umputun/remark42 v1.16.0

Version 1.16.0

on GitHub

New Features

• custom oauth2 provider #2006 @alexma233
• make Microsoft Entra ID tenant configurable #1999 @paskal

Improvements

• build release artifacts with GoReleaser #2070 @umputun
• use testing/synctest to eliminate wall-clock sleeps #2048 @paskal
• use time.UTC in test fixtures to be timezone-agnostic #2047 @paskal
• modernise Go code with go fix #2027 @paskal
• add node dependency caching #2020 @paskal
• document loading placeholder support in remark42 div #2009 @paskal
• offer github private vulnerability reporting in security policy f3a7dea
• bump go modules in backend and example #2065 @paskal
• update Go modules #2042 @paskal

Bug Fixes

• reject non-image content-types in image proxy and /picture/ to prevent stored XSS #2067 @paskal
• reject decompression-bomb dimensions before raster decode #2064 @paskal
• close OAuth open-redirect by wiring AllowedRedirectHosts #2049 @paskal
• require explicit ?site= in matchSiteID middleware #2046 @paskal
• reject path traversal in /picture/{user}/{id} #2045 @paskal
• apply ssrf-safe transport to TitleExtractor + restore gosec G70x rules #2044 @paskal
• IPv6 address truncation and image proxy SSRF vulnerabilities #2016 @umputun
• preserve orig verbatim in edit textarea #2041 @paskal
• Fix Firefox dark mode white background on comment iframe #2023 @amdevz
• Fix frontend not respecting ADMIN_EDIT config #2001 @paskal
• Fix email encoding, image cleanup CPU spin, and demo template paths #2000 @paskal
• Fix site rebuild on release #1993 @paskal
• fix type check failure in @remark42/api package ab9e667

Other

• Migrate remaining BEM components to CSS Modules (final batch) #2015 @paskal
• Migrate batch 1 components from BEM to CSS Modules #2014 @paskal
• Migrate 4 BEM components to CSS Modules #2013 @paskal
• Clean up deprecated CSS and fix silent CSS bugs in frontend #2012 @paskal
• Document EDIT_TIME=0 disables comment editing and image cleanup #2010 @paskal
• Add X-Content-Type-Options and Referrer-Policy security headers #2008 @paskal
• Drop GitHub token permissions on deploy jobs #2007 @paskal
• Sync example dependencies after go-modules-updates bump #2005 @app/copilot-swe-agent
• Document email template variables and plain-text email setup #2003 @paskal
• Clear user placeholder content when comments iframe loads #2002 @paskal
• Fix typo in Spanish localization for sort-by #2043 @aroman-arvo
• Probe /auth/status from frontend to avoid 401 on /user a4c5e17
• Update backend base image to buildgo-v1.17.0 in Dockerfile cdad560
• dependency bumps (dependabot): #2053 #2052 #2050 #2034 #2032 #2030 #2028 #1997 #1995 #1994 #1984