Countly/countly-server

📋 Changes

• [content] Bugfixes for content showing
• [core] Improved validation for user passed queries.
• [journey_engine] result tab made available for running journeys

📋 Changes

• Overall security Fixes
• Ensuring Countly working from a network subdirectory
• [active_directory] Journey approver group added
• [ldap] Journey approver group added

📋 Changes

• [core] Accept numeric color in saveNote schema so graph note create/edit no longer fails validation
• [jobs] Filter out jobs, which belongs to disabled plugins on fetching job list.
• [core] Fixed topEvents data calculations with event keys containing ".".
• [groups] Tolerate legacy string `group_id` on members in findGroups aggregation so the groups listing, User Management, Alerts and Preset Management pages no longer 400 with MongoDB Location40081 on tenants with pre-2021 data

📋 Changes

• [alerts] Validate alertConfig.selectedApps against caller's permissions (cross-app metric exfiltration)
• [app_users / logger / compliance-hub] Strip dangerous Mongo operators ($where, $expr, $function, $accumulator) from user-supplied queries
• [app_users] Sanitize user.picture filename before deletion (path traversal)
• [app_users] Scope export download/delete to caller's app_id; reject path-traversal in filenames
• [apps] Replace updateApp/createApp mass-assignment with explicit field allowlist
• [auth] Generate new-member invite prid with crypto.randomBytes (replace predictable HMAC)
• [auth] Handle req.session.regenerate error in token login
• [auth] Replace OTP-equality recaptcha bypass with twoFactorPassed session flag
• + 38 more

📋 Changes

• [auth] Restrict `/login/token/:token` to login-purpose tokens; regenerate session id on token login to close fixation
• [dashboards] Require auth + per-widget app permission on `/o/dashboards/test`; remove the unused endpoint
• [dashboards] Identical response for missing/inaccessible dashboard (no enumeration)
• [dbviewer] Block `$graphLookup` aggregation stage (cross-collection data exfiltration)
• [redirect] Apply SSRF protection (`api/utils/ssrf-protection.js`) to `app.redirect_url` outbound requests
• [tasks] Authorize `/i/tasks/{update,delete,name,edit}` per task ownership / app admin / global admin
• [exports] Authorize `/o/export/download` by task ownership / app_id
• [notes] Bind notes to permission-checked `app_id`; check edit permissions against the note's stored `app_id`
• + 29 more

📋 Changes

• [flow] Optimize timeline period query
• Bump follow-redirects from 1.15.11 to 1.16.0
• Bump get-random-values from 4.1.1 to 4.1.2
• Revert @vitejs/plugin-legacy from 8.0.1 to 7.2.1

📋 Changes

• [alerts] Fixed alert jobs using system's timezone instead of application's
• [compliance-hub] Correctly merge user history on user merge
• [onboarding] Fix redirection to newsletter page
• [star-rating] Fix active status checkbox in drawer
• [star-rating] Fix consent fields in drawer
• [retention_segments] Adding null check for breakdown filtering

📋 Changes

• [alerts] Fixed alert jobs using system's timezone instead of application's
• [core] Fixed duplicate conditional in form field template
• [data-manager] Fix notification message after editing user property
• [white-labeling] Update newsletter setting description

📋 Changes

• [push] Fix: Cannot create a push notification when configuration _id is a string
• [star-rating] Fixed widget asset path with subdirectory
• [journeys] Fix: prevent users entered stat to minus value for race conditions
• [surveys] Fixed widget asset path with subdirectory

📋 Changes

• [hooks] Implement domain/ip address validation for hooks with http effect
• [reports] Hardcoded default secret for the e-mails converted to be randomly generated
• [drill] Hide redacted user properties in filters
• [oidc] Using sub as fallback as user identifier when there's no email
• Bump countly-sdk-web from 26.1.0 to 26.1.1
• Bump ejs from 4.0.1 to 5.0.1
• Bump express-rate-limit from 8.3.0 to 8.3.1
• Bump fast-xml-parser from 5.4.1 to 5.5.7 in /plugins/push
• + 5 more

📋 Changes

• [core] Fixed replaceDatabaseString incorrectly replacing "countly" in the MongoDB username when it appears in the connection URL
• [dashboards] Unescape event segment values in meta
• [push] Using Android specific content for Huawei messages as well
• [data-manager] Fix validation approval button label
• [data-manager] Fix validation table column names

📋 Changes

• [push] Fixed the property name by changing it from link to url for message buttons for Huawei messages
• [web] Use Client Hints

📋 Changes

• [core] Update home page download notification text
• [data-manager] Add search and checkboxes in event selector when creating event group
• [funnels] Use lsid in same session funnel calculation
• [users] Export drill data on user export
• [users] Fix export query when there is profile group filter
• Bump @faker-js/faker from 10.2.0 to 10.3.0 in /ui-tests
• Bump axios from 1.13.2 to 1.13.5
• Bump basic-ftp from 5.1.0 to 5.2.0
• + 11 more

📋 Changes

• [journey] Workflow fixes
• [users] UI events table fixes

📋 Changes

• [core] Fixes for search bar in standart table component
• [journeys] Fixes for journey data updates on incoming data.
• [surveys] Return error message if invalid widget_id passed on template loading
• [users] Show content and journey events in user profile

📋 Changes

• [core] Fix period calculation
• [dashboards] Update dialog button color when deleting dashboard/widget
• [star-rating] Fix rating number when exporting data
• [content] Uniform journey and content block actions
• [content] Fix overflow and missing translations in content blocks
• [content] Fix button management when creating fullscreen content blocks
• [crash_symbolication] Use countlyfs for JavaScript symbolication
• [funnels] Fix funnel name tooltip content
• + 6 more

📋 Changes

• [compliance-hub] Correctly merge user history on user merge
• [core] Ensured usage of local fonts.
• [events] Fixed issue with page reloading on error
• [push] re-schedule on a message update for auto triggers as well
• [remote-config] Fix searching for parameter in experiment variants
• [star-rating] Fix active status checkbox in drawer
• [star-rating] Fix consent fields in drawer
• [cohorts] Correctly regenerate cohorts having $or rule on custom properties
• + 14 more

📋 Changes

• [core] Filtering out internal events while calculating top events
• [fix] Data Regeneration Error
• [onboarding] Fix redirection to newsletter page
• [push] Message cancellation doesn't work on cohort exit

📋 Changes

• [core] Add null checking for user permission when opening the dashboard
• [core] fixes for changeOwner script
• [core] Preserve URL hash during oauth
• [core] Rate limiting for api endpoints
• [2fa] Removed the secret and qr code from the dashboard response
• [data-masking] Correctly dealing with unexpected filter on event_data collection while masking
• [profile-groups] Error handling on missing list on failed profile group report download
• [retention_segments] Adding null check for breakdown filtering
• + 24 more

📋 Changes

• [journeys] Save to profiile block implemented
• [push] Better FCM error handling

📋 Changes

• [push] Better FCM error handling

📋 Changes

• [core] Do not output password in logs on mongodb connection initialisation error
• [core] Hide error details on render error from response
• [dashboards] Do not show error if request is cancelled.
• [dbviewer] Hide api_key from requests
• [events] Do not throw error in UI on returned group data if there is no segmentation set
• [drill] Fixed timeline recalculation
• [surveys] Do not fetch survey meta data if plugin is disabled

📋 Changes

• [alerts] Add alert interval validation in the frontend
• [events] Correctly navigate to event groupmin events menu
• [applications] Ensure application management list reorders after create/update
• [concurrent_users] Fix email check for alert
• [dashboards] Keep dashboard sidebar sorted alphabetically after additions
• [data-manager] Correctly show last triggered for events if data masking is enabled

📋 Changes

• [alerts] Add alert interval validation in the frontend
• [concurrent_users] Fix email check for alert

📋 Changes

• [core-vis] Fix chart legend click event
• [push] Fixed the options of the request being made during mime detection
• [views] Fix view name that is displayed in view table
• [concurrent_users] Fix alert threshold comparison
• [dashboards] Add setting to disable public dashboards
• [surveys] Handle multiple survey submission from same user based on survey visibility
• [users] Display user property limits in user profiles when exceeded
• [users] Set correct users widget table rows amount according to selected setting

📋 Changes

• [users] Set correct users widget table rows amount according to selected setting

📋 Changes

• [core-vis] Fix chart legend click event
• [data-manager] Fix last modified data for event and segment
• [views] Fix view name that is displayed in view table
• [concurrent_users] Fix alert threshold comparison
• [surveys] Handle multiple survey submission from same user based on survey visibility
• [users] Set correct users widget table rows amount according to selected setting

📋 Changes

• [push] Fixed timeout setting
• [security] Fixed injection possibility on res.expose
• [data-manager] Fixed bug when merging events with ampersand symbol in the name
• [groups] Add logs for user updates
• [nps] Sort widgets by internal name and search by name or internal name
• [surveys] Change question map log to debug log
• [surveys] Sort widgets by internal name and search by name or internal name
• Bump axios from 1.12.2 to 1.13.1 in /plugins/cognito
• + 9 more

📋 Changes

• [nps] Sort widgets by internal name and search by name or internal name
• [surveys] Sort widgets by internal name and search by name or internal name

📋 Changes

• [security] Fixed injection possibility on res.expose
• [data-manager] Fixed bug when merging events with ampersand symbol in the name
• [groups] Add logs for user updates
• [nps] Sort widgets by internal name and search by name or internal name
• [surveys] Sort widgets by internal name and search by name or internal name