CI Report:
N/A
LinuxServer Changes:
Full Changelog: 2.57.0-ls178...2.58.0-ls179
Remote Changes:
Compatible with PHP 8.2 to 8.5
- Adds a setting to disable first time wizard for new users (#5938) - thanks @tofuSCHNITZEL
- Switch to PNPM for frontend dependencies (#5953)
- New wizard images (#5952)
- Split wizards and password reset subscriber into two classes (#5952)
- Relax upper PHP version (#5952)
- Fix: sticky tooltip survives page reload (#5952)
- Fix: actions could trigger GET requests to the API (#5952)
- Fix: formatting locale reset after embedded controller sub-requests (#5944) - thanks @cheriimoya
- Split CI lint and test jobs into separate workflows (#5952)
- Docker: use tag as ref for checkout and build from local code (#5952)
- Docker: new docker image version name (#5952)
Security
This release contains quite a few security-related improvements and fixes (yep, LLMs are pretty strong nowadays).
- User permissions `<name>_other_profile` now respect teams
- CI: Added audit job to scan frontend deps for known vulnerabilities
- CI: Added zizmor for GitHub action workflow security
- Verify Project permissions in Timesheet Restart and Duplicate - thanks @Mitchell45
- Prevent re-use of Password-Reset link - thanks @AzureADTrent
- Auto generated `APP_SECRET` in Docker images - thanks @AzureADTrent
- Removed API timesheet stop/restart GET endpoints to prevent CSRF - thanks @Mitchell45
- Teamleads could create ExportTemplate despite the hidden button - thanks @AzureADTrent
- Prevent rendering images via markdown in custom templates - thanks @Mitchell45
- Use a safe network client for fetching external sources in custom templates - thanks @Mitchell45
- Verify current user can see user/activity when editing team via API - thanks @Mitchell45
- Move create default team routes to API to prevent CSRF - thanks @Mitchell45
Involved in this release: @kevinpapst and @cheriimoya and @tofuSCHNITZEL and @Mitchell45 and @AzureADTrent