Fixed

• Fix To: and CC: fields not showing in the web UI
• Remove a stray debugger statement in the web UI JS

Fixed

• Certain template resource 404s in the web UI are now fixed

Fixed

• Jade client-side files are now included in registry packages
• The Server: header now reports the correct pump.io version

Fixed

• Updated some documentation version numbers

No changes from 2.0.0 beta 2.

Changed

• Fixed the web UI mangling some special characters when showing displayName properties

Added

• A pump(1) manpage is now included
• Any internal web UI link with a data-bypass attribute is now ignored by the routing logic (useful for e.g. custom pages added by the admin)
• YouTube links in posts are now shown as embeds by the web UI (#1158)

Changed

• Node.js 0.10 and 0.12 support is now deprecated (#1212)
• TLS connections now use Mozilla's "intermediate" cipher suite and forces server cipher suite preferences (#1061)
• Adjusted the XSS error page wording based on user feedback

Breaking

• Upgrade to Express 3.x (affects plugins)
• Templates are now based on Jade instead of utml (affects people who change the templates) (#1167)

This release adds many security features. It's recommended that admins upgrade as soon as possible.

Please note that while we're not doing so yet, we're planning to deprecate running under Node.js 0.10 and 0.12 very soon. Additionally, upgrading to Node.js 4.x early will enable the new, better XSS scrubber - however, be aware that pump.io is far less tested under Node.js 4.x and you are likely to run into more bugs than you would under 0.10 or 0.12.

See #1184 for details.

Added

• [API] Send the Content-Length header in Dialback requests
• Add support for LibreJS (#1058)
• Node.js 4.x is officially supported (#1184)
• Browser MIME type sniffing is disabled via X-Content-Type-Options: nosniff (#1184)
• Protect some versions of Internet Explorer from a confused deputy attack via X-Download-Options: noopen (#1184)
• Make sure Internet Explorer's built-in XSS protection is as secure as possible with X-XSS-Protection: 1; mode=block (#1184)
• Versions of Internet Explorer the XSS scrubber can't protect are presented with a security error instead of any content (#1184)
• Clickjacking is prevented via X-Frame-Options: DENY header (in addition to Content Security Policy) (#1184)
• A Content-Security-Policy header is sent with every response (#1184)
  • Scripts are forbidden from everywhere except the application domain and (if CDNs are enabled) cdnjs.cloudflare.com and ajax.googleapis.com
  • Styles are forbidden from everywhere except the application domain and inline styles
  • <object>, <embed>, and <applet>, as well as all plugins, are forbidden
  • Embedding the web UI via <frame>, <iframe>, <object>, <embed>, and <applet> is forbidden
  • Connecting to anything other than the application domain via XMLHttpRequest, WebSockets or EventSource is forbidden
  • Loading Web Workers or nested browsing contexts (i.e. <frame>, <iframe>) is forbidden except from the application domain
  • Fonts are forbidden from everywhere except the application domain
  • Form submission is limited to the application domain

Changed

• [API] Don't return displayName properties if they're empty (#1149)
• Upgraded from Connect 1.x to Connect 2.x
• Upgraded various minor dependencies
• All files pass style checking and most pass JSHint
• Add links to the user guide on the homepage and welcome message (#1125)
• Add a new XSS scrubber implementation (#1184)
  • DOMPurify-based scrubber is used on Node.js 4.x or better
  • Otherwise, a more intrusive, less precise one is used

Fixed

• Fix a crash upon access of an activity without any replies (#1135)
• Disable registration link if registration is disabled (#853)
• package.json now uses a valid SPDX license identifier (#1112)