github fccview/jotty 1.22.0
Stable 1.22.0

11 hours ago





dev note

Hi all, sorry it's been a while. As you all know from previous releases, my kid had a liver transplant, and things are actually going pretty well for once; we are finally back home in quarantine for the next few months. He's doing amazingly, but we're obviously still in the honeymoon phase. There will likely be complications (there always are, we've been through all this before), but we take things one day at a time. For now I'm back at full force.

This release is fairly huge; I've been working on it for almost a month. It's a whole refactor of how tasks used to work. Tasks have been renamed to kanban, and they have a bit more usage now, with priorities, end dates, estimations and assignees.

There's also a shiny new calendar mode which shows tasks you have added a due date to, and in-site notifications which work across users if tasks have been shared. Notifications are only internal for now and I have no plan to integrate them externally; that'd require some way to track time and it's a ton of overhead for something that may be a bit out of scope for Jotty, I hope you understand.

changelog

Kanban refactor

  • Refactored the tasks at their core; the whole codebase had a bit of an overhaul, making sure things are more logical and separated from checklists. Kanban boards are slowly becoming their own entity, even though they still use the same markdown file as checklists
  • Task view now shows a bunch of new fields such as assignee, due date, reminders, priority and so on
  • There's now a calendar view showing tasks with a due date #82 #53
  • You can filter the board by task priority
  • Certain events across the site will trigger notifications, for example users sharing items with you, tasks assigned to you having their status updated, reminders for expired tasks and whatnot. This is an initial MVP; it'll be improved upon, but it's a slick system already, and I'm pretty excited to hear your opinions on the matter

LDAP Support

  • Allows users to log in to Jotty via LDAP. It works exactly like SSO in the sense that if your LDAP username matches the Jotty username, it'll just use your Jotty user from that point onwards (but logs you in via LDAP).
  • I changed the SSO_MODE env variable to AUTH_MODE (SSO_MODE will still work for the foreseeable future, but I'd suggest you swap it in case it eventually gets fully deprecated).
  • Please check the dedicated LDAP howto to learn how it all works in detail ❤️

Huge shout out to @h-2 for doing 90% of the work on this and being a good sport about the whole fake CLAUDE.md joke ❤️

bugfixes

  • Replaced hardcoded strings with translation keys and added ICU plurals #481 - thank you @w00fmeow
  • Fixed the note API missing the get-note-by-UUID endpoint #451
  • When there are fewer than 4 status columns, they should still fill the whole screen #436
  • Subtasks getting unchecked on task progress #420
  • Zoom in PWA #405

security

  • Fixed a high-severity advisory raised by @QiaoNPC (thank you so much for helping keep Jotty safe). As per security standards, I'll request a CVE in a week and edit this release with the actual details of the vulnerability. I suggest you update your instance to the latest version if it's public facing.
  • It's been a while since the last release, so third-party dependency vulnerabilities stacked up a little, sorry; soon enough releases will start happening consistently again ❤️ Here's the list of what was sorted, just FYI:

  • dompurify - ADD_ATTR predicate skips URI validation | Moderate
  • dompurify - USE_PROFILES prototype pollution allows event handlers | Moderate
  • dompurify - contains a Cross-site Scripting vulnerability | Moderate
  • next - null origin can bypass dev HMR websocket CSRF checks | Low
  • vite - server.fs.deny bypassed with queries | High
  • vite - Vulnerable to Path Traversal in Optimized Deps .map Handling | Moderate
  • simple-git - blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE | Critical
  • flatted - Prototype Pollution via parse() in NodeJS | High
  • immutable - is vulnerable to Prototype Pollution | High
  • vite - Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket | High
  • lodash - vulnerable to Code Injection via _.template imports key names | High
  • lodash-es - vulnerable to Code Injection via _.template imports key names | High
  • simple-git - Affected by Command Execution via Option-Parsing Bypass | High
  • picomatch - has a ReDoS vulnerability via extglob quantifiers | High
  • next - has a Denial of Service with Server Components | High
  • next - Unbounded next/image disk cache growth can exhaust storage | Moderate
  • next - Unbounded postponed resume buffering can lead to DoS | Moderate
  • next-intl - has an open redirect vulnerability | Moderate
  • dompurify - is vulnerable to mutation-XSS via Re-Contextualization | Moderate
  • lodash - vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | Moderate
  • lodash-es - vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | Moderate
  • brace-expansion - Zero-step sequence causes process hang and memory exhaustion | Moderate
  • next - HTTP request smuggling in rewrites | Moderate
  • picomatch - Method Injection in POSIX Character Classes causes incorrect Glob Matching | Moderate
  • next - null origin can bypass Server Actions CSRF checks | Moderate
  • dompurify - ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation | Moderate
