NodeBB v4.14.0 — Federation regression fixes, security fixes, and more!
With temperatures reaching well into the 30s (in celsius of course :sunglasses:) in the Toronto area, we're all firmly in summer mode :swimmer: :beach_with_umbrella: , but that won't stop us from forging on ahead with new features and fixes for NodeBB!
There are improvements across ActivityPub federation, administrative tooling, and security hardening. Our ActivityPub integration receives bug fixes including duplicate handling, configurable rate limiting, and better error reporting, alongside new hooks for remote user lifecycle events. The registration queue and invitations are reorganized into a dedicated UI with a new "Reject All" bulk action and improved notification handling. Security reports have been coming in consistently throughout the month with valid security reports (though almost all AI discovered and generated). This led to stricter privilege checks on post diffs, crossposts, and GDPR exports, plus protection against username enumeration. The NodeBB team strongly encourages upgrading to v4.14.0 for the latest security fixes and federation improvements. The release also includes a new tx() translation helper, Benchpress escaping improvements, and a first-run categories onboarding modal for fresh installations.
Here are the high level changes you can expect to see when you upgrade from v4.13.0 to v4.14.0... [...]
With temperatures reaching well into the 30s (in celsius of course :sunglasses:) in the Toronto area, we're all firmly in summer mode :swimmer: :beach_with_umbrella: , but that won't stop us from forging on ahead with new features and fixes for NodeBB!
There are improvements across ActivityPub federation, administrative tooling, and security hardening. Our ActivityPub integration receives bug fixes including duplicate handling, configurable rate limiting, and better error reporting, alongside new hooks for remote user lifecycle events. The registration queue and invitations are reorganized into a dedicated UI with a new "Reject All" bulk action and improved notification handling. Security reports have been coming in consistently throughout the month with valid security reports (though almost all AI discovered and generated). This led to stricter privilege checks on post diffs, crossposts, and GDPR exports, plus protection against username enumeration. The NodeBB team strongly encourages upgrading to v4.14.0 for the latest security fixes and federation improvements. The release also includes a new tx() translation helper, Benchpress escaping improvements, and a first-run categories onboarding modal for fresh installations.
Here are the high level changes you can expect to see when you upgrade from v4.13.0 to v4.14.0... [...]
:globe_with_meridians: Federation Regression Fixes!
Around v4.12.0 or so, a number of regressions were unintentionally introduced as part of security fixes that severely hampered federation — especially with Lemmy-based instances and relays. We've resolved those regressions and Relay/Lemmy federation should resume within 24 hours after upgrading.
The public key fetch rate limiter logic was simplified and updated (due to it being faulty and not really working in the first place), streamlined some duplicate logic with Like/Dislike activities, improved the AP Errors reporting page in the ACP, added a parent traversal depth guard, fixed an issue where updates to scheduled topics were accidentally being federated out, and about a hundred other smaller bugs :slightly_smiling_face:
:ballot_box_with_check: Registration Queue updates
The registration queue was moved out of the ACP, and invitations are also managed in this page now. A "reject all" button was added to allow admins to quickly reject every queued registrant in one fell swoop.
🔒 Privilege & Security Fixes
- Post diff access — Check topics:read privilege when loading post diffs
- Crossposts — Added source category privilege check to crossposts
- GDPR export — Prevented global moderators from performing GDPR data exports
- Nids ownership — Don't mark nids as read/unread that you don't own
- Upload privileges — Prevent uploading thumbnails without upload:image privilege; replaced extension-based MIME validation with content
sniffing - Username enumeration — Use dummy lockout key for non-existent users to prevent enumeration
- Category disabled flag — Check category disabled flag on getRaw
:interrobang: Benchpress Improvements
We use Benchpress as our templating engine. We updated our integration for security and performance. @baris put together a thorough write-up for that one here.
Miscellaneous
- First-run modal — New categories onboarding modal for fresh installations
- Dashboard warnings — Added localhost and URL mismatch warnings to admin dashboard notices
- Push notifications should work on Safari/iOS devices now (via the web-push plugin)