Web UI Release Notes

Recently Released Changes

What’s New in Web UI for LTS 2025 (Version 2025.10.0)

Security Improvements

• Prototype Pollution Fix: Addressed risks in deep-merge logic by blocking unsafe keys (proto, constructor) and ensuring only own properties are merged, preventing potential XSS or logic-tampering attacks.

• GitHub Actions Permissions: Default permissions restricted to read-only, replacing previous read-write defaults. Write access is now restricted to necessary scopes only.

• jsondiffpatch Vulnerability: Resolved XSS vulnerability in jsondiffpatch (via HtmlFormatter) by upgrading from version 0.3.11 to version 0.7.3 and implemented HTML formatting rules to prevent script injection.

• Select2 XSS Fix: Patched vulnerability in Select2 version 4.0.5 and earlier where HTML templates with Ajax-loaded data could allow script injection. Updated Web UI logic now prevents unsafe HTML rendering.

Bug Fixes & Upgrades

• Dashboard Layout Consistency: Implemented uniform layout recalculations across dashboard and panels, eliminating extra scrollbars, spacing gaps, and inconsistent component sizing.

• Nuxeo Spreadsheet Compatibility: Fixed breaking changes after upgrading Select2 from 3.x to 4.x by updating wrapper classes and replacing deprecated APIs for full compatibility.

• PDF.js Upgrade: Updated to version 5.4, enabling better handling of complex PDFs and introducing new features.

• Metadata Enhancement: The “Publisher” and “Publish date” fields now accurately reflect the actual publishing of the document, ensuring better clarity and consistency in document lifecycle tracking.

Previous Release Notes