By Emily Stark

Hi everyone,

We just released Meteor 0.8.1. There’s lots in here: please see the full release notes for details.

Here are the highlights. If you like working on this kind of stuff, we’re hiring.

We closed a security hole in our OAuth client. We recommend everyone using OAuth-based accounts take the 0.8.1 update as soon as possible. (We also have an 0.7.2.2 available with a backport.) After you update, we suggest logging out all users by running this command from your meteor mongo console:

console: db.users.update({}, { $set: { ‘services.resume.loginTokens’: [] } }, { multi: true });

A new meteor list-sites command prints out the list of all the sites you've deployed using your Meteor developer account.

command prints out the list of all the sites you've deployed using your Meteor developer account. Blaze now disallows setting a URL attribute to a javascript: URL, preventing an XSS attacker from executing malicious code. (Escaping user input to prevent unwanted HTML tags isn't sufficient here; Blaze parses the template and automatically knows where to filter inappropriate uses of the javascript: string.)

URL, preventing an XSS attacker from executing malicious code. (Escaping user input to prevent unwanted HTML tags isn't sufficient here; Blaze parses the template and automatically knows where to filter inappropriate uses of the string.) Latency compensation now works automatically in cases where you insert multiple documents from a method. This one’s been on the roadmap for awhile.

Credit to respond.ly for identifying the OAuth vulnerability. Thanks also to ldeed, apendua, arbesfeld, awwx, dandv, davegonzalez, emgee3, justinsb, mquandalle, Neftedollar, Pent, sdarnell, and timhaines for contributions in this release.