v0.102.2
Important
This release contains important security fixes. All users are strongly encouraged to update immediately.
Several vulnerabilities affecting content handling and the desktop application have been addressed. We recommend upgrading before the next scheduled release to ensure your installation is protected.
Note
If you enjoyed this release, consider showing a token of appreciation by:
- Pressing the “Star” button on GitHub (top-right).
- Considering a one-time or recurrent donation to the lead developer via GitHub Sponsors or PayPal.
- If you are interested in an official mobile application (#7447) or multi-user support (#4956), consider offering financial support via IssueHunt (see links).
🔒️ Security improvements
- Content Handling
  - Improved request handling for SVG content in share routes
  - Improved request handling for SVG content in the main API
  - Enhanced content rendering in the Mermaid diagram editor
  - Fixed toast notifications to properly escape content
  - Added validation for the `docName` attribute in the document renderer
  - Marked `docName` as a sensitive attribute in the commons module
- Desktop Application (Electron)
  - Added Electron fuses to harden the desktop application against external abuse
  - Improved application integrity checks
- API & Import
  - Added MIME type validation for image uploads via ETAPI
  - Aligned attachment upload validation with note upload validation
  - Import no longer preserves named note IDs to prevent potential conflicts
- Authentication
  - OpenID Connect now uses a more secure random number generator
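Of the items above, the MIME type check on image uploads is the one most easily shown in code. The block below is an added example written for these notes; it is not Trilium's own code and not the change that shipped in this release. It assumes a Node.js server that has the raw upload body and the client's declared Content-Type in hand; the function names, the result shape and the sample buffers are constructed for illustration. The check sniffs the leading bytes instead of trusting the declared type, rejects SVG from the raster-image path (SVG is XML and can carry script, so it belongs with a sanitizer, not an image validator), and is written as a single function so the same rule can serve both the attachment and the note upload paths.

```javascript
// Added example for these release notes: magic-byte validation for image uploads.
// Illustrative code only, not Trilium's implementation; function names, result
// shape and the sample buffers below are constructed for this example.
// Runs on Node.js without dependencies (Buffer is a global).

// Raster formats the upload path accepts, keyed by their leading bytes.
const IMAGE_SIGNATURES = [
  { mime: 'image/png',  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif',  magic: [0x47, 0x49, 0x46, 0x38] },   // "GIF8"
];

// Strip parameters and case from a Content-Type value: "image/PNG; x=y" -> "image/png".
function normalizeMime(header) {
  return String(header || '').split(';')[0].trim().toLowerCase();
}

// Determine the type from file content alone. Returns null if the bytes are
// not one of the accepted raster formats.
function sniffImageMime(buf) {
  for (const { mime, magic } of IMAGE_SIGNATURES) {
    if (buf.length >= magic.length && magic.every((b, i) => buf[i] === b)) {
      return mime;
    }
  }
  // WebP is a RIFF container: "RIFF" <4-byte size> "WEBP".
  if (buf.length >= 12 &&
      buf.toString('latin1', 0, 4) === 'RIFF' &&
      buf.toString('latin1', 8, 12) === 'WEBP') {
    return 'image/webp';
  }
  return null;
}

// True if the body looks like XML/SVG text. SVG is kept out of the raster path
// on purpose: it is XML and may contain <script> or event handler attributes.
function looksLikeSvg(buf) {
  const head = buf.toString('utf8', 0, Math.min(buf.length, 256)).trimStart().toLowerCase();
  return head.startsWith('<?xml') || head.startsWith('<svg');
}

// Validate one upload. The declared type comes from the client and is never
// trusted on its own; the type to store and later serve is the sniffed one.
function validateImageUpload(declaredContentType, buf) {
  const sniffed = sniffImageMime(buf);
  if (sniffed === null) {
    return looksLikeSvg(buf)
      ? { ok: false, code: 'svg-not-raster' }
      : { ok: false, code: 'unrecognised-format' };
  }
  const declared = normalizeMime(declaredContentType);
  if (declared !== sniffed) {
    return { ok: false, code: 'declared-type-mismatch', declared, sniffed };
  }
  return { ok: true, mime: sniffed };
}

// Constructed sample bodies (file headers only; enough for the checks above).
const SAMPLE_PNG  = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
                                 0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52]);
const SAMPLE_JPEG = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00]);
const SAMPLE_WEBP = Buffer.concat([Buffer.from('RIFF', 'latin1'),
                                   Buffer.from([0x24, 0x00, 0x00, 0x00]),
                                   Buffer.from('WEBPVP8 ', 'latin1')]);
const SAMPLE_SVG  = Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>');
const SAMPLE_HTML = Buffer.from('<html><body><script>alert(1)</script></body></html>');

// Walk the samples with the Content-Type a client might send for each one.
const CASES = [
  ['image/png',               SAMPLE_PNG],    // genuine PNG, declared correctly
  ['image/png',               SAMPLE_JPEG],   // JPEG bytes declared as PNG
  ['image/JPEG; charset=utf-8', SAMPLE_JPEG], // parameters and case are normalised
  ['image/svg+xml',           SAMPLE_SVG],    // SVG with script, not a raster image
  ['image/png',               SAMPLE_HTML],   // HTML disguised as an image
  ['image/webp',              SAMPLE_WEBP],   // RIFF/WEBP container
];
for (const [declared, body] of CASES) {
  console.log(declared, '->', JSON.stringify(validateImageUpload(declared, body)));
}
```

The stored MIME type should be the sniffed value returned in `mime`, never the client's header, so that a later download is served with a Content-Type that matches the bytes; if the two disagree at upload time the request is rejected rather than silently corrected.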
We've also updated our SECURITY.MD file to detail our security practices and how to report vulnerabilities.