Release history
bugsink releases
Self-hosted Error Tracking
All releases
13 shown
2.1.3
Security relevant
Security fixes
- GHSA-fp53-qcf8-2xx2 — hardened webhook URL validation parsing rejects non-RFC characters to prevent mismatched host targeting.
Full changelog
2.1.3 (2 May 2026)
Security
Fix: harden webhook URL validation parsing and reject non-RFC characters.
In some malformed URLs, Python’s standard URL parser (urllib) and the HTTP
client stack (requests / urllib3) do not agree on which host is actually being
targeted. That could allow a webhook URL to pass Bugsink’s outbound-host checks
while the actual HTTP request is sent somewhere else. See:
https://github.com/bugsink/bugsink/security/advisories/GHSA-fp53-qcf8-2xx2
Smaller fixes
- Add issue-level markdown, see #334.
- Fix installation quota counting across projects, see #359.
- When vacuuming files, don't load them in memory, and allow long-running totals queries, see #363, #373 and #372.
- Refuse to send email as [email protected] for self-hosters, see 3ff3a6fbeb6d.
- Fix
MultipleObjectsReturnedwhen user has unaccepted project memberships, see 653be6968f6e. - Cleanup lingering files for
MAX_EVENT_SIZEovershoots, see #370. - Fix some
.get(context, {})usages and an exception-path double-exception, see #369. - Upgrade
gunicornrequirement from==25.1.*to==25.3.*, see 2d5e0071cf66. - Upgrade monofy, see #367.
2.1.2
Mixed
Notable features
- Stored file count and byte caps for tracking and limiting usage
- Error message readability improvements in dark mode
Full changelog
2.1.2 (11 April 2026)
- Add stored file count and byte caps, see #355
- Error message readability in dark mode, see #362
2.1.1
Security relevant
patches GHSA-8hw4-fhww-273g
⚠ Upgrade required
- No migration steps required, but prompt upgrade is recommended due to the security fix.
Security fixes
- Unvalidated upload checksums were used in temporary filename path construction before validation, allowing an authenticated caller to trigger a write-before-checksum-mismatch during file assembly.
2.1.0
New feature
Notable features
- Outbound webhook destination policy with IP/CIDR filtering
- Object storage for uploaded files
Full changelog
2.1.0 (4 April 2026)
-
Show open issue counts on project list (skipping very large projects), see #228
-
Add outbound webhook destination policy: destinations can be filtered by hostname/IP/CIDR allow/deny lists and
non-global IPs are blocked by default. See #339 and the docs. -
Add object storage for uploaded files via
OBJECT_STORAGES, includingmigrate_to_current_objectstorageand
cleanup_objectstorage, see #354. -
File uploads and artifact bundle assembly now enforce server-side limits more strictly: chunk uploads are checked
server-side,MAX_FILE_SIZEapplies to assembled files too, and artifact bundles no longer need to be loaded fully
into memory during extraction, see #356. -
Add a synchronous
vacuumcommand as a single entry point for cleanup tasks, and addMAX_EVENT_AGE_DAYS/
delete_old_eventsfor age-based event cleanup, see #350 and #48. -
Docker config: add
USE_X_FORWARDED_HOSTandUSE_X_FORWARDED_FOR, see #336 and d3e743d. -
Sourcemaps: handle unmappable frames per-frame, so mixed mapped/unmapped stacktraces keep rendering, see #330.
-
Reject events at ingest when retention is configured as zero, see #341.
2.0.14
Maintenance
Notable features
- Chunk and file max days parameters for vacuum command
2.0.13
Security relevant
patches GHSA-vp6q-7m36-pq3w
Security fixes
- XSS vulnerability in pygments fallback fixed allowing arbitrary JavaScript injection
2.0.12
Bug fix
Notable features
- Command to delete oldest events until under retention max
2.0.9
Maintenance
Notable features
- Event URL for SDK-provided event IDs
- OpenAPI link in navigation
2.0.8
New feature
Notable features
- MAX_RETENTION and MAX_RETENTION_PER_PROJECT settings
- Site-wide monthly event ingestion maximum
- Enhanced admin disabling
2.0.7
New feature
Notable features
- Mattermost alert backend
- Discord alert backend
- Experimental Minidump API endpoint