This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
+8 more
Summary
AI summaryProfile name save now preserves the user's avatar.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Low |
Attribute picker defaults Object type to the active tab. Attribute picker defaults Object type to the active tab. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Feature | Low |
Event dialogs' attribute picker scrolls inside dialog, searches by display name, and hides already‑selected items. Event dialogs' attribute picker scrolls inside dialog, searches by display name, and hides already‑selected items. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Performance | Low |
/settings/events page loads faster by avoiding per-row listAttributeOnEvents fetch on mount. /settings/events page loads faster by avoiding per-row listAttributeOnEvents fetch on mount. Source: granite4.1:30b@2026-05-27-audit Confidence: low |
— |
| Bugfix | Medium |
Profile name save no longer wipes the user's avatar. Profile name save no longer wipes the user's avatar. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Bugfix | Medium |
Attribute delete handles AttributeOnEvent foreign key instead of throwing Prisma error. Attribute delete handles AttributeOnEvent foreign key instead of throwing Prisma error. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Bugfix | Medium |
Salesforce-sandbox writes to its own integration row rather than aliasing production. Salesforce-sandbox writes to its own integration row rather than aliasing production. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Bugfix | Medium |
Toggling "Stream events" off no longer commits unsaved API key edits. Toggling "Stream events" off no longer commits unsaved API key edits. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Bugfix | Medium |
Destructive dialogs remain locked while mutation is in flight; 2FA and session dialogs reset on Cancel; they no longer hang on soft-failure. Destructive dialogs remain locked while mutation is in flight; 2FA and session dialogs reset on Cancel; they no longer hang on soft-failure. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Bugfix | Medium |
Segment edit dialogs and theme variation rename preserve user typing during Apollo cache updates. Segment edit dialogs and theme variation rename preserve user typing during Apollo cache updates. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Bugfix | Medium |
PostHog "Personal API key" and HubSpot "Private App access token" labels restored from generic "API Key". PostHog "Personal API key" and HubSpot "Private App access token" labels restored from generic "API Key". Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Refactor | Low |
Settings module refactor introduces shared primitives (NewItemButton, DestructiveConfirmDialog managed mode, useSettingsForm) and consistent "New X" copy across create dialogs. Settings module refactor introduces shared primitives (NewItemButton, DestructiveConfirmDialog managed mode, useSettingsForm) and consistent "New X" copy across create dialogs. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Refactor | Low |
Consistent "New X" copy across create dialogs in Settings. Consistent "New X" copy across create dialogs in Settings. Source: granite4.1:30b@2026-05-27-audit Confidence: low |
— |
Full changelog
Wraps up the Settings module hygiene pass, codifies two project-wide React component conventions, and lands a batch of audit-discovered fixes.
✨ Highlights
- Settings refactor wraps up. Shared primitives (NewItemButton, DestructiveConfirmDialog managed mode, useSettingsForm), consistent "New X" copy across create dialogs, and faster /settings/events (no per-row listAttributeOnEvents fetch on mount).
- Component-style conventions. Two new rules under docs/conventions/react-components.md — Radix-style named *Props + body destructure, and const over function for component declarations — applied across @usertour/ui, theme builder, and settings.
- Attribute & event picker overhaul. + New attribute defaults Object type to the active tab; the event dialogs' attribute picker now scrolls inside the dialog, searches by display name (not UUID), and hides already-selected items.
🐛 Fixes
- Profile name save no longer wipes the user's avatar.
- Attribute delete handles the AttributeOnEvent foreign key instead of throwing a Prisma error.
- Salesforce-sandbox now writes to its own integration row (was silently aliasing production).
- Toggling an integration's "Stream events" switch off no longer commits unsaved API key edits.
- Destructive dialogs stay locked while their mutation is in flight; 2FA Setup / Regenerate dialogs reset on Cancel; session delete / end dialogs no longer hang on soft-failure.
- Segment edit dialogs and theme variation rename no longer clobber the user's typing on Apollo cache updates.
- PostHog "Personal API key" and HubSpot "Private App access token" labels restored (had regressed to generic "API Key").
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About usertour
Usertour is an open-source user onboarding platform. It allows you to create in-app product tours, checklists, and surveys in minutes—effortlessly and with full control.The open-source alternative to Userflow and Appcues
Related context
Related tools
Beta — feedback welcome: [email protected]