CKAN 2.11.4

Title: v.2.11.4 2025-10-29
Version: 2.11.4
Release Date: 2025-10-29
Changes

Migration notes

This version requires a requirements upgrade on source installations.

Restore handling of plugin order for ITemplateHelpers to align with add_template_directory precedence again (first plugin wins). You might have to change the order of a plugin in ckan.plugins if you relied on overriding a template helper from another plugin. (#9069)

A new config option ckan.uploads_enabled was added to prevent a critical error being shown in the logs about a missing ckan.storage_path setting. This is not required and existing sites should work as before. When ckan.uploads_enabled is not set, uploads will be shown in the UI if ckan.storage_path is defined or there is an IUploader plugin configured. (#8977)

Minor changes

  • Replaced lint tool flake8 with ruff. (#8964)
  • Remove unused ckan.static_max_age config option. (#9005)
  • Include CHANGELOG.rst in MANIFEST.in. (#9083)

Bugfixes

  • CVE-2025-64100: Rotate session identifiers to prevent session cookie fixation.
  • CVE-2025-54384: Stored XSS vector in Markdown description fields.
  • Add handling for ObjectNotFound to Datapusher delete-datastore route (#9130)
  • Fix auth check for resource_view_reorder (#9131)
  • Rewrite query to fetch one row instead of whole table in tracking code (#8757)
  • Fix ckan datastore upgrade command with columns containing definition with % characters (#9115)
  • Fix: document js translations generation (#8927)
  • Ensure UnicodeDecodeError is caught if session data was improperly encoded (#8939)
  • Pass proper context to tabledesigner _create_table_and_view to preserve the original context from resource_create and resource_update (#9057)
  • Use non-zero exit codes when search-index CLI fails (#9011)
  • Hide users data from stats if the ckan.auth.public_user_details setting is set to False. This ensures that user details are not exposed in the statistics when public user details are disabled. (#9030)
  • Fixes the font of the sort indicator in datatablesview by properly closing the opening <i tag (#9078)
  • Fix historical versions of a custom dataset type ignoring the base template specified by the IDatasetForm interface. (#8875)
  • Fix EXPLAIN JSON output sometimes being auto-decoded in multithreaded environments by setting json_deserializer at engine level. (#8929)
  • Catch NotAuthorized exception raised by datastore_search (#8989)
  • Remove override of group_dict['package_count'] to display the correct dataset count (#8252)

Changelog URL: https://github.com/ckan/ckan/blob/master/CHANGELOG.rst#v2114-2025-10-29