Download Latest Version v4.13.1 source code.tar.gz (5.5 MB)
Email in envelope

Get an email when there's a new version of NodeBB

Home / v4.13.0
Name Modified Size InfoDownloads / Week
Parent folder
README.md 2026-06-10 7.2 kB
0
v4.13.0 source code.tar.gz 2026-06-10 5.5 MB
0
v4.13.0 source code.zip 2026-06-10 8.0 MB
0
Totals: 3 Items   13.5 MB 0

Release build (minor) of NodeBB @ 2026-06-10T13:48:28.761Z

v4.13.0 (2026-06-10)

New Features
  • activitypub:
  • add core blocklist for domain management (fe482229)
  • add filter option to categorization rules for post queue gating (dfb108e9)
  • add severity 3 (filter) queuing for blocklisted posts (80f40aeb)
  • cross-check received payload against received digest header if present (590ac686)
  • upgrade to fa7 (4eec1d76)
Bug Fixes
  • closes [#14321] (48831566)
  • dont allow installing plugins via plugins.upgrade (d2ceba6a)
  • ability to change crosspost prior to accepting as queued crosspost (3d7a4068)
  • notification bodyShort on crosspost item (cdf061dd)
  • proper queuing of incoming ap content when it is already in a remote category (5dca2408)
  • [#14332], don't set picture if it requires reputation (0ea997e6)
  • compare mimetype (e8b52591)
  • don't allow guests to accept/reject/edit queued guests posts (a481c8a6)
  • long room names (7e001aba)
  • tx string in room rename modal (316ff580)
  • dont set invalid strings into notificationType_ properties (c62bdddd)
  • unset crosspostCid if the post does not already have a cid (4e91175a)
  • update rules logic so cid is no longer required, assumes -1 (79b4a797)
  • when replacing rules, also update filter (4b624abd)
  • post queue conditionals (9e0762a5)
  • fixed redis broke everything else lol (abe9a332)
  • prefer destructure (c065dd77)
  • tests (135f7aaf)
  • accidental variable scoping by qwen (889f63c0)
  • nl2br (f82e6e6b)
  • send sourceContent in to addToQueue (97f4c283)
  • fix pid double-escape in /world, improper helper call in feed/item.tpl (1a04fc59)
  • about me not being parsed correctly on profile page (142b551f)
  • wrap user.url in String() sometimes it's an array from AP (64a427fa)
  • default cover and pictures (069696db)
  • properly enforce maxUserSessions (34adeb9c)
  • don't crash if allow/denyList is not array (b4817906)
  • missing middlewares on category inbox, gate email lookup behind user session (f9a51b2b)
  • translate category data on /world (4d86f316)
  • translator escape too (87583bb5)
  • escape remoteUrl in account tpl (8805843a)
  • fix topic moving privileges (d5a589d2)
  • dont allow returning notifications by nid (fb3a9050)
  • isUserInRoom bypass in chat api (0af0d97f)
  • closes [#14326], link-secondary on skins (b47e065c)
  • translate category name in summaries as well (ce79524b)
  • more tx fixes (5f0e877e)
  • explicitly set as:sensitive to false when federating out as:Article (edc85a91)
  • category name in purge modal (0f7d9df9)
  • escape translations in /outgoing query params (d21a705a)
  • decode HTML entities in picture and cover when mocking AP user (635a59b8)
  • add missing changes in category.js (22f055de)
  • upsert instead of add (5428abaa)
  • merge master (98d6f6cd)
  • closes [#14316] (8985e432)
  • armenian language string (602d56bb)
  • icon width for fa7 (d58ec0a7)
  • don't sign outgoing gets if id is 0 (c05179b8)
  • use visually-hidden up composer (a902ac36)
  • move favicon and og_image below touch icon and maskable image, [#14271] (e55454f5)
  • topics: remove crosspost queue entries when topic is deleted (1b678fe1)
  • activitypub:
  • prevent XSS via intent templates and plugin upgrade bypass (2ba41197)
  • reject POST requests without HTTP signature header (c4b9d03b)
  • anchor actor/uid passthrough regexes to prevent inbox bypass (6fcc3448)
  • coerce filter field from Redis string to boolean in Rules.list (6bfc0bb5)
  • separate crosspost queue from add to fix filter regression (d05e4ec1)
  • queue crossposts when category is pre-resolved (6d603864)
  • correct getOutbox pagination condition and partOf URL (3a0797a8)
  • respect severity in isAllowed and update tests (877a929e)
  • handle sourceContent for queued AP posts (9e6831fc)
  • handle instance list as blocklist or allowlist based on type (822250d7)
  • resolve lint errors in blocklists and instances (b88de0b0)
  • topic-events: escape user-controlled values in buildAvatar and renderUser (4c4bf76d)
  • posts/queue:
  • add crosspost type handling for notifications (5fe97688)
  • remove unnecessary user data override for crossposts (1d72827d)
  • populate crosspost topic, author, and content metadata (5bc47cb1)
  • feeds: replace user lockout with per-IP rate limit for RSS token failures (#14329) (bdac7a7d)
  • world: encode link to post in stretched-link (cc38c3ea)
  • activitypub/notes: use options.queue for auto-categorization filter (3e7cdfd8)
  • middleware: remove dead res.locals['ap:blocklist'] assignment (d0d52c6b)
  • posts: deduplicate queue items by pid on add (e4b68c10)
  • test:
  • enable postQueue config for severity 3 filter tests (d44fbc6b)
  • clear blocklists before test suite to ensure clean state (cf0777d1)
  • categorysearch: focus first list item on arrow down (f42b3d13)
  • categories: add rel=canonical link tag to home page (#14322) (2dd294c5)
  • admin/federation: filter out remote categories in rules modal (185a3d95)
  • chats: mark chat as read when clicking close button (3bcdc908)
Refactors
  • dont need decode anymore (91062d31)
  • get rid of old function. syntax (98fd0f31)
  • min/max validation in user/settings.js (cb1a1dcb)
  • notes.assert should call instances.isAllowed on each item prior to posting (a696e103)
  • blocklist tests and check/severity info methods (5faa853a)
  • notification tests to async/await (2ff3c07b)
  • more roomIds checks (68edde62)
  • backwards compat. for loadNotifications function (6a98b7e8)
  • change href arg validation (58a70e20)
  • change href arg validation (d8bb3f40)
  • remove dupe code (bafb719e)
  • custom reasons (751a1d86)
  • custom reasons (1fa3a124)
  • translate category names in selector (2a400bc8)
  • allow [#5848] (66c9239a)
  • tx.escape (c7368f22)
  • activitypub:
  • remove redundant actor/uid passthrough (abd9e27c)
  • consolidate blocklist severity logic into check() (80f4a224)
  • activitypub/rules: use upsert to prevent duplicate rules (bb895ff9)
Tests
  • fix tests (5abbe512)
  • fix only (7a1c2f10)
  • update tests (d8fd2aab)
  • update test for homePageRoute (657c3eae)
  • fix remaining user tests (23fdbe97)
  • fix one more test (77ccec29)
  • update about me test (0d536e01)
  • fix test failures (41084530)
  • fix all note tests that were not written well for testing inbox handling of severity 3 blocklist items (0c71c0f2)
  • remove check, its in canPin (e4e1dea2)
  • fix test maybe (ee4e9e08)
  • remove only (7504cd10)
  • refactor tests to async/await (8382efb9)
  • add nodebb.require to tests (8a16da18)
  • remove only (6b13a1e2)
  • fix tests, add missing return (16d176b6)
  • import deprecated (56be5a5c)
  • fix css tests (f893c46d)
  • posts: add queue deduplication tests (7f327672)
  • activitypub:
  • add crosspost-in-queue test with auto-categorization rule (67297b22)
  • add instances module tests (591acccd)
  • i18n: add validation for language code and dir fields (ff4fb690)
Source: README.md, updated 2026-06-10