Release 8.5.0 #40640

Merged: ggazzo merged 173 commits into master from release-8.5.0 on Jun 10, 2026
rocketchat-github-ci commented May 21, 2026

Collaborator

You can see below a preview of the release change log:

8.5.0

Engine versions

  • Node: 22.22.3
  • Deno: 2.3.1
  • MongoDB: 8.0
  • Apps-Engine: 1.63.0

Minor Changes

  • (#40343) Swap usage of internal @rocket.chat/apps-engine APIs to @rocket.chat/apps package

  • (#40408) Adds 4 new permissions (assigned to admins by default) to control the visibility of each tab inside the ABAC Administration panel

  • (#40341) Hides the room announcement, topic and description from the Administration > Rooms panel for ABAC managed rooms. In the channel sidebar Edit Channel form those fields stay visible to room members but are disabled, and the API rejects edits to them.

  • (#39617) Adds new API endpoints custom-sounds.create and custom-sounds.update to manage custom sounds with strict file validation for size and specific MIME types to ensure system compatibility.

  • (#40463) Allows apps with the right permission to read room's ABAC attributes.

  • (#40604) Adds the capability for fetching a user by their SIP extension to the apps

  • (#38225) Adds a new "Drafts" group to the sidebar, providing quick access to all rooms with unfinished messages.

    This feature is available under the Drafts in sidebar feature preview and needs to be enabled in settings to be tested.

  • (#40397) Adds the USE_ROOM_SEARCH_INDEX environment variable. When set to true, the messages collection's text index is created as { rid: 1, msg: 'text' } instead of the default { msg: 'text' }. The compound shape lets per-room $text searches use rid as a prefix, dramatically reducing the portion of the index scanned on workspaces where global search is disabled.

    The index is reconciled on every startup: if the existing text index already matches the desired shape, nothing happens; otherwise the stale text index is dropped and the desired one is recreated. Unsetting the variable on a later boot reverts to the default shape.

  • (#40612) Adds freeSwitchExtension as a query parameter for api/v1/users.info

  • (#39858) Adds support to room information on ViewSubmit and ViewClose events for ContextualBar surface

  • (#40430) Adds a new admin setting Use_RC_SDK (General → Use Rocket.Chat SDK) that opts the workspace into the experimental SDK-over-DDP transport. When enabled, the client routes Meteor DDP traffic through @rocket.chat/ddp-client over a single WebSocket instead of the legacy Meteor stream. The flag is dormant by default; the server surfaces the value via a <meta name="rc-sdk-transport-enabled"> tag, and the client also honors a per-tab ?sdk_transport=on|off URL parameter and a rc-config-sdk_transport localStorage key (URL > localStorage > meta tag).

Patch Changes

  • (#39858) Fixes an issue that prevented BlockAction interactions from having room information when triggered in a ContextualBar surface

  • (#40524) Ensures OAuth tokens are cleaned up after user deactivation

  • Bump @rocket.chat/meteor version.

  • (#40537) Fixes an issue that allowed a room converted from private to public (while abac is disabled) to retain its abac attributes (if any)

  • (#39859) Fixes an issue where thread content would disappear after clicking "Jump to recent messages".

  • (#40063) Fixes the missing edited indicator for the main parent message in the thread panel to ensure visual consistency with the main channel view.

  • (#40357) Adds an accessible label to the system-messages multi-select in the channel edit panel so screen readers announce its purpose.

  • (#40100) Fixes intermittent "Channel Not Joined" screen when opening rooms in embedded mode.

  • (#40513) Fixes the users.presence endpoint returning an empty array when called with multiple comma-separated IDs, caused by ajvQuery coercing the string into a single-element array after the OpenAPI migration

  • (#40496) Ensures that deactivated users have their login tokens cleaned up in users.deactivateidle

  • (#40405) Disables SAML login when it is set to validate signatures without the proper configuration for it

  • (#40423) Allows users to search for attribute values when assigning them to rooms

  • (#40335) Fixes test button not playing default sound in Notifications Preferences

  • (#40528) Ensures the Meteor method for translateMessage validates access and types

  • (#40420) Fixes Insert Timestamp relative time preview not updating on input changes and losing the user's locale after the first refresh tick.

  • (#40456) Fixes signed URL generation for S3 and Google Cloud Storage when the expiry setting is below 5 seconds, which previously caused expired or invalid preview URLs. Adds a dedicated URL expiry setting for Google Cloud Storage since it was incorrectly reusing the AWS S3 setting.

  • (#40501) Ensures the visitor token is not present in the visitors.info response

  • (#40405) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

  • (#40613) Sanitizes image URLs in rendered messages to block javascript:, data:, and vbscript: schemes — matching the protection already applied to markdown links. Defense-in-depth against XSS via crafted markdown like ![label](javascript:...).

  • (#40508) Ensures the autotranslate.translateMessage endpoint checks for room access

  • (#40448) Fixes action buttons added by apps being rendered in the Marketplace Menu rather than the User Menu

  • (#40635 by @copilot-swe-agent) Fixes the Chat Limits locking mechanism to allow bot agents to skip the lock as they aren't limited

  • (#40499) Fixes an issue where some actions made by the abac service were not broadcasting to clients, which affected reactivity

  • (#40492) Fixes issue that displayed the 'Delete all closed chats' button when user lacks remove-closed-livechat-rooms permission

  • (#40393) Fixes a date-fns crash on routes that mount before the public settings stream finishes loading. useFormatDate was passing String(undefined) (the literal "undefined") to formatDate while Message_DateFormat was momentarily unloaded — date-fns rejects that token because it contains an unescaped n. The hook now uses 'LL' as the default token via useSetting's second argument, so the formatter always receives a valid format string.

  • Updated dependencies [90f15e3, f7d47dd, cdb264f, 2a927fa, bede0e2, bede0e2, bede0e2, 4c39845, 7f2bdf1, b6b04aa, ad7d424, 4704bf8, d427b80, ebc9bab, f392d5c, 2198d9e, fac6472, 12897e2, e45585b, 0b7a763, 5183306, 2d32e52, 2a927fa, b1c2668, 90f15e3, 22c8d32]:
    • @rocket.chat/ui-kit@1.1.0
    • @rocket.chat/model-typings@2.3.0
    • @rocket.chat/models@2.3.0
    • @rocket.chat/i18n@3.1.0
    • @rocket.chat/apps-engine@1.63.0
    • @rocket.chat/ddp-client@1.1.0
    • @rocket.chat/rest-typings@8.5.0
    • @rocket.chat/ui-voip@21.0.0
    • @rocket.chat/gazzodown@31.0.0
    • @rocket.chat/apps@0.7.0
    • @rocket.chat/ui-client@31.0.0
    • @rocket.chat/core-typings@8.5.0
    • @rocket.chat/abac@0.2.1
    • @rocket.chat/media-calls@0.5.0
    • @rocket.chat/ui-composer@2.0.0
    • @rocket.chat/federation-matrix@0.1.4
    • @rocket.chat/network-broker@0.2.36
    • @rocket.chat/omni-core-ee@0.0.22
    • @rocket.chat/omnichannel-services@0.3.54
    • @rocket.chat/presence@0.2.57
    • @rocket.chat/core-services@0.14.1
    • @rocket.chat/cron@0.1.57
    • @rocket.chat/fuselage-ui-kit@31.0.0
    • @rocket.chat/instance-status@0.1.57
    • @rocket.chat/omni-core@0.1.1
    • @rocket.chat/server-fetch@0.2.1
    • @rocket.chat/ui-avatar@27.0.0
    • @rocket.chat/ui-contexts@31.0.0
    • @rocket.chat/ui-video-conf@31.0.0
    • @rocket.chat/web-ui-registration@31.0.0
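
The image URL scheme check described in entry (#40613) of the change log above, sketched as an added example; it is not Rocket.Chat's own code, and `sanitizeImageUrl`, `extractScheme`, `auditSamples` and the `#` fallback are hypothetical names and values. It shows why the URL has to be normalized the way a browser would before the scheme is compared.

```javascript
// Added example, not Rocket.Chat code. All names below are hypothetical.
const BLOCKED_SCHEMES = new Set(['javascript:', 'data:', 'vbscript:']);
const FALLBACK = '#'; // assumption: inert value emitted for a rejected URL

// Browsers drop ASCII tab/newline anywhere in a URL and trim leading
// control characters and spaces before parsing. A plain prefix check on
// the raw string therefore misses "java\nscript:" or " javascript:".
function normalizeForSchemeCheck(raw) {
  return String(raw)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
}

// Returns the lower-cased scheme including the colon, or null when the
// value has no scheme (relative URL such as "/avatar/user.png").
function extractScheme(raw) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalizeForSchemeCheck(raw));
  return m ? m[1].toLowerCase() + ':' : null;
}

// Keeps the URL unless its scheme is one of the three blocked ones.
function sanitizeImageUrl(raw) {
  const scheme = extractScheme(raw);
  return scheme !== null && BLOCKED_SCHEMES.has(scheme) ? FALLBACK : raw;
}

// Constructed sample image targets, as they might appear in ![label](...).
const SAMPLES = [
  'https://example.com/cat.png',
  '/avatar/user.png',
  'JaVaScRiPt:x',
  ' \tjava\nscript:x',
  'data:image/png;base64,AAAA',
  'vbscript:x',
];

// Maps every sample to the value a renderer would place in src.
function auditSamples() {
  return SAMPLES.map((url) => [url, sanitizeImageUrl(url)]);
}
```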

ggazzo and others added 30 commits April 22, 2026 11:47
MartinSchoeler and others added 3 commits May 28, 2026 10:26

cubic-dev-ai Bot commented May 28, 2026

Contributor

You're iterating quickly on this pull request. To help protect your rate limits, cubic has paused automatic reviews on new pushes for now—when you're ready for another review, comment @cubic-dev-ai review.

rc-layne Bot commented May 29, 2026


Caution

These are security findings reported by the security scanners configured in Layne. Findings may contain false positives - review them and fix what makes sense. If you believe a finding is not valid, contact the security team.

Layne found 3 high issues in this PR.

| Severity | Scanner | File | Rule | Description |
|---|---|---|---|---|
| 🟠 High | semgrep | packages/apps/scripts/deno-cache.js:39 | app.config.semgrep.rules.nodejs.child-process-execution | Child process execution detected. Ensure command and arguments are not user-controlled. Command injection (CWE-78) can occur if untrusted input flows into spawn/exec calls. Remediation: - Use allowlists for permitted commands - Validate/sanitize all arguments - Avoid shell=True or string-based command interpolation - Prefer execFile/spawn over exec when possible |
| 🟠 High | semgrep | packages/apps/scripts/deno-cache.js:82 | app.config.semgrep.rules.nodejs.child-process-execution | Child process execution detected. Ensure command and arguments are not user-controlled. Command injection (CWE-78) can occur if untrusted input flows into spawn/exec calls. Remediation: - Use allowlists for permitted commands - Validate/sanitize all arguments - Avoid shell=True or string-based command interpolation - Prefer execFile/spawn over exec when possible |
| 🟠 High | semgrep | packages/apps/src/server/runtime/deno/AppsEngineDenoRuntime.ts:249 | app.config.semgrep.rules.nodejs.child-process-execution | Child process execution detected. Ensure command and arguments are not user-controlled. Command injection (CWE-78) can occur if untrusted input flows into spawn/exec calls. Remediation: - Use allowlists for permitted commands - Validate/sanitize all arguments - Avoid shell=True or string-based command interpolation - Prefer execFile/spawn over exec when possible |

gabriellsh and others added 8 commits May 29, 2026 20:04
jessicaschelly and others added 11 commits June 4, 2026 02:09
ggazzo merged commit 2da0338 into master on Jun 10, 2026
41 of 43 checks passed
ggazzo deleted the release-8.5.0 branch on June 10, 2026 21:11