Alf.io 2.0-M5 (2024-09-06)
This is the fifth milestone on our way to Alf.io v2. See the Roadmap and the full Changelog.
What's Changed
Starting from 2.0-M5, we are dropping the old "executable war" file format in favor of a more standard "jar". Please update your instances accordingly.
Security Fixes
- CVE-2024-45300: Bypassing promo code limitations with race conditions - reported by @isacaya
- CVE-2024-45299: preloaded data as json is not escaped correctly - reported and fixed by @syjer
Changelog
- fix package-lock by @syjer in #1318
- add more ua for link preview: this round whatsapp and slack by @syjer in #1319
- delete references for ticket field in legacy tables by @syjer in #1321
- complete fix issue #1320 by @syjer in #1322
- fix issue #1324, handle donations by @syjer in #1325
- restrict lombok annotation use, add config file by @syjer in #1331
- Migrate to springboot 3.2 by @cbellone in #1349
- Initial integration of lit for admin by @syjer in #1353
- update lit, add context and task package by @syjer in #1356
- switch from mjml to mjml4j for build by @syjer in #1358
- Lit admin project banner, wip by @syjer in #1360
- Link subscriptions with categories by @cbellone in #1361
- switch to the new friendly fork of openhtmltopdf by @syjer in #1362
- Fix user-defined donation prices being saved with zero value by @shanebrowncs in #1363
- supporting "percentage fee" additional items by @cbellone in #1357
- port project banner from angularjs to lit by @syjer in #1364
- refactor file upload manager by @syjer in #1365
- add a unified "blob" cache by @syjer in #1366
- Improve error handling on public UI by @cbellone in #1376
- use different UUIDs for reservation/UI and check-in by @cbellone in #1375
- refactor admin: remove old angular-qrcode, use shoelace component by @syjer in #1378
- Bugfix/openid spring security 6 by @cbellone in #1383
- Support Cloudflare turnstile by @cbellone in #1385
- Disable SessionRepositoryFilter when accessing static resources by @syjer in #1386
- preload auth enabled check by @syjer in #1387
- display spinner on submit + refresh category by @cbellone in #1388
- prevent empty reservations from being created in case of high resource contention by @cbellone in #1390
- Improve file handling with if-none-match by @syjer in #1395
- fix OAuth redirection when connecting payment providers by @cbellone in #1396
New Contributors
- @shanebrowncs made their first contribution in #1363
- @isacaya made their first contribution in GHSA-67jg-m6f3-473g
Full Changelog: 2.0-M4-2407...2.0-M5