Merge pull request #1562 from hedgedoc/release/1.9.0-rc1

Release 1.9.0-rc1
2025-04-22 23:27:49 +00:00 · 2021-08-29 17:58:57 +02:00 · 2021-08-29 17:58:57 +02:00 · ea7f21e239
commit ea7f21e239
parent fdac51dd4b 8ccbe9b3a3
4 changed files with 95 additions and 49 deletions
--- a/docs/content/dev/openapi.yml
+++ b/docs/content/dev/openapi.yml
@ -3,7 +3,7 @@ openapi: 3.0.1
 info:
  title: HedgeDoc
  description: HedgeDoc is an open source collaborative note editor. Several tasks of HedgeDoc can be automated through this API.
-  version: 1.8.2
+  version: 1.9.0-rc1
  contact:
    name: HedgeDoc on GitHub
    url: https://github.com/hedgedoc/hedgedoc
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "HedgeDoc",
-  "version": "1.8.2",
+  "version": "1.9.0-rc1",
  "description": "The best platform to write and share markdown.",
  "main": "app.js",
  "license": "AGPL-3.0",
@ -21,7 +21,7 @@
    "Idle.Js": "git+https://github.com/shawnmclean/Idle.js",
    "archiver": "^5.0.2",
    "async": "^3.0.0",
-    "aws-sdk": "^2.888.0",
+    "aws-sdk": "^2.977.0",
    "azure-storage": "^2.7.0",
    "base64url": "^3.0.0",
    "body-parser": "^1.15.2",
@ -65,7 +65,7 @@
    "meta-marked": "git+https://github.com/hedgedoc/meta-marked",
    "method-override": "^3.0.0",
    "minimist": "^1.2.0",
-    "minio": "^7.0.0",
+    "minio": "^7.0.19",
    "moment": "^2.17.1",
    "morgan": "^1.7.0",
    "mysql2": "^2.0.0",
@ -79,7 +79,7 @@
    "passport-ldapauth": "^3.0.0",
    "passport-local": "^1.0.0",
    "passport-oauth2": "^1.4.0",
-    "passport-saml": "^3.0.0",
+    "passport-saml": "^3.1.2",
    "passport-twitter": "^1.0.4",
    "passport.socketio": "^3.7.0",
    "pdfobject": "^2.0.201604172",
@ -166,7 +166,7 @@
    "file-loader": "6.2.0",
    "file-saver": "2.0.5",
    "flowchart.js": "1.15.0",
-    "fork-awesome": "1.1.7",
+    "fork-awesome": "1.2.0",
    "gist-embed": "2.6.0",
    "highlight.js": "10.7.3",
    "html-webpack-plugin": "4.5.2",
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@ -1,24 +1,37 @@
 # Release Notes
-## <i class="fa fa-tag"></i> 1.9.0 <i class="fa fa-calendar-o"></i> UNRELEASED
+## <i class="fa fa-tag"></i> 1.9.0-rc1 <i class="fa fa-calendar-o"></i> 2021-08-29
 ### Security Fixes
+- [CVE-2021-39175: XSS vector in slide mode speaker-view](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697)
 - This release removes Google Analytics and Disqus domains from our default Content Security Policy, because
  they were repeatedly used to exploit security vulnerabilities.  
  If you want to continue using Google Analytics or Disqus, you can re-enable them in the config.
-  See [the docs](https://docs.hedgedoc.org/configuration/#web-security-aspects) for details.
+  See [the docs](https://docs.hedgedoc.org/configuration/#web-security-aspects) for details

 ### Features
- HedgeDoc now automatically retries connecting to the database up to 30 times on startup.
+- HedgeDoc now automatically retries connecting to the database up to 30 times on startup
 - This release introduces the `csp.allowFraming` config option, which controls whether embedding a HedgeDoc instance
-  in other webpages is allowed. We **strongly recommend disabling** this option to reduce the risk of XSS attacks.
+  in other webpages is allowed. We **strongly recommend disabling** this option to reduce the risk of XSS attacks
 - This release introduces the `csp.allowPDFEmbed` config option, which controls whether embedding PDFs inside HedgeDoc
  notes is allowed. We recommend disabling this option if you don't use the feature, to reduce the attack surface of
-  XSS attacks.
+  XSS attacks
+- Add additional environment variables to configure the database.
+  This allows easier configuration in containerised environments, such as Kubernetes
+
+### Enhancements
+- Further improvements to the frontend build process, reducing the initial bundle size by 60%
+- Improve the error handling of the `filesystem` upload method
+- Improve the error message of failing migrations

 ### Bugfixes
 - Fix crash when trying to read the current Git commit on startup 
 - Fix endless loop on shutdown when HedgeDoc can't connect to the database
 - Ensure that all cookies are set with the `secure` flag, if HedgeDoc is loaded via HTTPS
+- Fix session cookies being created on calls to `/metrics` and `/status`
+- Fix incorrect creation of S3 endpoint domain (thanks to [@matejc](https://github.com/matejc))
+- Remove CDN support, fixing inconsistencies in library versions delivered to the client
 - Fix font display issues when having some variants of fonts used by HedgeDoc installed locally
+- Fix links between slides not working
+- Fix Vimeo integration using a deprecated API

 ### Miscellaneous
 - Removed MSSQL support, as migrations from 2018 are broken with SQL Server and nobody seems to use it
--- a/yarn.lock
+++ b/yarn.lock
@ -555,6 +555,11 @@
  resolved "https://registry.yarnpkg.com/@webpack-cli/serve/-/serve-1.5.2.tgz#ea584b637ff63c5a477f6f21604b5a205b72c9ec"
  integrity sha512-vgJ5OLWadI8aKjDlOH3rb+dYyPd2GTZuQC/Tihjct6F9GpXGZINo3Y/IVuZVTM1eDQB+/AOsjPUWH/WySDaXvw==

+"@xmldom/xmldom@^0.7.0", "@xmldom/xmldom@^0.7.2":
+  version "0.7.2"
+  resolved "https://registry.yarnpkg.com/@xmldom/xmldom/-/xmldom-0.7.2.tgz#d920079e66806b2626b5311955f6a7c4bed1cba8"
+  integrity sha512-t/Zqo0ewes3iq6zGqEqJNUWI27Acr3jkmSUNp6E3nl0Z2XbtqAG5XYqPNLdYonILmhcxANsIidh69tHzjXtuRg==
+
 "@xtuc/ieee754@^1.2.0":
  version "1.2.0"
  resolved "https://registry.yarnpkg.com/@xtuc/ieee754/-/ieee754-1.2.0.tgz#eef014a3145ae477a1cbc00cd1e552336dceb790"
@ -565,6 +570,11 @@
  resolved "https://registry.yarnpkg.com/@xtuc/long/-/long-4.2.2.tgz#d291c6a4e97989b5c61d9acf396ae4fe133a718d"
  integrity sha512-NuHqBY1PB/D8xU6s/thBgOAiAP7HOYDQ32+BFZILJ8ivkUkAHQnWfn6WhL79Owj1qmUnoN/YPhktdIoucipkAQ==

+"@zxing/text-encoding@0.9.0":
+  version "0.9.0"
+  resolved "https://registry.yarnpkg.com/@zxing/text-encoding/-/text-encoding-0.9.0.tgz#fb50ffabc6c7c66a0c96b4c03e3d9be74864b70b"
+  integrity sha512-U/4aVJ2mxI0aDNI8Uq0wEhMgY+u4CNtEb0om3+y3+niDAsoTCOB33UF0sxpzqzdqXLqmvc+vZyAt4O8pPdfkwA==
+
 "Idle.Js@git+https://github.com/shawnmclean/Idle.js":
  version "0.0.1"
  resolved "git+https://github.com/shawnmclean/Idle.js#2b57cc6e49d177b7ddce0cca00ef5cbe07453541"
@ -952,10 +962,10 @@ available-typed-arrays@^1.0.4:
  resolved "https://registry.yarnpkg.com/available-typed-arrays/-/available-typed-arrays-1.0.4.tgz#9e0ae84ecff20caae6a94a1c3bc39b955649b7a9"
  integrity sha512-SA5mXJWrId1TaQjfxUYghbqQ/hYioKmLJvPJyDuYRtXXenFNMjj4hSSt1Cf1xsuXSXrtxrVC5Ot4eU6cOtBDdA==

-aws-sdk@^2.888.0:
-  version "2.968.0"
-  resolved "https://registry.yarnpkg.com/aws-sdk/-/aws-sdk-2.968.0.tgz#2cfa60cebce28211a9909980c7e30a2c103ad7b1"
-  integrity sha512-6kXJ/4asP+zI8oFJAUqEmVoaLOnAYriorigKy8ZjFe3ISl4w0PEOXBG1TtQFuLiNPR3BAvhRuOQ5yH6JfqDNNw==
+aws-sdk@^2.977.0:
+  version "2.977.0"
+  resolved "https://registry.yarnpkg.com/aws-sdk/-/aws-sdk-2.977.0.tgz#14533cd1ba2611bd60becf4498e7eadcc8483b0a"
+  integrity sha512-LU0ityBR3w28Ewwr+V0xu4KyQr8i4C1ypafmBNttYm3FHVUDDPQ/hLHASnGq1zGp6rBxBxO1ZE6meFqpKXIaug==
  dependencies:
    buffer "4.9.2"
    events "1.1.1"
@ -4571,10 +4581,10 @@ forever-agent@~0.6.1:
  resolved "https://registry.yarnpkg.com/forever-agent/-/forever-agent-0.6.1.tgz#fbc71f0c41adeb37f96c577ad1ed42d8fdacca91"
  integrity sha1-+8cfDEGt6zf5bFd60e1C2P2sypE=

-fork-awesome@1.1.7:
-  version "1.1.7"
-  resolved "https://registry.yarnpkg.com/fork-awesome/-/fork-awesome-1.1.7.tgz#1427da1cac3d1713046ee88427e5fcecb9501d21"
-  integrity sha512-IHI7XCSXrKfUIWslse8c/PaaVDT1oBaYge+ju40ihL2ooiQeBpTr4wvIXhgTd2NuhntlvX+M5jYHAPTzNlmv0g==
+fork-awesome@1.2.0:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/fork-awesome/-/fork-awesome-1.2.0.tgz#acd43f1e1f54510fa45209c31385b4fde3a95003"
+  integrity sha512-MNwTBnnudMIweHfDtTY8TeR5fxIAZ2w9o8ITn5XDySqdxa4k5AH8IuAMa89RVxDxgPNlosZxqkFKN5UmHXuYSw==

 form-data@1.0.0-rc3:
  version "1.0.0-rc3"
@ -5614,6 +5624,13 @@ is-fullwidth-code-point@^4.0.0:
  resolved "https://registry.yarnpkg.com/is-fullwidth-code-point/-/is-fullwidth-code-point-4.0.0.tgz#fae3167c729e7463f8461ce512b080a49268aa88"
  integrity sha512-O4L094N2/dZ7xqVdrXhh9r1KODPJpFms8B5sGdJLPy664AgvXsreZUyCQQNItZRDlYug4xStLjNp/sz3HvBowQ==

+is-generator-function@^1.0.7:
+  version "1.0.10"
+  resolved "https://registry.yarnpkg.com/is-generator-function/-/is-generator-function-1.0.10.tgz#f1558baf1ac17e0deea7c0415c438351ff2b3c72"
+  integrity sha512-jsEjy9l3yiXEQ+PsXdmBwEPcOxaXWLspKdplFUVI9vq1iZgIekeC0L167qeu86czQaxed3q/Uzuw0swL0irL8A==
+  dependencies:
+    has-tostringtag "^1.0.0"
+
 is-glob@^2.0.0, is-glob@^2.0.1:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/is-glob/-/is-glob-2.0.1.tgz#d096f926a3ded5600f3fdfd91198cb0888c2d863"
@ -5757,7 +5774,7 @@ is-symbol@^1.0.2, is-symbol@^1.0.3:
  dependencies:
    has-symbols "^1.0.2"

-is-typed-array@^1.1.6:
+is-typed-array@^1.1.3, is-typed-array@^1.1.6:
  version "1.1.7"
  resolved "https://registry.yarnpkg.com/is-typed-array/-/is-typed-array-1.1.7.tgz#881ddc660b13cb8423b2090fa88c0fe37a83eb2f"
  integrity sha512-VxlpTBGknhQ3o7YiVjIhdLU6+oD8dPz/79vvvH4F+S/c8608UCVa9fgDpa1kZgFoUST2DCgacc70UszKgzKuvA==
@ -6747,7 +6764,7 @@ messageformat@^2.3.0:

 "meta-marked@git+https://github.com/hedgedoc/meta-marked":
  version "0.4.5"
-  resolved "git+https://github.com/hedgedoc/meta-marked#520377908591c8e3cf73ce75cace5c406a3aa8ff"
+  resolved "git+https://github.com/hedgedoc/meta-marked#763a41027dbd7b58e1b7c21c06cef471aef5a15c"
  dependencies:
    js-yaml "~4.1.0"
    marked "~2.1.0"
@ -6995,7 +7012,6 @@ micromatch@^4.0.4:

 "midi@https://github.com/paulrosen/MIDI.js.git#abcjs":
  version "0.4.2"
-  uid e593ffef81a0350f99448e3ab8111957145ff6b2
  resolved "https://github.com/paulrosen/MIDI.js.git#e593ffef81a0350f99448e3ab8111957145ff6b2"

 miller-rabin@^4.0.0:
@ -7064,21 +7080,22 @@ minimist@^1.0.0, minimist@^1.2.0, minimist@^1.2.5:
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
  integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==

-minio@^7.0.0:
-  version "7.0.18"
-  resolved "https://registry.yarnpkg.com/minio/-/minio-7.0.18.tgz#a2a6dae52a4dde9e35ed47cdf2accc21df4a512d"
-  integrity sha512-jVRjkw8A5Spf+ETY5OXQUcQckHriuUA3u2+MAcX36btLT8EytlOVivxIseXvyFf9cNn3dy5w1F1UyjMvHU+nqg==
+minio@^7.0.19:
+  version "7.0.19"
+  resolved "https://registry.yarnpkg.com/minio/-/minio-7.0.19.tgz#ca47b68669e45237286709a8c06ecf89f992aa61"
+  integrity sha512-DOGKauWLdmj0/y2QKXdnrhqyzRFEnUteHi6q382uujg9TjSDrA84BiQVppS2Ew6V8Rcg+2IaRkF4GR34zw9sIA==
  dependencies:
    async "^3.1.0"
    block-stream2 "^2.0.0"
    es6-error "^4.1.1"
    fast-xml-parser "^3.17.5"
    json-stream "^1.0.0"
-    lodash "^4.17.20"
+    lodash "^4.17.21"
    mime-types "^2.1.14"
    mkdirp "^0.5.1"
    querystring "0.2.0"
    through2 "^3.0.1"
+    web-encoding "^1.1.5"
    xml "^1.0.0"
    xml2js "^0.4.15"

@ -8017,18 +8034,18 @@ passport-oauth@^1.0.0:
    passport-oauth1 "1.x.x"
    passport-oauth2 "1.x.x"

-passport-saml@^3.0.0:
-  version "3.1.1"
-  resolved "https://registry.yarnpkg.com/passport-saml/-/passport-saml-3.1.1.tgz#257470003366e06ce3c5738aa64a1209a0f4d7e7"
-  integrity sha512-45YXn/BUdzMSx27lEmY0EMXck+qgR8jdnsdgNbnG5HNzwGbcSLcTkH5AoULW+6gd5fcG1rcMDtKyIJwTIMJA6A==
+passport-saml@^3.1.2:
+  version "3.1.2"
+  resolved "https://registry.yarnpkg.com/passport-saml/-/passport-saml-3.1.2.tgz#34a0c2c423d729ce102e69fea9c22040910e6d43"
+  integrity sha512-EhD3/ofiz1vu7R72i4RskXk/dQG9GyDmXPdHJf5LYB+93B5kvKv5p+5lpZgO3z+Wf3eN0h/tGdGd6noyYdjY6g==
  dependencies:
+    "@xmldom/xmldom" "^0.7.2"
    debug "^4.3.1"
    passport-strategy "^1.0.0"
-    xml-crypto "^2.1.2"
-    xml-encryption "^1.2.4"
+    xml-crypto "^2.1.3"
+    xml-encryption "^1.3.0"
    xml2js "^0.4.23"
    xmlbuilder "^15.1.1"
-    xmldom "^0.6.0"

 passport-strategy@1.x.x, passport-strategy@^1.0.0:
  version "1.0.0"
@ -11279,6 +11296,18 @@ util@^0.11.0:
  dependencies:
    inherits "2.0.3"

+util@^0.12.3:
+  version "0.12.4"
+  resolved "https://registry.yarnpkg.com/util/-/util-0.12.4.tgz#66121a31420df8f01ca0c464be15dfa1d1850253"
+  integrity sha512-bxZ9qtSlGUWSOy9Qa9Xgk11kSslpuZwaxCg4sNIDj6FLucDab2JxnHwyNTCpHMtK1MjoQiWQ6DiUMZYbSrO+Sw==
+  dependencies:
+    inherits "^2.0.3"
+    is-arguments "^1.0.4"
+    is-generator-function "^1.0.7"
+    is-typed-array "^1.1.3"
+    safe-buffer "^5.1.2"
+    which-typed-array "^1.1.2"
+
 utila@~0.4:
  version "0.4.0"
  resolved "https://registry.yarnpkg.com/utila/-/utila-0.4.0.tgz#8a16a05d445657a3aea5eecc5b12a4fa5379772c"
@ -11457,6 +11486,15 @@ watchpack@^1.7.4:
    chokidar "^3.4.1"
    watchpack-chokidar2 "^2.0.1"

+web-encoding@^1.1.5:
+  version "1.1.5"
+  resolved "https://registry.yarnpkg.com/web-encoding/-/web-encoding-1.1.5.tgz#fc810cf7667364a6335c939913f5051d3e0c4864"
+  integrity sha512-HYLeVCdJ0+lBYV2FvNZmv3HJ2Nt0QYXqZojk3d9FJOLkwnuhzM9tmamh8d7HPM8QqjKH8DeHkFTx+CFlWpZZDA==
+  dependencies:
+    util "^0.12.3"
+  optionalDependencies:
+    "@zxing/text-encoding" "0.9.0"
+
 web-namespaces@^2.0.0:
  version "2.0.0"
  resolved "https://registry.yarnpkg.com/web-namespaces/-/web-namespaces-2.0.0.tgz#1f6a2d7b5823329abaedeb6bdf09ef2fed35db13"
@ -11669,22 +11707,22 @@ wurl@2.5.4:
  resolved "https://registry.yarnpkg.com/wurl/-/wurl-2.5.4.tgz#6af35a6c623296c4a0c607c4651d01b8f4e3fdec"
  integrity sha512-Vuo550m5YbqRcM/69zz3jVNsCUvFTWLRYQcYvnqNWQ4d0Bjg7aoaofbcsPTe4rM9A2/4xjd8uIf9viIUV9EMXQ==

-xml-crypto@^2.1.2:
-  version "2.1.2"
-  resolved "https://registry.yarnpkg.com/xml-crypto/-/xml-crypto-2.1.2.tgz#501506d42e466f6cd908c5a03182217231b4e4b8"
-  integrity sha512-DBhZXtBjENtLwJmeJhLUBwUm9YWNjCRvAx6ESP4VJyM9PDuKqZu2Fp5Y5HKqcdJT7vV7eI25Z4UBMezji6QloQ==
+xml-crypto@^2.1.3:
+  version "2.1.3"
+  resolved "https://registry.yarnpkg.com/xml-crypto/-/xml-crypto-2.1.3.tgz#6a7272b610ea3e4ea7f13e9e4876f1b20cbc32c8"
+  integrity sha512-MpXZwnn9JK0mNPZ5mnFIbNnQa+8lMGK4NtnX2FlJMfMWR60sJdFO9X72yO6ji068pxixzk53O7x0/iSKh6IhyQ==
  dependencies:
-    xmldom "^0.6.0"
+    "@xmldom/xmldom" "^0.7.0"
    xpath "0.0.32"

-xml-encryption@^1.2.4:
-  version "1.2.4"
-  resolved "https://registry.yarnpkg.com/xml-encryption/-/xml-encryption-1.2.4.tgz#767d13f9ff2f979ff5657b93bd72aa729d34b66c"
-  integrity sha512-+4aSBIv/lwmv5PntfYsZyelOnCcyDmCt/MNxXUukRGlcWW8DObJ26obbVX3iXYRdqkLqbv3AKk8ntNCGKIq/UQ==
+xml-encryption@^1.3.0:
+  version "1.3.0"
+  resolved "https://registry.yarnpkg.com/xml-encryption/-/xml-encryption-1.3.0.tgz#4cad44a59bf8bdec76d7865ce0b89e13c09962f4"
+  integrity sha512-3P8C4egMMxSR1BmsRM+fG16a3WzOuUEQKS2U4c3AZ5v7OseIfdUeVkD8dwxIhuLryFZSRWUL5OP6oqkgU7hguA==
  dependencies:
+    "@xmldom/xmldom" "^0.7.0"
    escape-html "^1.0.3"
    node-forge "^0.10.0"
-    xmldom "~0.6.0"
    xpath "0.0.32"

 xml2js@0.2.8:
@ -11735,11 +11773,6 @@ xmldom@0.1.x:
  resolved "https://registry.yarnpkg.com/xmldom/-/xmldom-0.1.31.tgz#b76c9a1bd9f0a9737e5a72dc37231cf38375e2ff"
  integrity sha512-yS2uJflVQs6n+CyjHoaBmVSqIDevTAWrzMmjG1Gc7h1qQ7uVozNhEPJAwZXWyGQ/Gafo3fCwrcaokezLPupVyQ==

-xmldom@^0.6.0, xmldom@~0.6.0:
-  version "0.6.0"
-  resolved "https://registry.yarnpkg.com/xmldom/-/xmldom-0.6.0.tgz#43a96ecb8beece991cef382c08397d82d4d0c46f"
-  integrity sha512-iAcin401y58LckRZ0TkI4k0VSM1Qg0KGSc3i8rU+xrxe19A/BN1zHyVSJY7uoutVlaTSzYyk/v5AmkewAP7jtg==
-
 xmlhttprequest-ssl@~1.6.2:
  version "1.6.3"
  resolved "https://registry.yarnpkg.com/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.6.3.tgz#03b713873b01659dfa2c1c5d056065b27ddc2de6"