.0.46 in /ci/apache_85_80 in the mysql group across 1 directory (#11745)
bump mysql from 8.4.8 to 8.4.9 in /ci/apache_85_84 in the mysql group across 1 directory (#11731)
bump openemr/openemr from flex-3.17 to flex-3.17 in /docker/development-insane in the openemr-images group across 1 directory (#11606)
bump openemr/openemr from flex-3.17 to flex-3.17 in /docker/development-insane in the openemr-images group across 1 directory (#11635)
bump openemr/openemr from flex-3.17 to flex-3.17 in /docker/development-insane in the openemr-images group across 1 directory (#11658)
bump openemr/openemr from flex-3.17 to flex-3.17 in /docker/development-insane in the openemr-images group across 1 directory (#11695)
bump openemr/openemr from flex-3.17 to flex-3.17 in /docker/development-insane in the openemr-images group across 1 directory (#11729)
bump openemr/openemr from flex-3.17 to flex-3.17 in /docker/development-insane in the openemr-images group across 1 directory (#11751)
bump phpmyadmin from latest to latest in /docker/development-insane in the phpmyadmin group across 1 directory (#11577)
bump phpmyadmin from latest to latest in /docker/development-insane in the phpmyadmin group across 1 directory (#11754)
bump redis from 7.2 to 8.6 in /docker/development-easy-redis in the redis group across 1 directory (#11545)
bump redis from 8.6 to 8.6 in /ci/compose-shared-redis-sentinel in the redis group across 1 directory (#11747)
bump redis from 8.6 to 8.6 in /docker/development-easy-redis in the redis group across 1 directory (#11749)
bump redis from latest to latest in /docker/development-insane in the redis group across 1 directory (#11753)
bump selenium/standalone-chromium from 145.0.7632.109 to 147.0.7727.55 in /docker/development-insane in the selenium group across 1 directory (#11576)
bump selenium/standalone-chromium from 147.0.7727.55 to 147.0.7727.55 in /ci/compose-shared-selenium in the selenium-updates group across 1 directory (#11604)
bump selenium/standalone-chromium from 147.0.7727.55 to 147.0.7727.55 in /docker/development-insane in the selenium group across 1 directory (#11607)
bump selenium/standalone-chromium from 4.40.0 to 4.41.0 in /docker/development-easy-redis in the selenium-updates group across 1 directory (#11065)
bump selenium/standalone-chromium from 4.41.0 to 147.0.7727.55 in /ci/compose-shared-selenium in the selenium-updates group across 1 directory (#11572)
bump the couchdb group across 2 directories with 1 update (#11544)
bump the couchdb group across 2 directories with 1 update (#11748)
bump the mailpit group across 2 directories with 1 update (#11694)
bump the mariadb group across 14 directories with 1 update (#11657)
bump the mariadb group across 4 directories with 1 update (#11655)
bump the mariadb group across 4 directories with 1 update (#11730)
bump the mysql group across 2 directories with 1 update (#11633)
bump the mysql group across 2 directories with 1 update (#11711)
bump the openemr-images group across 1 directory with 2 updates (#11575)
bump the openemr-images group across 1 directory with 2 updates (#11710)
bump the openemr-images group across 5 directories with 1 update (#11578)
bump the openemr-images group across 5 directories with 1 update (#11712)
bump the phpmyadmin group across 3 directories with 1 update (#11574)
bump the phpmyadmin group across 3 directories with 1 update (#11750)
bump the selenium group across 2 directories with 1 update (#11573)
bump the selenium group across 2 directories with 1 update (#11605)
bump the selenium-updates group across 3 directories with 1 update (#10367)
bump the selenium-updates group across 3 directories with 1 update (#10946)
bump the selenium-updates group across 4 directories with 2 updates (#11539)
correct duplicate MYSQL_PASS in comments (#10419)
ignore version bumps for CI images pinned to specific versions (#11535)
prep for rel-810 (#11341)
use patch-level tags and refine Dependabot ignore rules (#11537)

javascript

bump @ckeditor/ckeditor5-html-support and ckeditor5 (#10980)
bump @xmldom/xmldom from 0.9.8 to 0.9.9 in /ccdaservice (#11356)
bump autoprefixer from 10.4.23 to 10.4.24 (#10507)
bump autoprefixer from 10.4.24 to 10.4.27 (#10960)
bump autoprefixer from 10.4.27 to 10.5.0 (#11717)
bump brace-expansion from 2.0.2 to 2.0.3 in /ccdaservice (#11322)
bump ckeditor5 from 47.6.0 to 47.6.1 (#11125)
bump ckeditor5 from 47.6.1 to 47.6.2 (#11530)
bump dompurify from 3.3.1 to 3.3.2 (#11000)
bump dompurify from 3.3.2 to 3.3.3 (#11123)
bump dompurify from 3.3.3 to 3.4.0 (#11654)
bump eslint from 9.39.2 to 9.39.3 in the build-tools group (#10878)
bump eslint from 9.39.3 to 9.39.4 in the build-tools group (#11043)
bump flatted from 3.3.3 to 3.4.2 (#11196)
bump i18next-browser-languagedetector from 8.2.0 to 8.2.1 (#10785)
bump immutable from 5.1.1 to 5.1.5 (#10990)
bump jquery-validation from 1.21.0 to 1.22.0 in the jquery-bootstrap group (#10392)
bump jquery-validation from 1.22.0 to 1.22.1 in the jquery-bootstrap group (#10875)
bump jspdf from 4.0.0 to 4.1.0 (#10521)
bump jspdf from 4.1.0 to 4.2.0 (#10817)
bump jspdf from 4.2.0 to 4.2.1 (#11148)
bump knockout from 3.5.1 to 3.5.2 (#11045)
bump knockout from 3.5.2 to 3.5.3 (#11355)
bump lodash from 4.17.21 to 4.17.23 in /ccdaservice (#10299)
bump lodash from 4.17.23 to 4.18.1 in /ccdaservice (#11415)
bump minimatch (#10933)
bump path-to-regexp from 0.1.12 to 0.1.13 in /ccdaservice (#11324)
bump picomatch from 2.3.1 to 2.3.2 (#11287)
bump picomatch from 4.0.3 to 4.0.4 in /ccdaservice (#11285)
bump postcss from 8.5.6 to 8.5.8 (#11046)
bump postcss from 8.5.8 to 8.5.9 (#11531)
bump postcss from 8.5.9 to 8.5.10 (#11719)
bump qs from 6.14.1 to 6.14.2 in /ccdaservice (#10732)
bump serialize-javascript and terser-webpack-plugin in /interface/modules/custom_modules/oe-module-comlink-telehealth/public/assets/js (#11323)
bump sortablejs from 1.15.6 to 1.15.7 (#10784)
bump tar from 7.5.10 to 7.5.11 in /ccdaservice (#11071)
bump tar from 7.5.2 to 7.5.3 in /ccdaservice (#10258)
bump tar from 7.5.3 to 7.5.6 in /ccdaservice (#10298)
bump tar from 7.5.6 to 7.5.7 in /ccdaservice (#10430)
bump tar from 7.5.7 to 7.5.9 in /ccdaservice (#10793)
bump tar from 7.5.9 to 7.5.10 in /ccdaservice (#10996)
bump underscore from 1.13.7 to 1.13.8 (#10880)
bump webpack from 5.94.0 to 5.105.0 in /interface/modules/custom_modules/oe-module-comlink-telehealth/public/assets/js (#10590)
extract inline JS from add_edit_event.php (#11077)
remove syncAlertMsg and modernize asyncAlertMsg (#10412)

licensing

standardize OpenCoreEMR copyright headers (#11569)

testing

add @codeCoverageIgnore to data provider methods (#10498)
add composer script for isolated PHPUnit tests (#10325)
add coverage for 7 previously untested classes (#10974)
add CSRF token round-trip tests with Symfony session (#11028)
add EncounterRestController tests (#10987)
add integration tests for BackgroundServiceRegistry (#11366)
add isolated tests for BmiCategory and ScopePermissionObject (#10832)
add isolated tests for EDI270, event DTOs, Metadata, and oeHttpResponse (#10872)
add isolated tests for KeyVersion and PhoneNumber (#10838)
add isolated tests for NetworkUtils, FileUtils, HttpUtils, and DbUtils (#10852)
add isolated tests for PlaceOfServiceEnum and DateHelper (#10836)
add isolated tests for QDM AbstractType (#10835)
add isolated tests for QueryPagination and BoundFilter (#10828)
add isolated tests for search query subsystem (#10853)
add native PHP types to ApiTestClient and BulkAPITestClient (#11023)
add PHPUnit coverage for e2e test files (#10628)
convert non-FHIR JSON fixtures to PHP files (#11025)
Default to NullLogger in tests (#11107)
enable isolated SiteSetupListener tests (#11030)
exclude config/ from test coverage (#11744)
fail on deprecations in all test suites (#11638)
Improve code coverage reporting for isolated tests (#11159)
migrate @dataProvider annotations to PHP 8 attributes (#11230)
move database-independent tests to isolated suite (#11637)
raise codecov coverage targets (#10571) (#10900)
show PHPUnit deprecation details in test output (#11181)

translation

fix literal-string violations in clinical decision rules (#11444)
fix literal-string violations in xl wrappers (#11454)
fix literal-string violations in xl/xlt calls (#11456)
fix literal-string violations in xl/xlt calls (#11457)
fix literal-string violations in xl/xlt/xla calls (#11443)
fix scattered xl literal-string violations (Part 7, final) (#11460)

Security Fixes

CVE-2026-26996

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track openemr

Get notified when new releases ship.

About openemr

The most popular open source electronic health records and medical practice management solution.

All releases →