1.10.1-ls155

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.1-ls155/index.html

LinuxServer Changes:

Allow using CMD_DB_DIALECT to set up the CMD_DB_URL.

Remote Changes:

This release fixes a security issue where brute-forcing local email/passwords is possible because of missing rate-limits.
We recommend upgrading as soon as possible, if you use local logins.

See also GHSA-6w39-x2c6-6mpf

This release changes the default configuration of the HSTS preload attribute to false for compliance with the
HSTS preload list requirements. This shouldn't impact any instance. However, if you intend to use HSTS preloading
you should enable the config setting hsts.preload to true or set environment variable CMD_HSTS_PRELOAD=true.

This release deprecates support for Node 18.
As the LTS support for 18 runs out in April 2025, the next release will only work with Node 20 and upwards.
Consider this your early warning to upgrade any running instances to at least Node 20.

Enhancements

• Add fixed rate-limiting to the login and register endpoints
• Add configurable rate-limiting to the new notes endpoint

Bugfixes

• Fix a crash when cannot read user profile in OAuth (#5850 by @lautaroalvarez)
• Fix CSP Header for mermaid embedded images (#5887 by @domrim)
• Change default of HSTS preload to false for compliance with the HSTS preload list requirements (#5913 by @SvizelPritula)

Contributors

• Dominik Rimpf
• Lautaro Alvarez

1.10.0-ls154

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.0-ls154/index.html

LinuxServer Changes:

Allow using CMD_DB_DIALECT to set up the CMD_DB_URL.

Remote Changes:

This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use
this database.

Please note: This release dropped support for Node 16, which is end-of-life since September 2023.
You now need at least Node 18 to run HedgeDoc. We recommend to use the latest LTS release of Node.js.

⚠️ Node 22.7.0 has a regression that breaks UTF-8 encoding. Do not use that version to run HedgeDoc. ⚠️

Security Fixes

• GHSA-pjf2-269h-cx7p: MySQL & free URL mode allows to hide existing notes

Features

• Add disableNoteCreation config option for read-only instances

Enhancements

• Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports.
• Compatibility with Node.js 22 is now checked in CI

Bugfixes

• Fix a crash when having numeric-only values in opengraph frontmatter
• Fix unnecessary session creation on healthcheck endpoint
• Fix invalid metadata being sent for minio uploads
• Fix screen readers announcing headings twice
• Fix a crash when receiving unexpected OAuth profile data
• Fix some cases of HedgeDoc not redirecting to the previous page after login
• Fix heading anchor links referencing an invalid URL
• Our meta-marked package is now published to NPM, fixing some installation issues

Contributors

• Axel (translator)
• Eduard (translator)
• Jordi Mallach (translator)
• José M. (translator)
• Meskó Balázs (translator)
• TheInfamousToTo (translator)
• Tobias (translator)
• Úr Balázs (translator)

1.10.0-ls153

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.0-ls153/index.html

LinuxServer Changes:

Allow using CMD_DB_DIALECT to set up the CMD_DB_URL.

Remote Changes:

This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use
this database.

Please note: This release dropped support for Node 16, which is end-of-life since September 2023.
You now need at least Node 18 to run HedgeDoc. We recommend to use the latest LTS release of Node.js.

⚠️ Node 22.7.0 has a regression that breaks UTF-8 encoding. Do not use that version to run HedgeDoc. ⚠️

Security Fixes

• GHSA-pjf2-269h-cx7p: MySQL & free URL mode allows to hide existing notes

Features

• Add disableNoteCreation config option for read-only instances

Enhancements

• Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports.
• Compatibility with Node.js 22 is now checked in CI

Bugfixes

• Fix a crash when having numeric-only values in opengraph frontmatter
• Fix unnecessary session creation on healthcheck endpoint
• Fix invalid metadata being sent for minio uploads
• Fix screen readers announcing headings twice
• Fix a crash when receiving unexpected OAuth profile data
• Fix some cases of HedgeDoc not redirecting to the previous page after login
• Fix heading anchor links referencing an invalid URL
• Our meta-marked package is now published to NPM, fixing some installation issues

Contributors

• Axel (translator)
• Eduard (translator)
• Jordi Mallach (translator)
• José M. (translator)
• Meskó Balázs (translator)
• TheInfamousToTo (translator)
• Tobias (translator)
• Úr Balázs (translator)

1.10.0-ls152

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.0-ls152/index.html

LinuxServer Changes:

Allow using CMD_DB_DIALECT to set up the CMD_DB_URL.

Remote Changes:

This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use
this database.

Please note: This release dropped support for Node 16, which is end-of-life since September 2023.
You now need at least Node 18 to run HedgeDoc. We recommend to use the latest LTS release of Node.js.

⚠️ Node 22.7.0 has a regression that breaks UTF-8 encoding. Do not use that version to run HedgeDoc. ⚠️

Security Fixes

• GHSA-pjf2-269h-cx7p: MySQL & free URL mode allows to hide existing notes

Features

• Add disableNoteCreation config option for read-only instances

Enhancements

• Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports.
• Compatibility with Node.js 22 is now checked in CI

Bugfixes

• Fix a crash when having numeric-only values in opengraph frontmatter
• Fix unnecessary session creation on healthcheck endpoint
• Fix invalid metadata being sent for minio uploads
• Fix screen readers announcing headings twice
• Fix a crash when receiving unexpected OAuth profile data
• Fix some cases of HedgeDoc not redirecting to the previous page after login
• Fix heading anchor links referencing an invalid URL
• Our meta-marked package is now published to NPM, fixing some installation issues

Contributors

• Axel (translator)
• Eduard (translator)
• Jordi Mallach (translator)
• José M. (translator)
• Meskó Balázs (translator)
• TheInfamousToTo (translator)
• Tobias (translator)
• Úr Balázs (translator)

1.10.0-ls151

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.0-ls151/index.html

LinuxServer Changes:

Allow using CMD_DB_DIALECT to set up the CMD_DB_URL.

Remote Changes:

This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use
this database.

Please note: This release dropped support for Node 16, which is end-of-life since September 2023.
You now need at least Node 18 to run HedgeDoc. We recommend to use the latest LTS release of Node.js.

⚠️ Node 22.7.0 has a regression that breaks UTF-8 encoding. Do not use that version to run HedgeDoc. ⚠️

Security Fixes

• GHSA-pjf2-269h-cx7p: MySQL & free URL mode allows to hide existing notes

Features

• Add disableNoteCreation config option for read-only instances

Enhancements

• Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports.
• Compatibility with Node.js 22 is now checked in CI

Bugfixes

• Fix a crash when having numeric-only values in opengraph frontmatter
• Fix unnecessary session creation on healthcheck endpoint
• Fix invalid metadata being sent for minio uploads
• Fix screen readers announcing headings twice
• Fix a crash when receiving unexpected OAuth profile data
• Fix some cases of HedgeDoc not redirecting to the previous page after login
• Fix heading anchor links referencing an invalid URL
• Our meta-marked package is now published to NPM, fixing some installation issues

Contributors

• Axel (translator)
• Eduard (translator)
• Jordi Mallach (translator)
• José M. (translator)
• Meskó Balázs (translator)
• TheInfamousToTo (translator)
• Tobias (translator)
• Úr Balázs (translator)

1.10.0-ls150

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.0-ls150/index.html

LinuxServer Changes:

Allow using CMD_DB_DIALECT to set up the CMD_DB_URL.

Remote Changes:

This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use
this database.

Please note: This release dropped support for Node 16, which is end-of-life since September 2023.
You now need at least Node 18 to run HedgeDoc. We recommend to use the latest LTS release of Node.js.

⚠️ Node 22.7.0 has a regression that breaks UTF-8 encoding. Do not use that version to run HedgeDoc. ⚠️

Security Fixes

• GHSA-pjf2-269h-cx7p: MySQL & free URL mode allows to hide existing notes

Features

• Add disableNoteCreation config option for read-only instances

Enhancements

• Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports.
• Compatibility with Node.js 22 is now checked in CI

Bugfixes

• Fix a crash when having numeric-only values in opengraph frontmatter
• Fix unnecessary session creation on healthcheck endpoint
• Fix invalid metadata being sent for minio uploads
• Fix screen readers announcing headings twice
• Fix a crash when receiving unexpected OAuth profile data
• Fix some cases of HedgeDoc not redirecting to the previous page after login
• Fix heading anchor links referencing an invalid URL
• Our meta-marked package is now published to NPM, fixing some installation issues

Contributors

• Axel (translator)
• Eduard (translator)
• Jordi Mallach (translator)
• José M. (translator)
• Meskó Balázs (translator)
• TheInfamousToTo (translator)
• Tobias (translator)
• Úr Balázs (translator)

1.10.0-ls149

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.0-ls149/index.html

LinuxServer Changes:

Allow using CMD_DB_DIALECT to set up the CMD_DB_URL.

hedgedoc Changes:

This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use
this database.

Please note: This release dropped support for Node 16, which is end-of-life since September 2023.
You now need at least Node 18 to run HedgeDoc. We recommend to use the latest LTS release of Node.js.

⚠️ Node 22.7.0 has a regression that breaks UTF-8 encoding. Do not use that version to run HedgeDoc. ⚠️

Security Fixes

• GHSA-pjf2-269h-cx7p: MySQL & free URL mode allows to hide existing notes

Features

• Add disableNoteCreation config option for read-only instances

Enhancements

• Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports.
• Compatibility with Node.js 22 is now checked in CI

Bugfixes

• Fix a crash when having numeric-only values in opengraph frontmatter
• Fix unnecessary session creation on healthcheck endpoint
• Fix invalid metadata being sent for minio uploads
• Fix screen readers announcing headings twice
• Fix a crash when receiving unexpected OAuth profile data
• Fix some cases of HedgeDoc not redirecting to the previous page after login
• Fix heading anchor links referencing an invalid URL
• Our meta-marked package is now published to NPM, fixing some installation issues

Contributors

• Axel (translator)
• Eduard (translator)
• Jordi Mallach (translator)
• José M. (translator)
• Meskó Balázs (translator)
• TheInfamousToTo (translator)
• Tobias (translator)
• Úr Balázs (translator)

1.10.0-ls148

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.0-ls148/index.html

LinuxServer Changes:

Allow using CMD_DB_DIALECT to set up the CMD_DB_URL.

hedgedoc Changes:

This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use
this database.

Please note: This release dropped support for Node 16, which is end-of-life since September 2023.
You now need at least Node 18 to run HedgeDoc. We recommend to use the latest LTS release of Node.js.

⚠️ Node 22.7.0 has a regression that breaks UTF-8 encoding. Do not use that version to run HedgeDoc. ⚠️

Security Fixes

• GHSA-pjf2-269h-cx7p: MySQL & free URL mode allows to hide existing notes

Features

• Add disableNoteCreation config option for read-only instances

Enhancements

• Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports.
• Compatibility with Node.js 22 is now checked in CI

Bugfixes

• Fix a crash when having numeric-only values in opengraph frontmatter
• Fix unnecessary session creation on healthcheck endpoint
• Fix invalid metadata being sent for minio uploads
• Fix screen readers announcing headings twice
• Fix a crash when receiving unexpected OAuth profile data
• Fix some cases of HedgeDoc not redirecting to the previous page after login
• Fix heading anchor links referencing an invalid URL
• Our meta-marked package is now published to NPM, fixing some installation issues

Contributors

• Axel (translator)
• Eduard (translator)
• Jordi Mallach (translator)
• José M. (translator)
• Meskó Balázs (translator)
• TheInfamousToTo (translator)
• Tobias (translator)
• Úr Balázs (translator)

1.10.0-ls147

LinuxServer Changes:

Allow using CMD_DB_DIALECT to set up the CMD_DB_URL.

hedgedoc Changes:

This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use
this database.

Please note: This release dropped support for Node 16, which is end-of-life since September 2023.
You now need at least Node 18 to run HedgeDoc. We recommend to use the latest LTS release of Node.js.

⚠️ Node 22.7.0 has a regression that breaks UTF-8 encoding. Do not use that version to run HedgeDoc. ⚠️

Security Fixes

• GHSA-pjf2-269h-cx7p: MySQL & free URL mode allows to hide existing notes

Features

• Add disableNoteCreation config option for read-only instances

Enhancements

• Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports.
• Compatibility with Node.js 22 is now checked in CI

Bugfixes

• Fix a crash when having numeric-only values in opengraph frontmatter
• Fix unnecessary session creation on healthcheck endpoint
• Fix invalid metadata being sent for minio uploads
• Fix screen readers announcing headings twice
• Fix a crash when receiving unexpected OAuth profile data
• Fix some cases of HedgeDoc not redirecting to the previous page after login
• Fix heading anchor links referencing an invalid URL
• Our meta-marked package is now published to NPM, fixing some installation issues

Contributors

• Axel (translator)
• Eduard (translator)
• Jordi Mallach (translator)
• José M. (translator)
• Meskó Balázs (translator)
• TheInfamousToTo (translator)
• Tobias (translator)
• Úr Balázs (translator)

1.10.0-ls146

LinuxServer Changes:

Allow using CMD_DB_DIALECT to set up the CMD_DB_URL.

hedgedoc Changes:

This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use
this database.

Please note: This release dropped support for Node 16, which is end-of-life since September 2023.
You now need at least Node 18 to run HedgeDoc. We recommend to use the latest LTS release of Node.js.

⚠️ Node 22.7.0 has a regression that breaks UTF-8 encoding. Do not use that version to run HedgeDoc. ⚠️

Security Fixes

• GHSA-pjf2-269h-cx7p: MySQL & free URL mode allows to hide existing notes

Features

• Add disableNoteCreation config option for read-only instances

Enhancements

• Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports.
• Compatibility with Node.js 22 is now checked in CI

Bugfixes

• Fix a crash when having numeric-only values in opengraph frontmatter
• Fix unnecessary session creation on healthcheck endpoint
• Fix invalid metadata being sent for minio uploads
• Fix screen readers announcing headings twice
• Fix a crash when receiving unexpected OAuth profile data
• Fix some cases of HedgeDoc not redirecting to the previous page after login
• Fix heading anchor links referencing an invalid URL
• Our meta-marked package is now published to NPM, fixing some installation issues

Contributors

• Axel (translator)
• Eduard (translator)
• Jordi Mallach (translator)
• José M. (translator)
• Meskó Balázs (translator)
• TheInfamousToTo (translator)
• Tobias (translator)
• Úr Balázs (translator)