Skip to content

NodeBB

Productivity & Wikis

NodeBB is a modern, real‑time forum platform built on Node.js with WebSocket support and plugin extensibility.

Track releases GitHub Website
JavaScript Latest v3.12.9 · 7d ago Security brief →

Features

  • Real‑time streaming discussions via WebSockets
  • Supports Redis, MongoDB, or PostgreSQL databases
  • Extensible through third‑party plugins

Recent releases

View all 15 releases →
Review required
v4.12.0 New feature
Auth RBAC

ActivityPub, UI, bugs, refactors, docs

Open
Review required
v4.11.3 Bug fix
Auth

AP errors page fixes

Open
v4.11.1 Bug fix

Fixed checkCache.get returning null when fetch is used directly.

Full changelog

Release build (patch) of NodeBB @ 2026-04-30T21:47:04.034Z

v4.11.1 (2026-04-30)

Bug Fixes
  • #14203, checkCache.get returns null when fetch is used directly (af504352)
View release on GitHub
v4.11.0 New feature
Notable features
  • ActivityPub analytics dashboard with filtering, hourly/daily terms, sent/received tracking
  • Third‑party blocklist integration for ActivityPub relays
  • Redirect limit and improved error handling for SSRF protection in fetchPublicKey
Full changelog

Release build (minor) of NodeBB @ 2026-04-30T14:53:15.781Z

v4.11.0 (2026-04-30)

Documentation Changes
  • tinycon in api/config (b313bff9)
New Features
  • #14186, tinycon config options in ACP (a46cc788)
  • hide read notifications toggle in UCP, #14191 (5adeb127)
  • handle announce(delete) (9c855794)
  • add redirect limit and improved error handling for SSRF protection (7d416fc7)
  • implement manual redirect handling in call() method (81ae8209)
  • extend topic recipients with main post announcers (dc5378a9)
  • extend pid handling to include main post announcers for non-root-level posts (f40582fd)
  • add domain blocklist check in activitypub middleware (8e5e2086)
  • ACP chart to show ap relay analytics (02ef509e)
  • begin tracking relay sends/receipts for ap analytics (b8216c3f)
  • show ap send error analytics in ACP (117736bc)
  • start recording ap send failures as well (55d7ab6f)
  • timestamp in ap errors page (55ce9c07)
  • ap/errors acp page (2699fd22)
  • cron job to clear out old ap errors (bfe0df73)
  • integrate ap.inErr analytics into federation analytics chart (188e2b10)
  • record AP parsing failures, save activity in db for 24h (f008a65e)
  • hourly and daily terms for ap analytics (54893c81)
  • track and show sent activities as well (0b80cf1c)
  • basic federation analytics with filtering by host (9e5312a1)
  • track user cids (#14114) (781ed344)
  • Third-party blocklists (#14115) (4b7be68d)
  • public/openapi/read.yaml: add analytics and errors routes (c4eeffc3)
  • public/openapi: add OpenAPI v3 specifications for admin/federation/analytics and errors routes (7f81b541)
Bug Fixes
  • uri in fetchPublicKey must be https (daeed7be)
  • cache failed requests to fetchPublicKey (515361e0)
  • use requests.get instead of activitypub.get for fetchPublicKey, no redirects (bc91ed7e)
  • parse emoji in remote DMs (ccc73357)
  • #14152, handle cases where cids are passed into getUsersFields (82ca09db)
  • proper ap undo verb called when unvoting, cc @panosda (47e7bfd9)
  • typo, cc @panosda (9d052d63)
  • handle Undo(Dislike), cc @panosda (479bb753)
  • missing await, cc @panosda (1da14052)
  • prevent skip link from being visibly focused for non-screen-reader users (585f81c2)
  • #13617 refocus skip link after template rendering (f0dfd070)
  • remove duplicate delete ap test helper (7f3dfce5)
  • deranged error (102b1215)
  • don't interrupt redirect handling when manual redirect is passed-in in configs (bb45c52a)
  • remove unused (also wrong) function (6d3d4fbf)
  • returned object type in ap test (f631c8b6)
  • #14181, don't remove relative_path from url if it's just prefix (8477b68c)
  • handle remote objects reporting a local context, #14188 (ffab31bd)
  • #14187, federate out note if no title, otherwise article. (a537e384)
  • old upgrade script (8e035440)
  • don't bubble up post-already-deleted error on inbox.delete (4ed6ef80)
  • #14185, assert note if Like received to a post that doesn't already exist (48bf54b9)
  • regression that caused likes to local content to fail parsing (cbd5a988)
  • fix db require in ap analytics test (0a9121ef)
  • hideSave no longer required, data prop (23a8af2e)
  • call proper relays.out method (be68e0da)
  • show activity type in ap errors acp page (3098836d)
  • #14182, handle direct likes to remote content (3b336807)
  • catch thrown errors in ap helpers._test (906ca044)
  • relay analytics chart filtering by relay (dbf28251)
  • bad export (cf231b65)
  • tpl error (ac239209)
  • properly log ap send errors to the appropriate analytics namespace (17b02574)
  • send type in api response, trim whitespace from stacktrace, escape stack trace (1b663d3e)
  • filter out expired errors, show error type (in or out) in template (e22d2e41)
  • more surprising shit from AI written test file (80589eb6)
  • leftover debug log (0cca729a)
  • qwen's shitty test suite (b7ba1125)
  • fucking ai (e751721a)
  • wrong var (c9a0c3ff)
  • memberPostCids saving, closes #14170 (4c0efe53)
  • changed args in activitypub.sign (490963fb)
  • failing test due to expected thrown exception (5f5fa093)
  • remove reference to hallucinated schema, fix hideSave definitions (ef2a17f2)
  • properly order the routes (28e173d6)
  • lint (080aac51)
  • rejig AP errors UX (21c4fbc5)
  • reverse args (621aaa0f)
  • revrange (f097901f)
  • wrong database key (818d621d)
  • analytics job (9a981145)
  • missing await (85cfcfa8)
  • alpha sort instances (684f03db)
  • remove commented-out lines (0956eba0)
  • closes #14151, handle null req.body (5d5490d3)
  • lint (7a0443c5)
  • remove optional (4dfbd8d5)
  • #14147, dont create wrong backlinks (a09192d4)
  • add in a deduplication guard after calling contexts.getItems (b3600e0b)
  • off-by-one error in helpers.generateCollection, fixed incorrect totalItems count between pages in Actors.topic (5a049168)
  • wrap batch processing behind setImmediate() so that it runs on the next iteration of the event loop (531d20af)
  • pre-calculate payload digest earlier in chain so that it is not unnecessarily done once per recipient (6371528f)
  • dynamically calculate batch size and interval when sending AP messages, based on CPU count, #14138 (be442473)
  • wrong set name (fa0b72e2)
  • bad args sent to activitypub.record.send (ab3c39eb)
  • rename 'activities' to 'received' in federation analytics (a58771ed)
  • encode nid in client-side when marking notifications read/unread (4c1f6b1f)
  • method name (e15b7ff7)
  • do not plumb req.uid into notes.assert (breaks getParentChain) (ce4549c5)
  • loosen actor-matching check in Undo activity (be347e67)
  • ActivityPub.fetchPublicKey to better handle key IDs that return CryptographicKey objects, #14130 (c37a9103)
  • #14130, set addressee on follow, undo(follow), and accept(follow) (f3eeec93)
  • try a save point in retry (2185f22a)
  • try upsert type if it fails (988f5136)
  • make 'show more' button not overlap existing text (3c411711)
  • #14045, automatically open category selector dropdown on move topic modal (2327cae7)
  • redis/psql (deca5e67)
  • failing test (833899d0)
  • broken test (8547fa9e)
  • regression where topic moves during Announce(Create(Note)) stopped working, added test for #14040, fix broken AP test helper mock (4d3211ca)
  • avoid db calls in upgrade scripts, just add blocklists to db, no refresh (24bd0029)
  • move AP pageviews middleware down the chain, after s2s assertion and http sig verification, so as to truly count AP requests (38901c0f)
  • #14112, federation/rules and relays ACP pages not refreshing table properly on changes, basic form validation (f5e2a0f4)
Other Changes
  • no ++ (f942a353)
  • minor wording change re: ap analytics disclaimer (8cf0aeb9)
  • remove unused (bc5457ef)
  • remove unused (d290aa56)
Performance Improvements
  • convert expireAt index to partial (e145330c)
  • use $or instead of double $in, in sortedSetIncrByBulk (202a99bb)
Refactors
  • remove from biweek sorted set as well (0a56c3ce)
  • use one startsWith/indexOf (53afa24d)
  • move ap analytics methods to its own file (20e17e63)
  • ap error recording to also capture stack trace, prettify json on output (098ee291)
  • activitypub inbox to throw errors directly, move reject to internal method, handle errors at controller level by calling internal reject method to bounce back an AP Reject, closes ##14150 (d74e5fab)
  • replace old createSign/createVerify methods with more modern sign/verify, called asynchronously, add lru cache to public key fetches so that a received activity does not kick off a network request unnecessarily (448a76e1)
  • some cleanup of dbal code (837d984b)
  • use topic data returned from getSortedTopics instead of getting topic data twice lol (78bdc4a1)
Tests
  • allow http uris in test mode (2e9417c4)
  • add hideReadNotifications to openapi spec (b3748e71)
  • add tests for Announce(Delete) handling in inbox (b8b25936)
  • add type determination tests for Mocks.notes.public based on generatedTitle flag (a99f1237)
  • fix up more ap tests (d724207e)
  • activitypub third-party blocklists (30774a84)
  • try undici 8 (#14166) (ae16a44a)
  • another delete after create (65c2c844)
  • fix unread deleted topic test (#14164) (39157907)
  • dont create users parallel (09183ac0)
  • remove leftover .only (25fb2969)
View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

About

Stars
15,103
Forks
2,966
Languages
JavaScript Go Template Smarty
Downloads/week
92 ↑180%
NPM Maintainers
4
Contributors
100
View on GitHub View on npm Homepage Live demo Documentation

Install & Platforms

Install via
npm docker

Community & Support

Community

Similar tools

Misago
Simple Machines Forum
humhub
Talkyard
Vvveb CMS

Beta — feedback welcome: [email protected]