I Feel Love | Browser Extension & API

Introduction

Passbolt 5.13.0 is a maintenance release that introduces in-app edition management. Administrators can now switch between the Community and Pro editions without manual migrations. It also includes scalability and monitoring improvements for larger deployments, security updates, and bug fixes.

In-app edition management

Until now, administrators running the Community Edition who wanted to evaluate Pro features had to set up a separate environment or run manual migrations. With the codebase unification shipped in 5.12 and the edition management introduced in 5.13, they can now upgrade or downgrade directly from the organisation settings.

The entire project remains open source under the AGPL-3.0 licence, and the Community edition will always be free. A dedicated blog post with more details on this choice will follow.

Scalability and monitoring

Administrators who monitor their instance through the healthcheck status endpoint (/healthcheck/status.json) will get a more complete signal. This endpoint now verifies the availability of the caching system.

For organisations that manage large numbers of credentials, the browser extension now starts paginating resource fetching, which reduces server load. This is part of a continuous effort to improve passbolt scalability, with folder pagination being next in line.

Maintenance and security

This release fixes a number of bugs, among them an issue that prevented Firefox users from creating TOTPs from uploaded QR codes. It also ships third-party dependency upgrades and security advisory fixes. Check the detailed logs below for the full list.

Conclusion

Many thanks to everyone who provided feedback, reported bugs, and contributed to making passbolt better!

API

Added

• PB-42980 As an administrator I can upgrade my Passbolt CE instance to a Pro edition from the product
• PB-42980 As an administrator I can downgrade my Passbolt Pro instance back to CE from the product
• PB-51980 Adds a healthcheck that reports the edition currently served by the instance
• PB-51533 As an admin I can contain my_group_user in PUT /groups.json
• PB-52020 As an administrator I can run the healthcheck command if the DB is not reachable
• PB-51039 Extends the /healthcheck/status.json endpoint to verify additional components such as the cache

Fixed

• PB-51161 Stops folder cycle detection at the personal folder boundary
• PB-50013 Fixes user session being destroyed in Safari when fetching avatar images from the web application
• PB-52027 Fixes SCIM endpoints returning non-standard HTTP status codes
• PB-51646 Fixes missing spaces in the email sent when a user lost their key/passphrase and recovery is aborted

Security

• PB-52135 Upgrades mobiledetect/mobiledetectlib
• PB-51940 Fixes qs security vulnerability advisory GHSA-q8mj-m7cp-5q26 (Medium)
• PB-51639 Fixes PKSA-pwvr-3754-v57r security vulnerability advisory affecting composer/composer package
• PB-51194 PBL-15-006: Fixes internal UUID still disclosed in SCIM user creation conflict response (Low)

Maintenance

• PB-51650 Introduces ScimSettingsDto for the ScimGetSettingsService::getSettings()
• PB-51647 Adds unit tests for GroupsUsersTable::isManager()
• PB-52010 Removes cakephp/bake from composer dev requirements
• PB-52126 Upgrades symfony/string to 7.4.13
• PB-51570 Upgrades CakePHP to v5.3.6 and replaces _execute() calls with process() to fix deprecations
• PB-52070 Fixes "Use expr() instead of newExpr()" deprecation warning after CakePHP upgrade
• PB-48002 Removes security.prompt from the SSO configuration
• PB-49755 Removes GitLab CI definition (moved to the ci-definitions repository)
• PB-49425 Refactors DirectorySync controller tests using fixture factories
• PB-35955 Refactors /healthcheck/status.json endpoint to use a pluggable default status strategy

Browser extension

Added

• PB-51594 Move findAllForActionLogController and test to the correct location
• PB-48516 Build process improvement - Webpack
• PB-51534 Update group edit call in groupApiService to contain "my_group_user" as urlOptions
• PB-51580 PCD 1.1 - Migrate SearchUsersAndGroupsController off ShareModel
• PB-51585 PCD 1.2 - Migrate resourceCreateService ShareModel usage to ShareResourceService
• PB-51586 PCD 1.3 - Move passbolt.share.get-folders to controller pattern
• PB-51587 PCD 1.4 - Clear ShareModel
• PB-51588 PCD 1.5 - Migrate MoveFolderController off FolderModel
• PB-51589 PCD 1.6 - Migrate MoveOneFolderService off FolderModel
• PB-51590 PCD 1.7 - Migrate MoveResourcesService off FolderModel + ResourceModel
• PB-51782 PCD 2.01 - Create SynchroniseKeyringController and binding
• PB-51783 PCD 2.02 - Create KeyringServiceWorkerService
• PB-51785 PCD 2.04 - Create GetOrFindGroupService
• PB-51786 PCD 2.05 - Create GetOrFindGroupController and binding
• PB-51787 PCD 2.06 - Create GetOrFindGroupsUsersService
• PB-51788 PCD 2.07 - Create GetOrFindGroupsUsersController and binding
• PB-51789 PCD 2.08 - Create GetOrFindUsersService
• PB-51790 PCD 2.09 - Create GetOrFindUsersController and binding
• PB-51791 PCD 2.10 - Add new methods getByIds, getGroupsUsersByGropuId on GroupServiceWorkerService
• PB-51999 PCD 2.10.B - Consolidate UserEntity between browser extension and styleguide
• PB-52000 PCD 2.10.C - Move GroupEntity + GroupsCollection to the styleguide
• PB-51792 PCD 2.11 - Create UserServiceWorkerService
• PB-51793 PCD 2.12 - Create PermissionServiceWorkerService
• PB-51794 PCD 2.13 - Create SearchUsersAndGroupsService
• PB-51795 PCD 2.14 - Refactor ShareService into ShareApiService
• PB-51796 PCD 2.15 - Update GroupApiService to support the new filter
• PB-51798 PCD 2.17 - Update FindAndUpdateGroupsLocalStorageService to add a method findForLocalStorageByIds
• PB-51799 PCD 2.18 - Align UserLocalStorage to add memory cache
• PB-51800 PCD 2.19 - Rename UserService to UserApiService
• PB-52047 CE/PRO upgrade
• PB-49605 Grid columns min-width
• PB-51808 PCD 2.27 - Create UserPermissionItem
• PB-51809 PCD 2.28 - Create GroupUserPermissionItem
• PB-47929 PAG - WP1.1 Add pagination support to ResourceService
• PB-47930 PAG - WP1.2 Paginate resource fetch for updating local storage in FindResourceService
• PB-52056 Add create method to SubscriptionKeyServiceWorkerService
• PB-52057 Add delete method to SubscriptionKeyServiceWorkerService
• PB-52058 Adapt EditSubscriptionKey to be customizable
• PB-52061 Adapt DisplaySubscriptionKeyTeasing to handle upgrade from app
• PB-52064 Create ConfirmDowngradeSubscriptionDialog
• PB-52062 Adapt DisplaySubscriptionKey to handle downgrading
• PB-52128 DisplaySubscriptionKey new layout

Security

• PB-51937 Fix ws GHSA-58qx-3vcg-4xpx - MEDIUM CVSS3.1
• PB-51938 Fix brace-expansion GHSA-jxxr-4gwj-5jf2 - MEDIUM CVSS3.1
• PB-52029 Fix tmp GHSA-ph9p-34f9-6g65 - HIGH CVSS4.0
• PB-51532 Include GitLab file from ci-definitions repo
• PB-51642 Fix fast-uri GHSA-q3j6-qgpj-74h6 - HIGH CVSS3.1
• PB-51643 Fix @babel/plugin-transform-modules-systemjs GHSA-fv7c-fp4j-7gwp - HIGH CVSS3.1
• PB-51940 Fix qs GHSA-q8mj-m7cp-5q26 - MEDIUM CVSS4.0
• PB-52030 Fix webpack-dev-server GHSA-79cf-xcqc-c78w - MEDIUM CVSS3.1
• PB-51698 Use correct passbolt repo names in safe-chain whitelist

Fixed

• PB-52148 CSP is blocking upload to TOTP QRCode on Firefox
• PB-50949 Fix MetadataKeysSettingsLocalStorageContext and MetadataTypesSettingsLocalStorageContext entity issue on storage changes
• PB-52047 Fix Passbolt Pro Edition wording
• PB-52156 Fix password preview button min-width

Maintenance

• PB-48560 Use NODE_ENV for webpack mode config
• PB-48564 Remove grunt-header
• PB-48528 Transpile LESS from webpack
• PB-48558 Extract translations directly from webpack
• PB-48559 Remove rimraf
• PB-49064 Remove Grunt
• PB-48516 Replace eval sourcemap by inline
• PB-48516 Prevent br tags to be added in translations.
• PB-48516 Remove duplicated translations
• PB-51793: Add PermissionServiceWorkerService and transfer Permission entity and collection on styleguide
• PB-51160 Update Firefox manifest to avoid Mozilla warnings
• PB-52155 Update github issue template