| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| docker-compose.yml | 2026-05-14 | 6.8 kB | |
| restore-airgapped.sh | 2026-05-14 | 4.6 kB | |
| restore.sh | 2026-05-14 | 3.6 kB | |
| setup.sh | 2026-05-14 | 22.9 kB | |
| swarm.sh | 2026-05-14 | 20.3 kB | |
| variables.env | 2026-05-14 | 2.2 kB | |
| README.md | 2026-05-14 | 2.9 kB | |
| v1.3.1 source code.tar.gz | 2026-05-14 | 33.1 MB | |
| v1.3.1 source code.zip | 2026-05-14 | 36.1 MB | |
| Totals: 9 Items | 69.2 MB | 6 | |
β¨ Improvements
- Scrollbar in keyboard shortcuts modal
- Skip role & use-case steps for self-hosted instances
π Bug Fixes
- Prevent ORM field injection via analytics segment parameter β
Security fix (GHSA-93x3-ghh7-72j3). Centralizes analytics field allowlists into
VALID_ANALYTICS_FIELDS/VALID_YAXISand adds defense-in-depth validation inbuild_graph_plot()andextract_axis()so no caller can pass arbitrary field references to DjangoF()expressions. Also adds missing segment validation toSavedAnalyticEndpoint. - Enforce workspace membership on V2 asset endpoints β
Security fix (GHSA-qw87-v5w3-6vxx). Adds
@allow_permissionto allWorkspaceFileAssetEndpointmethods and scopesDuplicateAssetEndpoint's source asset lookup to workspaces where the caller is an active member. - Sanitize filenames in upload paths to prevent path traversal β Security fix (GHSA-v57h-5999-w7xp). Server-side filename sanitization across all file upload endpoints; defense-in-depth against S3 key pollution. Handles Windows-style paths and leading-dot/whitespace edge cases.
- Replace
IS_SELF_MANAGEDtoggle withWEBHOOK_ALLOWED_IPSallowlist β Webhook SSRF protection: blocks all private/internal IPs by default; only specific networks listed inWEBHOOK_ALLOWED_IPS(comma-separated IPs/CIDRs) are permitted. Re-validates URL at send time to prevent DNS rebinding, sanitizes error messages, and guards mixed IPv4/IPv6 allowlists. - Strip whitespace and handle null values in instance configuration β
Sanitizes patched instance config values: trims leading/trailing whitespace and converts
nullto""instead of the literal string"None". - Update border for project timezone β [WEB-6785]
- Update Twitter icon and links to X β
- Optimize sub-issue query performance β Adds optimized annotations and subqueries to the sub-issue listing path.
π§ Refactor & Chore
- Remove Intercom integration and chat support components Intercom is no longer used. Removes all related frontend components, hooks, custom events, API config, types, and i18n keys.
- Add project context to relations API
- Suppress CodeQL file coverage deprecation warning Explicitly opts into the new default behavior where CodeQL skips computing file coverage on PRs for improved analysis performance.
- Update CODEOWNERS for apps and deployments
- Add Claude Code skills for PR descriptions and release notes
π¦ Dependencies
- Bump
axios1.15.0 β 1.15.2,uuid13.0.0 β 14.0.0; add pnpm overrides pinningpostcss>=8.5.10 andfollow-redirects>=1.16.0 - Bump
Django4.2.29 β 4.2.30,cryptography46.0.6 β 46.0.7,axios1.13.5 β 1.15.0,lodash4.17.23 β 4.18.1 - Bump
vite7.3.1 β 7.3.2 - Bump
pytest9.0.2 β 9.0.3 - Bump
lxml6.0.0 β 6.1.0