Addons: security updates & sunset announcements

LincLinc Director of DevelopmentDetroit Vanilla Staff
edited February 11 in Releases

There are a number of addons with important security updates. Please audit your addons against this list:

  1. FileUpload 1.9.2 was released today with 4 security patches. This is also its final release. Please upgrade to Advanced Editor or Rich Text Editor, which have uploading built into them. We will not make further security patches to it; it is now unsupported and will be deleted later this year.
  2. Signatures 1.6.1 was released 18 January with a security patch. Support continues.
  3. Q&A 1.4 - was released today with 2 security patches and a host of other overdue improvements. Support continues.
  4. Last Edited 1.3 - was released today with 1 security patch and other updates.
  5. Civil Tongue 1.2 - was released today with 1 security patch and other updates.

In 2018, we also deleted the Whispers and Customize Text addons. We strongly suggest removing them from your site if either is still there. The last known versions had security issues.

We removed these addons from the directory because they are now available within Vanilla 2.8:

  • Pockets
  • Akismet

You can manually retrieve addons we have sunset from core from our GitHub repo until they are deleted later this year:

These addons are now open source for the first time:

  • Hero Image (within Vanilla 2.8)
  • DebugBar (a developer tool not for production use)

These addons were recently deleted from the directory due to lack of use:

  • Submarine Discussions
  • No Bump
  • HTML Links
  • Facebook ID Display

These addons are likely to be removed in the near future:

  • Locale Developer (no longer supported)
  • Eventi (encourages view-based hooks we wish to move away from)

These addons have been added to the directory, but were already open source:

More addons are being updated as well, but have no current security patches or status changes to announce.



Sign In or Register to comment.