DSpace-CRIS Release 2025.02.00

DSpace-CRIS 2025.02.00 February, 20th (REST | Angular)

This version, released on February 20th 2026, provides alignment with DSpace 9.2 tag.

Improvements to existing features

• Switched to ROR v2 API
• Added a configuration setting to disable the standard email+password login method
• Introduced tracking of correlation ID in logs on log4j for EKS
• Improved the hint text of the search bar in the Browse section in English, German, Spanish, French, and Italian
• Updated to AWS SDK v2 for the S3 bitstore service and switched to the CRT client
• Introduced a new default cris-layout tool
• Upgraded citeproc-java to latest version 3.3.0 and add full support to APA v. 7
• Improved the performance of metadata-importprocess by bringing bulkedit.change.commit.count limit to 20 items
• Improved Dockerfile and related docker-compose
• Added AAA comodo certificate inside the keytool
• Improved the e2e test for the header
• Refactoring of the standard-login - co-funded by UNZA

Bug fixes

• Patch for CVE-2025-66516 / CVE-2025-54988 in Apache Tika (critical severity). All versions of Apache Tika prior to version 3.2.2 contain a critical XML External Entity (XXE) vulnerability.  This XXE vulnerability may be possible to exploit in DSpace if an attacker has submitter privileges. See #11678 for more details
• Fixed Audit Logs feature inside the item-page
• Fixed SiteServiceInitializer failures during flyway migrations.
• Fixed failing tests
• Fixed search issues related to the upgrade with DSpace-9.2
• Changed header text to DSpace-CRIS 9
• Fixed wrongly shown results inside the search page ( removed Collections and Communities )
• Fixed an issue with accessibility settings not being saved when logged off
• Fixed missing statistics dropdown options, fixed missing community and collections admin menu voice
• Fixed qualdrop, which now has the correct icon lookup circle inside the text area
• Fixed bulk-item-export process failures during exports from myDSpace page
• Removed duplicated buttons from the accordion in item page and submission form
• Fixed issues in search pages
• In the statistics, if the categories tabs has no data to display we show a “no data available” box
• Fixed NEW → Collection menu for administrators
• Fixed missing menus in admin-bar:
  • Import
  • Export
  • Admin Search
• Fixed progressbar in file upload, which was not showing
• Fixed missing label for detect-duplicate step ( submission.sections.submit.progressbar.detect-duplicate )
• Fixed the Accessibility settings, which were resetting to old values when saving
• Fixed the edit cms metadata dropdown to have the correct width
• Fixed missing navbar explore pages translated labels
• Fixed missing navbar rendering for community and collection labels
• Fixed admin sidebar logic to enable external links
• Fixed navbar options
• Removed unnecessary ORCID initialization that caused startup logs to show cookie warnings; application now starts cleanly without irrelevant messages
• Added a pipeline step to check for e2e runners to be up before running e2e tests
• Fixed solr configuration of each core with updateLog details
• Fixed google scholar redirect
• Added API to generate presigned S3 URLs for bitstreams, enabling faster downloads via direct S3 access; includes configurable expiration and security checks
• Fixed duplicated notification on end user agreement page
• Fixed duplicated version notice badge on item page
• Fixes grouping issue with DocumentCrosswalk for apa-cv.csl configuration
• Added support for authority in SAF import using UUID or provider IDs. Invalid authorities are logged as errors without stopping the process
• Fixed REST pipeline failure caused by an integration test checking DSpace demo availability
• Fixed the visibility of Request a correction feature in the dropdown item menu
• Fixed import and admin search for community / collection administrators
• Fixed issue with ovlerapping UI components
• Fixed “Show more” button on search result elements
• Fixed file upload issue with symbolic links in assetstore
• Resolved an issue causing inconsistent rendering of bitstream attachments due to external caching behavior
• Fixed the positioning of facet checkboxes when the facet description spans on multiple lines
• Fixed the issue preventing registered DOIs from being updated
• Porting of the DSpace community to make Shibboleth, ORCID, and OIDC authentication to support special groups. Pull Request #11633 by vins01-4science · DSpace/DSpace
• Fixed an issue where the Import from External Sources dropdown in the MyDSpace page displayed entity types that did not have any configured external sources available for import. The dropdown now correctly lists only entities associated with at least one valid external provider, ensuring a consistent and accurate import workflow
• Language dropdowns now appear for each group in nested fields (e.g., author and affiliation) instead of a single dropdown for the entire nested structure. Language values are correctly saved in all nested metadata

DSpace-CRIS release 2024.02.04

DSpace-CRIS 2024.02.04 January, 13th (REST | Angular)

This version, released on January 13th 2026, is based on the DSpace 8.2 tag.

---

New Features

• Provided new cclicense rendering type

Improvements to existing features

• Added support for Node.js 20 and 22
• Switched to ROR v2 API
• Updated to AWS SDK v2 for the S3 bitstore service
• Added lang attribute to metadata values on item pages
• Improved the hint text of the search bar in the Browse section in English, German, Spanish, French, and Italian
• Introduced a new default cris-layout tool
• Added API to generate presigned S3 URLs for bitstreams, enabling faster downloads via direct S3 access; includes configurable expiration and security checks
• English labels file updated with new labels
• Refactored the standard-login - co-funded by UNZA
• If morelikethis is configured, it gets exposed in search results
• Added autosave event on the ISSN field
• Language dropdowns now appear for each group in nested fields (e.g., author and affiliation) instead of a single dropdown for the entire nested structure. Language values are correctly saved in all nested metadata
• Added multi‑entity authority support: references resolve across configured types; new items use a configurable default entity, with the option to choose a different type at creation
• Allowed discovery.solr.fulltext.charLimit to control max analyzed chars for Solr HitHighlights
• Removed disalignments between submission-forms and cris-layout-tool, and improved item relations
• Configured a new default for End User Agreement
• Adjusted labels in the ORCID suggestion page

Bug fixes

• Patch for CVE-2025-66516 / CVE-2025-54988 in Apache Tika (critical severity). All versions of Apache Tika prior to version 3.2.2 contain a critical XML External Entity (XXE) vulnerability.  This XXE vulnerability may be possible to exploit in DSpace if an attacker has submitter privileges. See #11678 for more details
• Fixed failing integration tests for CRIS8 functionality to ensure system stability and proper functionality validation
• Fixed typo in lucky-search route
• Fixed broken import of Person from external ORCID source
• Removed unnecessary ORCID initialization that caused startup logs to show cookie warnings; application now starts cleanly without irrelevant messages
• Fixed an issue where structured data was no longer being added due to a bug
• Resolved a potential script injection vulnerability during server-side rendering caused by metadata included in structured data. Metadata is now properly sanitized to prevent XSS attacks
• Fixed “show more” functionality
• Fixed Solr configuration of each core with updateLog details
• Fixed Google Scholar redirect
• Fixed an issue with the longtext rendering type not working properly
• Fixed bold text in the underfooter to normal
• Fixed duplicated notification on the end user agreement page
• Fixed a duplicate version notice badge on the item page
• Fixed grouping issue with DocumentCrosswalk for apa-cv.csl configuration
• Fixed the issue causing some SVG thumbnails to not show correctly on item pages
• Added support for authority in SAF import using UUID or provider IDs. Invalid authorities are logged as errors without stopping the process
• Fixed ORCID sync not working
• Fixed issue with overlapping UI components
• Fixed file upload issue with symbolic links in assetstore
• Fixed SAF Import concurrency issue: the working directory now uses a random UUID instead of the submitter UUID to avoid conflicts in parallel executions.
• Prevent the entire indexing process from failing in case of broken items
• Fixed the issue preventing registered DOIs from being updated
• Redirected old IIIF Manifest URLs coming from CRIS 5/6 to the News URLs
• Fixed the problem with the title visualization if the item has encoding characters like ><
• Added labels on filter badges
• Fixed the custom theme does not display the Most Viewed and Recent Additions sections - Donated by Kallox
• Fixed the issue with the language force parameter in the URL, which, when present, interfered with the language change from the UI

DSpace-CRIS release 2024.02.03.01

DSpace-CRIS 2024.02.03.01 December, 24th (REST)

⚠️ This is an updated version of the DSpace-CRIS release 2024.02.03 release which includes the following security fixes:

• Patch for CVE-2025-66516 / CVE-2025-54988 in Apache Tika (critical severity). All versions of Apache Tika prior to version 3.2.2 contain a critical XML External Entity (XXE) vulnerability. This XXE vulnerability may be possible to exploit in DSpace if an attacker has submitter privileges. See #11678 for more details.

  After upgrading, we recommend all sites recreate text extracted files. This is a safety measure to ensure that none of those text extracted files contain unexpected information because of a prior exploit of this XXE vulnerability. To recreate your text extracted files, run:

# This command will force all current text-extracted files to be deleted and recreated.
./dspace filter-media -f -p "Text Extractor"

DSpace-CRIS release 2023.02.07.02

DSpace-CRIS 2023.02.07.02 December, 24th (REST)

⚠️ This is an updated version of the DSpace-CRIS release 2023.02.07.01 release which includes the following security fixes:

• Patch for CVE-2025-66516 / CVE-2025-54988 in Apache Tika (critical severity). All versions of Apache Tika prior to version 3.2.2 contain a critical XML External Entity (XXE) vulnerability. This XXE vulnerability may be possible to exploit in DSpace if an attacker has submitter privileges. See #11678 for more details.

  After upgrading, we recommend all sites recreate text extracted files. This is a safety measure to ensure that none of those text extracted files contain unexpected information because of a prior exploit of this XXE vulnerability. To recreate your text extracted files, run:

# This command will force all current text-extracted files to be deleted and recreated.
./dspace filter-media -f -p "Text Extractor"

DSpace-CRIS release 2024.02.03

DSpace-CRIS 2024.02.03 October, 10th (REST | Angular)

This release is based on the DSpace 8.2 tag.

---

Improvements to Existing Features

• Added support for explicit Apache Tika configuration via the TIKA_CONFIG env variable or -Dtika.config JVM argument; default file is config/tika-config.xml.
• Set the iiifuploader.machinetoken by default to dspace.cli.jwt.
• Improved Italian translations in Browse by pages.
• Enhanced performance of the metadata-import process by increasing the bulkedit.change.commit.count limit to 20 items.
• Improved login pop-up behavior when standard login is disabled.
• Metadata enrichment from authorities can now be configured to enrich related metadata with all values from the selected vocabulary entry.
• Introduced a background batch deletion script (dspace-object-deletion) to avoid blocking the UI/API. Supports deletion of Communities, Collections, or Items via UUID or handle.
• Changed the label of the bulk-import start button on the item page.
• Improved bulk execution of curation tasks to avoid reprocessing already handled items, enhancing performance on large repositories.
  • Introduced metadata markers (cris.curation.process, cris.curation.history), paginated Solr queries, and runtime flags (--force, --recent) to control execution.
  • Enhanced and tested multiple curation tasks across addons (OCR, IIIF, DocViewer).
• Upgraded citeproc-java to version 3.3.0 and added full support for APA v. 7.
• Handled NullPointerException when XML parsing for OAI fails.

---

Bug Fixes

• Fixed REST pipeline failure caused by an integration test checking DSpace demo availability.
• Fixed visibility of the "Request a correction" feature in the dropdown item menu.
• Fixed import and admin search for community/collection administrators.
• Fixed configuration for login backdoor.
• Fixed “Show more” button on search result elements.
• Fixed broken read-only form field mechanism in submission forms (donated by kskaiser).
• Fixed issue accessing the item’s administrative page when cris.customurl is defined.
• Fixed end-to-end tests.
• Fixed metadata with underscores not being properly indexed.
• Fixed NULL mimetype issues affecting file download and management.
• Fixed an issue causing tables in item pages to display with incorrect proportions.
• bulk-item-export process launched from the search page now correctly filters results when an end date is set.
• Fixed and updated Docker scripts for DSpace-CRIS (donated by tdonohue).
• Fixed duplication of rows during the cris-layout-export script execution.
• Fixed a NPE during Drag and Drop submission in MyDSpace, and allowed drag-and-dropped files to be uploaded (co-funded by BFH - Berner Fachhochschule).

DSpace-CRIS release 2024.02.02

DSpace-CRIS 2024.02.02 August, 1st (REST | Angular)

This version, released on August 1st 2025, provides alignment with DSpace 8.2 tag. See DSpace 8.2 release notes for further information

Improvements to existing features

• Added proper configuration for CrossRef import using new property mappings
• Improved ITs related to the LDNMessage feature
• Changed the ROR API setting to force the use of ROR API version 1
• Added loading feedback when navigating to administrative item page
• Added a configuration setting to disable the standard email+password login method
• Added the Authority label and refined the visualization of the table in Template item page
• Updated the server configurations so that the health page now shows the status for all cores used by DSpace-CRIS
• Implemented new option to run bulk access control on a bundle level
• Improved fallback mechanism for avatar image in pop-over so that placeholder image depends on the entity type of the item
• BulkAccessControl now updates policies on all bitstreams and bundles derived from those in the ORIGINAL bundle
• Optimized SQL queries for metadata enhancer updates
• Improved the Submission related PATCH request
• Added JAVA_HOME to the PATH environment variables in the setenv.sh
• Refactored Bitbucket pipeline configuration to introduce a reusable environment variable block, updated Maven execution commands with parallel build options and environment arguments, and consolidated parallel pipeline steps for various branches and pull requests
• Added two new options to the filter-media process:
  • the -b repeatable option enhances item processing control. This option allows users to specify one or more bundle names whose presence should exclude the corresponding item from being selected for processing.
    Please note that this is a best-effort mechanism. Items without the specified bundles may still be retrieved inadvertently. Items with one or more of the specified bundles may still be processed if required by other filters or processing logic (e.g., for newly added bitstreams).
  • The -t option enables filtering items based on how recently they were updated. By specifying a number of days, users can control the recency window for processing (-t 1 will include only items updated within the last 24 hours)

Bug fixes

• Fixed the autoload of first levels in the tree views
• Resolved an issue causing inconsistent rendering of bitstream attachments due to external caching behavior
• Fixed an issue that caused the list of processes not to load completely when the browser was zoomed-in
• Updated endpoint /api/system/processes/search/own adding new parameter processStatus to prevent loading issues of MyProcesses section
• Fixed error on file upload for bulk import
• Fixed titles of export modals that were not displaying the Community/Collection name
• Processes launched on the orchestrator are no longer marked as “failed” if the Tomcat is restarted while they are running or scheduled
• Fixed an error preventing the /server/oai page from responding
• Fixed the positioning of facet checkboxes when the facet description spans multiple lines
• Prevented CORS error when a bitstream is embedded in an external page via its download/html page
• Fixed findByItemHandle redirect sending wrong parameter
• Fixed subscription bug causing the method to return a wrong value when the subscription for the user is checked
  • Added crispatent-types.xml, iiif-bitstream-formats.xml, and ocr-bitstream-formats.xml now auto-load via Flyway or ./dspace registry-loader -all.
  • Removed duplicate loading of openaire4-types.xml.
• Fixed format to support PNG files in IIIF and OCR

DSpace-CRIS release 2023.02.07.01

DSpace-CRIS 2023.02.07.01 July, 22nd (REST)

⚠️ This is an updated version of the DSpace-CRIS release 2023.02.07 release which includes the following security fixes:

• Fix for CVE-2025-53621 (moderate severity). XML External Entity (XXE) injection possible in import via Simple Archive Format (SAF) or import from external sources. See security advisory or mailing list “security notice” for details.

• Fix for CVE-2025-53622 (moderate severity). Path traversal vulnerability in Simple Archive Format (SAF) package import via “contents” file. See security advisory or mailing list “security notice” for details.

• Fix possible "Zip Slip" in SWORDv2 ingest process. This potential issue was found via an automated code scan and no exploit has been confirmed. See #10725

DSpace-CRIS release 2024.02.01

DSpace-CRIS 2024.02.01 May, 13th (REST | Angular)

This version, released on May 13th 2025, provides alignment with DSpace 8.1 tag.

This version also includes all the improvements and fixes developed for version 2023.02.07. Check the complete list at Version 2023.02.07 - Release notes.

Key Enhancements

• Alignment with DSpace 8.1 tag. See DSpace 8.1 release notes for further information

Bug Fixing

• Removed async functions calls from HTML of cris layout pages to improve performance and avoid the page to get stuck

• Fixed the authority display in the filter facets, now showing the label instead of the authority value when a facet value with authority

• Fixed an issue where charts could not be shown

• Added the missing title prefix label in full view on the Event item page

• Applied fix for the ConfirmationModalComponent that uses getName method to retrieve the dsoName of the item selected

• Fixed an issue that caused wrong positioning of elements in the myDSpace page

• Fixed template of primary bitsteam button

• Fixed the duplication of tags after deposit (Bug fixing paid by TUWIEN)

• Fixed a bug that caused the Statistic voice on the navbar to not be clickable.

• Fixes two bugs in metadata form handling:

  • If you change the value of a metadata field associated with a security configuration, the security level of the metadata field is lost

  • If you change the security level of a metadata field, the confidence value of the metadata field is lost. (Donated by saschaszott)

• Various Translations, SCSS and code cleanUp from DSpace-CRIS Community contribution (Donated by saschaszott)

• Fixed an issue where the download link for an exported item was not being shown

• Corrected navigation link for authority controlled metadata in items result lists

• Added a missing label for the deduplication section in submission form

• Fix issue when sorting chips in relation group component

• Fixed select/unselect buttons not showing

• Fixed Community page Tabs, which had inconsistencies from the default DSpace version

• Fixed the error of application.properties loaded from the server-8.1 jar of DSpace

• Configured the system-wide alert to retrieve messages during client-side rendering (CSR), bypassing the application cache

• Removed the wrong configuration for the title display field when using ROR to import from external sources

• Fixed the Manage Projects functionality on Person page, improving its stability

DSpace-CRIS release 2023.02.07

DSpace-CRIS 7 2023.02.07 April, 14th (REST | Angular)

This version, released on April 14th 2025, provides alignment with DSpace 7.6.3 tag.

Summary

• Alignment with DSpace 7.6.3 tag. See DSpace 7.6.3 release notes for further information.

New Features

• Implemented the possibility for editors to execute workflow actions in bulk

• Added the HTML and Longhtml rendering types for Cris Layout

• Added support for AWS S3 Environment credentials for S3 Assetstore

• Introduced a shell script named dspacerestprocess to invoke a dspace process via the REST API using the jwt machine token available in the configuration via the property dspace.cli.jwt

  This allows to schedule in the server crontab process that will appear in the DSpace UI as they were requested from the UI

• Added new Data Quality addon configurations

• Added dspace.workflow.startDateTime metadata to the Metadata registry schema. The metadata counts the time since the workflow started

Improvements to existing features

• Exposed the mandatory ‘description’ metadata to be compliant with Google Dataset Search Dataset Search

• The search graphs section is now fully collapsible, with a dedicated toggle button for expanding or minimizing it, ensuring an optimized use of space when not actively needed.

• Installation of fonts locally in order to be compliant with the GDPR.

• Activated the impersonate function by default in settings

• Added Disallow rules in robots.txt file to improve indexing (e.g. Scholar) and reduce unnecessary traffic

• Improved the filter label badge on the search page when results are filtered by criteria under authority, such as authors. The label now shows the name or title instead of the authority UUID.

• The property to limit the characters in the breadcrumb in the DSpace-CRIS code was discarded in favour of the DSpace solution

• Improvements for the Audit feature:

  • Fixed issue with status code

  • Fixed issue with unprovided observable

  • Adopted UI guard to check for collection and community admins

  • Modified pre-authorization feature so that audits are accessible also to users with write permissions for the community or for the collection to which the item belongs

• Set max-http-header-size to 64k by default in the application.properties

• Implement health indicators for DSpace components to enable automated query validation for epersongroup and site.

• Improved the performance of the index-discovery script when a uuid/handle is provided with the -i parameter

• Added preventMetadataSecurity as default projection in search manager.

• In the submission form, added a setting to specify a minimum number of characters required before performing a lookup.

• Prevented NPE in browse if no value-pairs has been found (file controlled vocabularies with authority)

• Improved margins for metrics boxes in item pages

• Added a new parameter for handling the bundle name in the LuckySearch functionality to use a query parameter value

• Added support for setting the item accessConditions step as mandatory by introducing the required property in the configuration bean

• Refactored Bitbucket pipeline configurations to improve build efficiency and cleaned up Maven project structure by removing redundant groupId tags and refining pom.xml dependencies. Updated Maven configuration in pom.xml to replace the <includeClassifiers> entries and modify <includeTypes> to include jar,test-jar

• Triggered a MODIFY event on collections when a parent Community Administrator group is created, ensuring Solr documents update the submit field to reflect new permissions

• Added new access header configuration and inclusion for the REST process script

• Excluded the bot's activity in the item count for metrics as done on the statistics page, fixing the discrepancy in the displayed numbers

• Updated the MetadataService to correctly handle adding multiple <meta> tags with the same name by allowing the addition of tags instead of replacing existing ones and limit the number of metadata tags to improve page rendering

• Handled language for qualdrop metadata

• Cleaned code and removed unused lines

Bug fixes

• Fixed an issue with pagination not updating after clicking on pages

• Fixed Orgunits entities which are always displayed as untitled

• Fixed reliability of RorOrgUnitAuthorityIT with mock data and service.

• Fixed workflow curation execution. The workflow framework raised errors after the execution of a curate due to a commit operation in the curation flow

• Fixed bug that leads to retrieval of undiscoverable or withdrawn items in the ItemAuthority lookup

• Clicking on a “Downloads” item metric now opens the Statistics page on the correct graph.

• Resolved issue with multi-row drag-and-drop functionality for metadata fields featuring chip buttons in submissions, implementing a custom fix for Angular versions prior to 18 to ensure smooth item reordering across rows.

• Fixed the error red border in inline group in the form to show the red border around the entire grey form box

• Fixed an issue where the search button, the language selector and the login button disappeared from the header and used a second row.

• Fixed format to support PNG files in IIIF and OCR

• Fixed issue with displaying entity type before title in full item page for workflow & workspace items.

• Fixed the possibility for administrators to access data in the tabs and boxes restricted by custom security policy

• Fixed multilanguage for qualdrop inputs

• Fixed the context menu button in “Browse by” on collection pages.

• Updated breadcrumbs.component.html to enable HTML rendering in breadcrumb

• Fixed errors with view event on Solr

• Fixed labels for statistics in Publication reports & Project reports.

• Fixed bug that leads to retrieval of undiscoverable or withdrawn items in the ItemAuthority lookup

• Removes wrong exception reference in AuthorizeService

• Fixed filter’s skeleton loader issue that would result in filters hanging in loading state

• Fixed an issue where identifier links could contain whitespaces

• Fixed an issue with tree loading when a value is selected

• Fixed issue of metadata values that could overflow their rendering box in the item page view

• Fixed an issue with authority values on dynamic dropdowns in submission forms

• Fixed the store-metrics script to commit changes every 20 processed items

• Fixed the 404 error returned when clicking on nested tabs in item pages

• Fixed the export of items on a search result when a facet is filtering on more than one value

• Fixed error in metadata security evaluation, which led to a broken OAI page

• Fixed an issue in the signpostingLinksResolver to correctly resolve links for items with a custom URL

• Fixed text overflowing in search result items

• Fixed issue in the CrisSecurity check. When the user only belongs to special groups set and belongs to no real group, the specialgroups were not considered at all due to this bug

• Fixed community selector issue for non-admin users

• Fixed chart button not disappearing when no chart is available

• Fixed an issue where changing values of an ePerson that were previously not defined caused errors

• Fixed the generation of the APA citation, now the APA citation also includes the name of the journal retrieved using the dc.relation.ispartof metadata

• Prevent SSR error when setting signposting links in header

• Fixed the dynamic display issue of the Researcher Profile section, ensuring it is shown or hidden based on the correct configuration value

• Fixed tests failing in a non-deterministic fashion

• Fixed missing data reload after bulk import in MyDspace

• Fixed JS error on file upload

• Fixed the issue blocking direct downloads of bitstreams while logged in, refactored the logic for user redirection during direct downloads

• Fixed the issue of placeholder values not hidden

• Fixed BulkImport issues for external files.

• Fixed proper version retrieval for addon modules

• Fixed missing title information on error pages

• Removed unnecessary conditional logic within the getTypeBindModelUpdates method to streamline the retrieval of valueChanges from the type bind model to retrieve the value of the type bind field correctly when the type bind field is a checkbox

DSpace-CRIS release 2024.02.00

This version, released on the 31st December 2024, provides alignment with DSpace 8.0 tag.
See DSpace 8.0 release notes for further information.