All Versions
42
Latest Version
Avg Release Cycle
157 days
Latest Release
799 days ago

Changelog History
Page 4

  • v2.0.2 Changes

    November 13, 2016

    ๐Ÿ›  Fixed

    • ๐Ÿ“ฆ Jade client-side files are now included in registry packages
    • The Server: header now reports the correct pump.io version
  • v2.0.1 Changes

    November 10, 2016

    ๐Ÿ›  Fixed

    • ๐Ÿ“š Updated some documentation version numbers
  • v2.0.0 Changes

    November 10, 2016

    โž• Added

    • A pump(1) manpage is now included
    • ๐Ÿ’ป Any internal web UI link with a data-bypass attribute is now ignored by the routing logic (useful for e.g. custom pages added by the admin)
    • ๐Ÿ’ป YouTube links in posts are now shown as embeds by the web UI (#1158)

    ๐Ÿ”„ Changed

    • ๐Ÿ—„ Node.js 0.10 and 0.12 support is now deprecated (#1212)
    • TLS connections now use Mozilla's "intermediate" cipher suite and forces server cipher suite preferences (#1061)
    • Adjusted the XSS error page wording based on user feedback

    ๐Ÿ’ฅ Breaking

    • โฌ†๏ธ Upgrade to Express 3.x (affects plugins)
    • Templates are now based on Jade instead of utml (affects people who change the templates) (#1167)
  • v1.0.0 Changes

    August 26, 2016

    ๐Ÿš€ This release adds many security features. It's recommended that admins upgrade as soon as possible.

    Please note that while we're not doing so yet, we're planning to deprecate running under Node.js 0.10 and 0.12 very soon. Additionally, upgrading to Node.js 4.x early will enable the new, better XSS scrubber - however, be aware that pump.io is far less tested under Node.js 4.x and you are likely to run into more bugs than you would under 0.10 or 0.12.

    ๐Ÿ‘€ See #1184 for details.

    โž• Added

    • [API] Send the Content-Length header in Dialback requests
    • โž• Add support for [LibreJS]librejs
    • ๐Ÿ‘ Node.js 4.x is officially supported (#1184)
    • ๐Ÿ”’ Browser MIME type sniffing is disabled via X-Content-Type-Options: nosniff ([#1184][security-headers])
    • ๐Ÿ”’ Protect some versions of Internet Explorer from a confused deputy attack via X-Download-Options: noopen ([#1184][security-headers])
    • ๐Ÿ”’ Make sure Internet Explorer's built-in XSS protection is as secure as possible with X-XSS-Protection: 1; mode=block ([#1184][security-headers])
    • ๐Ÿ”– Versions of Internet Explorer the XSS scrubber can't protect are presented with a security error instead of any content (#1184)
    • ๐Ÿ”’ Clickjacking is prevented via X-Frame-Options: DENY header (in addition to Content Security Policy) ([#1184][security-headers])
    • ๐Ÿ”’ A Content-Security-Policy header is sent with every response (#1184)
      • Scripts are forbidden from everywhere except the application domain and (if CDNs are enabled) cdnjs.cloudflare.com and ajax.googleapis.com
      • Styles are forbidden from everywhere except the application domain and inline styles
      • <object>, <embed>, and <applet>, as well as all plugins, are forbidden
      • Embedding the web UI via <frame>, <iframe>, <object>, <embed>, and <applet> is forbidden
      • Connecting to anything other than the application domain via XMLHttpRequest, WebSockets or EventSource is forbidden
      • Loading Web Workers or nested browsing contexts (i.e. <frame>, <iframe>) is forbidden except from the application domain
      • Fonts are forbidden from everywhere except the application domain
      • Form submission is limited to the application domain

    ๐Ÿ”„ Changed

    • [API] Don't return displayName properties if they're empty (#1149)
    • โฌ†๏ธ Upgraded from Connect 1.x to Connect 2.x
    • โฌ†๏ธ Upgraded various minor dependencies
    • ๐Ÿ’… All files pass style checking and most pass JSHint
    • โž• Add links to the user guide on the homepage and welcome message (#1125)
    • โž• Add a new XSS scrubber implementation (#1184)
      • DOMPurify-based scrubber is used on Node.js 4.x or better
      • Otherwise, a more intrusive, less precise one is used

    ๐Ÿ›  Fixed

    • ๐Ÿ›  Fix a crash upon access of an activity without any replies (#1135)
    • Disable registration link if registration is disabled (#853)
    • ๐Ÿ“ฆ package.json now uses a valid SPDX license identifier (#1112)
  • v0.3.0 Changes

    June 21, 2014

    TODO

  • v0.2.4 Changes

    July 24, 2013

    TODO

  • v0.2.3 Changes

    April 08, 2013

    TODO

  • v0.2.2 Changes

    April 03, 2013

    TODO

  • v0.2.1 Changes

    March 15, 2013

    TODO

  • v0.2.0 Changes

    February 28, 2013

    TODO