v1.8.5 - Spanish Locale & Token-Based Chunking

Highlights

• 🇪🇸 Spanish (es-ES) language support with full translation coverage
• Token-based embedding chunking — better handling of CJK and mixed-language content
• Resilient credential handling — broken/mismatched encryption keys no longer crash the API

---

Added

• Spanish (es-ES) locale with 930+ translation keys and language toggle entry (#757) — thanks @chemazener!

Changed

• Embedding chunking is now token-based instead of character-based, improving chunk sizing consistency for CJK and mixed-language content (#542, #749) — thanks @unendless314!
• OPEN_NOTEBOOK_CHUNK_SIZE and OPEN_NOTEBOOK_CHUNK_OVERLAP semantics changed from characters to tokens; default reduced from 1200 characters to 400 tokens to stay safely below the 512-token ceiling of BERT-family embedders (e.g. mxbai-embed-large). Existing stored embeddings are unaffected — only new ingestions use the new chunking.
• Internal: migrated i18n from the custom Proxy pattern to standard react-i18next t() function for better tooling compatibility (#755)

Fixed

• Credentials endpoint no longer crashes (500) when the encryption key doesn't match stored credentials (#740, #753)
• Broken credentials are now shown with a decryption warning and can still be deleted
• DELETE endpoint for broken credentials supports model migration via the migrate_to parameter
• Azure credentials: base_url now correctly maps to endpoint (#741)

Docs

• Improved local quick-start documentation (#734) — thanks @vincentrou!

Dependencies

• Bump langchain-openai 1.1.7 → 1.1.14 (#762)
• Bump langchain-text-splitters 1.1.0 → 1.1.2 (#761)
• Bump langchain-core 1.2.22 → 1.2.28 (#737)
• Bump langsmith 0.6.4 → 0.7.31 (#759)
• Bump authlib 1.6.9 → 1.6.11 (#760)
• Bump cryptography 46.0.6 → 46.0.7 (#736)
• Bump pytest 9.0.2 → 9.0.3 (#752)
• Bump python-multipart 0.0.22 → 0.0.26 (#758)
• Bump tornado 6.5.4 → 6.5.5 (#668)
• Bump next 16.1.7 → 16.2.3 (#744)
• Bump axios 1.13.5 → 1.15.0 (#748)
• Bump follow-redirects 1.15.11 → 1.16.0 (#754)
• Bump vite 7.3.1 → 7.3.2 (#728)

---

🙏 Thanks

Huge thanks to everyone who contributed to this release:

• @chemazener — Spanish localization
• @unendless314 — token-based embedding chunking
• @vincentrou — documentation improvements

And thanks to all the users who opened issues and helped us prioritize what to ship next!

Full Changelog: v1.8.4...v1.8.5

v1.8.4 - Security Fix

Security

Three vulnerabilities reported by CERT-EU Offensive Security Team via coordinated disclosure:

• Remote Code Execution via Server-Side Template Injection (CVSS 9.2 Critical)

  • User-created transformation prompts were rendered by an unsandboxed Jinja2 environment, allowing arbitrary Python code execution on the server. Bumped ai-prompter to 0.4.0 which uses SandboxedEnvironment for all template rendering.

• Arbitrary file write via path traversal (CVSS 7.0 High)

  • File upload did not sanitize filenames, allowing path traversal payloads (e.g., ../../../../tmp/test.txt) to write files outside the upload directory. Filenames are now sanitized with os.path.basename() and resolved paths are validated.

• Arbitrary file read via Local File Inclusion (CVSS 8.2 High)

  • The source creation endpoint accepted arbitrary file_path values, allowing reading of any file on the container (e.g., /etc/passwd, /proc/self/environ). File paths are now validated to be within the uploads directory.

Affected versions

All versions up to and including v1.8.3.

Recommended action

Upgrade to v1.8.4 immediately.

Credit

Reported by CERT-EU Offensive Security Team via coordinated vulnerability disclosure.

v1.8.3 - Security Fix

Security

• Fix SurrealDB injection via unsanitized order_by query parameter (CVSS 8.7 High)
  • GET /api/notebooks accepted arbitrary input in the order_by parameter, allowing injection of SurrealQL commands. Exploitable via CSRF by tricking a user into clicking a crafted URL.
  • Added allowlist validation for sorting parameters in the notebooks endpoint
  • Replaced f-string query interpolation with parameterized $variable binding in source chat and migration queries
  • Added defensive validation in the get_all() base method to prevent injection via order_by parameter

Affected versions

All versions up to and including v1.8.2.

Recommended action

Upgrade to v1.8.3 immediately.

Credit

Reported by CERT-EU Offensive Security Team via coordinated vulnerability disclosure.

v1.8.2

What's New

Features

• DashScope (Qwen) & MiniMax provider support — Two new AI providers via Esperanto v2.20.0: Alibaba Cloud's Qwen models and MiniMax models with 204K context (#725)
• Bengali (bn-IN) language support — Full i18n translation for Bengali (#643)

Bug Fixes

• Source asset persistence — Failed sources now persist their asset (URL/file path), making them identifiable and retryable (#722)
• Source title preservation — User-set custom titles are no longer overwritten after background processing (#722)
• Credential cascade delete — Deleting a credential now automatically removes linked models instead of returning a 409 error (#722)
• Source list auto-refresh — Source list now updates automatically after adding a new source via URL, file upload, or text (#721)
• Podcast directory names — Uses UUID for episode directories, fixing filesystem errors with special characters in titles (#666)
• Tiktoken offline handling — API no longer crashes in air-gapped environments when tiktoken can't download encodings (#622)
• SurrealDB healthcheck — Removed incompatible healthcheck from Docker Compose that caused false-negative container status (#656)
• Esperanto embedding fixes — Bumped to v2.19.7 fixing base_url/api_key config issues across multiple embedding providers (#664, #665)

Maintenance

• Upgraded default Azure API version to 2024-10-21 (#638)
• Deprecated single-container Docker image in favor of Docker Compose (#723)
• Dependency updates: langchain-core, fastmcp 3.x, Next.js 16.1.7, aiohttp, cryptography, and more

Contributors

Thanks to everyone who contributed to this release! 🎉

• @dobberr (#656)
• @kunalk16 (#643)
• @orihatav (#622)

Full Changelog: v1.8.1...v1.8.2

v1.8.1

What's Changed

Added

• i18n support for Bengali (bn-IN) (#643)
• Podcast language support via podcast-creator 0.12.0 (#645)
• Upgrade default Azure API version for model testing and fetching (#638)

Fixed

• Tiktoken network errors in offline/air-gapped Docker deployments — pre-downloads encoding at build time (#264, #622)
• SurrealDB getting stuck (#656)

Dependencies

• Bump esperanto to 2.19.5 (#657)
• Bump langgraph from 1.0.6 to 1.0.10rc1 (#658)
• Bump authlib from 1.6.6 to 1.6.7 (#649)
• Bump lxml-html-clean from 0.4.3 to 0.4.4 (#646)
• Bump rollup from 4.55.1 to 4.59.0 (#635)
• Bump minimatch in frontend (#634)
• Bump tar from 7.5.9 to 7.5.11 (#650, #659)

Contributors

• @kunalk16
• @orihatav
• @dobberr
• @lfnovo

Full Changelog: v1.8.0...v1.8.1

v1.8.0 - Podcast Model Registry Integration

What's New

Podcast Model Registry Integration & Credential Passthrough

Episode and speaker profiles now use the model registry instead of loose provider/model strings. This enables automatic credential passthrough to podcast-creator and brings podcasts in line with the rest of the system.

• Episode profiles use outline_llm / transcript_llm (model registry references) instead of provider/model strings
• Speaker profiles use voice_model (model registry reference) instead of tts_provider/tts_model strings
• Credentials are automatically resolved and passed to podcast-creator
• New language field on episode profiles (BCP 47 locale codes like pt-BR, en-US)
• Per-speaker voice model override support
• Data migration auto-converts legacy profiles on startup (idempotent)
• New GET /api/languages endpoint
• Profile forms use ModelSelector component instead of manual provider/model dropdowns
• "Templates" tab renamed to "Profiles"
• "Setup required" badge on profiles missing model configuration
• i18n updated across all 8 locales
• Added pycountry and babel dependencies

Closes #486, closes #552

Chat: Remove 50-source cap

Notebook chat context no longer has a hard limit of 50 sources. All sources in a notebook are now available for context. (#628)

Docker: Pin SurrealDB version

Pin SurrealDB to a specific version in Docker Compose to prevent breaking changes from upstream updates. Also fixes single-container documentation. (#629)

UI: Fix CJK text orientation

Correct text orientation for CJK (Chinese, Japanese, Korean) characters in the collapsible column component. (#619)

Other

• docs: add missing SURREAL_NAMESPACE and SURREAL_DATABASE env vars
• chore(deps-dev): bump tar from 7.5.7 to 7.5.9 in frontend

Migration

Existing podcast profiles are automatically migrated on first startup. If your profiles used providers with configured credentials, the migration is seamless. Profiles that can't be auto-migrated will show a "Setup required" badge in the UI.

Contributors

Thank you to everyone who contributed to this release!

• @1Zonghao — CJK text orientation fix (#619)

v1.7.4

Fixed

• Embedding large documents (3MB+) fails with 413 Payload Too Large (#594)
• generate_embeddings() now batches texts in groups of 50 with per-batch retry, preventing provider payload limits from being exceeded
• 413 errors now classified with user-friendly message in error classifier
• Misleading "Created 0 embedded chunks" log in process_source_command — embedding is fire-and-forget, so the count was always 0; now logs "embedding submitted" instead

v1.7.3 - Podcast failure recovery and retry

This release makes a ton of fixed in the podcast creation functionality. It adds retry capabilities, improved Json parsing for Gemini, ability to retry failed generation and more. Hope you enjoy it.

Added

• Retry button for failed podcast episodes in the UI (#211, #218)
• Error details displayed on failed podcast episodes (#185, #355)
• POST /podcasts/episodes/{id}/retry API endpoint for re-submitting failed episodes
• error_message field in podcast episode API responses

Fixed

• Podcast generation failures now correctly marked as "failed" instead of "completed" (#300, #335)
• Disabled automatic retries for podcast generation to prevent duplicate episode records (#302)

Dependencies

• Bump podcast-creator to >= 0.11.2
• Bump esperanto to >= 2.19.4

KNOWN ISSUES

The podcast creation process is still not respecting the new credentials config and relies on the ENV variables to work. This will be fixed in the next release.

v1.7.2

Added

• Error classification utility that maps LLM provider errors to user-friendly messages (#506)
• Global exception handlers in FastAPI for all custom exception types with proper HTTP status codes
• getApiErrorMessage() frontend helper that falls back to backend messages when no i18n mapping exists

Fixed

• LLM errors (invalid API key, wrong model, rate limits) now show descriptive messages instead of "An unexpected error occurred" (#590)
• SSE streaming error events in source chat and ask hooks were swallowed by inner JSON parse catch blocks
• Transformation execution errors were caught and re-wrapped as generic 500s instead of using proper status codes
• Fail fast when source content extraction returns empty instead of retrying (#589)
• Chat input and message overflow with long unbroken strings (#588)
• Word-wrap overflow in source cards, note editor, inline edit, note titles, and dialog content (#588)
• Translation proxy shadowing name keys (#588)
• OpenAI-compatible provider name handling via Esperanto update (#583)

Changed

• ValueError replaced with ConfigurationError in model provisioning for proper error classification
• ConfigurationError added to command retry stop_on lists to avoid retrying permanent config failures

Dependencies

• Bump esperanto to 2.19.3 (#583)
• Bump podcast-creator to 0.9.1

v1.7.1

What's Changed

Added

• French (fr-FR) language support (#581)
• CI test workflow and improved i18n validation (#580)
• Expose embed command_id in note API responses (#545)

Fixed

• ElevenLabs TTS credential passthrough via Esperanto update (#578)
• Handle empty/whitespace source content without retry loop (#576)
• Increase transformation max_tokens and update Esperanto dep (#568)
• Turn the embedding field into optional (#557)

Docs

• Fix docker container names in local setup guides (#577)

Dependencies

• Bump langchain-core from 1.2.7 to 1.2.11 (#564)
• Bump cryptography from 46.0.3 to 46.0.5 (#563)

Thank You

Thanks to everyone who contributed to this release! 🙏

• @richardsolomou for exposing embed command_id in note API responses (#545)
• @saikrishna-prathapaneni for the French translation work (#514)

Full Changelog: v1.7.0...v1.7.1