# Version history This page the release history for the Zulip server. See also the [Zulip release lifecycle](../overview/release-lifecycle.md). ## Zulip 5.x series ### 5.0 -- unreleased This section is an incomplete draft of the release notes for the next major release, and is only updated occasionally. See the [commit log][commit-log] for an up-to-date list of raw changes. #### Highlights - New [resolve topic](https://zulip.com/help/resolve-a-topic) feature allows marking topics as completed for lightweight workflow management. - Users can now select an emoji when setting an away status. - OpenID Connect joins SAML, LDAP, Google, GitHub, Azure Active Directory, and more as a supported Single Sign-On provider. - Redesigned "Stream settings" to be much more usable, with separate tabs for personal settings, global settings, and membership. - Redesigned "Full user profile" widget to show the user's stream and user group subscriptions. - Reorganized personal and organization settings to have clearer labels and make it easier to find privacy settings. - Migrated most permissions settings that only supported administrators or normal users to fully support roles. - Added a data import tool for migrating from Rocket.Chat. Mattermost data import now supports importing uploaded files. #### Upgrade notes for 5.0 - This release contains a migration, `0009_confirmation_expiry_date_backfill`, that can take several minutes to run on a server with millions of messages of history. #### Full feature changelog - Timestamps in Zulip messages are now permanent links to the message in its thread. - Added support for referring to a user group with a silent mention. - Added support for expanding the compose box to be full-screen. - Added support for filtering events in webhooks. - Added support for overriding Zulip's defaults for new users in your organization. - User groups mentions are now correctly inactive inside block quotes. - Messages sent by muted users can now be rehidden after being revealed. One can also now muted deactivated users. - Reworked the UI for selecting a stream when moving topics. - Redesigned modals in the app to have more consistent and cleaner UX. - SAML authentication now supports syncing custom profile fields. Additionally, SAML authentication now supports automatic account creation. - Added new topic filter widget in left sidebar zoomed view. - New integrations: Freshstatus, Lidarr, Radarr, Sonarr. - Redesigned hover behavior for timestamps and time mentions. - Added styled loading page. - Webhook integrations now support specifying the target stream by ID. - Notifications now differentiate user group mentions from personal mentions. - Added support for configuring how long the server should wait before sending email notifications after a mention or PM. - Improved integrations: Grafana, PagerDuty. - Improved the typeahead sorting for choosing code block languages. - Zulip now supports configuring the database name and username when using a remote Postgres server. Previously, these were hardcoded to "zulip". - Migrated many tooltips to prettier tooltips powered by TippyJS. - Autocomplete is now available when editing topics. - Changed "Quote and reply" to insert quoted content at the cursor when the compose box is not empty. - The compose box now has friendly UI for messages longer than 10K characters. - Compose typeahead now opens after typing only "@". - Adjusted permissions to only allow administrators to override unicode emoji with a custom emoji of the same name. - Fixed various bugs resulting in missing translations; most importantly in the in-application search/markdown/hotkeys help widgets. - Fixed linkifier validation to prevent invalid linkifiers. - Fixed `Ctrl+.` shortcut not working correctly with empty topics. - Fixed numerous corner case bugs with email and mobile push notifications. - Fixed a bug resulting in long LaTeX messages failing to render. - Fixed buggy logic displaying users' last active time. - Fixed confusing "delete stream" language for archiving streams. - Fixed exceptions in races involving messages being deleted while processing a request to add emoji reactions, mark messages as read, or sending notifications. - Fixed most remaining 500 errors seen in Zulip Cloud (these were already quite rare, so this process involved debugging several rare races, timeouts, and error handling bugs.). - Fixed subtle bugs involving composing messages to deactivated users. - Fixed subtle bugs with reloading the page while viewing settings with "Recent topics" as the default view. - Fixed bug where pending email notifications could be lost when restarting the Zulip server. - Fixed several subtle Markdown rendering bugs. - Changed "From" header in invitation emails to no longer include the name of the user who sent the invitation, to prevent anti-phishing software from flagging invitations. - Reworked the `manage.py help` interface to hide Django commands that are useless or harmful to run on a production system. Also deleted several useless management commands. - Added automated testing of the upgrade process from previous releases, to reduce the likelihood of problems upgrading Zulip. - Optimized critical parts of the message sending code path for large organizations. - Added IP-based rate limiting for unauthenticated requests. - Added documentation for Zulip's rate-limiting rules. - Merged the API endpoints for a user's personal settings into the /settings endpoint with a cleaner interface. - Added to the API most page-load parameters used by the web app application that were missing from the `/register` API. - Simplified the infrastructure for rendering API documentation so that only a few pages require Markdown templates in addition to the OpenAPI specification file. - Major improvements to the mypy type-checking, discovered via using the django-stubs project to get Django stubs. - Added development environment support for M1 Mac hardware. ## Zulip 4.x series ### 4.7 -- 2021-10-04 - CVE-2021-41115: Prevent organization administrators from affecting the server with a regular expression denial-of-service attack through linkifier patterns. ### 4.6 -- 2021-09-23 - Documented official support for Debian 11 Bullseye, now that it is officially released by Debian upstream. - Fixed installation on Debian 10 Buster. Upstream infrastructure had broken the Python `virtualenv` tool on this platform, which we've worked around for this release. - Zulip releases are now distributed from https://download.zulip.com/server/, replacing the old `www.zulip.org` server. - Added support for LDAP synchronization of the `is_realm_owner` and `is_moderator` flags. - `upgrade-zulip-from-git` now uses `git fetch --prune`; this ensures `upgrade-zulip-from-git master` with return an error rather than using a stale cached version of the `master` branch, which was renamed to `main` this month. - Added a new `reset_authentication_attempt_count` management command to allow sysadmins to manually reset authentication rate limits. - Fixed a bug that caused the `upgrade-postgresql` tool to incorrectly remove `supervisord` configuration for `process-fts-updates`. - Fixed a rare migration bug when upgrading from Zulip versions 2.1 and older. - Fixed a subtle bug where the left sidebar would show both old and new names for some topics that had been renamed. - Fixed incoming email gateway support for configurations with the `http_only` setting enabled. - Fixed issues where Zulip's outgoing webhook, with the Slack-compatible interface, had a different format from Slack's documented interface. - The installation and upgrade documentations now show the latest release's version number. - Backported many improvements to the ReadTheDocs documentation. - Updated translation data from Transifex. ### 4.5 -- 2021-07-25 - Added a tool to fix potential database corruption caused by host OS upgrades (was listed in 4.4 release notes, but accidentally omitted). ### 4.4 -- 2021-07-22 - Fixed a possible denial-of-service attack in Markdown fenced code block parsing. - Smokescreen, if installed, now defaults to only listening on 127.0.0.1; this prevents it from being used as an open HTTP proxy if it did not have other firewalls protecting incoming port 4750. - Fixed a performance/scalability issue for installations using the S3 file uploads backend. - Fixed a bug where users could turn other users’ messages they could read into widgets (e.g. polls). - Fixed a bug where emoji and avatar image requests were sent through Camo; doing so does not add any security benefit, and broke custom emoji that had been imported from Slack in Zulip 1.8.1 or earlier. - Changed to log just a warning, instead of an exception, in the case that the `embed_links` worker cannot fetch previews for all links in a message within the 30-second timeout. Each preview request within a message already has a 15-second timeout. - Ensured `psycopg2` is installed before starting `process_fts_updates`; otherwise, it might fail to start several times before the package was installed. - Worked around a bug in supervisor where, when using SysV init, `/etc/init.d/supervisor restart` would only have stopped, not restarted, the process. - Modified upgrade scripts to better handle failure, and suggest next steps and point to logs. - Zulip now hides the “show password” eye icon that IE and Edge browsers place in password inputs; this duplicated the already-present JavaScript-based functionality. - Fixed “OR” glitch on login page if SAML authentication is enabled but not configured. - The `send_test_email` management command now shows the full SMTP conversation on failure. - Provided a `change_password` management command which takes a `--realm` option. - Fixed `upgrade-zulip-from-git` crashing in CSS source map generation on 1-CPU systems. - Added an `auto_signup` field in SAML configuration to auto-create accounts upon first login attempt by users which are authenticated by SAML. - Provided better error messages when `puppet_classes` in `zulip.conf` are mistakenly space-separated instead of comma-separated. - Updated translations for many languages. ### 4.3 -- 2021-06-02 - Fixed exception when upgrading older servers with the `JITSI_SERVER_URL` setting set to `None` to disable Jitsi. - Fixed GIPHY integration dropdown appearing when the server doesn't have a GIPHY API key configured. - The GIPHY API library is no longer loaded for users who are not actively using the GIPHY integration. - Improved formatting for Grafana integration. - Fixed previews of Dropbox image links. - Fixed support for storing avatars/emoji in non-S3 upload backends. - Fixed an overly strict database constaint for code playgrounds. - Tagged user status strings for translation. - Updated translation data from Transifex. ### 4.2 -- 2021-05-13 - Fixed exception in purge-old-deployments when upgrading on a system that has never upgraded using Git. - Fixed installation from a directory readable only by root. ### 4.1 -- 2021-05-13 - Fixed exception upgrading to the 4.x series from older releases. ### 4.0 -- 2021-05-13 #### Highlights - Code blocks now have a copy-to-clipboard button and can be integrated with external code playgrounds, making it convenient to work with code while discussing it in Zulip. - Added a new organization [Moderator role][roles-and-permissions]. Many permissions settings for sensitive features now support only allowing moderators and above to use the feature. - Added a native Giphy integration for sending animated GIFs. - Added support for muting another user. - Recent topics is no longer beta, no longer an overlay, supports composing messages, and is now the default view. The previous default view, "All messages", is still available, and the default view can now be configured via "Display settings". - Completed API documentation for Zulip's real-time events system. It is now possible to write a decent Zulip client with minimal interaction with the Zulip server development team. - Added new organization settings: wildcard mention policy. - Integrated [Smokescreen][smokescreen], an outgoing proxy designed to help protect against SSRF attacks; outgoing HTTP requests that can be triggered by end users are routed through this service. We recommend that self-hosted installations configure it. - This release contains more than 30 independent changes to the [Zulip API](https://zulip.com/api/changelog), largely to support new features or make the API (and thus its documentation) clearer and easier for clients to implement. Other new API features support better error handling for the mobile and terminal apps. - The frontend internationalization library was switched from i18next to FormatJS. - The button for replying was redesigned to show the reply recipient and be more obvious to users coming from other chat apps. - Added support for moving topics to private streams, and for configuring which roles can move topics between streams. [roles-and-permissions]: https://zulip.com/help/roles-and-permissions #### Upgrade notes for 4.0 - Changed the Tornado service to use 127.0.0.1:9800 instead of 127.0.0.1:9993 as its default network address, to simplify support for multiple Tornado processes. Since Tornado only listens on localhost, this change should have no visible effect unless another service is using port 9800. - Zulip's top-level puppet classes have been renamed, largely from `zulip::foo` to `zulip::profile::foo`. Configuration referencing these `/etc/zulip/zulip.conf` will be automatically updated during the upgrade process, but if you have a complex deployment or you maintain `zulip.conf` is another system (E.g. with the [manual configuration][docker-zulip-manual] option for [docker-zulip][docker-zulip]), you'll want to manually update the `puppet_classes` variable. - Zulip's supervisord configuration now lives in `/etc/supervisor/conf.d/zulip/` - Consider enabling [Smokescreen][smokescreen] - Private streams can no longer be default streams (i.e. the ones new users are automatically added to). - New `scripts/start-server` and `scripts/stop-server` mean that one no longer needs to use `supervisorctl` directly for these tasks. - As this is a major release, we recommend [carefully updating the inline documentation in your `/etc/zulip/settings.py`][update-settings-docs]. Notably, we rewrote the template to be better organized and more readable in this release. - The web app will now display a warning in the UI if the Zulip server has not been upgraded in more than 18 months. template to be better organized and more readable. - The next time users log in to Zulip with their password after upgrading to this release, they will be logged out of all active browser sessions (i.e. the web and desktop apps). This is a side effect of improved security settings (increasing the minimum entropy used when salting passwords from 71 bits to 128 bits). - We've removed the partial Thumbor integration from Zulip. The Thumbor project appears to be dead upstream, and we no longer feel comfortable including it in Zulip from a security perspective. We hope to introduce a fully supported thumbnailing integration in our next major release. [docker-zulip-manual]: https://github.com/zulip/docker-zulip#manual-configuration [smokescreen]: ../production/deployment.html#using-an-outgoing-http-proxy [update-settings-docs]: ../production/upgrade-or-modify.html#updating-settings-py-inline-documentation #### Full feature changelog - Added new [release lifecycle documentation](../overview/release-lifecycle.md). - Added support for subscribing another stream's membership to a stream. - Added RealmAuditLog for most settings state changes in Zulip; this data will fascilitate future features showing a log of activity by a given user or changes to an organization's settings. - Added support for using Sentry for processing backend exceptions. - Added documentation for using `wal-g` for continuous PostgreSQL backups. - Added loading spinners for message editing widgets. - Added live update of compose placeholder text when recipients change. - Added keyboard navigation for popover menus that were missing it. - Added documentation for all [zulip.conf settings][zulip-conf-settings]. - Added dozens of new notification sound options. - Added menu option to unstar all messages in a topic. - Added confirmation dialog before unsubscribing from a private stream. - Added confirmation dialog before deleting your profile picture. - Added types for all parameters in the API documentation. - Added API endpoint to fetch user details by email address. - Added API endpoint to fetch presence details by user ID. - Added new LDAP configuration options for servers hosting multiple organizations. - Added new `@**|user_id**` mention syntax intended for use in bots. - Added preliminary support for Zulip on Debian Bullseye; this release is expected to support Bullseye without any further changes. - Added several useful new management commands, including `change_realm_subdomain` and `delete_user`. - Added support for subscribing all members of a user group to a stream. - Added support for sms: and tel: links. - Community topic editing time limit increased to 3 days for members. - New integrations: Freshping, JotForm, Uptime Robot, and a JSON formatter (which is particularly useful when developing a new integration). - Updated integrations: ClubHouse, NewRelic, Bitbucket, Zabbix. - Improved formatting of GitHub and GitLab integrations. - Improved the user experience for multi-user invitations. - Improved several rendered-message styling details. - Improved design of `