INSTALLER LEVEL FIXES:
Fixed issue with health check that resulted in timeouts in detecting ready state during startup.
APPLICATION LEVEL BREAKING CHANGES:
- Security: reverted VCS client URLs to being immutable to prevent secret leakage in the site admin.
- Fixed issue blocking the ability to login without SAML when SAML is enabled.
APPLICATION LEVEL FEATURES:
- Added an attribute to workspaces, "speculative-enabled", which turns off speculative plans from PRs for a workspace.
- Added organization external-id attribute to organization API responses
- Added summary popup to show additional information about workspaces.
- Added workspace settings to switch between remote and local execution modes.
- Added the ability to fully manage OAuth clients and tokens while using an organization token within the API.
- Changed the Sentinel runtime to version 0.10.0. For the latest changes, see the release notes.
- Added help text to the Manage SSH Keys page to clarify the purpose of these keys
- Added the ability to run policy checks on Terraform versions 0.12 and higher.
- Changed loading spinner to a hexagon
- Added external ID to organization attributes on admin API endpoints
- Added support for generating Sentinel mocks for Terraform versions 0.12 and later.
APPLICATION LEVEL BUG FIXES:
- Fixed server error when viewing modules with existing versions containing semver metadata
- Fixed policy check UI spacing
- Add possible reasons to error message when setting up a workspace with an empty VCS repo
- Changed VCS pull request event to run a speculative plan only in workspaces which track the base branch for the PR.
- Fixed: Bitbucket Server repo names now display correctly for autocomplete on workspace create/edit
- Fixed an issue with locking when using the remote backend with a team token
- Fixed a site-wide performance issue by delaying Vault decryption until decryption is needed.
APPLICATION LEVEL SECURITY FIXES:
- Security: improved Markdown sanitization to prevent stored XSS vulnerability.
- Security: upgraded dependencies to address CVE-2019-11068
- Security: upgraded jQuery to 3.4.0 to address CVE-2019-11358.
- Security: Re-enabling MFA after disabling it now correctly requires all browsers and devices that previously selected "remember this device" to re-enter MFA on the next login.