v4.10.9

What's Changed

• fix(worker): Fix user driven permission syncing for self-hosted code hosts by @brendan-kellam in #729
• fix(worker): Change error logging on rev-parse to be debug by @brendan-kellam in #733
• Non-ascii file tree bug by @msukkari in #726
• Mcp undefined filename bug by @msukkari in #718
• chore(docs): Remove references to demo instance in docs by @msukkari in #734
• docs(github-app): add github app connection auth docs by @msukkari in #735
• fix(web): Document 403 errors with user driven permission syncing when scope changes occur by @brendan-kellam in #639

Full Changelog: v4.10.8...v4.10.9

v4.10.8

What's Changed

• fix(web): Repo name whitespace bug by @brendan-kellam in #705
• chore(web): Increase /repos default page size to 20 by @brendan-kellam in #706
• Local repo index failure by @msukkari in #712
• chore(docker-compose): Change pull policy to always by @msukkari in #716
• chore(docs): Update permission syncing docs for self-hosted code hosts by @brendan-kellam in #722
• feat(web): Added Trigger Sync to /repos dropdown menu by @CyberT17 in #710
• fix(web): Fix text direction on filter panel by @brendan-kellam in #474
• chore: Improved release pipeline by @brendan-kellam in #724
• fix: Add back temporary workflow to publish main to ghcr by @brendan-kellam in #725

New Contributors

• @CyberT17 made their first contribution in #710

Full Changelog: v4.10.6...v4.10.8

v4.10.7

What's Changed

• fix(web): Repo name whitespace bug by @brendan-kellam in #705

Full Changelog: v4.10.6...v4.10.7

v4.10.6

What's Changed

• feat(web): enable browser assisted autofill for username and password. by @hugogu in #696
• fix: Fix release workflow by @brendan-kellam in #702
• fix(web): Image proxy header fix by @brendan-kellam in #703

Full Changelog: v4.10.5...v4.10.6

v4.10.5

What's Changed

• chore: Automated releases & bake SB version into code by @brendan-kellam in #680
• chore(deps): bump glob from 11.0.1 to 11.1.0 by @dependabot[bot] in #681
• chore(deps): bump vite from 5.4.14 to 5.4.21 by @dependabot[bot] in #682
• chore(deps): bump jws from 4.0.0 to 4.0.1 by @dependabot[bot] in #684
• chore(deps): bump @modelcontextprotocol/sdk from 1.10.2 to 1.24.0 by @dependabot[bot] in #683
• chore(web): Bump react email deps by @brendan-kellam in #685
• chore: bump posthog dependencies by @brendan-kellam in #686
• Revert "bump @modelcontextprotocol/sdk from 1.10.2 to 1.24.0" by @brendan-kellam in #688
• fix(web): Fix repo pagination by @brendan-kellam in #689
• fix(gitlab): Better error logs for gitlab config sync by @msukkari in #692

Full Changelog: v4.10.4...v4.10.5

v4.10.4

What's Changed

• fix(web): Encode parenthesis in query params by @brendan-kellam in #674
• chore: Revert to using GitHub runners by @brendan-kellam in #675
• fix(#206): Respect host protocol setting in environment variable by @hugogu in #676
• fix(web): Improve /repos page performance by @brendan-kellam in #677

New Contributors

• @hugogu made their first contribution in #676

Full Changelog: v4.10.3...v4.10.4

v4.10.3

What's Changed

• Add GHES support to the review agent by @brianphillips in #611
• fix: add support for anyuid to Dockerfile by @Cschlaefli in #658
• chore(web): Improve error messages for file loading errors by @brendan-kellam in #665
• chore(web): PostHog telemetry improvements by @brendan-kellam in #672
• chore(web): Bump next to 15.5.9 to fix CVE-2025-55184 and CVE-2025-55183 by @brendan-kellam in #673

New Contributors

• @Cschlaefli made their first contribution in #658

Full Changelog: v4.10.2...v4.10.3

v4.10.2

What's Changed

• fix(web): Respect disable telemetry flag for web server side events by @brendan-kellam in #657

Full Changelog: v4.10.1...v4.10.2

v4.10.1

Security Notice: CVE-2025-66478 (Critical)

Date: December 3, 2025

Severity: Critical (CVSS 10.0)

CVE: CVE-2025-66478

Summary

A critical remote code execution (RCE) vulnerability has been identified in Next.js and React that affects Sourcebot versions 4.6.5 through 4.10.0 (inclusive). This vulnerability (CVE-2025-66478) exists in the React Flight protocol and could allow an attacker to execute arbitrary code on affected systems.

Affected Versions

The following Sourcebot versions are vulnerable and require immediate upgrade:

• 4.6.5 through 4.10.0 (all versions in this range)

Fixed Versions

• 4.10.1 and later (released December 3, 2025)

Recommended Action

Immediate upgrade required. All users running Sourcebot versions 4.6.5 through 4.10.0 should upgrade to version 4.10.1 or later immediately.

Additional Information

This vulnerability was fixed in Sourcebot v4.10.1 by updating Next.js to version 15.5.7 and React to version 19.2.1, which include the upstream security patches.

References

GitHub Security Advisory
CVE-2025-66478
Sourcebot Changelog

Questions or Concerns

If you have any questions or need assistance with the upgrade, please contact team@sourcebot.dev or open an issue on GitHub.

Note: Sourcebot versions 4.6.4 and earlier are not affected by this vulnerability, as they use Next.js 14.x and React 18, which are not impacted by this CVE.

---

What's Changed

• fix(web): Fix issue where quotes cannot be used within a query by @brendan-kellam in #629
• feat(worker): Add ALWAYS_INDEX_FILE_PATTERNS env var to specify files that should always be indexed by @brendan-kellam in #631
• fix discord link by @brendan-kellam in #634
• fix(web): Fix error when loading files with special characters by @brendan-kellam in #637
• fix(web): Ask sourcebot perf improvements by @brendan-kellam in #632
• fix(web): Fix issue where creating a new Ask thread would result in a 404 by @brendan-kellam in #641
• Shrink Docker image size by ~1/3 by removing unnecessary ops by @thespad in #642
• chore(web): Bake PostHog token into build by @brendan-kellam in #648
• chore(web): Scope code nav to current repository by default by @brendan-kellam in #647
• fix(web): Fix CVE 2025-55182 by @brendan-kellam in #654
• chore(web): Fix mistake of upgrading to a breaking version of next by @brendan-kellam in #656
• chore(web): Server side search telemetry by @brendan-kellam in #652

New Contributors

• @thespad made their first contribution in #642

Full Changelog: v4.10.0...v4.10.1

v4.10.0

Added

• Added support for streaming code search results. #623
• Added buttons to toggle case sensitivity and regex patterns. #623
• Added counts to members, requets, and invites tabs in the members settings. #621
• [Sourcebot EE] Add support for Authentik as a identity provider. #627

Changed

• Changed the default search behaviour to match patterns as substrings and not regular expressions. Regular expressions can be used by toggling the regex button in search bar. #623
• Renamed public query prefix to visibility. Allowed values for visibility are public, private, and any. #623
• Changed archived query prefix to accept values yes, no, and only. #623

Removed

• Removed case query prefix. #623
• Removed branch and b query prefixes. Please use rev: instead. #623
• Removed regex query prefix. #623

Fixed

• Fixed spurious infinite loads with explore panel, file tree, and file search command. #617
• Wipe search context on init if entitlement no longer exists #618
• Fixed Bitbucket repository exclusions not supporting glob patterns. #620
• Fixed issue where the repo driven permission syncer was attempting to sync public repositories. #624
• Fixed issue where worker would not shutdown while a permission sync job (repo or user) was in progress. #624

New Contributors

• @josegrelnx made their first contribution in #620
• @TJReinert made their first contribution in #614

Full Changelog: v4.9.2...v4.10.0