Changelog
Notable changes across CH-UI releases
The authoritative, full changelog lives in CHANGELOG.md
in the repository, and every release is published on the
GitHub Releases page with
signed checksums and an SBOM. This page highlights the headline changes.
Unreleased — Enterprise hardening
A broad enterprise-readiness pass. Highlights:
Security
- OIDC Single Sign-On (Pro) — Okta/Entra/Google/Keycloak. See SSO.
- Native TLS termination (
tls_cert_file/tls_key_file); a startup warning when serving plaintext HTTP. - Markdown from AI/Brain and dashboards is sanitized (stored-XSS fix).
- Admin-gated connection tokens and audit-log read/export; failed logins audited.
- Per-IP rate limiting on public dashboards; request-body caps.
Operations
- Prometheus
/metricsand audit forwarding (SIEM) via webhook, file, or stdout, plus a CSV/JSON audit export. See Monitoring & SIEM. - License grace period — an expired Pro license enters a 14-day read-only window instead of a hard lockout.
- Panic-recovery for HTTP handlers and background workers; Docker
HEALTHCHECK. - Helm chart and Docker Compose quick-start;
ch-ui backupfor a consistent database snapshot; schema-version tracking on upgrade.
Reliability
- Kafka pipeline ingestion is now at-least-once (offsets commit after the sink write).
Supply chain
- CI on every change (tests with
-race,govulncheck, lint, typecheck); Dependabot; SECURITY.md; the self-updater now verifies checksums fail-closed; releases publish a CycloneDX SBOM and cosign-signed checksums and images.
Licensing
- Pro modules are now published under the Business Source License 1.1 (source-available; converts to Apache-2.0 on the Change Date). The community core stays Apache-2.0. See Plans & Licensing.
2.4.0
- Query Insights (Pro), Cluster Health (Pro), result filters and ClickHouse error parsing in the query results view.
For older releases and exact commit-level detail, see GitHub Releases.