Release history
note-mark releases
Note Mark is a lighting fast, web-based Markdown notes app.
All releases
6 shown
v0.19.4
Breaking risk
Breaking changes
- Minimum required `JWT_SECRET` length increased to 32 characters
Security fixes
- GHSA-j88v-2chj-qfwx
- GHSA-q6mh-rqwh-g786
- GHSA-g49p-4qxj-88v3
Full changelog
⛔ Security Fixes ⛔
- security vulnerability GHSA-j88v-2chj-qfwx
- security vulnerability GHSA-q6mh-rqwh-g786
- security vulnerability GHSA-g49p-4qxj-88v3
Due to one of these security fixes, there is a now a minimum required JWT_SECRET length of 32. Note Mark will not start until this is met.
Thanks to @rvizx and @osageling for their reports.
Announcement
Note Mark V1 is almost ready for release! Just final testing and documentation is needed.
Changes
Fixed
- security vulnerability GHSA-j88v-2chj-qfwx
- security vulnerability GHSA-q6mh-rqwh-g786
- security vulnerability GHSA-g49p-4qxj-88v3
Full Changelog: https://github.com/enchant97/note-mark/compare/v0.19.3...v0.19.4
v0.19.3
Security relevant
Security fixes
- GHSA-3gr9-485j-v4xf
- GHSA-pxf8-6wqm-r6hh
- GHSA-39q2-94rc-95cp (dependency)
Full changelog
⛔ Security Fixes ⛔
A critical security vulnerability has been discovered, added in version 0.19.2. They will be published when a CVE has been added.
Thanks to @adrgs for reporting these
Changes
Fixed
- security vulnerability GHSA-3gr9-485j-v4xf
- security vulnerability GHSA-pxf8-6wqm-r6hh
- security vulnerability GHSA-39q2-94rc-95cp (dependency)
Full Changelog: https://github.com/enchant97/note-mark/compare/v0.19.2...v0.19.3
v0.19.2
Security relevant
Security fixes
- Stored XSS via unrestricted asset upload (CVE-2026-40262)
- Broken access control on asset download (CVE-2026-40265)
- Username enumeration via login endpoint (CVE-2026-40263)
v0.19.1
Security relevant
Security fixes
- CVE-2026-0540 - Cross-site Scripting in DOMPurify (GHSA-v2wj-7wpq-c8vv)
v0.19.0
Breaking risk
Breaking changes
- CORS_ORIGINS renamed to PUBLIC_URL and is now required
Notable features
- Migration utility for V1 compatibility