Tuleap 17.1 turns up the heat on the Burning Parrot makeover: cleaner, sharper, and more consistent screens across Tracker, Git, and Document. With the MediaWiki 1.43 LTS upgrade, the removal of legacy services, and 41 fixes including key security updates, this release keeps Tuleap moving forward.
The Grand Burning Parrot Migration
Visual Overhaul and Theme Alignment
We continue our journey to align the visual theme and improve consistency across Tuleap. No functional changes have been introduced, but the interface is becoming progressively more cohesive. Below, you’ll find screenshots of the migrated pages and a list of all updated screens in version 17.1.
Tracker

Tracker general settings view

Tracker workflow: manage global rules
Updated sections:
- Tracker administration
- Semantics (velocity)
- Permissions (tracker & fields)
- Workflow (field dependencies, global rules, triggers, webhooks)
- Administration (general settings, tracker hierarchy, canned responses)
Document

Document notifications configuration
Updated sections:
- Notifications
- Statistics
Git

Git administration: default access control

Git repository fork
Updated sections:
- Service administration (Gerrit, administrators, pull request templates, access control templates, Jenkins)
- Repository settings (fork, access control, webhooks)
Other Burning Parrotifications
- Legacy MediaWiki (if you still use it, you should migrate to MediaWiki Standalone)
- Subversion (notifications, repository display)
- Backlog (plannings configuration, charts configuration)
MediaWiki upgrade to 1.43
We bumped "MediaWiki Standalone" to the latest LTS version. This update includes numerous improvements across MediaWiki and its key extensions. For details, see the release notes for 1.40, 1.41, 1.42 and 1.43.
Highlight:
Improved Edit Recovery (from version 1.42): Quickly restore unsaved edits when returning to the editing interface, protecting against browser crashes, accidental navigation, and other disruptions.
Removal of Legacy Services
As announced, we are cleaning up the legacy services. In Tuleap 17.1, the following are gone:
- Tracker v3
- Project links plugin
- Tracker v3 date reminder
Bugs and requests
During the 17.1 release cycle, 41 requests were implemented. Bugs and security fixes have already been backported to Tuleap Enterprise builds. You will find below a detailed list of fixes. The most notable ones are in bold.
Security
- #45583 FRS project administrator can access releases in all projects – CVE-2025-64497 – High
- #45593 Missing CSRF protections when updating tracker general settings – CVE-2025-64498 – Moderate
- #45592 Missing CSRF protections on planning management – CVE-2025-64499 – Moderate
- #45618 Missing CSRF protections in the management of tracker triggers – CVE-2025-64760 – Moderate
- #45632 Missing CSRF protections in tracker field dependencies – CVE-2025-65962 – Moderate
Tracker
- #45591 Adding a shared field to a tracker is broken
Test Management
- #45626 Buttons to hide and load closed test campaigns appear simultaneously
Document
- #45639 Lock info not shown in QuickLook