pump.io follows Semantic Versioning 2.0.0. Specifically, the following things are considered to be semver-major if changed in a backwards-incompatible way:
- Ability to merge trivial local template modifications
- Configuration value names, semantics, and format
- The plugin API
- The public HTTP API and federation protocol
- `pump.socket(7)` protocol semantics
- `pump.socket(7)` commands and their semantics, except where explicitly documented otherwise in `pump.socket(7)`
- Supported Node.js versions
- This list of items
Changes to everything else are not considered breaking, although we may delay things until semver-major releases as a precautionary measure. This includes a bunch of stuff but in particular:
- Log messages
- Out-of-the-box web UI functionality
- Difficulty of merging in local modifications
If you think something that isn't in the first list should be covered, file an issue and we'll either state we consider that semver-major or give a rationale as to why it isn't. Please also feel free to ask questions in the issue tracker; this list could surely be more precise.
You cannot upgrade to this release with a zero-downtime restart.
- Support Node.js 12, 14 and 16
- The master process now listens on a control socket controllable by `pumpctl(8)`; see `pump.socket(7)` for protocol documentation (#1643)
- Ship an `npm-shrinkwrap.json` file with the package, ensuring that everyone gets the same version of all dependencies
- Public endpoints will now content-negotiate ActivityStreams 2.0
- OAuth 2.0 can be used for authentication and is now preferred
- The systemd unit now links to online ReadTheDocs documentation
- Web UI realtime now automatically recovers if it disconnects (#1479)
- Web UI comments can now be canceled (#1471)
- The front page image can now be changed with the `mainImage` config option (#1486)
- Improved startup performance and security by loading less code in the master process running as root (#1555)
- Don't link to OpenFarmGame in the intro text since the domain is dead
- `pump(1)` has been renamed to `pump(8)`
- Dependency updates
- Internal test suite refactoring
- "Settings" is renamed to "Profile" in the web UI (#1680)
- Docker images automatically set `NODE_ENV=production`
- Docker images now use Node.js 12
- The systemd unit now works on Debian Stretch
- Work around the `upstreamDuplicates is an object, not an array` error on remote login with some profiles
- bin/pump now crashes immediately on configuration problems instead of infinitely spawning workers (#1642)
- Fix layout error in the Lists view left over from 1.0's utml -> Jade transition
- Long lines no longer overflow in the web UI (#1157)
- Display the proper alert/error message in the web UI (#1352)
- Fix crash when directly visiting `/uploads/` (#1397)
- Fix non-public images always returning 403 Forbidden (#1438)
- Fix multiple web UI Like buttons turning to Unlike when just one is clicked (#768)
- `pump(8)` documents `NODE_ENV`, which actually does something, as opposed to `NODE_ENVIRONMENT`, which does absolutely nothing
- Other miscellaneous bugfixes (#1535, #1520, #1465)
- Don't load or serve JavaScript, or show the "Login"/"Register" buttons, with `noweb` set to true (#1398)
- Drop support for Node.js 4 to 10 (#1502)
- Extract the CLI client tools to pump.io-cli and drop from this package (#381)
- Reorganize Jade files to reduce npm package size (affects custom templates) (#1457)
- Upgrade from jade@1 to pug@3 (affects custom templates) (#1580)
- Crash instead of logging a warning when admins set internal parameters (#1396)
- Crash instead of logging a warning when admins do not set `config.secret`, or set it to a well-known value (#1387)
- Make the CLI options parsing more aware of boolean flags and string flags (#1334)
- Remove the SIGUSR2 handler for zero-downtime restarts; use `pumpctl(8)` with `pump.socket(7)` instead (#1643)
- Increase minimum DOMPurify version to 2.0.16 due to recent upstream security advisories
- Increase minimum DOMPurify version to 2.0.16 due to recent upstream security advisories
- Increase minimum DOMPurify version to 2.0.6 due to recent upstream security advisories
- Increase minimum DOMPurify version to 2.0.6 due to recent upstream security advisories
- Bump Dockerfile base image to Alpine 3.8.1 to fix an `apk` remote code execution vulnerability
This will be the last release line to support Node.js 4, 5 and 7.
- Backport Docker image infrastructure
- Backport fix for non-public images always returning 403 Forbidden (#1438)
This will be the last release line to support Node.js 4, 5 and 7.
- Bump `gm` version out of caution to pull in a fully security-patched `debug`
This will be the last release line to support Node.js 4, 5 and 7.
- Generate startup log warnings on bad configurations, including insecure `secret` values and internal parameters
- Add a `Dockerfile`
- Added zero-downtime upgrade support
- Update deps
- Enable some more tests and start tracking code coverage with Coveralls
- Expand package.json metadata
- Clarify semver-major local modification policy
- Move most documentation to ReadTheDocs (#1496)
- `bin/pump-import-collection` no longer crashes due to an `underscore-contrib` reference
- Fix the logged-out mobile homepage's menu icon being black (#1445)
- Fix the JavaScript license page not loading Bootstrap properly (#1432)
- Fix some README config options
- SockJS connections no longer fail due to authorization problems (#1475)
- Fix the package shipping with `.jade.js` files built from the 5.0.x releases
- `connect-auth-pumpio` is pulled from npm instead of GitHub again
No changes from 5.0.1 beta 0:
- Fix multiple denial-of-service security vulnerabilities in indirect dependencies: advisory 1, advisory 2, advisory 3 (no CVEs available)
- Fix multiple denial-of-service security vulnerabilities in indirect dependencies: advisory 1, advisory 2, advisory 3 (no CVEs available)
- Fix multiple denial-of-service security vulnerabilities in indirect dependencies: advisory 1, advisory 2, advisory 3 (no CVEs available)
This release was a private beta due to the security fixes being slightly risky for stability.
The relevant security bugs were publicly disclosed on October 1st, 2017.
- Fix multiple denial-of-service security vulnerabilities in indirect dependencies: advisory 1, advisory 2, advisory 3 (no CVEs available)
No changes since 5.0.0 beta 1.
- Original posts no longer show "shared by" (#1427)
- Fixed some minor inaccuracies in README.md's documentation of defaults
- Upgrade to [email protected]
- Node 7 and 8 are now supported
- Documented the `bounce` and `logLevel` config options
- The web UI more clearly shows shares
- Worker process deaths are sent to the `error` log stream, not the `warning` stream
- Removed 0.10/0.12-specific hacks
- Internal refactoring to use newer ES6 features
- Fixed crash in an endpoint which prevented "login with remote account" from working (#1281)
- Dropped support for Node.js 0.10 and 0.12 (#1234)
- Added a period and space after the footer text; if you use `appendFooter` please adjust accordingly (#1349)
- Switched from Glyphicons to Font Awesome (affects web UI template modifications) (#1351)
- Upgraded Backbone to 1.3.3 (ditto) (#1382)
- Switched from Underscore to Lodash (ditto) (#1326)
- Enabled many systemd security restrictions in the systemd service file (#1346, #1257)
- Backported some improved error messages to assist in debugging a bug
- Backported fix for crash in an endpoint which prevented "login with remote account" from working (#1281)
No changes from 4.1.0 beta 0. This will be the last release to support Node.js 0.10 and 0.12.
This will be the last release to support Node.js 0.10 and 0.12.
- Added some basic styles to the LibreJS info page (#1353)
- Minor UX improvements to the web UI (#1355, #1354)
- Expanded the list of disallowed nicknames and warn about them in the web UI (#1345, #1347)
- Pull our fork of connect-auth from npm instead of GitHub (#1360)
- Use Subresource Integrity for web UI resources pulled from CDNs (#1340)
- Internal test refactoring
- Switched bcrypt implementation from `bcrypt` to `bcryptjs` (#1233)
- Return the correct Content-Type for OAuth endpoints (#822)
- Increase minimum DOMPurify version to 0.9.0: 0.8.9 security announcement, 0.9.0 security announcement
- Increase minimum DOMPurify version to 0.9.0: 0.8.9 security announcement, 0.9.0 security announcement
- Increase minimum DOMPurify version to 0.9.0: 0.8.9 security announcement, 0.9.0 security announcement
No changes from 4.0.0 beta 5.
- Revert bcrypt upgrade to fix install issues (#1333)
- Don't use newer `github:` syntax in the `connect-auth` dep as it breaks npm@1 (#1253)
- The commandline tools no longer crash due to missing `optimist`
- Update documentation to match new config options
- Lock the `connect-auth` dep to a particular version
- Turn on tests for Node 6
- Fix a whitespace issue with `appendFooter`
- Permanently remove the build-on-git-install hacks (#1291)
- Correct a potentially bad npm publish
- Added the `appendFooter` config option
- Frontend JavaScript runs in strict mode (#1221)
- Frontend JavaScript passes JSHint (#1176)
- Remove direct Connect dependency (#1274)
- Upgrade many minor dependencies
- Add a robots.txt file (#1286)
- Don't suggest or offer avatar uploads if uploads aren't available
- Added the ability to specify configuration via environment variables
- Added the ability to specify configuration via CLI flags
- Added `--help` and `--version` CLI flags
- Embed IndieWeb metadata in the web UI
- Upgrade to Express 4.x (affects plugins)
- Switch to Yargs for config and CLI option parsing (should be identical but please double-check that your config is respected in case of subtle edge cases)
- Fix README.md documenting the old name of a config parameter
- Fix the sample `pump.io.json` including an obsolete parameter
- Removed build logic from public npm package because it was completely breaking installs (#1291)
No changes from 3.0.0 beta 1.
- Improve performance of front-page image
- Fix the web UI repeating YouTube videos (again)
- Fix direct visits to /following URLs not rendering layout (#1279)
- HTTP Strict Transport Security can now be configured (#1197)
- The sample systemd service can now be used directly by specifying a Databank driver as an @-service parameter
- The web UI no longer loads a JSON polyfill
- Incorrect and unnecessary 'plugin-types' Content Security Policy directives are no longer sent
- The `uploaddir` option is obsolete and should be migrated to the new `datadir` option (#1272)
- Realtime functionality is working again
- Incorrect and unnecessary 'plugin-types' Content Security Policy directives are no longer sent
No changes from 2.1.0 beta 0.
- Files in bin/ are now properly validated by JSHint and JSCS
- Enable strict mode for server-side JS (#1221)
- Provide a more useful error message for invalid config JSON
- A sample systemd service is now included
- Fix web UI YouTube embeds appearing in all subsequent posts (#1249)
- Fix To: and CC: fields not showing in the web UI
- Remove a stray debugger statement in the web UI JS
- Certain template resource 404s in the web UI are now fixed
- Jade client-side files are now included in registry packages
- The Server: header now reports the correct pump.io version
- Updated some documentation version numbers
No changes from 2.0.0 beta 2.
- Fixed the web UI mangling some special characters when showing displayName properties
- A pump(1) manpage is now included
- Any internal web UI link with a `data-bypass` attribute is now ignored by the routing logic (useful for e.g. custom pages added by the admin)
- YouTube links in posts are now shown as embeds by the web UI (#1158)
- Node.js 0.10 and 0.12 support is now deprecated (#1212)
- TLS connections now use Mozilla's "intermediate" cipher suite and force server cipher suite preferences (#1061)
- Adjusted the XSS error page wording based on user feedback
- Upgrade to Express 3.x (affects plugins)
- Templates are now based on Jade instead of utml (affects people who change the templates) (#1167)
This release adds many security features. It's recommended that admins upgrade as soon as possible.
Please note that while we're not doing so yet, we're planning to deprecate running under Node.js 0.10 and 0.12 very soon. Additionally, upgrading to Node.js 4.x early will enable the new, better XSS scrubber - however, be aware that pump.io is far less tested under Node.js 4.x and you are likely to run into more bugs than you would under 0.10 or 0.12.
See #1184 for details.
- [API] Send the `Content-Length` header in Dialback requests
- Add support for LibreJS (#1058)
- Node.js 4.x is officially supported (#1184)
- Browser MIME type sniffing is disabled via `X-Content-Type-Options: nosniff` (#1184)
- Protect some versions of Internet Explorer from a confused deputy attack via `X-Download-Options: noopen` (#1184)
- Make sure Internet Explorer's built-in XSS protection is as secure as possible with `X-XSS-Protection: 1; mode=block` (#1184)
- Versions of Internet Explorer the XSS scrubber can't protect are presented with a security error instead of any content (#1184)
- Clickjacking is prevented via the `X-Frame-Options: DENY` header (in addition to Content Security Policy) (#1184)
- A `Content-Security-Policy` header is sent with every response (#1184)
  - Scripts are forbidden from everywhere except the application domain and (if CDNs are enabled) `cdnjs.cloudflare.com` and `ajax.googleapis.com`
  - Styles are forbidden from everywhere except the application domain and inline styles
  - `<object>`, `<embed>`, and `<applet>`, as well as all plugins, are forbidden
  - Embedding the web UI via `<frame>`, `<iframe>`, `<object>`, `<embed>`, and `<applet>` is forbidden
  - Connecting to anything other than the application domain via `XMLHttpRequest`, WebSockets or `EventSource` is forbidden
  - Loading Web Workers or nested browsing contexts (i.e. `<frame>`, `<iframe>`) is forbidden except from the application domain
  - Fonts are forbidden from everywhere except the application domain
  - Form submission is limited to the application domain
- [API] Don't return `displayName` properties if they're empty (#1149)
- Upgraded from Connect 1.x to Connect 2.x
- Upgraded various minor dependencies
- All files pass style checking and most pass JSHint
- Add links to the user guide on the homepage and welcome message (#1125)
- Add a new XSS scrubber implementation (#1184)
  - DOMPurify-based scrubber is used on Node.js 4.x or better
  - Otherwise, a more intrusive, less precise one is used
- Fix a crash upon access of an activity without any replies (#1135)
- Disable registration link if registration is disabled (#853)
- `package.json` now uses a valid SPDX license identifier (#1112)
TODO
- Initial release