Releases: sourcebot-dev/sourcebot
Releases · sourcebot-dev/sourcebot
Release list
v5.1.0
What's Changed
- feat: support richer token cost tracking for ask by @jsourcebot in #1353
- fix(web): change version banner copy from "Upgrade" to "Update" by @msukkari in #1354
- docs: clarify Yarn setup for contributors by @royalpinto007 in #1358
- fix: add pcre2 and libyaml to macos install script by @dsabsay in #1360
- fix(web): send anonymous PostHog events as personless by @brendan-kellam in #1367
- Improve token caching. by @jsourcebot in #1366
- Visualize context window usage in Ask Sourcebot by @jsourcebot in #1370
- refactor(web): normalize Ask user message text extraction by @whoisthey in #1371
- feat(web): render mermaid diagrams in Ask answers by @whoisthey in #1369
- chore(web): mermaid followups by @whoisthey in #1373
- refactor(web): resolve language model capabilities from models.dev by @whoisthey in #1372
- fix(backend): pass zoekt index args without shell by @brendan-kellam in #1376
- fix(web): verify review webhook deliveries by @brendan-kellam in #1378
- Add OpenAPI generation workflow by @brendan-kellam in #1398
- Allow DPoP-bound OAuth access tokens by @brendan-kellam in #1395
- ci: enforce prisma migration ordering and schema drift by @brendan-kellam in #1400
- feat(web): text file attachments for Ask by @whoisthey in #1374
- feat(web): binary file attachments for Ask by @whoisthey in #1375
- chore(web): Validate OAuth scopes for MCP access by @brendan-kellam in #1396
- fix(web): add HTTP security headers to all responses by @msukkari in #1407
- feat: add SCIM 2.0 user provisioning (EE) by @brendan-kellam in #1306
- chore: make backend worker API URL configurable via WORKER_API_URL by @brendan-kellam in #1409
- chore: upgrade nodemailer to ^9.0.1 to address GHSA-p6gq-j5cr-w38f by @linear-code[bot] in #1356
- chore: bump vendor/zoekt to upgrade golang.org/x/net and golang.org/x/crypto (CVEs) by @brendan-kellam in #1412
- fix(web): maintain sidebar scroll position when navigating between chats by @brendan-kellam in #1411
- chore: upgrade @opentelemetry/core to ^2.8.0 to address CVE-2026-54285 by @brendan-kellam in #1413
- Jminnetian/fix connector scrolling by @jsourcebot in #1418
- feat(setupWizard): add reo by @msukkari in #1419
- fix(ci): pass --no-workspaces-update to npm version in setup-sourcebot release by @msukkari in #1420
- fix(setupWizard): add repository field for npm publish provenance by @msukkari in #1421
- fix(ci): map @react-grab and element-source licenses to MIT in license audit by @msukkari in #1422
- feat(web): add deployment system stats to service ping by @brendan-kellam in #1424
- feat(web): guard EE user deletion behind SCIM and unify user API shape by @brendan-kellam in #1425
- fix(backend): handle Gitea ERR_STREAM_PREMATURE_CLOSE during sync by @brendan-kellam in #1405
- feat(web): fetch /browse data client-side and disallow crawlers via robots.txt by @brendan-kellam in #1426
- chore(ci): Add cloud ci by @brendan-kellam in #1429
- docs: point Docker image references at docker.sourcebot.dev by @msukkari in #1430
- feat(web): enable Sentry node and browser profiling by @brendan-kellam in #1431
- feat: show not-found UI when an Ask GitHub repo doesn't exist by @brendan-kellam in #1432
- Jminnetian/askskills by @jsourcebot in #1410
- Jminnetian/sanitize tool names by @jsourcebot in #1423
New Contributors
- @royalpinto007 made their first contribution in #1358
- @dsabsay made their first contribution in #1360
Full Changelog: v5.0.4...v5.1.0
v5.0.4
What's Changed
- chore: upgrade vite to ^8.0.16 to address CVE-2026-53571 by @brendan-kellam in #1313
- chore: upgrade @grpc/grpc-js to ^1.14.4 to address CVE-2026-48068, CVE-2026-48069 by @brendan-kellam in #1315
- chore: upgrade nodemailer to ^8.0.9 to address GHSA-r7g4-qg5f-qqm2 by @brendan-kellam in #1331
- chore: upgrade dompurify to ^3.4.11 to address GHSA-x4vx-rjvf-j5p4 by @brendan-kellam in #1332
- chore: upgrade hono to ^4.12.25 to address CVE-2026-54287 by @brendan-kellam in #1322
- chore: upgrade form-data to ^4.0.6 to address CVE-2026-12143 by @brendan-kellam in #1316
- chore: upgrade markdown-it to ^14.2.0 to address CVE-2026-48988 by @brendan-kellam in #1321
- chore: upgrade @babel/core to ^7.29.6 to address CVE-2026-49356 by @brendan-kellam in #1333
- chore: upgrade nodemailer to ^8.0.11 to address GHSA-268h-hp4c-crq3 by @brendan-kellam in #1328
- chore: upgrade ws to ^8.21.0 to address CVE-2026-48779 by @brendan-kellam in #1324
- chore: refresh @babel/core lockfile to ^7.29.7 to address CVE-2026-49356 by @linear-code[bot] in #1344
- chore: upgrade esbuild to ^0.28.1 to address GHSA-g7r4-m6w7-qqqr by @linear-code[bot] in #1342
- chore: upgrade tar to ^7.5.16 to address CVE-2026-53655 by @linear-code[bot] in #1338
- chore: upgrade protobufjs to ^7.6.4 to address CVE-2026-54269 by @linear-code[bot] in #1336
- chore: upgrade js-yaml to ^4.2.0 to address CVE-2026-53550 by @linear-code[bot] in #1335
- chore(ci): remove LLM summary generation from vulnerability triage by @brendan-kellam in #1334
- feat(ci): tag triaged Linear issues with the source repository by @brendan-kellam in #1345
- fix(web): enable Next.js version skew protection during rolling deploys by @brendan-kellam in #1346
- feat(web): record service ping history and add usage report download by @brendan-kellam in #1348
- feat(shared): decouple offline anonymous access from seat cap by @brendan-kellam in #1349
New Contributors
- @linear-code[bot] made their first contribution in #1344
Full Changelog: v5.0.3...v5.0.4
v5.0.3
What's Changed
- fix(web): always request
offline_accessfor MCPrefresh_tokengrant by @fatmcgav in #1292 - chore(web): Improved security settings by @brendan-kellam in #1303
- fix(shared): validate SOURCEBOT_ENCRYPTION_KEY length by @brendan-kellam in #1305
- fix(web): prevent crash when User-Agent header is missing by @brendan-kellam in #1309
- fix(web): require User.email and reject SSO sign-ins without an email by @brendan-kellam in #1310
Full Changelog: v5.0.2...v5.0.3
v5.0.2
What's Changed
- refactor(web): share connectors explainer copy across login and upsell menus by @msukkari in #1280
- chore: add release workflow for setup-sourcebot by @brendan-kellam in #1279
- chore: upgrade protobufjs to ^7.6.2 by @brendan-kellam in #1281
- feat(web): support for anthropic prompt caching and UI cached token display by @jsourcebot in #1278
- fix(web): fix GitLab MR inline comment 400 errors on context lines and renames by @fatmcgav in #1149
- chore: upgrade qs to ^6.15.2 to address CVE-2026-8723 by @brendan-kellam in #1282
- chore: upgrade picomatch to ^4.0.4 to address CVE-2026-33671, CVE-2026-33672 by @brendan-kellam in #1283
- chore: ignore CVE-2026-41305 (postcss build-time XSS) in Trivy by @brendan-kellam in #1288
- chore: upgrade ws to ^8.20.1 to address CVE-2026-45736 by @brendan-kellam in #1286
- chore: upgrade hono to ^4.12.24 to address CVE-2026-47673, CVE-2026-47674, CVE-2026-47675, CVE-2026-47676 by @brendan-kellam in #1289
- chore: bump zoekt submodule to upgrade go-git to v5.19.1 (CVE-2026-45571) by @brendan-kellam in #1290
- fix(web): surface actionable error when Lighthouse is unreachable by @brendan-kellam in #1293
- fix(web): stop rapid localStorage flip when removing a language model by @brendan-kellam in #1295
- feat(web): resolve Anthropic thinking config from model capabilities by @brendan-kellam in #1294
- feat(web): add isLanguageModelConfigured to service ping by @brendan-kellam in #1296
- chore: remove deprecated env-var identity provider configuration by @brendan-kellam in #1297
- fix(web): Support multiple IDPs of the same type by @brendan-kellam in #1177
- fix(backend): prevent duplicate index jobs from indexedAt race by @brendan-kellam in #1298
- chore: upgrade shell-quote to ^1.8.4 to address CVE-2026-9277 by @jsourcebot in #1299
- fix(worker): pass logger to getAuthCredentialsForRepo during repo sync by @brendan-kellam in #1300
Full Changelog: v5.0.1...v5.0.2
v5.0.1
What's Changed
- fix(web): Prompt anonymous users to login if they want to use connectors in Ask by @jsourcebot in #1274
Full Changelog: v5.0.0...v5.0.1
v5.0.0
Checkout the migration guide for details on upgrading your instance to v5.
Changed
- [Breaking Change] Changed the default role assignment to
Ownerfor organizations on the free tier. See the v4 to v5 guide. #1106 - [Breaking Change] Relicensed Ask Sourcebot and MCP under ee. See the v4 to v5 guide. #1106
- [Breaking Change] Removed the embedded Postgres and Redis from the Docker image. External Postgres and Redis are now required: set
DATABASE_URLandREDIS_URL, or deploy with the provideddocker-compose.yml. See the v4 to v5 guide. #1106 - [Breaking Change] Sourcebot no longer auto-generates
AUTH_SECRETandSOURCEBOT_ENCRYPTION_KEY, nor reads them from the plaintext files it previously wrote to the data volume; both must now be set explicitly as environment variables. See the v4 to v5 guide. #1106 - Redesigned the app layout with a new collapsible sidebar navigation, replacing the previous top navigation bar. #1106
- Expired offline license keys no longer crash the process. An expired key now degrades to the unlicensed state. #1106
- Improved the
setup-sourcebotwizard: prompts for a setup directory, clarifies that secrets are stored locally in.env, switches multi-select to Tab, hides "No results" until a real search runs, and detects/cleans up conflicting Docker deployments and volumes before starting. #1106
Added
- Added ask connectors: connect 3rd party MCP servers to your ask agent. #1106
- Added progress bar when navigating between pages. #1106
- Added a integrated changelog into the sidebar. #1106
- Added scroll position restoration when viewing files in the code browser, so returning to a previously viewed file restores your scroll position. #1106
Fixed
- Fixed git "dubious ownership" errors when the container runs as a non-root user by setting
safe.directoryat the system level instead of the global (root-only) level. #1106
Full Changelog: v4.17.4...v5.0.0
v4.17.4
What's Changed
- docs: add security notes to docs by @msukkari in #1218
- fix(web): Add support for opus 4.8 by @brendan-kellam in #1249
Full Changelog: v4.17.3...v4.17.4
v4.17.3
What's Changed
- fix(worker): Fix issue with stale permissions by @brendan-kellam in #1215
- fix(worker): extend permission-sync fail-closed to HTTP 410 by @msukkari in #1216
- fix(worker): replace Bitbucket Cloud user-repos endpoint removed by CHANGE-2770 by @msukkari in #1217
- fix(web): propagate session invalidation to /api/auth/session by @msukkari in #1219
- fix(web): reject OAuth account-linking without a signed-in session by @msukkari in #1221
Full Changelog: v4.17.2...v4.17.3
v4.17.2
What's Changed
- chore(dev): bump docker/build-push-action to latest by @brendan-kellam in #1172
- fix: Add missing changes from #1170 by @brendan-kellam in #1176
- fix(web): use blame line's path when navigating to commit diff by @brendan-kellam in #1178
- chore(worker): Reduce logger verbosity by @brendan-kellam in #1179
- chore: bump fast-uri to ^3.1.2 by @brendan-kellam in #1181
- fix: upgrade simple-git to 3.36.0 to address CVE-2026-6951 by @brendan-kellam in #1183
- fix: upgrade hono to ^4.12.18 to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458 by @brendan-kellam in #1186
- fix: refresh yarn.lock to upgrade ip-address to ^10.2.0 (CVE-2026-42338) by @brendan-kellam in #1189
- fix: refresh yarn.lock to upgrade fast-xml-builder to ^1.2.0 (CVE-2026-44664, CVE-2026-44665) by @brendan-kellam in #1184
- fix(backend): opt in to simple-git unsafe categories present in env by @brendan-kellam in #1193
- refactor(web): detect hoverable symbols via Lezer highlight tags by @brendan-kellam in #1194
- feat(web): add skeleton to LatestCommitInfo while loading by @brendan-kellam in #1195
- feat(backend): write changed-path Bloom filters to commit-graph by @brendan-kellam in #1198
- chore(web): add ESLint rule require-auth-wrapper by @brendan-kellam in #1199
- chore: add lint workflow for PRs by @brendan-kellam in #1200
- fix(web): preserve source revisions in chat citation links by @brendan-kellam in #1205
- chore: upgrade next to ^16.2.6 to address CVE-2026-45109 by @brendan-kellam in #1203
- chore: upgrade react-email to ^6.1.4 by @brendan-kellam in #1206
- chore(web): Upgrade @posthog/ai by @brendan-kellam in #1207
- fix: pin @protobufjs/inquire to 1.1.0 to fix Turbopack incompatibility by @brendan-kellam in #1208
Full Changelog: v4.17.1...v4.17.2
v4.17.1
What's Changed
- feat(web): add audit log entries for org membership changes by @brendan-kellam in #1165
- feat(web): JWT session versioning and credential revocation on org removal by @brendan-kellam in #1168
- fix(schemas): allow spaces in Azure DevOps project and repo names by @brendan-kellam in #1170
Full Changelog: v4.17.0...v4.17.1