API

• Fix: Correctly sanitize against regex attack in members search (@YoyoChaud)
• Fix: Initialize ioredis for connecting to rate limiter (@phillipthelen)

API

• Performance: Use worker server instead of main for user deletion operations (@phillipthelen and @SabreCat)
• Chore: Locale files updated (@weblate contributors)

Client

• Feature: Add sitemap and robots.txt (@phillipthelen)
• Refactor: Move apidoc to its own site, domain, and repo (@SabreCat)

API

• Content: Preload of Gala and monthly content for July-September 2026 (@SabreCat, @beffymaroo et al)
• Chore: Locale files updated (@weblate contributors)

Client

• Feature: Summary text of Daily scheduling outside of Group Plans (@Hafizzle)
• Fix: cursor: pointer for collapsible FAQ entries (@SabreCat)

API

• Fix: New iteration of rate limiter that doesn't punish normal typing during registration (@phillipthelen)
• Fix: Clean up database records of chat messages that are beyond threshold for display (@phillipthelen)
• Fix: Add missing word in description of Verdant Page Banner item (@SabreCat)
• Fix: Process recurring_payment_skipped PayPal IPNs and cancel subscription when this happens (@SabreCat)
• Chore: Locale files updated (@weblate contributors)

API

• Fix: Apply rate limiting to /api/v4 requests and increase cost of account registration (@phillipthelen)
• Fix: Move quest accept operations to a transaction to avoid inconsistent state of RSVPNeeded field (@Hafizzle and @SabreCat)
• Chore: Locale files updated (@weblate contributors)

Client

• Fix: Correct z-index of task options dropdown vs other tasks in column (@SabreCat)
• Fix: Adjust tab order and focus highlighting when navigating across task elements with keyboard (@SabreCat)

API

• Feature: Capture some basic KPIs in our own database instead of sending data to third party analytics platforms (@phillipthelen)
• Fix: Disable CSP rules that were breaking Google login and apidoc, for now (@SabreCat)

Client

• Feature: Caution user about including sensitive personal information, or SPI, in task fields (@SabreCat)
• Fix: Rerender task columns as necessary to ensure DOM stays consistent in display of user's task order (@SabreCat)
• Refactor: Remove prior analytics solution (@phillipthelen)

API

• Feature: Remove logging at subscription time for PayPal; instead capture data at IPN endpoint (@SabreCat)
• Fix: Include habitica.com literal as well as *.habitica.com wildcard in CSP whitelist (@SabreCat)

API

• Feature: Implemented Content-Security-Policy (@SabreCat)
• Refactor: Moment locales delivered from core translations API (@phillipthelen)
• Chore: Locale files updated (@weblate contributors)

Client

• Fix: Capture email during registration flow for some Apple users with accounts that lack emails (@SabreCat and @Hafizzle)
• Refactor: Remove Webpack and vue-fragment (@SabreCat)

API

• Fix: Look up expired group plans by dateCreated instead of customerId, which gets blanked out after cancellation (@Hafizzle)
• Chore: Locale files updated (@weblate contributors)

API

• Fix: Add a default price to the latest event background, to better fit mobile logic (@SabreCat)
• Chore: Locale files updated (@weblate contributors)

Client

• Fix: Restore mistakenly deleted CSS related to animated GIFs (@SabreCat)