github Leantime/leantime v3.9.1
Leantime v3.9.1

Version: 3.9.1

Bug Fixes

  • Bearer API Authentication - Restored user context for Sanctum Bearer API requests, fixing a 3.9.0 regression (#3514)

Improvements

  • API Contract Tests - Added a Bearer-auth JSON-RPC contract test suite with a CI gate (#3513)

What's Changed

Other Changes

  • Security: comprehensive remediation across 7 vulnerability families by @marcelfolaron in #3399
  • Modernize all controllers from run() to get()/post() by @marcelfolaron in #3408
  • fix: Value Proposition Canvas 500 (Undefined variable $currentCanvas) (#3402) by @marcelfolaron in #3422
  • Refactor: thin controllers / fat services across all non-canvas domains by @marcelfolaron in #3420
  • refactor: consolidate canvas domains into a unified Blueprints domain (YAML-driven) by @marcelfolaron in #3421
  • feat(api): JSON-RPC migration foundation + Tickets pilot by @marcelfolaron in #3424
  • feat(api): JSON-RPC migration batch 2 — Submenu, Sessions, Reactions, Notifications by @marcelfolaron in #3425
  • Fix 500 on client detail page: undefined constant generalComment by @Roark1138 in #3423
  • fix(clients): show accurate discussion count on client detail page by @marcelfolaron in #3428
  • feat(api): JSON-RPC migration batch 3 — Calendar (+ delete dead Ideation) by @marcelfolaron in #3426
  • feat(api): JSON-RPC migration — Ideas (with project-access authorization) by @marcelfolaron in #3427
  • feat(api): JSON-RPC migration — Users JSON endpoints by @marcelfolaron in #3429
  • Retire the legacy Api REST controllers (binary/upload → domains, Projects sort → JSON-RPC, delete dead Tags/Timer) by @marcelfolaron in #3430
  • refactor(blueprints): native Laravel controllers, drop the dispatch bridge by @marcelfolaron in #3432
  • feat(core): typed exception hierarchy + JSON-RPC response types by @marcelfolaron in #3431
  • fix(tickets): guard undefined $groupBy/$newField in list views by @marcelfolaron in #3433
  • cleanup: remove dead $x = $x; Blade self-assign artifacts by @marcelfolaron in #3434
  • refactor: merge Strategy domain into Blueprints by @marcelfolaron in #3435
  • feature: RPC-only service methods throw typed exceptions on denial by @marcelfolaron in #3436
  • Fix #1099 by @duongynhi000005-oss in #3405
  • feat(tickets): finish collaborators feature — notifications, persistence & hardening (#1099) by @marcelfolaron in #3437
  • build(deps): bump @fullcalendar/luxon3 from 6.1.17 to 6.1.20 by @dependabot[bot] in #3409
  • build(deps): bump fullcalendar from 6.1.17 to 6.1.20 by @dependabot[bot] in #3417
  • build(deps): bump katex from 0.16.21 to 0.17.0 by @dependabot[bot] in #3410
  • build(deps-dev): bump webpack-cli from 5.1.4 to 7.0.3 by @dependabot[bot] in #3413
  • chore(deps): bump icalendar + dotlottie-wc, remove Dependabot by @marcelfolaron in #3438
  • perf: speed up dashboard & hot paths (session locking, query dedupe, event patterns) by @marcelfolaron in #3439
  • ci(phpstan): raise static analysis to level 1 by @marcelfolaron in #3440
  • fix(mobile): responsive stabilization sweep for phones & tablets by @marcelfolaron in #3442
  • perf(dashboard): stop full-page repaints & cross-widget loading-indicator churn by @marcelfolaron in #3443
  • feat(components): Blade component tiers + central HTMX event convention by @marcelfolaron in #3441
  • fix: restore data binding in milestone & wiki dialogs by @marcelfolaron in #3444
  • fix: repair #3441 regressions blocking acceptance (app.js bundle syntax + stale install step) by @marcelfolaron in #3453
  • fix(tickets): enforce editor role on save + honor milestone project change by @marcelfolaron in #3445
  • fix(plugins): stop marketplace 500s by coercing API data to typed model props by @marcelfolaron in #3446
  • fix(db): PostgreSQL compatibility (write limits, sequences, pdo_pgsql, JS escaping) by @marcelfolaron in #3447
  • fix(ldap): return a normal auth error instead of a 500 on bad credentials by @marcelfolaron in #3448
  • fix(comments): open the edit/reply box above the replies thread by @marcelfolaron in #3450
  • feat(tickets): add "Not assigned" milestone filter option (#3252) by @marcelfolaron in #3452
  • feat(core): WorkStructure meta-model infrastructure by @marcelfolaron in #3454
  • fix(timesheets): skip blank cells when saving the weekly grid by @marcelfolaron in #3449
  • fix(wiki): save notes from the All Notes grid into a default notebook by @marcelfolaron in #3451
  • feat(notifications): mobile push device tokens (Expo + FCM) + getUnreadCount RPC (#3398) by @gloriafolaron in #3401
  • feat(logicmodelcanvas): Logic Model board + WorkStructure orchestration by @marcelfolaron in #3455
  • feat(notifications): mobile push tokens on access_tokens + FCM/Expo dispatcher by @gloriafolaron in #3457
  • fix(comments): stop shadowing controller $comments array in Discussion template by @gloriafolaron in #3459
  • feat(core): native permission engine foundation (Phase 0) + console addCommand fix by @marcelfolaron in #3461
  • feat(permissions): enforce Tickets + Comments via the engine — full @api coverage by @marcelfolaron in #3469
  • feat(permissions): roll the engine across the Users domain (company-scope) by @marcelfolaron in #3471
  • feat(permissions): roll the engine across the Clients domain (company-scope) by @marcelfolaron in #3472
  • feat(permissions): roll the engine across the Setting domain (company + project scopes) by @marcelfolaron in #3473
  • feat(permissions): roll the engine across the Sprints domain (first content domain) by @marcelfolaron in #3474
  • feat(api): plugin gate attribute + capability discovery endpoint by @gloriafolaron in #3460
  • fix(tickets): ticket modal crashes on milestone type by @gloriafolaron in #3468
  • security(comments): scope comment authz to the host entity's real project by @marcelfolaron in #3476
  • security(ideas): gate Ideas domain on the native permission engine by @marcelfolaron in #3478
  • security(wiki+ideas): gate the Wiki and Ideas domains on the native permission engine by @marcelfolaron in #3479
  • security(blueprints): gate the consolidated canvas domain + close by-id IDORs by @marcelfolaron in #3483
  • security(goalcanvas): gate the Goals domain + close by-id IDORs by @marcelfolaron in #3485
  • security(canvas): gate the legacy Canvas-base controllers (Logicmodelcanvas) + Api\Canvas by @marcelfolaron in #3486
  • fix(helm): correct session expiration units in Helm chart (fixes #3378) by @dashitongzhi in #3487
  • fix(logicmodelcanvas): left-align status filter dropdown menu by @gloriafolaron in #3484
  • feat(stageflow): spotlight non-hovered stages on row hover by @gloriafolaron in #3481
  • feat(libs): npm-manage html2canvas + jsPDF by @gloriafolaron in #3482
  • security(timesheets): gate the Timesheets domain (own-time vs manage) + matrix edit by @marcelfolaron in #3490
  • security(files): gate the Files domain + close RPC IDORs by @marcelfolaron in #3492
  • chore(logicmodelcanvas): drop unused snapshot mount div by @gloriafolaron in #3491
  • security(reports): gate the Reports domain + de-expose system/telemetry RPC surface by @marcelfolaron in #3501
  • fix(deps): bump shell-quote 1.8.2 → 1.8.4 (clear critical advisory) by @marcelfolaron in #3502
  • security(calendar): gate the Calendar domain + close cross-user IDORs by @marcelfolaron in #3504
  • security(projects): gate the Projects god-service (recursion-safe, manager+ management) by @marcelfolaron in #3505
  • refactor(install): consolidate the 14 permission-engine migrations into one by @marcelfolaron in #3506
  • security(permissions): fail closed when a mandatory projectIdParam can't be resolved by @marcelfolaron in #3507
  • ci(release): one-dispatch release pipeline (version bump, AI changelog, PR gate, auto-publish) by @marcelfolaron in #3508
  • security(permissions): validate projectIdParam is a real positive integer by @marcelfolaron in #3509
  • ci(release): swap changelog generation from GitHub Models to the Claude API by @marcelfolaron in #3510
  • Release v3.9.0 by @marcelfolaron in #3511
  • ci(release): set up PHP before make package (fixes v3.9.0 release build) by @marcelfolaron in #3512
  • fix(auth): establish user context for Sanctum Bearer API requests (3.9.0 regression) by @marcelfolaron in #3514
  • test(api): Bearer-auth JSON-RPC contract suite + CI gate by @gloriafolaron in #3513
  • Release v3.9.1 by @marcelfolaron in #3515

New Contributors

Full Changelog: v3.8.0...v3.9.1
