CHANGELOG.md 611 KB
Newer Older
1 2 3
**Note:** This file is automatically generated. Please see the [developer
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
Felipe's avatar
Felipe committed
4

5 6 7 8 9 10 11
## 12.6.4

### Security (1 change)

- Fix private objects exposure when using Project Import functionality.


12 13 14 15 16 17 18 19 20 21 22 23
## 12.6.2

### Security (6 changes)

- GraphQL: Add timeout to all queries.
- Filter out notification settings for projects that a user does not have at least read access.
- Hide project name and path when unsusbcribing from an issue or merge request.
- Fix 500 error caused by invalid byte sequences in uploads links.
- Return only runners from groups where user is owner for user CI owned runners.
- Fix Vulnerability of Release Evidence.


24 25
## 12.6.1

26 27 28 29 30 31 32 33 34
### Fixed (2 changes)

- Handle forbidden error when checking for knative. !22170
- Fix stack trace highlight for PHP. !22258

### Performance (1 change)

- Eliminate N+1 queries in PipelinesController#index. !22189

35

36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247
## 12.6.0

### Security (4 changes)

- Update Rugged to v0.28.4.1. !21869
- Update maven_file_name_regex for full string match.
- Add maven file_name regex validation on incoming files.
- Update Workhorse and Gitaly to fix a security issue.

### Removed (1 change)

- Remove downstream pipeline connecting lines. !21196

### Fixed (101 changes, 16 of them are from the community)

- Fix delete user dialog bypass caused by hitting enter. !17343
- Fix broken UI on Environment folder. !17427 (Takuya Noguchi)
- Fix award emoji tooltip being escaped twice if multiple people voted. !19273 (Brian T)
- Use cascading deletes for deleting oauth_openid_requests upon deleting an oauth_access_grant. !19617
- Update merging an MR behavior on the API when pipeline fails. !19641 (briankabiro)
- Vertically align collapse button on epic sidebar. !19656
- Fix projects list to show info in user's locale. !20015 (Arun Kumar Mohan)
- Update padding for cluster alert warning. !20036 (George Tsiolis)
- Show correct warning on issue when project is archived. !20078
- Resets aria-describedby on mouseleave. !20092 (carolcarvalhosa)
- Allow patch notes on repo tags page to word wrap. !20135
- Remove Release edit url for users not allowed to update a release. !20136
- Fix group managed accounts members cleanup. !20157
- Epic tree bug fixes. !20209
- Add missing external-link icon for Crossplane managed app. !20283
- Fixes MR approvers tooltip wrong color. !20287 (Dheeraj Joshi)
- Ignore empty MR diffs when migrating to external storage. !20296
- Add link color to design comments. !20302
- Fix graph groups in monitor dashboard that are hidden on load. !20312
- Update Container Registry naming restrictions to allow for sequential '-'. !20318
- Fixed monitor charts from throwing error when zoomed. !20331
- Validate the merge sha before merging, confirming that the merge will only contain what the user saw. !20348
- Change container registry column name from Tag ID to Image ID. !20349
- Fix dropdown location on the monitoring charts. !20400
- Fixed project import from export ignoring namespace selection. !20405
- Backup: Disable setting of ACL for Google uploads. !20407
- Fix documentation link from empty environment dashboard. !20415
- Move persistent_ref.create into run_after_commit. !20422
- Update external link to provider in cluster settings. !20425
- Fix issue trying to edit weight with collapsed sidebar as guest. !20431
- Handle empty stacktrace and entries with no code. !20458
- Refactor the Deployment model so state machine events are used by both CI and the API. !20474
- Guest users should not delete project snippets they created. !20477
- Accept user-defined dashboard uids in Grafana embeds. !20486
- Fix multi select input padding in project and group user select. !20520 (Kevin Lee)
- Use correct fragment identifier for vulnerability help path. !20524
- Fix group search in groups dropdown. !20535
- Fix removing of child epics that belong to subgroups. !20610
- Fix opening Sentry error details in new tab. !20611
- Ensure next unresolved discussion button takes user to the right place. !20620
- Allow Gitlab GKE clusters to access Google Cloud Registry private images. !20662 (Tan Yee Jian)
- Fix cron parsing for Daylight Savings. !20667
- Fix incorrect new branch name from issue. !20677 (Lee Tickett)
- Improve the way the metrics dashboard waits for data. !20687
- Remove destroy_personal_snippet ability. !20717
- Try longer to clean up after using a gpg-keychain and raise exption if the cleanup fails. !20718
- Fix tooltip hovers in environments table. !20737
- Remove DB transaction from Rebase operation. !20739
- Improve UX for vulnerability dismissal note. !20768
- Fix change to default foreground and backgorund colors in job log. !20787
- Display Labels item in sidebar when Issues are disabled. !20817
- Junit success percentage no longer displays 100% if there are failures. !20835
- Ensure to check create_personal_snippet ability. !20838
- Fix a display bug in the fork removal description message. !20843
- Validate unique environment scope for instance clusters. !20886
- Add empty region when group metrics are missing. !20900
- Adjust issue metrics first_mentioned_in_commit_at calculation. !20923
- Update copy on managed namespace prefixes. !20935
- Add protected branch permission check to run downstream pipelines. !20964
- Fix assignee url in issue board sidebar. !20992 (Lee Tickett)
- Retrieve issues from subgroups when rendering group milestone. !21024
- Adds 409 when user cannot be soft deleted through the API. !21037
- Respect the timezone reported from Gitaly. !21066
- Fix Container repositories can not be replicated when s3 is used. !21068
- Remove redundant toast.scss file and variables. !21105
- Respect snippet query params when displaying embed urls. !21131
- Remove action buttons from designs tab if there are no designs. !21186
- Correctly return stripped PGP text. !21187 (Roger Meier)
- Fix error when linking already linked issue to epic. !21213
- Do not attribute unverified commit e-mails to GitLab users. !21214
- Add nonunique indexes to Labels. !21230
- Fix snippet routes. !21248
- Fix Zoom Quick Action server error when creating a GitLab Issue. !21262
- Rename snippet refactored routes. !21267
- Validate connection section in direct upload config. !21270
- Fix pipeline retry in a CI DAG. !21296
- Authenticate runner requests in Rack::Attack. !21311
- Fix top border of README file header in file list. !21314
- Fix forking a deduplicated project after it was moved to a different shard. !21339
- Fix misaligned approval tr. !21368 (Lee Tickett)
- Fix crash registry contains helm charts. !21381
- Web IDE: Fix the console error that happens when discarding a newly added/uploaded file. !21537
- Authenticate requests with job token as basic auth header for request limiting. !21562
- Fix Single-File-Editor-Layout breaking when branch name is too long. !21577 (Roman Kuba)
- Fix top border of README in vue_file_list. !21578 (Hector Bustillos)
- Stage dropdown lists style corrections. !21607 (Hector Bustillos)
- Change commit_id type on commit_user_mentions table. !21651
- Do not clean the prometheus metrics directory for sidekiq. !21671
- !21542 Part 1: Add new utils for Web IDE store. !21673
- Update auto-deploy-image to v0.8.3. !21696
- Match external user new snippet button visibility to permissions. !21718
- Links to design comments now lead to specific note. !21724
- Re-enable the cloud run feature. !21762
- Ensure forks count cache refresh for source project. !21771
- Fix padding on the design comments. !21839
- Fix "Discard all" for new and renamed files. !21854
- Fix project file finder url encoding file path separators. !21861
- Ensure namespace is present for Managed-Cluster-Applications CI template. !21903
- Rename common template jobs in sast and ds. !22084
- Fixed query behind release filter on merge request search page. !38244
- Activate projects Prometheus service integration when Prometheus managed application is installed on shared cluster.

### Deprecated (4 changes)

- Drop deprecated column from projects table. !18914
- Limit number of projects displayed in GET /groups/:id API. !20023
- Move operations project routes under - scope. !20456
- Move wiki routing under /-/ scope. !21185

### Changed (60 changes, 10 of them are from the community)

- Use better context-specific empty state screens for the Security Dashboards. !18382
- Add evidence collection for Releases. !18874
- Update information and button text for deployment footer. !18918
- Move merge request description into discussions tab. !18940
- Keep details in MR when changing target branch. !19138
- Make internal projects poolable. !19295 (briankabiro)
- Enable support for multiple content query in GraphQL Todo API. !19576
- Allow merge without refresh when new commits are pushed. !19725
- Correct link to Merge trains documentation on MR widget. !19726
- Preserve merge train history. !19864
- Support go-source meta tag for godoc.org. !19888 (Ethan Reesor (@firelizzard))
- Display a better message when starting a discussion on a deleted comment. !20031 (Jacopo Beschi @jacopo-beschi)
- Add sort param to error tracking issue index. !20101
- Add template repository usage to the usage ping. !20126 (minghuan lei)
- Convert flash epic error to form validation error. !20130
- Add 'download' button to Performance Bar. !20205 (Will Chandler)
- SaaS trial copy shows plan. !20207
- Add rbac access to knative-serving namespace deployments to get knative version information. !20244
- Unlock button changed from Icon to String. !20307
- Upgrade to Gitaly v1.72.0. !20313
- Increase upper limit of start_in attribute to 1 week. !20323 (Will Layton)
- Add CI variable to show when Auto-DevOps is explicitly enabled. !20332
- Hashed Storage attachments migration: exclude files in object storage as they are all hashed already. !20338
- Removes caching for design tab discusisons. !20374
- Fixes to inconsistent margins/sapcing in the project detail page. !20395
- Changes to how the search term is styled in the results. !20416
- Move confidence column in the security dashboard. !20435 (Dheeraj Joshi)
- Upgrade to Gitaly v1.73.0. !20443
- Replacing incorrect icon in security dashboard. !20510
- Rework pod logs navigation scheme. !20578
- Reduce start a trial rocket emoji size. !20579
- Upgrade auto-deploy-image for helm default values file. !20588
- Exposed deployment build manual actions for merge request page. !20615
- Upgrade to Gitaly v1.74.0. !20706
- Fetches initial merge request widget data async. !20719
- Add service desk information to project graphQL endpoint. !20722
- Add admin mode controller path to Rack::Attack defaults. !20735 (Diego Louzán)
- Add more filters to SnippetsFinder. !20767
- Clean up the cohorts table. !20779
- Remove vulnerability counter from security tab. !20800
- Only blacklist IPs from Git requests. !20828
- Optimize Deployments endpoint by preloading associations and make record ordering more consistent. !20848
- Update deploy instances color scheme. !20890
- Add service desk information to projects API endpoint. !20913
- Added event tracking to the package details installation components. !20967
- Hide Merge Request information on milestones when MRs are disabled for project. !20985 (Wolfgang Faust)
- Upgrade to Gitaly v1.75.0. !21045
- Evidence - Added restriction for guest on Release page. !21102
- Increase lower DAG `needs` limit from five to ten. !21237
- Add doc links to features on admin dashboard. !21419
- Autofocus cluster dropdown search input. !21440
- Add autofocus to label search fields. !21508
- When a forked project is less visible than its source, merge requests opened in the fork now target the less visible project by default. !21517
- UI improvements in the views for new project from template and the user groups and snippets. !21524 (Hector Bustillos)
- Show merge immediately dialog even if the MR's pipeline hasn't finished. !21556
- Support toggling service desk from API. !21627
- Make `workflow:rules` to work well with Merge Requests. !21742
- Upgrade to Gitaly v1.76.0. !21857
- Remove authentication step from visual review tools instructions.
- Fixes wording on runner admin.

### Performance (22 changes)

- Optimize query for CI pipelines of merge request. !19653
- Replace index on environments table project_id and state with project_id, state, and environment_type. !19902
- Remove reactive caching value keys once the alive key has expired. !20111
- Suggest squash commit messages based on recent commits. !20231
- Improve performance of /api/:version/snippets/public API and only return public personal snippets. !20339
- Add limit for snippet content size. !20346
- Reduce Gitaly calls in BuildHooksWorker. !20365
- Enable ETag caching for MR notes polling. !20440
- Disable public project counts on welcome page. !20517
- Optimize query when Projects API requests private visibility level. !20594
- Improve issues search performance on GraphQL. !20784
- UpdateProjectStatistics updates after commit. !20852
- Run housekeeping after moving a repository between shards. !20863
- Require group_id or project_id for MR target branch autocomplete action. !20933
- Cache the ancestor? Gitaly call to speed up polling for the merge request widget. !20958
- Optimize loading the repository deploy keys page. !20970
- Added lightweight check when retrieving Prometheus metrics. !21099
- Limit max metrics embeds in GFM to 100. !21356
- Fork Puma to validate scheduler fixes. !21547
- Remove an N+1 call rendering projects search results. !21626
- Skip updating LFS objects in mirror updates if repository has not changed. !21744
- Add indexes on deployments to improve environments search. !21789

248
### Added (119 changes, 18 of them are from the community)
249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366

- Add upvote/downvotes attributes to GraphQL Epic query. !14311
- Delete kubernetes cluster association and resources. !16954
- Add badge name field. !16998 (Lee Tickett)
- Add OmniAuth authentication support to admin mode feature. !18214 (Diego Louzán)
- Creates DB tables for storing mentioned users, groups, projects referenced in a note or issuable description. !18316
- Add body data elements for pageview context. !18450
- Added filtering of inherited members for subgroups. !18842
- Added responsiveness to audit events table. !18859
- Add ability to make Jira comments optional. !19004
- Store users, groups, projects mentioned in Markdown to DB tables. !19088
- Upgrade `mail_room` gem to 0.10.0 and enable structured logging. !19186
- Add possibility to save max issue weight on lists. !19220
- Return 422 status code in case of error in submitting comments. !19276 (raju249)
- Add Personal Access Token expiration reminder. !19296
- Add recent search to error tracking. !19301
- Resolve Limit the number of stored sessions per user. !19325
- Add services for 'soft-delete for groups' feature. !19358
- Notify user when over 1000 epics in roadmap. !19419
- Search list of Sentry errors by title in GitLab. !19439
- Add issue statistics to releases on the Releases page. !19448
- Add snowplow events for monitoring dashboard. !19455
- Add snowplow events for APM. !19463
- Add GraphQL mutation to mark all todos done for a user. !19482
- Added rules configuration for Ci::Bridge. !19605
- Add workers for 'soft-delete for groups' feature. !19679
- add tagger within tag view. !19681 (Roger Meier)
- Strong validate import export references. !19682
- Update Release API with evidence related data. !19706
- Graphql query for issues can now be sorted by weight. !19721
- GraphQL for Sentry rror details. !19733
- View closed issues in epic. !19741
- Add API endpoint to unpublish GitLab Pages. !19781
- Add Pipeline Metadata to Packages. !19796
- Create data model for serverless domains. !19835
- Add Unify Circuit project integration service. !19849 (Fabio Huser)
- add sha256 fingerprint to keys model, view and extend users API to search user via fingerprint. !19860 (Roger Meier)
- Allow order_by updated_at in Pipelines API. !19886
- Implement pagination for project releases page. !19912 (Fabio Huser)
- Add migrations for secret snippets. !19939
- Control passing artifacts from CI DAG needs. !19943
- Genereate a set of sample prometheus metrics and route to the sample metrics when enabled. !19987
- Add warning dialog when users click the "Merge immediately" merge train option. !20054
- Expose moved_to_id in issues API. !20083 (Lee Tickett)
- Relate issues when they are marked as duplicated. !20161 (minghuan lei)
- Asks for confirmation before changing project visibility level. !20170
- Allow CI config path to point to a URL or file in a different repository. !20179
- Allow groups to disable mentioning their members, if the group is mentioned. !20184 (Fabio Huser)
- Add modsecurity deployment counts to usage ping. !20196
- Added legend to deploy boards. !20208
- Support passing CI variables via git push options. !20255
- Add GraphQL mutation to restore a Todo. !20261
- Allow specifying Kubernetes namespace for an environment in gitlab-ci.yml. !20270
- Add migrations for 'soft-delete for groups' feature. !20276
- Add Maven installation commands to package detail page for Maven packages. !20300
- Add feature to allow specifying userWithId strategies per environment spec. !20325
- Enable creating Amazon EKS clusters from GitLab. !20333
- Add ability to create new issue from sentry error detail page. !20337
- Convert flash alerts to toasts. !20356
- Return project commit url instead of commits url. !20369 (raju249)
- Collect the date a SaaS trial starts on. !20384
- Add option to delete cached Kubernetes namespaces. !20411
- Create container expiration policies for projects. !20412
- Adjust fork network relations upon project visibility change. !20466
- Create a license info rake task. !20501 (Jason Colyer)
- Add GraphQL mutation for changing due date of an issue. !20577
- Add Snippet GraphQL resolver endpoints. !20613
- Allow Job-Token authentication on Releases creation API. !20632
- Add created_before/after filter to group/project audit events. !20641
- Allow searching of projects by full path. !20659
- Allow administrators to set a minimum password length. !20661
- Update helper text for sentry error tracking settings. !20663 (Rajendra Kadam)
- Adds ability to create issues from sentry details page. !20666
- Add coverage difference visualization to merge request page. !20676 (Fabio Huser)
- Use CI configured namespace for deployments to unmanaged clusters. !20686
- Resolve Design view: Download single issue design image. !20703
- Import large gitlab_project exports via rake task. !20724
- Added Total/Frontend metrics to the performance bar. !20725
- Add dependency scanning flag for skipping automatic bundler audit update. !20743
- Add GraphQL mutation for setting an issue as confidential. !20785
- Track adding metric via monitoring dashboard. !20818
- Add _links object to package api response. !20820
- CI template for installing cluster applications. !20822
- Add SalesforceDX project template. !20831
- Allow NPM package downloads with CI_JOB_TOKEN. !20868
- Allow raw blobs to be served from an external storage. !20936
- Added Snippets GraphQL mutations. !20956
- Added WebHookLogs for ServiceHooks. !20976
- Surface GitLab issue in error detail page. !21019
- Add type to broadcast messages. !21038
- add OpenAPI file viewer. !21106 (Roger Meier)
- Add updated_before and updated_after filters to the Pipelines API endpoint. !21133
- Implement pagination for sentry errors. !21136
- Add support for Conan package management in the package registry. !21152
- Add syntax highlight for Sentry error stack trace. !21182
- Keyset pagination for REST API (Project endpoint). !21194
- CI template for Sentry managed app. !21208
- Add CI variable to set the version of pip when scanning dependencies of Python projects. !21218
- Add dependency scanning flag for specifying pip requirements file for scanning. !21219
- Do not allow specifying a Kubernetes namespace via CI template for managed clusters. !21223
- Sort Sentry error list by first seen, last seen or frequency. !21250
- Add documentation about dependency scanning gradle support. !21253
- Allow PDF attachments to be opened on browser. !21272
- Add child label to commit box. !21323
- Update Knative to 0.9.0. !21361 (cab105)
- Add target_path to broadcast message API. !21430
- Allow Kubernetes namespaces specified via CI template to be used for terminals, pod logs and deploy boards. !21460
- Allow styling broadcast messages. !21522
- Enable new job log by default. !21543
- Document support for sbt dependency scanning. !21588
- Return multiple errors from CI linter. !21589
- Add specific error states to dashboard. !21618
- Add timestamps to pod logs. !21663
- Hide profile information when user is blocked. !21706
- link to group on group admin page. !21709
- Added migration which adds service desk username column. !21733
- Add SentryIssue table to store a link between issue and sentry issue. !37026
- Add path based targeting to broadcast messages.
367 368
- Add allow failure in pipeline webhook event. !20978 (Gaetan Semet)
- Add runner information in build web hook event. !20709 (Gaetan Semet)
369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424

### Other (51 changes, 28 of them are from the community)

- Remove done callbacks from vue_shared/components/markdown. !16842 (Lee Tickett)
- Update timeago to the latest release. !19407
- Improve job tokens and provide access helper. !19793
- Add post deployment migration to complete pages metadata migration. !19928
- Resolve Document - Make using GitLab auth with Vault easy. !19980
- Remove IIFEs from gl_dropdown.js. !19983 (nuwe1)
- Improve sparkline chart in MR widget deployment. !20085
- Updated jekyll project_template. !20090 (Marc Schwede)
- Updated hexo project_template. !20105 (Marc Schwede)
- Updated hugo project_template. !20109 (Marc Schwede)
- Resolve environment rollback was not friendly. !20121
- Removed all references of BoardService. !20144 (nuwe1)
- Removes references of BoardService in list file. !20145 (nuwe1)
- replace var gl_dropdown.js. !20166 (nuwe1)
- delete board_service.js. !20168 (nuwe1)
- Improve create confidential MR dropdown styling. !20176 (Lee Tickett)
- Remove milestone_id from epics. !20187 (Lee Tickett)
- Remove build badge path from route. !20188 (Lee Tickett)
- Add worker attributes to Sidekiq metrics. !20292
- Update GitLab Runner Helm Chart to 0.11.0. !20461
- add missing test for add_index rubocop rule. !20464 (Eric Thomas)
- Suppress progress on pulling image on Code Quality of Auto DevOps. !20604 (Takuya Noguchi)
- Increase margin between project stats. !20606
- Remove extra spacing below sidebar time tracking info. !20657 (Lee Tickett)
- Add e2e qa test for email delivery. !20675 (Diego Louzán)
- Collect project import failures instead of failing fast. !20727
- Removed unused methods in monitoring dashboard. !20819
- removes references of BoardService. !20872 (nuwe1)
- removes references of BoardService. !20874 (nuwe1)
- removes references of BoardService. !20875 (nuwe1)
- removes references of BoardService. !20876 (nuwe1)
- removes references of BoardService. !20877 (nuwe1)
- removes references of BoardService. !20879 (nuwe1)
- removes references of BoardService. !20880 (nuwe1)
- removes references of BoardService. !20881 (nuwe1)
- Remove whitespaces between tree-controls elements. !20952
- Add Project Export request/download rate limits. !20962
- Remove feature flag for limiting diverging commit counts. !20999
- Changed 'Add approvers' to 'Approval rules'. !21079
- Resolve Add missing popover and remove none in MR widget. !21095
- Change Puma log format to JSON. !21101
- Update GitLab Shell to v10.3.0. !21151
- Improve diff expansion text. !21616
- Remove var from app/assets/javascripts/commit/image_file.js. !21649 (Abubakar Hassan)
- Rename User#full_private_access? to User#can_read_all_resources?. !21668 (Diego Louzán)
- Replace CI_COMMIT_REF with CI_COMMIT_SHA on CI docs. !21781 (Takuya Noguchi)
- Add reportSnippet permission to Snippet GraphQL. !21836
- Harmonize capitalization on cluster UI. !21878 (Evan Read)
- Add mark as spam snippet mutation. !21912
- Update Workhorse to v8.18.0. !22091
- Replace Font Awesome bullhorn icon with GitLab bullhorn icon.


John Skarbek's avatar
John Skarbek committed
425 426
## 12.5.5

427 428 429 430 431 432 433 434 435
### Security (1 change)

- Upgrade Akismet gem to v3.0.0. !21786

### Fixed (2 changes)

- Fix error in updating runner session. !20902
- Fix Asana integration. !21501

John Skarbek's avatar
John Skarbek committed
436

437 438 439 440 441 442
## 12.5.4

### Security (1 change)

- Update maven_file_name_regex for full string match.

443

444 445 446 447 448 449 450 451 452 453 454 455 456 457
## 12.5.3

### Fixed (4 changes)

- Fix project creation with templates using /projects/user/:id API. !20590
- Fix merging merge requests from push options. !20639
- Fix Crossplane help link in cluster applications page. !20668
- Fixes job log not scrolling to the bottom.

### Changed (1 change)

- Flatten exception details in API and controller logs. !20434


458 459
## 12.5.1

460
### Security (11 changes)
461

462 463
- Do not create todos for approvers without access. !1442
- Hide commit counts from guest users in Cycle Analytics.
464 465
- Encrypt application setting tokens.
- Update Workhorse and Gitaly to fix a security issue.
466 467
- Add maven file_name regex validation on incoming files.
- Check permissions before showing a forked project's source.
468 469 470 471
- Limit potential for DNS rebind SSRF in chat notifications.
- Ensure are cleaned by ImportExport::AttributeCleaner.
- Remove notes regarding Related Branches from Issue activity feeds for guest users.
- Escape namespace in label references to prevent XSS.
472
- Add authorization to using filter vulnerable in Dependency List.
473 474


475 476
## 12.5.0

477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494
### Security (15 changes)

- Enable the HttpOnly flag for experimentation_subject_id cookie. !19189
- Update incrementing of failed logins to be thread-safe. !19614
- Sanitize all wiki markup formats with GitLab sanitization pipelines.
- Sanitize search text to prevent XSS.
- Remove deploy access level when project/group link is deleted.
- Mask sentry auth token in Error Tracking dashboard.
- Return 404 on LFS request if project doesn't exist.
- Don't leak private members in project member autocomplete suggestions.
- Require Maintainer permission on group where project is transferred to.
- Don't allow maintainers of a target project to delete the source branch of a merge request from a fork.
- Disallow unprivileged users from commenting on private repository commits.
- Analyze incoming GraphQL queries and check for recursion.
- Show cross-referenced label and milestones in issues' activities only to authorized users.
- Do not display project labels that are not visible for user accessing group labels.
- Standardize error response when route is missing.

495
### Fixed (100 changes, 15 of them are from the community)
496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595

- Fix incorrect selection of custom templates. !17205
- Smaller width for design comments layout, truncate image title. !17547
- Correctly cleanup orphan job artifacts. !17679 (Adam Mulvany)
- Add Infinite scroll to Add Projects modal in the operations dashboard. !17842
- Allow emojis to be linkable. !18014
- Enable image link and lazy loading in AsciiDoc documents. !18164 (Guillaume Grossetie)
- Expose prometheus status to monitor dashboard. !18289
- Time limit the database lock when rebasing a merge request. !18481
- Fix missing admin mode UI buttons on bigger screen sizes. !18585 (Diego Louzán)
- Abort only MWPS when FF only merge is impossible. !18591
- Remove pointer cursor from MemoryUsage chart on MR widget deployment. !18599
- Fix keyboard shortcuts in header search autocomplete. !18685
- Fix empty chart in collapsed sections. !18699
- Fix error when viewing group billing page. !18740
- Fix query validation in custom metrics form. !18769
- Fix Gitaly call duration measurements. !18785
- Resolve Error when uploading a few designs in a row. !18811
- Block MR with OMIPS on skipped pipelines. !18838
- Pipeline vulnerability dashboard sort vulnerabilities by severity then confidence. !18863
- Remove empty Github service templates from database. !18868
- Fix broken images when previewing markdown files in Web IDE. !18899
- fixed #27164 Image cannot be collapsed on merge request changes tab. !18917 (Jannik Lehmann)
- Let ANSI \r code replace the current job log line. !18933
- Fix serverless function descriptions not showing on Knative 0.7. !18973
- Fix "project or group was moved" alerts showing up in the wrong pages. !18985
- Add missing breadcrumb in Project > Settings > Integrations. !18990
- Fixed admin geo collapsed sidebar fly out not showing. !19012
- Serialize short sha as nil if head commit is blank. !19014
- Add max width on manifest file attachment input. !19028
- Do not generate To-Dos additional when editing group mentions. !19037
- Fix previewing quick actions for epics. !19042
- Fix errors in GraphQL Todos API due to missing TargetTypeEnum values. !19052
- Hashed Storage Migration: Handle failed attachment migrations with existing target path. !19061
- Set shorter TTL for all unauthenticated requests. !19064
- Fix Todo IDs in GraphQL API. !19068
- Triggers the correct endpoint on licence approval. !19078
- Fix search button height on 404 page. !19080
- Fix Kubernetes help text link. !19121
- Make `jobs/request` to be resillient. !19150
- Disable pull mirror if repository is in read-only state. !19182
- Only enable protected paths for POST requests. !19184
- Enforce default, global project and snippet visibilities. !19188
- Make Bitbucket Cloud superseded pull requests as closed. !19193
- Fix crash when docker fails deleting tags. !19208
- Fix environment name in rollback dialog. !19209
- Fixed a typo in the "Keyboard Shortcuts" pop-up. !19217 (Manuel Stein)
- Fix unable to expand or collapse files in merge request by clicking caret. !19222 (Brian T)
- Allow release block edit button to be visible. !19226
- Fix double escaping in /tableflip quick action. !19271 (Brian T)
- Add missing bottom padding in CI/CD settings. !19284 (George Tsiolis)
- Prevents console warning on design upload. !19297
- Resolve: Web IDE does not create POSIX Compliant Files. !19339
- Use initial commit SHA instead of branch id to request IDE files and contents. !19348 (David Palubin)
- Resolve: Web IDE Throws Error When Viewing Diff for Renamed Files. !19348
- Fix project service API 500 error. !19367
- Fix cluster feature highlight popover image. !19372
- Fix template selector filename bug. !19376
- Fixes mobile styling issues on security modals. !19391
- Only move repos for legacy project storage. !19410
- Show correct total number of commit diff's changes. !19424
- Increase the timeout for GitLab-managed cert-manager installation to 90 seconds (was 30 seconds). !19447
- Fix uninitialized constant SystemDashboardService. !19453
- Properly handle exceptions in StuckCiJobsWorker. !19465
- Fix user popover not being displayed when the user has a status message. !19519
- Update omniauth_openid_connect to v0.3.3. !19525
- Fix project clone dropdown button width. !19551 (George Tsiolis)
- Do not escape HTML tags in Ansi2json as they are escaped in the frontend. !19610
- [Geo] Fix: undefined Gitlab::BackgroundMigration::PruneOrphanedGeoEvents. !19638
- Revert btn-xs styling in projects scss. !19640
- Fix canary badge and favicon inconsistency. !19645
- Use fingerprint when comparing security reports in MR widget. !19654
- Update GCP credit URLs. !19683
- Update squash_commit_sha only on successful merge. !19688
- Fix import of snippets having `award_emoji` (Project Export/Import). !19690
- Allow admins to administer personal snippets. !19693 (Oren Kanner)
- Re-add missing file sizes in 2-Up diff file viewer. !19710
- Fix checking task item when previous tasks contain only spaces. !19724
- Fix Bitbucket Cloud importer pull request state. !19734
- Fix merge train is not refreshed when the system aborts/drops a merge request. !19763
- Resolve Hide Delete selected in designs when viewing an old version. !19889
- Use new trial registration URL in billing. !19978
- Helm v2.16.1. !19981
- Ensure milestone titles are never empty. !19985
- Remove unused image/screenshot. !20030 (Lee Tickett)
- Remove local qualifier from geo sync indicators. !20034 (Lee Tickett)
- Fixed the scale of embedded videos to fit the page. !20056
- Fix broken monitor cluster health dashboard. !20120
- Fix expanding collapsed threads when reference link clicked. !20148
- Fix sub group export to export direct children. !20172
- Remove update hook from date filter to prevent js from getting stuck. !20215
- Prevent Dropzone.js initialisation error by checking target element existence. !20256 (Fabio Huser)
- Fix style reset in job log when empty ANSI sequence is encoutered. !20367
- Add productivity analytics merge date filtering limit. !32052
- Fix productivity analytics listing with multiple labels. !33182
- Fix closed board list loading issue.
- Apply correctly the limit of 10 designs per upload.
- Only allow confirmed users to run pipelines.
- Fix scroll to bottom with new job log.
- Fixed protected branches flash styling.
596
- Show tag link whenever it's a tag in chat message integration for push events and pipeline events. !18126 (Mats Estensen)
597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825

### Deprecated (2 changes)

- Ignore deprecated column and remove references to it. !18911
- Move some project routes under - scope. !19954

### Changed (56 changes, 6 of them are from the community)

- Upgrade design/copy for issue weights locked feature. !17352
- Reduce new MR page redundancy by moving the source/target branch selector to the top. !17559
- Replace raven-js with @sentry/browser. !17715
- Ask if the user is setting up GitLab for a company during signup. !17999
- When a user views a file's blame or blob and switches to a branch where the current file does not exist, they will now be redirected to the root of the repository. !18169 (Jesse Hall @jessehall3)
- Propagate custom environment variables to SAST analyzers. !18193
- Fix any approver project rule records. !18265
- Minor UX improvements to Environments Dashboard page. !18280
- Reduce the allocated IP for Cluster and Services. !18341
- Update flash messages color sitewide. !18369
- Add modsecurity template for ingress-controller. !18485
- Hide projects without access to admin user when admin mode is disabled. !18530 (Diego Louzán)
- Update Runners Settings Text + Link to Docs. !18534
- Store Zoom URLs in a table rather than in the issue description. !18620
- Improve admin dashboard features. !18666
- Drop `id` column from `ci_build_trace_sections` table. !18741
- Truncate recommended branch name to a sane length. !18821
- Add support for YAML anchors in CI scripts. !18849
- Save dashboard changes by the user into the vuex store. !18862
- Update expired trial status copy. !18962
- Can directly add approvers to approval rule. !18965
- Rename Vulnerabilities API to Vulnerability Findings API. !19029
- Improve clarity of text for merge train position. !19031
- Updated Auto-DevOps to kubectl v1.13.12 and helm v2.15.1. !19054 (Leo Antunes)
- Refactor maximum user counts in license. !19071 (briankabiro)
- Change return type of getDateInPast to Date. !19081
- Show approval required status in license compliance. !19114
- Handle new Container Scanning report format. !19123
- Allow container scanning to run offline by specifying the Clair DB image to use. !19161
- Add maven cli opts flag to maven security analyzer (part of dependency scanning). !19174
- Added report_type attribute to Vulnerabilities. !19179
- Migrate enabled flag on grafana_integrations table. !19234
- Improve handling of gpg-agent processes. !19311
- Update help text of "Tag name" field on Edit Release page. !19321
- Add user filtering to abuse reports page. !19365
- Move add license button to project buttons. !19370
- Update to Mermaid v8.4.2 to support more graph types. !19444
- Move release meta-data into footer on Releases page. !19451
- Expose subscribed field in issue lists queried with GraphQL. !19458 (briankabiro)
- [Geo] Fix: rake gitlab:geo:check on the primary is cluttered. !19460
- Hide trial banner for namespaces with expired trials. !19510
- Hide repeated trial offers on self-hosted instances. !19511
- Add loading icon to error tracking settings page. !19539
- Upgrade to Gitaly v1.71.0. !19611
- Make role required when editing profile. !19636
- Made `name` optional parameter of Release entity. !19705
- Vulnerabilities history chart - use sparklines. !19745
- Add event tracking to container registry. !19772
- Update SaaS trial header to include the tier Gold. !19970
- Update start a trial option in top right drop down to include Gold. !19971
- Improve merge request description placeholder. !20032 (Jacopo Beschi @jacopo-beschi)
- Add backtrace to production_json.log. !20122
- Change the default concurrency factor of merge train to 20. !20201
- Upgrade to Gitaly v1.72.0.
- Require explicit null parameters to remove pages domain certificate and allow to use Let's Encrypt certificates through API.
- Replace wording trace with log.

### Performance (13 changes)

- Record latencies for Sidekiq failures. !18909
- Fix N+1 for group container repositories view. !18979
- Do not render links in commit message on blame page. !19128
- Puma only: database connection pool now always >= number of worker threads. !19286
- Run check_mergeability only if merge status requires it. !19364
- Execute limited request for diff commits instead of preloading. !19485
- Improve performance of admin/abuse_reports page. !19630
- Remove N+1 DB calls from branches API. !19661
- Improve performance of linking LFS objects during import. !19709
- Optimize MergeRequest#mergeable_discussions_state? method. !19988
- Add index for unauthenticated requests to projects API default endpoint. !19989
- Add index for authenticated requests to projects API default endpoint. !19993
- Increase PumaWorkerKiller memory limit in development environment. !20039

### Added (83 changes, 8 of them are from the community)

- Adds Application Settings and ui settings in the integration admin area for Pendo. !15086
- Add endpoint for a group's vulnerable projects. !15317
- Added new chart component to display an anomaly boundary. !16530
- Add links to associated releases on the Milestones page. !16558
- Merge Details Page and Edit Page for Page Domains. !16687
- Share groups with groups. !17117
- Add links to associated release(s) to the milestone detail page. !17278
- New group path uniqueness check. !17394
- Unify html email layout for member html emails. !17699 (Diego Louzán)
- The Security Dashboard displays DAST vulnerabilities for all the scanned sites, not just the first. !17779
- Create table for elastic stack. !18015
- Allow to define a default CI configuration path for new projects. !18073 (Mathieu Parent)
- Issues queried in GraphQL now sortable by due date. !18094
- Add cleanup status to clusters. !18144
- Added Tests tab to pipeline detail that contains a UI for browsing test reports produced by JUnit. !18255
- Users can verify SAML configuration and view SamlResponse XML. !18362
- Support Enable/Disable operations in Feature Flag API. !18368
- Expose arbitrary job artifacts in Merge Request widget. !18385
- Add project option for deleting source branch. !18408 (Zsolt Kovari)
- Adds ability to set management project for cluster via API. !18429
- Close issues on Prometheus alert recovery. !18431
- Add ApplicationSetting for snowplow_iglu_registry_url. !18449
- Allow Grafana charts to be embedded in Gitlab Flavored Markdown. !18486
- Mark todo done by GraphQL API. !18581
- Create a users_security_dashboard_projects table to store the projects a user has added to their personal security dashboard. !18708
- New API endpoint for creating anonymous merge request discussions from Visual Review Tools. !18710
- Enable the color chip in AsciiDoc documents. !18723
- Add prevent_ldap_sign_in option so LDAP can be used exclusively for sync. !18749
- Show inherited group variables in project view. !18759
- Add "release" filter to issue search page. !18761
- Search list of Sentry errors by title in Gitlab. !18772
- Add migrations and changes for soft-delete for projects. !18791
- Support for Crossplane as a managed app. !18797 (Mahendra Bagul)
- Bump Auto-Deploy image to v0.3.0. !18809
- Set X-GitLab-NotificationReason header if notification reason is explicit subscription. !18812
- Add issues, MRs, participants, and labels tabs in group milestone page. !18818
- Add ability to reorder projects on operations dashboard. !18855
- Make `Job`, `Bridge` and `Default` inheritable. !18867
- Show epic events on group activity page. !18869
- Detail view of Sentry error in GitLab. !18878
- Expose mergeable state of a merge request. !18888 (briankabiro)
- Add ability to select a Cluster management project. !18928
- Add a Slack slash command to add a comment to an issue. !18946
- Added installation commands for npm and yarn packages to package detail page. !18999
- Show start and end dates in Epics list page. !19006
- Populate new pipeline CI vars from params. !19023
- Add warnings about pages access control settings. !19067
- Graphql mutation for (un)subscribing to an epic. !19083
- API for stack trace & detail view of Sentry error in GitLab. !19137
- Add grafana integration active status checkbox. !19255
- GraphQL: Add Merge Request milestone mutation. !19257
- Add MergeRequestSetAssignees GraphQL mutation. !19272
- Add edit button to metrics dashboard. !19279
- Add "release" filter to merge request search page. !19315
- Add dead jobs to Sidekiq metrics API. !19350 (Marco Peterseil)
- Add pipeline information to dependency list header. !19352
- Build CI cache key from commit SHAs that changed given files. !19392
- Adding support for searching tags using '^' and '$'. !19435 (Cauhx Milloy)
- Sentry error stacktrace. !19492
- Add an `error_code` attribute to the API response when a cherry-pick or revert fails. !19518
- Add documentation for sign-in application setting. !19561 (Horatiu Eugen Vlad)
- Create AWS EKS cluster. !19578
- Add modsecurity logging sidecar to ingress controller. !19600
- Add start a trial option in the top-right user dropdown. !19632
- Manage and display labels from epic in the GraphQL API. !19642
- Allow order_by updated_at in Deployments API. !19658
- Add can_edit and project_blob_path to metrics_dashboard endpoint. !19663
- Add usage ping data for project services. !19687
- Graphql query for issues can now be sorted by relative_position. !19713
- Add API endpoint to trigger Group Structure Export. !19779
- Show Tree UI containing child Epics and Issues within an Epic. !19812
- Enable environments dashboard by default. !19838
- Update the DB schema to allow linking between Vulnerabilities and Issues. !19852
- Add Group Audit Events API. !19868
- Adds a copy button next to package metadata on the details page. !19881
- GraphQL: Create MR mutations needed for the sidebar. !19913
- Add id_before, id_after filter param to projects API. !19949
- Add modsecurity feature flag to usage ping. !20194
- Specify management project for a Kubernetes cluster. !20216
- Upgrade pages to 1.12.0. !20217
- Support template_project_id parameter in project creation API. !20258
- Add heatmap chart support. !32424
- Add template for Serverless Framework/JS. !33805

### Other (59 changes, 26 of them are from the community)

- Add EKS cluster count to usage data. !17059
- Track the starting and stopping of the current signup flow and the experimental signup flow. !17521
- Attribute Sidekiq workers according to their workloads. !18066
- Add ApplicationSetting entries for EKS integration. !18307
- Geo: Add resigns-related fields to Geo Node Status table. !18379
- Allow adding requests to performance bar manually. !18464
- Removes `export_designs` feature flag. !18507 (nate geslin)
- Update AWS SDK to 2.11.374. !18601
- Remove required dependecy of Postgresql for Gitaly. !18659
- Add deployment_merge_requests table. !18755
- Bump Gitaly to 1.70.0 and remove cache invalidation feature flag. !18766
- Update gRPC to v1.24.0. !18837
- Update GitLab Runner Helm Chart to 0.10.0. !18879
- Adds a Sidekiq queue duration metric. !19005
- Create explicit Default and Free plans. !19033
- Improve instance mirroring help text. !19047
- Add Codesandbox metrics to usage ping. !19075
- Add internal_socket_dir to gitaly config in setup helper. !19170
- Use Rails 5.2 Redis caching store. !19202
- Update GitLab Runner Helm Chart to 0.10.1. !19232
- Rename snowplow_site_id to snowplow_app_id in application_settings table. !19252
- Removed IIFEs from network.js file. !19254 (nuwe1)
- Remove IIFEs from project_select.js. !19288 (minghuan lei)
- Remove IIFEs from merge_request.js. !19294 (minghuan lei)
- Make snippet list easier to scan. !19490
- Removed IIFEs from image_file.js. !19548 (nuwe1)
- Fix api docs for deleting project cluster. !19558
- Change blob edit view button styling. !19566
- Include exception and backtrace in API logs. !19671
- Add index on marked_for_deletion_at in projects table. !19788
- Visual design for edit buttons in blob view. !19932
- Refactor disabled sidebar notifications to Vue. !20007 (minghuan lei)
- Remove IIFEs from branch_graph.js. !20008 (minghuan lei)
- Remove IIFEs from new_branch_form.js. !20009 (minghuan lei)
- Remove duplication from slugifyWithUnderscore function. !20016 (Arun Kumar Mohan)
- Update registry.gitlab.com/gitlab-org/security-products/codequality to 12-5-stable. !20046 (Takuya Noguchi)
- Add mb-2 class to global alerts. !20081 (2knal)
- Remove var from syntax_highlight_spec.js. !20086 (Lee Tickett)
- Remove var from merge_request_tabs_spec.js. !20087 (Lee Tickett)
- Remove var from bootstrap_jquery_spec.js. !20089 (Lee Tickett)
- Remove var from project_select.js. !20091 (Lee Tickett)
- Remove var from new_commit_form.js. !20095 (Lee Tickett)
- Remove var from issue.js. !20098 (Lee Tickett)
- Remove var from new_branch_form.js. !20099 (Lee Tickett)
- Remove var from tree.js. !20103 (Lee Tickett)
- Remove var from line_highlighter.js. !20108 (Lee Tickett)
- Remove var from preview_markdown.js. !20115 (Lee Tickett)
- remove all references of BoardService in boards_selector.vue. !20147 (nuwe1)
- Remove all references to BoardsService in index.vue. !20152 (nuwe1)
- Remove var from labels_select.js. !20153 (Lee Tickett)
- Remove all reference to BoardService in board_form.vue. !20158 (nuwe1)
- Remove calendar icon from personal access tokens. !20183
- Move margin-top from flash container to flash. !20211
- Bump Auto DevOps deploy image to v0.7.0. !20250
- Make 'Sidekiq::Testing.fake!' mode as default. !31662 (@blackst0ne)
- Replace task-done icon with list-task icon to better align with other toolbar list icons.
- Dependency Scanning template that doesn't rely on Docker-in-Docker.
- Adding dropdown arrow icon and updated text alignment.
- Change selects from default browser style to custom style.

826

827 828 829 830 831 832 833
## 12.4.8

### Security (1 change)

- Fix private objects exposure when using Project Import functionality.


834 835 836 837
## 12.4.5

- No changes.

838 839 840 841 842 843 844 845
## 12.4.3

### Fixed (2 changes)

- Only enable protected paths for POST requests. !19184
- Fix Bitbucket Cloud importer pull request state. !19734


846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866
## 12.4.2

### Fixed (10 changes)

- Increase timeout for FetchInternalRemote RPC call. !18908
- Clean up duplicate indexes on ci_trigger_requests. !19053
- Fix project imports not working with serialized data. !19124
- Fixed welcome screen icons not showing. !19148
- Disable protected path throttling by default. !19185
- Fix Prometheus duplicate metrics. !19327
- Fix ref switcher not working on Microsoft Edge. !19335
- Extend gRPC timeouts for Rake tasks. !19461
- Disable upload HTTP caching to fix case when object storage is enabled and proxy_download is disabled. !19494
- Removes arrow icons for old collapsible sections.

### Changed (2 changes)

- Increased deactivation threshold to 180 days. !18902
- Add extra sentence about registry to AutoDevOps popup. !19092


867 868
## 12.4.1

869
### Security (14 changes)
870 871 872 873

- Standardize error response when route is missing.
- Do not display project labels that are not visible for user accessing group labels.
- Show cross-referenced label and milestones in issues' activities only to authorized users.
874
- Show cross-referenced label and milestones in issues' activities only to authorized users.
875 876 877 878 879 880 881 882
- Analyze incoming GraphQL queries and check for recursion.
- Disallow unprivileged users from commenting on private repository commits.
- Don't allow maintainers of a target project to delete the source branch of a merge request from a fork.
- Require Maintainer permission on group where project is transferred to.
- Don't leak private members in project member autocomplete suggestions.
- Return 404 on LFS request if project doesn't exist.
- Mask sentry auth token in Error Tracking dashboard.
- Fixes a Open Redirect issue in `InternalRedirect`.
883
- Remove deploy access level when project/group link is deleted.
884 885 886
- Sanitize all wiki markup formats with GitLab sanitization pipelines.


887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205
## 12.4.0

### Security (14 changes)

- HTML-escape search term in empty message. !18319
- Fix private feature Elasticsearch leak.
- Prevent bypassing email verification using Salesforce.
- Fix new project path being disclosed through unsubscribe link of issue/merge requests.
- Do not show resource label events referencing not accessible labels.
- Check permissions before showing head pipeline blocking merge requests.
- Cancel all running CI jobs triggered by the user who is just blocked.
- Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings.
- Display only participants that user has permission to see on milestone page.
- Fix Gitaly SearchBlobs flag RPC injection.
- Add a policy check for system notes that may not be visible due to cross references to private items.
- Limit search for IID to a type to avoid leaking records with the same IID that the user does not have access to.
- Prevent GitLab accounts takeover if SAML is configured.
- Only render fixed number of mermaid blocks.

### Fixed (103 changes, 12 of them are from the community)

- When user toggles task list item, keep details open until user closes the details manually. !16153
- Fix formatting welcome screen external users. !16667
- Fix signup link in admin area not being disabled. !16726 (Illya Klymov)
- Fix routing bugs in security dashboards. !16738
- Fix Jira integration favicon image with relative URL. !16802
- Add timeout mechanism for CI config validation. !16807
- Fix for count in todo badge when user has over 1,000 todos. Will now correctly display todo count after user marks some todos as done. !16844 (Jesse Hall @jessehall3)
- Naming a project "shared" will no longer automatically open the "Shared Projects" tab. !16847 (Jesse Hall @jessehall3)
- Adds the ability to delete single tags from the docker registry. Fix the issue that caused all related tags and image to be deleted at the same time. !16886
- Changed confidential quick action to only be available on non confidential issues. !16902 (Marc Schwede)
- Stop sidebar icons from jumping when expanded & collapsed. !16971
- Set name and updated_at properly in GitHub ReleaseImporter. !17020
- Remove thin white line at top of diff view code blocks. !17026
- Show correct CI indicator when build succeeded with warnings. !17034
- Create a persistent ref per pipeline for keeping pipelines run from force-push and merged results. !17043
- Move SMAU usage counters to the UsageData count field. !17074
- Allow maintainers to toggle write permission for public deploy keys. !17210
- Fix GraphQL for read-only instances. !17225
- Fix visibility level error when updating group from API. !17227 (Mathieu Parent)
- Fix stylelint errors in epics.scss. !17243
- Fix new discussion replies sometimes showing up twice. !17255
- Adjust unnapliable suggestions in expanded lines. !17286
- Show all groups user belongs to in Notification settings. !17303
- Alphabetically sorts selected sidebar labels. !17309
- Show issue weight when weight is 0. !17329 (briankabiro)
- Generate LFS token authorization for user LFS requests. !17332
- Backfill releases table updated_at column and add not null constraints to created_at and updated_at. !17400
- Log Sidekiq exceptions properly in JSON format. !17412
- Redo fix for related issues border radius. !17480
- Show the original branch name and link of merge request in pipeline emails. !17513
- Fixes issues with the security reports migration. !17519
- Users can view the blame or history of a file with newlines in its filename. !17543 (Jesse Hall @jessehall3)
- Display reCAPTCHA modal when making issue public. !17553
- Fix css selector for details in issue description. !17557
- Prevents a group path change when a project inside the group has container registry images. !17583
- Show 20 labels in dropdown instead of 5. !17596
- Nullify platform Kubernetes namespace if blank. !17657
- Fix Issue: WebIDE asks for confirmation to leave the page when committing and creating a new MR. !17671
- Catch unhandled exceptions in health checks. !17694
- Suppress error messages shown when navigating to a new page. !17706
- Specify sort order explicitly for Group and Project audit events. !17739
- Merge Request: Close JIRA issues when issues are disabled. !17743
- Disable gitlab-workhorse static error page on health endpoints. !17770
- Fix notes race condition when linking to specific note. !17777
- Fix relative positioning when moving items down and there is no space. !17781
- Fix project imports for pipelines for merge requests. !17799
- Increase the limit of includes in CI file to 100. !17807
- Geo: Fix race condition for container synchronization. !17823
- Geo: Invalidate cache after refreshing foreign tables. !17885
- Abort Merge When Pipeline Succeeds when Fast Forward merge is impossible. !17886
- Fix viewing merge reqeust from a fork that's being deleted. !17894
- Fix empty security dashboard for public projects. !17915
- Fix inline rendering of videos for uploads with uppercase file extensions. !17924
- Hide redundant labels in issue boards. !17937
- Time window filter in monitor dashboard gets reset. !17972
- Use cache_method_asymmetrically with Repository#has_visible_content?. !17975
- Allow users to compare Git revisions on a read-only instance. !18038
- Enable Google API retries for uploads. !18040
- Fix bug with new wiki not being indexed. !18051
- Stops the expand button in reports from expanding. !18064
- Make sure project insights stick on its own. !18082
- Embed metrics time window scroll no longer affects other embeds. !18109
- Fix broken notes avatar rendering in Chrome 77. !18110
- Ignore incoming emails with X-Autoreply header. !18118
- Enable grid, frame and stripes styling on AsciiDoc tables. !18165 (Guillaume Grossetie)
- Add backend support for selecting custom templates by ID. !18178
- Fix notifications for private group mentions in Notes, Issues, and Merge Requests. !18183
- Do not strip forwarded message body when creating an issue from Service Desk email. !18196
- Fix protected branch detection used by notification service. !18221
- Fix error where helper was incorrectly returning `true`. !18231
- Adjust placeholder to solve misleading regex. !18235
- Fix Flaky spec/finders/members_finder_spec.rb:85. !18257 (Jacopo Beschi @jacopo-beschi)
- Fix 500 error on clicking to LetsEncrypt Terms of Service. !18263
- Fix error tracking table layout on small screens. !18325
- GitHub import: Handle nil published_at dates. !18355
- Do not allow deactivated users to use slash commands. !18365
- Fix creating epics with dates from api. !18393
- JIRA Service: Improve username/email validation. !18397
- Stopped CRD apply retrying from allowing silent failures. !18421
- Fix erroneous "No activities found" message. !18434
- Support ES searches for project snippets. !18459
- Fix styling of set status emoji picker. !18509
- Fix showing diff when it has legacy diff notes. !18510
- JIRA Integration API URL works having a trailing slash. !18526
- Fixes embedded metrics chart tooltip spacing. !18543
- Bump GITLAB_ELASTICSEARCH_INDEXER_VERSION=v1.4.0. !18558
- Fix pod logs failure when pod contains more than 1 container. !18574
- Prevent the slash command parser from removing leading whitespace from content that is unrelated to slash commands. !18589 (Jared Deckard)
- Fix inability to set snippet visibility via API. !18612
- Fix Web IDE tree not updating modified status. !18647
- Fix button link foreground color. !18669
- Resolve missing design system notes icons. !18693
- Remove duplicate primary button in dashboard snippets. !32048 (George Tsiolis)
- Allow to view productivity analytics page without a license. !33876
- Fix container registry delete tag modal title and button. !34032
- Fixes variables overflowing in sm screens.
- Update top nav bar to fit all content in at all screen sizes.
- Fix permissions for group milestones.
- Removes Collapsible Sections from Job Log.
- Fixes job overflow in stages dropdown.
- Fix moved help URL for monitoring performance.
- Fix issue with wiki TOC links being treated as external links. (Oren Kanner)
- Show error message when setting an invalid group ID for the performance bar.

### Deprecated (1 change)

- Removing cleanup:repo, cleanup:dirs. !18087

### Changed (51 changes, 3 of them are from the community)

- Links on Releases page to commits and tags. !16128
- Add status to deployments and state to environments in API responses. !16242
- Use search scope label in empty results message. !16324
- Add step 2 of the experimental signup flow. !16583
- Add property to enable metrics dashboards to be rearranged. !16605
- Allow intra-project MR dependencies. !16799
- Use scope param instead of hide_dismissed. !16834
- Add empty state in file search. !16851
- Warn before applying issue templates. !16865
- MR Test Summary now shows errors as failures. !17039
- Add support for the association of multiple milestones to the Releases page. !17091
- Display if an issue was moved in issue list. !17102
- Improve UI for admin/projects and group/settings/projects pages. !17247
- Update registry tag delete popup message. !17257
- Show the "Set up CI/CD" prompt in empty repositories when applicable. !17274 (Ben McCormick)
- Knative version bump 0.6 -> 0.7. !17367 (Chris Baumbauer)
- Fix usability problems with the file template picker. !17522
- Make commit status created for any pipelines. !17524 (Aufar Gilbran)
- Add warnings to performance bar when page shows signs of poor performance. !17612
- Banners should only be dismissable by clicking x button. !17642
- Changes response body of liveness check to be more accurate. !17655
- Enable Request Access functionality by default for new projects and groups. !17662
- Add more attributes to issues GraphQL endpoint. !17802
- Improve admin/system_info page ui. !17829
- Adds management project for a cluster. !17866
- Upgrade gitlab-workhorse to 8.12.0. !17892
- Geo: Fix instruction from rake geo:gitlab:check. !17895
- Upgrade to Gitaly v1.66.0. !17900
- Do not start mirroring via API when paused. !17930
- Use MR links in PipelinePresenter#ref_text for branch pipelines. !17947
- Avoid knative and prometheus uninstall race condition. !18020
- Deprecate usage of state column for issues and merge requests. !18099
- Add missing page title to projects/container-registry. !18114
- Port over EE pipeline functionality to CE. !18136
- Aggregate push events when there are too many. !18239
- Cleanup background migrations for any approval rules. !18256
- Container registry tag(s) delete button pluralization. !18260
- Create clusters with VPC-Native enabled. !18284
- Update cluster link text. !18322
- Upgrade to Gitaly v1.67.0. !18326
- Improve UI of documentation under /help. !18331
- Cross-link unreplicated Geo types to issues. !18443
- Make designs read-only if the issue has been moved, or if its discussion has been locked. !18551
- Do not show new issue button on archived projects. !18590
- Increase group avatar size to 40px. !18654
- Sort vulnerabilities by severity then confidence for dashboard and pipeline views. !18675
- Add timeouts for each RPC call. !31766
- Add more specific message to clarify the role of empty images in container registry. !32919
- Embed Jaeger in Gitlab UI.
- Use text instead of icon for recent searches dropdown.
- Export liveness and readiness probes.

### Performance (25 changes, 1 of them is from the community)

- Limit diverging commit counts requests. !16737
- Use GetBlobs RPC for uri type. !16824
- Reduce Gitaly calls when viewing a commit. !17095
- Limit snippets search count. !17585
- Narrow snippet search scope in GitLab.com. !17625
- Handle wiki and graphql attachments in gitlab-workhorse. !17690
- Reduce lock contention of deployment creation by allocating IID outside of the pipeline transaction. !17696
- Update PumaWorkerKiller defaults. !17758
- Add trigram index on snippet content. !17806
- Fix Gitaly N+1 queries in related merge requests API. !17850
- Don't execute webhooks/services when above limit. !17874
- Only schedule updating push-mirrors once per push. !17902
- Show only personal snippets on explore page. !18092
- Priority bump authorized_projects sidekiq queue. !18125
- Avoid dumping files on disk when direct_upload is enabled. !18135
- Check if mapping is empty before caching in File Collections. !18290 (briankabiro)
- Avoid unnecessary locks on internal_ids. !18328
- Fix N+1 queries in Jira Development Panel API endpoint. !18329
- Optimize SQL requests for BlameController and CommitsController. !18342
- Remove N+1 for fetching commits signatures. !18389
- Reduce idle in transaction time when updating a merge request. !18493
- Use cascading deletes for deleting logs upon deleting a webhook. !18642
- Replace index on ci_triggers. !18652
- Hide license breakdown in /admin if user count is high. !18825
- Cache branch and tag names as Redis sets. !30476

### Added (78 changes, 12 of them are from the community)

- Adds sorting of packages at the project level. !15448
- Add projects.only option to Insights. !15930
- Add kubernetes section to group runner settings. !16338
- Enable Cloud Run on GKE cluster creation. !16566
- Add file matching rule to flexible CI rules. !16574
- Enable preview of private artifacts. !16675 (Tuomo Ala-Vannesluoma)
- Upgrade Gitaly to v1.64. !16788
- Render xml artifact files in GitLab. !16790
- Add GitHub & Gitea importers project filtering. !16823
- Add project filtering to Bitbucket Cloud import. !16828
- Provides internationalization support to chart legends. !16832
- Expose name property in imports API. !16848
- Add allowFilter and allowAnySHA1InWant for partial clones. !16850
- [ObjectStorage] Allow migrating back to local storage. !16868
- Require admins to enter admin-mode by re-authenticating before performing administrative operations. !16981 (Roger Rüttimann & Diego Louzán)
- Deactivate a user (with self-service reactivation). !17037
- Add database tables to store AWS roles and cluster providers. !17057
- Collect docker registry related metrics. !17063
- Allow releases to be targeted by URL anchor links on the Releases page. !17150
- Add project_pages_metadata DB table. !17197
- Add index on ci_builds for successful Pages deploys. !17204
- Creation of Evidence collection of new releases. !17217
- API: Add missing group parameters. !17220 (Mathieu Parent)
- Allow to exclude ancestor groups on group labels API. !17221 (Mathieu Parent)
- Added 'copy link' in epic comment dropdown. !17224
- Add columns for per project/group max pages/artifacts sizes. !17231
- Create table for grafana api token for metrics embeds. !17234
- Add proper label REST API for update, delete and promote. !17239 (Mathieu Parent)
- Allow cross-project pipeline triggering with CI_JOB_TOKEN in core. !17251
- Add user_id and created_at columns to design_management_versions table. !17316
- Add pull_mirror_branch_prefix column on projects table. !17368
- Expose web_url for epics on API. !17380
- Improve time window filtering on metrics dashboard. !17554
- Group level Container Registry browser. !17615
- Add API for manually creating and updating deployments. !17620
- Introduce diffs_batch JSON endpoint for paginated diffs. !17651
- Web IDE button should fork and open forked project when selected from read-only project. !17672
- Allow users to be searched with a @ prefix. !17742
- Add individual inherited member lookup API. !17744
- Preserve custom .gitlab-ci.yml config path when forking. !17817 (Mathieu Parent)
- Introduce CI_PROJECT_TITLE as predefined environment variable. !17849 (Nejc Habjan)
- Feature enabling embedded audio elements in markdown. !17860 (Jesse Hall @jessehall3)
- Add 'New release' to the project custom notifications. !17877
- Added timestamps (created_at and updated_at) to API pipelines response. !17911
- Added timestamp (updated_at) to API deployments response. !17913
- Add pipeline preparing status icons. !17923
- Creates Vue and Vuex app to render exposed artifacts. !17934
- Add web_exporter to expose Prometheus metrics. !17943
- Schedule background migration to populate pages metadata. !17993
- Add "Edit Release" page. !18033
- Unpin ingress image version, upgrade chart to 1.22.1. !18047
- Adds sorting of packages at the group level. !18062
- Introduce a lightweight diffs_metadata endpoint. !18104
- Limit the number of comments on an issue, MR, or commit. !18111
- Introduce new Ansi2json parser to convert job logs to JSON. !18133
- Use new Ansi2json job log converter via feature flag. !18134
- Snowplow custom events for Monitor: Health Product Categories. !18157
- Support Create/Read/Destroy operations in Feature Flag API. !18198
- Add two new predefined stages to pipelines. !18205
- Add endpoint to proxy requests to grafana's proxy endpoint. !18210
- Add ability to query todos using GraphQL. !18218
- Include in the callout message a list of jobs that caused missing dependencies failure. !18219
- Adds login input with copy box and supporting copy to empty container registry view. !18244 (nate geslin)
- Add max_artifacts_size fields under project and group settings. !18286
- Provide Merge requests and Issue links through the Release API. !18311
- Adds separate parsers for mentions of users, groups, projects in markdown content. !18318
- Add matching branch info to branch column. !18352
- Users can preview audio files in a repository. !18354 (Jesse Hall @jessehall3)
- Add edit button to release blocks on Releases page. !18411
- Add "Custom HTTP Git clone URL root" setting. !18422
- Add support for epic update through GraphQL API. !18440
- Expose subscribed attribute for epic on API. !18475
- Geo: Enable replicating uploads, LFS objects, and artifacts in Object Storage. !18482
- Show related merge requests in pipeline view. !18697
- Allow users to configure protected paths from Admin panel. !31246
- persist the refs when open the link of refs in a new tab of browser. !31998 (minghuan lei)
- Add first_parent option to list commits api. !32410 (jhenkens)
- Allow users to add and remove zoom rooms on an issue using quick action commands.

### Other (23 changes, 5 of them are from the community)

- Sync issuables state_id with null values. !16480
- Experimental separate sign up flow. !16482
- Upgrade Rouge to v3.11.0. !17011
- Better job naming for Docker.gitlab-ci.yml. !17218 ([email protected])
- Update GitLab Runner Helm Chart to 0.9.0. !17326
- Change welcome message and make translatable. !17391
- Remove map-get($grid-breakpoints, xs) for max-width. !17420 (Takuya Noguchi)
- Document Git LFS and max file size interaction. !17609
- Refactor email notification code. !17741 (briankabiro)
- Ignore id column of ci_build_trace_sections table. !17805
- Extend graphql query endpoint for merge requests to return more attributes to support sidebar implementation. !17813
- Project list: Align star icons. !17833
- Moves the license compliance reports to the Backend. !17905
- Fixes wrong link on Protected paths admin settings. !17945
- Update Pages to v1.11.0. !18010
- Refactor checksum code in uploads. !18065 (briankabiro)
- Make instance configuration user friendly. !18363 (Takuya Noguchi)
- Update Workhorse to v8.14.0. !18391
- Attribute each Sidekiq worker to a feature category. !18462
- Update GitLab Shell to v10.2.0. !18735
- Use correct icons for issue actions.
- Increase color contrast of select option path.
- Remove Postgresql specific setup tasks and move to schema.rb.


1206 1207 1208 1209 1210 1211
## 12.3.9

### Security (1 change)

- Update maven_file_name_regex for full string match.

1212

1213 1214
## 12.3.7

1215
### Security (12 changes)
1216

1217 1218
- Do not create todos for approvers without access. !1442
- Limit potential for DNS rebind SSRF in chat notifications.
1219 1220
- Encrypt application setting tokens.
- Update Workhorse and Gitaly to fix a security issue.
1221
- Add maven file_name regex validation on incoming files.
1222
- Hide commit counts from guest users in Cycle Analytics.
1223
- Check permissions before showing a forked project's source.
1224 1225 1226 1227
- Fix 500 error caused by invalid byte sequences in links.
- Ensure are cleaned by ImportExport::AttributeCleaner.
- Remove notes regarding Related Branches from Issue activity feeds for guest users.
- Escape namespace in label references to prevent XSS.
1228
- Add authorization to using filter vulnerable in Dependency List.
1229 1230


1231 1232 1233 1234 1235 1236 1237 1238
## 12.3.4

### Fixed (2 changes)

- Fix cannot merge icon showing in dropdown for users who can merge. !17306
- Fix pipelines for merge requests in project exports. !17844


1239 1240
## 12.3.2

1241
### Security (12 changes)
1242 1243 1244 1245 1246

- Fix Gitaly SearchBlobs flag RPC injection.
- Add a policy check for system notes that may not be visible due to cross references to private items.
- Display only participants that user has permission to see on milestone page.
- Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings.
1247
- Check permissions before showing head pipeline blocking merge requests.
1248 1249 1250 1251
- Fix new project path being disclosed through unsubscribe link of issue/merge requests.
- Prevent bypassing email verification using Salesforce.
- Do not show resource label events referencing not accessible labels.
- Cancel all running CI jobs triggered by the user who is just blocked.
1252
- Fix Gitaly SearchBlobs flag RPC injection.
1253 1254 1255 1256
- Only render fixed number of mermaid blocks.
- Prevent GitLab accounts takeover if SAML is configured.


1257 1258 1259 1260 1261 1262 1263 1264 1265 1266
## 12.3.1

### Fixed (4 changes)

- Fix ordering of issue board lists not being persisted. !17356
- Fix error when duplicate users are merged in approvers list. !17406
- Fix bug that caused a merge to show an error message. !17466
- Fix CSS leak in job log.


1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535
## 12.3.0

### Security (23 changes)

- Filter out old system notes for epics in notes api endpoint response.
- Fix SSRF via DNS rebinding in Kubernetes Integration.
- Fix project import restricted visibility bypass via API.
- Prevent disclosure of merge request ID via email.
- Use admin_group authorization in Groups::RunnersController.
- Gitaly: ignore git redirects.
- Prevent DNS rebind on JIRA service integration.
- Make sure HTML text is always escaped when replacing label/milestone references.
- Fix HTML injection for label description.
- Avoid exposing unaccessible repo data upon GFM post processing.
- Remove EXIF from users/personal snippet uploads.
- Fix weak session management by clearing password reset tokens after login (username/email) are updated.
- Added image proxy to mitigate potential stealing of IP addresses.
- Restrict MergeRequests#test_reports to authenticated users with read-access on Builds.
- Ensure only authorised users can create notes on Merge Requests and Issues.
- Send TODOs for comments on commits correctly.
- Check permissions before responding in MergeController#pipeline_status.
- Limit the size of issuable description and comments.
- Enforce max chars and max render time in markdown math.
- Speed up regexp in namespace format by failing fast after reaching maximum namespace depth.
- Add :login_recaptcha_protection_enabled setting to prevent bots from brute-force attacks.
- Upgrade pages to 1.8.1.
- Show cross-referenced MR-id in issues' activities only to authorized users.

### Removed (1 change)

- Removed redundant index on releases table. !31487

### Fixed (78 changes, 25 of them are from the community)

- Avoid Devise "401 Unauthorized" responses. !16519
- Allow close status to be shown on locked issues. !16685
- Changed todo/done quick actions to work not only for first usage. !16837 (Marc Schwede)
- Adds missing error handling. !16896 (toptalo)
- Prevent the user from seeing an invalid "Purchase more minutes" prompt. !16979
- Fix missing board lists when other users collapse / expand the list. !17318
- Uses projects_authorizations.access_level in MembersFinder. !28887 (Jacopo Beschi @jacopo-beschi)
- Let project reporters create issue from group boards. !29866
- Remove margin from user header. !30878 (lucyfox)
- Improve application settings API. !31149 (Mathieu Parent)
- Fix encoding of special characters in "Find File". !31311 (Jan Beckmann)
- Avoid conflicts between ArchiveTracesCronWorker and ArchiveTraceWorker. !31376
- Disable "Transfer group" button when no group is selected. !31387 (Jan Beckmann)
- Prevent archived projects from showing up in global search. !31498 (David Palubin)
- Fixed embeded metrics tooltip inconsistent styling. !31517
- Fix 500 errors caused by pattern matching with variables in CI Lint. !31719
- Fixed removing directories in Web IDE. !31727
- All of discussion expand/collapse button is clickable. !31730
- Only show /copy_metadata quick action when usable. !31735 (Lee Tickett)
- Read pipelines from public projects through API without an access token. !31816
- fix charts scroll handle icon to use gitlab svg. !31825
- Remove "Commit" from pipeline status tooltips. !31861
- Fix top-nav search bar dropdown on xl displays. !31864 (Kemais Ehlers)
- Fix loading icon causing text to jump in file row of Web IDE. !31884
- Fix MR reports section loading icon alignment. !31897
- Fix broken git clone box on wiki git access page. !31898
- Exempt user gitlab-ci-token from rate limiting. !31909
- Fix search preserving space when change branch. !31973 (minghuan lei)
- Fix file header style and position during scroll in a merge conflict resolution. !31991
- Allow latency measurements of sidekiq jobs taking > 2.5s. !32001
- Return correct user for manual deployments. !32004
- Fix style of secondary profile tab buttons. !32010 (Wolfgang Faust)
- Fix serverless entry page layout. !32029
- Fix HTML rendering for fast-forward rebases in merge request widget. !32032
- Update the timestamp in Operations > Environments to show correct deployment date for manual deploy jobs. !32072
- Fix dropdowns closing when click is released outside the dropdown. !32084
- Hide duplicate board list while dragging. !32099
- Don't check external authorization when disabling the service. !32102 (Robert Schilling)
- Makes custom Pages domain open as external link in new tab. !32130 (jakeburden)
- Change default visibility level for FogBugz imported projects to Private. !32142
- Move visual review toolbar code to NPM. !32159
- Fix parsing of months in time tracking commands. !32165
- Wrong format on MS teams integration push events with multi line commit messages. !32180 (Massimeddu Cireddu)
- Guard against deleted project feature entry in project permissions. !32187
- Fix ref switcher separators from conflicting with branch names. !32198
- Fix performance bar on Puma. !32213
- Remove token field from runners edit form. !32231
- Fix 500 error in CI lint when included templates are an array. !32232
- Fix users cannot access job detail page when deployable does not exist. !32247
- Do not translate system notes into author's language. !32264
- Fix moving issues API failing when text includes commit URLs. !32317
- Fix issue due notification emails not being threaded correctly. !32325
- Allow project feature permissions to be overridden during import with override_params. !32348
- Handle invalid mirror url. !32353 (Lee Tickett)
- New project milestone primary button. !32355 (Lee Tickett)
- Display `more information` docs link on error tracking page when users do not have permissions to enable that feature. !32365 (Romain Maneschi)
- Quick action label must be first in issue comment. !32367 (Romain Maneschi)
- Fix for missing avatar images dislpayed in commit trailers. !32374 (Jesse Hall @jessehall3)
- Make it harder to delete issuables accidentally. !32376
- Replaced vue resource to axios in the  Markdown field preview component. !32386 (Prakash Chokalingam @prakash_Chokalingam)
- Fix create MR from issue using a tag as ref. !32392 (Jacopo Beschi @jacopo-beschi)
- Add X-GitLab-NotificationReason header to note emails. !32422
- Expand textarea for CA cert in cluster form. !32508
- Prevent empty external authorization classification labels from overriding the default label. !32517 (Will Chandler)
- Allow not resolvable urls when dns rebind protection is disabled. !32523
- Avoid checking dns rebind protection when validating. !32577
- Passing job rules downstream and E2E specs for job:rules configuration. !32609
- Quote branch names in how to merge instructions. !32639 (Lee Tickett)
- Fix removal of install pods. !32667
- Fix sharing localStorage with all MRs. !32699
- Default the asset proxy whitelist to the installation domain. !32703
- Add some padding to details markdown element. !32716
- Use `ChronicDuration` in a thread-safe way. !32817
- Fix watch button styling and notifications buttons consistency. !32827
- Fix encoding error in MR diffs when using external diffs. !32862 (Hiroyuki Sato)
- Add bottom margin to snippet title. !32877
- Bump markdown cache version to fix any incorrect links from asset proxy defaults.
- Persist `needs:` validation as config error.

### Changed (39 changes, 6 of them are from the community)

- Extend pipeline graph scroll area to full width. !14870
- Frontend support for saving issue board preferences on the current user. !16421
- Switch Milestone and Release to a many-to-many relationship. !16517
- Align project selector search box better with design system. !16795
- Adds the runners_token of the group if the user that requests the group info is admin of it. !16831 (Ignacio Lorenzo Subirá Otal [email protected])
- Upgrade to Gitaly v1.65.0. !17135
- Make flash notifications sticky. !30141
- Add Issue and Merge Request titles to Todo items. !30435 (Arun Kumar Mohan)
- Remove wiki page slug dialog step when creating wiki page. !31362
- Improve system notes for Zoom links. !31410 (Jacopo Beschi @jacopo-beschi)
- Updated WebIDE default commit options. !31449
- Remove oauth form from GitHub CI/CD only import authentication. !31488
- Update assignee (cannot merge) style. !31545
- Updated latest pipeline tag tooltip to be more descriptive. !31624
- Add optional label_id parameter to label API for PUT and DELETE. !31804
- Updates issues REST API to allow extended sort options. !31849
- Fix to show renamed file in mr. !31888
- Replaced expand diff icons. !31907
- Upgrade to Gitaly 1.60.0. !31981
- Make MR pipeline widget text more descriptive. !32025
- Fix wording on milestone due date when milestone is due today. !32096
- Improve search result labels. !32101
- Limit access request emails to ten most recently active owners or maintainers. !32141
- Improve chatops help output. !32208
- Update merge train documentation. !32218
- Add caret icons to the monitoring dashboard. !32239
- Install cert-manager v0.9.1. !32243
- Bring text mail for new issue & MR more in line. !32254
- Add cluster domain warning. !32260
- Rename epic column state to state_id. !32270
- Use moved instead of closed in issue references. !32277 (juliette-derancourt)
- Standardize use of `content` parameter in snippets API. !32296
- Show meaningful message on /due quick action with invalid date. !32349 (Jacopo Beschi @jacopo-beschi)
- Remove dynamically constructed feature flags starting with prometheus_transaction_. !32395 (Jacopo Beschi @jacopo-beschi)
- Indicate on Issue Status if an Issue was Duplicated. !32472
- Avoid dns rebinding checks when the domain is whitelisted. !32603
- Upgrade to Gitaly v1.62.0. !32608
- Unified presentation of the filter input field for projects listings. !32706
- Hide resolve thread button from guest. !32859

### Performance (20 changes)

- Lower search counters. !11777
- Considerably improve the query performance for MR discussions load. !16635
- Eliminate Gitaly N+1 queries with notes API. !32089
- Optimise UpdateBuildQueueService. !32095
- Remove N+1 SQL query loading project feature in dashboard. !32169
- Reduce the number of SQL requests on MR-show. !32192
- Makes LFS object linker process OIDs in batches. !32268
- Preload routes information to fix N+1 issue. !32352
- Reduce N+1 when doing project export. !32423
- Skip requesting diverging commit counts if no branches are listed. !32496
- Support selective highlighting of lines. !32514
- Replace indexes for counting active users. !32538
- Create partial index for gitlab-monitor CI metrics. !32546
- Optimize queries for snippet listings. !32576
- Preprocess wiki attachments with GitLab-Workhorse. !32663
- Create index for users.unconfirmed_email. !32664
- Optimize /admin/applications so that it does not timeout. !32852
- Replace events index with partial one. !32874
- Partial index for namespaces.type. !32876
- Fix member expiration not always working. !32951

### Added (42 changes, 10 of them are from the community)

- Enable modsecurity in nginx-ingress apps. !15774
- Database table for tracking programming language trends over time. !16491
- Add DAST full scan domain validation. !16680
- Add not param to Issues API endpoint. !16748
- Allow specifying timeout per-job in .gitlab-ci.yml. !16777 (Michał Siwek)
- Document forwarding CI variables to docker build in Auto DevOps. !16783
- Add links for latest pipelines. !20865 (Alex Ives)
- New interruptible attribute for CI/CD jobs. !23464 (Cédric Tabin)
- API: Promote project labels to group labels. !25218 (Robert Schilling)
- Introduced Build::Rules configuration for Ci::Build. !29011
- Notification emails can be signed with SMIME. !30644 (Diego Louzán)
- Allow milestones to be associated with a release (backend). !30816
- Enable serving static objects from an external storage. !31025
- Save collapsed option for board lists in database. !31069
- Apply quickactions when modifying comments. !31136
- Add SwaggerUI Pages template for .gitlab-ci.yml. !31183 (mdhtr)
- Add ability to see project deployments at cluster level (FE). !31575
- Create component to display area and line charts in monitor dashboards. !31639
- Add persistance to last choice of projects sorting on projects dashboard page. !31669
- Run Pipeline button & API for MR Pipelines. !31722
- Add service to transfer Group Milestones when transferring a Project. !31778
- Allow $CI_REGISTRY_USER to delete tags. !31796
- Support adding and removing labels w/ push opts. !31831
- Enable line charts in dashbaord panels and embedded charts. !31920
- Add First and Last name columns to User model. !31985
- Add option to allow OAuth providers to bypass two factor. !31996 (Dodocat)
- Expose namespace storage statistics with GraphQL. !32012
- Add usage pings for merge request creating. !32059
- Add warning about initial deployment delay for GitLab Pages sites. !32122
- Allow Knative to be installed on group and instance level clusters. !32128
- Add a close issue slack slash command. !32150
- Support chat notifications to be fired for protected branches. !32176
- Add system hooks for project/group membership updates. !32371 (Brandon Williams)
- Add source and merge_request fields to pipeline event webhook. !32373 (Bian Jiaping)
- Allow ECDSA certificates for pages domains. !32393
- Show link to cluster used on job page. !32446
- Group level JupyterHub. !32512
- Creates utility parser for the job log. !32555
- Expose update project service endpoint JSON. !32759
- Expose 'protected' field for Tag API endpoint. !32790 (Andrea Leone)
- Create table `alerts_service_data`. !32860
- Creates base components for the new job log.

### Other (42 changes, 13 of them are from the community)

- Setting NOT NULL constraint to users.private_profile column. !14838
- Schedule productivity analytics recalculation for EE. !15137
- Document Lambda deploys via GitLab CI/CD. !16858
- Add Redis interceptor tracing. !30238
- Encrypt existing and new deploy tokens. !30679
- Clean up keyboard shortcuts help modal, removing and adding as needed. !31642
- Add warning to pages domains that obtaining/deploying SSL certificates through Let's Encrypt can take some time. !31765
- Add new API method in Api.js: projectUsers. !31801
- Upgrade babel to 7.5.5. !31819 (Takuya Noguchi)
- Update docs to reflect the rename of gitlab-monitor to gitlab-exporter. !31901
- Count comments on commits and merge requests. !31912
- Resolve Badge counter: Very low contrast between foreground and background colors. !31922
- Add index to improve group cluster deployments query performance. !31988
- Replace finished_at with deployed_at for the internal API Deployment entity. !32000
- Update to GitLab Shell v9.4.0. !32009
- Default clusters namespace_per_environment column to true. !32139
- Remove deprecation message for milestone tabs. !32252
- Refactored Karma spec to Jest for mr_widget_auto_merge_failed. !32282 (Illya Klymov)
- Update GitLab Runner Helm Chart to 0.8.0. !32289
- Refactor showStagedIcon property to reflect the behavior its name represents. !32333 (Arun Kumar Mohan)
- Upgrade pages to 1.8.0. !32334
- Change prioritized labels empty state message. !32338 (Lee Tickett)
- make test of note app with comments disabled dry. !32383 (Romain Maneschi)
- Use new location for gitlab-runner helm charts. !32384
- Mention in docs how to disable project snippets. !32391 (Jacopo Beschi @jacopo-beschi)
- delete animation width on global search input. !32399 (Romain Maneschi)
- Remove vue resource from sidebar service. !32400 (Lee Tickett)
- Remove vue resource from issue. !32421 (Lee Tickett)
- Remove vue resource from remove issue. !32425 (Lee Tickett)
- Remove vue-resource from PerformanceBarService. !32428 (Lee Tickett)
- Added warning note on the project container registry setting informing users that the registry is public for public projects. !32447
- Admin dashboard: Fetch and render statistics async. !32449
- Update GitLab Workhorse to v8.10.0. !32501
- Remove Users.support_bot column. !32554
- Add padding to left of "Sort by" in members dropdown. !32602
- Log errors for failed pipeline creation in PostReceive. !32633
- Avoid prefilling target branch when source branch is the default one. !32701
- Bump Kubeclient to 4.4.0. !32811
- Remove vue-resource from notes service. !32934 (Lee Tickett)
- Added board name to page title in boards view.
- Remove vue resource from group service. (Lee Tickett)
- Updates tooltip of 'detached' label/state.


1536 1537 1538 1539
## 12.2.11

- No changes.

1540 1541 1542 1543 1544 1545 1546
## 12.2.8

### Security (1 change)

- Limit search for IID to a type to avoid leaking records with the same IID that the user does not have access to.


1547 1548 1549 1550 1551 1552 1553
## 12.2.7

### Security (1 change)

- Fix private feature Elasticsearch leak.


1554 1555
## 12.2.6

1556
### Security (11 changes)
1557 1558 1559 1560

- Add a policy check for system notes that may not be visible due to cross references to private items.
- Display only participants that user has permission to see on milestone page.
- Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings.
1561
- Check permissions before showing head pipeline blocking merge requests.
1562 1563 1564 1565 1566 1567 1568 1569 1570
- Fix new project path being disclosed through unsubscribe link of issue/merge requests.
- Prevent bypassing email verification using Salesforce.
- Do not show resource label events referencing not accessible labels.
- Cancel all running CI jobs triggered by the user who is just blocked.
- Fix Gitaly SearchBlobs flag RPC injection [Gitaly v1.59.3].
- Only render fixed number of mermaid blocks.
- Prevent GitLab accounts takeover if SAML is configured.


1571 1572 1573 1574 1575 1576 1577
## 12.2.5

### Security (1 change)

- Upgrade pages to 1.7.2.


1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594
## 12.2.4

### Fixed (7 changes)

- Add syntax highlighting for line expansion. !31821
- Fix issuable sidebar icon on notification disabled. !32134
- Upgrade Mermaid to v8.2.4. !32186
- Fix Piwik not working. !32234
- Fix snippets API not working with visibility level. !32286
- Fix upload URLs in Markdown for users without access to project repository. !32448
- Update Mermaid to v8.2.6. !32502

### Performance (1 change)

- Fix N+1 Gitaly calls in /api/v4/projects/:id/issues. !32171


1595 1596
## 12.2.3

1597 1598 1599 1600
- No changes.

## 12.2.2

1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626
### Security (22 changes)

- Ensure only authorised users can create notes on Merge Requests and Issues.
- Gitaly: ignore git redirects.
- Add :login_recaptcha_protection_enabled setting to prevent bots from brute-force attacks.
- Speed up regexp in namespace format by failing fast after reaching maximum namespace depth.
- Limit the size of issuable description and comments.
- Send TODOs for comments on commits correctly.
- Restrict MergeRequests#test_reports to authenticated users with read-access on Builds.
- Added image proxy to mitigate potential stealing of IP addresses.
- Filter out old system notes for epics in notes api endpoint response.
- Avoid exposing unaccessible repo data upon GFM post processing.
- Fix HTML injection for label description.
- Make sure HTML text is always escaped when replacing label/milestone references.
- Prevent DNS rebind on JIRA service integration.
- Use admin_group authorization in Groups::RunnersController.
- Prevent disclosure of merge request ID via email.
- Show cross-referenced MR-id in issues' activities only to authorized users.
- Enforce max chars and max render time in markdown math.
- Check permissions before responding in MergeController#pipeline_status.
- Remove EXIF from users/personal snippet uploads.
- Fix project import restricted visibility bypass via API.
- Fix weak session management by clearing password reset tokens after login (username/email) are updated.
- Fix SSRF via DNS rebinding in Kubernetes Integration.


1627
## 12.2.1
1628

1629
### Fixed (2 changes)
1630

1631 1632 1633 1634 1635 1636
- Fix for embedded metrics undefined params. !31975
- Fix "ERR value is not an integer or out of range" errors. !32126

### Performance (1 change)

- Fix Gitaly N+1 calls with listing issues/MRs via API. !31938
1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648

### Fixed (3 changes)

- Fix for embedded metrics undefined params. !31975
- Fix "ERR value is not an integer or out of range" errors. !32126
- Prevent duplicated trigger action button.

### Performance (1 change)

- Fix Gitaly N+1 calls with listing issues/MRs via API. !31938


1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888
## 12.2.0

### Security (4 changes, 1 of them is from the community)

- Update mini_magick to 4.9.5. !31505 (Takuya Noguchi)
- Upgrade Rugged to 0.28.3. !31794
- Queries for Upload should be scoped by model.
- Restrict slash commands to users who can log in.

### Removed (3 changes)

- Remove Kubernetes service integration page. !31365
- Remove line profiler from performance bar.
- Remove GC metrics from performance bar.

### Fixed (74 changes, 4 of them are from the community)

- Resolve Incorrect empty state message on Explore projects. !25578
- Search issuables by iids. !28302 (Riccardo Padovani)
- Make it easier to find invited group members. !28436
- fix: updates to include units for the y axis label. !30330
- Align access permissions for wiki history to those of wiki pages. !30470
- Add index for issues on relative position, project, and state for manual sorting. !30542
- Fix suggestion on lines that are not part of an MR. !30606
- Add empty chart component. !30682
- Remove blank block from job sidebar. !30754
- Remove duplicate buttons in diff discussion. !30757
- Order projects in 'Move issue' dropdown by name. !30778
- Fix bug in dashboard display of closed milestones. !30820
- Fixes alignment issues with reports. !30839
- Ensure visibility icons in group/project listings are grey. !30858
- Fix admin labels page when there are invalid records. !30885
- Extra logging for new live trace architecture. !30892
- Fix pipeline emails not respecting group notification email setting. !30907
- Handle trailing slashes when generating Jira issue URLs. !30911
- Optimize relative re-positioning when moving issues. !30938
- Better support clickable tasklists inside blockquotes. !30952
- Add space to "merged by" widget. !30972
- Remove duplicated mapping key in config/locales/en.yml. !30980 (Peter Dave Hello)
- Update Mermaid to v8.2.3. !30985
- Use persistent Redis cluster for Workhorse pub/sub notifications. !30990
- Remove :livesum from RubySampler metrics. !31047
- Fix pid discovery for Unicorn processes in `PidProvider`. !31056
- Respect group notification email when sending group access notifications. !31089
- Default dependency job stage index to Infinity, and correctly report it as undefined in prior stages. !31116
- Fix incorrect use of message interpolation. !31121
- Moved labels out of fields on Search page. !31137
- Ensure Warden triggers after_authentication callback. !31138
- Fix admin area user access level radio button labels. !31154
- Ignore Gitaly errors if cache flushing fails on project destruction. !31164
- Prevent double slash in review apps path. !31212
- Make pdf.js render CJK characters. !31220
- Prevent discussion filter from persisting to `Show all activity` when opening links to notes. !31229
- Improve layout of dropdowns in the metrics dashboard page. !31239
- Remove pdf.js deprecation warnings. !31253
- Fix GC::Profiler metrics fetching. !31331
- Jupyter fixes. !31332 (Amit Rathi)
- Fix first-time contributor notes not rendering. !31340
- Fix inline rendering of relative paths to SVGs from the current repository. !31352
- Make `bin/web_puma` consider RAILS_ENV. !31378
- Removed extrenal dashboard legend border. !31407
- Fix visual review app storage keys. !31427
- Fix flashing conflict warning when editing issues. !31469
- Fix broken issue links and possible 500 error on cycle analytics page when project name and path are different. !31471
- Prevent turning plain links into embedded when moving issues. !31489
- Add a field for released_at to GH importer. !31496
- Adjust size and align MR-widget loading icon. !31503
- Fix an issue where clicking outside the MR/branch search box in WebIDE closed the dropdown. !31523
- Don't attempt to contact registry if it is disabled. !31553
- Fix IDE new files icon in tree. !31560
- Fix missing author line (`Created by: <user>`) in MRs/issues/comments of imported Bitbucket Cloud project. !31579
- Add missing report-uri to CSP config. !31593
- Fixed display of some sections and externalized all text in the shortcuts modal overlay. !31594
- Remove extra padding from disabled comment box. !31603
- Allow CI to clone public projects when HTTP protocol is disabled. !31632
- error message for general settings. !31636 (Mesut Güneş)
- Invalidate branches cache on PostReceive. !31653
- Fix active metric files being wiped after the app starts. !31668
- Fix :wiki_can_not_be_created_total counter. !31673
- Fix job logs where style changes were broken down into separate lines. !31674
- Properly save suggestions in project exports. !31690
- Fix project avatar image in Slack pipeline notifications. !31788
- Fix empty error flash message on profile:account page when updating username with username that has already been taken. !31809
- Fix starrers counts after searching. !31823
- Fix pipelines not always being created after a push. !31927
- Fix 500 errors in commits api caused by empty ref_name parameter.
- Center loading icon in CI action component.
- Prevents showing 2 tooltips in pipelines table.
- Fix tag page layout.
- Prevent duplicated trigger action button.
- Hides loading spinner in pipelines actions after request has been fullfiled.

### Changed (31 changes, 5 of them are from the community)

- Update cluster page automatically when cluster is created. !27189
- Add branch/tags/commits dropdown filter on the search page for searching codes. !28282 (minghuan lei)
- Add support for start_sha to commits API. !29598
- Maintainers can create subgroups. !29718 (Fabio Papa)
- Extract Auto DevOps deploy functions into a base image. !30404
- Add MR form to Visual Review (EE) runtime configuration. !30481
- Adjust redis cache metrics. !30572
- Add DS_PIP_DEPENDENCY_PATH option to configure Dependency Scanning for projects using pip. !30762
- Bring scoped environment variables to core. !30779
- Add Web IDE Usage Ping for Create SMAU. !30800
- Update the container scanning CI template to use v12 of the clair scanner. !30809
- Multiple pipeline support for Commit status. !30828 (Gaetan Semet)
- Add support for exporting repository type data for LFS objects. !30830
- Avoid increasing redis counters when usage_ping is disabled. !30949
- Added navbar searches usage ping counter. !30953
- Convert githost.log to JSON format. !30967
- Adjusted the clickable area of collapsed sidebar elements. !30974 (Michel Engelen)
- Mark push mirrors as failed after 1 hour. !30999
- Allows masking @ and : characters. !31065
- Remove incorrect fallback when determining which cluster to use when retrieving MR performance metrics. !31126
- Retry push mirrors faster when running concurrently, improve error handling when push mirrors fail. !31247
- Make issue boards importable. !31434 (Jason Colyer)
- Allow users to resend a confirmation link when the grace period has expired. !31476
- Remove counts from default labels API responses. !31543
- Upgrade to Gitaly v1.57.0. !31568
- Rename githost.log -> git_json.log. !31634
- Load search result counts asynchronously. !31663
- feat: adds a download to csv functionality to the dropdown in prometheus metrics. !31679
- Adjust copy for adding additional members. !31726
- Upgrade to Gitaly v1.59.0. !31743
- Filter title, description, and body parameters from logs.

### Performance (17 changes, 1 of them is from the community)

- Add partial index on identities table to speed up LDAP lookups. !26710
- Improve MembersFinder query performance using UNION. !30451 (Jacopo Beschi @jacopo-beschi)
- Rake task to cleanup expired ActiveSession lookup keys. !30668
- Update usage ping cron behavior. !30842
- Make Bootsnap available via ENABLE_BOOTSNAP=1. !30963
- Batch processing of commit refs in markdown processing. !31037
- Use tablesample approximate counting by default. !31048
- Create index on environments by state. !31231
- Split MR widget into etag-cached and non-cached serializers. !31354
- Speed up loading and filtering deploy keys and their projects. !31384
- Only track Redis calls if Peek is enabled. !31438
- Only expire tag cache once per push. !31641
- Reduce Gitaly calls in PostReceive. !31741
- Eliminate many Gitaly calls in discussions API. !31834
- Optimize DB indexes for ES indexing of notes. !31846
- Expire project caches once per push instead of once per ref. !31876
- Look up upstream commits once before queuing ProcessCommitWorkers.

### Added (51 changes, 11 of them are from the community)

- Make starred projects and starrers of a project publicly visible. !24690
- Make quick action commands applied banner more useful. !26672 (Jacopo Beschi @jacopo-beschi)
- Allow Helm to be uninstalled from the UI. !27359
- Improve pipeline status Slack notifications. !27683
- Add links to relevant configuration areas in admin area overview. !29306
- Display project id on project admin page. !29734 (Zsolt Kovari)
- Display group id on group admin page. !29735 (Zsolt Kovari)
- Resolve Keyboard shortcut for jump to NEXT unresolved discussion. !30144
- Personal access tokens are accepted using OAuth2 header format. !30277
- Add Outbound requests whitelist for local networks. !30350 (Istvan Szalai)
- Allow multiple Auto DevOps projects to deploy to a single namespace within a k8s cluster. !30360 (James Keogh)
- Allow Knative to be uninstalled from the UI. !30458
- Add admin-configurable "Support page URL" link to top Help dropdown menu. !30459 (Diego Louzán)
- Allow specifying variables when running manual jobs. !30485
- Use predictable environment slugs. !30551
- Return an ETag header for the archive endpoint. !30581
- Add Rate Request Limiter to RawController#show endpoint. !30635
- Add git blame to GitLab API. !30675 (Oleg Zubchenko)
- Use separate Kubernetes namespaces per environment. !30711
- Support remove source branch on merge w/ push options. !30728
- Deploy serverless apps with gitlabktl. !30740
- Adjust group level analytics to accept multiple ids. !30744
- Adds event enum column to DesignsVersions join table. !30745
- Allow email notifications to be disabled for all members of a group or project. !30755 (Dustin Spicuzza)
- Export and download CSV from metrics charts. !30760
- Add API endpoints to return container repositories and tags from the group level. !30817
- Add support for deferred links in persistent user callouts. !30818
- Add system notes for when a Zoom call was added/removed from an issue. !30857 (Jacopo Beschi @jacopo-beschi)
- Count wiki creation, update and delete events. !30864
- Add new expansion options for merge request diffs. !30927
- Count snippet creation, update and comment events. !30930
- Update namespace label for GitLab-managed clusters. !30935
- UI for disabling group/project email notifications. !30961 (Dustin Spicuzza)
- Support setting of merge request title and description using git push options. !31068
- Add new table to store email domain per group. !31071
- Redirect from a project wiki git route to the project wiki home. !31085
- Link and embed metrics in GitLab Flavored Markdown. !31106
- Moves snowplow tracking from ee to ce. !31160 (jejacks0n)
- Allow Cert-Manager to be uninstalled. !31166
- Add new outbound network requests application setting for system hooks. !31177
- Allow links to metrics dashboard at a specific time. !31283
- Enable embedding of specific metrics charts in GFM. !31304
- Support creating DAGs in CI config through the `needs` key. !31328
- Generate shareable link for specific metric charts. !31339
- Add support for Content-Security-Policy. !31402
- Add BitBucketServer project import filtering. !31420
- Embed specific metrics chart in issue. !31644
- Track page views for cycle analytics show page. !31717
- Add usage pings for source code pushes. !31734
- Makes collapsible title clickable in job log.
- Adds highlight to the collapsible section.

### Other (36 changes, 9 of them are from the community)

- Rewrite `if:` argument in before_action and alike when `only:` is also used. !24412 (George Thomas @thegeorgeous)
- Create rake tasks for migrating legacy uploads out of deprecated paths. !29409
- Remove the warning style from the U2F device message in user settings > account. !30119 (matejlatin)
- Set visibility level 'Private' for restricted 'Internal' imported projects when 'Internal' visibility setting is restricted in admin settings. !30522
- Change BoardService in favor of boardsStore on board blank state of the component board. !30546 (eduarmreyes)
- Adds Sidekiq scheduling latency structured logging field. !30784
- Adds chaos endpoints to Sidekiq. !30814
- Added multi-select deletion of container registry images. !30837
- When GitLab import fails during importer user mapping step, add an explicit error message mentioning importer. !30838
- Add Rugged calls and duration to API and Rails logs. !30871
- Fixed distorted avatars when resource not reachable. !30904 (Marc Schwede)
- Update GitLab Runner Helm Chart to 0.7.0. !30950
- Use Rails 5.2 Redis caching store. !30966
- Add Rugged calls to performance bar. !30983
- add color selector to broadcast messages form. !30988
- Harmonize selections in user settings. !31110 (Marc Schwede)
- Update rouge to v3.7.0. !31254
- Update 'Ruby on Rails' project template. !31310
- Fix mirroring help text. !31348 (jramsay)
- Enhance style of the shared runners limit. !31386
- Enables storage statistics for root namespaces on database. !31392
- Improve quick action error messages. !31451
- Enable authenticated cookie encryption. !31463
- Update karma to 4.2.0. !31495 (Takuya Noguchi)
- Add max_replication_slots to PG HA documentation. !31534
- Create database tables for the new cycle analytics backend. !31621
- Updated the detached pipeline badge tooltip text to offer a better explanation. !31626
- Add Gitaly and Rugged call timing in Sidekiq logs. !31651
- Fix the style-lint errors and warnings for `app/assets/stylesheets/pages/wiki.scss`. !31656
- Update GraphicsMagick from 1.3.29 to 1.3.33 for CI tests. !31692 (Takuya Noguchi)
- Migrate remaining users with null private_profile. !31708
- Bump Helm to 2.14.3 and kubectl to 1.11.10 for Kubernetes integration. !31716
- Updated the personal access token api scope description to reflect the permissions it grants. !31759
- Add finished_at to the internal API Deployment entity. !31808
- Remove Security Dashboard feature flag. !31820
- Update Packer.gitlab-ci.yml to use latest image. (Kelly Hair)


1889 1890 1891 1892 1893 1894 1895
## 12.1.14

### Security (1 change)

- Limit search for IID to a type to avoid leaking records with the same IID that the user does not have access to.


1896 1897
## 12.1.12

1898
### Security (12 changes)
1899 1900 1901 1902

- Add a policy check for system notes that may not be visible due to cross references to private items.
- Display only participants that user has permission to see on milestone page.
- Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings.
1903
- Check permissions before showing head pipeline blocking merge requests.
1904 1905 1906 1907 1908 1909 1910 1911 1912 1913
- Fix new project path being disclosed through unsubscribe link of issue/merge requests.
- Prevent bypassing email verification using Salesforce.
- Do not show resource label events referencing not accessible labels.
- Cancel all running CI jobs triggered by the user who is just blocked.
- Fix Gitaly SearchBlobs flag RPC injection.
- Only render fixed number of mermaid blocks.
- Prevent GitLab accounts takeover if SAML is configured.
- Upgrade mermaid to prevent XSS.


1914 1915 1916 1917
## 12.1.10

- No changes.

1918 1919 1920 1921 1922 1923 1924 1925
## 12.1.5

### Security (2 changes)

- Upgrade Gitaly to 1.53.2 to prevent revision flag injection exploits.
- Upgrade pages to 1.7.1 to prevent gitlab api token recovery from cookie.


1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938
## 12.1.4

### Fixed (3 changes, 1 of them is from the community)

- Properly translate term in projects list. !30958
- Add exclusive lease to mergeability check process. !31082
- Fix Docker in Docker (DIND) listen port behavior change by adding DOCKER_TLS_CERTDIR in CI job templates. !31201 (Cameron Boulton)

### Performance (1 change)

- Improve job log rendering performance. !31262


1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958 1959
## 12.1.3

### Fixed (11 changes)

- Prevent multiple confirmation modals from opening when deleting a repository. !30532
- Fix the project auto devops API. !30946
- Fix "Certificate misses intermediates" UI error when enabling Let's Encrypt integration for pages domain. !30995
- Fix xterm css not loading for environment terminal. !31023
- Set DOCKER_TLS_CERTDIR in Auto Dev-Ops CI template to fix jobs using Docker-in-Docker. !31078
- Set DOCKER_TLS_CERTDIR in CI job templates to fix Docker-in-Docker service. !31080
- Support Docker OCI images. !31127
- Fix error rendering submodules in MR diffs when there is no .gitmodules. !31162
- Fix pdf.js rendering pages in the wrong order. !31222
- Fix exception handling in Gitaly autodetection. !31285
- Fix bug that caused diffs not to show on MRs with changes to submodules.

### Performance (1 change)

- Optimise import performance. !31045


1960 1961
## 12.1.2

1962 1963 1964 1965
### Security (1 change)

- Use source project as permissions reference for MergeRequestsController#pipelines.

1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978
### Security (9 changes)

- Restrict slash commands to users who can log in.
- Patch XSS issue in wiki links.
- Queries for Upload should be scoped by model.
- Filter merge request params on the new merge request page.
- Fix Server Side Request Forgery mitigation bypass.
- Show badges if pipelines are public otherwise default to project permissions.
- Do not allow localhost url redirection in GitHub Integration.
- Do not show moved issue id for users that cannot read issue.
- Drop feature to take ownership of trigger token.


1979 1980 1981 1982
## 12.1.1

- No changes.

1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046 2047 2048 2049 2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128 2129 2130 2131 2132 2133 2134 2135 2136 2137 2138 2139 2140 2141 2142 2143 2144 2145 2146 2147 2148 2149 2150 2151 2152 2153 2154 2155 2156 2157 2158 2159 2160 2161 2162 2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253
## 12.1.0

### Security (11 changes, 2 of them are from the community)

- Update tar to 2.2.2. !29949 (Takuya Noguchi)
- Update lodash to 4.7.14 and lodash.mergewith to 4.6.2. !30602 (Takuya Noguchi)
- Correctly check permissions when creating snippet notes.
- Gate MR head_pipeline behind read_pipeline ability.
- Prevent Billion Laughs attack.
- Add missing authorizations in GraphQL.
- Fix Denial of Service for comments when rendering issues/MR comments.
- Expose merge requests count based on user access.
- Fix DoS vulnerability in color validation regex.
- Prevent the detection of merge request templates by unauthorized users.
- Persist tmp snippet uploads at users.

### Removed (7 changes)

- Disable Kubernetes credential passthrough for managed project-level clusters. !29262
- Remove deprecated group routes. !29351
- Remove support for creating non-RBAC kubernetes clusters. !29614
- Remove Kubernetes service integration and Kubernetes service template from available deployment platforms. !29786
- Remove MySQL support. !29790
- Remove depreated /u/:username routing. !30044
- Remove support for legacy pipeline triggers. !30133

### Fixed (84 changes, 14 of them are from the community)

- Update a user's routes after updating their name. !23272
- Show poper panel when validation error occurs in admin settings panels. !25434
- Expect bytes from Gitaly RPC GetRawChanges. !28164
- Sanitize LDAP output in Rake tasks. !28427
- Left align mr widget icons and text. !28561
- Keep the empty folders in the tree. !29196
- Fix incorrect emoji placement in commit diff discussion. !29445
- Fix favicon path with uploads of object store. !29482 (Roger Meier)
- Remove duplicate trailing +/- char in merge request discussions. !29518
- Fix the signup form's username validation messages not displaying. !29678 (Jiaan Louw)
- Fix broken environment selector and always display it on monitoring dashboard. !29705
- Fix Container Scanning job timeout when using the kubernetes executor. !29706
- Look for new branches more carefully. !29761
- Fix nested lists unnecessary margin. !29775 (Kuba Kopeć)
- Fix reports jobs timing out because of cache. !29780
- Fix Double Border in Profile Page. !29784 (Yoginth <@yo>)
- Remove minimum character limits for fuzzy searches when using a CTE. !29810
- Set default sort method for dashboard projects list. !29830 (David Palubin)
- Protect TeamCity builds from triggering when a branch has been deleted. And a MR-option. !29836 (Nikolay Novikov, Raphael Tweitmann)
- Fix pipeline schedule does not run correctly when it's scheduled at the same time with the cron worker. !29848
- Always shows author of created issue/started discussion/comment in HTML body and text of email. !29886 (Frank van Rest)
- Build correct basenames for title search results. !29898
- Resolve "500 error when forking via the web IDE button". !29909
- Turn commit sha in monitor charts popover to link. !29914
- Fix broken URLs for uploads with a plus in the filename. !29915
- Retry fetching Kubernetes Secret#token (#63507). !29922
- Enforce presence of pipeline when "Pipeline must succeed" project setting is enabled. !29926
- Fix unresponsive reply button in discussions. !29936
- Allow asynchronous rebase operations to be monitored. !29940
- Resolve Avatar in Please sign in pattern too large. !29944
- Persist the cluster a deployment was deployed to. !29960
- Fix runner tags search dropdown being empty when there are tags. !29985
- Display the correct amount of projects being migrated/rolled-back to Hashed Storage when specifying ranges. !29996
- Resolve Environment details header border misaligned. !30011
- Correct link to docs for External Dashboard. !30019
- Fix Jupyter-Git integration. !30020 (Amit Rathi)
- Update Mermaid to 8.1.0. !30036
- Fix background migrations failing with unused replication slot. !30042
- Disable Rails SQL query cache when applying service templates. !30060
- Set higher TTL for write lock of trace to prevent concurrent archiving. !30064
- Fix charts on Cluster health page. !30073
- Display boards filter bar on mobile. !30120
- Fix IDE editor not showing when switching back from preview. !30135
- Support note position tracing on an image. !30158
- Replace slugifyWithHyphens with improved slugify function. !30172 (Luke Ward)
- 'Open' and 'Closed' issue board lists no longer display a redundant tooltip. !30187
- Fix pipelines table to update without refreshing after action. !30190
- Change ruby_process_start_time_seconds metric to unix timestamp instead of seconds from boot. !30195
- Fix attachments using the wrong URLs in e-mails. !30197
- Make sure UnicornSampler is started only in master process. !30215
- Don't show image diff note on text file. !30221
- Fix median counting for cycle analytics. !30229
- In WebIDE allow adding new entries of the same name as deleted entry. !30239
- Don't let logged out user do manual order. !30264
- Skip spam check for task list updates. !30279
- Make Housekeeping button do a full garbage collection. !30289
- Removing an image should not output binary data. !30314
- Fix spacing issues for toasts. !30345
- Fix race in forbid_sidekiq_in_transactions.rb. !30359
- Fixed back navigation for projects filter. !30373
- Fix environments broken terminal. !30401
- Fix invalid SSL certificate errors on Drone CI service. !30422
- Fix subgroup url in search drop down. !30457
- Make unicorn_workers to return meaningful results. !30506
- Fix wrong URL when creating milestones from instance milestones dashboard. !30512
- Fixed incorrect line wrap for assignee label in issues. !30523 (Marc Schwede)
- Improves section header whitespace on the CI/CD Charts page. !30531
- Prevent multiple confirmation modals from opening when deleting a repository. !30532
- Aligns CI icon in Merge Request dashboard. !30558
- Add text-secondary to controls in project list. !30567
- Review Tools: Add large z-index to toolbar. !30583
- Hide restricted and disallowed visibility radios. !30590
- Resolve Label picker: Line break on long label titles. !30610
- Fix a bug that prevented projects containing merge request diff comments from being imported. !30630
- I fixed z index bug in diff page. !30657 (Faruk Can)
- Allow client authentication method to be configured for OpenID Connect. !30683 (Vincent Fazio)
- Fix commenting before discussions are loaded. !30724
- Fix linebreak rendering in Mermaid flowcharts. !30730
- Make httpclient respect system SSL configuration. !30749
- Bump fog-aws to v3.5.2. !30803
- API: Allow changing only ci_default_git_depth. !30888 (Mathieu Parent)
- Search issuables by iids. (Riccardo Padovani)
- Fix broken warnings while Editing Issues and Edit File on MR.
- Make sure we are receiving the proper information on the MR Popover by updating the IID in the graphql query.

### Changed (39 changes, 8 of them are from the community)

- Improve group list UI. !26542
- Backport and Docs for Paginate license management and add license search. !27602
- Update merge requests section description text on project settings page. !27838
- Knative version bump 0.5 -> 0.6. !28798 (Chris Baumbauer)
- Add salesforce logo for salesforce SSO. !28857
- Enforced requirements for UltraAuth users. !28941 (Kartikey Tanna)
- Return 400 when deleting tags more often than once per hour. !29448
- Add identity information to external authorization requests. !29461
- Enable just-in-time Kubernetes resource creation for project-level clusters. !29515
- renamed discussion to thread in merge-request and issue timeline. !29553 (Michel Engelen)
- Changed HTTP Status Code for disabled repository on /branches and /commits to 404. !29585 (Sam Battalio)
- Enable Git object pools. !29595 (jramsay)
- Updated container registry to display error message when special characters in path. Documentation has also been updated. !29616
- Allow developers to delete tags. !29668
- Will not update issue timestamps when changing positions in a list. !29677
- Include a link back to the MR for Visual Review feedback form. !29719
- Improve discussion reply buttons layout and how jump to next discussion button appears. !29779
- Renders a pre-release tag for releases. !29797
- Migrate NULL values for users.private_profile column and update users API to reject null value for private_profile. !29888
- Re-name files in Web IDE in a more natural way. !29948
- Include events from subgroups in group's activity. !29953 (Fabian Schneider @fabsrc)
- Upgrade to Gitaly v1.49.0. !29990
- Remove group and instance clusters feature flag. !30124
- Add support for creating random passwords in user creation API. !30138
- Support CIDR notation in IP rate limiter. !30146
- Add Redis call details in Peek performance bar. !30191
- Create Knative role and binding with service account. !30235
- Add cleanup migration for MR's multiple assignees. !30261
- Updates PHP template to php:latest to ensure always targeting latest stable. !30319 (Paul Giberson)
- Format `from` and `to` fields in JSON audit log. !30333
- Upgrade to Gitaly v1.51.0. !30353
- Modify cycle analytics on project level. !30356
- Extract clair version as CLAIR_EXECUTABLE_VERSION variable and update clair executable from v8 to v11. !30396
- Upgrade Rouge to 3.5.1. !30431
- Move multiple issue boards to core. !30503
- Upgrade to Gitaly v1.52.0. !30568
- Upgrade to Gitaly v1.53.0. !30614
- Open WebIDE in fork when user doesn't have access. !30642
- Propagate python version variable. (Can Eldem)

### Performance (25 changes, 1 of them is from the community)

- Remove tooltip directive on project avatar image component. !29631 (George Tsiolis)
- Use Rugged if we detect storage is NFS and we can access the disk. !29725
- Add endpoint for fetching diverging commit counts. !29802
- Cache feature flag names in Redis for a minute. !29816
- Avoid storing backtraces from Bitbucket Cloud imports in the database. !29862
- Remove import columns from projects table. !29863
- Enable Gitaly ref name caching for discussions.json. !29951
- Allow caching of negative FindCommit matches. !29952
- Eliminate N+1 queries in Dashboard::TodosController. !29954
- Memoize non-existent custom appearances. !29957
- Add a separate endpoint for fetching MRs serialized as widgets. !29979
- Use CTE to fetch clusters hierarchy in single query. !30063
- Enable Gitaly ref caching for SearchController. !30105
- Avoid loading pipeline status in search results. !30111
- Improve performance of MergeRequestsController#ci_environment_status endpoint. !30224
- Add a memory cache local to the thread to reduce Redis load. !30233
- Cache Flipper persisted names directly to local memory storage. !30265
- Limit amount of JUnit tests returned. !30274
- Cache Flipper feature flags in L1 and L2 caches. !30276
- Prevent amplification of ReactiveCachingWorker jobs upon failures. !30432
- Allow ReactiveCaching to support nil value. !30456
- Improve performance of fetching environments statuses. !30560
- Do Redis lookup in batches in ActiveSession.sessions_from_ids. !30561
- Remove catfile cache feature flag. !30750
- Fix Gitaly auto-detection caching. !30954

### Added (46 changes, 12 of them are from the community)

- Document the negative commit message push rule for the API. !14004 (Maikel Vlasman)
- Expose saml_provider_id in the users API. !14045
- Improve Project API. !28327 (Mathieu Parent)
- Remove Sentry from application settings. !28447 (Roger Meier)
- Implement borderless discussion design with new reply field. !28580
- Enable terminals for instance and group clusters. !28613
- Resolve Multiple discussions per line in merge request diffs. !28748
- Adds link to Grafana in Admin > Monitoring settings when grafana is enabled in config. !28937 (Romain Maneschi)
- Bring Manual Ordering on Issue List. !29410
- Added commit type to tree GraphQL response. !29412
- New API for User Counts, updates on success of an MR the count on top and in other tabs. !29441
- Add option to limit time tracking units to hours. !29469 (Jon Kolb)
- Add confirmation for registry image deletion. !29505
- Sync merge ref upon mergeability check. !29569
- Show an Upcoming Status for Releases. !29577
- Add order_by and sort params to list runner jobs api. !29629 (Sujay Patel)
- Allow custom username for deploy tokens. !29639
- Add a verified pill next to email addresses under the admin users section. !29669
- Add rake task to clean orphan artifact files. !29681
- Render GFM in GraphQL. !29700
- Upgrade asciidoctor version to 2.0.10. !29741 (Rajendra Kadam)
- Allow auto-completing scoped labels. !29749
- Enable syntax highlighting for AsciiDoc. !29835 (Guillaume Grossetie)
- Expose placeholder element for metrics charts in GFM. !29861
- Added a min schema version check to db:migrate. !29882
- Extract zoom link from issue and pass to frontend. !29910 (raju249)
- GraphQL mutations for add, remove and toggle emoji. !29919
- Labeled issue boards can now collapse. !29955
- Allow Ingress to be uninstalled from the UI. !29977
- Add permission check to metrics dashboards endpoint. !30017
- Allow JupyterHub to be uninstalled from the UI. !30097
- Allow GitLab Runner to be uninstalled from the UI. !30176
- GraphQL mutations for managing Notes. !30210
- Add API for CRUD group clusters. !30213
- Add endpoint to move multiple issues in boards. !30216
- Enable terminals button for group clusters. !30255
- Prevent excessive sanitization of AsciiDoc ouptut. !30290 (Guillaume Grossetie)
- Extend `MergeToRefService` to create merge ref from an arbitrary ref. !30361
- Add CI variable to provide GitLab HOST. !30417
- Add migration for adding rule_type to approval_project_rules. !30575
- Enable section anchors in Asciidoctor. !30666 (Guillaume Grossetie)
- Preserve footnote link ids in Asciidoctor. !30790 (Guillaume Grossetie)
- Add support for generating SSL certificates for custon pages domains through Let's Encrypt.
- Introduce default: for gitlab-ci.yml.
- Move Multiple Issue Boards for Projects to Core.
- Add Gitaly data to the usage ping.

### Other (35 changes, 15 of them are from the community)

- Remove unresolved class and fixed height in discussion header. !28440 (David Palubin)
- Moved EE/CE code differences for file `app/views/search/_category.html.haml` into CE. !28755 (Michel Engelen)
- Changes "Todo" to "To Do" in the UI for clarity. !28844
- Migrate GitLab managed project-level clusters to unmanaged if a Kubernetes namespace was unable to be created. !29251
- Migrate GitLab managed project-level clusters to unmanaged if they are missing a Kubernetes service account token. !29648
- Add strategies column to operations_feature_flag_scopes table. !29808
- Disallow `NULL` values for `geo_nodes.primary` column. !29818 (Arun Kumar Mohan)
- Replace 'JIRA' with 'Jira'. !29849 (Takuya Noguchi)
- Support jsonb default in add_column_with_default migration helper. !29871
- Update pagination prev and next texts. !29911
- Adds metrics to measure cost of expensive operations. !29928
- Always allow access to health endpoints from localhost in dev. !29930
- Update GitLab Runner Helm Chart to 0.6.0. !29982
- Use darker gray color for system note metadata and edited text. !30054
- Fix typo in docs about Elasticsearch. !30162 (Takuya Noguchi)
- Fix typo in code comments about Elasticsearch. !30163 (Takuya Noguchi)
- Update mixin-deep to 1.3.2. !30223 (Takuya Noguchi)
- Migrate markdown header_spec.js to Jest. !30228 (Martin Hobert)
- Remove istanbul JavaScript package. !30232 (Takuya Noguchi)
- Centralize markdownlint configuration. !30263
- Use PostgreSQL 9.6.11 in CI tests. !30270 (Takuya Noguchi)
- Fix typo in updateResolvableDiscussionsCounts action. !30278 (Frank van Rest)
- Change color for namespace in commit search. !30312
- Remove applySuggestion from notes service. !30399 (Frank van Rest)
- Improved readability of storage statistics in group / project admin area. !30406
- Alignign empty container registry message with design guidelines. !30502
- Remove toggleAward from notes service. !30536 (Frank van Rest)
- Remove deleteNote from notes service. !30537 (Frank van Rest)
- change the use of boardService in favor of boardsStore on footer for the board component. !30616 (eduarmreyes)
- Update example Prometheus scrape config. !30739
- Update GitLab Pages to v1.7.0.
- Add token_encrypted column to operations_feature_flags_clients table.
- Removes EE diff for app/views/profiles/preferences/show.html.haml.
- Removes EE differences for app/views/layouts/fullscreen.html.haml.
- Removes EE differences for app/views/admin/users/show.html.haml.


John Skarbek's avatar
John Skarbek committed
2254 2255 2256 2257
## 12.0.12

- No changes.

John Skarbek's avatar
John Skarbek committed
2258 2259
## 12.0.10

John Skarbek's avatar
John Skarbek committed
2260
- No changes.
John Skarbek's avatar
John Skarbek committed
2261 2262
- No changes.

2263 2264 2265 2266 2267 2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290
## 12.0.7

### Security (22 changes)

- Ensure only authorised users can create notes on Merge Requests and Issues.
- Add :login_recaptcha_protection_enabled setting to prevent bots from brute-force attacks.
- Queries for Upload should be scoped by model.
- Speed up regexp in namespace format by failing fast after reaching maximum namespace depth.
- Limit the size of issuable description and comments.
- Send TODOs for comments on commits correctly.
- Restrict MergeRequests#test_reports to authenticated users with read-access on Builds.
- Added image proxy to mitigate potential stealing of IP addresses.
- Filter out old system notes for epics in notes api endpoint response.
- Avoid exposing unaccessible repo data upon GFM post processing.
- Fix HTML injection for label description.
- Make sure HTML text is always escaped when replacing label/milestone references.
- Prevent DNS rebind on JIRA service integration.
- Use admin_group authorization in Groups::RunnersController.
- Prevent disclosure of merge request ID via email.
- Show cross-referenced MR-id in issues' activities only to authorized users.
- Enforce max chars and max render time in markdown math.
- Check permissions before responding in MergeController#pipeline_status.
- Remove EXIF from users/personal snippet uploads.
- Fix project import restricted visibility bypass via API.
- Fix weak session management by clearing password reset tokens after login (username/email) are updated.
- Fix SSRF via DNS rebinding in Kubernetes Integration.


2291 2292 2293 2294
## 12.0.6

- No changes.

2295 2296
## 12.0.3 (2019-06-27)