Changelog History

  • v3.13.0 Changes

    Goals

    This release cycle we prioritized the completion of "access lists", a major feature that we're excited to introduce.

    Update notes

    Nearly every week (sometimes more than once) we end up taking time away from development to help administrators configure their CryptPad instances. We're happy to see more instances popping up, but ideally we'd like to spend more of our time working on new features. With this in mind we devoted some time to simplifying instance configuration and clarifying some points where people commonly have difficulty.

    If you review cryptpad/config.example.js you'll notice it is significantly smaller than it was last release.
    Old configuration files should be backwards compatible (if you copied config.example.js to config.js in order to customize it).
    The example has been reorganized so that the most important parts (which people seemed to miss most of the time) are at the top.
    Most of the fields which were defined within the config file now have defaults defined within the server itself.
    If you supply these values they will override the default, but for the most part they can be removed.

    We advise that you read the comments at the top of the example, in particular the points related to httpUnsafeOrigin and httpSafeOrigin which are used to protect users' cryptographic keys in the event of a cross-site scripting (XSS) vulnerability.
    If these values are not correctly set then your users will not benefit from all the security measures we've spent lots of time implementing.

    🚚 A lot of the fields that were present as modifiable defaults have been removed or commented out in the example config.
    0️⃣ If you supply them then they will override the default behaviour, however, you probably won't need to and doing so might break important functionality.
    πŸ”’ Content-Security Policy (CSP) definitions should be safe to remove, as should httpAddress, httpPort, and httpSafePort (unless you need to run the nodejs API server on an address other than localhost or port 3000.

    Up until now it's been possible for administrators to allow users to pay for accounts (on their server) via https://accounts.cryptpad.fr.
    Our intent was to securely handle payment and then split the proceeds between ourselves and the instance's administrator.
    In practice this just created extra work for us because we ended up having to contact admins, all of whom have opted to treat the subscription as a donation to support development.
    As such we have disabled the ability of users to pay for premium subscriptions (on https://accounts.cryptpad.fr) for any instance other than our own.

    Servers with premium subscriptions enabled were configured to check whether anyone had subscribed to a premium account by querying our accounts server on a daily basis.
    We've left this daily check in place despite premium subscriptions being disabled because it informs us how many third-party instances exist and what versions they are running.
    We don't sell or share this information with anyone, but it is useful to us because it informs us what older data structures we have to continue to support.
    For instance, we retain code for migrating documents to newer data formats as long as we know that there are still instances that have not run those migrations.
    We also cite the number of third-party instances when applying for grants as an indicator of the value of funding our project.
    In any case, you can disable this daily check-in by setting blockDailyCheck to true in config/config.js.

    Finally, we've implemented the ability to set a higher limit on the maximum size of uploaded files for premium users (paying users on CryptPad.fr and users with entries in customLimits on other instances).
    Set this limit as a number (of bytes) with premiumUploadSize in your config file.
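
The following is an added example, not part of the CryptPad code base: one way an administrator might lint a config/config.js object against the update notes on this page, including the options dropped in the v3.11.0 and v3.9.0 notes further down. The auditConfig helper, its severity labels and the sample values are assumptions; only the option names come from the page.

```javascript
// Added example: lint a CryptPad config object against the update notes.
// auditConfig, the severity labels and the sample values are hypothetical;
// only the option names are taken from the page.

// Options the update notes say were dropped or replaced.
const REMOVED = {
    retainData: 'dropped in v3.11.0; inactive data is always archived first',
    websocketURL: 'replaced by externalWebsocketURL in v3.9.0',
    websocketPath: 'replaced by externalWebsocketURL in v3.9.0',
    useExternalWebsockets: 'replaced by externalWebsocketURL in v3.9.0',
    useSecureWebsockets: 'replaced by externalWebsocketURL in v3.9.0',
};

// Options that v3.13.0 says now have server-side defaults.
const REDUNDANT = ['httpAddress', 'httpPort', 'httpSafePort'];

// Return a URL object, or null when the value is absent or unparseable.
function parseUrl(value) {
    if (typeof value !== 'string' || value === '') { return null; }
    try { return new URL(value); } catch (err) { return null; }
}

function auditConfig(config) {
    const findings = [];
    const add = (severity, key, message) => findings.push({ severity, key, message });

    // Both origins must be set; they protect users' keys in the event of XSS.
    const origins = {};
    for (const key of ['httpUnsafeOrigin', 'httpSafeOrigin']) {
        const url = parseUrl(config[key]);
        origins[key] = url;
        if (!url) {
            add('high', key, 'missing or not a valid URL');
        } else if (url.protocol !== 'https:') {
            add('warn', key, 'not served over HTTPS');
        }
    }

    // The sandbox only isolates anything when it lives on a secondary origin.
    const unsafe = origins.httpUnsafeOrigin;
    const safe = origins.httpSafeOrigin;
    if (unsafe && safe && unsafe.origin === safe.origin) {
        add('high', 'httpSafeOrigin', 'sandbox shares an origin with the main domain');
    }

    for (const key of Object.keys(REMOVED)) {
        if (key in config) { add('warn', key, REMOVED[key]); }
    }
    for (const key of REDUNDANT) {
        if (key in config) { add('info', key, 'has a server-side default since v3.13.0'); }
    }

    const ws = config.externalWebsocketURL;
    if (ws !== undefined && !/^wss:\/\//.test(String(ws))) {
        add('warn', 'externalWebsocketURL', 'expected a wss:// URL');
    }

    const size = config.premiumUploadSize;
    if (size !== undefined && !(Number.isInteger(size) && size > 0)) {
        add('warn', 'premiumUploadSize', 'must be a number of bytes');
    }

    if (config.blockDailyCheck !== true) {
        add('info', 'blockDailyCheck', 'daily check-in to the accounts server is enabled');
    }
    return findings;
}

// Constructed sample: a config carried over from an older release.
const sampleConfig = {
    httpUnsafeOrigin: 'https://pad.example.test',
    httpSafeOrigin: 'https://pad.example.test', // same origin as the main domain
    httpPort: 3000,
    retainData: false,
    useSecureWebsockets: true,
    premiumUploadSize: '100MB',
};

for (const f of auditConfig(sampleConfig)) {
    console.log(`[${f.severity}] ${f.key}: ${f.message}`);
}
```
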

    Features

    • It is often difficult to fix problems reported as GitHub issues because we don't have enough information. The platform's repository now includes an issue template which includes a list of details that will probably be relevant to fixing bugs. Please read the list carefully, as we'll probably just close issues if information that we need was not included.
    • We've made it easy to terminate all open sessions for your account. If you're logged in, you'll now see a log out everywhere button in the user admin menu (in the top-right corner of the screen).
      • You may still terminate only remote sessions while leaving your local session intact via the pre-existing button on the settings page's confidentiality tab.
    • You may have noticed that it takes progressively longer to load your account as you add more files to your drive, shared folders, and teams. This is because an integrity check is run on all your files when you first launch a CryptPad session. We optimized some parts of this check to speed it up. We plan to continue searching for similar processes that we can optimize in order to decrease loading time and improve run-time efficiency.
    • Lastly, this release introduces access lists, which you can use to limit who can view your documents even if they have the keys required to decrypt them. You can do so by using the Access modal for any given document, available in the ... dropdown menu in each app's toolbar or when right-clicking in the drive.
      • Enabling access restriction for a document will disallow anyone except its owners or allowed users from opening it. Anyone else who is currently editing or viewing the document will be disconnected from the session.

    Bug fixes

    • A member of C3Wien reported some strange behaviour triggered by customizing some of Firefox's anti-tracking features. The settings incorrectly identified our cross-domain sandboxing system as a tracker and interfered with its normal functionality. As a result, the user was treated as though they were not logged in, even though pads from their account's drive were displayed within the "anonymous drive" that unregistered users normally see.
      • This was simple to fix, requiring only that we adjust our method of checking whether a user is logged in.
      • If you ever notice odd behaviour we do recommend that you review any customizations you've made to your browser, as we only test CryptPad under default conditions unless prompted to investigate an issue.
    • Users that take advantage of the Mermaid renderer in our markdown editor's preview pane may have noticed that the preview's scroll position was lost whenever mermaid charts were modified. We've updated our renderer such that it preserves scroll position when redrawing elements, making it easier to see the effects of your changes when editing large charts.
  • v3.12.0 Changes

    Goals

    As of our last release our 'history trim' functionality was almost ready to go. We took this release period to do some extensive testing and to prepare the 'allow list' functionality which will be included in our next release.

    In the meantime, we also aimed to improve performance, add a few small but nice features, and fix a number of bugs.

    Update notes

    This release includes updates to:

    1. the server and its dependencies
    2. the example nginx configuration which we recommend for production installations
    3. the client code and its dependencies

    Our ability to debug CryptPad's usage of shared workers (on the client) has been complicated by the fact that Firefox's shared worker debugging panel was not working for our instance. We finally traced the problem back to a Content-Security Policy setting in our configuration file. The issue can be addressed by adding a resource: entry in the connect-src header. We've updated the example nginx config to reflect this. You can deploy this version of CryptPad without this modification, but without it our ability to debug and fix issues related to shared workers will be extremely limited.

    Otherwise, updating from CryptPad v3.11.0 is pretty much the same as normal:

    1. stop your server
    2. pull the latest code via git
    3. npm i to get the latest server dependencies
    4. bower update to get the latest client dependencies
    5. restart your server

    Features

    • The CryptPad server stores documents as a series of encrypted changes to a blank document. We have mechanisms in place that make it so clients only need the most recent changes to view the document, but the storage requirements on the server would only ever grow unless you deleted the entire document. As of this release, owners of a document have the option to remove that unnecessary history. To do so: right-click a pad in a drive or shared folder and choose the properties option in the menu. The bottom of the properties popup will display the document's size. If there is any history that is eligible for removal, a button will be displayed to remove it.
      • This option is only available for the pad's owners. If it has no owners then it will not be possible to remove its history.
      • It is not yet possible to trim the history of spreadsheets, as they are based on a different system than the rest of our documents and it will take some additional work to add this functionality.
    • We've also added the ability to easily make copies of documents from your drive. Right-click on documents and select "make a copy" from the menu.
      • This feature doesn't work for files. Files can't be modified anyway, so there's little value in making copies.
      • We haven't added the ability to make a copy of a spreadsheet yet for the same reasons as above.
    • We've improved the way our markdown renderer handles links to better support a variety of types of URLs:
      • anchors, like [bug fixes](#bug-fixes)
      • relative paths, like [cryptpad home page](/index.html) or [a rich text pad](/pad/#/pad/view/12151241241254123412451231231221)
      • absolute URLs without the protocol, like //github.com/xwiki-labs/cryptpad
    • We've optimized a background process that iterates over a part of the database when you first launch the CryptPad server. It now uses less memory and should incur less load on the CPU when restarting the server. This should allow the server to spend its resources handling clients that are trying to reconnect.
    • We've also optimized some client-side code to prioritize loading your drive instead of some other non-essential resources used for notifications. Pages should load faster. We're working on some related improvements to address page load time which we'll introduce on an ongoing basis.
    • As noted above, we're finally able to debug shared workers in Firefox. We're investigating a few issues that were blocked by this limitation, and we hope to include a number of bug fixes in upcoming releases.
    • We've continued some ongoing improvements to the instance admin panel and introduced the ability to link directly to a support ticket. The link will only be useful to users who would already be able to open the admin panel.
    • The code responsible for fetching and scanning the older history of a document has also been optimized to avoid handling messages for channels multiple times.
    • Finally, we've received contributions from our German and Italian translators via our weblate instance.
      • We're always looking for more help with localization. You can review the status of our translations and contribute to them here.

    Bug fixes

    • After a lot of digging we believe we've identified and fixed a case of automatic text duplication in our rich text editor. We plan to wait a little longer and see if reports of the incorrect behaviour really do stop, but we're optimistic that this problem has been solved.
    • Another GitHub issue related to upgrading access for team members has been fixed. If you continue to have issues with permissions for team members, we recommend having the team owner demote the affected users to viewers before promoting them to the desired access level.
    • We've fixed a number of small issues in our server:
      • The server did not correctly respond to unsupported commands for its SET_METADATA RPC. Instead of responding with an error it ignored the message. In practice this should not have affected any users, since our client only uses supported commands.
      • The server used to log for every entry in a document's metadata log that contained an unsupported command. As we develop we occasionally have to handle such logs with older versions of the code that don't support every command. To avoid filling the logs with errors, we now ignore any errors of a given type beyond the first one encountered for a given document.
    • We've fixed an issue with read-only spreadsheets that was introduced in our previous release. An overlay intended to prevent users from interacting with the spreadsheet while disconnected was incorrectly applied to spreadsheets in read-only mode, preventing users from copying their data.
    • Clients send "pin commands" to the server to instruct it to count a document against their quota and to preserve its data even if it's considered inactive. We realized that the client wasn't including todo-lists in its list of pads to pin and have updated the client to do so.
  • v3.11.0 Changes

    Goals

    For this release we aimed to phase in two major features that we've been anticipating for a while: "history trim" and "safe links".

    History trim will allow users to remove the old versions of their documents which continue to count against their storage quotas. It will be formally introduced in our next release, even though its server-side components are all ready. We had to reorganize and modify a lot of our server code, so we wanted to wait and make sure there were no regressions in our existing functionality before moving ahead.

    We're introducing the concept of "safe links" in CryptPad. Users can continue to share links to documents which include the cryptographic secrets necessary to read or edit them, but whenever possible we will replace those secrets with a document id. This will make it less likely for encryption keys to be exposed to third parties through invasive browser extensions or passive behaviour like history synchronization across devices.

    Update notes

    This release features a few changes to the server:

    1. The "legal notice" feature which we included in the previous release turned out to be incorrect. We've since fixed it. We document this functionality here, but you'll need to implement the recommended changes in cryptpad/customize/application_config.js for best effect.
    2. We've dropped server-side support for the retainData attribute in cryptpad/config/config.js. Previously you could configure CryptPad to delete unpinned, inactive data immediately or to move it into an archive for a configurable retention period. We've removed the option to delete data outright, since it introduces additional complexity in the server which we don't regularly test. We also figure that administrators will appreciate this default in the event of a bug which incorrectly flags data as inactive.
    3. We've fixed an incorrect line in the example nginx configuration file. If you're using nginx as a reverse proxy for your CryptPad instance you should correct this line. It is used to set Content-Security Policy headers for the sandboxed-iframe which provides an additional layer of security for users in the event of a cross-site-scripting (XSS) vulnerability within CryptPad. If you find that your instance stops working after applying this change it is likely that you have not correctly configured your instance to use a secondary domain for its sandbox. See this section of cryptpad/config/config.example.js for more information.

    Otherwise, deploying the new code should be fairly simple:

    1. stop your server
    2. fetch the latest code from the git repository
    3. update your server dependencies with npm install
    4. update your clientside dependencies with bower update
    5. start your server

    Features

    • We've slightly reorganized the settings page to include a new "Confidentiality" section. It includes a checkbox to enable "safe links", which will remove the cryptographic secrets from your documents' URLs whenever possible. It is currently off by default but will most likely default to true in the near future. Otherwise, the settings page has an updated layout which is generally easier to read.
    • We've removed the "Owned pads" category from the CryptDrive application. It was included to provide an overview of pads that you could delete when we first introduced that functionality; however, we've realized that it is generally not very useful.
    • We implemented the ability to convert a regular folder in your drive into a shared folder several months ago, but disabled it when we discovered that it had some bugs. We finally got around to fixing those bugs and so it is officially ready for public use.
    • We've continued to make little changes to improve the discoverability of CryptPad's social features. Unregistered users that view another user's profile are now informed that they can send that profile's owner a contact request once they register.
    • You may remember that CryptPad's contacts used to be called "friends". We've changed this terminology to reflect that you might work with people with whom you do not have a close personal relationship.
    • We analyzed CryptPad for possible vectors for social abuse as a part of our Teams project, sponsored by NLnet foundation. During this audit we identified that the main method for abuse was through the direct messaging/notifications system. We added the ability to mute users, but realized it could be difficult to find the profile page of the person you want to mute. As of this release, any notification triggered by a remote user's actions will include their avatar and a link to their profile. If you find any user's behaviour abusive or annoying you can go straight to their profile and mute them.
    • We've made a small improvement to the admin panel's support ticket view. Tickets which have not received a response are now highlighted in red.
    • The login/register pages had a minor bug where the loading screen was not correctly displayed the second time you tried to enter your password. This was because the key derivation function which unlocks the corresponding user credentials was keeping the CPU busy and preventing an animation from running. It has since been corrected.
    • We've continued to make some small but important changes to various UI elements that are reused throughout the platform. The password field in the pad properties dialog has been tweaked for better color contrast. Similarly, the small notice that pops up in the bottom right hand corner to prompt you to store a pad in your drive has been restyled. We've also implemented a second variation on this popup to display general information not directly related to the current pad. Both of these UI elements better match the general appearance of the rest of the platform and represent a continued effort to improve its visual consistency.
    • The spreadsheet editor has received some attention in the last few weeks as well. It is now able to gracefully resume a session when you reconnect to the server after an interruption. Likewise, the locking system which prevents two users from editing a cell at the same time is now significantly faster, and completely disabled if you're editing alone. Now that it's possible for unregistered users to edit spreadsheets we've had to improve the color contrast for the toolbar message which prompts users to register in order to ensure that a spreadsheet isn't deleted due to inactivity.
    • The "file upload status table" has received some attention as well, in response to issue 496. When you upload many files to CryptPad in a row you'll see them all displayed in a table which will include a scrollbar if necessary.

    Bug fixes

    • Issue 441 has been fixed.
    • We found a bug that affected encrypted files saved to your CryptDrive via the right-click menu. The files were saved in an incorrect format and were unusable. They should behave normally now.
    • Finally, we identified a race condition whereby if two users sent each other contact requests at the same time the request might not be accepted correctly. This process should now be much more reliable.
  • v3.10.0 Changes

    Goals

    For this release we aimed to finish the last major feature of our CryptPad Teams project as well as some long-awaited features that we've planned to demo at FOSDEM 2020.

    Update notes

    The CryptPad repository's docs directory now includes a systemd service file which you can use to ensure that CryptPad stays up and running. We're working on some step-by-step documentation to describe how to make use of it, but for now you can probably find some instructions by searching the web.

    We've also updated the provided example.nginx.conf to include a minor but important change to the CSP settings for our OnlyOffice spreadsheet integration.

    Up until now we have not been deleting unowned encrypted files from our server. As of this release cryptpad/scripts/evict-inactive.js includes logic to identify inactive, unpinned files. Identified files are first moved to your instance's archive directory for a configurable period, after which they are deleted. This script is not run automatically, so if you haven't configured a cron job to run periodically then inactive files will not be removed. We recommend running the script once per day at a time when you expect your server to be relatively idle, since it consumes a non-negligible amount of server resources.

    Finally, in case you live in a political jurisdiction that requires web site administrators to display their legal information, we've made it easier to add a link to a custom page. See cryptpad/www/common/application_config_internal.js for details, particularly the comments above config.imprint.

    To update from v3.9.0:

    1. update the CSP settings in your reverse proxy's configuration file to match those in nginx.example.conf
       • don't forget to reload your server to ensure that your changes are deployed
    2. stop your API server
    3. pull the latest server/client code with git pull origin master
    4. install the latest clientside dependencies with bower update
    5. relaunch your server

    Features

    • Owned pads can now be shared in self-destruct mode as an additional option in the access rights section of the share menu.
      • to use self-destructing pads:
      • select View once and self-destruct
      • share the self-destructing pad link directly with a contact or create and copy a link
      • recipients who open the link will land on a warning page informing them about what is about to happen
      • once they click through the link, they'll see the content and automatically delete it from the server
      • opening the same link a second time will not yield any content
      • note that deletion affects the original document that you choose to share. It does not create a copy
    • We no longer consider spreadsheets to be a BETA application!
      • we've been using them for some time and while there are still points to improve we consider them stable enough for regular use
      • this change in status is due to a few big updates:
      • we've integrated a recent version of OnlyOffice in which a number of bugs were fixed
      • we've enabled the use of spreadsheets for unregistered users, though registration is still free and will provide a better experience
      • it's now possible to upload encrypted images into your spreadsheets, in case you're the type of person that puts images in spreadsheets
      • you can also import and export spreadsheets between CryptPad's internal format and XLSX. This conversion is run entirely in your browser, so your documents stay private. Unfortunately it relies on some new features that are not available in all browsers. Chrome currently supports it, and we expect Firefox to enable support as of February 11th, 2020
    • Finally, we've continued to receive contributions from our numerous translators (via https://weblate.cryptpad.fr) in the following languages (alphabetical order):
      • Catalan
      • Finnish
      • German
      • Italian
      • Spanish

    Bug fixes

    • We found and fixed an incorrect usage of the pinned-data API in scripts/check-account-deletion.js.
    • We also updated an incorrect client-side test in /assert/.
    • A minor bug in our CSS caching system caused some content to be unnecessarily recompiled. We've implemented a fix which should speed up loading time.
  • v3.9.0 Changes

    Goals

    Over time we've added many small configuration values to CryptPad's config/config.js.
    As the number of possible variations grew it became increasingly difficult to test the platform and to provide clear documentation.
    Ultimately this has made the platform more difficult to understand and consequently to host.

    This release features relatively few bug fixes or features.
    Instead, we took the calm period of the northern winter holidays to simplify the process of running a server and to begin working on some comprehensive documentation.

    Update notes

    We have chosen to drop support for a number of parameters which we believe are not widely used.
    Read the following list carefully before updating, as you could be relying on behaviour which no longer exists.

    • Due to reasons of security and performance we have long advised that administrators make their instance available only over HTTPS provided by a reverse proxy such as nginx instead of loading TLS certificates via the node process itself. We have removed the option of serving HTTPS traffic directly from node by removing all support for HTTPS in this process.
    • Over the years many administrators have had to migrate their instance from one machine to another and have had difficulty identifying which directories were responsible for storing user data. We are beginning to migrate all user-generated data from the repository's root into the data directory as a new default, allowing for admins to migrate content by copying this single directory.
      • for the time being we have not moved anything which is exposed directly over HTTPS since that complicates the upgrade process by requiring all configuration changes to be made simultaneously.
      • the modifications we've made only affect the default configuration provided by config/config.example.js, existing instances which have copied this file to config/config.js will not be affected.
      • only the following values have been modified:
      • pinPath
      • taskPath
      • blobStagingPath
    • 🐳 We have modified the Dockerfile volume list to reflect the changes to these default paths. If you are using docker you will have to either:
      • revert their removal or
      • move the affected directories into the data directory and update your live config file to reflect their new location
    • 🐳 Please note that we do our team does not use docker, that it was included in the main repository as a community contribution, and that we are not committed to supporting its configuration since we do not test it.
      • Our official policy is to provide an up-to-date set of configuration files reflecting the state of our production installation on CryptPad.fr using Debian, nginx, and systemd.
      • we are actively working on improving our documentation for this particular configuration and we plan to close issues for other configurations as being outside of the project's scope.
    • ⚑️ We've updated our example nginx configuration file, located at cryptpad/docs/example.nginx.conf.
      • in addition to a great number of comments, it now makes use of variables configure the domains referenced by the CSP headers which are required to take advantage of all of CryptPad's security features.
    • ⚑️ Prompted by warnings from recent nodejs versions we are updating our recommended version to v12.14.0 which is at the time of this writing the latest Long Term Support version.
      • you may need to update to successfully launch your server.
      • as always, we recommend using nvm to manage nodejs installation.
    • πŸ‘ We have dropped support for a number of experimental features:
      • replify (which allowed admins to modify their server at runtime using a REPL connected via a named socket)
      • heapdump (which provided snapshots of the server's memory if it crashed)
      • configurable RPC files as a configuration parameter
    • πŸ‘€ Finally, we've replaced a number of websocket configuration values (websocketURL, websocketPath, useExternalWebsockets, and useSecureWebsockets) with one optional value (externalWebsocketURL) in config.js
      • if your instance is configured in the default manner you shouldn't actually need this value, as it will default to using /cryptpad_websocket.
      • if you have configured your instance to serve all static assets over one domain and to host your API server on another, set externalWebsocketURL to wss://your-domain.tld/cryptpad_websocket or whatever URL will be correctly forwarded to your API server.

    Once you have reviewed your configuration files and ensured that they are correct, update to 3.9.0 with the following steps:

    1. take your server down
    2. get the latest code with git pull origin master
    3. install some required serverside dependency with npm update
    4. (optionally) update clientside dependencies with bower update
    5. bring your server back up

    Features

    • We made some minor improvements to the process of redeeming invitation links for teams.
      • invitation links can only be used once, so we remove the hash from the URL bar once you've landed on the redemption page so that reloading after redeeming doesn't indicate that you've used an expired link.
    • One of our Finnish-speaking contributors has translated a very large amount of the platform's text in the last few weeks, making Finnish our fifth most thoroughly translated language!

    Bug fixes

    • We noticed and fixed a style regression which incorrectly removed the scrollbar from some textareas
    • We also found that it was possible to corrupt the href of an item in a team's drive if you first shared a pad with your team then transferred ownership, the link stored in the team's drive would have its domain concatenated together twice.
    • The type value of read-only pads displayed as search results in user and team drives was incorrect but is now correctly inferred.
  • v3.8.0 Changes

    We had some trouble finding an extinct animal whose name started with "I", and we had to resort to using a scientific name.
    Despite this long name, this was a very short release cycle.
    It's the last release of 2019, so we hope you like it!

    Goals

    During this release cycle we prioritized the mitigation of some social abuse vectors and the ability to invite users to a team via a link.
    We have more improvements planned for both features, but we wanted to release what we had before the end of the year as our team is taking a little time off to recharge for 2020.

    Update notes

    This is a small and simple release. We made a very minor improvement to the server which will require a restart, but everything will still work if you choose not to.

    Update from 3.7.0 to 3.8.0 with the following procedure:

    1. Take your server down
    2. Get the latest code with git pull origin master
    3. Bring your server back up

    Or if you've set up your admin interface:

    βœ… 1. Pull the latest code

    1. Click the admin panel's "Flush cache" button

    πŸ”‹ Features

    • We updated a bunch of styles to improve the platform's visual consistency:
      • prettier buttons
      • elimination of rounded corners on buttons, text inputs, and password inputs
    • We've fixed the default styles on embedded media while their content is loading
    • The button to add a user as a contact on their profile page now has a more prominent position at the top of the page
    • Users also have the option of muting other people via their profile page.
      • these users will not know that you've muted them.
      • you can review the complete list of all the people you've muted on your contacts page
      • you can mute or unmute from the contacts page as well as their profile
      • changes to a user's mute status propagate across pages in real-time
    • Some of our Finnish-speaking users have become contributors via our weblate instance (https://weblate.cryptpad.fr/)
      • we're always looking for more translators to help more people protect their data, so don't hesitate to contact us if you want to help
    • Finally, it's now possible to invite users to a team by creating and sharing a personalized one-time-use link.
      • team owners and admins can try it out via their teams' "Members" tab

    Bug fixes

    • We've fixed a few subtle bugs where various contact statuses and our one-to-one chat functionality could get into a bad state.
  • v3.7.0 Changes

    Goals

    As we are getting closer to the end of our CryptPad Teams project we planned to spend this release addressing some of the difficulties that users have reported regarding the usage of our newer social features.

    Update notes

    This release includes an upgrade to a newer version of jQuery which mitigates a minor vulnerability which could have contributed to an XSS attack. We weren't using the affected methods in the library, but there's no harm in updating as it will protect against the vulnerability affecting user data in the future.

    We've also made some non-critical fixes to the server code, so you'll need to restart after pulling the latest code to take advantage of these improvements.

    Update to 3.7.0 from 3.6.0 using the normal update procedure:

    1. stop your server
    2. pull the latest code via git
    3. run bower update
    4. restart your server

    If you're using an up-to-date version of NPM you should find that running npm update prints a notice that one of the packages you've installed is seeking funding. Entering npm fund will print information about our OpenCollective funding campaign. If you're running a slightly older version of NPM and you wish to support CryptPad's development you can do so by visiting https://opencollective.com/cryptpad .

    Features

    • Many users have contacted us via support tickets to ask how to add contacts on the platform. The easiest way is to share the link to your profile page. Once on that page registered users will be able to send a contact request which will appear in your notification tray. Because we believe you shouldn't have to read a manual to use CryptPad (and because we want to minimize how much time we spend answering support tickets) we've integrated this tip into the UI itself. Users that don't have any contacts on the platform will hopefully notice that the sharing menu's contacts tab now prompts them with this information, followed by a button to copy their profile page's URL to their clipboard.
    • We've made a lot of other small changes that we hope will have a big impact on the usability of the sharing menu:
      • the "Link" section of the modal which includes the URL generated from your chosen access rights has been restyled so that the URL is displayed in a multiline textarea so that users can better see the URL changing as they play with the other controls
      • both the "Contacts" and "Link" section include short, unintrusive hints about how passwords interact with the different sharing methods:
        • when sharing via a URL we indicate that the recipient will need to enter a password, allowing for the URL to be sent over an insecure channel without leaking your document's content
        • when sharing directly with a contact via their encrypted mailbox the password is transferred automatically, since it is assumed that you intend for the recipient to gain access and the platform provides a secure channel through which all the relevant information can be delivered
        • this information is only included in cases when the document is protected with a password to limit the amount of information the user has to process to complete their task
      • we include a brief and dismissible warning within the menu which indicates that URLs provide non-revocable access to documents so that new users of the platform understand the consequences of sharing
      • in general we've tried to make the appearance of the modal more appealing and intuitive so that users naturally discover and adopt the workflows which are the most conducive to their privacy and security
    • Our premium accounts platform authenticates that you are logged in on a given CryptPad instance by loading it in an iframe and requesting that it use one of your account's cryptographic keys to sign a message. Unfortunately, this process could be quite slow as it would load your CryptDrive and other information related to your account, and some users reported that their browser timed out on this process. We've addressed this by loading only the account information required to prove your identity.
    • We've also included some changes to CryptPad's server to allow users to share quotas between multiple accounts, though we still have work to do to make this behaviour functional on the web client.
    • Spreadsheets now support password change!
    • Kanban boards now render long column titles in a much more intuitive way, wrapping the text instead of truncating it.
    • Our code editor now features support for Gantt charts in markdown mode via an improved Mermaidjs integration. We've also slowed down the rendering cycle so that updates are displayed once you stop typing for 400ms instead of 150ms, and improved the rendering methods so that all mermaid-generated charts are only redrawn if they have changed since the last time they were rendered. This results in a smoother reading experience while permitting other users to continue to edit the document.
    • Finally, after a review of the code responsible for sanitizing the markdown code which we render as HTML, we've decided to remove SVG tags from our sanitizer's filter. This means that you can write SVG markup in the input field and see it rendered, in case you're into that kind of thing.

    Bug fixes

    • It seems our "contacts" app broke along with the 3.5.0 release and nobody reported it. The regression was introduced when we made some changes to the teams chat integration. We've addressed the issue so that you can once again use the contacts app to chat directly with friends.
    • We've found and fixed a "memory puddle" (a non-critical memory leak which was automatically mopped up every now and then). The fix probably won't have much noticeable impact but the server is now a little bit more correct.
    • We stumbled across a bug which wiped out the contents of a Kanban board and caused the application to crash if you navigated to the affected version of the document in history mode. If you notice that one of your documents was affected please contact us and we'll write a guide instructing you how to recover your content.
    • We've found a few bugs lurking in our server which could have caused the amount of data stored in users' drives to be calculated incorrectly under very unlikely circumstances. We've fixed the issue and addressed a number of similar asynchrony-related code paths which should mitigate similar issues in the future.
    • Lastly, we spotted some flaws in the code responsible for encrypting pad credentials in shared folders and teams such that viewers don't automatically gain access to the editing keys of a document when they should only have view access. There weren't any access control vulnerabilities, but an error was thrown under rare circumstances which could prevent affected users' drives from loading. We've guarded against the cause and made it such that any affected users will automatically repair their damaged drives.
  • v3.6.0 Changes

    Goals

    We're following up our last few releases of major core developments with an effort to improve reliability in some unstable areas and make some superficial tweaks to improve usability of some critical interfaces.

    Update notes

    Update to 3.6.0 from 3.5.0 using the normal update procedure:

    1. stop your server
    2. pull the latest code via git
    3. run bower update
    4. restart your server

    Features

    • We've introduced a word-count feature in our rich text editor.
    • The "share modal" which is accessible from both the "right-click menu" in the drive and the sharing button in the toolbar has been redesigned:
      • different means of sharing access to documents have been split into different tabs to present users with less information to process
      • each sharing method has an associated icon to make their actions easier to recognize at a glance
      • various UI elements have been restyled to make their purpose and importance more obvious
        • cancel buttons have a grey border to draw less attention
        • OK buttons have a blue or grey background depending on whether they are active
        • secondary buttons like "preview" have only a thin blue border so that they don't draw attention away from the primary button
        • read-only text fields have a subtler appearance since they are shown primarily for the purpose of previewing your action
        • text input fields (such as search) have a light background to suggest that you can use them
    • We've made a minor adjustment to some of our styles for small screens to detect when a screen is very short in addition to when it is very narrow. As a result it should be somewhat easier to use on-screen keyboards.

    Bug fixes

    • We found and fixed a subtle race condition which caused teams' quotas to be calculated incorrectly in certain circumstances.
    • A minor bug in our login process caused users with premium accounts to incorrectly see an entry in their user menu as linking to our 'pricing' page instead of their 'subscription' management tools. This has since been fixed.
    • We noticed that some of the rendered messages in the history mode of the notifications panel could fail to display text for some message types. These incorrect messages will be hidden from view wherever it is impossible to decide what should be displayed. We plan to address the issue in a deeper way in the near future.
    • We've become aware of some odd behaviour in long-lived sessions where tabs seem to lose their connection to the sharedWorker which is common to all tabs open in a particular browser session. As far as we can tell the bug only affects Firefox browser. Unfortunately, debugging sharedWorkers in Firefox has been broken for a number of major versions, so we haven't been able to determine the cause of the issue. Until we're able to determine the underlying cause we've added extra checks to detect when particular features become isolated from the worker, where previously we assumed that if the worker was connected to the server then everything was behaving correctly. We recommend that you reload the tab if you notice that aspects of your shared folders or drives (for users or teams) display a read-only warning while your other tabs are behaving normally.
  • v3.5.0 Changes

    Goals

    This release features work that we've been planning for a long time centered around sharing collections of documents in a more granular way.

    This is our first release since David Benqué joined our team, so in addition to these team-centric updates we also worked on integrating some UI/UX improvements.

    Update notes

    Updating to 3.5.0 from 3.4.0 is simple.

    1. stop your server
    2. pull the latest code via git
    3. run bower update
    4. restart your server

    Features

    • We restyled some elements throughout the platform:
      • our tooltips have a sleeker flat design
      • the quota bar which appears in the drive, teams, and settings pages has also been improved
      • we've begun improving the look and feel of various popup dialogs
    • We've added support for password-change for owned uploaded files and owned shared folders:
      • changing passwords for encrypted files means that the original file will be removed from the server and a new file will be encrypted with a new key and uploaded to a new location on the server. References to the original file will be broken. This includes links, media-tags embedded within pads, and items in other users' drives or shared folders to which you do not have access.
      • the process is very similar for shared folders stored in users' CryptDrives, except that users will have the opportunity to enter the new password when they visit the platform.
    • We're very happy to finally introduce the notion of read-only shared folders. While we've had the capacity to make shared folders read-only for some time, it was only in the same sense as pads were read-only.
      • This is to say that while a viewer cannot modify the document, any links to encrypted documents within that document would confer their natural editing rights to viewers, making it possible to accidentally leak access when a single pad was shared.
      • Our new read-only shared folders encrypt the editing keys for the documents they contain, such that only those with the ability to change the folder structure itself have the inherent capacity to edit the documents contained within. We think this is more intuitive than the alternative, but it took a lot of work to make it happen!
      • Unfortunately, older shared folders created before this release will already contain the cryptographic keys which confer editing rights. Pads which are added to shared folders from this release onward will have the keys for their editing rights encrypted. We'll offer the ability for owners to migrate these shared folders in an upcoming release once we've added the ability to selectively trim document history.
    • Similarly, we've introduced the notion of viewers in teams. Viewers are listed in the team roster and have the ability to view the contents of the team's drive, but not to edit them or add new documents.
      • Unfortunately, the notion of viewers is also complicated by the fact that documents added to team drives or shared folders in team drives did not have their editing keys encrypted. The first team member to open the team drive since we've deployed this release will run a migration that will encrypt the keys saved within the team drive, however, the encryption keys will remain in the drive's history until we develop a means of selectively trimming history.
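
A simplified model of the read-only shared folder behaviour described above, as an added example that is not CryptPad's own code: the key derivation, the entry fields (`roHref`, `hrefSealed`), the use of AES-GCM and the placeholder links are all assumptions made for illustration. It shows that a viewer can list the folder but cannot recover the edit link of a newly added pad, while an entry stored in the pre-3.5.0 style still exposes it.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM; sealed form is base64(iv || tag || ciphertext).
function seal(key, text) {
    const iv = crypto.randomBytes(12);
    const c = crypto.createCipheriv('aes-256-gcm', key, iv);
    const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
    return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

function unseal(key, sealed) {
    const raw = Buffer.from(sealed, 'base64');
    try {
        const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
        d.setAuthTag(raw.subarray(12, 28));
        return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
    } catch (e) {
        return null; // wrong key or modified ciphertext
    }
}

// Assumed key hierarchy: editors hold the folder's edit secret, viewers are
// only given viewKey. HKDF is one-way, so viewKey does not reveal hrefKey.
function deriveKeys(editSecret) {
    const hk = (label) => Buffer.from(
        crypto.hkdfSync('sha256', editSecret, Buffer.alloc(0), label, 32));
    return { viewKey: hk('folder-view'), hrefKey: hk('folder-href') };
}

// legacy=true keeps the edit link in the clear (entries added before 3.5.0);
// otherwise it is sealed under hrefKey before it enters the folder.
function addPad(folder, keys, pad, legacy) {
    folder.push({
        title: pad.title, roHref: pad.roHref,
        href: legacy ? pad.href : seal(keys.hrefKey, pad.href),
        hrefSealed: !legacy
    });
}

// Open the folder with whatever keys the holder has; editHref is null when
// the holder cannot recover the edit link.
function openFolder(sealedFolder, holder) {
    const json = unseal(holder.viewKey, sealedFolder);
    if (json === null) { return null; }
    return JSON.parse(json).map((e) => ({
        title: e.title, roHref: e.roHref,
        editHref: !e.hrefSealed ? e.href
            : (holder.hrefKey ? unseal(holder.hrefKey, e.href) : null)
    }));
}

// Audit helper: titles whose edit link is readable with view-only keys.
function leakedToViewers(sealedFolder, viewKey) {
    return (openFolder(sealedFolder, { viewKey }) || [])
        .filter((e) => e.editHref !== null).map((e) => e.title);
}

// Constructed sample data (placeholder links, not real CryptPad URLs).
function demo() {
    const keys = deriveKeys(crypto.randomBytes(32));
    const folder = [];
    addPad(folder, keys, { title: 'old', href: '#/edit/OLD', roHref: '#/view/OLD' }, true);
    addPad(folder, keys, { title: 'new', href: '#/edit/NEW', roHref: '#/view/NEW' }, false);
    return { keys, sealed: seal(keys.viewKey, JSON.stringify(folder)) };
}
```

Running `leakedToViewers` over a folder is the check that matters for the migration caveat above: any title it returns is an entry whose editing rights a viewer already holds.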

    Bug fixes

    • We discovered and fixed some bugs in the serverside code responsible for handling some aspects of file upload related to starting a new upload after having cancelled a previous session.
    • We also identified a regression in our slides app related to the rendering of <br> tags, such as you might create with a **** sequence in the corresponding markdown. This was introduced with some overly broad CSS that was intended to style our notifications page. We've since made the notifications styles more specific such that they can't interfere with other applications.
    • We've become aware of some mysterious behaviour in Firefox that seems to cause some tabs or functionality to reconnect to the server after going offline while other aspects of the platform did not. Until now we've always assumed that users were connected or not, and this partial connection has revealed some bugs in our implementation. Consequently, we've begun adding some measures to detect odd behaviour if it occurs. We expect to have determined the cause of this behaviour and to have proposed a solution by our next release.
  • v3.4.0 Changes

    Goals

    This is a small release, focused on bug fixes and UI improvements, while we're finalizing bigger team-centric features planned for the next release.

    Update notes

    This is a pretty basic release:

    1. stop your server
    2. pull the latest source code
    3. restart your server

    Features

    • Media elements (images, videos, pdf, etc.) will now display a placeholder while they're being downloaded and decrypted.
    • Media elements deleted from the server by their owner will now display a "broken/missing" image.
    • The "auto-close brackets" option in the Code and Slide applications can now be disabled from the user settings.
    • 🚚 "Add item" and "Add board" buttons in Kanban have been moved to improve usability with small screens.
    • The "transfer ownership" feature for pads has been extended to shared folders. It is now possible to offer ownership of a shared folder to a friend.
    • For administrators
      • Better sorting of support tickets in the administration panel. Unanswered messages will be displayed first.
      • Add team configuration options in customize/application_config.js
        • maxTeamsSlots defines the maximum number of teams a user can join (default is 3). Teams may significantly increase the loading time of pages and we consider 3 to be a good balance between usability and performance.
        • maxOwnedTeams defines the number of teams a user can own (default is 1). This number prevents users from creating many teams only to increase their storage limit.

    Bug fixes

    • The "pad creation modal" (Ctrl+E) is now working everywhere in the drive.
    • We've fixed the share button for unregistered users (https://github.com/xwiki-labs/cryptpad/issues/457).
    • We've fixed an issue with newly created kanban items replacing existing ones.
    • Transferring/offering pad ownership from a team to yourself is now working properly.