1.10.5-ls180

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.5-ls180/index.html

LinuxServer Changes:

Full Changelog: 1.10.5-ls179...1.10.5-ls180

Remote Changes:

This release is just a fix for the docker container. It does not contain any
changes to HedgeDoc itself.

Bugfixes

• Fix the bundled healthcheck in the docker container

1.10.5-ls179

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.5-ls179/index.html

LinuxServer Changes:

Full Changelog: 1.10.5-ls178...1.10.5-ls179

Remote Changes:

This release is just a fix for the docker container. It does not contain any
changes to HedgeDoc itself.

Bugfixes

• Fix the bundled healthcheck in the docker container

1.10.5-ls178

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.5-ls178/index.html

LinuxServer Changes:

Full Changelog: 1.10.5-ls177...1.10.5-ls178

Remote Changes:

This release is just a fix for the docker container. It does not contain any
changes to HedgeDoc itself.

Bugfixes

• Fix the bundled healthcheck in the docker container

1.10.5-ls177

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.5-ls177/index.html

LinuxServer Changes:

Full Changelog: 1.10.4-ls176...1.10.5-ls177

Remote Changes:

This release is just a fix for the docker container. It does not contain any
changes to HedgeDoc itself.

Bugfixes

• Fix the bundled healthcheck in the docker container

1.10.4-ls176

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.4-ls176/index.html

LinuxServer Changes:

Full Changelog: 1.10.3-ls175...1.10.4-ls176

Remote Changes:

Security fixes

This release contains two low severity security fixes:

• GHSA-gmgw-rcmh-7x47 reports potential cross-site side-effects due to not applying sandboxing to iframes.
• GHSA-6wm6-3vpq-6qvv reports a possible CSRF vulnerability when using certain social login providers because the state parameter is not used and checked.

Enhancements

• Add enableUploads (CMD_ENABLE_UPLOADS) config option to restrict uploads to registered users, all users or
  none to completely disable uploads.
• Allow links to protocols such as xmpp, webcal or geo
• Switch from deprecated shortid to nanoid module, with 10 character long aliases in "public" links
• Ensure compatibility with Node 24
• Protect user history from accidental or malicious deletion by adding a CSRF-like token
• Many enhancements in the documentation at docs.hedgedoc.org

Bugfixes

• Ignore the healthcheck endpoint in the "too busy" limiter
• Send the referrer origin for YouTube embeddings due to their requirement
• Force kill the server after a timeout when waiting for the realtime server to close connections on shutdown
• Secure iframes with credentialless and sandbox attributes
• Fix regexes for [time=...], [name=...] and [color=...] shortcodes in lists
• Use state parameter for OAuth2 flows and PKCE where applicable

Node compatibility

• Support for Node 24 was verified. The docker image now uses Node 24 as its base image.

Contributors

• Nora Matthias Schiffer (#6096)
• 4censord (#6102)
• Zachery Faria (#6105)
• pl7ofit (#6106)
• Lars Kiesow (#6107)
• Kim Brose (#6114)
• Achilleas Pipinellis (#6119)
• Andreas Boesen (#6148, #6149)
• Thary (#6155)

1.10.3-ls175

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.3-ls175/index.html

LinuxServer Changes:

Full Changelog: 1.10.3-ls174...1.10.3-ls175

Remote Changes:

Security fixes

This release fixes a security issue of a possible XSS exploit which can be planted via a malicous SVG file upload.

See CVE-2025-32391 for more details

Enhancements

• Add config options CMD_SAML_WANT_ASSERTIONS_SIGNED and CMD_SAML_WANT_AUTHN_RESPONSE_SIGNED for SAML auth, since
  some instances didn't comply with the new defaults of @node-saml/passport-saml

1.10.3-ls174

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.3-ls174/index.html

LinuxServer Changes:

Full Changelog: 1.10.3-ls173...1.10.3-ls174

Remote Changes:

Security fixes

This release fixes a security issue of a possible XSS exploit which can be planted via a malicous SVG file upload.

See CVE-2025-32391 for more details

Enhancements

• Add config options CMD_SAML_WANT_ASSERTIONS_SIGNED and CMD_SAML_WANT_AUTHN_RESPONSE_SIGNED for SAML auth, since
  some instances didn't comply with the new defaults of @node-saml/passport-saml

1.10.3-ls173

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.3-ls173/index.html

LinuxServer Changes:

Full Changelog: 1.10.3-ls172...1.10.3-ls173

Remote Changes:

Security fixes

This release fixes a security issue of a possible XSS exploit which can be planted via a malicous SVG file upload.

See CVE-2025-32391 for more details

Enhancements

• Add config options CMD_SAML_WANT_ASSERTIONS_SIGNED and CMD_SAML_WANT_AUTHN_RESPONSE_SIGNED for SAML auth, since
  some instances didn't comply with the new defaults of @node-saml/passport-saml

1.10.3-ls172

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.3-ls172/index.html

LinuxServer Changes:

Full Changelog: 1.10.3-ls171...1.10.3-ls172

Remote Changes:

Security fixes

This release fixes a security issue of a possible XSS exploit which can be planted via a malicous SVG file upload.

See CVE-2025-32391 for more details

Enhancements

• Add config options CMD_SAML_WANT_ASSERTIONS_SIGNED and CMD_SAML_WANT_AUTHN_RESPONSE_SIGNED for SAML auth, since
  some instances didn't comply with the new defaults of @node-saml/passport-saml

1.10.3-ls171

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.3-ls171/index.html

LinuxServer Changes:

Rebase to Alpine 3.22.

Remote Changes:

Security fixes

This release fixes a security issue of a possible XSS exploit which can be planted via a malicous SVG file upload.

See CVE-2025-32391 for more details

Enhancements

• Add config options CMD_SAML_WANT_ASSERTIONS_SIGNED and CMD_SAML_WANT_AUTHN_RESPONSE_SIGNED for SAML auth, since
  some instances didn't comply with the new defaults of @node-saml/passport-saml