Hello my magnificent Flarumites!
We have taxed your patience in bringing the newest beta installment of Flarum. Yet this release marks closure on the most impactful change in preparation for stable since beta 8, the frontend framework upgrade. With 80+ issues closed in addition to that upgrade, Beta 14 is the largest release Flarum has seen so far. Moreover, this release only took 5 months, in comparison to Beta 8 which had comparable scope but took 17 months.
It wasn't always easy, especially with all that happened in the world around us, but our team persevered in shipping a release we can be proud of.

It does not matter how slowly you go so long as you do not stop. --Confucius

Cairns Birdwing

---

🔔 What’s Changed?

---

The focus of this release was a long overdue upgrade of Flarum's frontend framework from Mithril v0.2 to Mithril v2.0. This also included refactors of many major frontend components like the discussion list, notifications dropdown, and post stream. We also started using TypeScript in core's frontend, upgraded the Laravel packages we used from v5 to v6, and fixed a lot of bugs. Most changes are more applicable to extension developers, but they go a long way towards increasing stability of our frontend. A few user-visible highlights:

• 📦️ When enabling and disabling extensions we will now check their dependencies on other extensions to prevent bricking your forum. For instance , since askvortsov/categories relies on flarum/tags, you can't enable it unless flarum/tags is enabled. (flarum/core#2188)
• 🗨️ Fixed a bunch of bugs with the post stream
• 🏷️ Improved tag discussion count and last posted discussion calculations
• ⬅️ Added a "view post" popup when having edited a post similar to when you create a post. (flarum/core#2108)
• ✉️ Email configuration can now be tested from within the admin area. (flarum/core#2023)
• 🔍 Searching for users based on groups is now also possible using the group ID. (flarum/core#2192)
• 🕛️ Relative times are now updated without reloading. (flarum/core#2208)
• ⚠️ Improved request error handling with modals. (flarum/core#1929)
• 😁 Font Awesome was updated. (flarum/core#2274)
• 📛 User display names are now implemented as drivers, and have extenders (flarum/core#2174)
• 🔒️ The bundled Facebook, GitHub and Twitter authentication extensions have moved to Friends of Flarum. flarum/core#2006

There are a bunch more! If you're into this, feel free to scour our changelogs and releases on GitHub.

👨‍💻 For Developers

---

If you are a developer please understand there are many breaking changes in this release, make sure to read the full upgrade guide in our docs! Some key points:

• We are now using Mithril 2, which means a lot of changes to components will be needed. (flarum/core#2255)
• You MUST use the new View extender for registering Laravel View namespaces instead of resolving the View factory directly in extend.php (flarum/core#2134)
• The Laravel packages Flarum uses have been upgraded to v6 from v5. This means that some helpers, like array_get, are no longer available. Also, theApplication has been decoupled from the IoC container and Laravel's Application contract flarum/core#2243
• Application paths have been moved to the resolvable Paths class. (flarum/core#2142)
• Config (config.php contents) has been moved to the resolvable Config class. (flarum/core#2271)
• Subjects and bodies for notification emails can (and should!!!) now be translated. (flarum/core#2244)
• A user extender for display name drivers and user group pre-processing has been added. (flarum/core#2110)
• Other changes are mentioned in the upgrade guide for this release.

Developers are urged to check the changelogs of relating packages when they discover issues. You can review the Beta 14 Upgrade Guide to ensure your extensions are up to date.
If you have any questions or run into any obstacles in upgrading, please open a new discussion in the Dev tag or find us in #extend on our Discord.

Please also read about our flarum/core version constraint recommendation to stable.

⤴️ Upgrading

---

Please note that Beta 14 comes with a lot of changes, and extension developers will need some time to catch up. Please ensure that all extensions you need have been updated for beta 14 before upgrading your forum.

Before you run the upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!

Step 1: Ensure you are on version 0.1.0-beta.13 in your Admin Dashboard or by running php flarum info (use the previous release notes for upgrading from an earlier version)
Step 2: Uninstall every 3rd party extension that isn't compatible with beta 14 yet. Most extensions are no longer compatible! You can check which extensions are compatible at Extiverse (it needs up to one hour after release to display compatible extensions).
Step 3: Disable the remaining extensions. Re-enabling them one at a time after you update will make it easier to debug if any issues occur.
Step 4: Run the following commands:

composer remove --no-update flarum/auth-facebook flarum/auth-github flarum/auth-twitter

Now run the update all versions without installing (yet):

composer update --no-install --with-all-dependencies

[optional] In case you used the facebook, github or twitter log in extensions:

composer require --no-update fof/oauth

Now install everything you've updated:

composer install --prefer-dist --no-dev -a

Last step is to run the database changes and clear the cache:

php flarum migrate
php flarum cache:clear

Step 5: Use your newly-upgraded Flarum site!
If you run into any problems, please open a new discussion in the Support tag. There may be discussions of similar issues, but open a new one anyway, it helps us get your specific problem resolved faster.
If the problem persists – we're here to help! Make sure to include the output of php flarum info. Please also include the output of composer why-not flarum/core v0.1.0-beta.14

🙇‍♀️ Acknowledgements

---

Flarum releases wouldn't be possible without a multitude of people, our thanks go out to all of them! Thank you...
To everyone who contributed code this release, especially @w-4, @matteocontrini, @SychO, @Kylo, @Littlegolden, @iPurpl3x, @fengkx, @corvofeng, @Qiaeru, @davwheat, @gruentee, @tariqthedev, @eddiewebb, @angus, @alphaman, x7airworker, w3Abhishek, phanlyhuynh, nlssn, lhsazevedo, julakali, Heniisbaba, timas130, spekulatius, razonyang, jxsl13, and anyone else we've missed;
To our eagle-eyed bug reporters, especially @w-4, @matteocontrini, @SychO, @LianSheng, @peopleinside, @iPurpl3x and anyone else we've missed;
To the incredible team behind Flarum, including @Franz, @luceos, @jordanjay29, @datitisev, @clarkwinkelmann, @tankerkiller125, @askvortsov, @Liberty, @Digital, @Pollux, @katos, @Kyrne and @Ralkage;
To every Open Collective supporter and Github Sponsor, but especially Glowing Blue AG and KAV Partners. And also @rehrar, @BartVB, Christoph Schneegans, Dan Rezykowski, Sridhar Kamma, Donald Broussard, GuitarTalk, Hari, @ianm, Jian Gong, @phenomlab, @Edmilerad, Daniel Alter, espectrunk, FibraClick, HostBend LLC, Ken Lam, Lay Dominicans of bl. Michał Czartoryski, odyssea-ogc, Open Collective Inc, Timotheus Pokorra, malago86, yannisme, @askvortsov, zgq354, AndreiTelteu, @tankerkiller125, @angus, Wadera, @pkernstock, demianh, @hrvoje_hr;
Your continued support is extremely helpful, being fundamental to stable development for Flarum! Help us become a sustainable project by backing us on Open Collective or on GitHub
And finally, to you for your ongoing support and enthusiasm that keeps us all going!

Yesterday we released an emergency security fix for the bundled Tags extension. Here are more details.

Impact

This vulnerability allowed any registered user to edit the tags of any discussion for which they have READ access using the REST API.
Users were able to remove any existing tag, and add any tag in which they are allowed to create discussions. The chosen tags still had to match the configured Tags minimums and maximums.
By moving the discussion to new tags, users were able to go around permissions applied to restricted tags. Depending on the setup, this can include publicly exposing content that was only visible to certain groups, or gain the ability to interact with content where such interaction was limited.
The full impact varies depending on the configuration of permissions and restricted tags, and which community extensions are being used. All tag-scoped permissions offered by extensions are impacted by this ability to go around them.
Forums that don't use restricted tags and don't use any extension that relies on tags for access control should not see any security impact. An update is still required to stop users from being able to change any discussion's tags.
Forums that don't use the Tags extension are unaffected.

Patches

The fix will be available in version v0.1.0-beta.14 with Flarum beta 14. The fix has already been back-ported to Flarum beta 13 as version v0.1.0-beta.13.2 of the Tags extension.

References

flarum/core#2355

Credit

Thank you to @LianSheng for finding it and to @SychO for the quick fix!

How to update

If you are using Flarum beta 13:
In your Flarum folder (containing composer.json and config.php), run:

composer update flarum/tags --prefer-dist --no-dev -a

You can then confirm the update worked by checking Composer output (should say "updating to v0.1.0-beta.13.2"), or by checking the version number in the admin panel in the extension list.
If you are using beta 12 or older:
You should update to Flarum beta 13 as soon as possible. We unfortunately can't support older Flarum releases with security fixes. Follow the instructions to update. The security fix will automatically be applied when you perform the update to beta 13.

Followup

The original fix released as v0.1.0-beta.13.1 contained an error. We have released an updated fix as v0.1.0-beta.13.2. If you already installed the 13.1 fix, repeat the steps above to install 13.2.
In our haste to get the fix out we missed an important quality check. We will review our process so this doesn't happen again. We apologize for the inconvenience.

This release fixes a couple of bugs in Flarum 0.1.0-beta.14 that prevents regular use of your community. Please understand this release does not ship with any new features and only contains fixes.

Upgrading

Check your admin dashboard, if it mentions the Flarum version as v0.1.0-beta.14.1 there's no need to upgrade. And if you're upgrading from previous versions after today you will automatically upgrade directly to beta 14.1.
Run the following command to update Flarum and bundled extensions that we patched. Feel free to leave out the bundled extensions that you previously uninstalled:

composer update --no-dev --prefer-dist -a --with-all-dependencies flarum/core flarum/lang-english flarum/akismet flarum/flags flarum/pusher 

Now clear the cache:

php flarum cache:clear

If you are running PHP-FPM with OPCache make sure to restart your PHP process to clear the cache.
In case you run into any issues please post in our support tag and mention the output of php flarum info or your composer.json.

Fixes

Core

• SuperTextarea component is not exported.
• Symfony dependencies do not match those depended on by Laravel (flarum/core#2407)
• Scripts from textformatter aren't executed (flarum/core#2415)
• Sub path installations have no page title.
• Losing focus of Composer area when coming from fullscreen.

English

• Missing translation keys for edited post (flarum/lang-english#163)

Akismet

• Incorrect use of Container::url method

Flags

• Flags cache was instantiated prematurely causing incorrect flags count (flarum/flags#31)

Pusher

• Children were incorrectly passed to show update highlight
• Update discussion list caused an error (flarum/pusher#27)

This is a placeholder, usually we'd have some information from our kick off meeting. That meeting is planned for Next Monday, so there's nothing to say right now other than Beta 14 just got released 😃

This is a placeholder, usually you would see some information about our kick off meeting. That meeting is planned for coming Friday, so there's nothing to say to you right now except that Beta 13 just got released 😄.

Feel free to use the Follow button to get notified whenever we talk about development of the upcoming Beta 14 release.

Now that we've managed to stick to releasing within reasonable margins of our deadline, let me tell you that beta 14 is to be released in three months (early August). We need this extra month because beta 14 checks off an important task from our checklist; the frontend rewrite and upgrade. I'm hoping to share more information about this rewrite the coming weeks.