Release v0.129.3

27 November 2025

Another patch release, this time focused on security improvements from our recent audit. There are also a few bugfixes, including an important one from the last release that potentially breaks model pages for new users!

Whatโ€™s Changed

๐Ÿ”’ Security ๐Ÿ”’

  • Obfuscate password input fields in user admin area by @Floppy in #5094
  • Sanitize upload filenames to prevent path traversal by @Floppy in #5098
  • Only object owners can set sharing permissions by @Floppy in #5099
  • Obfuscate OAuth client secret on screen (with reveal and copy options) by @Floppy in #5100
  • OIDC: Donโ€™t match accounts by unverified emails by @Floppy in #5101
  • Improve and test rate limiting, including OAuth and OIDC endpoints by @Floppy in #5104
  • Add explicit sanitization to fields that come in from the Fediverse by @Floppy in #5111

    ๐Ÿ› Bug Fixes ๐Ÿ›

  • Include slicer app images locally to avoid CORS errors by @Floppy in #5077
  • Fix server scheme in API documentation by @Floppy in #5102
  • Fix tour error on model page blocking entire UI by @Floppy in #5106
  • Fix error when rendering remote actors in federated search by @Floppy in #5110

Full Changelog: v0.129.2โ€ฆv0.129.3

See the original release on GitHub: v0.129.3