github RocketChat/Rocket.Chat 8.5.0-rc.0

pre-release, 2 hours ago

Engine versions

  • Node: 22.22.3
  • Deno: 2.3.1
  • MongoDB: 8.0
  • Apps-Engine: 1.63.0-rc.0

Minor Changes

  • (#40343) Swaps usage of @rocket.chat/apps-engine internal APIs to the @rocket.chat/apps package

  • (#40408) Adds 4 new permissions (assigned to admins by default) to control the visibility of each tab inside the ABAC Administration panel

  • (#39760) Phishing-Resistant Multi-Factor Authentication

    Introduces a more secure and reliable server-side OAuth authentication flow.

    What’s New

    • Improved OAuth login security
      OAuth authentication now happens fully on the server, reducing the risk of token theft, phishing attacks, and client-side credential interception.
    • Built-in CSRF, state validation, and PKCE protection
      OAuth logins now include stronger protection against CSRF attacks, request tampering, and authorization code interception through secure state validation and PKCE support.
    • Improved two-step verification with OAuth logins
      Users with email or TOTP two-factor authentication enabled will now be asked to complete 2FA even when signing in with providers like Google, GitHub, GitLab, and others.
    • Improved mobile & desktop app login
      Mobile and desktop apps now support a smoother and more secure deep-link OAuth login flow.
  • (#40341) Hides the room announcement, topic and description from the Administration > Rooms panel for ABAC managed rooms. In the channel sidebar Edit Channel form those fields stay visible to room members but are disabled, and the API rejects edits to them.

  • (#39617) Adds new API endpoints custom-sounds.create and custom-sounds.update to manage custom sounds with strict file validation for size and specific MIME types to ensure system compatibility.

  • (#40463) Allows apps with the right permission to read a room's ABAC attributes.

  • (#40604) Adds the capability for apps to fetch a user by their SIP extension

  • (#38225) Adds a new "Drafts" group to the sidebar, providing quick access to all rooms with unfinished messages.

    This feature is available under the Drafts in sidebar feature preview and needs to be enabled in settings to be tested.

  • (#40397) Adds the USE_ROOM_SEARCH_INDEX environment variable. When set to true, the messages collection's text index is created as { rid: 1, msg: 'text' } instead of the default { msg: 'text' }. The compound shape lets per-room $text searches use rid as a prefix, dramatically reducing the portion of the index scanned on workspaces where global search is disabled.

    The index is reconciled on every startup: if the existing text index already matches the desired shape, nothing happens; otherwise the stale text index is dropped and the desired one is recreated. Unsetting the variable on a later boot reverts to the default shape.

  • (#40612) Adds freeSwitchExtension as a query parameter for api/v1/users.info

  • (#39858) Adds support for room information on ViewSubmit and ViewClose events for the ContextualBar surface

  • (#40430) Adds a new admin setting Use_RC_SDK (General → Use Rocket.Chat SDK) that opts the workspace into the experimental SDK-over-DDP transport. When enabled, the client routes Meteor DDP traffic through @rocket.chat/ddp-client over a single WebSocket instead of the legacy Meteor stream. The flag is dormant by default; the server surfaces the value via a <meta name="rc-sdk-transport-enabled"> tag, and the client also honors a per-tab ?sdk_transport=on|off URL parameter and a rc-config-sdk_transport localStorage key (URL > localStorage > meta tag).
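
The state validation and PKCE protection described under #39760 can be illustrated as follows. This is an added example, not Rocket.Chat's implementation: the function names, the in-memory store, the session identifier and the 10-minute lifetime are assumptions.

```javascript
const { createHash, randomBytes } = require('node:crypto');

const TTL_MS = 10 * 60 * 1000; // assumed lifetime of a pending login
const pending = new Map();     // state -> { sessionId, verifier, expires }

// RFC 7636 S256: challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
function pkceChallenge(verifier) {
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Step 1 (server): create state and verifier, bound to the browser session
// that started the login. Only state and challenge go to the provider.
function beginLogin(sessionId, now = Date.now()) {
  const state = randomBytes(32).toString('base64url');
  const verifier = randomBytes(32).toString('base64url'); // 43 characters
  pending.set(state, { sessionId, verifier, expires: now + TTL_MS });
  return { state, code_challenge: pkceChallenge(verifier), code_challenge_method: 'S256' };
}

// Step 2 (server): validate the provider's redirect before exchanging the code.
function handleCallback(sessionId, { state, code }, now = Date.now()) {
  const entry = typeof state === 'string' ? pending.get(state) : undefined;
  if (!entry) return { ok: false, reason: 'unknown_state' };
  pending.delete(state); // single use: a replayed callback finds nothing
  if (entry.sessionId !== sessionId) return { ok: false, reason: 'session_mismatch' };
  if (now > entry.expires) return { ok: false, reason: 'expired_state' };
  if (typeof code !== 'string' || code === '') return { ok: false, reason: 'missing_code' };
  // The verifier never left the server; the provider checks it against the
  // challenge, so an intercepted authorization code alone cannot be redeemed.
  return {
    ok: true,
    tokenRequest: { grant_type: 'authorization_code', code, code_verifier: entry.verifier },
  };
}
```
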

Patch Changes

  • (#39858) Fixes an issue that prevented BlockAction interactions from having room information when triggered in a ContextualBar surface

  • (#40524) Ensures OAuth tokens are cleaned up after user deactivation

  • (#40537) Fixes an issue that allowed a room converted from private to public (while ABAC is disabled) to retain its ABAC attributes (if any)

  • (#39859) Fixes an issue where thread content would disappear after clicking "Jump to recent messages".

  • (#40063) Fixes the missing edited indicator for the main parent message in the thread panel to ensure visual consistency with the main channel view.

  • (#40357) Adds an accessible label to the system-messages multi-select in the channel edit panel so screen readers announce its purpose.

  • (#40100) Fixes intermittent "Channel Not Joined" screen when opening rooms in embedded mode.

  • (#40513) Fixes the users.presence endpoint returning an empty array when called with multiple comma-separated IDs, caused by ajvQuery coercing the string into a single-element array after the OpenAPI migration

  • (#40496) Ensures that deactivated users have their login tokens cleaned up in users.deactivateidle

  • (#40405) Disables SAML login when it is set to validate signatures without the proper configuration for it

  • (#40423) Allows users to search for attribute values when assigning them to rooms

  • (#40335) Fixes test button not playing default sound in Notifications Preferences

  • (#40528) Ensures the Meteor method for translateMessage validates access and types

  • (#40420) Fixes Insert Timestamp relative time preview not updating on input changes and losing the user's locale after the first refresh tick.

  • (#40456) Fixes signed URL generation for S3 and Google Cloud Storage when the expiry setting is below 5 seconds, which previously caused expired or invalid preview URLs. Adds a dedicated URL expiry setting for Google Cloud Storage since it was incorrectly reusing the AWS S3 setting.

  • (#40501) Ensures the visitor token is not present in the visitors.info response

  • (#40405) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

  • (#40613) Sanitizes image URLs in rendered messages to block javascript:, data:, and vbscript: schemes — matching the protection already applied to markdown links. Defense-in-depth against XSS via crafted markdown like ![label](javascript:...).

  • (#40508) Ensures the autotranslate.translateMessage endpoint checks for room access

  • (#40448) Fixes action buttons added by apps being rendered in the Marketplace Menu rather than the User Menu

  • (#40499) Fixes an issue where some actions made by the ABAC service were not broadcasting to clients, which affected reactivity

  • (#40492) Fixes an issue that displayed the 'Delete all closed chats' button when the user lacks the remove-closed-livechat-rooms permission

  • (#40393) Fixes a date-fns crash on routes that mount before the public settings stream finishes loading. useFormatDate was passing String(undefined) (the literal "undefined") to formatDate while Message_DateFormat was momentarily unloaded — date-fns rejects that token because it contains an unescaped n. The hook now uses 'LL' as the default token via useSetting's second argument, so the formatter always receives a valid format string.

  • Updated dependencies [90f15e3, f7d47dd, cdb264f, 2a927fa, bede0e2, bede0e2, bede0e2, 4c39845, 7f2bdf1, ae9f740, b6b04aa, ad7d424, 4704bf8, d427b80, ebc9bab, f392d5c, 2198d9e, fac6472, 12897e2, e45585b, 0b7a763, 5183306, 2d32e52, 2a927fa, b1c2668, 90f15e3, 22c8d32]:
    • @rocket.chat/ui-kit@1.1.0-rc.0
    • @rocket.chat/model-typings@2.3.0-rc.0
    • @rocket.chat/models@2.3.0-rc.0
    • @rocket.chat/i18n@3.1.0-rc.0
    • @rocket.chat/apps-engine@1.63.0-rc.0
    • @rocket.chat/ddp-client@1.1.0-rc.0
    • @rocket.chat/rest-typings@8.5.0-rc.0
    • @rocket.chat/ui-voip@21.0.0-rc.0
    • @rocket.chat/web-ui-registration@31.0.0-rc.0
    • @rocket.chat/core-typings@8.5.0-rc.0
    • @rocket.chat/gazzodown@31.0.0-rc.0
    • @rocket.chat/apps@0.7.0-rc.0
    • @rocket.chat/ui-client@31.0.0-rc.0
    • @rocket.chat/abac@0.2.1-rc.0
    • @rocket.chat/media-calls@0.5.0-rc.0
    • @rocket.chat/core-services@0.14.1-rc.0
    • @rocket.chat/fuselage-ui-kit@31.0.0-rc.0
    • @rocket.chat/omnichannel-services@0.3.54-rc.0
    • @rocket.chat/federation-matrix@0.1.4-rc.0
    • @rocket.chat/omni-core-ee@0.0.22-rc.0
    • @rocket.chat/presence@0.2.57-rc.0
    • @rocket.chat/cron@0.1.57-rc.0
    • @rocket.chat/instance-status@0.1.57-rc.0
    • @rocket.chat/omni-core@0.1.1-rc.0
    • @rocket.chat/server-fetch@0.2.1-rc.0
    • @rocket.chat/ui-contexts@31.0.0-rc.0
    • @rocket.chat/ui-composer@2.0.0-rc.0
    • @rocket.chat/network-broker@0.2.36-rc.0
    • @rocket.chat/ui-avatar@27.0.0-rc.0
    • @rocket.chat/ui-video-conf@31.0.0-rc.0
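
The image-URL scheme check described under #40613 can be illustrated as follows. This is an added example, not Rocket.Chat's code: the function names, the '#' replacement value and the sample URLs are assumptions. It normalizes the URL the way a browser's URL parser does before reading the scheme, so mixed case and embedded tabs or newlines do not slip past the check.

```javascript
// Schemes named in the release note.
const BLOCKED_SCHEMES = new Set(['javascript', 'data', 'vbscript']);

// Browsers remove ASCII tab/newline anywhere in a URL and trim leading and
// trailing C0 control characters and spaces before parsing the scheme.
function urlScheme(raw) {
  const cleaned = String(raw)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  const match = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return match ? match[1].toLowerCase() : null; // null means a relative URL
}

// Returns the URL unchanged unless its scheme is blocked.
function sanitizeImageUrl(raw) {
  const scheme = urlScheme(raw);
  return scheme !== null && BLOCKED_SCHEMES.has(scheme) ? '#' : raw;
}

// Attribute escaping keeps entity-encoded input (e.g. "&#106;avascript:")
// literal, so the browser never decodes it into a scheme.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical renderer for a markdown image: ![label](url)
function renderImage(label, url) {
  return `<img alt="${escapeAttr(label)}" src="${escapeAttr(sanitizeImageUrl(url))}">`;
}
```
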
