github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-01-06 05:11:50 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #1219 from hedgedoc/release/1.8.0

Browse source
This commit is contained in:
David Mehren 2021-05-03 22:49:15 +02:00 committed by GitHub
commit f48e36d205
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 12 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
docs/content/dev/openapi.yml
View file

@ -3,7 +3,7 @@ openapi: 3.0.1
info:
title: HedgeDoc
description: HedgeDoc is an open source collaborative note editor. Several tasks of HedgeDoc can be automated through this API.
version: 1.8.0-rc1
version: 1.8.0
contact:
name: HedgeDoc on GitHub
url: https://github.com/hedgedoc/hedgedoc

2
docs/content/setup/docker.md
View file

@ -28,7 +28,7 @@ services:
restart: always
app:
# Make sure to use the latest release from https://hedgedoc.org/latest-release
image: quay.io/hedgedoc/hedgedoc:1.7.2
image: quay.io/hedgedoc/hedgedoc:1.8.0
environment:
- CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
- CMD_DOMAIN=localhost

14
docs/content/setup/manual-setup.md
View file

@ -16,7 +16,7 @@
1. Check if you meet the [requirements at the top of this document](#manual-installation).
2. Download the [latest release](https://hedgedoc.org/latest-release/) and extract it.
<small>Alternatively, you can use Git to clone the repository and checkout a release, e.g. with `git clone -b 1.7.2 https://github.com/hedgedoc/hedgedoc.git`.</small>
<small>Alternatively, you can use Git to clone the repository and checkout a release, e.g. with `git clone -b 1.8.0 https://github.com/hedgedoc/hedgedoc.git`.</small>
3. Enter the directory and execute `bin/setup`, which will install the dependencies and create example configs.
4. Configure HedgeDoc: To get started, you can use this minimal `config.json`:
```json
@ -35,18 +35,14 @@
For details, have a look at [the configuration documentation](../configuration.md).
5. *:octicons-light-bulb-16: If you use the release tarball for 1.7.0 or newer, this step can be skipped.*
Build the frontend bundle by running `yarn run build`.
6. Modify the file named `.sequelizerc`, change the value of the variable `url` to your db connection string. For example:
- `postgres://username:password@localhost:5432/hedgedoc`
- `mysql://username:password@localhost:3306/hedgedoc`
- `sqlite:///opt/hedgedoc/hedgedoc.sqlite` (note that you need to use an absolute path to the SQLite file)
7. It is recommended to start your server manually once:
6. It is recommended to start your server manually once:
```shell
NODE_ENV=production yarn start
```
This way it's easier to see warnings or errors that might occur.
<small>You can leave out `NODE_ENV=production` for development.</small>
8. If you use the example config, HedgeDoc should now be available at [http://127.0.0.1:3000](http://127.0.0.1:3000).
9. Run the server as you like (node, forever, pm2, systemd, Init-Scripts).
7. If you use the example config, HedgeDoc should now be available at [http://127.0.0.1:3000](http://127.0.0.1:3000).
8. Run the server as you like (node, forever, pm2, systemd, Init-Scripts).
See [below](#systemd-unit-example) for an example using systemd.
## Upgrading
@ -62,7 +58,7 @@ If you want to upgrade HedgeDoc from an older version, follow these steps:
and the latest release.
2. Fully stop your old HedgeDoc server.
3. [Download](https://hedgedoc.org/latest-release/) the new release and extract it over the old directory.
<small>If you use Git, you can check out the new tag with e.g. `git fetch origin && git checkout 1.7.2`</small>
<small>If you use Git, you can check out the new tag with e.g. `git fetch origin && git checkout 1.8.0`</small>
5. Run `bin/setup`. This will take care of installing dependencies. It is safe to run on an existing installation.
6. *:octicons-light-bulb-16: If you used the release tarball for 1.7.0 or newer, this step can be skipped.*
Build the frontend bundle by running `yarn run build`.

2
package.json
View file

@ -1,6 +1,6 @@
{
"name": "HedgeDoc",
"version": "1.8.0-rc1",
"version": "1.8.0",
"description": "The best platform to write and share markdown.",
"main": "app.js",
"license": "AGPL-3.0",

6
public/docs/release-notes.md
View file

@ -1,12 +1,14 @@
# Release Notes
## <i class="fa fa-tag"></i> 1.8.0-rc1 <i class="fa fa-calendar-o"></i> 2021-04-26
## <i class="fa fa-tag"></i> 1.8.0 <i class="fa fa-calendar-o"></i> 2021-05-03
This release fixes a security issue. We recommend upgrading as soon as possible.
This release fixes multiple security issues. We recommend upgrading as soon as possible.
**Please note:** This release dropped support for Node 10, which is end-of-life since April 2021. You now need at least Node 12 to run HedgeDoc, but we recommend running [the latest LTS release](https://nodejs.org/en/about/releases/).
### Security Fixes
- [CVE-2021-29474: Relative path traversal Attack on note creation](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87)
- [CVE-2021-21306: Underscore ReDoS](https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96) in the `marked` library
This issue allowed an attacker to hang HedgeDoc by inserting a malicious string into a note. Thanks to Ralph Krimmel for reporting!
We also published an advisory for [CVE-2021-29475: PDF export allows arbitrary file reads](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pxxg-px9v-6qf3),
which has already been fixed since HedgeDoc 1.6.0.