Releases: BookStackApp/BookStack

BookStack v24.12.1

04 Jan 22:35
v24.12.1
387c786

Full List of Changes

This release contains the following fixes and changes:

  • Updated export logic to have better temp file clean-up. (#5374, #5379)
  • Updated in-app export endpoints to have rate limits. (#5379)
  • Updated translations with latest Crowdin changes. (#5370)
  • Updated PHP dependency package versions.
  • Fixed markdown editor focus jumping on image insert. (#5384)

BookStack v24.12

23 Dec 12:01
v24.12
6d2cd20

Full List of Changes

  • Added new portable ZIP import/export format. (#5260, #43)
  • Added support for concatenating multiple LDAP attributes in displayName. Thanks to @MatthieuLeboeuf. (#5295, #1684)
  • Added book and chapter titles to search API results. Thanks to @rashadkhan359. (#5280, #5140)
  • Added cover image details to book/shelf API list responses. (#5180)
  • Updated dev dockerfile setup to simplify things. Thanks to @johnroyer. (#5293)
  • Updated guest account form to hide language preference to prevent confusion. (#5356)
  • Updated new WYSIWYG editor codebase to merge nodes & re-organise code. (#5349)
  • Updated notification handling to not block user with errors on send failures. (#5315)
  • Updated our JavaScript service files to TypeScript. (#5259)
  • Updated project NPM package & SASS deprecations/changes. (#5354)
  • Updated the new WYSIWYG editor with a range of fixes/updates. (#5365)
  • Updated translations with latest Crowdin changes. (#5345)
  • Fixed API attachment update issue when name not provided. (#5353)
  • Fixed attachment actions showing when lacking permissions. (#5323)
  • Fixed missing book description and formatting in markdown exports. Thanks to @czemu. (#5313)
  • Fixed page indexing breaking with very large pages. (#5322)

BookStack v24.10.3

29 Nov 13:58
v24.10.3
07e45a2

Full List of Changes

This release contains the following fixes and changes:

  • Updated PHP dependency package versions.
  • Updated translations with latest Crowdin changes. (#5331)
  • Fixed attachment stream handling for better Chrome video support. (#5342, #5088)
  • Fixed page include issue caused by PHP 8.3.14 bug. (#5341)
  • Fixed OIDC userinfo handling when response included charset content type. Thanks to @wesbiggs. (#5337)
  • Fixed differing code line height between dark/light modes. (#5146)

BookStack v24.10.2

13 Nov 12:05
v24.10.2
5fba4a5

Security Release

BookStack v24.10.2 has been released.

This is a security release to address a vulnerability in our dependencies where specifically formatted requests could be used to manipulate application configuration in environments where a certain PHP option (register_argc_argv) is enabled. This is not an option that's typically enabled in production web-serving environments, but it's advised to update where uncertain.

Full List of Changes

  • Updated application PHP dependencies.
  • Updated translations with latest Crowdin changes. (#5317)

BookStack v24.10.1

08 Nov 14:00
v24.10.1
f3efb64

Full List of Changes

This release contains the following fixes and changes:

  • Updated System CLI with fixes and updated dependencies. (#5312)
  • Fixed update-url command not updating revisions & drafts. (#5292)
  • Fixed the namespaces of some tests. Thanks to @LordSimal. (#5291, #5071)
  • Fixed misaligned user input validation. (#5263)
  • Updated setting categories to be validated against existing views, allowing custom categories to be used via the theme system. Thanks to @LachTrip. (#5255, #5251)
  • Updated translations with latest Crowdin changes. (#5250)

BookStack v24.10

09 Oct 09:54
v24.10
26aadff

Full List of Changes

  • Added ability to configure the PDF export command timeout. (#5119)
  • Added new Lexical based editor. (#5058)
  • Added not operator to search. (#4536)
  • Added OpenSearch support. Thanks to @maximilian-walter. (#5198)
  • Added SAS and R code language support. (#5206)
  • Added search term negation support. (#5239)
  • Added Welsh language to language list. (#5240)
  • Updated dompdf and bacon-qr-code libraries to new major versions. (#5222)
  • Updated page editor type to always exist in API and database. (#5117)
  • Updated translations with latest Crowdin changes. (#5188)
  • Updated user account creation to provide better email failure feedback. (#5195)
  • Fixed drifting search icon on smaller screen sizes. (#5204)

BookStack v24.05.4

29 Aug 15:10
v24.05.4
b0dda6e

Security Release

BookStack v24.05.4 has been released.

This is a security release to address issues found in LDAP group syncing, where in certain scenarios a user could be matched to extra roles incorrectly, and an issue with content visibility in "book-show" API responses which would not have permissions applied properly.

Upgrade is strongly advised for instances where LDAP authentication is used with group syncing, or where the REST API is used to fetch contents of books ("books-read" endpoint).

Thanks to Linus Nagel and their team at WorkSimple GmbH for reporting this API vulnerability.

Full List of Changes

  • Updated API docs with consistent parameter types. (#5183)
  • Updated default content iframe embed max-width to align with other content types. (#5130)
  • Updated LDAP group sync to query via full DN.
  • Updated translations with latest Crowdin changes. (#5118)
  • Fixed books read API response not applying visibility control to chapter contents.
  • Fixed API docs users response showing extra property. (#5178)
  • Fixed database error thrown when using our dev docker setup. (#5124)
  • Fixed RTL display issues with tasklist checkboxes. (#5134)

BookStack v24.05.3

14 Jul 16:19
v24.05.3
d6021f4

Full List of Changes

This release contains the following fixes and changes:

  • Updated translations with latest Crowdin changes. (#5065)
  • Updated callouts with LTR text handling where supported. (#5104)
  • Updated project PHP and JavaScript dependencies.
  • Fixed blocked diagrams.net loading when using a custom URL that includes a port. (#5107)
  • Fixed OIDC incorrectly calling userinfo endpoint when valid empty groups provided. (#5101)
  • Fixed image replacement being case-sensitive when it should not be. Thanks to @DanielGordonIT. (#5096) (#5095)
  • Fixed HTML code block highlighting when custom self-closing tags are used. (#5078)
  • Fixed testing when custom ALLOWED_IFRAME_SOURCES is set. Thanks to @mueller-contria. (#5069) (#5068)

BookStack v24.05.2

10 Jun 10:44
v24.05.2
48f235e

Full List of Changes

This release contains the following fixes and changes:

  • Fixed initial page publish changelog message not being saved if set. (#5056)
  • Fixed incorrect WYSIWYG code shortcut reference. Thanks to @bradenterpstra01. (#5036)
  • Added role create/update validation to warn about too-long external auth ID values. (#5037)
  • Updated GIF thumbnail generation to not support animation, to avoid issues with large-frame-count GIFs. (#5029)
  • Updated translations with latest Crowdin changes. (#5022)
  • Updated backup code description text to clarify their use. (#5017)
  • Updated docker-compose.yml to remove deprecated version. Thanks to @michaelortnerit. (#5052)

BookStack v24.05.1

21 May 10:13
v24.05.1
b537511

Security Release

BookStack v24.05.1 has been released.

This is a security release that adds extra rate-limiting to some forms that are accessible without authentication, while also implementing changes to prevent methods that could be used to indicate if specific user emails exist in the system.

Upgrade is advised for instances accessible on the public web.

Full List of Changes

  • Updated PHP dependencies.
  • Updated routes with IP-based rate limiting. (#4993)
  • Updated email confirmation flow to not require email submission form.
  • Updated translations with latest Crowdin changes. (#4994)
  • Updated WYSIWYG alignment handling to also consider table align attributes. (#5011)
  • Fixed attachment upload validation errors appearing as JSON. (#4996)
  • Fixed incorrect notification preferences URL in email. Thanks to @KiDxS. (#5008, #5005)
  • Fixed non-visible MFA setup titles in dark mode. (#5018)
  • Fixed outdated path in visual theme system guidance. (#4998)
  • Fixed potential cache permission issues by reverting cache location. (#4999)