pump.io

Social server with an ActivityStreams API

This project is maintained by pump.io contributors

pump.io 5.1.4 and 5.0.4 security releases are now available

Another day, another DOMPurify security release.

DOMPurify - which pump.io uses to protect against cross-site scripting vulnerabilities - today released version 2.0.16, which per the release notes fixes "an mXSS-based bypass caused by nested forms inside MathML" in Chrome. So as we usually do, the pump.io project is publishing a release that makes 2.0.16 the minimum required DOMPurify version, to make sure everyone running pump.io gets this patch.

Per our security support policy, we're making patches available for both the current and previous stable releases:

  1. pump.io 5.1.3 has been updated to pump.io 5.1.4
  2. pump.io 5.0.3 has been updated to pump.io 5.0.4

All administrators should upgrade as soon as possible since these are security releases. The risk that something will break from the upgrade is extremely low since both 5.1.4 and 5.0.3 are drop-in replacements for their predecessors. If you installed pump.io 5.1 using npm - our recommended configuration - you can upgrade with:

$ npm install -g pump.io@5

If you're still running pump.io 5.0, we recommend that you take this opportunity to upgrade to pump.io 5.1 by using the above command - it's a drop-in replacement, and will require no intervention on your part. However, if you want to stick with 5.0 for now, you can install a patched version with:

$ npm install -g pump.io@5.0

On the other hand, if you have a source-based install, the above commands won't work and you will need to upgrade however you usually do. This will depend on how exactly you installed pump.io in the first place.

If you need help, or if you have questions about these security releases, the community is always happy to help.