v5.0.1

What's Changed

• fix(web): Prompt anonymous users to login if they want to use connectors in Ask by @jsourcebot in #1274

Full Changelog: v5.0.0...v5.0.1

v5.0.0

Checkout the migration guide for details on upgrading your instance to v5.

Changed

• [Breaking Change] Changed the default role assignment to Owner for organizations on the free tier. See the v4 to v5 guide. #1106
• [Breaking Change] Relicensed Ask Sourcebot and MCP under ee. See the v4 to v5 guide. #1106
• [Breaking Change] Removed the embedded Postgres and Redis from the Docker image. External Postgres and Redis are now required: set DATABASE_URL and REDIS_URL, or deploy with the provided docker-compose.yml. See the v4 to v5 guide. #1106
• [Breaking Change] Sourcebot no longer auto-generates AUTH_SECRET and SOURCEBOT_ENCRYPTION_KEY, nor reads them from the plaintext files it previously wrote to the data volume; both must now be set explicitly as environment variables. See the v4 to v5 guide. #1106
• Redesigned the app layout with a new collapsible sidebar navigation, replacing the previous top navigation bar. #1106
• Expired offline license keys no longer crash the process. An expired key now degrades to the unlicensed state. #1106
• Improved the setup-sourcebot wizard: prompts for a setup directory, clarifies that secrets are stored locally in .env, switches multi-select to Tab, hides "No results" until a real search runs, and detects/cleans up conflicting Docker deployments and volumes before starting. #1106

Added

• Added ask connectors: connect 3rd party MCP servers to your ask agent. #1106
• Added progress bar when navigating between pages. #1106
• Added a integrated changelog into the sidebar. #1106
• Added scroll position restoration when viewing files in the code browser, so returning to a previously viewed file restores your scroll position. #1106

Fixed

• Fixed git "dubious ownership" errors when the container runs as a non-root user by setting safe.directory at the system level instead of the global (root-only) level. #1106

Full Changelog: v4.17.4...v5.0.0

v4.17.4

What's Changed

• docs: add security notes to docs by @msukkari in #1218
• fix(web): Add support for opus 4.8 by @brendan-kellam in #1249

Full Changelog: v4.17.3...v4.17.4

v4.17.3

What's Changed

• fix(worker): Fix issue with stale permissions by @brendan-kellam in #1215
• fix(worker): extend permission-sync fail-closed to HTTP 410 by @msukkari in #1216
• fix(worker): replace Bitbucket Cloud user-repos endpoint removed by CHANGE-2770 by @msukkari in #1217
• fix(web): propagate session invalidation to /api/auth/session by @msukkari in #1219
• fix(web): reject OAuth account-linking without a signed-in session by @msukkari in #1221

Full Changelog: v4.17.2...v4.17.3

v4.17.2

What's Changed

• chore(dev): bump docker/build-push-action to latest by @brendan-kellam in #1172
• fix: Add missing changes from #1170 by @brendan-kellam in #1176
• fix(web): use blame line's path when navigating to commit diff by @brendan-kellam in #1178
• chore(worker): Reduce logger verbosity by @brendan-kellam in #1179
• chore: bump fast-uri to ^3.1.2 by @brendan-kellam in #1181
• fix: upgrade simple-git to 3.36.0 to address CVE-2026-6951 by @brendan-kellam in #1183
• fix: upgrade hono to ^4.12.18 to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458 by @brendan-kellam in #1186
• fix: refresh yarn.lock to upgrade ip-address to ^10.2.0 (CVE-2026-42338) by @brendan-kellam in #1189
• fix: refresh yarn.lock to upgrade fast-xml-builder to ^1.2.0 (CVE-2026-44664, CVE-2026-44665) by @brendan-kellam in #1184
• fix(backend): opt in to simple-git unsafe categories present in env by @brendan-kellam in #1193
• refactor(web): detect hoverable symbols via Lezer highlight tags by @brendan-kellam in #1194
• feat(web): add skeleton to LatestCommitInfo while loading by @brendan-kellam in #1195
• feat(backend): write changed-path Bloom filters to commit-graph by @brendan-kellam in #1198
• chore(web): add ESLint rule require-auth-wrapper by @brendan-kellam in #1199
• chore: add lint workflow for PRs by @brendan-kellam in #1200
• fix(web): preserve source revisions in chat citation links by @brendan-kellam in #1205
• chore: upgrade next to ^16.2.6 to address CVE-2026-45109 by @brendan-kellam in #1203
• chore: upgrade react-email to ^6.1.4 by @brendan-kellam in #1206
• chore(web): Upgrade @posthog/ai by @brendan-kellam in #1207
• fix: pin @protobufjs/inquire to 1.1.0 to fix Turbopack incompatibility by @brendan-kellam in #1208

Full Changelog: v4.17.1...v4.17.2

v4.17.1

What's Changed

• feat(web): add audit log entries for org membership changes by @brendan-kellam in #1165
• feat(web): JWT session versioning and credential revocation on org removal by @brendan-kellam in #1168
• fix(schemas): allow spaces in Azure DevOps project and repo names by @brendan-kellam in #1170

Full Changelog: v4.17.0...v4.17.1

v4.17.0

What's Changed

• feat(web): add git history view by @brendan-kellam in #1150
• chore(web): bump postcss to 8.5.10 by @brendan-kellam in #1155
• feat(web): Commit diffs by @brendan-kellam in #1154
• feat(web): collapsible file diffs in commit diff panel by @brendan-kellam in #1157
• feat(web): add /api/blame endpoint by @brendan-kellam in #1158
• feat(web): add /api/avatar resolver by @brendan-kellam in #1159
• feat(web): add file blame view to code browser by @brendan-kellam in #1160
• chore(web): harden post-auth redirects and legacy URL rewrite by @brendan-kellam in #1161
• chore(web): make session and OAuth token lifetimes configurable by @brendan-kellam in #1162
• chore(web): guard OAuth API routes against 307/308 redirects by @brendan-kellam in #1163

Full Changelog: v4.16.15...v4.17.0

v4.16.15

What's Changed

• fix(web): restore ServiceError boundary in getFileSourceForRepo by @fatmcgav in #1145
• feat: improve diff tool display and token efficiency by @brendan-kellam in #1146
• fix: override uuid to ^14.0.0 to patch GHSA-w5hq-g745-h8pq by @brendan-kellam in #1147
• chore(web): bump @aws-sdk/credential-providers to ^3.1036.0 (CVE-2026-41650) by @brendan-kellam in #1148

Full Changelog: v4.16.14...v4.16.15

v4.16.14

What's Changed

• feat(web): GitLab MR Review Agent by @fatmcgav in #1104

Full Changelog: v4.16.13...v4.16.14

v4.16.13

What's Changed

• chore: sync vendor/zoekt with upstream sourcegraph/zoekt by @msukkari in #1140
• chore: bump vendor/zoekt with CodeQL security fixes by @msukkari in #1141
• feat(web): expose get_diff on MCP server by @msukkari in #1142

Full Changelog: v4.16.12...v4.16.13