Collaborative office suite, end-to-end encrypted and open-source.
Our main goal for this release was to prepare a BETA version of our new forms app, however, it also includes a number of nice bug fixes and minor features.
As this release includes a new app you'll want to compare your current NGINX config against our example (cryptpad/docs/example.nginx.conf) and update yours to match the updated sections which rewrites URLs to include trailing slashes. We've also introduced a number of new variables to our color scheme which might conflict with customizations you've made to your stylesheets. As always, it's recommended that you test your customizations on a updated non-production instance before deploying.
We've been steadily adding new tests to our recently developed checkup page each time we observe particular types of instance misconfigurations in the wild. Unfortunately, it seems the admins that have the most trouble with instance configuration are those that haven't read the numerous mentions of this page throughout the last few release notes. For that reason we've made it so the server prints a link to this page at launch time if it detects that some important value is left unconfigured.
On the topic of instance configuration, admins that have enabled their instance's admin panel may notice that it contains a new "Network" tab. On this pane you may find a button that links to the instance's checkup page to make it even easier to identify configuration problems. You should also notice options for configuring a number of values, some of which could previously only be set by modifying the server's configuration file and restarting.
To update from 4.6.0 to 4.7.0:
bower update and npm i
Please note that the new Forms app depends on an update to our cryptography library. If you omit bower update from the upgrade sequence above, the app will not work.
This release introduces our new Forms app. This app allows users to create complex forms and to collect answers. Three roles are available with granular permissions:
This new app addresses many of the shortcomings of our current Polls and vastly expands the feature set. Polls are effectively one of the many question types now available in Forms. For this reason we are deprecating the Polls app. It will remain available to view and respond to existing polls, but we discourage the creation of new polls and all future improvements will be focused on Forms.
In response to a GitHub issue we've added an option to the toolbar's File menu to add the current pad to your drive regardless of whether it is already stored in one of your teams' drives.
Likewise, we received some reports that some users found it frustrating that the home page automatically redirected them to their drive when they were logged in. We've disabled this behaviour by default but added an option in the settings page through which you may re-enable the old behaviour. This can be found at the top of the "CryptDrive" pane.
Embedded markdown editors' toolbars (such as that in the kanban and form apps) now include an "embed file" option.
We've revised some text on the checkup page to better explain what some headers do and how to correct them.
Some error messages printed by the server under rare conditions now include a little more debugging information.
We've improved some of the UI of the "report" page (which diagnoses possible reasons why your drive, shared folders, or teams might be failing to load now includes) so that users can now copy the output of the report directly to their clipboard instead of having to select that page's text and use their OS's copy to clipboard functionality.
<script>alert("pew")</script> for their username at registration time. On a correctly configured instance this was blocked everywhere except in the sheet editor due to its more lax Content-Security Policy. This unsanitized value was never displayed for remote accounts, so the impact is extremely limited. Even so, we recommend that you update.Our main goal for this release cycle was to get a strong start on our upcoming Forms app. This is a big job which we didn't expect to finish in the course of a few weeks, so in the meantime we've taken the opportunity to address many minor issues, stabilize the codebase, and implement a number of new tests.
Over the years the example configuration file has grown to include a large number of parameters. We've seen that this can make it hard to pick out which configuration parameters are important for a newly installed or migrated instance. We're trying to address this by moving more configuration options to the admin panel.
4.6.0 introduces the ability to generate credentials for your instance's support ticket mailbox and publish the corresponding public key with the push of a button. Previously it was necessary to run a script, copy its value, update the config file, restart the server, and enter the private component of the keypair into an input on the admin panel. The relevant button can be found in the admin panel's Support tab.
We've also introduced the ability to update your adminEmail settings via a field on the General tab of the admin panel. This value is used by the contact page so that your users can contact you (instead of us) in case they encounter any problems when using your instance. Both the supportMailbox and adminEmail values are distributed by the /api/config endpoint which is typically cached by clients. You probably need to use the Flush cache button to ensure that everyone loads the latest value. This button can also found on the General tab.
One admin reported difficulty customizing their instance because they copy-pasted code from cryptpad/www/common/application_config_internal.js directly into cryptpad/customize/application_config.js. Unfortunately the internal variable name for the configuration object in the former did not match the value in the latter, so this led to a reference error. We've updated the variable name in the internal configuration file which provides the default options to match the customizable one, making it easier to copy-paste code examples without understanding what it's really doing.
We also introduced a new configuration option in application_config_internal.js which prevents unregistered users from creating new pads. Add AppConfig.disableAnonymousPadCreation = true; to your customize/application_config.js to disable anonymous pad creation. If you read the adjacent comment above the default example you'll see that this barrier is only enforced on the client, so it will keep out honest users but won't stop malicious ones from messaging the server directly.
This release also includes a number of new tests on the /checkup/ page. Most notably it now checks for headers on certain assets which can only be checked from within the sandboxed iframe. These new tests automate the manual checks we were performing when admins reported that everything was working except for sheets, and go a little bit further to report which particular headers are incorrect. We also fixed some bugs that were checking headers on resources which could be cached, added a test for the recently added anti-FLoC header, fixed the styles on the page to respond to both light and dark mode, and made sure that websocket connections that were opened by tests were closed when they finished.
Some of the tests we implemented checked the headers on resources that were particularly prone to misconfiguration because its headers were set by both NGINX and the NodeJS application server (see #694). We tested in a variety of configurations and ultimately decided that the most resilient solution was to give up on using heuristics in the application server and just update the example NGINX config to use a patch proposed by another admin which fully overrides the settings of the application server. You can find this patch in the /api/(config|broadcast) section of the example config.
Finally, we've made some minor changes to the provided package-lock.json file because npm reported some "Regular Expression Denial of Service" vulnerabilities. One of these was easy to fix, but another two were reported shortly thereafter. These "vulnerabilities" only affect some developer dependencies and will have no effect on regular usage of our software. The "risk" is essentially that malicious modifications to our source code can be tailored to make our style linting software run particularly slowly. This can only be triggered by integrating such malicious changes into your local repository and running npm run lint:less, so maybe don't do that.
To update from 4.5.0 to 4.6.0:
bower update and npm i
This release includes very few new features aside from those already mentioned in the Update notes section. One very minor improvement is that formatted code blocks in the code editor's markdown preview use the full width of their parent container instead of being indented.
This release cycle we aimed to complete three major milestones: the official release of our calendar app, the ability for admins to close registration on their instance, and the deployment of the admin section of our official documentation. We spent the remainder of our time addressing a growing backlog of issues on GitHub by fixing a number of weird bugs.
This release includes a new GitHub issue template (cryptpad/.github/ISSUE_TEMPLATE/initial-instance-configuration.md). The intent of this file is to make it clear that Bug Reports are for intended for bugs in the software itself, not for soliciting help in configuring your personal server. Such issues take away time that we'd rather spend improving the platform for everybody's benefit, rather than for single administrators.
Sometimes difficulty configuring an instance does stem from an actual bug, however, most of the time these issues relate to the use of an unsupported configuration or failure to correctly follow installation instructions. The issue template includes some basic debugging steps which should identify the vast majority of problems. Beyond its primary goal of narrowing the scope of our issue tracker, we hope it will also be useful as an offline reference for administrators attempting to debug their instance.
This template references the /checkup/ page that we've been steadily improving over the last few releases. It now includes even more tests to diagnose instance configuration problems, each with their own messages that provide some fairly detailed hints about what is wrong when an error is detected. This release introduces a number of tests that print warnings that won't break an instance but might detract from users' experience. We recommend checking this page on your instance with each release as we will continue to improve it on an regular basis, and it might detect some errors of which you were unaware.
Otherwise, this release includes some changes to the provided example NGINX config file. It now includes a header designed to disable clients' participation in Google's FLoC network, as well as some basic rules related to the addition of our calendar app and OnlyOffice's two remaining editors (which are still not officially supported despite their inclusion here).
Lastly, any instance administrators that have had to customize their instance in order to disable registration can instead rely on a built-in feature that is available on the main page of the admin panel. Checking the "Close registration" checkbox will cause the application server to reject the creation of new "login blocks" (which store users' encrypted account credentials) while permitting existing users to change their passwords. Clients will be informed that registration is closed via the /api/config endpoint, causing the registration page to display a notice instead of the usual form. You may need to use the FLUSH CACHE button which can found on the same page of the admin panel in order to force clients to load the updated server config.
To update from 4.4.0 to 4.5.0:
bower update and npm i
customize/application_config.js. An example is included in cryptpad/www/common/application_config_internal.js.Our main goal for this release was to complete the first steps of our "Dialogue" project, which will introduce surveys into CryptPad. We've also put considerable effort towards addressing some configuration issues, correcting some inconsistently translated UI, and writing some new documentation.
This release removes the default privacy policy that has been included in CryptPad up until now. It included some assertions that were true of our own instance (CryptPad.fr) which we couldn't guarantee on third-party instances. We've updated our custom configuration to link to a privacy policy that was written in a rich text pad. You can do the same on your instance by editing cryptpad/customize/application_config.js to include the absolute URL of your instance, like so: AppConfig.privacy = "https://cryptpad.your.website/privacy.html";.
We've clarified a point about telemetry in the notes of our 4.3.1 release. The text suggested that users on your instance would send telemetry to OUR webserver. It has been clarified to reflect that telemetry from your users is only ever sent to your instance.
We've spent some time working on improving our (officially) unreleased integrations of OnlyOffice's presentation and document editors. We've advised against enabling these editors on your instance. This release includes changes that may not be fully backwards compatible. If your users rely on either editor we advise that you not update until they have had an opportunity to back up their documents. We still aren't officially supporting either editor and we may make further breaking changes in the future. Consider this a warning and not an advertizement of their readiness!
This release also includes changes to the recommended NGINX configuration. Compare your instance's config against cryptpad/docs/example.nginx.conf and apply all the new changes before updating. In particular, you'll want to pay attention to the configuration for a newly exposed server API (/api/broadcast). This should work much the same as /api/config, so if you're using a non-standard configuration that uses more than one server you may want to proxy it in a similar fashion.
Lastly, we've made some big improvements to the /checkup/ page which performs some basic tests to confirm that your instance is configured correctly. It now provides some much more detailed descriptions of what might be wrong and how you can start debugging any issues that were identified. If you experience any problems after updating please review this page to assess your instance for any known issues before asking for help.
To update from 4.3.1 to 4.4.0:
bower update and npm i
This release requires updates to both clientside and serverside dependencies. You will experience problems if you skip any of the above steps.
This minor release addresses some bugs discovered after deploying and tagging 4.3.0
This release is a continuation of our recent efforts to stabilize the platform, fixing small bugs and inconsistencies that we missed when developing larger features. In the meantime we've received reports of the platform performing poorly under various unusual circumstances, so we've developed some targeted fixes to both improve user experience and decrease the load on our server.
This release should be fairly simple for admins.
To update from 4.2.1 to 4.3.0:
bower update and npm i
customize/application_config.js by setting a degradedLimit attribute.customize/application_config.js by setting allowDrivelessMode to false.This minor release addresses a few bugs discovered after deploying 4.2.0:
We've made a lot of big changes to the platform lately. This release has largely been an attempt to stabilize the codebase by fixing bugs and merging features that we hadn't had a chance to test until now, all while updating our documentation and removing unused or outdated code.
This release includes an update to the sheet editor which is not backwards-compatible. Clients running the new version will not be able to correctly communicate with clients running older versions. Clients will automatically detect that a new version is available upon reconnecting to the server after a restart, so as long as you follow the steps recommended below this should be fine.
We've also updated a server-side dependency that is not backwards-compatible. Failure to update both the platform and its dependencies together will result in errors.
The scripts directory now includes a script to identify unused translations. We used this to reduce the size of our localization files (cryptpad/www/common/translations/*.json). We reviewed the changes carefully and did our best to test, but it's always possible that a string was erroneously removed. If you notice any bugs in the UI where text seems to be missing, please let us (the developers) know via a GitHub issue.
CryptPad.fr now stores more than a terabyte of data, making it quite intensive to run the scripts to remove inactive files from the disk. To help alleviate this strain we've moved the code responsible for deleting files that have been archived for longer than the configured retention period into its own script (./scripts/evict-archived.js). For the moment this script is not integrated into the server and will not automatically run in the background as the main eviction script does. It's recommended that you run it manually if you find you are low on disk space.
Since early in the pandemic we've been serving a custom home page on CryptPad.fr to inform users that we've increased the amount of storage provided for free. This was originally intended as a temporary measure, but since almost a year has passed we figured it was about time we integrate this custom code into the platform itself. Admins can now add a custom note to the home page, using customized HTML in customize/application_config.js. To do this, define an AppConfig.homeNotice attribute like so: AppConfig.homeNotice = "<b>pewpew</b>";.
To update from 4.1.0 to 4.2.0:
git fetch origin && git checkout 4.2.0, or just git pull origin main)bower update and npm i
Our recent 4.0.0 release introduced major changes to CryptPad's style-sheets which likely caused some difficulty for admins who'd made extensive changes to their instance's appearance. We figure it's best to make more changes now instead of making small breaking changes more frequently, so we decided now is a good time to refactor a lot of our styles to implement an often-requested dark mode in CryptPad.
As noted above, this release introduces some major changes to CryptPad styles. If you have customized the look of your instance we recommend testing this new version locally before deploying it to your server to ensure that there are no critical conflicts.
Otherwise, to update from 4.0.0 to 4.1.0:
git fetch origin && git checkout 4.1.0, or just git pull origin main)bower update and npm i
We're very happy to introduce CryptPad v4.0!
This release is the culmination of a great deal of work over the last year, in which we searched for the right metaphors and imagery to clearly represent what CryptPad is all about. We've reworked our logo, color theme, text on our static pages, and the icons throughout the platform to convey the calm and safety we want our users to feel.
Our release schedule typically follows an alphabetical naming scheme, ranging from A for the first (or zero-th) release of the cycle to Z for the last, with a thematic name for each letter. In the rush of preparing translations and double-checking all of our changes we never found time to settle on a theme for this release, but we do find there's some value in maintaining the otherwise arbitrary rhythm we've followed all this time. The progression through the alphabet gives a sense of pace to what can otherwise seem like a endless stream of problems that need solving, and the end of the alphabet prompts us to build towards major milestones like this one.
With that in mind, you can expect 25 more major releases in this cycle before version 5.0, roughly every three weeks or so depending on circumstances.
The main intent of this release was to deploy our rebrand branch which had been in development for some time. Along the way we also made notable improvements to the sheet editor which will be mentioned below.
In the process of redesigning the platform we started using some new features of the LESS CSS pre-processor language that were not supported by the version of lesshint that we were using to scan for errors. We've updated that dev dependency to a newer version (4.5.0 => 6.3.7) which introduced a rather large number of minor dependencies. These are only used during development, not by the server itself, so this is unlikely to have any impact on the software itself.
Otherwise, this release includes lots of changes to the platform's style sheets and static pages. If you've applied heavy customizations to your instance you might notice errors due to incompatibilities with your local changes. We recommend that you test your customizations against the latest release locally before updating a public instance to avoid service outages.
To update from 3.25.1 to 4.0.0:
bower update and npm i
driveChannel attribute to simplify this process.Finally, the "rebrand" part of this release: