
Release history

ExcaliDash releases

A self-hosted dashboard and organizer for Excalidraw with multi-user collaboration and scoped sharing.


v0.5.0 New feature
Notable features
  • ID token signing algorithm resolution with discovery fallback and explicit override
  • Admin JIT provisioning toggle and OIDC-only user invitation controls
  • Frontend resilience improvements with error retry and multi-image drag-and-drop import
Full changelog

Release date: 2026-04-17

| Area | Key Changes |
|------|-------------|
| OIDC hardening | ID token signing alg resolution with discovery fallback + explicit override (OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG), token endpoint auth method override (OIDC_TOKEN_ENDPOINT_AUTH_METHOD), HS-alg mismatch auto-retry in callback, Keycloak/Authentik preflight warnings, oidc-doctor.cjs diagnostic tool, provider-specific .env example files |
| Admin OIDC controls | Runtime JIT provisioning toggle via admin panel + DB (oidcJitProvisioningEnabled column + migration), OIDC-only invited user creation (oidcOnly flag), block self-registration toggle in oidc_enforced mode |
| HTTPS redirect policy | Refactored into pure httpsRedirectPolicy.ts module, new ENFORCE_HTTPS_REDIRECT env var, mixed http/https FRONTEND_URL support, IPv4 loopback healthchecks |
| Frontend resilience | AuthStatusErrorPanel with retry for backend connectivity failures, registrationEnabled propagation to hide register link/route, multi-image drag-and-drop import in Editor, Excalidraw asset copy script for dev + build |

Upgrading

Data safety checklist

  • Back up backend volume (dev.db, secrets) before upgrading.
  • Let migrations run on startup (RUN_MIGRATIONS=true) for normal deploys.
  • Run docker compose -f docker-compose.prod.yml logs backend --tail=200 after rollout and verify startup/migration status.

Recommended upgrade (Docker Hub compose)

docker compose -f docker-compose.prod.yml pull
docker compose -f docker-compose.prod.yml up -d

Pin images to this release (recommended for reproducible deploys)

Edit docker-compose.prod.yml and pin the release tags:

services:
  backend:
    image: zimengxiong/excalidash-backend:v0.5.0
  frontend:
    image: zimengxiong/excalidash-frontend:v0.5.0

Example:

docker compose -f docker-compose.prod.yml up -d

v0.4.28 Bug fix

Removed the broken "Save to" menu entry, fixed shared-drawing undo to roll back only the user's own changes, and resolved an editor state issue affecting hand-tool and middle-mouse panning.

v0.4.27 New feature
Security fixes
  • CSRF hardening
  • Session token controls
Notable features
  • Local registration and login
  • OIDC support
  • User management
v0.3.2 Security relevant
Breaking changes
  • CSRF_SECRET environment variable now required for backend startup
Security fixes
  • CSRF (Cross-Site Request Forgery) protection implementation
Notable features
  • Comprehensive CSRF protection on all state-changing requests
  • Upload progress indicator with visual progress bar
v0.3.1 Security relevant
Breaking changes
  • CSRF_SECRET environment variable now required for backend startup
Security fixes
  • CSRF (Cross-Site Request Forgery) protection implementation
Notable features
  • Comprehensive CSRF protection on all state-changing requests
  • Upload progress indicator with visual progress bar
v0.3.0 Breaking risk
⚠ Upgrade required
  • Generate CSRF_SECRET (32+ character random string) using: openssl rand -base64 32
  • Configure CSRF_SECRET in Docker Compose environment variables or Kubernetes ConfigMap/Secret
Breaking changes
  • CSRF_SECRET environment variable (32+ character random string) is now required for backend startup
Security fixes
  • CSRF protection implemented to prevent cross-site request forgery attacks
Notable features
  • Upload progress indicator with real-time visual feedback during file uploads
  • Save status indicator when navigating back from editor
  • Improved error handling and recovery for failed uploads
Full changelog

CSRF Protection (8a78b2b)

  • Implemented comprehensive CSRF (Cross-Site Request Forgery) protection for enhanced security
  • Added new backend/src/security.ts module for security utilities
  • Frontend API layer now handles CSRF tokens automatically
  • Added integration tests for CSRF validation

Upload Progress Indicator (8f9b9b4)

  • Added a visual upload progress bar when users upload files
  • New UploadContext for managing upload state across components
  • New UploadStatus component displaying real-time upload progress
  • Save status indicator when navigating back from the editor
  • Improved error handling and recovery for failed uploads

Bug Fixes

  • Fixed broken e2e tests (cae8f3c)
  • Replaced deprecated substr() with substring()
  • Fixed stale state issues in error handling
  • Fixed missing useEffect dependencies
  • Fixed CSS class conflicts in progress bar styling
  • Added error recovery for save state in Editor

Infrastructure

  • Updated docker-compose configurations with new environment variables
  • E2E test suite improvements and reliability fixes
  • Added Kubernetes deployment note in README

Kubernetes

A CSRF_SECRET environment variable is now required for CSRF protection. Generate a secure 32+ character random string:

openssl rand -base64 32

Add it to your deployment:

  • Docker Compose: Add CSRF_SECRET=<your-secret> to the backend service environment
  • Kubernetes: Add to your ConfigMap/Secret and reference in the backend deployment

If not set, the backend will refuse to start.
