Releases · kimai/kimai

@tikket1

Compatible with PHP 8.2 to 8.5

Features

Added options to allow watermark-text and watermark-image in PDF (not allowed for PDFa/PDFx) usable in twig templates e.g. to define a background image
Translations update from Hosted Weblate (#5973)

Bugfixes

Added missing "default user" in invoice archive query (fixes invisible filter) (#5971)

🚨 Security

Improve whitespace handling in Search term parser (#5977) - thanks @tikket1

You can read more about all security reports here or grab this RSS feed to get notified about new published advisories.

Involved in this release: @kevinpapst

@shafiqaimanx

Compatible with PHP 8.2 to 8.5

Write log message for failed image downloads (invoice / export templates) (#5957)
Add user.account and entry.user_account as invoice template variables (#5957)
Fix number generator created duplicates on subsequent calls in one transaction for customer/project/activity (#5957)
Allow wizard to be extended by plugins (see docs) (#5957)
Added "user" as new filter for the invoice archive (#5957)
JS fix for forms without events (#5957)
Allow to use forms and modals without padding (#5957)
Translations update from Hosted Weblate (#5954) (#5967)
Fix adding an empty space in the delete modals (#5962)

Security

This release contains a fix for a high severity security issue reported by @shafiqaimanx

You can read more about all published vulnerabilities here or grab a RSS feed to get notified about new published advisories.

Involved in this release: @cheriimoya and @kevinpapst and @shafiqaimanx

@tofuSCHNITZEL

Compatible with PHP 8.2 to 8.5

Adds a setting to disable first time wizard for new users (#5938) - thanks @tofuSCHNITZEL
Switch to PNPM for frontend dependencies (#5953)
New wizard images (#5952)
Split wizards and password reset subscriber into two classes (#5952)
Relax upper PHP version (#5952)
Fix: sticky tooltip survives page reload (#5952)
Fix: actions could trigger GET requests to the API (#5952)
Fix: formatting locale reset after embedded controller sub-requests (#5944) - thanks @cheriimoya
Split CI lint and test jobs in separate workflows (#5952)
Docker: use tag as ref for checkout and build from local code (#5952)
Docker: new docker image version name (#5952)

Security

This release contains quite a few security related improvements and fixes (yep, LLMs are pretty strong nowadays).

User permissions <name>_other_profile now respect teams
CI: Added audit job to scan frontend deps for known vulnerabilities
CI: Added zizmor for GitHub action workflow security
Verify Project permissions in Timesheet Restart and Duplicate - thanks @Mitchell45
Prevent re-use of Password-Reset link - thanks @AzureADTrent
Auto generated APP_SECRET in Docker images - thanks @AzureADTrent
Removed API timesheet stop/restart GET endpoints to prevent CSRF - thanks @Mitchell45
Teamleads could create ExportTemplate besides hidden button - thanks @AzureADTrent
Prevent rendering images via markdown in custom templates - thanks @Mitchell45
Use a safe network client for fetching external sources in custom templates - thanks @Mitchell45
Verify current user can see user/activity when editing team via API - thanks @Mitchell45
Move create default team routes to API to prevent CSRF - thanks @Mitchell45

You can read more about all published vulnerabilities here or grab a RSS feed to get notified about new published advisories.

Involved in this release: @kevinpapst and @cheriimoya and @tofuSCHNITZEL and @Mitchell45 and @AzureADTrent

@cheriimoya

Compatible with PHP 8.2 to 8.5

New API endpoints for comment (list, create, delete, pin) for projects and customers
New configuration to define the theme for non-authenticated requests like login page (#5929)
Export naming: only name the default renderer "default" (#5929)
Fix: new weekly-hours could not be added in weeks with exported timesheets (#5642)
Fix: some dashboard widget links were invisible in dark mode (#5940)
Upgrade all dependencies (#5929)
Fix checking for correct formatter in durationDecimal (#5943)
Translations update from Hosted Weblate (#5928)

Security

This release contains multiple security fixes both from Kimai and its dependencies, upgrade as soon as possible.

Prevent querying arbitrary user timesheets (#5929)
Prevent changing favorites of arbitrary users (#5929)
Prevent regular users from turning their account into a systemAccount (#5929)
Prevent cross entity rate manipulation (#5929)
Secure timesheet API patch for disabled projects (#5929)
Prevent creating child objects of parents without access (#5929)

You can read more about all published vulnerabilities here or grab a RSS feed to get notified about new published advisories.

Involved in this release: @cheriimoya and @kevinpapst and @offset and @Mitchell45 and Abdul-Ramon

@kevinpapst

Compatible with PHP 8.2 to 8.5

‼️ The required minimum PHP version is now 8.2 (see below) ‼️

Added Catalan translation (#5921)
New API endpoint to download invoices (#5926)
New API endpoint to save invoice meta-fields (#5916)
Re-usable ACL checks on teams, xxx_other_timesheet permissions respect teams (#5925)
Whitelist PDF context options (#5924)
Twig config improvements (#5923)
Improved management script ./kimai.sh - please test and leave your feedback (#5909)
Translations update from Hosted Weblate (#5911)

⚠️⚠️⚠️ The required minimum PHP version is now 8.2 ⚠️⚠️⚠️

If you are still using PHP 8.1, please be aware it is EOL and does not receive security updates any longer. Many libraries added 8.2 as minimum requirements, so Kimai has to follow to receive updates.

If you have to upgrade to a newer version, do yourself the favor and upgrade directly to PHP 8.5.
The requirement for 8.2 is an intermediate solution for the near future, and the requirement will be raised to 8.5 rather sooner than later.

Involved in this release: @kevinpapst, @ntrpc-tech, @nullvector1, @melnicek, @fg0x0

@kevinpapst