pump.io

Social server with an ActivityStreams API

This project is maintained by pump.io contributors

Posts categorized as "releases"

pump.io 5.1 stable published to npm

Last night I officially published pump.io 5.1 to npm as a stable release!

As I wrote in the beta announcement, this release contains a variety of improvements:

  • Zero-downtime restarts, which allows administrators to seamlessly roll over to new configurations and codebases
  • The daemon now generates startup log warnings on bad configurations, including insecure secret values and internal parameters
  • An official Dockerfile is now included with the release
  • The logged-out mobile homepage's menu icon is no longer incorrectly styled as black
  • An authorization problem with SockJS connections has been fixed

5.1 stable does include one change the beta didn't: a bump to the version of the gm npm package which we depend on. This bump was done as a precautionary measure, as previous versions of gm depended on a version of the debug module which was vulnerable to denial-of-service security bugs.

As a project, we addressed these bugs back in October when we issued security releases for all supported release branches, and at the time we confirmed that the vulnerable function wasn't used by gm. Today's gm bump does not constitute a security release; instead, we're just bumping the version as a precautionary measure in case we missed something in October's assessment of the situation.

Aside from the gm bump, there are (as usual) miscellaneous version bumps included in this release. We've also started tracking test suite coverage information as well as overhauled our documentation on ReadTheDocs, moving most of the in-repository documentation there.

If you want even more details of this release, you can also check out the changelog.

pump 5.1 is a drop-in replacement for 5.0. That means if you're using our recommended installation method and installing from npm, you can upgrade with npm install -g pump.io@5.1. If you have a source-based install, you should merge and/or switch to the v5.1.0 tag. And as always, if you encounter any problems, please feel free to reach out to the community or file bugs you find.

Finally, I would be remiss if I didn't point out that pump.io has a brand-new announcement mailing list! While the blog is great for announcing new releases, not everyone finds it convenient to check. Also, if we issue new betas in the middle of a release cycle, these aren't typically announced on the blog. Therefore in the future all new releases will be announced on the mailing list, not just initial betas. If you want to subscribe to the mailing list, you may do so here - you'll get announcements of new features only, not e.g. feature announcements as seen on this blog. I hope people find this service useful!


pump.io 5.1 is in beta

I'm really excited to announce that pump.io 5.1 is officially in beta!

This release makes a wide array of improvements. One of the features I'm most excited about is zero-downtime restarts, which will allow administrators to gracefully roll over to new configurations and codebases with absolutely no user-visible impact! Aside from that, here's a list of highlights:

  • The daemon now generates startup log warnings on bad configurations, including insecure secret values and internal parameters
  • An official Dockerfile is now included with the release
  • The logged-out mobile homepage's menu icon is no longer incorrectly styled as black
  • SockJS connections no longer fail due to authorization problems

As usual, this release also includes some small updates to dependencies. Plus, we started tracking how much code our test suite covers! We've also significantly cleaned up the documentation and moved almost all of the in-repository documentation to ReadTheDocs, where it's a lot more organized and accessible. If you want more than just these highlights, you can check out the changelog.

Note that while the repository includes a Dockerfile now, we have not yet begun publishing on Docker Hub due to some security logistics that need to be figured out - when we do, it'll be announced in all the usual places (including this blog).

I'm so excited for people to try out this release. 5.1 beta 0 is a drop-in replacement for 5.0, so if you're on 5.0 and want to live (more) on the bleeding edge, you can upgrade with npm install -g pump.io@5.1 if you have an npm-based install. If you have a source-based install, you should merge and/or switch to the v5.1.0-beta.0 tag. And as always, if you encounter any problems you can reach out to the community or file bugs you find.


Denial-of-service security fixes now available

Recently some denial-of-service vulnerabilities were discovered in various modules that we indirectly depend on. I've bumped Express and send to pull in patched versions, and I've updated our fork of connect-auth to require a patched version of Connect, too. The remaining vulnerabilities I've confirmed don't affect us.

Because of these version bumps, I've just put out security releases which all administrators are encouraged to upgrade to as soon as possible. A semver-major release (5.0.0) was released within the past 6 months so per our security support policy this means there are three new releases:

  1. pump.io 5.0.2 replaces 5.0.0 and is available now on npm
  2. pump.io 4.1.3 replaces 4.1.2 and is available now on npm
  3. pump.io 4.0.2 will replace 4.0.1 and is currently undergoing automated testing (it'll be on npm shortly) Update: pump.io 4.0.2 is now on npm

As these are security releases we encourage admins to upgrade as soon as possible. If you're on 5.0.0 installed via npm - our recommended configuration - you can upgrade by issuing:

$ npm install -g pump.io@5

If you're on 4.1.3, you can upgrade by issuing:

$ npm install -g pump.io@4

And when 4.0.2 is out, if you're on 4.0.1 you can upgrade by issuing:

$ npm install -g pump.io@4.0

Note though that 4.1.3 is a drop-in replacement for 4.0.2, so you should consider just upgrading to that instead. Or even better, upgrade to 5.x!

If you don't have an npm-based install, you'll have to upgrade however you normally do. How to do this will depend on your particular setup.

As always, if you need help, you should get in touch with the community. I'd also like to specifically thank Jason Self, who generously deployed a 24-hour private beta of these fixes on Datamost. One of the version bumps was ever-so-slightly risky, and being able to test things in production before rolling out patches for the entire network was invaluable. I wouldn't be as confident as I am in these releases without his help. So thanks, Jason - I really appreciate it!


pump.io 5.0 declared stable

I'm super excited to announce that as of a couple days ago, pump.io 5.0 has now been declared stable and released!

This release cycle had an extra beta since I found a bug with the new display of shares. The fix ended up being trivial, though, and other than that there's been no changes from the beta announcement:

  • Documentation has been expanded
  • Small improvements to the administrator experience have landed
  • The web UI has gotten, among other things, some user experience polishing as well as upgrades to more performant and better-licensed libraries
  • "Login with remote account" no longer crashes (although this one was backported in 4.1.1)
  • The systemd service shipped with the package has significant security improvements
  • Lots of internal refactoring and simplification made possible by dropping Node 0.10/0.12 support

As I said in the beta announcement, some of these changes - particularly the systemd changes and the fact that (as previously announced) Node 0.10 and 0.12 are no longer supported - will require administrator intervention. Be sure to read our upgrade guide for details on how to deal with these.

pump.io 5.0 is the most stable and secure release yet, so as always, I'd encourage all administrators to upgrade as soon as possible. And if you get stuck, the community is always here to help.

Cheers!


pump.io 5.0 beta released

I'm excited to announce that pump.io 5.0.0 is now officially in beta!

This is another big release and makes a wide variety of improvements. Here are some highlights from the changelog:

  • More complete documentation
  • Small improvements to the administrator experience
  • A better web UI, including some user experience polishing as well as an upgrade to more performant and better-licensed libraries
  • A fix for crashes related to "login with remote account" (although this one was backported in 4.1.1)
  • Significant security improvements in the systemd service shipped with the package
  • Lots of internal refactoring and simplification made possible by dropping Node 0.10/0.12 support

Many of these changes - particularly the systemd changes and the fact that (as previously announced) Node 0.10 and 0.12 are no longer supported - will require administrator intervention. Be sure to read our upgrade guide for details on how to deal with these changes.

All of these features add up to make pump.io 5.0 beta the most stable and secure release yet. As always, it will go through our beta period for about a month before being released as a fully stable version. If you try it out, the community would love to hear about it - and be sure to report any bugs you encounter!