github decidim/decidim v0.28.3

9 days ago

Security fixes

This release addresses one security issue:

  • CVE-2024-45594

The details regarding the security vulnerability will be published on September 16th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

Upgrade notes

As usual, we recommend that you have a full backup of the database, application code and static files.

To update, follow these steps:

  1. Update your Gemfile:

     gem "decidim", "0.28.3"
     gem "decidim-dev", "0.28.3"

  2. Run these commands to upgrade and make sure you get all the latest migrations:

     wget https://raw.githubusercontent.com/decidim/decidim/c626489ea235e644e281ecf4bdbcdf112ca6b3d7/decidim-core/db/migrate/20181025082245_add_timestamps_to_components.rb -O $(ls db/migrate/*_add_timestamps_to_components.decidim.rb) # see "2.7. Clean-up invalid resources"
     sudo apt install p7zip # or the alternative installation process for your operating system. See "2.1. 7zip dependency introduction"
     bundle remove spring spring-watcher-listen # see "3.1. Remove spring and spring-watcher-listen from your Gemfile"
     bundle update decidim
     bin/rails decidim:upgrade
     bin/rails db:migrate
     bin/rails decidim:upgrade:clean:invalid_records # see "2.2. Cleanup invalid resources"

2. General notes

2.1. 7zip dependency introduction

We had to migrate away from an unmaintained dependency and write a wrapper for the 7zip command line. This means that you need to install 7zip on your system. You can do it by running:

sudo apt install p7zip

This works for Ubuntu Linux; other operating systems need a different command or package.

You can read more about this change on PR #13185.

2.2. Cleanup invalid resources

While upgrading various instances to the latest Decidim version, we have noticed there are some records that may not be present anymore. As a result, the application would generate a lot of errors, in both the frontend and the backend.

In order to fix these errors, we have introduced a new rake task, aiming to fix the errors by removing invalid data.

In your console you can run:

bin/rails decidim:upgrade:clean:invalid_records

If you have a big installation with multiple records, many users, etc., you can split the cleanup task as follows:

bin/rails decidim:upgrade:clean:searchable_resources
bin/rails decidim:upgrade:clean:notifications
bin/rails decidim:upgrade:clean:follows
bin/rails decidim:upgrade:clean:action_logs

You can read more about this change on PR #13237.

3. One time actions

3.1. Remove spring and spring-watcher-listen from your Gemfile

To simplify the upgrade process, we have decided to add spring and spring-watcher-listen as hard dependencies of decidim-dev.

Before upgrading to this version, make sure you run in your console:

bundle remove spring spring-watcher-listen

You can read more about this change on PR #13235.
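
A post-upgrade check for the Gemfile steps above and for section 3.1, added here as an example and not part of Decidim or its release notes: it reads Gemfile and Gemfile.lock text and reports a locked decidim older than 0.28.3, a decidim-core that does not match it, or spring gems still declared directly. The function names and the sample Gemfile contents are constructed for illustration.

```ruby
# Added example (not Decidim code). The Gemfile and Gemfile.lock text is constructed.
FIXED = Gem::Version.new("0.28.3") # release that addresses CVE-2024-45594, per these notes
SPRING_GEMS = %w[spring spring-watcher-listen].freeze

# Resolved version of +name+ in Gemfile.lock text, or nil when it is not locked.
# Resolved specs sit at exactly four spaces of indentation: "    decidim (0.28.3)".
def locked_version(lockfile, name)
  m = lockfile.match(/^ {4}#{Regexp.escape(name)} \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# Gem names declared directly in Gemfile text; commented-out lines are skipped.
def declared_gems(gemfile)
  gemfile.scan(/^\s*gem[\s(]+["']([^"']+)["']/).flatten
end

# Returns a list of findings; an empty list means every check passed.
def upgrade_findings(gemfile, lockfile)
  findings = []
  meta = locked_version(lockfile, "decidim")
  core = locked_version(lockfile, "decidim-core")
  if meta.nil?
    findings << "decidim is not resolved in Gemfile.lock"
  elsif meta.segments.first(2) != [0, 28]
    findings << "decidim #{meta} is outside the 0.28 line; this check does not cover it"
  elsif meta < FIXED
    findings << "decidim #{meta} is older than #{FIXED}"
  end
  # A partial `bundle update` can leave the meta gem and decidim-core out of step.
  findings << "decidim-core #{core} does not match decidim #{meta}" if meta && core && core != meta
  (declared_gems(gemfile) & SPRING_GEMS).each { |g| findings << "#{g} is still declared in the Gemfile" }
  findings
end

OLD_GEMFILE = <<~GEMFILE
  gem "decidim", "0.28.2"
  gem "decidim-dev", "0.28.2"
  gem "spring"
  gem "spring-watcher-listen"
GEMFILE

OLD_LOCK = <<~LOCK
  GEM
    specs:
      decidim (0.28.2)
        decidim-core (= 0.28.2)
      decidim-core (0.28.2)
LOCK

puts upgrade_findings(OLD_GEMFILE, OLD_LOCK)
```

To check a real installation, pass `File.read("Gemfile")` and `File.read("Gemfile.lock")` to `upgrade_findings` from the application root.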

4. Scheduled tasks

Nothing.

5. Changes in APIs

Nothing.

Changelog

Added

Nothing.

Changed

Nothing.

Fixed

  • decidim-core: Backport 'Prevent cached signed global IDs from expiring' to v0.28 #13232
  • decidim-accountability, decidim-admin, decidim-budgets, decidim-conferences, decidim-initiatives, decidim-meetings, decidim-proposals: Backport 'Fix clickable area in dropdowns' to v0.28 #13233
  • decidim-core, decidim-elections, decidim-generators: Backport 'Implements 7zip as a CLI wrapper' to v0.28 #13234
  • decidim-core: Backport 'Send welcome notifications for omniauth users' to v0.28 #13240
  • decidim-admin: Backport 'Pagination and search on conflicts page' to v0.28 #13242
  • decidim-meetings: Backport 'Allow admin tags in meeting minutes' to v0.28 #13241
  • decidim-admin, decidim-assemblies, decidim-blogs, decidim-conferences, decidim-core, decidim-initiatives, decidim-participatory_processes, decidim-system: Backport 'Improve ActiveStorage asset linking performance' to v0.28 #13228
  • decidim-admin: Backport 'Overwrite admin "Cell" -helper method' to v0.28 #13262
  • Backport 'Lock Chrome and ChromeDriver to 126.0.6478.182' to v0.28 #13309
  • Backport 'Fix google-chrome-stable installation in CI' to v0.28 #13327
  • decidim-core: Backport 'Fix deprecation warnings from SASS' to v0.28 #13320
  • decidim-proposals: Backport 'Fix proposals' preview spacing' to v0.28 #13326
  • decidim-core, decidim-proposals: Backport 'Fix character counter disposition and spacing with WYSIWYG' to v0.28 #13325
  • decidim-admin, decidim-generators, decidim-proposals, decidim-templates: Backport 'Fix exceptions with decidim-templates when not added explicitly ' to v0.28 #13324
  • Backport 'Add overwrite parameter to upload-artifact' to v0.28 #13323
  • decidim-admin: Backport 'Fix deleting a component which has reminders associated with it' to v0.28 #13329
  • decidim-dev: Backport 'Disable search engine choice window for ChromeDriver in system specs' to v0.28 #13330
  • decidim-core: Backport 'Prevent malformed URLs in online/hybrid meetings' to v0.28 #13331
  • decidim-dev, decidim-generators: Backport 'Add spring as dependency' to v0.28 #13322
  • decidim-assemblies, decidim-budgets, decidim-conferences, decidim-core, decidim-debates, decidim-initiatives, decidim-meetings, decidim-participatory_processes, decidim-proposals: Backport 'Fix flaky spec with follow button in participatory spaces' to v0.28 #13346
  • decidim-core: Backport 'Fix exporting of the open data file' to v0.28 #13345
  • decidim-admin, decidim-assemblies, decidim-blogs, decidim-comments, decidim-conferences, decidim-core, decidim-initiatives, decidim-participatory_processes, decidim-proposals: Backport 'Remove pagination configuration initializer' to v0.28 #13321
  • decidim-core: Backport 'Fix results per page display in pagination' to v0.28 #13347
  • decidim-core, decidim-dev: Backport 'Add manifest name check for spaces and components' to v0.28 #13359

Removed

Nothing.

Developer improvements

  • Backport 'Fix clickable area in dropdowns' to v0.28 #13233

Internal

Nothing.

Full Changelog: v0.28.2...v0.28.3
