|Tags||ruby ruby-on-rails git dvcs wiki bugtracker version-control|
13.11.304 May 2021 10:25 minor bugfix: (2021-04-30). ### (1 change). Instance-level Project Integration Management page for GitLab FOSS. !60354.
13.11.230 Apr 2021 07:05 minor security: (2021-04-27). ### Security (5 changes). Prevent tokens with only read_api scope from executing mutations. Do not allow deploy tokens in the dependency proxy authentication service. Disable keyset pagination for branches by default. Bump Carrierwave gem to v1.3.2. Restrict setting system_note_timestamp to owners.
13.11.126 Apr 2021 13:05 minor feature: (2021-04-22). ### Changed (1 change). Change unsubscribe language for email campaign on self managed. !59121. ### Added (1 change). Add documentation about Pages deployment migration. !59475.
13.11.022 Apr 2021 16:25 major bugfix: (2021-04-22). ### Security (3 changes). Update to Rails v18.104.22.168. !59328. Update mermaid to version 8.9.2. Allow to disable exiftool depending on env variable. ### Removed (10 changes, 1 of them is from the community). Redirect deprecated pipeline routes. !53990. Remove CI lint button from Jobs page nav. !56854. Remove graphql_individual_release_page feature flag. !56882. Remove deprecated repository archive routes. !57236. Remove add modal from boards (this has been disabled since 13.6). !57329. Remove unused feature flag ':roadmap_buffered_rendering'. !57486. Remove HipChat integration from frontend and docs. !57556. Remove temporary index from vulnerabilities table. !57656. Remove unused feature flag checks. !58469. Remove ability to create new service templates. !58624. ### (175 changes, 90 of them are from the community). Update gatsby project template to address the pipeline failure. !37410 (Takuya Noguchi). an where the link commit message did not end with a newline. !49086 (Kazuya Kojima). Partially incorrect icons for non-standard license files. !53207. Add language- preto CSS class of markdown code blocks. !55076 (Camil Staps). Filter out pipelines that were excluded in the relation scope in Ci::Pipeline#latest_pipeline_per_commit. !55657. mermaid diagrams in dark mode. !56183. Catch network errors. !56457 (Shubham Kumar). the Maven sync worker to not fail if the versionless package is not found. !56514. `#current_authenticated_job` when used with `.authenticate_with` in Grape APIs. !56564. Move graphql timelogs to CE. !56633. in wiki link rewriter filter. !56636. in Gollum Tags filter. !56638. derivation of effective permissions (access level) of group members. !56677. word wrapping in parallel diffs. !56713. Don't label select box on click if only mouseup outside. !56721. reference widget icon and text spacing. !56759. test report merge request widget summary and alignment. !56768. artifacts section from showing up
13.10.315 Apr 2021 13:25 minor security: (2021-04-13). ### Security (3 changes). Check image content type before running exiftool in workhorse. Clean only legitimate JPG and TIFF files. Update ruby-saml and rexml gems.
13.10.205 Apr 2021 08:45 minor feature: (2021-04-01). ### (1 change). Rendering of the image blobs. !57479. ### Added (1 change). Improve performance for composer v2 clients. !55169.
13.10.101 Apr 2021 11:45 minor feature: (2021-03-31). ### Security (6 changes). Leave pool repository on fork unlinking. XSS in merge requests sidebar. arbitrary read/write in AsciiDoctor and Kroki gems. Prevent infinite loop when checking if collaboration is allowed. Disable arbitrary URI and file reads in JSON validator. Require POST request to trigger system hooks. ### Removed (1 change). Make HipChat project service do nothing. !57434. ### Other (3 changes). Remove direct mimemagic dependency. !57387. Refactor MimeMagic calls to new MimeType class. !57421. Switch to using a fake mimemagic gem. !57443.
13.10.018 Mar 2021 07:45 major feature: (2021-03-22). ### Security (3 changes). Workhorse: prevent escaped router path traversal. Workhorse: Stop logging when path is excluded. Patch Kramdown syntax highlighter gem. ### Removed (2 changes). Remove Remove from board button from board sidebar. !53946. Remove workaround for icon loading in Chrome 84. !56114. ### (99 changes, 23 of them are from the community). button alignment in design management header. !48003. Updated UI text to match style guidelines. !50383. Don't auto suggest select boxes on click if only the mouseup (but not the mousedown) event happened outside the box. !51139. Auto DevOps deploys that use a default branch that's not named 'master'. !53280. Correct job artifacts API download for expired and locked files. !53567 (Fabio Huser). project import error occurring due to default visibility. !53827. relative URL with composer package. !53918. Cleanup incorrect data in projects.has_external__tracker. !53936. not skipped manual and delayed DAG jobs. !54073. Skip orphaned pool repositories on restore. !54112. Add space next to icons in epic list. !54138 (Yogi). Render version dropdowns in MR changes view above tab navbar. !54159. Do not show button to resolve discussion opening an when are disabled. !54263. Hide count and link in project list for projects with disabled. !54275. Handle GlobalIDs with invalid resource names. !54290. overflowing width - at mention container. !54377. Update k8s version for EKS cluster. !54389. React to new DOM nodes being added to the page to bind the user information popover to them. !54411. move create_release_evidence sidekiq queue out of the cronjob namespace. !54432. copy to clipboard tooltip button. !54472. bold text mismatch in MR menu. !54531. Wrap long code lines in markdown. !54540. Hide repeated trial offers on self-hosted instances. !54550. when snippet blobs array contain a nil value. !54552. the npm instance level API to exclude subgroups. !54554. the value of
13.9.309 Mar 2021 10:25 minor bugfix: (2021-03-08). ### (4 changes). Upgrade gitlab-shell to v13.17.0. !55295. Update Kroki to Wavedrom graphs. !55659. disabling of Kroki optional formats. !55665. Rename asset_proxy_allowlist column. !55884.
13.9.205 Mar 2021 11:05 minor security: (2021-03-04). ### Security (6 changes). Bump thrift gem to 0.14.0. Allow only owners to manage group variables. Do not store marshalled sessions ids in Redis. XSS in wiki author email and name. Workhorse: prevent escaped router path traversal. XSS vulnerability for swagger file viewer.
13.9.124 Feb 2021 20:05 minor bugfix: (2021-02-23). ### (6 changes, 1 of them is from the community). Send SIGINT instead of SIGQUIT to puma. !54446. Reset description template names cache key to reload an updated templates structure. !54614. Restore missing horizontal scrollbar on boards. !54634. keep latest artifacts checkbox being always disabled. !54669. Metric tab not showing up on operations page. !54736. S3 object storage failing when endpoint is not specified. !54868. ### Changed (1 change). Updates authorization for linting endpoint. !54492. ### Performance (1 change). N+1 SQL regression in exporting to CSV. !54287. ### Other (1 change). creating the idx_on__where_service_desk_reply_to_is_not_null index before the post migration. !54346.
13.9.021 Feb 2021 02:25 major feature: (2021-02-22). ### Security (1 change). Add token_with_iv table. ### Removed (4 changes). Remove implicit FF check on `Featurable`. !52223. Remove merge_request_reviewers feature flag. !52468. Removed unused Text dropdown. !53464. Remove legacy alerts service data and table. !53534. ### (131 changes, 29 of them are from the community). Allow to retrieve all jobs for a given pipeline. !48589 (Alexander Kutelev). Include submodule information for files in diff metadata. !50346. "Stay on Page" alert showing in empty snippet. !50400. Add css to fluid layout for index file. !50626. Make System OAuth app index table responsive and externalize text. !50979. Prevent long variable names from overflowing the popover in CI/CD settings. !51018. long CI variable name overflows on origin. !51021. breadcrumb dropdown on mobile being too narrow. !51092. Show correct ref name in code coverage statistics header. !51385 (Andreas Schmidt). Change Jira Connect update sequence id to use Unix Time. !51697. batch query when primary key is -1. !51716. Allow versionless maven-metadata.xml file duplicates even when maven duplicates are disabled. !51758. comment form dropdown check alignment. !51787. Schedule artifact expiry date backfill background jobs. !51822. alignment and font in project operations settings page. !51825 (Yogi). broken testsuite link if the suite contains a dot. !51828. Move Social connect button to new GitLab UI. !51835 (Yogi). border bottom color collapsed replies. !51871 (Yogi). alignment of chevron-down icon in toggle replies. !51872 (Yogi). Remove container_class in project activity which removes extra padding. !51878 (Yogi). Add btn-default to MR edit button. !51879 (Yogi). Remove duplicates from related_commit_sha query. !51888. Add btn-default class to button in project breadcrumb. !51910 (Yogi). top border-radius of the login box. !51950 (Yogi). Improve duplication validation on Release Links. !51951. Update Project/Group Exp
13.8.412 Feb 2021 07:05 minor security: (2021-02-11). ### Security (9 changes). Cancel running and pending jobs when a project is deleted. !1220. Prevent Denial of Service Attack on gitlab-shell. Prevent exposure of confidential titles in file browser. Updates authorization for linting API. Check user access on API merge request read actions. Limit daily invitations to groups and projects. Enforce the analytics enabled project setting for project-level analytics features. Perform SSL verification for FortiTokenCloud Integration. Prevent Server-side Request Forgery for Prometheus when secured by Google IAP.
13.8.306 Feb 2021 12:25 minor bugfix: (2021-02-05). ### (2 changes). Revert multipart URL optimization for AWS S3. !52561. Regression with old wiki image uploads. !52656.
13.8.202 Feb 2021 04:45 minor feature: (2021-02-01). ### Security (5 changes). Filter sensitive GraphQL variables from logs. Avoid exposing release links when the user cannot read git-tag/repository. Sanitize target branch on MR page. DNS rebinding protection bypass when allowing an IP address in Outbound Requests setting. Add routes for unmatched url for not-get requests.
13.8.127 Jan 2021 22:05 minor bugfix: (2021-01-26). ### (3 changes). Cancel artifact expiry backfill background jobs. !51821. LFS not working with S3 specific-storage settings. !52296. missing setting LDAP servers. !52512.
13.8.022 Jan 2021 13:25 major feature: (2021-01-22). ### Security (4 changes, 1 of them is from the community). The NuGet endpoints will no longer ignore an invalid username when a personal access token or deploy token is passed via HTTP Basic authentication. !38627 (Ethan Reesor). Update WEBrick to v1.6.1. !50720. Prevent user-defined variables from being used by non-maintainers. !51682. Upgrade Workhorse to 8.58.2. ### Removed (2 changes). Drop group_id column from compliance_management_frameworks table. !50829. Remove deprecated generic alert integration in favor of HTTP Integrations. !50913. ### (91 changes, 35 of them are from the community). Deduplicate labels with identical title and group. !37148. Remove diff display preferences and file tree from changes empty state. !43467. Upgrade to Grape v1.5.0. !44554. database timeout errors when removing expired job artifacts. !47496. Return release milestones in predictable order. !47700. multiple simultaneous requests for vulnerabilities on pipeline security tab. !48426. Remove duplicate service records. !49463. Add LaTeX support for Jupyter Notebooks. !49497. confusing button text when importing from GitHub. !49684. identicon text color in dark mode. !49785. installation of Knative under Helm 3. !49843. Hide inoperable group search Releases filter. !50010. visibility level validation for deep nested forks. !50081. Change type of CiJob.needs. !50192. Handle git errors when cleaning up MR refs. !50250. over-eagerly updating Web IDE Live Preview. !50255. Persist updated_at value in state change events. !50272. Enlarge the timeline toggle button. !50284. Hide "Actions" label on group members view if no action buttons exist. !50304. with snippets in HEAD when default branch is not master. !50366. Add project scope to ci clint graphql endpoint. !50418. the graphQL type for container repository tags. !50419. Allow more actions on group members. !50445. Don't allow filtering by release tag on groups. !50457. Flash transf
13.7.415 Jan 2021 10:05 minor security: (2021-01-13). ### Security (1 change). Deny implicit flow for confidential apps.
13.7.312 Jan 2021 03:18 minor bugfix: (2021-01-08). ### (7 changes). Canary Ingress weight is not reflected on UI immediately. !50246. Change pages deployments size to bigint. !50262. Viewing container repositories with tags with corrupted manifest. !50362. The graphQL type for container repository tags. !50419. (eetrialbanner): EE trial banner to allow dismiss. !50436. Update Helm 2 version to 2.17.0. !50547. Project access token regression. !50800.
13.7.208 Jan 2021 19:25 minor bugfix: (2021-01-07). ### Security (7 changes). Forbid public cache for private repos. Deny implicit flow for confidential apps. Update NuGet regular expression to protect against ReDoS. regular expression backtracking in package name validation. stealing API token from GitLab Pages and DoS Prometheus through GitLab Pages. Update trusted OAuth applications to set them as confidential. Upgrade Workhorse to 8.58.2.
13.7.126 Dec 2020 07:45 minor bugfix: (2020-12-23). ### (1 change). Project transfer corrupting shared runners state. !47316.
13.7.022 Dec 2020 07:05 major feature: (2020-12-22). ### Security (1 change). regular expression backtracking in custom emoji name validation. ### Removed (2 changes, 1 of them is from the community). Remove Google Code importer. !48139 (Getulio Valentin Sánchez). Remove release notes from Tags page. !49979. ### (109 changes, 7 of them are from the community). Update user mentions when markdown columns are directly saved to DB. !38034. Retain spinner when applying MR suggestions. !46203. Skipped jobs no longer trigger a cancelled deployment. !46614. Catch wiki timeouts when rendering pages. !46627. single file snippets display for Geo secondary sites. !46812. Jira Connect styles not loaded when startup_css is enabled. !47043. Add migration that updated users that don't need to have 2fa established. !47193. project integration form validation when integration is inactive. !47201. project access token build authentication error. !47247. Support S3 server side encryption in CI cloud native job logs. !47536. repository clone panel for wikis. !47676. Hide Mark as draft button in a merged MR even on mobile. !47678 (Takuya Noguchi). Eliminate N+1 performance in MergeRequest.pipelines in GraphQL API. !47784. Add cascade delete foreign key to web_hooks on service_id without validation. !47821. Implement passing dotenv variables to bridge jobs. !47905. Allow canceling all pipelines with auto-cancel. !47906. error in Issuable::ImportCsv::BaseService when CSV file is empty. !47918. editing labels on the swimlanes sidebar. !47946. Scroll exactly to the top of a discussion on the MR Overview tab. !47970. Search page: empty results status. !48034. Move fuzz license check to.pre stage. !48076. Add link in Access Request API. !48081 (jimcser). Add gitlab:db:active task. !48083. overscroll for MR diffs in mobile view. !48091. incorrect line height in file header. !48117. Repopulate historical vulnerability statistics. !48128. image diff comments positioning. !48132. Manually trigge
13.6.312 Dec 2020 12:05 minor bugfix: (2020-12-10). ### (5 changes). error 500s creating projects concurrently. !48571. container_registry url for relative urls. !48661. Resolve Members page 500 error after Invitation sent via API. !48937. Add different string encoding method in rack middleware. !49044. MR rendering when user is tool admin and not project member. !49258. ### Changed (1 change). Update Rake check and docs to require Ruby 2.7. !48552.
13.6.208 Dec 2020 07:25 minor bugfix: (2020-12-07). ### Security (10 changes). Validate zoom links to start with https only. !1055. Require at least 3 characters when searching for project in the Explore page. Do not show emails of users in confirmation page. Forbid setting a gitlabUserList strategy to a list from another project. mermaid resource consumption in GFM fields. Ensure group and project memberships are not leaked via API for users with private profiles. GraphQL User: do not expose email if set to private. Filter search parameter to prevent data leaks. Do not expose starred projects of users with private profile via API. Do not show starred contributed projects of users with private profile.
13.6.125 Nov 2020 06:45 minor bugfix: (2020-11-23). ### (5 changes). Project transfer corrupting shared runners state. !48032. Project select split button. !48065. Tags pages erroring for projects with private pipelines. !48184. Ensure Alerts list loads when only HTTP integrations are enabled. !48247. Does not track package events on a read-only instance. !48257. ### Changed (1 change). Re-name Instance Statistics as Usage Trends. !48183.
13.6.021 Nov 2020 03:45 major feature: (2020-11-22). ### Removed (3 changes). Removed ACE editor from the codebase. !46420. Remove storage limit column from application settings. !46676. Remove the ability to resole individual notes. !46775. ### (140 changes, 11 of them are from the community). rendering of markdown headings and floated images. !25442 (Gwen_). release assets link redirection. !35381. chatbot replies not including job log. !42010. Show tar warning message when file/folder changed during backup instead of failing whole backup operation. !42197. Remove default EKS Region dropdown in cluster create form. !43017. Remove all records from `security_findings` table. !44312. Add `position` column into security_findings table. !44815. Render script newlines in CI Lint view. !45087 (Nejc Habjan). a race condition checking whether a project is read-only. !45160. Limit number of times a background migration is rescheduled. !45298. Improve project labels page card layout consistency. !45311. Do not convert unicode versions of trademark, copyright, and registered trademark to emoji. !45457. Gracefully recover from deleted LFS file. !45459. Bad Escape in Board Empty State. !45465. Update cluster applications CI template to 0.34.1. !45487. multi line comment options in parallel mode. !45557. Removed not equal filter option for drafts on merge requests. !45649. target branch not filtering. !45652. Merge Request "Edit in Web IDE" dropdown link on MR diffs page. !45653. Handle malformed strings in URL. !45701. Reset the pagination cursor when a search result filter changes. !45708. aria label on IDE tab button. !45709. danger-secondary button in the Web IDE dark theme. !45714. Removes the hamburger icon in the Changes tab in Web IDE. !45717. exception when saving Jira integration info for an instance. !45718. Make sure the http_requests_total and http_request_duration_seconds metrics are not empty on application start. !45755. Configure CSP for displaying Youtube videos i
13.5.414 Nov 2020 13:05 minor bugfix: (2020-11-13). ### (4 changes). Vue Labels Select dropdown keyboard scroll. !43874. Hashed Storage: make migration and rollback resilient to exceptions. !46178. compliance framework database migration on CE instances. !46761. Resolve problem when namespace_settings were not created for groups created via admin panel. !46875.
13.5.307 Nov 2020 04:05 minor feature: (2020-11-03). ### (3 changes). IDE with special characters. !46398. Ensure that copy to clipboard button is visible. !46466. Auto Deploy: for fetching other charts from stable repo. !46531. ### Added (1 change). Add environment variables to override backup/restore DB settings. !45855.
13.5.203 Nov 2020 16:45 minor security: (2020-11-02). ### Security (9 changes). Add CSRF protection to runner pause and resume. !1021. Do not expose Terraform state record in API. Path traversal to RCE via LFS upload. Update container_repository_name_regex to prevent catastrophic backtracking. Validate nuget package names. Prevent private repo from being accessed via internal Kubernetes API. Validate each upload param key in multipart.rb. XSS vulnerability for job build dependencies. unauthorized user is able to access schedule pipeline variables and values.
13.5.126 Oct 2020 11:25 minor feature: (2020-10-22). ### Other (1 change). Update GitLab Shell to v13.11.0. !45660.
13.5.022 Oct 2020 11:25 major feature: (2020-10-22). ### Security (1 change). Update GitLab Runner Helm Chart to 0.21.1. ### Removed (3 changes, 2 of them are from the community). Drop Iglu registry URL column. !42939. Remove coverage_report_view feature flag. !43711. Remove release_evidence_collection feature flag. !44234. ### (118 changes, 9 of them are from the community). Include builds from child pipelines in latest sucessful build for ref/sha. !29710. branches_to_be_notified API param for hangouts chat service. !35599. Add empty dependencies value to ECS Deploy job. !36862. with optional merge requests approval in CE. !42119 (Pavel Kuznetsov). type of SentryErrorType global ID. !42185. Remove linux arch only rule for coverage fuzzing. !42316. Do not show retried builds in the MR code coverage. !42402. Does not refresh project/snippet statistics on a read-only instance. !42417. Rendering trailing slash in reference links (). !42484. Remove retry icon on failed job if merge pipeline. !42495. Designs: return an error if uploading designs with duplicate names. !42514 (Sushil Khanchi). Unit Test Report: icon for errored status. !42540. Copy designs to when an with designs is moved. !42548. triggering multiple children pipeline with the same artifact. !42595. caret sizes in navigation. !42605. Revert required encryption on CI runner tokens. !42623. Markdown "Preview" tab on New/Edit Release and New Snippet pages. !42640. a causing 'Missing author note' to be added to notes for mapped users when importing project using GitLab Import. !42648. Hides batch suggestions button if there is only 1 suggestion. !42681. GraphQL token authentication when installed under a relative URL. !42706. Update pipeline failed notification e-mail warning. !42736. clickable width of release asset links. !42757. size of edit button on releases page. !42779. Move before_script into script for CQ template. !42782. Resolve Error when quickly reordering designs. !42818. Eliminate extra spacing
13.4.416 Oct 2020 15:45 minor feature: (2020-10-15). ### (2 changes). rollback portion of migration that adds temporary index for container scanning findings. !44593. Improve merge error when pre-receive hooks fail in fast-forward merge. !44843. ### Other (1 change). Revert 42465 and 42343: Expanded collapsed diff files. !43361.
13.4.307 Oct 2020 21:45 minor bugfix: (2020-10-06). ### (3 changes). Exclude 2FA from upload#show routes and 404s. !42784. Use create_wiki method on ensure_wiki_exists in update_service. !42910. Large backups not working with Azure Blob storage. !44233.
13.4.022 Sep 2020 15:05 major bugfix: (2020-09-22). ### Security (2 changes, 1 of them is from the community). Update lodash to 4.17.20. !41036 (Takuya Noguchi). Update GitLab Runner Helm Chart to 0.20.1. ### Removed (6 changes, 1 of them is from the community). Remove secret_detection job from vendored SAST CI template. !40028. Remove Docker-in-Docker mode from Dependency Scanning documentation. !40631. Removes unused classes on initial Ci::Ref implementation. !41077. Drop Docker-in-Docker mode for SAST and Dependency Scanning. !41260. Remove application settings for Snowplow iglu registry url. !41556. Remove Value Stream Total stage. !42345. ### (160 changes, 41 of them are from the community). Conditionally render the packages scopes in deploy token settings. !35334. advanced filters in log explorer view for gitlab managed applications. !37926. RegExp for dotenv report artifact. !38562. composer 404 with http auth. !38641. Update EKS Kubernetes versions. !38644. skipped status of DAG pipelines. !39205. wrong MR pipeline link when FF-merge strategy is used. !39396. Include also inherited project members in GraphQL API. !39444. Refactor spec/support/shared_examples/services/ and ee/spec/support/shared_examples/services/ to Rails/SaveBang Cop. !39538 (Rajendra Kadam). Removes extra spaces on MR/Epic tabs-containers on mobile. !39549 (Takuya Noguchi). Milestone Dashboard: Move Gray Type Badge Next to the Milestone Title. !39617. GraphQL file uploads accepting non-file input. !39763. Metrics dashboard embeds when using new URLs. !39876. Respect original visibility for instrumented methods. !39951. Take relative_url_path into account when building URLs in snippets. !39960. non-retrying bridges after retried builds in CI pipelines. !39989. Support X-Envelope-To header as a location for Service Desk key. !40001. where conan does not properly check package channel when returning file download urls. !40029. example within file_hooks documentation. !40071 (Roger Meier). miss
13.3.404 Sep 2020 02:05 minor security: (2020-09-02). ### Security (1 change). Protect OAuth endpoints from brute force/password stuffing.
13.3.229 Aug 2020 11:25 minor bugfix: (2020-08-28). ### Removed (1 change). Display upcoming database deprecation warning only if current database version minimum is not met. !38225. ### (5 changes). Race condition in concurrent backups. !39894. Prevent accidental group deletion if path rename fails. !40353. Snippet save button disabled with empty file path. !40412. Exception handling when a concurrent backup fails. !40451. Scope incident counts by given project or group. !40700.
13.3.023 Aug 2020 09:45 major feature: (2020-08-22). ### Security (2 changes). Improve path traversal validation checks. !33114. Update GitLab Runner Helm Chart to 0.19.2. ### Removed (3 changes). Remove Internet Explorer 11 from babel transpilation. !36840. Remove namespace storage limit setting. !38108. Geo: Drop tables related to vulnerability export replication. !38299. ### (116 changes, 14 of them are from the community). filter by releases at group and merge requests search bar. !26740 (Gilang Gumilar). Disable commenting on lines in files that were or are symlinks or replace or are replaced by symlinks. !35371. icon alignment on board cards. !35710 (carolcarvalhosa). Make Add metrics button visible on self monitoring dashboard. !36169. Keep large spinner while MR file tree is loading. !36446. : Child pipelines are not found by API endpoints. !36494. Show relevant error messages when failing to match a CI job entry. !36536. Don t show icon on flash warning. !36581. Updates to file table in package details UI. !36723 (Adam Alvis). Add graceful timeout handling for analytics. !36811. Resolve Pasting an image into a comment also uploads design. !37171. release evidence sometimes not being collected. !37184. editing note throws js error. !37216. merge request approvals for EE without a license. !37246. ops settings titles. !37259. Refactor all factories to SaveBang Cop. !37268 (Rajendra Kadam). Resolve Anchor tags to Designs is not working. !37307. content validation for existing wiki pages. !37310. Alert management list spacing. !37320. with blank keyset pagination parameters. !37351. Remove dashed border on designs hover. !37375. CSV downloads for multiple series in the same chart. !37377. Pypi and Nuget Storage Statistics. !37386. Display files in tab counter same as diff stats. !37390. vertical alignment of design management toolbar buttons. !37398. Allow LFS to be enabled in project settings even when Repository is disabled. !37401. Update MRs on push. !374
13.2.619 Aug 2020 13:45 minor feature: (2020-08-18). No changes.
13.2.412 Aug 2020 19:25 minor feature: (2020-08-11). ### Security (1 change). Add decompressed archive size validation on Project/Group Import. !38736. ### (1 change). Automatic creation via Prometheus alerts. !37884.
13.2.306 Aug 2020 22:05 minor security: (2020-08-05). ### Security (12 changes). Update kramdown gem to version 2.3.0. Enforce 2FA on Doorkeeper controllers. Revoke OAuth grants when a user revokes an application. Refresh project authorizations when transferring groups. Stop excess logs from failure to send invite email when group no longer exists. Verify confirmed email for OAuth Authorize POST endpoint. XSS in Markdown reference tooltips. XSS in milestone tooltips. xss vulnerability on jobs view. Block 40-character hexadecimal branches. Prevent a temporary access escalation before group memberships are recalculated when specialized project share workers are enabled. Update GitLab Runner Helm Chart to 0.18.2.
13.2.230 Jul 2020 10:25 minor feature: (2020-07-29). ### (3 changes). Coerce repository_storages_weighted, removes repository_storages. !36376. JiraImportUsersInput startAt field. !37492. Provide better git error message when the user is unconfirmed. !37944. ### Changed (1 change). Skip mass unconfirming users when send_user_confirmation_email setting is off. !38024.
13.2.022 Jul 2020 11:05 major feature: (2020-07-22). ### Security (3 changes). Unconfirm wrongfully verified email addresses and user accounts. !35492. Make logrotate run as git user for source installations. !35519. Replace misleading text in re-confirmation emails. !36634. ### Removed (7 changes, 2 of them are from the community). Remove deprecated dashboard group milestone pages. !13237. Removed UltraAuth integration for OmniAuth. !29330 (Kartikey Tanna). Remove all search autocomplete for groups/projects/other. !31187. Remove temporary datepicker position as it is no longer required. !31836 (Arun Kumar Mohan). Remove the ability to customize the title and description of some integrations (zilla, Custom Tracker, Redmine, and YouTrack). !33298. Drop deprecated _ANALYZER_IMAGE_PRE. !34325. Remove Internet Explorer 11 specific polyfills. !36830. ### (300 changes, 79 of them are from the community). Remove broken hyperlink from and reopen button. !22220 (Lee t). 'Active' checkbox text in Pipeline Schedule form to be a label. !27054 (Jonston Chan). back button when switching MR tabs. !29862 (Lee t). Remove ability to scroll while in Design View. !29881. merge request note label URLs. !30428 (Lee t). default path when creating project from group template. !30597 (Lee t). that prevented k8s authentication with intermediate certificates. !31254 (Abdelrahman Mohamed). group transfer service to deny moving group to its subgroup. !31495 (Abhisek Datta). issuable listings with any label filter. !31729. Move prepend to last in ee-app-services. !31838 (Rajendra Kadam). Fallback to lowest visibility level in snippet visibility radio. !31847. Add class stubs and leaky constant alert in query limit helper spec. !31949 (Rajendra Kadam). Remove usage of spam constants in spec. !31959 (Rajendra Kadam). leaky constant in uninstall progress service check. !32036 (Rajendra Kadam). leaky constant in commit entity spec. !32039 (Rajendra Kadam). leaky constant in task completion status spec
13.1.308 Jul 2020 00:45 minor feature: (2020-07-06). No changes.
13.1.202 Jul 2020 07:25 minor security: (2020-07-01). ### Security (18 changes). Update xterm js dependency to latest stable 3.x version. Do not show activity for users with private profiles. stored XSS in markdown renderer. Upgrade swagger-ui to solve XSS. group deploy token API authorizations. Check access when sending TODOs related to merge requests. Change from hybrid to JSON cookies serializer. Prevent XSS in group name validations. Disable caching for wiki attachments. Disable Github Importer API by settings. null byte error in upload path. Update permissions for time tracking endpoints. Add snippet repository validation after bundle import. Update Kaminari gem. note author name rendering. Sanitize bitbucket repo urls to mitigate XSS. Stored XSS on the Error Tracking page. security when rendering issuable.
13.1.124 Jun 2020 13:05 minor bugfix: (2020-06-23). ### (4 changes). Missing templating vars set from URL in metrics dashboard. !34668. Edit status dropdown overflow. !34847. Load user before logging git http-requests. !34923. Do not mask key comments for DeployKeys. !35014. ### Added (1 change). Periodically recompute project authorizations. !34071.
13.0.611 Jun 2020 20:05 minor feature: (2020-06-10). No changes.
13.0.407 Jun 2020 03:05 minor security: (2020-06-03). ### Security (1 change). Prevent fetching repository code with unauthorized ci token.
13.0.302 Jun 2020 18:05 minor bugfix: (2020-05-29). ### (8 changes, 1 of them is from the community). redirection to project snippets. !32530. Geo replication for design thumbnails. !32703. s downloading build artifacts. !32741. Auto DevOps manual rollout jobs not being allowed to fail. !32865. Update deprecated routes in irker integration. !32923 (Marc Jeanmougin). Change format of variables parameter in Prometheus proxy API for metrics dashboard. !33062. and MR API performance regression when Markdown cache is stale. !33235. when user created the. !33294.
13.0.129 May 2020 10:45 minor feature: (2020-05-27). ### Security (12 changes). Add an extra validation to Static Site Editor payload. Hide EKS secret key in admin integrations settings. Added data integrity check before updating a deploy key. Display only verified emails on notifications and profile page. Require confirmed email address for GitLab OAuth authentication. Kubernetes cluster details page no longer exposes Service Token. confirming unverified emails with soft email confirmation flow enabled. Disallow user to control PUT request using mermaid markdown in description. Check forked project permissions before allowing fork. Limit memory footprint of a command that generates ZIP artifacts metadata. file enuming using Group Import. Prevent XSS in the monitoring dashboard.
13.0.025 May 2020 21:45 major feature: (2020-05-22). ### Removed (20 changes, 5 of them are from the community). Remove project routes that were deprecated before 12.1. !26808. Drop x-y-stable version pinning for Secure templates. !29603. Remove logs from the admin pages. !30485. Remove deprecated /admin/application_settings redirect. !30532. Drop support for License-Management CI template. !30645. Remove deprecated InfluxDB. !30786. Remove deprecated Release Evidence endpoints. !30975. Remove deprecated Release Evidence endpoints documentation. !30978. Drop support for `license_management` artifact. !31247. Remove deprecated container scanning report parser. !31294. Remove rake task `gitlab:track_deployment`. !31404. Remove token attribute from Runners API. !31448. Remove support for Ruby format variable interpolation (` variable `) in custom dashboards. !31581. Remove JenkinsDeprecatedService. !31607 (tnwx). Remove ruby_memory_bytes metric, duplicate of ruby_process_resident_memory_bytes. !31705. Remove project_list_show_mr_count feature flag. !31789 (Gilang Gumilar). Remove project_list_show__count feature flag. !31793 (Gilang Gumilar). Remove set_user_last_activity feature flag. !31795 (Gilang Gumilar). Remove registrations_recaptcha feature flag. !31797 (Gilang Gumilar). Remove deprecated Sidekiq rake tasks. ### (171 changes, 54 of them are from the community). Allow public access to pipeline schedules. !20806 (Lee t). Add user last_activity logging in GraphQL. !23063. Render TestReport parsing errors back to pipeline test summary. !24188. Add user popovers to system notes. !24241. missing RSS feed events. !28054. Resolve Text for future Release date grammatically incorrect. !28075. number of approvals given calculation. !28293 (Steffen Köhler). Always display new subgroup button when permission is granted. !28309 (Mattias Michaux). Correct the permission according to docs. !28657. duplicated activity and events on deletion of tag. !28861 (Sashi Kumar). init.d s
12.10.621 May 2020 12:05 minor bugfix: (2020-05-15). ### (5 changes). Duplicate index removal on ci_pipelines.project_id. !31043. on creating an invalid domains and verification. !31190. Incorrect number of errors returned when querying sentry errors. !31252. Add instance column to services table if it's missing. !31631. Incorrect regex used in FileUploader#extract_dynamic_path. !32271.
12.10.514 May 2020 06:45 minor feature: (2020-05-13). ### Added (1 change). Consider project group and group ancestors when processing CODEOWNERS entries. !31804.
12.10.406 May 2020 15:45 minor feature: (2020-05-05). ### (1 change). Add a Project's group to list of groups when parsing for codeowner entries. !30934.
12.10.201 May 2020 15:25 minor security: (2020-04-30). ### Security (8 changes). Ensure MR diff exists before codeowner check. Apply CODEOWNERS validations to web requests. Prevent unauthorized access to default branch. Do not return private project ID without permission. doorkeeper CVE-2020-10187. Change GitHub service integration token input to password. Return only safe urls for mirrors. Validate workhorse 'rewritten_fields' and properly use them during multipart uploads.
12.10.127 Apr 2020 17:45 minor bugfix: (2020-04-24). ### (5 changes). creating project from git ssh. !29771. Web IDE handling of deleting newly added files. !29783. null dereference in /import status REST endpoint. !29886. Service Templates missing Active toggle. !29936. error on accessing restricted levels. !30313. ### Changed (1 change). Move Group Deploy Tokens to new Group-scoped Repository settings. !29290. ### Other (1 change). Migration of dismissals to vulnerabilities. !29711.
12.10.023 Apr 2020 10:25 major feature: (2020-04-22). ### Removed (3 changes). Revert LDAP readonly attributes feature. !28541. Remove deprecated /ci/lint page. !28562. Remove open in file view link from Web IDE. !28705. ### (118 changes, 26 of them are from the community). Return 202 for command only notes in REST API. !19624. Run SAST using awk to pass env variables directly to docker without creating.env file. !21174 (Florian Gaultier). #42671: Project and group storage statistics now support values up to 8 PiB. !23131 (Matthias van de Meent). error on profile/chat_names for deleted projects. !24341. Migrate the database to activate projects prometheus service integration for projects with prometheus installed on shared k8s cluster. !24684. archived corrupted projects not displaying in admin. !25171 (erickcspice). some Web IDE with empty projects. !25463. failing ci variable e2e test. !25924. new file not being created in non-ascii character folders. !26165. Validate uniqueness of project_id and type when a new project service is created. !26308. assignee dropdown on new page. !26971. Resolve Unable to expand multiple downstream pipelines. !27029. Hide admin user actions for ghost and bot users. !27162. invalid ancestor group milestones when moving projects. !27262. right sidebar when scrollbars are always visible. !27314. OpenAPI file detector. !27321 (Roger Meier). managed_free_namespaces scope to only groups without a license or a free license. !27356. Set commit status to failed if the TeamCity connection is refused. !27395. Resolve Improve format support message in design. !27409. Add tooltips with full path to file headers on file tree. !27437. Scope WAF Statistics anomalies to environment.external_url. !27466. Show the proper information in snippet edit form. !27479. the repository Vue router not working with Chinese characters. !27494. smartcard config initialization. !27560. audit event that weren't being created for failed LDAP log-in tries. !27608. filtere
12.9.419 Apr 2020 14:45 minor bugfix: (2020-04-16). No changes. ### (5 changes, 1 of them is from the community). Not working File upload from Project overview page. !26828 (Gilang Gumilar). Storage rollback regression caused by previous refactor. !28496. Incorrect regex used in FileUploader#extract_dynamic_path. !28683. Fully qualify id columns for keyset pagination (Projects API). !29026. Slack notifications when upgrading from old GitLab versions. !29111.
12.9.315 Apr 2020 15:45 minor security: (2020-04-14). ### Security (3 changes). Refresh ProjectAuthorization during Group deletion. Prevent filename bypass on artifact upload. Update rack and related gems to 2.0.9 to security.
12.9.201 Apr 2020 13:05 minor feature: (2020-03-31). ### (5 changes). Ensure import by URL works after a failed import. !27546. /MR state not being preserved when importing a project using Project Import/Export. !27816. Leave upload Content-Type unchaged. !27864. Disable archive rate limit by default. !28264. rake gitlab:setup failing on new installs. !28270. ### Changed (1 change). Rename feature on the FE and locale. ### Performance (1 change). Index on sent_notifications table. !27034.
12.9.127 Mar 2020 16:45 minor bugfix: (2020-03-26). ### Security (16 changes). Add permission check for pipeline status of MR. Ignore empty remote_id params from Workhorse accelerated uploads. External user can not create personal snippet through API. Prevent malicious entry for group name. Restrict mirroring changes to admins only when mirroring is disabled. Reject all container registry requests from blocked users. Deny localhost requests on fogz importer. Redact notes in moved confidential. UploadRewriter Path Traversal vulnerability. Block hotlinking to repository archives. Restrict access to project pipeline metrics reports. vulnerability_feedback records should be restricted to a dev role and above. Exclude Carrierwave remote URL methods from import. Update Nokogiri to CVE-2020-7595. Prevent updating trigger by other maintainers. XSS vulnerability in `admin/email` "Recipient Group" dropdown. ### (1 change). updating the authorized_keys file. !27798.
12.9.022 Mar 2020 17:25 major bugfix: (2020-03-22). ### Security (1 change). Update Puma to 4.3.3. !27232. ### Removed (3 changes). Remove staging from commit workflow in the Web IDE. !26151. Remove and deprecate snippet content search. !26359. Remove "Analytics" suffrom the sidebar menu items. !26415. ### (117 changes, 19 of them are from the community). Set all NULL `lock_version` values to 0 for issuables. !18418. Support finding namespace by ID or path on fork API. !20603 (leoleoasd). caret position after pasting an image 15011. !21382 (Carolina Carvalhosa). Use of sha instead of ref when creating a new ref on deployment creation. !23170. logic to determine project export state and add regeneration_in_progress state. !23664. Create child pipelines dynamically using content from artifact as CI configuration. !23790. Handle Gitaly failure when fetching license. !24310. error details layout and alignment for mobile view. !24390. Added the multiSelect option to stop event propagation when clicking on the dropdown. !24611 (Gwen_). Activate Prometheus integration service for newly created project if this project has access to shared Prometheus application. !24676. Jump to next unresolved thread. !24728. Require a logged in user to accept or decline a term. !24771. quick actions executing in multiline inline code when placed on its own line. !24933 (Pavlo Dudchenko). timezones for popovers. !24942. Prevent "Select project to create merge request" button from overflowing out of the viewport on mobile. !25195. Add validation for updated_at parameter in update API. !25201 (Filip Stybel). Elasticsearch: when index is absent warn users and disable index button. !25254. pipeline details page initialisation on invalid pipeline. !25302 (Fabio Huser). with sidebar not expanding at certain resolutions. !25313 (Lee t). Rescue elasticsearch server error in pod logs. !25367. project setting approval input in non-sequential order. !25391. Add responsivity to cluster environments table.
12.8.717 Mar 2020 17:05 minor bugfix: (2020-03-16). ### (1 change, 1 of them is from the community). Crl_url parsing and certificate visualization. !25876 (Roger Meier).
12.8.613 Mar 2020 12:25 minor security: (2020-03-11). ### Security (1 change). Do not enable soft email confirmation by default.
12.8.509 Mar 2020 12:25 minor bugfix: ### (8 changes). Group Import API file upload when object storage is disabled. !25715. Web IDE fork modal showing no text. !25842. regression when URL was encoded in a loop. !25849. repository browsing for folders with non-ascii characters. !25877. search for Sentry error list. !26129. Send credentials with GraphQL fetch requests. !26386. Show CI status in project dashboards. !26403. Rescue invalid URLs during badge retrieval in asset proxy. !26524. ### Performance (2 changes). Disable Marginalia line backtrace in production. !26199. Remove unnecessary Redis deletes for broadcast messages. !26541. ### Other (1 change, 1 of them is from the community). tures for Error Tracking Web UI. !26233 (Takuya Noguchi).
12.8.205 Mar 2020 15:25 minor bugfix: ### Security (17 changes). Update container registry authentication to account for login request when checking permissions. Update ProjectAuthorization when deleting or updating GroupGroupLink. Prevent an endless checking loop for two merge requests targeting each other. Update user 2fa when accepting a group invite. for XSS in branch names. Prevent directory traversal through FileUploader. Run project badge images through the asset proxy. Check merge requests read permissions before showing them in the pipeline widget. Respect member access level for group shares. Remove OID filtering during LFS imports. Protect against denial of service using pipeline webhook recursion. Expire account confirmation token. Prevent XSS in admin grafana URL setting. Don't require base_sha in DiffRefsType. Sanitize output by dependency linkers. Recalculate ProjectAuthorizations for all users. Escape special chars in Sentry error header. ### Other (1 change, 1 of them is from the community). tures for Error Tracking Web UI. !26233 (Takuya Noguchi).
12.8.126 Feb 2020 08:05 minor bugfix: ### (5 changes). Markdown layout of incident. !25352. Time series extends axis options correctly. !25399. "Edit Release" page. !25469. Upgrade failure in EE displaying license. !25788. Last commit widget when Gravatar is disabled.
12.8.023 Feb 2020 00:05 major bugfix: ### Security (6 changes, 2 of them are from the community). Upgrade Doorkeeper to 4.4.3 to address CVE-2018-1000211. !20953. Upgrade Doorkeeper to 5.0.2. !21173. Update webpack related packages. !22456 (Takuya Noguchi). Update rubyzip gem in qa tests to 1.3.0 to CVE-2019-16892. !24119. Update GraphicsMagick from 1.3.33 to 1.3.34. !24225 (Takuya Noguchi). Update handlebars to remove from dependency dashboard. ### Removed (2 changes, 1 of them is from the community). Remove temporary index at services on project_id. !24263. Remove CI status from Projects Dashboard. !25225. ### (136 changes, 21 of them are from the community). When a namespace GitLab Subscription expires, disable SSO enforcement. !21135. with snippet counts not being scoped to current authorisation. !21705. Log user last activity on REST API. !21725. Create LfsObjectsProject record for forks as well. !22418. Limit size of diffs returned by /projects/:id/repository/compare API endpoint. !22658. spacing and UI on Recent Deliveries section of Project Services. !22666. Improve error messages when adding a child epic. !22688. a new line with suggestions in the last line of a file. !22732. Use POSTGRES_VERSION variable in Auto DevOps Test stage. !22884 (Serban Marti). Include milestones from subgroups in the list of Group Milestones. !22922. Authenticate user when scope is passed to events api. !22956 (briankabiro). Limit productivity analytics graph y-axis scale to whole numbers. !23140. GraphiQL when GitLab is installed under a relative URL. !23143 (Mathieu Parent). Stop NoMethodError happening for 1.16+ Kubernetes clusters. !23149. advanced global search permissions for guest users. !23177. JIRA DVCS retrieving repositories. !23180. logs api etag with elasticsearch. !23249. Add border radius and remove blue outline on recent searches filter. !23266. premailer and S/MIME emailer hooks order. !23293 (Diego Louzán). Web IDE alert message look and feel. !23300 (Sean Nichols
12.7.505 Feb 2020 05:45 minor bugfix: ### (4 changes, 1 of them is from the community). Add accidentally deleted project config for custom apply suggestions. !23687 (Fabio Huser). Database permission check for triggers on Amazon RDS. !24035. Applying the suggestions with an empty custom message. !24144. Remove invalid data from _tracker_data table.
12.7.331 Jan 2020 06:45 minor security: ### Security (17 changes, 1 of them is from the community). xss on frequent groups dropdown. !50. Bump rubyzip to 2.0.0. (Utkarsh Gupta). Disable access to last_pipeline in commits API for users without read permissions. Add constraint to group dependency proxy endpoint param. Limit number of AsciiDoc includes per document. Prevent API access for unconfirmed users. Enforce permission check when counting activity events. Prevent gafana integration token from being displayed as a plain text to other project maintainers, by only displaying a masked version of it. GraphQL api deprecate token field in GrafanaIntegration type. Cleanup todos for users from a removed linked group. XSS vulnerability on custom project templates form. Protect internal CI builds from external overrides. ImportExport::ExportService to require admin_project permission. Make sure that only system notes where all references are visible to user are exposed in GraphQL API. Disable caching of repository/files/:file_path/raw API endpoint. Make cross-repository comparisons happen in the source repository. Update excon to 0.71.1 to CVE-2019-16779. Add workhorse request verification to package upload endpoints.
12.7.124 Jan 2020 19:54 major feature:
8.0.621 Oct 2015 13:25 minor bugfix: Loading spinner sometimes not being hidden on Merge Request tab switches.
8.0.516 Oct 2015 13:25 minor bugfix: Correct lookup-by-email for LDAP logins. Loading spinner sometimes not being hidden on Merge Request tab switches.
8.0.406 Oct 2015 23:25 minor bugfix: Message-ID header to be RFC 2111-compliant to prevent e-mails being dropped (Stan Hu). Referrals for :back and relative URL installs. Anchors to comments in diffs. - Remove CI token from build traces. - "Assign All" button on Runner admin page.
8.0.301 Oct 2015 03:15 minor bugfix: URL shown in Slack notifications. - where projects would appear to be stuck in the forked import state (Stan Hu). - Error 500 in creating merge requests with 1000 diffs (Stan Hu).
8.0.227 Sep 2015 03:15 minor bugfix: default avatar not rendering in network graph (Stan Hu). - Skip check_initd_configured_correctly on omnibus installs. - Prevent double-preing of help page paths. - Clarify confirmation text on user deletion. - Make commit graphs responsive to window width changes (Stan Hu). - top margin for sign-in button on public pages. - LDAP attribute mapping. - Remove git refs used internally by GitLab from network graph (Stan Hu). - Use standard Markdown font in Markdown preview instead of -width font (Stan Hu). - Reply by email for non-UTF-8 messages. - Add option to use StartTLS with Reply by email IMAP server.
8.0.023 Sep 2015 08:15 major feature: Continuous integration fully integrated (all tests, deployments, packaging). Completely new look and feel. Turbo Merges. 50 less space used. Reply by Email. Quick open in Gmail. Easily upload files in GitLab. Public user profile and group pages. Notification settings within the project s main page. GitLab 8.0 can be upgraded online. Better HTTP Support. Single Sign On to authenticate with Mattermost beta1. SSL Verification for Web Hooks.
7.5.027 Nov 2014 07:05 major feature: GitLab Community Edition 7.5 brings custom git hooks, various performance improvements, API extensions and better GitLab CI support.
7.2.022 Aug 2014 21:41 major feature: This release adds an "Explore" page, project stars, a Log for Sidekiq arguments. It adds better labels: colors, ability to rename and remove. Improves the way merge request collects diffs, compare page for large diffs. Exposes the full commit message via API. Fixes 500 error on repository rename, bug when MR download patch return invalid diff. Repository import timeout increased from 2 to 4 minutes allowing larger repos to be imported. The API adds support for labels, and the ability to set an import url when creating project for specific user.
Submitted bySven Wick
ManageYou can also help out here by:
← Update project
or flagging this entry for moderator attention.