Releases: bugsink/bugsink
2.0.13
2.0.13 (21 February 2026)
Security
Fix: escape output for pygments fallback.
An unauthenticated attacker could store arbitrary JavaScript in a bugsink
project by sending a crafted Sentry event. Any admin who views the stacktrace
will execute the payload.
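The bug class behind this fix, as an added example (not Bugsink's own code): when a syntax highlighter cannot handle a line and the renderer falls back to the raw text, that fallback must be HTML-escaped before it reaches the template. The names `toy_highlighter`, `HighlightError`, `render_unsafe` and `render_safe` are hypothetical stand-ins, and the sample lines are constructed.

```python
import html

# Constructed sample: source-context lines as they might arrive in an event.
# The second line is untrusted text supplied by the sender, not real code.
CONSTRUCTED_CONTEXT = [
    "def handler(request):",
    "<script>alert(1)</script>",
]


class HighlightError(Exception):
    """Raised by the stand-in highlighter when it cannot lex a line."""


def toy_highlighter(line):
    # Hypothetical stand-in for a syntax highlighter: it returns escaped,
    # span-wrapped HTML for lines it understands and raises otherwise.
    if not line.lstrip().startswith(("def ", "return ", "import ")):
        raise HighlightError(line)
    return '<span class="k">%s</span>' % html.escape(line)


def render_unsafe(lines, highlighter=toy_highlighter):
    # Vulnerable pattern: the fallback returns the raw line, which the
    # template then treats as already-safe HTML.
    out = []
    for line in lines:
        try:
            out.append(highlighter(line))
        except HighlightError:
            out.append(line)
    return out


def render_safe(lines, highlighter=toy_highlighter):
    # Fixed pattern: every path that yields markup escapes untrusted text.
    out = []
    for line in lines:
        try:
            out.append(highlighter(line))
        except HighlightError:
            out.append(html.escape(line, quote=True))
    return out
```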
Other
- annotate with meta: when meta-keys are not actually in the var
- Reduce Slack title length from 200 to 150 characters (See #318)
- fix dbrouter allow_migrate for more than 2 databases
- Distinguish installation-quota warning message from the project-level ones
- fix unsupported operand type(s) for +: 'NoneType' and 'str' in request.url display
- Add a description field to authtoken (See #312)
- 400 template should say 'bad request' not 'server error'
- Max retention: default per-project of 20% per project to avoid out-of-room on project 2
- Allow editing of project when global max_rention settings have recently been decreased
2.0.12
2.0.12 (26 January 2026)
Fixes:
- Quota checks: don't get confused (so much) by eviction, see c157827
- cleanup_eventstorage command: don't fail when no storage initialized, see 45dc85a
- EventStorage.list must return UUIDs for usage in .delete, see c8457ed
- Don't rely on SDK-provided event_id for ingest-digest handover, see 6ab3fa5, and 9e8f59e
- cleanup_events (after delete): push out of transaction, see 4130cd2 and 7f726ca
- Add simple command to delete the oldest events until under retention max, see 9414906
- FileEventStorage config forward-compatible, see 5099d69
- migrate_to_current_eventstorage command: don't crash when there are 'very many' events, see 34cf7dc
Upgrading
The optional management command fix_project_digest_order can be run in
addition to migrations; this will make rate-limiting quota work more
correctly immediately.
(If you don't care, this will eventually become correct as the old data fades away.)
2.0.11
2.0.11 (20 January 2026)
- Add brotli and gzip filestorages, see 5b345e0
- Apply max retention from settings even if stored project value is higher, see 1f1b06b
- Max retention event count: guard the API, see d3beed5
- Max event retention: don't mention a negative budget, see 0a39ce1
- New project: suggest no more than the legal retention, see 0cdb6c0
2.0.9
2.0.8
2.0.8 (10 January 2026)
- Improve default Sentry SDK settings for Python, Fix #298
- Fix background of event search inputs in dark mode, see #300
- Add missing tailwindcss dependencies (for development)
- MAX_RETENTION[_PER_PROJECT] as a setting
- More fully disable the admin when USE_ADMIN=False, See #131
- quota exceeded: show a message
- Project quota: pick up on settings-changes
- Setting & check for site-wide per-month event ingestion maximum
- Add modelcounts command; useful in the context of housekeeping when servers are down
- Fix exception for unsupported envelope items / when minidump feature is off. See #293
2.0.7
2.0.7 (6 January 2026)
New & Improved Alert backends
- Adds the Mattermost Alert Backend, see #278, #253, #277
- Adds the Discord Alert Backend, see #279, #121
Minidump API Endpoint: Experimental
This release contains code that supports Minidumps, and which can be turned on with the
feature-flag (setting) FEATURE_MINIDUMPS.
However, as it stands, this code should be seen as development-only: it has not
passed security-review yet, which means it opens your Bugsink-installation to DOS-like
attacks.
Other changes
- Fix never_evict for the "conditional unmute" case, see #292
- ingest ParseError: don't raise a 500; make this the SDK's problem (400), see 4fe8bd3
- Upgrade Verbose CSRF Middleware to match Django 5.2, see e3f1c92
- Fix for pygments mishandling a weird case w/ ruby, see 4564131
- Raise 413 for the 'content too large' case
- Slack alerts: issue title in message title, fix #283
- Channel support for Mattermost message backend, see #281
- Discord alert backend: send 'valid' URLs only, fix #280
- yesno filter: just don't return None ever, see 9b2acdd
- tailwind update, see bddc2e8
- Link to 'all tags' in the 'tags' RHS box, see eeac2e7
- 'files' is a bugsink module too; reflect in eat_your_own_dogfood, see 74a04f6
- Don't log emails to 0 recipients, see #86
- Fix member counts on project/team list, they were at most 1, see a93f369
- Support request.body when doing Chunked Transfer Encoding, see #9
- Fix inefficient bytes concatenation when KEEP_ENVELOPES != 0, see 0432451
- Compression decoding errors: return 400 rather than 500, see 53bea10
- Support Python 3.14, see #267
2.0.6
2.0.6 (8 November 2025)
Security
Add a mitigation for another DOS attack using adversarial brotli payloads.
Similar to, but distinct from, the fix in 2.0.5.
2.0.5
2.0.5 (8 November 2025)
Security
Add a mitigation for certain DOS attacks using adversarial brotli payloads, see #266
Backwards incompatible changes
Fail to start when using non-sqlite for snappea, See #252
Since this was always recommended against, and probably broken anyway, this is not
expected to be backwards incompatible in practice, but it is at least in principle.
Other changes
- Markdown stacktrace: render with all frames, See 9cb89ec
- Add database vendor, version and machine arch to phonehome message, see d8fef75
- Fix redirect on single-click actions when hosting at subdomain, Fix #250
- 'poor man's' DB lock: lock the right DB; See e55c0eb, and #252 for context
- Add more warnings about using non-sqlite for snappea in the conf templates, See #252
- parse_timestamp: actually parse as UTC when timezone not provided, see 8ad7f97
- Add debug setting for email-sending, Fix #86
- docker-compose-sample.yaml: more clearly email:password, See #261
- create snappea database on Docker start rather than image build, See #244