Release 1.62.0

Release date: April 9, 2026

Important Release Documents

Release Notes - Seatmap Platform

Version 1.62.0 - 2026-04-09

Release Focus: Authentication hardening, stateless JWT, and internal observability platform


What’s New

This release is security- and infrastructure-focused. There are no product-facing feature changes, no API changes, and no breaking changes for integrators. The highlights are a full server-side session removal, four internal security fixes, and a new internal observability platform for the SRE team.


Security and Authentication

Fully stateless editor-service (SEAT-913)

For years, editor-service ran two auth layers in parallel: the primary JWT flow and a Spring Session JDBC layer that persisted SecurityContext into spring_session / spring_session_attributes Postgres tables, keyed by an X-Auth-Token header. V65 in 2021 tried to drop those tables, but Spring Session’s initialize-schema: always silently recreated them on every boot.

This release removes the Spring Session layer entirely and makes editor-service pure stateless JWT, matching how the /public/api/** filter chain has always behaved:

  • spring-session-core and spring-session-jdbc removed from the build.
  • Main filter chain flipped from SessionCreationPolicy.ALWAYS to STATELESS.
  • Dead code paths for loginForSession() and the sessionId field in LoginResponse deleted, along with 7 setSessionId() call sites.
  • spring.session.* configuration removed from application.yaml.
  • V99 migration drops the spring_session and spring_session_attributes tables for good.
  • SEAT-914 follow-up: the editor-client now scrubs auth tokens from window.location immediately after it consumes them, so they no longer leak via browser history or Referer headers.
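The SEAT-914 scrub described in the last item can be pictured as follows. This is an added example, not editor-client source: the parameter names in AUTH_PARAMS and both function names are assumptions, since these notes do not say how the client receives its tokens. It handles tokens in the query string and in a key=value fragment.

```javascript
// Added example, not editor-client source. Parameter names are assumptions.
const AUTH_PARAMS = ['token', 'access_token', 'refresh_token'];

// Pull auth parameters out of the query string and a key=value fragment,
// returning them together with the URL that is safe to leave in history.
function extractAndScrub(href, names = AUTH_PARAMS) {
  const url = new URL(href);
  const tokens = {};
  for (const name of names) {
    if (url.searchParams.has(name)) {
      tokens[name] = url.searchParams.get(name);
      url.searchParams.delete(name);
    }
  }
  const frag = new URLSearchParams(url.hash.replace(/^#/, ''));
  let fragChanged = false;
  for (const name of names) {
    if (frag.has(name)) {
      if (!(name in tokens)) tokens[name] = frag.get(name);
      frag.delete(name);
      fragChanged = true;
    }
  }
  // Only rewrite the fragment when a token was actually removed from it.
  if (fragChanged) url.hash = frag.toString();
  return { tokens, cleanUrl: url.pathname + url.search + url.hash };
}

// Browser wrapper: `win` is window in production, a stub in tests.
function consumeTokensFromLocation(win) {
  const { tokens, cleanUrl } = extractAndScrub(win.location.href);
  if (Object.keys(tokens).length > 0) {
    // replaceState rewrites the current history entry in place, so the
    // token-bearing URL is not kept and no reload is triggered.
    win.history.replaceState(win.history.state, '', cleanUrl);
  }
  return tokens;
}
```

Requests issued before the call can still carry the original URL in Referer, so the scrub belongs at the very start of the landing page's script.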

What operators should know: on upgrade, every editor user currently logged in gets signed out and has to log in again. No Redis or DB maintenance is required. See deployment.md for the step-by-step.

What host integrators should know: nothing. The public REST contract is unchanged. JWT-based integrators were always on the stateless path.

Vite dev-server CVE patches

Both frontend projects (booking-client and editor-client) were pulling Vite 7.3.1 transitively through vitest. Two high-severity advisories cover Vite versions <= 7.3.1:

  • GHSA-v2wj-q39q-566r — server.fs.deny bypass via query parameters.
  • GHSA-p9ff-h696-f583 — arbitrary file read via the Vite dev server WebSocket.

Both are bumped to Vite 7.3.2 and pinned via yarn resolutions so vitest cannot pull the older copy back in. These are dev-server-only vulnerabilities; they do not affect production bundles. The CI dependency-audit job now returns clean.


Observability and Operations

These are SRE-facing additions. Customers will not see them in the product.

Knowledge Base

Follow-up cleanup from the 1.61.0 Ghost-to-Hugo blog migration: broken asset paths fixed, Hugo blog wiring finalized, SEO front-matter patched on legacy posts. No content changes.


Migration Guide

This release is backward-compatible for every integration surface: no REST API changes, no renderer API changes, no webhook changes, no embed changes.

The only operator-visible effect is that every editor user logged in at the moment of upgrade will be signed out and redirected to the login page. This is a consequence of dropping Spring Session — see deployment.md for context and verification steps.

No customer action required.


Additional Documentation

  • Deployment Guide — V100 migration, Spring Session removal, rollback posture.
  • CHANGELOG.md — full technical changelog with commit references.

Questions? Contact the Seatmap team or check our documentation at seatmap.pro.