CubicWeb Monthly news August 2022

Activity report

#473 Extraction of the Web part of CubicWeb into a dedicated cube

For CubicWeb 4, we plan to be able to launch an instance without any view; thus CubicWeb will only be a server which serve data.

We have set the following goals for the month of August:

  1. Ensure that unit tests for CubicWeb and the Web Cube are functional and green.
  2. Report all the modifications made on CubicWeb and concerning the web part in the Web cube.

For the first point, we managed to correct almost all the unit tests and at the end of the meeting of August 30, there were only 7 failed tests (out of 381) for the Web cube.

For the second point, all the patches forgotten between the start of the cube development and the end of August have been added to the Web cube.

The next steps will be to test the work on more complex projects (customers and internal). This will allow faster detection of regressions and bugs caused by this extraction.

This step is essential before considering that the extraction is indeed finished and functional.

#583 Notifications

Work has been done on the CubicWeb notification system, so that it no longer depends on the Web cube.

The code was published through the merge request !476.

#564 Security (XSS)

We have had reports of XSS vulnerabilities present in CubicWeb from one of our customers.

The flaw in question concerned CubicWeb self-generated forms, which can be edited directly from the consultation page (via JavaScript).

The fix was implemented via merge request !479 and releases fixes have been released.

The bootstrap cube is still vulnerable to XSS vulnerabilities. The merge request !40 has been opened, but needs to be tested .

#585 Template CookieCutter

To facilitate the creation of React/TypeScript project with CubicWeb, research has been started with the CookieCutter tool.

Developments are still in progress, but the first works are already available on the forge, with the project cookiecutter-react-ts-cwclient.


Opening a public forge?

Currently, it is not possible to have an account on our forge, without having to contact one of the administrators so that he can create it.

A proposal has been made, to open an account on a public forge (like, in order to put a mirror of our projects there.

This would allow potential contributors to easily sign up and start submitting merge requests or opening tickets.

CubicWeb mailing lists closed

The cubicweb-devel list closed at the end of August. The archives can be consulted as needed.

Regarding the cubicweb list, we could consider moving it to another service (like https:/ /

Discussions are ongoing on the Sysadmin project ticket #831.

New versions

The following components were released during the month of October:

  • cubicweb 3.37.5 (with backports for 3.35 and 3.36 branches)

See you next month!