v0.8.2

Important

This update includes important security fixes.

Upgrading to BookWyrm v0.8.2

All environments

Warning

This release includes a database migration

• ALWAYS BACK UP YOUR DATABASE BEFORE UPGRADING and ideally know how you can restore it if something goes wrong.

Docker

Run ./bw-dev update

Non-docker

Follow the instructions for dockerless upgrades.

What's Changed

Updated Dependencies 🧸

• Bump django from 5.2.3 to 5.2.8 by @dependabot[bot] in #3728

Other Changes

• Comments out inefficient queries by @mouse-reeve in #3726
• isbn_10: fix datamigration and management command by @ilkka-ollakka in #3727
• Modifies delete user flow by @mouse-reeve in #3732
• Fixes admin page stats by @mouse-reeve in #3734
• Adds flow to force users to reset their passwords by @mouse-reeve in #3733

Full Changelog: v0.8.1...v0.8.2

v0.8.1

This is a bugfix release. It is strongly recommended to patch as soon as possible.

Upgrading to BookWyrm v0.8.1

All environments

Warning

This release includes a data migration

• ALWAYS BACK UP YOUR DATABASE BEFORE UPGRADING and ideally know how you can restore it if something goes wrong.
• This patch includes a data migration and adds a new management command (fix_isbn10_entries). Both of these repair 11-digit ISBN-10 entries caused by a bug in v0.8.0. You do not need to run the new command when updating, but you may wish to use it in the future to fix any books that are added or merged from a federated server.

Docker

Run ./bw-dev update

Non-docker

Follow the instructions for dockerless upgrades. It is important that you complete the migration stage (venv/bin/python3 manage.py migrate) as this will apply a fix to incorrect ISBN entries.

What's Changed

Bug Fixes 🐛

• book: fix validation for 979 prefixed isbn-13 and isbn_13_to_10 function by @ilkka-ollakka in #3710
• parse review dates for book imports by @hughrun in #3715

Other Changes

• edit_book: improve author search matching on some names and aliases by @ilkka-ollakka in #3714

Full Changelog: v0.8.0...v0.8.1

v0.8.0

Important

This update includes important security fixes.

User exports and imports

User import and export files will now both be saved to /exports in local storage by default. Import files will be deleted once the import is completed.

Instance administrators should manually check your images directory (local and S3 storage) for any user export files (ending in .gz). These should be deleted as a matter of priority as they are publicly available. You are also strongly encouraged to delete any files in S3 exports directories, especially is you are using Backblaze (B2) or Cloudflare (R2) S3-compatible storage as your bucket may be unsecured.

If you wish to use S3 storage for export files instead of local storage, you must set the following values in your .env file:

• USE_S3_FOR_EXPORTS=true
• EXPORTS_S3_CUSTOM_DOMAIN
• EXPORTS_STORAGE_BUCKET_NAME

The following new .env values for are optional, and will default to the equivalent S3 env values if not set:

• EXPORTS_ACCESS_KEY_ID
• EXPORTS_SECRET_ACCESS_KEY
• EXPORTS_S3_REGION_NAME
• EXPORTS_S3_ENDPOINT_URL

Important

This update changes default values

The default file upload limit is now 100MiB. This can be changed by defining MAX_UPLOAD_MiB in .env, as a number representing mebibytes. This may change again in future after enough time is provided for legacy user export files to be imported to new instances.

User import and export files now default to save to /exports in local storage. If you wish to use S3 storage for user import/export files instead of local storage, you must set USE_S3_FOR_EXPORTS=truein your .env file.

Warning

This version has new minimum versions for dependencies

Postgres version

The minimum Postgres version is now 14 (17 preferred). Follow the BookWyrm upgrade instructions below to ensure a smooth migration.

Django version

The Django version is now 5.2.

Environment variables

New env variables

• NGINX_SETUP - this actually changed in 0.7.5 but was not mentioned in the release notes. Possible values are reverse-proxy or https. If not set, defaults to https. If you are using a reverse-proxy or working in a development environment (including when using localhost), set this to reverse-proxy.

Changes and deprecations to env values

• USE_HTTPS is no longer used. HTTPS will now always be assumed unless DOMAIN=localhost. This ensures that it is not possible to run in production on the http protocol. If you were previously running in production with USE_HTTPS set to False (or not set at all) you may have some user and object IDs with http URLs. You should ensure that you have http to https forwarding in place for your IDs work correctly.
• DEBUG now defaults to false rather than true. This makes production installs more secure by default, but may require adjustment for existing development environments.
• If not set, PORT will now default to 443 unless DOMAIN is localhost, in which case it will default to 80. This is different to previous behaviour, where if unset, PORT was 1333.

Upgrading to BookWyrm v0.8.0

All environments

• ALWAYS BACK UP YOUR DATABASE BEFORE UPGRADING and ideally know how you can restore it if something goes wrong.
• Check the environment variables you have set in .env against the notes above, and make any necessary changes

Docker

• You will need to stop your containers in order to upgrade: docker compose down
• Upgrade postgres to version 17: ./bw-dev upgrade_db_version
• Upgrade BookWyrm: ./bw-dev update (NOTE: if you have previously commented out the docker-compose build stage you must uncomment this first in order to correctly rebuild with Django 5.2)

Non-docker

• Check that your postgresql version is at least 14 (17 is preferred). If necessary, upgrade according to the postgres instructions or using the relevant procedure for your operating system
• Follow the BookWyrm upgrade documentation for dockerless

What's Changed

‼️ Breaking Changes & New Settings ⚙️

• change DEBUG default to True by @hughrun in #3576
• Deprecate USE_HTTPS by @hughrun in #3588
• Make file-upload limit configurable and inform when import-file is too big by @ilkka-ollakka in #3627
• Prefer existing book data from the fedi when importing user accounts by @hughrun in #3653
• Allow S3 Default ACL Override by @hughrun in #3699

Updated Dependencies 🧸

• update aiohttp requirement to fix connectivity to services behind cloudflare by @ilkka-ollakka in #3536
• fix bw-dev setup failing and remove --build from bw-dev up by @hughrun in #3561
• update requests dependency to 2.23.3 by @ilkka-ollakka in #3571
• requirements: update django-celery-beat and django-sass-processor by @ilkka-ollakka in #3617
• requirements: upgrade psycopg2 to psycopg3 by @ilkka-ollakka in #3605
• update postgresql to version 17 and add bw-dev command to upgrade current database volume by @ilkka-ollakka in #3615
• Upgrade django to 5.2 LTS by @ilkka-ollakka in #3616
• requirements: pump pillow to 11.3 by @ilkka-ollakka in #3674

New Features 🎉

• show finna links/update button in book info if finna key is present by @ilkka-ollakka in #3642
• Add ability to view and terminate user sessions by @hughrun in #3664
• Improve sort title handling by @hughrun in #3666
• Make form error messages more obvious by @hughrun in #3665
• Improve Unicode support in slugs and URL patterns by @talmuth in #3692
• Add DublinCore metadata to Book page by @jakkarth in #3694

Bug Fixes 🐛

• Exclude deleted items in user export by @ilkka-ollakka in #3586
• Bugfix/show rating shown without existing ratings by @mario-kromer in #3577
• fix s3 exports storage location by @hughrun in #3602
• fix opensearch base url missing by @hughrun in #3603
• add isbn10 and isbn13 validators to Edition model by @ilkka-ollakka in #3573
• Fix shelf RSS items to use shelved date rather than book publication date by @timothyjrogers in #3634
• Don't require authentication to view user's non-private groups by @timothyjrogers in #3637
• Fix #3632: Add anchor link to scroll to reviews section by @AdityaDeshmukh1 in #3646
• Updated EXIF removal to support large image uploads by @timothyjrogers in #3651
• https: send x-forwarded-proto from nginx and use it in django by @ilkka-ollakka in #3673
• Guess series number from series-info in openlibrary connector via regex by @ilkka-ollakka in #3657
• fix Inventaire covers not appearing in book search by @hughrun in #3678
• Fix follower/following AP requests returning wrong JSON data by @hughrun in #3686

Other Changes

• search: use default confidence of 0.1 on search instead of disabling min_confidence by @ilkka-ollakka in #3553
• inventaire: scale confidence linearly based on search score by @ilkka-ollakka in #3554
• Split nginx config files and fix flower access config by @ilkka-ollakka in #3540
• use gunicorn in main branch also by @ilkka-ollakka in #3557
• normalize rank to be 0..1 from database searches by @ilkka-ollakka in #3555
• remove port 8000 from docker-compose as unnecessary for web container by @ilkka-ollakka in #3541
• Fix randomly failing importer test jobs by add job ordering by @ilkka-ollakka in #3572
• RFC: Automatically handle nginx domain and make letsencrypt setup simpler by @ilkka-ollakka in #3543
• define testpaths for pytest to speed up pytest-run by @ilkka-ollakka in #3587
• Add bw-dev create_secrets -command...

v0.7.5

What's Changed

Updated Dependencies 🧸

• Bump aiohttp from 3.10.2 to 3.10.11 by @dependabot in #3473
• Bump django from 4.2.18 to 4.2.20 by @dependabot in #3520

Other Changes

• possible fix for #3372 - user export timeouts by @hughrun in #3378
• Fix CSS path prefix when S3 storage is used by @lo48576 in #3384
• Use a simpler query for books to show on the landing page by @mouse-reeve in #3374
• Add an up-to-date sqlparse to requirements.txt by @dato in #3400
• Avoid empty <title> in templates by @dato in #3402
• In-memory Celery backend for tests by @dato in #3151
• Fix reading progress start_date bug by @dato in #3401
• Trim search whitespace by @timothyjrogers in #3410
• Narrowed is_authenticated check in verfication_modal to only restrict… by @timothyjrogers in #3411
• csv import and export fixes by @hughrun in #3135
• Hide ratings by @mouse-reeve in #3418
• Sets edit status header to indicate status type by @mouse-reeve in #3416
• Order user shelf previews by book shelved date by @matthewmincher in #3394
• sign all AP requests by @hughrun in #3434
• Fix IntegrityError caused by duplicate periodic task creation by @Guanchishan in #3451
• show Wikidata link on author page by @Guanchishan in #3454
• Fix post dates being inconsistent by @hughrun in #3437
• Prevent invite requests from blocked domains by @hughrun in #3476
• add Finna API connector by @ilkka-ollakka in #3498
• Add STATIC_ROOT to .env.example to fix CSS loading issues by @Guanchishan in #3452
• Add author born/death years to search results by @tkbremnes in #3474
• Included value of Accept header in Vary header generated for get requ… by @timothyjrogers in #3516
• Removed login_required from viewing public lists from user profiles by @timothyjrogers in #3518
• Updated locations that process a cover file upload to strip EXIF data… by @timothyjrogers in #3524
• Replace imghdr with use of pil.Image.format by @ilkka-ollakka in #3519
• Fix statuses creating duplicate Editions by @hughrun in #3471
• Import goodreads key when importing goodreads csv by @ilkka-ollakka in #3515
• User import and export improvements by @hughrun in #3431
• RSS for shelves by @mattkatz in #3013
• add CONTRIBUTING and minor updates to other meta docs. by @hughrun in #3532
• Make non-BookWyrm connectors default to a lower priority by @hughrun in #3531
• add django generated migrations for updated timezones by @ilkka-ollakka in #3534
• importer: add openreads importer by @ilkka-ollakka in #3511
• Make remote follow username regex comply to rfc 7565 by @timothyjrogers in #3528
• Duplicate authors by @hughrun in #3535
• Manage connectors from admin web UI by @hughrun in #3530
• Update locales and simplifies bw-dev command for loading locales by @mouse-reeve in #3544

New Contributors

• @lo48576 made their first contribution in #3384
• @timothyjrogers made their first contribution in #3410
• @matthewmincher made their first contribution in #3394
• @Guanchishan made their first contribution in #3451
• @ilkka-ollakka made their first contribution in #3498
• @tkbremnes made their first contribution in #3474
• @mattkatz made their first contribution in #3013

Full Changelog: v0.7.4...v0.7.5

v0.7.4

What's Changed

Updated Dependencies 🧸

• Bump pillow from 10.2.0 to 10.3.0 by @dependabot in #3347
• Bump aiohttp from 3.9.2 to 3.9.4 by @dependabot in #3359
• Bump requests from 2.31.0 to 2.32.0 by @dependabot in #3369

Other Changes

• Fix detection of unlisted posts by @dato in #3258
• bulk-fmt: bracket-wrap calls to patch() for better readability by @dato in #3320
• Remove twitter from README.md by @ccamara in #3334
• flower 2.0.1 fixes a few link bugs (particularly for favicon) by @prolibre in #3337
• Update CodeQL workflows to v3 by @Minnozz in #3343
• Fix resource leaks by @Minnozz in #3339
• Add index on Status.remote_id by @Minnozz in #3346
• Make nginx config safer by @Minnozz in #3338
• Define more indexes for slow queries by @Minnozz in #3348
• Track which Author/Work/Edition a duplicate has been merged into by @Minnozz in #3299
• Adds merge migration by @mouse-reeve in #3355
• Install same version of eslint in CI as in dev-tools by @Minnozz in #3356
• [FIX] make sure to get Pillow>=10 compatible pilkit by @hbrunn in #3342
• Fix user exports to deal with s3 storage by @hughrun in #3228
• Fix creation of quotations with no end position by @dato in #3353
• Support AWS_S3_URL_PROTOCOL by @Minnozz in #3336
• refactor Move for more redundancy by @hughrun in #3360
• Correctly handle serving BookWyrm on custom port by @Minnozz in #3350
• feat: add OAuth authentication by @SMillerDev in #3114
• Upgrade to Django 4.2 by @Minnozz in #3341
• Add as:Hashtag to activitypub context by @Tak in #3370
• add GitHub templates for PRs and releases by @hughrun in #3362

New Contributors

• @prolibre made their first contribution in #3337
• @SMillerDev made their first contribution in #3114

Full Changelog: v0.7.3...v0.7.4

v0.7.3

What's Changed

• Fix awkward clipping on about page by @bSolt in #3219
• nginx: fix missing ttf static files by @verymilan in #3229
• Add redis automatic rewrite configuration. by @WesleyAC in #3245
• Hide "year in the books" for newly registered users by @rsk2 in #3207
• Adding FictionBook format ("FB2", "FB3") to autocomplete options in "get a copy" block. by @skobkin in #3253
• Allow page numbers to be text, instead of integers. by @WesleyAC in #3195
• Check version number asynchronously by @mouse-reeve in #3185
• Add Korean (ko-kr) to LANGUAGES and locale. by @fofwisdom in #3283
• Fix label and input association for shelves filter by @polarbirke in #3285
• Move ratings and reviews when switching editions by @mattlehrer in #3117
• Add search for author by @Minnozz in #3274
• fix multiple issues from user exports config changes by @hughrun in #3238
• Add timeouts to requests.get by @MaggieFero in #3300
• Fixed shelving date changing when changing editions by @jakejack13 in #3193
• FileLinkForm: fix duplicate check by @Minnozz in #3311
• Upgrade Python Version and Several Other Packages for Security by @MaggieFero in #3303
• Invalidate active_shelf when switching editions by @dato in #3217
• Add wikidata field for authors by @ccamara in #3275
• Add book series by title in feed posts by @bSolt in #3261

New Contributors

• @bSolt made their first contribution in #3219
• @rsk2 made their first contribution in #3207
• @skobkin made their first contribution in #3253
• @polarbirke made their first contribution in #3285
• @mattlehrer made their first contribution in #3117
• @jakejack13 made their first contribution in #3193

Full Changelog: v0.7.2...v0.7.3

v0.7.2

Important
You will need to update your nginx config! You need to make two changes to the default.conf file so that they reflect the current state of production.conf:

1. Change the location block on line 99 (this may vary if you have made any edits to your copy of the file) from location ~ ^/(images|static)/ { to location ~ \.(bmp|ico|jpg|jpeg|png|tif|tiff|webp|css|js)$ {. The whole block should now look like this:

    location ~ \.(bmp|ico|jpg|jpeg|png|tif|tiff|webp|css|js)$ {
        root /app;
        try_files $uri =404;
        add_header X-Cache-Status STATIC;
        access_log off;
    }

2. Add a new block below (by default this will be on line 106):

    # block access to any non-image files from images or static
    location ~ ^/images/ {
         return 403;
    }

It's a good idea to check that your config syntax is valid before restarting nginx. With docker, you can run: docker-compose run --rm nginx nginx -t. Please reach out in the developer chat if you have any questions ❤️

What's Changed

• Let a user search books within their shelves by @rosschapman in #3118
• Export ReadThrough in the csv export by @ccamara in #3189
• Disable user exports by @hughrun in #3226
• Pass correct user id in Move notification by @hughrun in #3224

New Contributors

• @rosschapman made their first contribution in #3118
• @ccamara made their first contribution in #3189

Full Changelog: v0.7.1...v0.7.2

v0.7.1

What's Changed

• Add: installable as PWA by @rg-wood in #2981
• Complete Migrations of Bookwyrm Accounts across instances by @CSDUMMI in #2980
• User migration by @hughrun in #3088
• introduce .prettierrc by @jaschaurbach in #3034
• Show/Hide password icon by @skmanohar in #3029
• Add sandboxing to systemd examples by @hbrunn in #2960
• fix for npm dev commands (stylelint and prettier) by @viviicat in #2032
• Cite author in quotations and alt text by @dato in #3008
• Create bump-version.sh by @jaschaurbach in #3050
• make options consistent in celery by @hughrun in #3068
• Add Move activity for user migration by @hughrun in #2970
• Adds "Your Books" to the header and removed "Feed" by @mouse-reeve in #2201
• Fix creation of covers for ActivityPub imports by @dato in #3039
• Fix parsing of punctuation in format_links() by @dato in #3027
• Erase user data and statuses on account deletion by @mouse-reeve in #3086
• Fix bw-dev initdb by @Tak in #3097
• Check no missing migrations in django-tests workflow by @dato in #3112
• Create notifications for incoming invite requests by @dato in #3105
• hide instance actor from users by @hughrun in #3125
• Partial, stable dates with automatic precision field by @dato in #3059
• Give admins option to test if a theme loads correctly by @mouse-reeve in #3128
• use bw-file-resubmit to retain images during validation checks by @hughrun in #3083
• Faster tests with setUpTestData by @dato in #3146
• Allow removing followers and fix follow rejections by @hughrun in #3124
• Update page formatter on ordered collection by @villasv in #3144
• Adds Ukranian locale and updates locales by @0x29a in #3154
• User migration via export file by @hughrun in #3054

New Contributors

• @rg-wood made their first contribution in #2981
• @CSDUMMI made their first contribution in #2980
• @skmanohar made their first contribution in #3029
• @hbrunn made their first contribution in #2960
• @villasv made their first contribution in #3144

Full Changelog: v0.6.6...v0.7.1

v0.6.6

What's Changed

• Type annotations for bookwyrm.importers by @jderuiter in #2963
• fix opensearch template by @hughrun in #2972
• Pre-populate sort title in edit book form if not provided by @mouse-reeve in #2948
• Makes the delete announcement view post-only by @mouse-reeve in #2964
• Serve static files in debug mode by @dato in #3002
• Pinned versions of docker containers by @JJimenez71 in #2987
• Correct EPUB spelling by @fofwisdom in #2986
• Minor improvements to Quotation pure content by @dato in #3000
• create instance user on instance creation by @hughrun in #3007
• fix ids of labels in invite request form in admin by @categulario in #2912
• Add spanish articles by @MaggieFero in #2953

New Contributors

• @dato made their first contribution in #3002
• @JJimenez71 made their first contribution in #2987
• @fofwisdom made their first contribution in #2986
• @categulario made their first contribution in #2912
• @MaggieFero made their first contribution in #2953

Full Changelog: v0.6.5...v0.6.6

v0.6.5

What's Changed

• Remove '@' from the beginning of hashtag names in activity by @jderuiter in #2923
• Disable Spellcheck on header search inputs by @joachimesque in #2929
• fix button text when editing posts by @tararoshan in #2922
• Remove links trailing punctuation by @joachimesque in #2933
• Only trigger add_status_task when status is first created by @mouse-reeve in #2934
• Fixes for create-book by @jderuiter in #2937
• Add copy button for ISBN by @axiomizer in #2915
• Adds management command to repair editions in bad state by @mouse-reeve in #2905
• Include Dutch locale by @jderuiter in #2918
• On readthrough, progressupdate or status delete return to previous page by @jderuiter in #2938
• Isbn hyphenation by @axiomizer in #2921
• Convert description from Markdown when importing from Open Library by @jderuiter in #2935
• Record report actions by @mouse-reeve in #2854
• Adds breadcrumbs and better titles to followers/following pages by @mouse-reeve in #2946

New Contributors

• @jderuiter made their first contribution in #2916
• @tararoshan made their first contribution in #2922
• @axiomizer made their first contribution in #2915

Full Changelog: v0.6.4...v0.6.5