Or should we name it cycle 16...
Anyway, beta 15 was just tagged with only three days of delay. The whole team will be taking some time off to enjoy the holidays. On behalf of all of them :
🎄Happy holidays 🎅

Hello my magnificent Flarumites!
With our last release, beta 14, having been delayed quite extensively, we knew it was important to get back into our habit of regular release cycles. Well within our estimation we today are proud to ship to you Flarum 0.1.0-beta.15!

“Don’t dream of winning, train for it!” — Mo Farah

Australian Tiger Beetle

---

🔔 What’s Changed?

---

The focus of this release was extenders for extension developers and some better internationalization support. A few user-visible highlights:

• 🎨 Admin dashboard refresh (flarum/core#2409)
• 🌐 Slug driver support (flarum/core#2456)
• 📛 New nicknames extension (flarum/nicknames)
• 🧩 A ton of extenders for extension developers to use (src/Extend)

Aside from a ton of fixes, there are many other improvements and new small features in most of our bundled extensions. Let us know if you discovered one or discover them by looking through the extensions changelog.md or releases page on GitHub.

👨‍💻 For Developers

---

If you are a developer please understand there are many breaking changes in this release, make sure to read the full upgrade guide in our docs! Some key points:

• MomentJS BC layer has been removed
• Policy system has been reworked
• Composer options have been added for new Admin UI
• The Flarum\User\Event\GetDisplayName event has been removed, use the display name driver feature of the User extender instead
• The base_path, public_path, and storage_path global helpers have been removed
• Other changes are mentioned in the upgrade guide for this release.

Developers are urged to check the changelogs of relating packages when they discover issues. You can review the Beta 15 Upgrade Guide to ensure your extensions are up to date.
If you have any questions or run into any obstacles in upgrading, please open a new discussion in the Dev tag or find us in #extend on our Discord.

Please also read about our flarum/core version constraint recommendation to stable.

⤴️ Upgrading

---

Before you run the upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!

Step 1: Ensure you are on version 0.1.0-beta.14 in your Admin Dashboard or by running php flarum info (use the previous release notes for upgrading from an earlier version)
Step 2: Uninstall every 3rd party extension that isn't compatible with beta 15 yet. You can check which extensions are compatible at Extiverse (it needs up to one hour after release to display compatible extensions) or use the extiverse helper.
Step 3: Disable the remaining extensions. Re-enabling them one at a time after you update will make it easier to debug if any issues occur.
Step 4: Run the following commands:

Now run the update all versions without installing (yet):

composer update --no-install --with-all-dependencies

[optional] If you'd like to add nicknames support:

composer require --no-update flarum/nicknames

Now install everything you've updated:

composer install --prefer-dist --no-dev -a

Last step is to run the database changes and clear the cache:

php flarum migrate
php flarum cache:clear

Step 5: Use your newly-upgraded Flarum site!
If you run into any problems, please open a new discussion in the Support tag. There may be discussions of similar issues, but open a new one anyway, it helps us get your specific problem resolved faster.
If the problem persists – we're here to help! Make sure to include the output of php flarum info. Please also include the output of composer why-not flarum/core v0.1.0-beta.15.

🙇‍♀️ Acknowledgements

---

Flarum releases wouldn't be possible without a multitude of people, our thanks go out to all of them! Thank you...
To everyone who contributed code this release, especially @SychO, @ianm, nina-py, sl-kr, azibom, lhsazevedo, @w-4, @rob006, @franga2000, @Swader, @Littlegolden, qiaeru.
To our eagle-eyed bug reporters, especially @franga2000, @matteocontrini, @yulei745, @Rami-Sedhom, idk-pixel, lhsazevedo, @w-4.
To the incredible team behind Flarum, including @Franz, @luceos, @jordanjay29, @datitisev, @clarkwinkelmann, @tankerkiller125, @askvortsov, @SychO, @Liberty, @Digital, @Pollux, @katos, @Kyrne, @Deebug, @Wadera and @Ralkage;
To every Open Collective supporter and Github Sponsor, but especially Glowing Blue AG, ecomscan, Bitfalls, KAV partners, @BartVB, Sridhar Kamma, Project Alice and Forum WirsanSoizburg.
Your continued support is extremely helpful, being fundamental to stable development for Flarum! Help us become a sustainable project by backing us on Open Collective or on GitHub
And finally, to you for your ongoing support and enthusiasm that keeps us all going!

My dear Flarumites,
it is time for me to say good bye. 🎶 After five years, I quietly phased out my active involvement in Flarum core development near the end of 2020.
During the last year, I was able to spend my Fridays on Flarum - for real money. 😱 Being paid to work on my own open-source project was a dream come true and an awesome experience. This would not have been possible without your financial support, so thank you all! 🤗

But all good things come to an end. In this case, not because the money was running out - quite the opposite, actually.
I am sure that 2020 was wild for all of us, in so many ways. In addition, my wife and I welcomed our second child in 2020 - that can make a family's life even more crazy (the good kind, of course). 🎉

It became clear that we needed to revisit some priorities in our lives. With more responsibilities on my shoulders, I had to let some of them go.
Even though I knew it was the right thing to do, this was such a hard decision to make. As side-projects tend to do, Flarum has grown near and dear to my heart. However, the stress of juggling two projects of such size - in my day job and for Flarum - has taken its toll on me.
During the last year, I spent much more time than before creating and reviewing code and bringing the software closer to its big goal: the first stable release. But at the same time, I lost touch with the Flarum community and the surrounding ecosystem. Don't get me wrong: I am more than happy to do my thing in the background while relying on my awesome team members for all the other aspects of an open-source project. Also, being knee-deep in code and the discussions surrounding it is something I thoroughly enjoy.
And yet, something felt off-balance. 🤨
There are more things to this story, but in the end, it comes down to this: Being stressed by a hobby project did not feel right. Bringing some of this stress into my family was a red flag.
On the bright side: the last months have proven that this was the right thing to do. With some much-needed additional breathing room, I finally had more time again for things I love, and even for exploring new ideas. But most importantly, more time for my family.

Two of Flarum's original developers have now left the team, and yet I'm very optimistic for the future of this project.
During the last year, this great team has really stepped up and shown its dedication in following through on a more regular release cycle. Beyond that, several talented individuals have joined the team in the last few months, sharing the work across more shoulders and bringing in ideas and talents that weren't there before. 👍

Now, it is time for me to leave, with the best wishes for the project - may it finally reach its full potential when throwing off the beta label!
And to you, its users: thanks for making the last years possible! Now, it is your turn to make Flarum shine - not for its beautiful UI (thanks, Toby!), but for fostering open and loving communities. The world needs more of those.
Franz
P.S.: Stay safe and stay healthy!

On January 13, Laravel released (and re-released) a series of security updates.
On January 27, they released one more update for the same issue. The advisory was publicly published on February 2.
This security incident affects all Flarum installations created before January 28, 2021. We recommend you update the dependency as soon as possible.
In your Flarum folder, run the following command:

composer update illuminate/database --no-dev -a

Composer will show an output similar to the following:

Upgrading illuminate/database (v6.20.10 => v6.20.16)

If the version on the right of the arrow is 6.20.14 or higher, you have the fix.
If Composer says there's nothing to update, you can run composer show illuminate/database to see the currently installed version and confirm it's already above 6.20.14
We have conducted tests to evaluate the impact on Flarum. We have not found any situation in which the vulnerability can be exploited in Flarum and its bundled extensions in a significant way. The only impact found is the ability to discover pairs of restricted discussion IDs and their author IDs through brute-force. We have not found any way to leak content or perform unauthorized actions.
However there is a high chance for some community extensions to be impacted by the vulnerability. The single command above will protect both Flarum and all installed community extensions.
We have not released a Flarum update since the dependency can be updated independently from Flarum and does not require any change to Flarum or extension code.
Extension developers can learn more about the issue here. If your code is impacted, we recommend you add additional validation and/or type casting to future-proof your code again this kind of vulnerabilities.

Laravel security advisory https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x
Advisory for the second update https://github.com/laravel/framework/security/advisories/GHSA-x7p5-p2c9-phvg

PS: you might have seen a different Laravel security incident discovered in November and talked about recently. Flarum is not using that particular Laravel component and is thus unaffected.

Today we are releasing a security update for the bundled Flarum Sticky extension. It addresses a cross-site scripting (XSS) vulnerability present in versions beta 14 and beta 15 of the extension.

How to update

If you are using Flarum beta 15:
In your Flarum folder (containing composer.json and config.php), run:

composer update flarum/sticky --prefer-dist --no-dev -a

You can then confirm the update worked by checking Composer output (should say "updating to v0.1.0-beta.15.1"), or by checking the version number in the admin panel on the extension page.
If you are using Flarum beta 14, disable the Sticky extension until you can update to Flarum beta 15.
If you are using Flarum beta 13, you are not impacted by this particular issue. You should still update to Flarum beta 15 as soon as possible because the version is no longer under support and will not receive any security fix.

Impact

A change in release beta 14 of the Sticky extension caused the plain text content of the first post of a pinned discussion to be injected as HTML on the discussion list. The issue was discovered following an internal audit.
Any HTML would be injected through Mithril's m.trust() helper. This resulted in an HTML injection where <script> tags would not be executed. However it was possible to run javascript from other HTML attributes, enabling a cross-site scripting (XSS) attack to be performed.
Since the exploit only happens with the first post of a pinned discussion, an attacker would need the ability to pin their own discussion, or be able to edit a discussion that was previously pinned.
On forums where all pinned posts are authored by your staff, you can be relatively certain the vulnerability has not been exploited.
Forums where some user-created discussions were pinned can look at the first post edit date to find whether the vulnerability might have been exploited. Because Flarum doesn't store the post content history, you cannot be certain if a malicious edit was reverted.

Patches

The fix will be available in version v0.1.0-beta.16 with Flarum beta 16. The fix has already been back-ported to Flarum beta 15 as version v0.1.0-beta.15.1 of the Sticky extension.

Workarounds

Forum administrators can disable the Sticky extension until they are able to apply the update. The vulnerability cannot be exploited while the extension is disabled.

Links

• Advisory on GitHub