Gogs v0.12.0 Release Notes

  • ➕ Added

    • 👌 Support for Git LFS, you can read documentation for both user and admin. #1322
    • 👍 Allow admin to remove observers from the repository. #5803
    • 👉 Use Last-Modified HTTP header for raw files. #5811
    • 👌 Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
    • Able to fill in pull request title with a template. #5901
    • 📚 Able to override static files under public/ directory, please refer to documentation for usage. #5920
    • 🆕 New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
    • 👌 Support backup with retention policy for Docker deployments. #6140

    🔄 Changed

    • The required Go version to compile source code changed to 1.14.
    • 🍱 All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
    • 🚚 Application and Go versions are removed from page footer and only show in the admin dashboard.
    • 🏁 Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
    • 🗄 Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
    • 🗄 Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
    • 🗄 Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
    • 🔧 Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
    • 🔧 Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
    • Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
    • 🔧 Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
    • 🔧 Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
    • Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
    • Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
    • 🗄 Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
    • 🔔 Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
    • Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
    • Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
    • The name - is reserved and cannot be used for users or organizations.

    🛠 Fixed

    • 🔒 [Security] Potential open redirection with i18n.
    • 🔒 [Security] Potential ability to delete files outside a repository.
    • 🔒 [Security] Potential ability to set primary email on others' behalf from their verified emails.
    • 🔒 [Security] Potential XSS attack via .ipynb. #5170
    • 🔒 [Security] Potential SSRF attack via webhooks. #5366
    • 🔒 [Security] Potential CSRF attack in admin panel. #5367
    • 🔒 [Security] Potential stored XSS attack in some browsers. #5397
    • 🔒 [Security] Potential RCE on mirror repositories. #5767
    • 🔒 [Security] Potential XSS attack with raw markdown API. #5907
    • File both modified and renamed within a commit treated as separate files. #5056
    • ⏪ Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
    • Open/close milestone redirects to a 404 page. #5677
    • Disallow multiple tokens with same name. #5587 #5820
    • Enable Federated Avatar Lookup could cause server to crash. #5848
    • Private repositories are hidden in the organization's view. #5869
    • Server error when changing email address in user settings page. #5899
    • Fall back to use RFC 3339 as time layout when misconfigured. #6098
    • Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.

    ✂ Removed

    • Configuration option [other] SHOW_FOOTER_VERSION
    • Configuration option [server] STATIC_ROOT_PATH
    • Configuration option [repository] MIRROR_QUEUE_LENGTH
    • Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
    • Configuration option [session] ENABLE_SET_COOKIE
    • 🚀 Configuration option [release.attachment] PATH
    • 🔧 Configuration option [webhook] QUEUE_LENGTH
    • 🏗 Build tag sqlite, which means CGO is now required.

    🚀 Older change logs can be found on GitHub.