10.4.3-ce.0

10.4.3 (2018-02-05)

Security (4 changes)

• Fix namespace access issue for GitHub, BitBucket, and GitLab.com project importers.
• Fix stored XSS in code blocks that ignore highlighting.
• Fix wildcard protected tags protecting all branches.
• Restrict Todo API mark_as_done endpoint to the user's todos only.

10.4.2-ce.0

10.4.2 (2018-01-30)

Fixed (6 changes)

• Fix copy/paste on iOS devices due to a bug in webkit. !15804
• Fix missing "allow users to request access" option in public project permissions. !16485
• Fix encoding issue when counting commit count. !16637
• Fixes destination already exists, and some particular service errors on Import/Export error. !16714
• Fix cache clear bug withg using : on Windows. !16740
• Use has_table_privilege for TRIGGER on PostgreSQL.

Changed (1 change)

• Vendor Auto DevOps template with DAST security checks enabled. !16691

10.4.1-ce.0

10.4.1 (2018-01-24)

Fixed (4 changes)

• Ensure that users can reclaim a namespace or project path that is blocked by an orphaned route. !16242
• Correctly escape UTF-8 path elements for uploads. !16560
• Fix issues when rendering groups and their children. !16584
• Fix bug in which projects with forks could not change visibility settings from Private to Public. !16595

Performance (2 changes)

• rework indexes on redirect_routes.
• Remove unnecessary query from labels filter.

10.4.0-ce.0

10.4.0 (2018-01-22)

Security (8 changes, 1 of them is from the community)

• Upgrade Ruby to 2.3.6 to include security patches. !16016
• Prevent a SQL injection in the MilestonesFinder.
• Check user authorization for source and target projects when creating a merge request.
• Fix path traversal in gitlab-ci.yml cache:key.
• Fix writable shared deploy keys.
• Filter out sensitive fields from the project services API. (Robert Schilling)
• Fix RCE via project import mechanism.
• Prevent OAuth login POST requests when a provider has been disabled.

Fixed (68 changes, 24 of them are from the community)

• Update comment on image cursor and icons. !15760
• Fixes the wording of headers in system info page. !15802 (Gilbert Roulot)
• Reset todo counters when the target is deleted. !15807
• Execute quick actions (if present) when creating MR from issue. !15810
• fix build count in pipeline success mail. !15827 (Christiaan Van den Poel)
• Fix error that was preventing users to change the access level of access requests for Groups or Projects. !15832
• Last push event widget width for fixed layout. !15862 (George Tsiolis)
• Hide link to issues/MRs from labels list if issues/MRs are disabled. !15863 (Sophie Herold)
• Use relative URL for projects to avoid storing domains. !15876
• Fix gitlab-rake gitlab:import:repos import schedule. !15931
• Removed incorrect guidance stating blocked users will be removed from groups and project as members. !15947 (CesarApodaca)
• Fix some POST/DELETE requests in IE by switching some bundles to Axios for Ajax requests. !15951
• Fixing error 500 when member exist but not the user. !15970
• show None when issue is in closed list and no labels assigned. !15976 (Christiaan Van den Poel)
• Fix tags in the Activity tab not being clickable. !15996 (Mario de la Ossa)
• Disable Vue pagination when only one page of content is available. !15999 (Mario de la Ossa)
• disables shortcut to issue boards when issues are not enabled. !16020 (Christiaan Van den Poel)
• Ignore lost+found folder during backup on a volume. !16036 (Julien Millau)
• Fix abuse reports link url in admin area navbar. !16068 (megos)
• Keep typographic hierarchy in User Settings. !16090 (George Tsiolis)
• Adjust content width for User Settings, GPG Keys. !16093 (George Tsiolis)
• Fix gitlab-rake gitlab:import:repos import schedule. !16115
• Fix import project url not updating project name. !16120
• Fix activity inline event line height on mobile. !16121 (George Tsiolis)
• Fix slash commands dropdown description mis-alignment on Firefox. !16125 (Maurizio De Santis)
• Remove unnecessary sidebar element realignment. !16159 (George Tsiolis)
• User#projects_limit remove DB default and added NOT NULL constraint. !16165 (Mario de la Ossa)
• Fix API endpoints to edit wiki pages where project belongs to a group. !16170
• Fix breadcrumbs in User Settings. !16172 (rfwatson)
• Move 2FA disable button. !16177 (George Tsiolis)
• Fixing bug when wiki last version. !16197
• Protected branch is now created for default branch on import. !16198
• Prevent excessive DB load due to faulty DeleteConflictingRedirectRoutes background migration. !16205
• Force Auto DevOps kubectl version to 1.8.6. !16218
• Fix missing references to pipeline objects when restoring project with import/export feature. !16221
• Fix inconsistent downcase of filenames in prefilled Add commit messages. !16232 (James Ramsay)
• Default merge request title is set correctly again when external issue tracker is activated. !16356 (Ben305)
• Ensure that emails contain absolute, rather than relative, links to user uploads. !16364
• Prevent invalid Route path if path is unchanged. !16397
• Fixing rack request mime type when using rack attack. !16427
• Prevent RevList failing on non utf8 paths. !16440
• Fix giant fork icons on forks page. !16474
• Fix links to uploaded files on wiki pages. !16499
• Modify LDAP::Person to return username value based on attributes.
• Fixed merge request status badge not updating after merging.
• Remove related links in MR widget when empty state.
• Gracefully handle garbled URIs in Markdown.
• Fix hooks not being set up properly for bare import Rake task.
• Fix Mermaid drawings not loading on some browsers.
• Humanize the units of "Showing last X KiB of log" in job trace.
• Avoid leaving a push event empty if payload cannot be created.
• Show authored date rather than committed date on the commit list.
• Fix when branch creation fails don't post system note. (Mateusz Bajorski)
• Fix viewing merge request diffs where the underlying blobs are unavailable.
• Fix 500 error when visiting a commit where the blobs do not exist.
• Set target_branch to the ref branch when creating MR from issue.
• Fix closed text for issues on Todos page.
• [API] Fix creating issue when assignee_id is empty.
• Fix false positive issue references in merge requests caused by header anchor links.
• Fixed chanages dropdown ellipsis positioning.
• Fix shortcut links on help page.
• Clears visual token on second backspace. (Martin Wortschack)
• Fix onion-skin re-entering state.
• fix button alignment on MWPS component.
• Add optional search param for Merge Requests API.
• Normalizing Identity extern_uid when saving the record.
• Fixed typo for issue description field declaration. (Marcus Amargi)
• Fix ANSI 256 bold colors in pipelines job output.

Changed (18 changes, 3 of them are from the community)

• Make mail notifications of discussion notes In-Reply-To of each other. !14289
• Migrate existing data from KubernetesService to Clusters::Platforms::Kubernetes. !15589
• Implement checking GCP project billing status in cluster creation form. !15665
• Present multiple clusters in a single list instead of a tabbed view. !15669
• Remove soft removals related code. !15789
• Only mark import and fork jobs as failed once all Sidekiq retries get exhausted. !15844
• Translate date ranges on contributors page. !15846
• Update issuable status icons. !15898
• Update feature toggle design to use icons and make it i18n friendly. !15904
• Update groups tree to use GitLab SVG icons, add last updated at information for projects. !15980
• Allow forking a public project to a private group. !16050
• Expose project_id on /api/v4/pages/domains. !16200 (Luc Didry)
• Display graph values on hover within monitoring page. !16261
• removed tabindexes from tag form. (Marcus Amargi)
• Move edit button to second row on issue page (and change it to a pencil icon).
• Run background migrations with a minimum interval.
• Provide additional cookies to JIRA service requests to allow Oracle WebGates Basic Auth. (Stanislaw Wozniak)
• Hide markdown toolbar in preview mode.

Performance (11 changes)

• Improve the performance for counting diverging commits. Show 999+ if it is more than 1000 commits. !15963
• Treat empty markdown and html strings as valid cached text, not missing cache that needs to be updated.
• Cache merged and closed events data in merge_request_metrics table.
• Speed up generation of commit stats by using Rugged native methods.
• Improve search query for issues.
• Improve search query for merge requests.
• Eager load event target authors whenever possible.
• Use simple Next/Prev paging for jobs to avoid large count queries on arbitrarily large sets of historical jobs.
• Improve performance of MR discussions on large diffs.
• Add index on namespaces lower(name) for UsersController#exists.
• Fix timeout when filtering issues by label.

Added (26 changes, 8 of them are from the community)

• Support new chat notifications parameters in Services API. !11435
• Add online and status attribute to runner api entity. !11750
• Adds ordering to projects contributors in API. !15469 (Jacopo Beschi @jacopo-beschi)
• Add assets_sync gem to Gemfile. !15734
• Add a gitlab:tcp_check rake task. !15759
• add support for sorting in tags api. !15772 (haseebeqx)
• Add Prometheus to available Cluster applications. !15895
• Validate file status when commiting multiple files. !15922
• List of avatars should never show +1. !15972 (Jacopo Beschi @jacopo-beschi)
• Do not generate NPM links for private NPM modules in blob view. !16002 (Mario de la Ossa)
• Backport fast database lookup of SSH authorized_keys from EE. !16014
• Add i18n helpers to branch comparison view. !16031 (James Ramsay)
• Add pause/resume button to project runners. !16032 (Mario de la Ossa)
• Added option to user preferences to enable the multi file editor. !16056
• Implement project jobs cache reset. !16067
• Rendering of emoji's in Group-Overview. !16098 (Jacopo Beschi @jacopo-beschi)
• Allow automatic creation of Kubernetes Integration from template. !16104
• API: get participants from merge_requests & issues. !16187 (Brent Greeff)
• Added option to disable commits stats in the commit endpoint. !16309
• Disable creation of new Kubernetes Integrations unless they're active or created from template. !41054
• Added badge to tree & blob views to indicate LFS tracked files.
• Enable ordering of groups and their children by name.
• Add button to run scheduled pipeline immediately.
• Allow user to rebase merge requests.
• Handle GitLab hashed storage repositories using the repo import task.
• Hide runner token in CI/CD settings page.

Other (12 changes, 3 of them are from the community)

• Adds the multi file editor as a new beta feature. !15430
• Use relative URLs when linking to uploaded files. !15751
• Add docs for why you might be signed out when using the Remember me token. !15756
• Replace '.team << [user, role]' with 'add_role(user)' in specs. !16069 (@blackst0ne)
• Add id to modal.vue to support data-toggle="modal". !16189
• Update scss-lint to 0.56.0. !16278 (Takuya Noguchi)
• Fix web ide user preferences copy and buttons. !41789
• Update redis-rack to 2.0.4.
• Import some cod...

10.3.5-ce.0

10.3.5 (2018-01-18)

• Fix error that prevented the 'deploy_keys' migration from working in MySQL databases.

10.3.4-ce.0

10.3.4 (2018-01-10)

Security (7 changes, 1 of them is from the community)

• Prevent a SQL injection in the MilestonesFinder.
• Fix RCE via project import mechanism.
• Prevent OAuth login POST requests when a provider has been disabled.
• Filter out sensitive fields from the project services API. (Robert Schilling)
• Check user authorization for source and target projects when creating a merge request.
• Fix path traversal in gitlab-ci.yml cache:key.
• Fix writable shared deploy keys.

10.3.3-ce.0

10.3.3 (2018-01-02)

Fixed (3 changes)

• Fix links to old commits in merge request comments.
• Fix 404 errors after a user edits an issue description and solves the reCAPTCHA.
• Gracefully handle orphaned write deploy keys in /internal/post_receive.

10.3.2-ce.0

10.3.2 (2017-12-28)

Fixed (1 change)

• Fix migration for removing orphaned issues.moved_to_id values in MySQL and PostgreSQL.

---

Docker image related changes

• Added support for puppet pre-receive hooks. Selected by variables on run stage. See README Works perfectly with polinux/puppet-server docker image

10.3.1-ce.0

10.3.1 (2017-12-27)

Changed (1 change)

• Geo: Show sync percent on bar graph and count within tooltips. !3794

10.3.0-ce.0

10.3.0 (2017-12-22)

Security (1 change, 1 of them is from the community)

• Upgrade jQuery to 2.2.4. !15570 (Takuya Noguchi)

Fixed (55 changes, 8 of them are from the community)

• Fail jobs if its dependency is missing. !14009
• Fix errors when selecting numeric-only labels in the labels autocomplete selector. !14607 (haseebeqx)
• Fix pipeline status transition for single manual job. This would also fix pipeline duration becuse it is depending on status transition. !15251
• Fix acceptance of username for Mattermost service update. !15275
• Set the default gitlab-shell timeout to 3 hours. !15292
• Make sure a user can add projects to subgroups they have access to. !15294
• OAuth identity lookups case-insensitive. !15312
• Fix filter by my reaction is not working. !15345 (Hiroyuki Sato)
• Avoid deactivation when pipeline schedules execute a branch includes [ci skip] comment. !15405
• Add recaptcha modal to issue updates detected as spam. !15408
• Fix item name and namespace text overflow in Projects dropdown. !15451
• Removed unused rake task, 'rake gitlab:sidekiq:drop_post_receive'. !15493
• Fix commits page throwing 500 when the multi-file editor was enabled. !15502
• Fix Issue comment submit button being disabled when pasting content from another GFM note. !15530
• Reenable Prometheus metrics, add more control over Prometheus method instrumentation. !15558
• Fix broadcast message not showing up on login page. !15578
• Initializes the branches dropdown when the 'Start new pipeline' failed due to validation errors. !15588 (Christiaan Van den Poel)
• Fix merge requests where the source or target branch name matches a tag name. !15591
• Create a fork network for forks with a deleted source. !15595
• Fix search results when a filename would contain a special character. !15606 (haseebeqx)
• Strip leading & trailing whitespaces in CI/CD secret variable keys. !15615
• Correctly link to a forked project from the new fork page. !15653
• Fix the fork project functionality for projects with hashed storage. !15671
• Added default order to UsersFinder. !15679
• Fix graph notes number duplication. !15696 (Vladislav Kaverin)
• Fix updateEndpoint undefined error for issue_show app root. !15698
• Change boards page boards_data absolute urls to paths. !15703
• Using appropiate services in the API for managing forks. !15709
• Confirming email with invalid token should no longer generate an error. !15726
• fix #39233 - 500 in merge request. !15774 (Martin Nowak)
• Use Markdown styling for new project guidelines. !15785 (Markus Koller)
• Fix error during schema dump. !15866
• Fix broken illustration images for monitoring page empty states. !15889
• Make sure user email is read only when synced with LDAP. !15915
• Fixed outdated browser flash positioning.
• Fix gitlab:import:repos Rake task moving repositories into the wrong location.
• Gracefully handle case when repository's root ref does not exist.
• Fix GitHub importer using removed interface.
• Align retry button with job title with new grid size.
• Fixed admin welcome screen new group path.
• Fix related branches/Merge requests failing to load when the hostname setting is changed.
• Init zen mode in snippets pages.
• Remove extra margin from wordmark in header.
• Fixed long commit links not wrapping correctly.
• Fixed deploy keys remove button loading state not resetting.
• Use app host instead of asset host when rendering image blob or diff.
• Hide log size for mobile screens.
• Fix sending notification emails to users with the mention level set who were mentioned in an issue or merge request description.
• Changed validation error message on wrong milestone dates. (Xurxo Méndez Pérez)
• Fix access to the final page of todos.
• Fixed new group milestone breadcrumbs.
• Fix image diff notification email from showing wrong content.
• Fixed merge request lock icon size.
• Make sure head pippeline always corresponds with the head sha of an MR.
• Prevent 500 error when inspecting job after trigger was removed.

Changed (14 changes, 2 of them are from the community)

• Only owner or master can erase jobs. !15216
• Allow password authentication to be disabled entirely. !15223 (Markus Koller)
• Add the option to automatically run a pipeline after updating AutoDevOps settings. !15380
• Add total_time_spent to the changes hash in issuable Webhook payloads. !15381
• Monitor NFS shards for circuitbreaker in a separate process. !15426
• Add inline editing to issues on mobile. !15438
• Add custom brand text on new project pages. !15541 (Markus Koller)
• Show only group name by default and put full namespace in tooltip in Groups tree. !15650
• Use custom user agent header in all GCP API requests. !15705
• Changed the deploy markers on the prometheus dashboard to be more verbose. !38032
• Animate contextual sidebar on collapse/expand.
• Update emojis. Add :gay_pride_flag: and :speech_left:. Remove extraneous comma in :cartwheel_tone4:.
• When a custom header logo is present, don't show GitLab type logo.
• Improved diff changed files dropdown design.

Performance (19 changes)

• Add timeouts for Gitaly calls. !15047
• Performance issues when loading large number of wiki pages. !15276
• Add performance logging to UpdateMergeRequestsWorker. !15360
• Keep track of all circuitbreaker keys in a set. !15613
• Improve the performance for counting commits. !15628
• Reduce requests for project forks on show page of projects that have forks. !15663
• Perform SQL matching of Build&Runner tags to greatly speed-up job picking.
• Only load branch names for protected branch checks.
• Optimize API /groups/:id/projects by preloading associations.
• Remove allocation tracking code from InfluxDB sampler for performance.
• Throttle the number of UPDATEs triggered by touch.
• Make finding most recent merge request diffs more efficient.
• Fetch blobs in bulk when generating diffs.
• Cache commits for MergeRequest diffs.
• Use fuzzy search with minimum length of 3 characters where appropriate.
• Add axios to common file.
• Remove template selector from global namespace.
• check the import_status field before doing SQL operations to check the import url.
• Stop sending milestone and labels data over the wire for MR widget requests.

Added (22 changes, 15 of them are from the community)

• Limit autocomplete menu to applied labels. !11110 (Vitaliy @blackst0ne Klachkov)
• Make diff notes created on a commit in a merge request to persist a rebase. !12148
• Allow creation of merge request from email. !13817 (janp)
• Add an ability to use a custom branch name on creation from issues. !13884 (Vitaliy @blackst0ne Klachkov)
• Add anonymous rate limit per IP, and authenticated (web or API) rate limits per user. !14708
• Create a new form to add Existing Kubernetes Cluster. !14805
• Add support of Mermaid (generation of diagrams and flowcharts from text). !15107 (Vitaliy @blackst0ne Klachkov)
• Add total time spent to milestones. !15116 (George Andrinopoulos)
• Add /groups/:id/subgroups endpoint to API. !15142 (marbemac)
• Add administrative endpoint to list all pages domains. !15160 (Travis Miller)
• Adds Rubocop rule for line break after guard clause. !15188 (Jacopo Beschi @jacopo-beschi)
• Add edit button to mobile file view. !15199 (Travis Miller)
• Add dropdown sort to group milestones. !15230 (George Andrinopoulos)
• added support for ordering and sorting in notes api. !15342 (haseebeqx)
• Hashed Storage migration script now supports migrating project attachments. !15352
• New API endpoint - list jobs for a specified runner. !15432
• Add new API endpoint - get a namespace by ID. !15442
• Disables autocomplete in filtered searc. !15477 (Jacopo Beschi @jacopo-beschi)
• Update empty state page of merge request 'changes' tab. !15611 (Vitaliy @blackst0ne Klachkov)
• Allow git pull/push on group/user/project redirects. !15670
• show status of gitlab reference links in wiki. !15694 (haseebeqx)
• Add email confirmation parameters for user creation and update via API. (Daniel Juarez)

Other (17 changes, 7 of them are from the community)

• Enable UnnecessaryMantissa in scss-lint. !15255 (Takuya Noguchi)
• Add untracked files to uploads table. !15270
• Move update_project_counter_caches? out of issue and merge request. !15300 (George Andrinopoulos)
• Removed tooltip from clone dropdown. !15334
• Clean up empty fork networks. !15373
• Create issuable destroy service. !15604 (George Andrinopoulos)
• Upgrade seed-fu to 2.3.7. !15607 (Takuya Noguchi)
• Rename GKE as Kubernetes Engine. !15608 (Takuya Noguchi)
• Prefer ci_config_path validation for leading slashes instead of sanitizing the input. !15672 (Christiaan Van den Poel)
• Fix typo in docs about Elasticsearch. !15699 (Takuya Noguchi)
• Add internationalization support for the prometheus integration. !33338
• Export text utils functions as es6 module and add tests.
• Stop reloading the page when using pagination and tabs - use API calls - in Pipelines table.
• Clean up schema of the "issues" table.
• Clarify wording of protected branch settings for the default branch.
• Update svg external depencency.
• Clean up schema of the "merge_requests" table.