CiviForm version 3.22.0 is now available
0 views
Skip to first unread message
Tallulah Kay
Feb 10, 2026, 1:12:08 PM (10 days ago) Feb 10
to civiform...@googlegroups.com, civiform-...@googlegroups.com
v3.22.0
What's Changed
This release contains a fix for a vulnerability around encryption of session cookies. This vulnerability is rated medium to low, depending on what information your login provider sends to CiviForm upon login. We encourage all deployments to upgrade to this version as soon as possible. For more details, see https://docs.google.com/document/d/1_y1fLgi7Ix_Mj5CznBRYKEQx67jd2YtUJhlCDwfYOlk.
External programs are now enabled by default. To disable external programs, set EXTERNAL_PROGRAM_CARDS_ENABLED to false in your deployment config.
This release also includes continued work on session timeout, expanded form logic, and enumerator improvements, as well as the foundations for the USWDS admin migration. This release also includes the final PR for login-only programs.
Features
- Adding Modal Web Component by @gwendolyngoetz in #12565
- [External Program Cards] Make flag admin readable and default to true by @rockycodes in #12525
Bug fixes
- Change "Start an application with account" to new button "Sign in to start an application" button by @swatkat1 in #12526
- Turn off session renewal in the callback controller by @nb1701 in #12538
- Improve file access security by focusing the access check by @shane-exygy in #12594
Under Development
- [Session Timeout] simplify session client code by @tallulahkay in #12509
- [Session Timeout] Update play filters by @tallulahkay in #12516
- [Expanded logic] Improvements to form accessibility by @AlvieH in #12498
- [Session Timeout] update logic for when session warning modals show by @tallulahkay in #12552
- [Expanded logic] Add client-side validation for well-formed input by @AlvieH in #12537
- [Expanded logic] Mark unfilled questions as invalid by @AlvieH in #12563
- Add Thymeleaf/USWDS version of admin/reporting page by @CallaJune in #12559
- [Expanded logic] Update text based on eligibility gating by @AlvieH in #12568
- [Session Timeout] add session timeout logic to filters by @tallulahkay in #12549
- Getting new layout template in place by @gwendolyngoetz in #12596
- [Expanded logic] Add support for missing Map and Yes/No question types by @AlvieH in #12566
- [Enumerator Improvements] - Repeated screen names by @fernandez-jack in #12378
Dependencies
- Update vitest monorepo to v4.0.18 by @renovate[bot] in #12518
- Update dependency com.itextpdf:itextpdf to v5.5.13.5 by @renovate[bot] in #12517
- Update dependency globals to v17.1.0 by @renovate[bot] in #12522
- Update dependency globals to v17.1.0 by @renovate[bot] in #12521
- Update dependency vite-plugin-static-copy to v3.1.6 by @renovate[bot] in #12523
- Update awssdk to v2.41.14 by @renovate[bot] in #12499
- Update quay.io/keycloak/keycloak:26.5 Docker digest to latest commit by @renovate[bot] in #12540
- Update dependency org.assertj:assertj-core to v3.27.7 by @renovate[bot] in #12541
- Update dependency ch.qos.logback:logback-classic to v1.5.26 by @renovate[bot] in #12542
- Update dependency sbt/sbt to v1.12.1 by @renovate[bot] in #12544
- Update awssdk to v2.41.15 by @renovate[bot] in #12548
- Update dependency vite-plugin-static-copy to v3.2.0 by @renovate[bot] in #12554
- Bump fast-xml-parser from 5.2.5 to 5.3.4 in /server by @dependabot[bot] in #12577
- Update dependency globals to v17.3.0 by @renovate[bot] in #12556
- Update dependency globals to v17.3.0 by @renovate[bot] in #12557
- Update dependency maplibre-gl to v5.17.0 by @renovate[bot] in #12558
- Update grafana/grafana Docker tag to latest commit by @renovate[bot] in #12560
- Update play-pac4j and use new method for encrypting session cookies and allow for fallback by @nb1701 in #12595
Other changes
- Small cleanups for ensureFileRecord() by @shane-exygy in #12519
- [Expanded logic] Populate CSV values on predicate load by @AlvieH in #12547
- Internationalize admin reporting page text by @CallaJune in #12567
- Change method name by @CallaJune in #12576
- Create Thymeleaf/USWDS version of show program page in admin/reporting by @CallaJune in #12575
- Move text on admin reporting program page to messages to support i18n by @CallaJune in #12603
- Adding custom button Thymeleaf component by @gwendolyngoetz in #12503
- remove users/id by @CallaJune in #12604
- Adding radio and checkbox custom thymeleaf components by @gwendolyngoetz in #12619
- make namePrefix backwards compatible by @fernandez-jack in #12620
Full Changelog: v3.21.0...v3.22.0
Reply all
Reply to author
Forward
0 new messages