Version 0.17
WriteFreely v0.17 is here, includes some critical security fixes, along with a ton of quality-of-life improvements and fixes for users.
Download v0.17.0 now, and read on to see what’s new in this version.
Security
- Fix config.ini defaults to world-readable (by @thebaer, CVE-2025-24337)
- Fix Cross-User IDOR: Subscriber List Disclosure (by @thebaer, GHSA-cfcq-76gr-62x8)
- Prevent signups via /auth/signup with closed registrations by @thebaer in #1686
User-Facing Changes
- Title fixes for ActivityPub by @thebaer in #1491
- Fix collection Customize page header nav on single-user instances by @thebaer in #1505
- Fix single-user blog URL on Customize page by @thebaer in #1508
- Add support for alternative smallweb URL schemes by @smazmi in #1565
- Fix font toggle in classic editor #876 by @vtyeh in #1135
- Display stat numbers as monospace by @lolbinarycat in #1142
- Support changing published post font on web by @thebaer in #1609
- Fix character set for post signature column on MySQL / MariaDB instances by @thebaer in #1608
- Redirect /read/feed to correct /read/feed/ URL by @thebaer in #1522
- Fix ProseMirror HTML handling by @thebaer in #1644
- Use datetime picker on Post Metadata page and fix API inconsistency by @thebaer in #1492
- Markdown preview by @thebaer in #1647
- Sort list of Fediverse followers by subscription date, descending by @thebaer in #1630
- Limit password to max characters supported by bcrypt by @thebaer in #1664
- Improve and fix up data exports by @thebaer in #1623
- Fix missing user nav on blog Customize page by @thebaer in #1687
Admin-Facing Changes
- Document MariaDB support in README by @robertsilen in #1665
- Ignore missing socket file on shutdown by @thebaer in #1503
- ActivityPub robustness and monitoring by @blacklight in #1437
Developer-Facing Changes
- Don't add blank strings to mentioned users array in Activity object by @thebaer in #1575
- Refactor: Email Subscription shortcode and form by @thebaer in #1646
- Run goimports on project by @thebaer in #1559
Dependencies and minor fixes
- Add missing
hostNameassignment in viewEditCollection by @thebaer in #1504 - Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @dependabot[bot] in #1151
- Bump docker/metadata-action from 4.6.0 to 5.8.0 by @dependabot[bot] in #1462
- Bump docker/login-action from 3.0.0 to 3.5.0 by @dependabot[bot] in #1463
- Bump docker/build-push-action from 5.0.0 to 6.18.0 by @dependabot[bot] in #1464
- Bump docker/setup-buidx-action from 3.0.0 to 3.11.1 by @dependabot[bot] in #1465
- Bump golang.org/x/net from 0.43.0 to 0.44.0 by @dependabot[bot] in #1500
- Bump docker/login-action from 3.5.0 to 3.6.0 by @dependabot[bot] in #1497
- Bump golang.org/x/crypto from 0.41.0 to 0.42.0 by @dependabot[bot] in #1499
- Bump golang.org/x/net from 0.45.0 to 0.46.0 by @dependabot[bot] in #1509
- Bump golang.org/x/crypto from 0.43.0 to 0.45.0 by @dependabot[bot] in #1528
- Bump golang.org/x/net from 0.47.0 to 0.48.0 by @dependabot[bot] in #1548
- Bump golang.org/x/crypto from 0.45.0 to 0.46.0 by @dependabot[bot] in #1546
- Bump github.com/fatih/color from 1.17.0 to 1.18.0 by @dependabot[bot] in #1140
- Bump github.com/gosimple/slug from 1.14.0 to 1.15.0 by @dependabot[bot] in #1232
- Bump golang.org/x/net from 0.48.0 to 0.49.0 by @dependabot[bot] in #1571
- Bump docker/login-action from 3.6.0 to 3.7.0 by @dependabot[bot] in #1567
- Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 by @dependabot[bot] in #1541
- Bump docker/metadata-action from 5.8.0 to 5.10.0 by @dependabot[bot] in #1525
- Bump docker/setup-qemu-action from 3.0.0 to 3.7.0 by @dependabot[bot] in #1515
- Bump docker/build-push-action from 6.18.0 to 6.19.2 by @dependabot[bot] in #1602
- Bump golang.org/x/net from 0.49.0 to 0.51.0 by @dependabot[bot] in #1627
- Bump docker/login-action from 3.7.0 to 4.0.0 by @dependabot[bot] in #1631
- Bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by @dependabot[bot] in #1632
- Bump docker/metadata-action from 5.10.0 to 6.0.0 by @dependabot[bot] in #1633
- Bump docker/build-push-action from 6.19.2 to 7.0.0 by @dependabot[bot] in #1634
- Bump golang.org/x/net from 0.51.0 to 0.53.0 by @dependabot[bot] in #1657
- Bump github.com/fatih/color from 1.18.0 to 1.19.0 by @dependabot[bot] in #1641
- Bump golang.org/x/crypto from 0.50.0 to 0.51.0 by @dependabot[bot] in #1653
- Bump golang.org/x/net from 0.53.0 to 0.55.0 by @dependabot[bot] in #1673
- Bump golang.org/x/crypto from 0.51.0 to 0.53.0 by @dependabot[bot] in #1674
- Bump docker/setup-buildx-action from 3.12.0 to 4.1.0 by @dependabot[bot] in #1669
- Bump actions/checkout from 4 to 7 by @dependabot[bot] in #1684
- Bump docker/build-push-action from 7.0.0 to 7.2.0 by @dependabot[bot] in #1666
- Bump docker/metadata-action from 6.0.0 to 6.1.0 by @dependabot[bot] in #1667
- Bump docker/login-action from 4.0.0 to 4.2.0 by @dependabot[bot] in #1668
- Bump github.com/gorilla/csrf from 1.7.2 to 1.7.3 by @dependabot[bot] in #1361
- Bump golang.org/x/net from 0.55.0 to 0.56.0 by @dependabot[bot] in #1693
- Bump docker/login-action from 4.2.0 to 4.3.0 by @dependabot[bot] in #1695
Upgrading from v0.16.x or earlier
- Download the latest release for your operating system and architecture
- Stop running your
writefreelyserver - Replace all files in your installation (except for the
keysdirectory) with the ones in the archive - Update your database by running:
writefreely db migrate - Start your
writefreelyserver again
If you're upgrading from a much earlier version, follow the instructions in each previous release.
New Contributors
Thank you to all who contributed to this release!
- @smazmi made their first contribution in #1565
- @blacklight made their first contribution in #1437
- @lolbinarycat made their first contribution in #1142
- @robertsilen made their first contribution in #1665