
Releases: comppolicylab/pingpong

v7.27.2

10 Mar 20:50
c98ca13


Release Notes

This update provides important bug fixes and improvements.

Security

Resolved Issues

  • Fixed: An authenticated user may be able to retrieve or delete files outside the intended authorization scope (CVE-2026-32097). The authorization issue was addressed with improved checks; the thread file endpoints listed under Files below were restructured in the same release.

Files

Updates & Improvements

  • The thread file retrieval endpoint has been updated to GET /class/{class_id}/thread/{thread_id}/message/{message_id}/file/{file_id}.
  • The thread file deletion endpoint has been updated to DELETE /class/{class_id}/thread/{thread_id}/message/{message_id}/file/{file_id}.
  • The thread image retrieval endpoint for Classic Assistants has been split into two endpoints:
    • GET /class/{class_id}/thread/{thread_id}/ci_call/{ci_call_id}/image/{file_id} for Code Interpreter outputs.
    • GET /class/{class_id}/thread/{thread_id}/message/{message_id}/image/{file_id} for user uploaded images.
  • GET /class/{class_id}/thread/{thread_id}/image/{file_id} remains the thread image retrieval endpoint for Next-Gen Assistants.

Deprecations

  • The thread-scoped file retrieval endpoint (GET /class/{class_id}/thread/{thread_id}/file/{file_id}) is no longer supported.
  • The thread-scoped file deletion endpoint (DELETE /class/{class_id}/thread/{thread_id}/file/{file_id}) is no longer supported.
  • The thread-scoped image retrieval endpoint (GET /class/{class_id}/thread/{thread_id}/image/{file_id}) is no longer supported for Classic Assistants.
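
An added example of the scoping pattern the new endpoint paths express; this is illustrative code, not PingPong's own, and the release does not describe the original defect in this detail. Each path segment of /class/{class_id}/thread/{thread_id}/message/{message_id}/file/{file_id} is checked against the one before it, so a file id that exists but belongs to another message, thread or class is treated as not found. The in-memory tables, the membership and ownership model, and the function names are assumptions.

```python
# Added example, not PingPong's own code. A thread file is resolved only through
# the full class -> thread -> message -> file chain that the new endpoint path
# names, so an id that exists but hangs off another message, thread or class is
# treated as not found. The in-memory tables, the membership/ownership model and
# the function names are assumptions; the release does not describe the defect
# in this detail.

class NotFound(Exception):
    """Maps to 404. Also used for a wrong-scope lookup, so the response does not
    confirm that the id exists elsewhere."""

class Forbidden(Exception):
    """Maps to 403. Raised only when the caller is outside the class or thread."""

# Constructed data: two classes, each with one thread, one message and one file.
MEMBERSHIPS = {("alice", 1), ("bob", 2)}
THREADS = {10: {"class_id": 1, "owner": "alice"}, 20: {"class_id": 2, "owner": "bob"}}
MESSAGES = {100: {"thread_id": 10}, 200: {"thread_id": 20}}
FILES = {"f-1": {"message_id": 100, "name": "notes.pdf"},
         "f-2": {"message_id": 200, "name": "grades.csv"}}

def resolve_thread_file(user, class_id, thread_id, message_id, file_id) -> dict:
    """Each segment of /class/{class_id}/thread/{thread_id}/message/{message_id}/file/{file_id}
    must agree with the one before it; the file id alone never selects a row."""
    if (user, class_id) not in MEMBERSHIPS:
        raise Forbidden("not a member of this class")
    thread = THREADS.get(thread_id)
    if thread is None or thread["class_id"] != class_id:
        raise NotFound("thread")
    if thread["owner"] != user:
        raise Forbidden("not the thread owner")
    message = MESSAGES.get(message_id)
    if message is None or message["thread_id"] != thread_id:
        raise NotFound("message")
    rec = FILES.get(file_id)
    if rec is None or rec["message_id"] != message_id:
        raise NotFound("file")  # exists, but under another message: still 404
    return rec

def delete_thread_file(user, class_id, thread_id, message_id, file_id) -> bool:
    """DELETE reuses the identical scope check, so retrieval and deletion cannot drift apart."""
    resolve_thread_file(user, class_id, thread_id, message_id, file_id)
    del FILES[file_id]
    return True

def file_access_status(user, class_id, thread_id, message_id, file_id) -> int:
    """HTTP status an endpoint handler would return for this lookup."""
    try:
        resolve_thread_file(user, class_id, thread_id, message_id, file_id)
        return 200
    except NotFound:
        return 404
    except Forbidden:
        return 403
```

Returning 404 rather than 403 for a wrong-scope id keeps the endpoint from acting as an existence oracle for files in other threads; 403 is reserved for callers who are not members of the class or owners of the thread.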

Deployment Information

  • Schema Upgrade: No
  • Migration Script: No
  • Permissions Update: No
  • Task Definition Update: No
  • Configuration Update: No

Deployment Details

  • N/A

Related PRs

Full Changelog: v1144+srv577.web407...v1146+srv578.web408

v7.27.1

10 Mar 04:30
ec8a82a


Release Notes

This update provides important bug fixes and improvements.

UI

Resolved Issues

  • Fixed: The group selector at the top header may display incorrectly.

Deployment Information

  • Schema Upgrade: No
  • Migration Script: No
  • Permissions Update: No
  • Task Definition Update: No
  • Configuration Update: No

Deployment Details

  • N/A

Related PRs

  • fix(ui): restore group selector scrolling behavior by @ekassos in #1517

Full Changelog: v1142+srv577.web406...v1144+srv577.web407

v7.27

10 Mar 03:37
a960165


Release Notes

This update introduces a refreshed design, along with important bug fixes and improvements.

UI

New Features

  • The main PingPong app adopts the new design introduced for Canvas Connect, featuring a more responsive interface that puts conversations front and center, with more space for threads, messages, and the content that matters most.

Updates & Improvements

  • In larger screen sizes, the sidebar is expanded, with the option to collapse it always available.
  • In larger screen sizes, thread conversations remain centered with a maximum width.
  • The expand/collapse button icons in the sidebar have been replaced, and a helper tooltip was added.

Notes

  • Share Link anonymous sessions and viewing public pages when unauthenticated retain the existing design.

Canvas Connect

New Features

  • URL validation is now configured through a structured [lti.security] section, with optional per-endpoint overrides for the OpenID configuration, authorization, token, JWKS, Names and Role Provisioning Services (NRPS), and registration endpoints.
  • Use the new structured [lti.security] configuration section with allow/deny pattern lists. Host patterns support wildcards for subdomain matching (e.g. *.instructure.com matches school.instructure.com) and path patterns support glob matching (e.g. /api/lti/*).
  • Use the new deny configuration lists for explicitly blocking specific hosts or paths. Deny rules are evaluated before allow rules.
  • Redirect handling for fetched LTI endpoints is now validated hop-by-hop against the configured host/path rules for that endpoint.

Updates & Improvements

  • Defaults for hosts and paths reflect the default behavior in PingPong 7.20 or earlier (allow = ["*"]) instead of requiring an explicit allowlist, reducing setup friction for new deployments. Note that allow = ["*"] accepts any host, so a production deployment should still set an explicit hosts.allow list.
  • Canvas Connect now normalizes the token endpoint before both requesting the token and building the client assertion audience, preventing aud mismatches when http:// endpoints are upgraded to https://.

Resolved Issues

  • Fixed: Already percent-encoded LTI path bytes may be double-encoded during URL sanitization, which can corrupt canonicalized or redirect URLs before allow/deny checks.
  • Fixed: OpenID discovery URL validation may ignore configured global lti.security.paths rules when deprecated LTI keys are still present.
  • Fixed: LTI launches may accept and persist invalid NRPS context_memberships_url values without validation.

Deprecations

  • The following LTI config keys are deprecated and will be removed in the next major release (PingPong 8.0): lti.platform_url_allowlist, lti.openid_configuration_paths, lti.dev_http_hosts.
    • The deprecated LTI config keys have been replaced by a structured [lti.security] section that supports allow/deny patterns for both hosts and paths. The deprecated LTI config keys will continue to work until the next major PingPong release but will emit a warning at startup.
    • New fields map as follows:
      • lti.platform_url_allowlist -> lti.security.openid_configuration.hosts.allow
      • lti.openid_configuration_paths -> lti.security.openid_configuration.paths.allow
      • lti.dev_http_hosts -> lti.security.allow_http_in_development
    • Existing configs using the old keys are automatically migrated at startup, and a deprecation warning with migration instructions is logged. Update your config before upgrading to PingPong 8.0.
  • The lti suggest-config-from-db CLI command has been removed with no replacement. If you relied on the CLI command to derive allowlist entries from existing registrations, check the deprecation warnings for migration instructions or configure hosts.allow manually.

Notes

  • See below for a migration example from the deprecated LTI keys setup to the new [lti.security] configuration:

    Before (deprecated):

    [lti]
    platform_url_allowlist = ["canvas.example.edu"]
    dev_http_hosts = ["localhost", "canvas.docker"]
    
    [lti.openid_configuration_paths]
    mode = "append"
    paths = ["/custom/openid-config"]

    After (new):

    [lti.security]
    allow_http_in_development = true
    
    [lti.security.hosts]
    allow = ["canvas.example.edu", "localhost", "canvas.docker"]
    deny = []
    
    [lti.security.paths]
    allow = ["*"]
    deny = []
    
    [lti.security.openid_configuration.paths]
    allow = [
      "/.well-known/openid-configuration",
      "/.well-known/openid",
      "/api/lti/security/openid-configuration",
      "/custom/openid-config",
    ]
    deny = []

    Key Differences:

    • platform_url_allowlist now maps to the global hosts.allow list, not just OpenID discovery.
    • openid_configuration_paths is replaced by lti.security.openid_configuration.paths.allow.
    • Legacy-only configs keep the legacy default OpenID discovery paths. If you used mode = "append", merge the default paths with your custom ones into paths.allow.
    • dev_http_hosts is replaced by the boolean allow_http_in_development (defaults to true). Per-host HTTP control is no longer supported.
    • Both hosts and paths now support wildcard patterns (["*"] allows all).
    • If both legacy and new keys are provided, the new lti.security.openid_configuration.* values take precedence.
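
An added example, written for this page and not PingPong's own code, of the matching rules the [lti.security] section describes: wildcard host patterns, glob path patterns, deny evaluated before allow, per-endpoint overrides, hop-by-hop validation of redirects, and a path normalizer that does not re-encode bytes that are already percent-encoded (the double-encoding fix above). It goes a little beyond the notes by also rejecting userinfo in the URL and dot segments in the path. The dict layout standing in for the TOML, the function names, the treatment of the apex host by a "*.host" pattern, and all sample config and response data are assumptions.

```python
# Added example, not PingPong's own code: deny-before-allow host/path matching,
# a path normalizer that leaves existing %XX escapes alone, and hop-by-hop
# validation of a redirect chain, modelled on the [lti.security] rules above.
# The dict layout, function names, apex-host behaviour of "*.host" patterns and
# all sample config/response data are assumptions.
import re
from fnmatch import fnmatchcase
from urllib.parse import quote, unquote, urljoin, urlsplit, urlunsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
_STRAY_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not starting a valid escape

# Constructed config in the TOML's shape: global hosts/paths plus a per-endpoint
# override for the token endpoint (an override replaces the global list).
EXAMPLE_CONFIG = {
    "allow_http_in_development": False,
    "hosts": {"allow": ["*.instructure.com", "canvas.example.edu"],
              "deny": ["beta.instructure.com"]},
    "paths": {"allow": ["/api/lti/*", "/.well-known/*"],
              "deny": ["/api/lti/internal/*"]},
    "token": {"paths": {"allow": ["/login/oauth2/token"], "deny": []}},
}

def host_matches(host: str, pattern: str) -> bool:
    """'*' matches any host; '*.x.y' matches subdomains of x.y (assumed: not the
    apex itself); anything else is an exact, case-insensitive match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keeps the dot, so evil-x.y never matches
    return host == pattern

def normalize_path(path: str) -> str:
    """Percent-encode once: a stray '%' becomes %25, valid escapes are kept, and
    dot segments (encoded or not) are rejected rather than collapsed."""
    if not path.startswith("/"):
        path = "/" + path
    if any(seg in (".", "..") for seg in unquote(path).split("/")):
        raise ValueError(f"dot segment in path: {path!r}")
    path = _STRAY_PERCENT.sub("%25", path)
    path = quote(path, safe="/%:@-._~!$&'()*+,;=")  # '%' is safe: no double encoding
    return re.sub(r"%[0-9a-f]{2}", lambda m: m.group(0).upper(), path)

def rules_for(config: dict, endpoint: str, kind: str) -> dict:
    """Per-endpoint [lti.security.<endpoint>.<kind>] beats the global
    [lti.security.<kind>]; with neither present, allow = ["*"] applies."""
    return config.get(endpoint, {}).get(kind) or config.get(kind) or {"allow": ["*"], "deny": []}

def permitted(value: str, rules: dict, match) -> bool:
    if any(match(value, p) for p in rules.get("deny", [])):
        return False  # deny rules are evaluated before allow rules
    return any(match(value, p) for p in rules.get("allow", []))

def validate_url(config: dict, endpoint: str, url: str) -> str:
    """Return the normalized URL or raise ValueError."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"malformed URL: {url}")
    if p.scheme == "http" and not config.get("allow_http_in_development"):
        raise ValueError(f"plain http not allowed: {url}")
    if p.username or p.password:
        raise ValueError(f"userinfo not allowed: {url}")
    if not permitted(p.hostname, rules_for(config, endpoint, "hosts"), host_matches):
        raise ValueError(f"host denied for {endpoint}: {p.hostname}")
    path = normalize_path(p.path or "/")
    if not permitted(path, rules_for(config, endpoint, "paths"), fnmatchcase):
        raise ValueError(f"path denied for {endpoint}: {path}")  # glob: '*' spans '/'
    return urlunsplit((p.scheme, p.netloc.lower(), path, p.query, ""))

def check_url(config: dict, endpoint: str, url: str) -> tuple:
    """(True, normalized_url) or (False, reason)."""
    try:
        return True, validate_url(config, endpoint, url)
    except ValueError as err:
        return False, str(err)

def fetch_validated(config: dict, endpoint: str, url: str, responder, max_hops: int = 5) -> tuple:
    """responder(url) -> (status, location_or_body). Every hop, the first included,
    is validated before it is requested; returns (ok, final_url, body_or_reason)."""
    try:
        for _ in range(max_hops + 1):
            url = validate_url(config, endpoint, url)
            status, payload = responder(url)
            if status not in REDIRECT_STATUSES:
                return True, url, payload
            url = urljoin(url, payload)  # Location may be relative
        raise ValueError("too many redirects")
    except ValueError as err:
        return False, url, str(err)

# Constructed responses standing in for the network.
FAKE_RESPONSES = {
    "https://school.instructure.com/api/lti/security/openid-configuration":
        (302, "https://canvas.example.edu/.well-known/openid-configuration"),
    "https://canvas.example.edu/.well-known/openid-configuration": (200, '{"issuer": "canvas"}'),
    "https://school.instructure.com/api/lti/hop": (302, "https://evil.example/api/lti/hop"),
}

def fake_responder(url: str) -> tuple:
    return FAKE_RESPONSES.get(url, (404, ""))
```

The two things worth copying from this shape are that the redirect target is validated with the same endpoint rules before the next request is issued (a chain cannot escape the allowlist at hop two), and that the normalizer only ever encodes a bare "%" that does not begin a valid escape, which is what keeps an already-encoded path from being mangled before the allow/deny comparison.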

Internal

Updates & Improvements

  • Dependency updates.
  • Updated permissions for Claude workflows to allow writing comments in PRs and issues, and allowing Claude to read CI results on PRs.
  • Add progress tracker for Claude code review workflow.

Resolved Issues

  • Fixed: Claude code reviews triggered by @claude review may fail because track_progress is unconditionally requested, including for events that do not support it.

Deployment Information

  • Schema Upgrade: No
  • Migration Script: No
  • Permissions Update: No
  • Task Definition Update: No
  • Configuration Update: YES

Deployment Details

  • Configuration Update: Use the new structured [lti.security] configuration section.

Related PRs

  • deps(web-dev): bump the development-dependencies group in /web/pingpong with 7 updates by @dependabot[bot] in #1510
  • deps(gha): bump the github-actions group with 4 updates by @dependabot[bot] in #1508
  • deps(web): bump the production-dependencies group in /web/pingpong with 4 updates by @dependabot[bot] in #1509
  • feat(ui): expand LTI redesign to main app by @ekassos in #1512
  • feat(lti): streamline LTI endpoint checks by @ekassos in #1513
  • fix(lti): validate NRPS URLs during launch and other fixes by @ekassos in #1514
  • chore: update claude workflow permissions by @ekassos in #1515
  • fix: claude's track_progress not always supported by @ekassos in #1516
  • deps(py): update pytz requirement from <2026.0,>=2025.2 to >=2025.2,<2027.0 in the production-dependencies group by @dependabot[bot] in #1507

Full Changelog: v1135+srv574.web403...v1142+srv577.web406

v7.26

07 Mar 04:43
6550c69


Release Notes

This update introduces support for new content types in assistant messages, along with other bug fixes and improvements.

Messages & Output

New Features

  • Threads support Mermaid diagrams and SVG images in assistant responses. Toggle "Use LaTeX and other markup" in the assistant configuration to include additional instructions in your prompt for handling these features.

Assistants

Updates & Improvements

  • Assistant Prompt previews include the additional formatting instructions inserted by the system.

UI

Resolved Issues

  • Fixed: After a recent update to resolve issues with non-overflow edge cases, the model dropdown header radius appears incorrect in typical circumstances.

Internal

Updates & Improvements

Deployment Information

  • Schema Upgrade: No
  • Migration Script: No
  • Permissions Update: No
  • Task Definition Update: No
  • Configuration Update: No

Deployment Details

  • N/A

Related PRs

  • fix: model dropdown header radius by @ekassos in #1500
  • chore: update worktree workflows to follow branch name guidelines by @ekassos in #1501
  • feat: introducing mermaid diagrams in threads by @ekassos in #1502
  • feat: introducing svg support in threads and other updates by @ekassos in #1503
  • chore: refactor svg & mermaid renderers by @ekassos in #1504
  • chore(deps): bump dompurify from 3.3.1 to 3.3.2 by @ekassos in #1505
  • chore(deps): bump dompurify from 3.3.1 to 3.3.2 by @ekassos in #1506

Full Changelog: v1128+srv572.web397...v1135+srv574.web403

v7.25

06 Mar 02:20
6cdb332


Release Notes

This update expands the types of data included in Thread Exports, and includes important bug fixes and improvements.

Thread Exports

New Features

  • Review File Search, Code Interpreter, Web Search, and MCP Server tool calls in Group Thread exports.
  • Review reasoning details and summaries in Group Thread exports.
  • Tool call and reasoning details appear in an easy-to-parse format in CSV exports.

Updates & Improvements

  • Review files users uploaded as thread attachments with the associated message.
  • Files linked by the assistant and generated in Code Interpreter include a direct download link.

Notes

  • Thread Exports upgrades are only available for Next-Gen Assistants.

Assistants

Updates & Improvements

  • Clearer Legacy Model helper language to clarify that users editing assistants using a legacy model should switch to one of the currently recommended models.

Models

Updates & Improvements

  • Clarify that GPT-4.1 is no longer the most capable non-reasoning model and encourage users to upgrade to GPT-5.4 with reasoning effort set to none for better performance.

Deployment Information

  • Schema Upgrade: No
  • Migration Script: No
  • Permissions Update: No
  • Task Definition Update: No
  • Configuration Update: No

Deployment Details

  • N/A

Related PRs

Full Changelog: v1123+srv569.web396...v1128+srv572.web397

v7.24

05 Mar 22:22
267fba1


Release Notes

This update provides important bug fixes and improvements.

Models

New Features

  • Use the new GPT-5.4 model, OpenAI's best model for broad general-purpose work. Control how long the model spends thinking in Advanced Options. Set reasoning effort to none for the non-thinking version of this model.
  • Use GPT-5.3 Chat, which points to the GPT-5.3 snapshot currently used in ChatGPT. We recommend GPT-5.4 for most assistants. Control how long the model spends thinking in Advanced Options.

Updates & Improvements

  • Use eligible models with tools when reasoning is set to 'none' for quicker responses.
  • A "Newer models available" notice appears when the selected Latest or Pinned model is not the newest one available.
  • Updates to helper language to clarify that Latest models move to the newest release within the same model family.
  • Added a "More models above" notice within the model selector to ensure users are aware of all models.

Resolved Issues

  • Fixed: Some unavailable models may appear in the model selector when using Azure as the AI provider.

Deprecations

  • The following models are now considered legacy and are not available for selection in new assistants:
    • Latest models: gpt-5.2, gpt-4o, gpt-realtime-mini, gpt-4o-realtime-preview, gpt-4o-mini-realtime-preview.
    • Pinned models: gpt-5.2-2025-12-11, gpt-5.2-chat-latest, gpt-5.1-2025-11-13, gpt-5.1-chat-latest, gpt-5-2025-08-07, gpt-5-mini-2025-08-07, gpt-4.1-mini-2025-04-14, gpt-4o-2024-11-20, gpt-4o-2024-08-06, gpt-4o-mini-2024-07-18, gpt-realtime-mini-2025-10-06, gpt-4o-realtime-preview-2024-12-17, gpt-4o-realtime-preview-2024-10-01, gpt-4o-mini-realtime-preview-2024-12-17.

Deployment Information

  • Schema Upgrade: No
  • Migration Script: No
  • Permissions Update: No
  • Task Definition Update: No
  • Configuration Update: No

Deployment Details

  • N/A

Related PRs

  • feat: introducing GPT-5.4, and more model selector updates by @ekassos in #1495

Full Changelog: v1121+srv568.web395...v1123+srv569.web396

v7.23

05 Mar 15:32
9967a80


Release Notes

This update adds more flexibility with File Search document uploads.

Assistants

Updates & Improvements

  • Upload up to 1,000 files for File Search with Classic and Next-Gen Assistants. Assistant-based Code Interpreter and Thread document uploads are still limited to 20 files.

Deployment Information

  • Schema Upgrade: No
  • Migration Script: No
  • Permissions Update: No
  • Task Definition Update: No
  • Configuration Update: No

Deployment Details

  • N/A

Related PRs

  • feat: update file search upload count limits by @ekassos in #1494

Full Changelog: v1119+srv567.web394...v1121+srv568.web395

v7.22.1

02 Mar 21:21
ca93042


Release Notes

This update provides important bug fixes and improvements.

UI

Updates & Improvements

  • Updated padding in About page header.

Resolved Issues

  • Fixed: After the migration to Tailwind CSS 4, the default ring size around Carousel thumbnails is smaller than typical.
  • Fixed: After the migration to Tailwind CSS 4, radio buttons and checkboxes have primary (black) color fill instead of the default blue.

Internal

Updates & Improvements

  • Skip Claude PR reviews with skip-ai-reviews label.

Deployment Information

  • Schema Upgrade: No
  • Migration Script: No
  • Permissions Update: No
  • Task Definition Update: No
  • Configuration Update: No

Deployment Details

  • N/A

Related PRs

  • fix: ring size around Carousel thumbnails is smaller than typical by @ekassos in #1489
  • chore: skip claude reviews with skip-ai-reviews label by @ekassos in #1490
  • chore: fix spacing in about page header by @ekassos in #1491
  • fix: controls have primary color fill instead of flowbite's blue by @ekassos in #1492

Full Changelog: v1115+srv567.web391...v1119+srv567.web394

v7.22

02 Mar 19:56
f9ac24b


Release Notes

This update provides important bug fixes and improvements.

UI

New Features

  • Users will now see a loading screen with the PingPong logo on the first load.
  • Users will now see a more informative error page whenever Svelte raises errors, including when a user doesn't have permissions to view threads or groups.

Deployment Information

  • Schema Upgrade: No
  • Migration Script: No
  • Permissions Update: No
  • Task Definition Update: No
  • Configuration Update: No

Deployment Details

  • N/A

Related PRs

Full Changelog: v1112+srv567.web389...v1115+srv567.web391

v7.21

02 Mar 16:31
50cbc39


Release Notes

This update provides important bug fixes and improvements.

Canvas Connect

New Features

  • New host validation workflow before saving and redirecting to platform-provided endpoints. Allowed hosts are saved at the config.toml level. Use pingpong lti suggest-config-from-db to get configuration suggestions based on existing LTI Registration entries.

Updates & Improvements

  • pingpong lti suggest-config-from-db LTI platform configuration suggestions incorporate class membership data as an additional source for building URL allowlists.
  • Use --suppress-registration-prints with pingpong lti suggest-config-from-db to hide the per-registration source lines at the end of text output. The default --show-registration-prints maintains current behavior.

UI

Updates & Improvements

  • Better handling of polling for a thread to complete streaming in another window.

Internal

Updates & Improvements

  • Dependency updates.
  • Update the minimatch dependency to >=10.2.3 to resolve two ReDoS advisories: "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments" and "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions".
  • Remove unnecessary pnpm dependency version overrides.
  • Remove create release and release-v2 workflows that are no longer used.
  • Update deprecated version getsentry/action-release action identifier to release.
  • [Code Quality] Lock pnpm/action-setup version in workflows.
  • [Code Quality] Lock anthropics/claude-code-action version in workflows.
  • [Code Quality] Lock getsentry/action-release version in workflows.
  • [Code Quality] Remove a console error logging call that triggers a false positive CodeQL "Clear-text logging of sensitive information" check.
  • [Code Quality] Update logging in LTI key store to resolve "Clear-text logging of sensitive information" CodeQL false positive.
  • [Code Quality] Update URL validation functions in LTI module to resolve CodeQL "URL redirection from remote source" false positive.
  • [Code Quality] Update alembic script and existing migration files to resolve CodeQL's py/unused-global-variable notes.
  • [Code Quality] Update Python code to resolve CodeQL's py/empty-except.
  • [Code Quality] Update Python code to resolve CodeQL's py/ineffectual-statement.
  • [Code Quality] Update Python code to resolve CodeQL's py/unnecessary-pass.
  • [Code Quality] Update Python code to resolve CodeQL's py/multiple-definition.
  • [Code Quality] Update Python code to resolve CodeQL's py/mixed-returns.
  • [Code Quality] Update Python code to resolve CodeQL's py/catch-base-exception.
  • [Code Quality] Update Python code to resolve CodeQL's py/unreachable-statement.
  • [Code Quality] Update Python code to resolve CodeQL's py/not-named-cls.
  • [Code Quality] Update Python code to resolve CodeQL's py/unused-local-variable.
  • [Code Quality] Update TypeScript code to resolve CodeQL's js/superfluous-trailing-arguments.
  • [Code Quality] Update TypeScript code to resolve CodeQL's js/useless-assignment-to-local.
  • [Code Quality] Update TypeScript code to resolve CodeQL's js/unreachable-statement.
  • [Code Quality] Update TypeScript code to resolve CodeQL's js/trivial-conditional.
  • [Code Quality] Update TypeScript code to resolve CodeQL's js/call-to-non-callable.
  • Bump MIT license year.

Resolved Issues

  • [Code Quality] Fixed log injection issues by sanitizing log entries that depend on a user-provided value.
  • [Code Quality] Fixed: A GitHub workflow combined a privileged trigger (pull_request_target or issue_comment) with an explicit checkout of untrusted pull request HEAD code. Executing that code in a privileged job (for example, through a modified build script) could lead to repository compromise.
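
An added example of the log-injection sanitization mentioned above; this is illustrative code, not PingPong's own. A user-controlled value that contains CR/LF, other control characters or the Unicode line and paragraph separators is escaped before it is interpolated into a log line, so a request cannot forge a second, authentic-looking record. The function names, the field length limit and the sample input are constructed.

```python
# Added example, not PingPong's own code: escape user-controlled values before
# they are interpolated into a log line, so CR/LF, other control characters or
# Unicode line separators cannot forge a second record. Names, the length limit
# and the sample input are constructed.
import re

# C0 controls, DEL, C1 controls, and the Unicode line/paragraph separators.
_LOG_UNSAFE = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")
MAX_FIELD_LEN = 200

def sanitize_for_log(value, max_len: int = MAX_FIELD_LEN) -> str:
    """Escape rather than strip, so the record still shows what was attempted,
    and bound the length so one field cannot flood the log."""
    text = _LOG_UNSAFE.sub(lambda m: "\\u{:04x}".format(ord(m.group(0))), str(value))
    if len(text) > max_len:
        text = text[:max_len] + "...[truncated]"
    return text

def login_record(user_id, ok: bool) -> str:
    """Exactly one line per event, with the untrusted field quoted."""
    return "event=login user=%r ok=%s" % (sanitize_for_log(user_id), ok)

# Constructed attacker input: tries to append a forged successful admin login.
FORGED_USER_ID = "alice\r\nevent=login user='admin' ok=True"
```

Escaping to a visible \uXXXX form keeps the original bytes recoverable for an investigator while guaranteeing the sanitized field contains no line break; structured (e.g. JSON) logging achieves the same property with less effort, but this is the check to apply where lines are still assembled by hand.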

Deployment Information

  • Schema Upgrade: No
  • Migration Script: No
  • Permissions Update: No
  • Task Definition Update: No
  • Configuration Update: YES

Deployment Details

  • Configuration Update: Set lti.platform_url_allowlist and lti.openid_configuration_paths.

Related PRs

  • deps(web-dev): bump rollup from 4.58.0 to 4.59.0 in /web/pingpong by @dependabot[bot] in #1453
  • deps(web-dev): bump svelte from 5.53.2 to 5.53.5 in /web/pingpong by @dependabot[bot] in #1452
  • chore: bump minimatch to >=10.2.3 by @ekassos in #1454
  • fix(security): Log Injection by @ekassos in #1455
  • security: Checkout of untrusted code in trusted context by @ekassos in #1456
  • chore: remove unused workflows by @ekassos in #1457
  • security: lock pnpm/action-setup version by @ekassos in #1458
  • security: lock anthropics/claude-code-action version by @ekassos in #1459
  • security: lock getsentry/action-release version by @ekassos in #1460
  • chore: update deprecated 'version' sentry action identifier to 'release' by @ekassos in #1461
  • feat: validate allowed canvas connect hosts by @ekassos in #1462
  • chore: clean up error logging that triggers CodeQL false positive by @ekassos in #1463
  • chore: update key store logging to resolve CodeQL false positive by @ekassos in #1465
  • feat(lti): update url validation that triggers CodeQL false positive by @ekassos in #1464
  • feat(lti): update url validation that triggers CodeQL false positive by @ekassos in #1466
  • chore/ resolve CodeQL's py/unused-global-variable in alembic files by @ekassos in #1467
  • chore/ resolve CodeQL's py/empty-except by @ekassos in #1468
  • chore/ resolve CodeQL's py/ineffectual-statement by @ekassos in #1469
  • chore/ resolve CodeQL's py/unnecessary-pass by @ekassos in #1470
  • chore/ resolve CodeQL's py/multiple-definition by @ekassos in #1471
  • chore/ resolve CodeQL's py/mixed-returns by @ekassos in #1472
  • chore/ resolve CodeQL's py/catch-base-exception by @ekassos in #1473
  • chore/ resolve CodeQL's py/unreachable-statement by @ekassos in #1474
  • chore/ resolve CodeQL's py/not-named-cls by @ekassos in #1475
  • chore/ resolve CodeQL's py/unused-local-variable by @ekassos in #1476
  • chore/ resolve CodeQL's js/superfluous-trailing-arguments by @ekassos in #1477
  • chore/ resolve CodeQL's js/useless-assignment-to-local by @ekassos in #1478
  • chore/ resolve CodeQL's js/unreachable-statement by @ekassos in #1479
  • chore/ resolve CodeQL's js/trivial-conditional by @ekassos in #1480
  • chore/ resolve CodeQL's js/call-to-non-callable by @ekassos in #1481
  • deps(web): bump the production-dependencies group in /web/pingpong with 3 updates by @dependabot[bot] in #1482
  • deps(gha): bump the github-actions group with 4 updates by @dependabot[bot] in #1483
  • deps(web-dev): bump the development-dependencies group in /web/pingpong with 11 updates by @dependabot[bot] in #1484
  • chore: bump MIT license year by @ekassos in #1485
  • feat(lti): add LTIClass membership URL to suggest configuration by @ekassos in #1486

Full Changelog: v1085+srv551.web379...v1112+srv567.web389