2.026.03f

What's Changed

• chore: new formpack version by @rgraber in #6805

Full Changelog: 2.026.03e...2.026.03f

2.026.03e

⚠️ API users — action recommended for GET /api/v2/assets/

If your account has assets shared with many users, you may have noticed slow responses on that endpoint. This release introduces a new query parameter to significantly reduce that overhead:

GET /api/v2/assets/?current_user_permissions_only=true`

When set, the permissions field in the response will only contain your own permission assignments instead of every user's. The web app now sends this flag automatically, but API consumers need to opt in manually.
Use this if: you're listing assets programmatically and don't need to inspect other users' permissions — which is the common case for integrations and data pipelines.
Default behavior is unchanged: omitting the parameter (or passing false) still returns the full permission set as before. No breaking change.

What's Changed

• refactor(hooks): remove verbose info logs from send method DEV-1762 by @noliveleger in #6754
• fix(organizations): add long-running migration to remove organizations owned by deleted users DEV-1256 by @rajpatel24 in #6751
• feat(db): enforce PostgreSQL timeout per environment and worker type DEV-1705 by @noliveleger in #6758
• fix(migration): prevent OOM crashes and race conditions in long running migrations DEV-1745 by @Guitlle in #6720
• fix(longRunningMigration): fix 0005 pagination timeout and improve duplicate cleanup DEV-1698 by @noliveleger in #6777
• fix(longRunningMigrations): restart failed long running migrations 0005, 0011, and 0013 DEV-1798 by @rajpatel24 in #6781
• fix(reports): sanitize non-finite floats to prevent invalid JSON responses DEV-1797 by @noliveleger in #6779
• fix(celery): use correct prod_celery settings module name by @noliveleger in #6792
• fix(mfa): remove signal handler DEV-1821 by @rgraber in #6795
• feat(settings): remove per-user MFA conditions DEV-1820 by @Akuukis in #6794
• fix(migrations): fix materialized view migration conflict DEV-1822 by @rajpatel24 in #6796
• ci: reduce CI test suite runtime with parallel jobs DEV-1824 by @noliveleger in #6798
• perf(assets): reduce memory and query overhead in permission loading DEV-1803 by @noliveleger in #6790

Full Changelog: 2.026.03c...2.026.03e

2.026.03c

What's Changed

• fix(assets): exclude assets from inactive accounts from asset list DEV-1768 by @noliveleger in #6745
• feat(restServices): improve retry logic and add XPath caching for submissions DEV-1767 by @noliveleger in #6744
• perf(submissions): prevent OOM during bulk deletion DEV-1771 by @noliveleger in #6752

Full Changelog: 2.026.03b...2.026.03c

2.026.03b

What's Changed

• feat(signup): block user signup for blacklisted email addresses DEV-1741 by @rajpatel24 in #6719
• fix(hooks): prevent missing logs and add worker failure recovery DEV-1728 by @noliveleger in #6725
• fix(submissions)!: handle duplicate UUIDs when editing submissions DEV-1751 by @noliveleger in #6729
• fix(mfa): investigate and fix mfa migration tests DEV-1695 by @Guitlle in #6692
• fix(submissions): prevent edit link for duplicate submissions DEV-1751 by @noliveleger in #6732

Full Changelog: 2.026.03a...2.026.03b

2.026.03a

What's Changed

• feat(releases): branch new release after prev tag DEV-1468 by @Akuukis in #6705
• fix(userReports): fix missing subscription for orgs when stripe metadata lacks organization_id DEV-1735 by @rajpatel24 in #6712
• fix(hooks): improve hook to avoid missing logs DEV-1728 by @Guitlle in #6710

Full Changelog: 2.026.03...2.026.03a

2.026.03

What's changed

Features (8)

• ⚠️ pagination: add API pagination size configuration constants (#6689)

  This PR introduces DEFAULT_API_PAGE_SIZE and MAX_API_PAGE_SIZE
  constants to standardize pagination behavior across API endpoints

  This PR adds two configuration constants to control API pagination
  behavior. DEFAULT_API_PAGE_SIZE sets the default page size when no
  limit is specified in API requests, while MAX_API_PAGE_SIZE enforces a
  maximum limit to prevent oversized responses that could impact system
  performance. The constants are designed with future-proof naming to
  support expansion beyond the current submission list endpoints to other
  API endpoints as needed.

• analysis: introduce optional clear button (#6445)

  Modern implementations of radio components don't allow de-selection.
  After updating the select one question type in the qualitative analysis
  section to mantine, we lost this functionality. To ensure the ability to
  de-select select one questions, they will appear with a "clear" button
  next to the "delete" button

• billing: switch asset usage endpoint to limit offset pagination (#6234)

  Removes custom asset usage page-size pagination, thereby using KPI's
  default limit-offset pagination, and adjusts drf_spectacular code for
  the endpoint to improve API docs/frontend helpers.

• exports: only allow one anonymous export at a time (#6514)

  Only create one export at a time for anonymous users.

  If an anonymous user creates an export and another anonymous user
  attempts to create a new export before the other one is finished, they
  will receive a 503 error with a message to try again.

• gallery: paginated modal for images (#6521)

  Project → Data → Gallery images now open images in a modal with
  prev/next pagination.

• messages: add user details to in-app messages (#6569)

  Replace selected 'template tags' with user details on in-app messages.

• submission: expose meta/rootUuid in UI (#6557)

  Display meta/rootUuid in Data Table, Single Submission modal, and
  Project Downloads. Also make it possible to include it in exported data.

• usage: add LLM requests usage card under feature flag (#6510)

Bug Fixes (8)

• asset: prevent translation errors after adding hints to a form (#6587)

  Allow users to add hints to forms which have translations before
  deploying the form.

• assets: add unit test for assets' numeric-only search queries (#6565)

  Add unit test to ensure asset search does not crash when numeric-only or
  float searches are used.

  Part of: #6563

• data: update /api/v2/data/ limits (#6472)

  Change maximum number of results that /api/v2/data/ can return to 100
  by default and 1000 maximum.

• mfa: change MFA modal copywriting (#6536)

  Update copywriting in MFA modal

• migrations: kpi migration script failure on fresh installs (#6485)

• nlp: don't crash when translating a transcript (#6532)

  KPI won't crash anymore when clicking "begin" button to add a
  translation in the NLP view.

• project: history buttons overlap (#6501)

• projectViews: searchbox missing in Org View (#6500)

  Display search in top navigation for organization projects.

Documentation (2)

• hsts: note that production overrides Django config INFRA-297 (#6486)
• link: update upload form by url support doc link (#6506)

  Updated the XLSForm import help link to point to the correct support
  article section with anchor.

Continous Integration (5)

• automation: push new image tag for main branch to devops/instance-kfmain for deployment INFRA-325 (#6533)
• release: don't run workflow twice on creation (#6556)
• releases: changelog job should handle all cases (#6546)
• releases: pin git-cliff version due breaking changes (#6568)
• zulip: convert stream name to input for zulip workflow (#6564)

Build & Dependencies (1)

• dev: add convenience script to run frontend/backend branches separately (#6490)

Security (7)

• deps: bump node-forge from 1.3.1 to 1.3.2 in the minor-and-patch group across 1 directory (#6508)
• deps: bump aws-actions/configure-aws-credentials from 5.1.0 to 5.1.1 in the actions-deps group (#6531)
• deps: bump actions/cache from 4 to 5 in the actions-deps group (#6552)
• deps: bump actions/create-github-app-token from 1 to 2 in the actions-deps group (#6570)
• deps: bump qs from 6.13.0 to 6.14.1 in the minor-and-patch group across 1 directory (#6577)
• deps: bump dependabot/fetch-metadata from 2.4.0 to 2.5.0 in the actions-deps group (#6600)
• deps-dev: bump js-yaml from 3.14.1 to 3.14.2 (#6482)

Refactor (2)

• analysis: migrate select one form to mantine (#6462)
• rename retention environment variable to be clearer and more consistent (#6527)

  Improve clarity and consistency of the retention setting name, making it
  easier for superusers in Constance and for future development.

  This refactor updates the name of the retention-related environment
  variable to a more explicit and consistent form. The clearer naming
  helps superusers quickly understand its purpose in Constance and reduces
  ambiguity for developers working with retention logic. No behavioral
  changes are introduced—only improved readability and maintainability.

Chores (4)

• deps: bump the actions-deps group across 1 directory with 2 updates (#6496)
• deps: bump the minor-and-patch group across 1 directory with 2 updates (#6518)
• deps: bump the minor-and-patch group across 1 directory with 2 updates (#6597)
• submissions: update anonymous submissions help link (#6517)

  Update the help link for allowing anonymous submissions

Other (1)

• Fix uv in pip-compile.sh (#6562)

Revise pip-compile.sh to add the --output <OUT_FILE>
option (requirements.txt)

• pip-compile requirements.in

• uv pip compile requirements.in --output-file requirements.txt

For more info, see
#6562.

Without --output-file, uv won't infer requirements.txt
from requirements.in automatically like pip-tools would.

So you'd get a result equivalent to:

--update Use latest version of all packages
(instead of what's in requirements.txt)
--dry-run Print to stdout only
(instead of updating requirements.txt

---

Full Changelog: https://github.com/kobotoolbox/kpi/compare/2.025.47g..2.026.03

2.025.47g

What's Changed

• fix(userReports): fix missing service usage for infinite plans and null last_updated in user reports DEV-1674 by @rajpatel24 in #6680
• feat(api): track usage of deprecated v1 endpoints DEV-1652 by @rajpatel24 in #6669
• fix(longRunningMigration): move job starter to long-running celery queue by @noliveleger in #6691
• fix(organizations): fix permission revocation logic and OOM errors in long running migration 0015 DEV-1714 by @rajpatel24 in #6685

Full Changelog: 2.025.47f...2.025.47g

2.025.47f

What's Changed

• fix(storageCounters): always reset submission_suspended to false after counter sync DEV-1689 by @noliveleger in #6667

Full Changelog: 2.025.47e...2.025.47f

2.025.47e

What's Changed

• fix(userReports): fix duplicated social_accounts in /api/v2/user-reports/ DEV-1490 by @rajpatel24 in #6659
• fix(longRunningMigrations): restart job with smaller batches and improved logging DEV-570 by @noliveleger in #6661

Full Changelog: 2.025.47d...2.025.47e

2.025.47d

What's Changed

• fix(projectOwnership): only restart transfers that have been accepted DEV-1643 by @RuthTurk in #6655

Full Changelog: 2.025.47c...2.025.47d