Releases: gristlabs/grist-core
v1.3.2
What's Changed
- Preliminary work for SCIM API endpoints
- New translations and minor fixes
Security advisory
A set of XSS vulnerabilities were found in Grist by a private bug bounty program funded by DINUM (the Interministerial Digital Directorate of the French government).
- A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the javascript: scheme in custom widget URLs and form redirect URLs.
  - Mitigation: custom widget URLs and form redirect URLs are now restricted to the http(s) schemes.
- A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page.
  - Mitigation: an appropriate Content Security Policy is now set for attachments.
- A user visiting a malicious document and clicking a link in a HyperLink cell with a control modifier (for example, Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page.
  - Mitigation: HyperLink cell links are now restricted to the http(s) schemes.
Versions prior to 1.3.2 are known to be vulnerable. Please upgrade.
These advisories are also documented on our security advisory page.
Thanks to @spawnzii for initially reporting these security vulnerabilities.
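The three mitigations above share one defensive pattern: validate a user-supplied URL by parsing it and checking the resulting scheme against an allowlist, and serve uploaded content with headers that keep any embedded script out of the application's origin. The following is an added example written for this page, not code from the grist-core project; the function names, the exact header values and the sample URLs are assumptions made for the example. It uses the WHATWG URL parser available in Node and browsers, which matters because that parser strips tabs and newlines and lower-cases the scheme, so obfuscated spellings of the javascript: scheme are still recognised and rejected.

```javascript
// Added example (not Grist's own code): a scheme allowlist for user-supplied
// URLs plus restrictive headers for previewing uploaded attachments. Function
// names and the exact header values are assumptions made for this example.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Return the normalized absolute URL when it uses http or https, else null.
// Checking the parsed protocol rather than matching the raw string matters:
// the WHATWG URL parser removes ASCII tab/newline and lower-cases the scheme,
// so "Java\nScript:alert(1)" still parses to the javascript: scheme and is
// rejected, while a naive /^javascript:/ test on the raw string would miss it.
function safeHttpUrl(raw) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    url = new URL(raw.trim());
  } catch (err) {
    return null; // relative or unparsable input: reject rather than guess a base
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Pick the destination for a post-submit redirect (the form redirect case),
// falling back to a server-chosen page when the stored value is not http(s).
function redirectTarget(stored, fallback) {
  return safeHttpUrl(stored) ?? fallback;
}

// Response headers for serving an uploaded attachment (e.g. an SVG) so that
// any script inside it cannot run in the origin of the current page:
// `sandbox` gives the document a unique opaque origin with scripts disabled,
// script-src/object-src 'none' block script and plugin content explicitly,
// and nosniff stops the browser from reinterpreting the body as HTML.
// The filename is reduced to a safe character set before it is quoted.
function attachmentHeaders(contentType, filename) {
  const safeName = filename.replace(/[^\w.-]/g, '_');
  return {
    'Content-Type': contentType,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; script-src 'none'; object-src 'none'",
    'Content-Disposition': `inline; filename="${safeName}"`,
  };
}

// Constructed sample inputs covering the cases the advisory describes:
// ordinary http(s) links, the javascript: scheme in several spellings,
// a data: URL, and relative references.
const SAMPLE_URLS = [
  'https://example.com/widget',
  'HTTPS://Example.COM/path',
  'javascript:alert(1)',
  'Java\nScript:alert(document.cookie)',
  '  javascript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  '//example.com/widget',
  'widgets/local.html',
];

// Run the allowlist over a list of candidate URLs and report each verdict.
function classify(urls) {
  return urls.map((u) => ({ input: u, accepted: safeHttpUrl(u) }));
}

for (const row of classify(SAMPLE_URLS)) {
  console.log(row.accepted === null ? 'REJECT' : 'ACCEPT', JSON.stringify(row.input), row.accepted ?? '');
}
console.log(attachmentHeaders('image/svg+xml', 'logo.svg'));
```

The accept/reject decision deliberately has no "fix up" path: a value that is not already an absolute http(s) URL is dropped rather than resolved against some base, because the base a client would use (the current document's URL) is exactly what an attacker-controlled relative reference would be able to exploit.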
Full Changelog: v1.3.0...v1.3.2
v1.3.0
What's Changed
- Docker images are now built with Debian bookworm
- New UI for changing documents back and forth from template to tutorial
- Self-hosting Grist Business plan users can now enable audit logging
- New translations and miscellaneous bug fixes
New Contributors
- @manuhabitela made their first contribution in #1296
Full Changelog: v1.2.1...v1.3.0
v1.2.1
What's Changed
- For multi-org setups, there's a new site switcher, with the choice of per-org logos.
- New API endpoints for managing installation and site configuration.
- Docker images are now built with Debian bookworm and Node 22
- The maximum size of a document's history is now configurable via environment variables
- New translations and miscellaneous bugfixes
New Contributors
- @rtwfroody made their first contribution in #1208
- @tristanrobert made their first contribution in #1239
- @senk made their first contribution in #1286
Join our Discord Community if you'd like to get into development of Grist.
v1.2.0
What's Changed
- Two-way references are now available, which synchronize reference columns between two tables.
- New cards on the home page link to useful resources like the welcome video, tutorial, webinars, and the Help Center. They are shown by default to new and existing users, and may be hidden via a toggle.
- The default LLM provider is now `gpt-4o`. For useful results, any alternative LLM should be on par with GPT 3.5 or above.
- Backend changes for improving file handling in Grist Desktop.
- Miscellaneous bug fixes and translations.
Join our Discord Community if you'd like to get into development of Grist.
v1.1.18
What's Changed
- New docker compose examples
- New markdown cell format
- Minor fixes and improvements
See the newsletter at https://support.getgrist.com/newsletters/2024-08/
Join our Discord Community if you'd like to get into development of Grist.
v1.1.17
What's Changed
- There is a new set of formula functions to help with cumulative calculations: `PREVIOUS`, `NEXT`, and `RANK`. Read their documentation in our help center.
- As a result of the above, the minimum supported Python 3 version is now 3.11.
- Grist Enterprise can now be turned on by a toggle in the admin.
- Additional security options for OIDC authentication were added, improving security and enabling compatibility with new providers that have specific requirements. These are enabled by default, according to best practices.
- Minor fixes and translations.
See the newsletter at https://support.getgrist.com/newsletters/2024-07/
Join our Discord Community if you'd like to get into development of Grist.
v1.1.16
Highlights
- There is a new Docker image, `grist-oss`. The existing `grist` image contains the extensions from the `grist-ee` image, but they are completely inert by default. For details, consult the README.
- Grist Electron has been renamed to Grist Desktop. Other Desktop improvements have happened; check them out!
- Webhooks can send an authorization header.
- The Docker images now use a non-root user to run Grist.
- External contributors can launch temporary Grist preview instances to showcase their changes.
- The Grist database schema has new documentation.
- Minor fixes and translations.
See the newsletter at https://support.getgrist.com/newsletters/2024-06/
Join our Discord Community if you'd like to get into development of Grist.
v1.1.15
Highlights:
- A new environment variable, `GRIST_TERMS_OF_SERVICE_URL`, is available, which can be used to display a link to your organization's terms of service.
- Improvements to the admin panel, such as showing the authentication method and reconciling functionality with the boot page. The boot page has been removed, as all of its features have been moved into the admin page.
- Pyodide is now another possible sandboxing mechanism available in our Docker images.
- Minor fixes and translations.
See the newsletter at https://support.getgrist.com/newsletters/2024-05/
Join our Discord Community if you'd like to get into development of Grist.
v1.1.14
Highlights:
- A new environment variable, `APP_HOME_INTERNAL_URL`, improves the self-hosted experience with respect to the URL of home servers behind a reverse proxy.
- Minor documentation improvements.
- Minor bug fixes.
See the newsletter at https://support.getgrist.com/newsletters/2024-04/
Join our Discord Community if you'd like to get into development of Grist.
v1.1.13
Highlights:
- Grist Forms have a new design, and now support features like displaying text fields as text areas and copying an embed code for a published form.
- Support for importing and exporting TSV and DOO files. Read all about it in our monthly newsletter.
- The "Contact support" link is now customizable. Thanks @vviers!
- The export CSV and XLSX endpoints now support a `title` query parameter for specifying the filename of the downloaded file. Thanks @CamilleLegeron!
- An experimental environment variable, `GRIST_SKIP_REDIS_CHECKSUM_MISMATCH`, is now available, which causes checksum check failures to be treated as warnings rather than errors. Thanks @fflorent!
- Date filter strings are now translatable in Weblate. Thanks @thomasweaver627!
- The `GRIST_ALLOWED_HOSTS` environment variable has been removed. Thanks @jonathanperret!
- Fix for Ctrl-C not working in Docker. Thanks @fflorent!
- A new row menu shortcut, "Use as table headers", for quickly copying the selected row’s values to their columns’ headers. Thanks @CamilleLegeron!
- Podman can now be used to build the grist-core image from the Dockerfile. Thanks @paulfitz!
- Portability improvements to various bash scripts. Thanks @tykling!
- HTTP long polling is now supported as an alternative to WebSockets. Thanks @jonathanperret!
- Doc workers now shut down automatically when they are no longer in use. Thanks @fflorent!
- Webhooks can now be configured to only trigger when a specific column changes. Thanks @CamilleLegeron!
- Additional team sites can now be created. Thanks @CamilleLegeron!
- Misc. bug fixes and improvements.
See the newsletter at https://support.getgrist.com/newsletters/2024-03/
Join our Discord Community if you'd like to get into development of Grist.