Add parentId query param support to documents/templates folder index
pages so View All correctly shows subfolders. Fix search not filtering
unpinned folders on documents page and broken mt- Tailwind class on
templates page.
## Description
When signing via embed, recipient name and email provided through the
embed context were ignored if the DB recipient record had empty values.
This fix adds:
- the signing context's fullName and email as fallbacks in the recipient
payload
- keeps the form in sync with values instead of defaultValues
- ensures the override payload is sent even when the form is hidden
Webhook URLs were being fetched without validating whether they
resolved to private/loopback addresses, exposing the server to SSRF.
Current SSRF is best effort and fail open, you should never host
services that
you cant risk exposure of.
This extracts webhook execution into a shared module that validates
URLs against private IP ranges (including DNS resolution), enforces
timeouts, and disables redirect following. The resend route now
queues through the job system instead of calling fetch inline.
Configure default transaction options (5s maxWait, 10s timeout) on the
PrismaClient instead of per-transaction overrides. Move side effects
like email sending, webhook triggers, and job dispatches out of
$transaction blocks to avoid holding database connections open during
network I/O.
Also extracts the direct template email into a background job and fixes
a bug where prisma was used instead of tx inside a transaction.
Upgrade @libpdf/core from 0.2.12 to 0.3.3, which includes:
- WebCrypto SHA-256 replacing pure-JS @noble/hashes (10x signing
speedup)
- Iterative collectReachableRefs (fixes stack overflow on large PDFs)
- Iterative Math.max helpers in xref writer (fixes remaining stack
overflow)
Extract duplicated FontLibrary.use() calls from render-certificate,
render-audit-logs, and insert-field-in-pdf-v2 into a shared
ensureFontLibrary() helper with has() guards so fonts are only
registered once per process.
- Allow admins to update recipient role from document detail page
- Add download button to export audit logs as PDF
- Display recipient status details in accordion
- Add LocalTime component with hover popover for timestamps
For document signing embeds, the hash-provided name and email should
only
be used when the recipient doesn't already have values set. For template
signing, the hash values are always allowed.
Also makes the email input editable in V1 embeds when the recipient has
no email, matching V2 behavior.
Ref: documenso/embeds#53
Catalin Pit
David Nguyen
Lucas Smith
Niels Kaspers
github-actions[bot]
Ted Liang
Abdul Alim
Konrad
Ephraim Duncan
Timur Ercan
Joshua Sharp
VIVEK TIWARI