11.4.5-ce.0

11.4.5 (2018-11-04)

Fixed (4 changes, 1 of them is from the community)

• fix link to enable usage ping from convdev index. !22545 (Anand Capur)
• Update gitlab-ui dependency to 1.8.0-hotfix.1 to fix IE11 bug.
• Remove duplicate escape in job sidebar.
• Fixed merge request fill tree toggling not respecting fluid width preference.

Other (1 change)

• Fix stage dropdown not rendering in different languages.

11.4.4-ce.0

11.4.4 (2018-10-30)

Security (1 change)

• Monkey kubeclient to not follow any redirects.

11.4.3-ce.0

11.4.3 (2018-10-26)

• No changes.

11.4.2-ce.0

Security (5 changes)

• Escape entity title while autocomplete template rendering to prevent XSS. !2571
• Persist only SHA digest of PersonalAccessToken#token.
• Redact personal tokens in unsubscribe links.
• Block loopback addresses in UrlBlocker.
• Validate Wiki attachments are valid temporary files.

11.4.1-ce.0

11.4.1 (2018-10-23)

Security (2 changes)

• Fix XSS in merge request source branch name.
• Prevent SSRF attacks in HipChat integration.

11.4.0-ce.0

11.4.0 (2018-10-22)

Security (9 changes)

• Filter user sensitive data from discussions JSON. !2536
• Encrypt webhook tokens and URLs in the database. !21645
• Redact confidential events in the API.
• Set timeout for syntax highlighting.
• Sanitize JSON data properly to fix XSS on Issue details page.
• Markdown API no longer displays confidential title references unless authorized.
• Properly filter private references from system notes.
• Fix stored XSS in merge requests from imported repository.
• Fix xss vulnerability sourced from package.json.

Removed (2 changes)

• Remove background job throttling feature. !21748
• Remove sidekiq info from performance bar.

Fixed (68 changes, 18 of them are from the community)

• Fixes 500 for cherry pick API with empty branch name. !21501 (Jacopo Beschi @jacopo-beschi)
• Fix sorting by priority or popularity on group issues page, when also searching issue content. !21521
• Fix vertical alignment of text in diffs. !21573
• Fix performance bar modal position. !21577
• Bump KaTeX version to 0.9.0. !21625
• Correctly show legacy diff notes in the merge request changes tab. !21652
• Synchronize the default branch when updating a remote mirror. !21653
• Filter group milestones based on user membership. !21660
• Fix double title in merge request chat messages. !21670 (Kukovskii Vladimir)
• Delete container repository tags outside of transaction. !21679
• Images are no longer displayed in Todo descriptions. !21704
• Fixed merge request widget discussion state not updating after resolving discussions. !21705
• Vendor Auto-DevOps.gitlab-ci.yml to fix bug where the deploy job does not wait for Deployment to complete. !21713
• Use Reliable Sidekiq fetch. !21715
• No longer show open issues from archived projects in group issue board. !21721
• Issue and MR count now ignores archived projects. !21721
• Fix resizing of monitoring dashboard. !21730
• Fix object storage uploads not working with AWS v2. !21731
• Don't ignore first action when assign and unassign quick actions are used in the same comment. !21749
• Align form labels following Bootstrap 4 docs. !21752
• Respect the user commit email in more places. !21773
• Use stats RPC when comparing diffs. !21778
• Show commit details for selected commit in MR diffs. !21784
• Resolve "Geo: Does not mark repositories as missing on primary due to stale cache". !21789
• Fix leading slash in redirects and add rubocop cop. !21828 (Sanad Liaquat)
• Fix activity titles for MRs in chat notification services. !21834
• Hides Close Merge request btn on merged Merge request. !21840 (Jacopo Beschi @jacopo-beschi)
• Doesn't synchronize the default branch for push mirrors. !21861
• Fix broken styling when issue board is collapsed. !21868 (Andrea Leone)
• Set a header for custom error pages to prevent them from being intercepted by gitlab-workhorse. !21870 (David Piegza)
• Fix resolved discussions being unresolved when commented on. !21881
• Fix timeout when running the RemoveRestrictedTodos background migration. !21893
• Enable the ability to use the force env for rebuilding authorized_keys during a restore. !21896
• Fix link handling for issue cards to avoid too sensitive drag events. !21910 (Johann Hubert Sonntagbauer)
• Guard against a login attempt with invalid CSRF token. !21934
• Allow setting user's organization and location attributes through the API by adding them to the list of allowed parameters. !21938 (Alexis Reigel)
• Includes commit stats in POST project commits API. !21968 (Jacopo Beschi @jacopo-beschi)
• Fix loading issue on some merge request discussion. !21982
• Prevent Error 500s with invalid relative links. !22001
• Fix stale issue boards after browser back. !22006 (Johann Hubert Sonntagbauer)
• Filter issues without an Assignee via the API. !22009 (Eva Kadlecová)
• Fixes modal button alignment. !22024 (Jacopo Beschi @jacopo-beschi)
• Fix rendering placeholder notes. !22078
• Instance Configuration page now displays correct SSH fingerprints. !22081
• Fix showing diff file header for renamed files. !22089
• Fix LFS uploaded images not being rendered. !22092
• Fix the issue where long environment names aren't being truncated, causing the environment name to overlap into the column next to it. !22104
• Trim whitespace when inviting a new user by email. !22119 (Jacopo Beschi @jacopo-beschi)
• Fix incorrect parent path on group settings page. !22142
• Update copy to clipboard button data for application secret. !22268 (George Tsiolis)
• Improve MR file tree in smaller screens. !22273
• Fix project deletion when there is a export available. !22276
• Fixes stuck block URL linking to documentation instead of settings page. !22286
• Fix caching issue with pipelines URL. !22293
• Fix erased block not being rendered when job was erased. !22294
• Load correct stage in the stages dropdown. !22317
• Fixes close/reopen quick actions preview for issues and merge_requests. !22343 (Jacopo Beschi @jacopo-beschi)
• Allow Issue and Merge Request sidebar to be toggled from collapsed state. !22353
• Fix filter bar height bug when a tag is added.
• Fix the state of the Done button when there is an error in the GitLab Todos section. (marcos8896)
• Fix wrong text color of help text in merge request creation. (Gerard Montemayor)
• Add borders and white background to markdown tables.
• Fixed mention autocomplete in edit merge request.
• Fix long webhook URL overflow for custom integration. (Kukovskii Vladimir)
• Fixed file templates not fully being fetched in Web IDE.
• Fixes performance bar looking for a key in a undefined prop.
• Hides sidebar for job page in mobile.
• Fixes triggered/created labeled in job header.

Changed (26 changes, 4 of them are from the community)

• Enable unauthenticated access to public SSH keys via the API. !20118 (Ronald Claveau)
• Support Kubernetes RBAC for GitLab Managed Apps when creating new clusters. !21401
• Highlight current user in comments. !21406
• Excludes project marked from deletion to projects API. !21542 (Jacopo Beschi @jacopo-beschi)
• Improve install flow of Kubernetes cluster apps. !21567
• Move including external files in .gitlab-ci.yml from Starter to Libre. !21603
• Simplify runner registration token resetting. !21658
• Filter any parameters ending with "key" in logs. !21688
• Ensure the schema is loaded with post_migrations included. !21689
• Updated icons used in filtered search dropdowns. !21694
• Enable omniauth by default. !21700
• Vendor Auto-DevOps.gitlab-ci.yml to refactor registry_login. !21714 (Laurent Goderre @LaurentGoderre)
• Add Gitaly diff stats RPC client. !21732
• Allow user to revoke an authorized application even if User OAuth applications setting is disabled in admin settings. !21835
• Change vertical margin of page titles to 16px. !21888
• Preserve order of project tags list. !21897
• Avoid close icon leaving the modal header. !21904
• Allow /copy_metadata for new issues and MRs. !21953
• Link to the tag for a version on the help page instead of to the commit. !22015
• Show SHA for pre-release versions on the help page. !22026
• Use local tiller for Auto DevOps. !22036
• Remove 'rbac_clusters' feature flag. !22096
• Increased retained event data by extending events pruner timeframe to 2 years. !22145
• Add installation type to backup information file. !22150
• Remove duplicate button from the markdown header toolbar. !22192 (George Tsiolis)
• Update to Rouge 3.3.0 including frozen string literals for improved memory usage.

Performance (17 changes, 6 of them are from the community)

• Enable frozen string in app/controllers/**/*.rb.
• Improve lazy image loading performance by using IntersectionObserver where available. !21565
• Adds support for Gitaly ListLastCommitsForTree RPC in order to make bulk-fetch of commits more performant. !21921
• Dont create license_management build when not included in license. !21958
• Skip creating auto devops jobs for sast, container_scanning, dast, dependency_scanning when not licensed. !21959
• Reduce queries needed to compute notification recipients. !22050
• Banzai label ref finder - minimize SQL calls by sharing context more aggresively. !22070
• Removes expensive dead code on main MR page request. !22153
• Lazy load xterm custom colors css.
• Mitigate N+1 queries when parsing commit references in comments.
• Enable more frozen string in app/controllers/. (gfyoung)
• Increase performance when creating discussions on diff.
• Enable frozen string in lib/api and lib/backup. (gfyoung)
• Enable frozen string in vestigial files. (gfyoung)
• Enable frozen string for app/helpers/**/*.rb. (gfyoung)
• Enable frozen string in app/graphql + app/finders. (gfyoung)
• Enable even more frozen string in app/controllers. (gfyoung)

Added (37 changes, 21 of them are from the community)

• Allow file templates to be requested at the project level. !7776
• Add /lock and /unlock quick actions. !15197 (Mehdi Lahmam (@mehlah))
• Added search functionality for Work In Progress (WIP) merge requests. !18119 (Chantal Rollison)
• pipeline webhook event now contain pipeline variables. !18171 (Pierre Tardy)
• Add markdown header toolbar button to insert table. !18480 (George Tsiolis)
• Add link button to markdown editor toolbar. !18579 (Jan Beckmann)
• Add access control to GitLab pages and make it possible to enable/disable it in project settings. !18589 (Tuomo Ala-Vannesluoma)
• Add a filter bar to the admin runners view and add a state filter. !19625 (Alexis Reigel)
• Add a type filter to the admin runners view. !19649 (Alexis Reigel)
• Allow user to choose the email used for commits made through GitLab's UI. !21213 (Joshua Campbell)
• Add autocomplete drop down filter for project snippets. !21458 (Fabian Schneider)
• Allow events filter to be set in the URL in addition to cookie. !21557 (Igor @ig...

11.3.6-ce.0

11.3.6 (2018-10-17)

• No changes.

11.3.5 (2018-10-15)

Fixed (2 changes)

• Fix loading issue on some merge request discussion. !21982
• Fix project deletion when there is a export available. !22276

11.3.3 (2018-10-04)

• No changes.

11.3.2 (2018-10-03)

Fixed (4 changes)

• Fix NULL pipeline import problem and pipeline user mapping issue. !21875
• Fix migration to avoid an exception during upgrade. !22055
• Fixes admin runners table not wrapping content.
• Fix Error 500 when forking projects with Gravatar disabled.

Other (1 change)

• Removes the 'required' attribute from the 'project name' field. !21770

11.3.1 (2018-09-26)

Security (6 changes)

• Redact confidential events in the API.
• Set timeout for syntax highlighting.
• Sanitize JSON data properly to fix XSS on Issue details page.
• Fix stored XSS in merge requests from imported repository.
• Fix xss vulnerability sourced from package.json.
• Block loopback addresses in UrlBlocker.

11.3.0 (2018-09-22)

Security (5 changes, 1 of them is from the community)

• Disable the Sidekiq Admin Rack session. !21441
• Set issuable_sort, diff_view, and perf_bar_enabled cookies to secure when possible. !21442
• Update rubyzip to 1.2.2 (CVE-2018-1000544). !21460 (Takuya Noguchi)
• Fixed persistent XSS rendering/escaping of diff location lines.
• Block link-local addresses in URLBlocker.

Removed (1 change)

• Remove Gemnasium service. !21185

Fixed (83 changes, 24 of them are from the community)

• Hide PAT creation advice for HTTP clone if PAT exists. !18208 (George Thomas @thegeorgeous)
• Allow spaces in wiki markdown links when using CommonMark. !20417
• disable_statement_timeout no longer leak to other migrations. !20503
• Events API now requires the read_user or api scope. !20627 (Warren Parad)
• Fix If-Check the result that a function was executed several times. !20640 (Max Dicker)
• Add migration to cleanup internal_ids inconsistency. !20926
• Fix fallback logic for automatic MR title assignment. !20930 (Franz Liedke)
• Fixed bug when the project logo file is stored in LFS. !20948
• Fix buttons on the new file page wrapping outside of the container. !21015
• Solve tooltip appears under modal. !21017
• Fix Bitbucket Cloud importer omitting replies. !21076
• Fix pipeline fixture seeder. !21088
• Fix blocked user card style. !21095
• Fix empty merge requests not opening in the Web IDE. !21102
• Fix label list item container height when there is no label description. !21106
• Fixes input alignment in user admin form with errors. !21108 (Jacopo Beschi @jacopo-beschi)
• Rails5 fix specs duplicate key value violates unique constraint 'index_gpg_signatures_on_commit_sha'. !21119 (Jasper Maes)
• Add gitlab theme to spam logs pagination. !21145
• Split remembering sorting for issues and merge requests. !21153 (Jacopo Beschi @jacopo-beschi)
• Fix git submodule link for subgroup projects with relative path. !21154
• Fix: Project deletion may not log audit events during group deletion. !21162
• Fix 1px cutoff of emojis. !21180 (gfyoung)
• Auto-DevOps.gitlab-ci.yml: update glibc package to 2.28. !21191 (sgerrand)
• Show google icon in audit log. !21207 (Jan Beckmann)
• Fix bin/secpick error and security branch prefixing. !21210
• Importing a project no longer fails when visibility level holds a string value type. !21242
• Fix attachments not displaying inline with Google Cloud Storage. !21265
• Fix IDE issues with persistent banners. !21283
• Fix "Confidential comments" button not saving in project hooks. !21289
• Bump fog-google to 1.7.0 and google-api-client to 0.23.0. !21295
• Don't use arguments keyword in gettext script. !21296 (gfyoung)
• Fix breadcrumb link to issues on new issue page. !21305 (J.D. Bean)
• Show '< 1%' when percent value evaluated is less than 1 on Stacked Progress Bar. !21306
• API: Catch empty commit messages. !21322 (Robert Schilling)
• Fix SQL error when sorting 2FA-enabled users by name in admin area. !21324
• API: Catch empty code content for project snippets. !21325 (Robert Schilling)
• Avoid nil safe message. !21326 (Yi Siliang)
• Allow date parameters on Issues, Notes, and Discussions API for group owners. !21342 (Florent Dubois)
• Fix remote mirrors failing if Git remotes have not been added. !21351
• Removing a group no longer triggers hooks for project deletion twice. !21366
• Use slugs for default project path and sanitize names before import. !21367
• Vertically centres landscape avatars. !21371 (Vicary Archangel)
• Fix Web IDE unable to commit to same file twice. !21372
• Fix project transfer name validation issues causing a redirect loop. !21408
• Fix Error 500s due to encoding issues when Wiki hooks fire. !21414
• Rails 5: include opclasses in rails 5 schema dump. !21416 (Jasper Maes)
• Bump GitLab Pages to v1.1.0. !21419
• Fix links in RSS feed elements. !21424 (Marc Schwede)
• Allow gaps in multiseries metrics charts. !21427
• Auto-DevOps.gitlab-ci.yml: fix redeploying deleted app gives helm error. !21429
• Use sample data for push event when no commits created. !21440 (Takuya Noguchi)
• Fix importers not assigning a new default group. !21456
• Fix edge cases of JUnitParser. !21469
• Fix breadcrumb link to merge requests on new merge request page. !21502 (J.D. Bean)
• Handle database statement timeouts in usage ping. !21523
• Handles exception during file upload - replaces the stack trace with a small error message. !21528
• Fix closing issue default pattern. !21531 (Samuele Kaplun)
• Fix outdated discussions being shown on Merge Request Changes tab. !21543
• Remove orphaned label links. !21552
• Delete a container registry asynchronously. !21553
• Make MR diff file filter input Clear button functional. !21556
• Replace white spaces in wiki attachments file names. !21569
• API: Use find_branch! in all places. !21614 (Robert Schilling)
• Fixes double +/- on inline diff view. !21634
• Fix broken exports when they include a projet avatar. !21649
• Fix workhorse temp path for namespace uploads. !21650
• Fixed resolved discussions not toggling expanded state on changes tab. !21676
• Update GitLab Shell to v8.3.2. !21701
• Fix absent Click to Expand link on diffs not rendered on first load of Merge Requests Changes tab. !21716
• Update GitLab Shell to v8.3.3. !21750
• Fix import error when archive does not have the correct extension. !21765
• Fixed IDE deleting new files creating wrong state.
• Does not collapse runners section when using pagination.
• Fix Emojis cutting in the right way. (Alexander Popov)
• Fix NamespaceUploader.base_dir for remote uploads.
• Increase width of checkout branch modal box.
• Fixes SVGs for empty states in job page overflowing on mobile.
• Fix checkboxes on runner admin settings - The labels are now clickable.
• Fixed IDE file row scrolling into view when hovering.
• Accept upload files in public/uplaods/tmp when using accelerated uploads.
• Include correct CSS file for xterm in environments page.
• Increase padding in code blocks.
• Fix: Project deletion may not log audit events during user deletion.

Changed (32 changes, 5 of them are from the community)

• Add default avatar to group. !17271 (George Tsiolis)
• Allow project owners to set up forking relation through API. !18104
• Limit navbar search for current project or group for small viewports. !18634 (George Tsiolis)
• Add Noto Color Emoji font support. !19036 (Alexander Popov)
• Update design of project overview page. !20536
• Improve visuals of language bar on projects. !21006
• Migrate NULL wiki_access_level to correct number so we count active wikis correctly. !21030
• Support a custom action, such as proxying to another server, after /api/v4/internal/allowed check succeeds. !21034
• Remove storage path dependency of gitaly install task. !21101
• Support Kubernetes RBAC for GitLab Managed Apps when adding a existing cluster. !21127
• Change 'Backlog' list title to 'Open' in Issue Boards. !21131
• Enable Auto DevOps Instance Wide Default. !21157
• Allow author to vote on their own issue and MRs. !21203
• Truncate branch names and update "commits behind" text in MR page. !21206
• Adds count for different board list types (label lists, assignee lists, and milestone lists) to usage statistics. !21208
• Render files (.md) and wikis using CommonMark. !21228
• Show deprecation message on project milestone page for category tabs. !21236
• Remove redundant header from metrics page. !21282
• Add default parameter to branches API. !21294 (Riccardo Padovani)
• Restrict reopening locked issues for non authorized issue authors. !21299
• Send back required object storage PUT headers in /uploads/authorize API. !21319
• Display default status emoji if only message is entered. !21330
• Move badge settings to general settings. !21333
• Move project settings for default branch under "Repository". !21380
• Import all common metrics into database. !21459
• Improved commit panel in Web IDE. !21471
• Administrative cleanup rake tasks now leverage Gitaly. !21588
• Remove health check feature flag in BackgroundMigrationWorker.
• Expose user's id in /admin/users/ show page. (Eva Kadlecova)
• Improved styling of top bar in IDE job trace pane.
• Make terminal button more visible.
• Shows download artifacts button for pipelines on small screens.

Performance (13 changes, 2 of them are from the community)

• Enable frozen string in rest of app/models/**/*.rb.
• Add background migrations for legacy artifacts. !18615
• Optimize querying User#manageable_groups. !21050
• Incremental rendering with Vue on merge request page. !21063
• Remove redundant ci_builds (status) index. !21070
• Enable frozen in app/mailers/**/*.rb. !21147 (gfyoung)
• Improve performance when fetching related merge requests for an issue. !21237
• Speed up dif...

10.8.5-ce.0

10.8.5 (2018-06-21)

Security (5 changes)

• Fix XSS vulnerability for table of content generation.
• Update sanitize gem to 4.6.5 to fix HTML injection vulnerability.
• HTML escape branch name in project graphs page.
• HTML escape the name of the user in ProjectsHelper#link_to_member.
• Don't show events from internal projects for anonymous users in public feed.

10.8.3-ce.0

10.8.3 (2018-05-30)

Fixed (4 changes)

• Replace Gitlab::REVISION with Gitlab.revision and handle installations without a .git directory. !19125
• Fix encoding of branch names on compare and new merge request page. !19143
• Fix remote mirror database inconsistencies when upgrading from EE to CE. !19196
• Fix local storage not being cleared after creating a new issue.

Performance (1 change)

• Memoize Gitlab::Database.version.

10.8.2-ce.0

10.8.2 (2018-05-28)

Security (3 changes)

• Prevent user passwords from being changed without providing the previous password.
• Fix API to remove deploy key from project instead of deleting it entirely.
• Fixed bug that allowed importing arbitrary project attributes.