|
1 | | -Release song: https://www.youtube.com/watch?v=QNa5o85Q-FE |
2 | | - |
3 | | -Passbolt 5.9 is designed to keep upgrades predictable and everyday use reliable. It expands runtime compatibility with PHP 8.5, makes environment risks easier to spot earlier through health checks, and closes a couple of security gaps that could otherwise be used to probe accounts or mislead users during navigation. |
4 | | - |
5 | | -**Warning**: If you run MariaDB 10.3 or 10.5, or MySQL 5, pay particular attention to the environment section below. Support for these versions is planned to stop in January 2027, and this release starts flagging them proactively so you can schedule upgrades before they become urgent. |
6 | | - |
7 | | -### Environment support and deprecation signals you can act on early |
8 | | - |
9 | | -Passbolt 5.9 adds PHP 8.5 support, helping administrators and platform teams validate upcoming runtime upgrades in advance. Moreover, while PHP 8.2 is still supported until 2027, it has entered security maintenance, and administrators should plan its upgrade this year. |
10 | | - |
11 | | -At the same time, this release improves environment health checks to surface database versions that have reached end of life. MariaDB 10.3 and 10.5, and MySQL 5, are now flagged as deprecated allowing administrators to identify risky deployments during routine maintenance rather than responding under time pressure. These notices are explicitly tied to a planned end of support in January 2027, giving teams a clear runway to align database upgrades with regular change windows and internal upgrade policies. |
12 | | - |
13 | | -### Safer account recovery responses to reduce email enumeration risk |
14 | | - |
15 | | -Account recovery endpoints can unintentionally reveal whether a user exists, which makes targeted attacks easier. In Passbolt 5.9, the recover endpoint no longer leaks information when a user does not exist in the database, reducing the signal attackers rely on for email or username enumeration. |
16 | | - |
17 | | -### Stronger protection against clickjacking and deceptive overlays |
18 | | - |
19 | | -Clickjacking and overlay techniques aim to trick users into clicking something different from what they believe they are interacting with. Passbolt 5.9 reinforces defenses against these UI-level attacks in edge-case conditions, including scenarios where a compromised website tries to influence user interactions when a password could be suggested. |
20 | | - |
21 | | -In practice, this extra hardening helps ensure users cannot be guided into interacting with sensitive Passbolt components when those components are not fully visible and clearly presented to them. |
22 | | - |
23 | | -### Better visibility and efficiency around email digest operations |
24 | | - |
25 | | -Large folder operations can generate a lot of email activity and can be difficult to reason about as queues grow. Passbolt 5.9 improves digest handling related to folder operations, helping reduce unnecessary mail churn in workspaces where folder structure and permissions evolve frequently. |
26 | | - |
27 | | -In addition, the passbolt *email_digest* command now reports how many emails were sent and how many remain in the queue. This makes it easier for administrators to confirm progress, anticipate bursts, and troubleshoot queue behavior using logs. |
28 | | - |
29 | | -### Maintenance work that improves stability over time |
30 | | - |
31 | | -Passbolt 5.9 continues the migration work of its UI framework for authentication-related applications. The first applications have been migrated as part of a larger foundation effort aimed at improving stability and long-term performance as more areas move to the new framework. |
32 | | - |
33 | | -### Conclusion |
34 | | -This release also includes additional fixes and improvements beyond the highlights above. Check out the changelogs to learn more. Thanks to the community members and teams who reported issues and helped validate fixes. |
35 | | - |
| 1 | +Passbolt 5.10.0 is the first version of Passbolt that officially supports Safari. Also, this version comes with tags in the grid and security improvements regarding CSV exports. |
| 2 | + |
| 3 | +# Safari is now supported |
| 4 | + |
| 5 | +Passbolt 5.10.0 adds Safari as a supported browser. Safari has its own specificities and limitations, therefore features like avatars are disabled. |
| 6 | + |
| 7 | +# TOTP Autofill |
| 8 | + |
| 9 | +Passbolt 5.10.0 now automatically fills the one-time password directly into login forms, just like it does with usernames and passwords. This seamless integration simplifies your multi-factor authentication by eliminating manual copying. |
| 10 | + |
| 11 | +# Tags are visible in the grid |
| 12 | + |
| 13 | +This version also releases modernization of the tag codebase. This allows us to present these tags in the grid but also paves the way for further improvement of this feature. |
| 14 | + |
| 15 | +# CSV export security update |
| 16 | + |
| 17 | +CSV export has been updated to reinforce Passbolt's security postures. Some spreadsheet software that supports CSV also executes formulas when opening these files. It's a security issue that has been tackled in this version in 2 ways: |
| 18 | +the CSV exports are disabled by default (import is still working) and can be reenabled via a server configuration |
| 19 | +When CSV exports are enabled, a confirmation checkbox is displayed to ensure the users know what are the risks of this kind of export. Exported values are not modified to keep data integrity |
| 20 | + |
| 21 | +# React 18 migration |
| 22 | + |
| 23 | +The migration to React 18 is a significant step toward modernizing the application's entire codebase. This update improves the code and brings performance optimizations for our users. |
| 24 | + |
| 25 | +# Conclusion |
| 26 | +3 long awaited features are finally out: Safari, TOTP autofill and tags in the grid. |
| 27 | + |
| 28 | +### Added |
| 29 | +- PB-28063 Activate Safari support in the styleguide |
| 30 | +- PB-29275 SAF - WP2.10 Add Safari as supported extension |
| 31 | +- PB-29292 SAF - WP2.11 Fix quickaccess opening on Safari |
| 32 | +- PB-29605 SAF - WP2.7 Fix detached quickaccess not being closed after "use on this page" click |
| 33 | +- PB-36503 Browser extension causes performance degradation on some websites |
| 34 | +- PB-36503 Browser extension causes performance degradation on some websites |
| 35 | +- PB-43353 SAF - WP2.8 Fix file download on Safari |
| 36 | +- PB-43355 SAF - WP2.9 Fix quickaccess animations |
| 37 | +- PB-43997 SAF - WP1 Update the Safari browser extension build |
| 38 | +- PB-44342 SAF - WP2.1 Provide Safari with its own polyfill |
| 39 | +- PB-44343 SAF - WP2.2 Remove unsupported index.js callback |
| 40 | +- PB-44345 SAF - WP2.4 fix the CSS injection in styleguide.js |
| 41 | +- PB-45869 SAF - WP2.13 Implement file download using the native messaging |
| 42 | +- PB-45870 SAF - WP2.14 Implement a custom fetch using the native messaging |
| 43 | +- PB-46265 SAF - WP2.15 Fix authentication with MFA in the quickaccess |
| 44 | +- PB-46679 SAF - Fix bold font rendering |
| 45 | +- PB-47765 Tags modernization |
| 46 | +- PB-47777 Migrate tags logic from components to TagServiceWorkerService |
| 47 | +- PB-47789 REACT18 - Update ReactDom render to createRoot |
| 48 | +- PB-47992 REACT 18 - migration of ResourceWorkspaceContext |
| 49 | +- PB-48158 REACT 18 - Implement the migration of Dialog and Progress Contexts |
| 50 | +- PB-48240 REACT18 - UserWorkspace migration |
| 51 | +- PB-48252 REACT18 - Migrate ExtAppContext |
| 52 | +- PB-48253 SAF - Temporarily remove Avatar download to avoid user being signed out |
| 53 | +- PB-48258 SAF - Temporarily remove "upload avatar" feature |
| 54 | +- PB-48337 REACT18 - Update contexts that should use functional update |
| 55 | +- PB-48338 REACT18 - Update shared components that should use functional update |
| 56 | +- PB-48339 REACT18 - Update quickaccess components that should use functional update |
| 57 | +- PB-48340 REACT18 - Update authentication components that should use functional update |
| 58 | +- PB-48342 REACT18 - Update user setting components that should use functional update |
| 59 | +- PB-48343 REACT18 - Update administration components that should use functional update |
| 60 | +- PB-48360 REACT18 - Update resource components that should use functional update |
| 61 | +- PB-48363 REACT18 - Update user components that should use functional update |
| 62 | +- PB-48366 REACT18 - Remove await set state in contexts |
| 63 | +- PB-48384 REACT18 - Remove await setState in components and apps |
| 64 | +- PB-48404 REACT18 - Object.assign should use functional set state for context |
| 65 | +- PB-48408 CSV - WP1.2 Add a warning message when user is selecting a CSV format on the button |
| 66 | +- PB-48416 CSV - WP2.9 Check if the setting is enabled when displaying the csv format on exportFormats |
| 67 | +- PB-48419 REACT18 - Update the components to use functional setState |
| 68 | +- PB-48425 REACT18 - Form validation should not check errors in the state for component |
| 69 | +- PB-48470 Create ColumnTagsModel component |
| 70 | +- PB-48471 TAGRID-1.2 Create CellTags component and make it resizable |
| 71 | +- PB-48472 TAGRID-1.3 Add ColumnTagsModel and CellTags to DisplayResourcesList |
| 72 | +- PB-48473 TAGRID-1.4 Clicking on a tag should filter the workspace |
| 73 | +- PB-48521 Harmonise tags style |
| 74 | +- PB-48553 SAF - Use webNavigation instead of tab update to improve navigation performances |
| 75 | +- PB-49070 REACT18 - Migrate SSOContext for react-extension |
| 76 | +- PB-49085 REACT18 - Migrate tests to remove legacyRoot true |
| 77 | +- PB-49092 TAGRID-1.6 Hovering the tag on the resource detail should display tooltip |
| 78 | +- PB-49106 CSV - WP2.2 Implement the exportPoliciesSettingsEntity |
| 79 | +- PB-49107 CSV - WP2.3 Implement the exportPoliciesSettingsApiService |
| 80 | +- PB-49108 CSV - WP2.4 Implement the findExportPoliciesSettingsService |
| 81 | +- PB-49109 CSV - WP2.5 Implement findExportPoliciesSettingsController |
| 82 | +- PB-49110 CSV - WP2.7 Implement exportPoliciesSettingsServiceWorkerService |
| 83 | +- PB-49134 REACT18 - Migrate ApiAppContext |
| 84 | +- PB-49137 CSV - WP2.8 Implement the ExportPoliciesContext |
| 85 | +- PB-49138 CSV - WP2.6 Add event to find export policies settings |
| 86 | +- PB-49172 REACT18 - Rename method in DisplaySelfRegistrationAdminstration |
| 87 | +- PB-49248 REACT 18 - Revert functional setstate |
| 88 | +- PB-49262 REACT18 - revert functional setstate in contexts and components |
| 89 | +- PB-49270 SAF - Fix Safari Users settings for Duo MFA configuration |
| 90 | +- PB-49293 TOTP Autofill |
| 91 | +- PB-49294 Send TOTP through port to fill from in-form menu or quickaccess |
36 | 92 |
|
37 | 93 | ### Fixed |
38 | | -- PB-43511 Display the "Migrate metadata" admin home page card icon with a 2px stroke width |
| 94 | +- PB-48468 Fix layout when an announcement is visible |
| 95 | +- PB-49330 Alignment issues in 2FA Yubikey login page |
39 | 96 |
|
40 | 97 | ### Maintenance |
41 | | -- PB-6069 Moving folders should not send unnecessary data to the API |
42 | | -- PB-44598 Replaced links from old help site with new docs links |
43 | | -- PB-46314 REACT18 Implement migration for Login Content Script |
44 | | -- PB-46361 REACT18 Implement migration for Login WAR file |
45 | | -- PB-46364 REACT18 Implement migration for Account Recovery |
46 | | -- PB-46664 First browser extension build has missing dist folder for browsers that cause issue |
47 | | -- PB-46665 Browser extension build should add chrome-mv3 in the global build command |
48 | | -- PB-47012 Add prettier to replace ESLINT styling rules |
49 | | -- PB-47073 Add SubscriptionKeyServiceWorkerService |
50 | | -- PB-47074 Rename subscriptionService to subscriptionApiService |
51 | | -- PB-47075 Migrate subscription key finder business logic |
52 | | -- PB-47100 Move find controller logic from SubscriptionController |
53 | | -- PB-47101 Migrate subscription logic from SubscriptionController to UpdateSubscriptionKeyController |
54 | | -- PB-47103 Remove grunt-contrib-clean dependency |
55 | | -- PB-47351 Chrome Bext is killed and not restarted on upgrade |
56 | | -- PB-47606 Add eslint-plugin-security |
57 | | -- PB-47607 Add eslint-plugin-n |
58 | | -- PB-47608 Add eslint-plugin-regexp |
59 | | -- PB-47609 Add eslint-plugin-promise |
60 | | -- PB-47621 Move SubscriptionEntity from browser extension to styleguide |
61 | | -- PB-47692 Fix prettier warning |
62 | | -- PB-47707 REACT18 Implement migration for Recover |
63 | | -- PB-47711 REACT18 Implement migration for Setup |
64 | | -- PB-47719 REACT18 Implement migration for Inform Menu |
65 | | -- PB-47783 REACT18 Implement migration for API Triage Feedback |
66 | | -- PB-47785 REACT18 Implement migration for Setup/Recover Account recovery |
67 | | -- PB-47867 Align dynamic roles to work with the windows application |
68 | | -- PB-47902 Add a ResponseEntity factory for the unit tests |
69 | | -- PB-47905 Refactor test mock for subscription refactoring |
70 | | -- PB-47931 Cleanup ResourceModel |
71 | | -- PB-47955 Update overlay calculation detection on inform |
72 | | -- PB-48014 Remove dead code from Google Closure library |
73 | | -- PB-48038 Small upgrade for validator |
| 98 | +- PB-47191 Review Dependabot alert for useless regular expression escape in browser extension |
| 99 | +- PB-47542 Add unit tests to roleApiService |
| 100 | +- PB-47713 REACT18- 10.2 Implement migration for QuickAccess |
| 101 | +- PB-48088 Remove console errors related to pagemod page detection |
| 102 | +- PB-48242 Remove dev phantom dependencies |
| 103 | +- PB-48375 Add tests to gpg user id parser |
| 104 | +- PB-48467 Add unit test to improve coverage on Allowed Content type page |
| 105 | +- PB-49472 Remove unnecessary permissions from entitlements and project |
| 106 | +- PB-49631 Optimize getFirst function |
74 | 107 |
|
75 | 108 | ### Security |
76 | | -- PB-46637 Prevent in-form menu to be displayed when overlaid by other components |
| 109 | +- PB-48025 Major upgrade for pino (Medium) - passbolt-browser-extension |
| 110 | +- PB-48039 Small upgrade for validator (Medium) - styleguide |
| 111 | +- PB-48256 Small upgrade for lodash-es (Medium) - all-projects |
| 112 | +- PB-48257 Small upgrade for lodash (Medium) - all projects |
| 113 | +- PB-48527 Small upgrade for locutus (Critical) - passbolt-windows |
| 114 | +- PB-48535 NPM - Remove now unnecessary overrides in package.json for styleguide and bext |
| 115 | +- PB-49119 Remove dev phantom dependencies - node-fetch |
| 116 | +- PB-49120 Remove dev phantom dependencies - history |
| 117 | +- PB-49121 Remove dev phantom dependencies - expect |
| 118 | +- PB-49369 Fix GCVE-0-2026-2391 - Medium CVSS4.0 |
| 119 | +- PB-49372 Fix GCVE-0-2025-68458 & GCVE-0-2025-68157 - LOW CVSS3.1 |
| 120 | +- PB-49373 Fix GCVE-0-2026-25547 - CRITICAL CVSS4.0 |
| 121 | +- PB-49432 Fix GCVE-0-2025-69873 - MEDIUM CVSS4.0 |
| 122 | +- PB-49452 Fix GHSA-3ppc-4f35-3m26 - HIGH CVSS4.0 |
| 123 | +- PB-49454 Update CSPs to allow inline <style> in SVGs |
0 commit comments