FOSSBilling publishes release notes and tagged versions on GitHub. Use the links below to review new features, fixes, and upgrade notes before you update.
GitHub Releases
View all FOSSBilling releases with detailed changelogs on GitHub Releases.
Version History
Browse the complete commit history to see all changes.
Latest Release
Section titled “Latest Release”For the latest changes, start with the most recent release.
Version 0.8.4
Section titled “Version 0.8.4”| Area | Summary |
|---|---|
| Breaking: Admin Permissions | Admin permissions reworked from per-user to a group-based model. Existing staff are auto-migrated to temporary groups on upgrade. Custom modules/themes checking permissions directly may need updating. |
| Security | Server manager credentials masked in API/admin UI; manage_settings permission enforced on extension config pages; Stripe webhooks require signing secret; server manager input hardened |
| Stripe | Recurring subscriptions via Setup Intents and webhooks; invoice paid webhook and currency normalization |
| Client Profiles | Per-user timezone support; country code selector and number formatter; custom client fields sorted and cap raised to 20; custom client IDs exposed in API |
| Knowledge Base | Migrated to Doctrine with improved search, view counts, and canned responses; Markdown-safe sanitization for ticket/KB messages |
| Admin UX | Ticket replies editable with revision history; staff notification emails scoped to admin groups; ribbon-style suspended badges; rate limit management UI; Discord community button |
| Invoicing | PDF invoice attachment to emails; configurable reminder intervals; zero-price order invoices; price validation at order creation; renewal price and duplicate-payment fixes |
| Bug Fixes | MySQL 8.0.22+ REGEXP charset conflict in patches 67/74; registrar adapter autoloader fix; PayPal duplicate subscription handling; Product Promotions crash on NULL flags; domain double-activation fix; UpdatePatcher undefined method from 0.6.x upgrades; Twig 500 error pages; cron defaults on fresh installs; DirectAdmin account deletion recovery |
| Development | Email, Extension, Support modules migrated to Doctrine; frontend JS migrated to TypeScript; document fields migrated to custom client fields |
| Dependencies | Twig v3.28.0; CKEditor 5 v48.3.0; Sentry v4.29.0; Stripe PHP v20.3.1; PostCSS v8.5.16; Autoprefixer v10.5.2; Rector v2.5.5 |
View the full 0.8.4 release notes for the complete list of changes.
Version 0.8.3
Section titled “Version 0.8.3”| Area | Summary |
|---|---|
| Breaking: Public Tickets | Public (guest) tickets unified with client tickets — same endpoints, templates, emails, and event hooks. Eight deprecated ticket hooks removed; replaced by shared client ticket hooks. Old email links redirect automatically. Custom modules/themes referencing the old hooks, templates, or endpoints need updating. |
| Security | Invoice hash self-healing — missing hashes are regenerated automatically; database patch backfills hashes for existing invoices |
| Admin UX | Persistent light/dark theme toggle with dark-mode logo support on login pages |
| Orders & Transactions | Order list/details use batch API retrieval; marking invoice as paid correctly records transaction; admin order templates handle null service data gracefully |
| Payment Gateways | Failed transactions marked as errored with retry support; SQL claim queries use correct IN grouping; Stripe type hints and appearance enhancements |
| Huraga Theme | Client dashboard widget slots; pagination tab redirects; fb_api_link usage for API actions instead of custom event listeners |
| Cron | is_cron flag for context awareness; admin-level fallback during cron runs now restricted |
| Templates | Twig strict-variables fixes across activity logs, tickets, invoices, payment gateways, and domain registrars; staff password reset emails now use correct recipient; client order page shows product add-ons for restricted categories |
| Bug Fixes | Currency settings crash when exchange rate data missing; stale unpaid_invoice references corrected; getCell returns proper types; legacy BoxBilling IPN params (bb_*, bb-ipn.php) redirect to standard endpoint |
| Frontend | Legacy PNG/font icons replaced with SVG; icon sprite xlink:href → href refactor with shared builder; Coloris color picker replaced with native input type="color" |
| Development | Product models migrating to Doctrine; promo code redemption compensates correctly on checkout failure; esbuild helpers refactored with JS checker and asset optimization |
| Dependencies | DiceBear core v10.3.0 / styles v10.2.0; esbuild v0.28.1; Sass v1.101.0; Sentry v4.28.0; guzzlehttp/psr7 v2.12.1; Docker base tag v1.25 |
View the full 0.8.3 release notes for the complete list of changes.
Version 0.8.2
Section titled “Version 0.8.2”| Area | Summary |
|---|---|
| Security | Rate limiting on guest invoice, PDF, and payment APIs with per-hash and per-IP limits; invoice hash format validated (30–60 hex chars) and hashes expire after configurable period; guest cron endpoint now requires security hash; extension uninstall paths validated against directory traversal; fixed reverse tabnabbing vulnerability in Theme service; password values no longer echoed in login templates |
| Rate Limiting | New invoice_get_ip, invoice_get_hash, invoice_pdf_ip, invoice_pdf_hash policies; invoice hashes expire by default after 90 days (invoice_hash_lifetime_days) |
| Email Templates | Built-in syntax validation with error tracking in admin panel; new last_error / error_checked_at columns for tracking rendering failures; bulk actions and batch delete |
| Payment Gateways | One-time payment enforcement per gateway; gateway keys required based on operating mode; update readiness checks in gateway settings UI |
| Performance | Doctrine ORM metadata now cached on filesystem |
| Updates | Pre-flight filesystem permission checks before applying updates |
| Widgets | Login forms now support widget slots for extension injection |
| Maintenance | Leftover Paidsupport and Servicemembership module files fully cleaned from disk |
View the full 0.8.2 release notes for the complete list of changes.
Version 0.8.1
Section titled “Version 0.8.1”| Area | Summary |
|---|---|
| Security | Sanitized admin ticket replies, validated downloadable stored filenames, hardened license doc links, prevented subdomain override, refreshed OPcache after config preservation, hardened UpdatePatcher SQL safety |
| Hosting | Free subdomain option with duplicate protection |
| Anti-spam | reCAPTCHA v3 score-based bot detection on public forms |
| Client signup | Auto-login after registration; separate last name field |
| Updates | Two-phase update finalization process (install then finalize patches); maintenance mode enabled during updates |
| Proxy | Pre-config proxy detection and admin proxy candidate settings UI for reverse proxy setups |
| Downloadable | stored_filename attribute for safer file tracking and orphan cleanup |
| Admin | Active menu highlighting, Massmailer autocomplete test client selector, tab-targeted redirects |
View the full 0.8.1 release notes for the complete list of changes.
For older releases, browse the full release history on GitHub.
Breaking Changes
Section titled “Breaking Changes”Before updating, review the release notes for any breaking changes or manual follow-up steps. We call these out in each release whenever they apply.
Security Updates
Section titled “Security Updates”Security-related changes are also published through our GitHub security advisories. If you run FOSSBilling in production, subscribe to release notifications and security alerts.