Release 2.5.0 #1835

stanley2058 · 2023-12-26T09:27:23Z

CodiMD 2.5.0

Security Fixes

Strip HTML tags for gist id to avoid stored XSS on showing error [Security Issue] #1691 [Security Issue] Strip HTML tags for gist id to avoid stored XSS on showing error [Security Issue]
Upgrade mermaid to version 8.10.2 to avoid prototype pollution #1690 [Security Issue] Upgrade mermaid to version 8.10.2 to avoid prototype pollution
potential XSS in vimeo embed #1792 [Security Issue] potential XSS in vimeo embed
FIX: pandoc security issue #1790 [Security Issue] FIX: pandoc security issue
fix: sanitize pdf url to prevent XSS on inline PDFs #1832 [Security Issue] fix: sanitize pdf url to prevent XSS on inline PDFs

Fixes

Avoid append zero suffix on exporting user data #1680 Avoid append zero suffix on exporting user data
Handle when request url has no valid referer #1679 Handle when request url has no valid referer
Fix S3 client config passing for image upload #1683 Fix S3 client config passing for image upload
Set a proper "lang" attribute on <html> #1481 Set a proper "lang" attribute on
Fix matchInContainer false positives #1605 Fix matchInContainer false positives
Convert "include" directives to functions #1580 Convert "include" directives to functions
Move HTML-related code from JS to EJS to enable more i18n #1587 Move HTML-related code from JS to EJS to enable more i18n
fix: may referernce out of bound index in clearDuplicatedHistory #1706 fix: may referernce out of bound index in clearDuplicatedHistory
Feat/csrf export user data #1695 Feat/csrf export user data
sequelize.import deprecation #1724 sequelize.import deprecation
chore: remove unused uglifyjs-webpack-plugin dep #1723 chore: remove unused uglifyjs-webpack-plugin dep
fix: should not clear guest history when guest pin note #1697 fix: should not clear guest history when guest pin note
Fix: s3 api supported multiple cloud providers. fixes: https://github.com/hackmdio/codimd/issues/1761 #1762 Fix: s3 api supported multiple cloud providers. fixes: Error happened when s3's provider is not aws "Unable to connect to instance metadata service" #1761
Fix: Code Fence parameter parsing #1739 Fix: Code Fence parameter parsing
Update README.md to remove IE from supporting list #1729 Update README.md to remove IE from supporting list
FIX: server crash when filename too long #1789 FIX: server crash when filename too long
fix: use encoded note id to update history #1804 fix: use encoded note id to update history
🐛 [fix] modify replacement rule for disqus short-name #1750 🐛 [fix] modify replacement rule for disqus short-name
Fix history page nav #1808 Fix history page nav
Fix the uploadimage form #1814 Fix the uploadimage form
bugfix/uploadimage form #1836 bugfix/uploadimage form
Add the logout callback to prevent exception. #1813 Add the logout callback to prevent exception.
Add the logout callback to prevent exception #1837 Add the logout callback to prevent exception

Enhancements

Add TeX mhchem extensions for MathJax #1684 Add TeX mhchem extensions for MathJax
Upgrade flowchart.js to version 1.15.0 #1685 Upgrade flowchart.js to version 1.15.0
Upgrade codemirror to 5.63.2 #1716 Upgrade codemirror to 5.63.2
Update de.json #1741 Update de.json
Documentation - add Music section and move abc abd fretboard to this section #1715 Documentation - add Music section and move abc abd fretboard to this section
chore: bump meta-marked to 0.5.0 #1722 chore: bump meta-marked to 0.5.0
Typos + Better translation for "Externals" #1793 Typos + Better translation for "Externals"
feat: Migrate to gtag and support GA4 #1798 feat: Migrate to gtag and support GA4
【fix】reword japanese #1802 【fix】reword japanese
upgrading pg to 8.8.0 to support new scram-sha-256 authentication #1784 upgrading pg to 8.8.0 to support new scram-sha-256 authentication
feat: add organizations whitelist to GitHub OAuth #1710 feat: add organizations whitelist to GitHub OAuth
Add oauth2 authorization #1626 Add oauth2 authorization
Update both Traditional and Simplified Chinese locales #1815 Update both Traditional and Simplified Chinese locales

DX

Run CI with GitHub Actions #1694 Run CI with GitHub Actions
Add dev container for GitHub Codespaces and VSCode remote container #1688 Add dev container for GitHub Codespaces and VSCode remote container
Add arm64 docker image build. #1701 Add arm64 docker image build.
fix(buildpacks): replace custom buildpack with APT buildpack #1797 fix(buildpacks): replace custom buildpack with APT buildpack
Update minimum required node.js version to v12 with npm package dependencies #1799 Update minimum required node.js version to v12 with npm package dependencies
Upgrade Node.js version #1767 Upgrade Node.js version
Update node.js version in .nvmrc #1816 Update node.js version in .nvmrc
Update npm dependencies #1817 Update npm dependencies

Thank you

Thank you guys for being here and making CodiMD awesome ❤️

Signed-off-by: Joachim Mathes <joachim_mathes@web.de>

Signed-off-by: Raccoon <raccoon@hackmd.io>

Currently CodiMD does not support limiting access of GitHub OAuth users based on their organization membership. This is a very useful functionality for teams that want to limit write access to their notes. I've implemented a crude solution to this problem, which most probably requires some adjusments to make it better. I'm not sure if this implementation is kosher, but it definitely works on my deployment. Open to suggestions on how I can improve it. Signed-off-by: Jakub Sokołowski <jakub@status.im>

…section Signed-off-by: Bruno Duyé <brunetton@brunetton.org>

Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>

Signed-off-by: Max Wu <jackymaxj@gmail.com>

Signed-off-by: Vincent Nadoll <vincent.nadoll@googlemail.com>

Signed-off-by: chenxuanzzy <chenxsuan019@gmail.com>

Signed-off-by: blademainer <blademainer@gmail.com>

Signed-off-by: inductor <kela@inductor.me>

this fixes "error: uncaughtException: Unknown authenticationOk message typeMessage { name: 'authenticationOk', length: 23 }" Signed-off-by: Anton Wolkov <7001904+phntom@users.noreply.github.com>

Signed-off-by: Charlie Hsieh <gasbomb_tw@hotmail.com>

fixes #1761

closes #1738

Update README.md to remove IE from supporting list

Signed-off-by: Charlie Hsieh <gasbomb_tw@hotmail.com>

…bility

…e-crash FIX: server crash when filename too long

Signed-off-by: Cédric Eyssette <cedric.eyssette@gmail.com>

…-5-0

Signed-off-by: Étienne Michon <etienne@scalingo.com>

Signed-off-by: Sean Young <assanges@icloud.com>

Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>

Try to simply update the npm packages without any additional changes. Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>

Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>

npm found 160 vulnerabilities (6 low, 75 moderate, 63 high, 16 critical) from the original dependencies. Using `npm audit fix` to update most of the dependencies will eliminate 37 of the 160 vulnerabilities. markmap-lib was excluded in this update because it actually contains breaking changes. Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>

Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>

Reference: e6d2b7a Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>

Signed-off-by: Michael Wang <michael19920327@gmail.com>

Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>

Update npm dependencies

…-xss fix: sanitize pdf url to prevent XSS on inline PDFs

Update both Traditional and Simplified Chinese locales

Signed-off-by: hcyuser <user@hcy.idv.tw>

Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>

Signed-off-by: stanley2058 <stanley2058@yahoo.com.tw>

jackycute · 2023-12-26T10:12:39Z

Thanks @stanley2058 @Yukaii

Neustradamus · 2024-01-06T20:51:01Z

@stanley2058: Nice version with SCRAM-SHA-256 support!

Linked to:

State of Play scram-sasl/info#1

Joachim Mathes and others added 30 commits November 21, 2020 20:41

Add oauth2 authorization

0ec949d

Signed-off-by: Joachim Mathes <joachim_mathes@web.de>

fix: should not clear guest history when guest pin note

b6d5db3

Signed-off-by: Raccoon <raccoon@hackmd.io>

Documentation - add Music section and move abc abd fretboard to this …

d627d9f

…section Signed-off-by: Bruno Duyé <brunetton@brunetton.org>

chore: bump meta-marked to 0.5.0

c013c22

Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>

Update README.md to remove IE from supporting list

54e5b93

Signed-off-by: Max Wu <jackymaxj@gmail.com>

Fix fence class array initialization

adb0dd5

Signed-off-by: Vincent Nadoll <vincent.nadoll@googlemail.com>

🐛 [fix] modify replacement rule for disqus short-name

07cfb29

Signed-off-by: chenxuanzzy <chenxsuan019@gmail.com>

s3 support multiple cloud providers: #1761

1a38aaa

Signed-off-by: blademainer <blademainer@gmail.com>

s3 support multiple cloud providers: #1761

7b1e4e3

Signed-off-by: blademainer <blademainer@gmail.com>

Upgrade Node.js version

e6d2b7a

Signed-off-by: inductor <kela@inductor.me>

upgrading pg to 8.8.0 to support new scram-sha-256 authentication

03f8649

this fixes "error: uncaughtException: Unknown authenticationOk message typeMessage { name: 'authenticationOk', length: 23 }" Signed-off-by: Anton Wolkov <7001904+phntom@users.noreply.github.com>

fix: restrict export type and use sandbox to prevent potential attack

5d72fae

Signed-off-by: Charlie Hsieh <gasbomb_tw@hotmail.com>

fix: sanitize vimeo video id to prevent XSS

9df1c34

Signed-off-by: Charlie Hsieh <gasbomb_tw@hotmail.com>

Merge pull request #1697 from hackmdio/fix/guest-history-pin

a7564e7

Merge pull request #1762 from blademainer/develop

3ab0b7e

fixes #1761

Merge pull request #1715 from brunetton/develop

21345ed

Merge pull request #1739 from V1ncNet/hotfix/fence-class

a2565bd

closes #1738

Merge pull request #1729 from hackmdio/feature/readme-remove-IE-support

8b29d05

Update README.md to remove IE from supporting list

chore: update formidable to 2.1.1

8efc2d0

Signed-off-by: Charlie Hsieh <gasbomb_tw@hotmail.com>

fix: handle error when check is image valid

1ab2a36

Signed-off-by: Charlie Hsieh <gasbomb_tw@hotmail.com>

Merge pull request #1792 from galaxian85/bugfix/potential-xss-vulnera…

30fe18d

…bility

Merge pull request #1789 from galaxian85/bugfix/invalid-filename-caus…

19f494d

…e-crash FIX: server crash when filename too long

Typos + Better translation for "Externals"

6a5da1e

Signed-off-by: Cédric Eyssette <cedric.eyssette@gmail.com>

Merge pull request #1722 from hackmdio/chore/upgrade-meta-marked-to-0…

3a3e892

…-5-0

Merge pull request #1793 from eyssette/patch-2

c78bb69

fix(buildpacks): replace custom buildpack with APT buildpack

ee47c6c

Signed-off-by: Étienne Michon <etienne@scalingo.com>

feat: Migrate to gtag and support GA4

6ff5a3a

Signed-off-by: Sean Young <assanges@icloud.com>

Update minimum required node.js version to v12

3ea10a6

Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>

Update npm package dependencies

500fe78

Try to simply update the npm packages without any additional changes. Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>

jackycute and others added 12 commits June 5, 2023 16:12

Merge pull request #1808 from hackmdio/bugfix/fix-history-nav-ui

c4f607f

Update both Traditional and Simplified Chinese locales

b6078a6

Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>

Update npm dependency markmap-lib to ^0.9.3

976bca3

Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>

Update npm dependencies with npm audit fix after markmap-lib update

3f7d202

Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>

Update node.js version in .nvmrc

8efa75e

Reference: e6d2b7a Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>

Merge pull request #1816 from PeterDaveHello/node.js-14

b6eba05

fix: sanitize pdf url to prevent xss

11cd200

Signed-off-by: Michael Wang <michael19920327@gmail.com>

fix: markmap api changes in 0.9.3

2a977bc

Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>

Merge pull request #1817 from PeterDaveHello/updateDependenciesBaseline

6d95fd1

Update npm dependencies

Merge pull request #1832 from hackmdio/bugfix/sanitize-url-to-prevent…

dca7f8c

…-xss fix: sanitize pdf url to prevent XSS on inline PDFs

Merge pull request #1815 from PeterDaveHello/updateLocales

070808b

Update both Traditional and Simplified Chinese locales

stanley2058 force-pushed the release/2.5.0 branch from a4b9586 to b9fcdce Compare December 26, 2023 09:35

hcyuser and others added 9 commits December 26, 2023 17:44

fix the uploadimage form

027a4b4

Signed-off-by: hcyuser <user@hcy.idv.tw>

add newline here to pass the standard lint.

96a589d

Signed-off-by: hcyuser <user@hcy.idv.tw>

fix: formidable option API changes

1b1ff89

Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>

Merge pull request #1836 from hackmdio/bugfix/uploadimage-form

f58c669

fix: logout api should add callback

c436af1

Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>

Merge pull request #1837 from hackmdio/bugfix/logout-callback

9790586

doc(release-note): release 2.5.0

f8b0301

Signed-off-by: stanley2058 <stanley2058@yahoo.com.tw>

Merge branch 'master' into release/2.5.0

9b8a2de

doc(release-note): update release code name

86bf44f

Signed-off-by: stanley2058 <stanley2058@yahoo.com.tw>

stanley2058 force-pushed the release/2.5.0 branch from b9fcdce to a15ca48 Compare December 26, 2023 10:05

doc(release-note): update release note

afe49f4

Signed-off-by: stanley2058 <stanley2058@yahoo.com.tw>

stanley2058 force-pushed the release/2.5.0 branch from a15ca48 to afe49f4 Compare December 26, 2023 10:06

Yukaii approved these changes Dec 26, 2023

View reviewed changes

jackycute approved these changes Dec 26, 2023

View reviewed changes

jackycute merged commit 78e6663 into master Dec 26, 2023
7 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release 2.5.0 #1835

Release 2.5.0 #1835

stanley2058 commented Dec 26, 2023 •

edited

Loading

jackycute commented Dec 26, 2023

Neustradamus commented Jan 6, 2024

Release 2.5.0 #1835

Release 2.5.0 #1835

Conversation

stanley2058 commented Dec 26, 2023 • edited Loading

CodiMD 2.5.0

Security Fixes

Fixes

Enhancements

DX

Thank you

jackycute commented Dec 26, 2023

Neustradamus commented Jan 6, 2024

stanley2058 commented Dec 26, 2023 •

edited

Loading