Under maintenance from 3:00 PM to 12:00 AM
- Planned January 05, 2026 at 3:00 PM
New Features:
Real-Time EasyBooking Rule Verification API
A new backend API endpoint allows you to validate EasyBooking rules for Sirsi, Innovative, Polaris, and Sip2 configurations in real time directly from the Identity Provider page. The API evaluates the active EasyBooking rules for a specified CustomerID and AuthProvider, returning a detailed and structured response showing matched groups and subsets along with non-matched rules and the specific reasons for each outcome. No data from these real-time verifications is saved in the audit logs.
Clone Role Feature on Roles Page
You can now create a duplicate of an existing role from the Roles page if you have the clone_role permission. The cloned role is created with the same permissions as the original, including the ability to clone roles, and cloning does not impact the original role or its settings.
Clone Roles on Roles Page
You can now duplicate any existing role directly from the roles page. If you have the "Clone" permission, the option to clone a selected role appears in the role actions menu. The new role is created with the same settings and permissions as the original, allowing you to modify details as needed after cloning.
Progressive Web App (PWA) Support
Your application can now be installed as a Progressive Web App (PWA) on supported devices, with offline functionality enabled. It handles offline scenarios by serving cached assets and a dedicated fallback page when the network is unavailable. The PWA install prompt has been tested and is available across major platforms, and the interface notifies you if the network connection is lost, disabling navigation until connectivity is restored.
Hide or Delete Grayscale and Color Email Addresses for TBS Customers
You can now hide or delete Grayscale and Color email addresses from the interface for TBS-type customers. Selecting "Delete" marks the chosen email address as disabled, immediately removing it from display in the UI. Hidden email addresses can be restored and shown again using a dedicated toggle control, allowing you to re-enable addresses as needed.
New Zealand Dollar (NZ$) Currency Support
New Zealand Dollar (NZ$) is now available as a selectable currency within ePRINTit SaaS. You can view, set, and process transactions in NZ$ wherever currency choices are displayed.
Hide or Delete Email Addresses from the UI
You can now hide or delete email addresses from the user interface. In situations where displaying an email is unnecessary—such as when a library does not support color printing—the email field will not be shown or can be removed entirely through the settings.
Tasks:
HEIF Image File Upload Support
You can now upload and print HEIF (.heif) image files using ePRINTit SaaS. The system recognizes the .heif file extension along with previously supported formats, allowing uploads and print jobs for images created on Apple devices without encountering unsupported file type errors.
Consistent Show/Hide Behavior for Email Printing Sections for TBS Customers
For TBS-type customers, the Email Printing sections and related buttons now hide automatically across the Customer Detail, Public Upload, and User Portal pages when both Color and Black & White email addresses are missing. When only one email is available, the interface displays it correctly and maintains layout integrity. No changes affect other customer types, and existing functionality remains unchanged for non-TBS customers.
Automatic Expiration of ThingSession and Connections Records
Expired records in the ThingSession and Connections collections are now automatically removed based on configured time-to-live (TTL) settings. TTL indexes have been introduced to these collections, enabling automatic cleanup of expired documents without affecting valid records or active sessions. Each new record includes an expiry date to ensure timely cleanup.
Advanced Email Creation Validation
When attempting to create a new advanced email, duplicate addresses are now prevented, including cases where the advanced email matches the default customer email. If you try to create an advanced email with an address that is already used, you will see an error message and the email will not be created.
HEIF File Format Support
You can now upload and print HEIF (.heif) image files through ePRINTit SaaS. The backend recognizes .heif as a supported file extension, allowing uploads and printing of HEIF images without generating a file type error. This enhancement aligns HEIF support with existing HEIC file handling, so files from Apple devices using the HEIF format are accepted and processed successfully.
GraphQL API operationName Logging
All incoming GraphQL API queries and mutations now record the operationName in application logs. This log entry is included for every request and appears in standard monitoring tools such as CloudWatch, allowing you to verify that operationName is consistently provided by clients and integrations, including those from kiosks and external systems.
Resolved Duplicate Response Error in /public/sendStatus API
The /public/sendStatus API no longer throws the "Cannot set headers after they are sent to the client" error. The response handling logic now ensures that only a single response is sent for each request, preventing duplicate responses and associated errors in the server logs. The status code in the response accurately reflects the outcome, and you may use both the status message and status code as needed.
CORS and Module Loading Errors After Dependency Update
Following a recent deployment, certain application routes are returning errors due to a mismatch between CommonJS and ES Module imports in dependencies. The @dabh/diagnostics module attempts to use require() with @so-ric/colorspace, which has migrated to being ES Module-only. This causes runtime module load failures and additional CORS errors, rendering some API endpoints inaccessible to users.
Bug Fixes:
Address Display in Hours Section Corrected
An issue where the location's address appeared in the Hours section despite correct settings has been resolved. The address now displays only in its designated area, ensuring accurate section labeling and organization within the location details view.
Print Button Disabled When No Printers Available
The print button on the print page is now disabled when there are no printers available. If you upload a document and reach the print screen without any connected printers, the button no longer appears clickable, preventing attempts to initiate a print job when printing is not possible.
Executive Report Corrections
Spelling in the executive report section now displays "General" instead of "Genaral." Duplicate job submission methods such as “mobile-web” and “Mobile-web” have been consolidated and standardized to a single format.
Updated Print Page Button Styles
The Print page now features redesigned buttons for the Page Range and Number of Copies selectors. These controls match the latest Figma specifications, providing a more consistent and visually aligned interface for selecting the desired print range and adjusting copy quantities.
Dark Mode Visual Improvements
Dark mode now displays with corrected background and text colors across all menus and interface sections. Buttons, popovers, and dialog elements use improved contrast for readability, and visual inconsistencies in shadows and highlights have been resolved. You may notice more consistent icon visibility and alignment in various navigation and content areas.
Premium Tier Label Removal
The "Premium" tier label is now replaced by the "Standard" tier label for all existing customer accounts. When viewing or managing customer profiles in the Admin portal, you will see "Standard" in place of any previous "Premium" designation for onboarded customers.
Enhanced Multi-Select Dropdowns for Reports
The customer and location multi-select dropdowns in Executive Reports, Printer Reports, CSV Reports, License Reports, Value Added Reports, Kiosk Reports, and Payment Transaction Reports now include improved Select All functionality. When you choose "Select All," every available option is selected, and individual selection or deselection updates the Select All state accordingly. The dropdowns now support infinite scrolling, allowing you to load additional results as you scroll to the bottom of the list. A loading indicator is displayed when more options are being fetched, and it will disappear once the new items are loaded.
Google Translation Tool Field Exclusion
The Google Translation Tool now excludes specific fields from automated translation: Customer Name, Location Name, all Joblist options (including Paper Sizes, Orientation, Duplex, Copies, and Page Range), and Document Name. These fields will remain in their original form when using the translation feature, avoiding unwanted changes to proper names and standardized options.
Security Enhancements:
jsonpath-plus Dependency Upgrade for RCE Mitigation
All transitive dependencies on jsonpath-plus have been upgraded to version 10.2.0 or higher. This update addresses a remote code execution vulnerability in earlier versions, which could allow unsafe code evaluation when processing untrusted JSONPath input. Continuous integration now blocks merges with vulnerable jsonpath-plus versions, and audits, input validation, and sandboxing have been implemented as needed for any remaining JSONPath evaluation on untrusted input.
elliptic ECDSA Signing Vulnerability Mitigated
All direct and transitive dependencies on elliptic have been upgraded to version 6.6.1 or later to address a critical security issue allowing private key extraction when signing malformed inputs. Additional input normalization and validation now ensure that all ECDSA signing operations accept only byte array types, preventing nonce reuse and blocking attacks that rely on crafted message types. Continuous integration checks have been updated to prevent regressions and confirm that vulnerable elliptic versions are not reintroduced.
Patched xml-crypto Dependency for Signed XML Verification
The transitive dependency xml-crypto, used for verifying XML signatures in backend authentication flows, has been upgraded to a patched version. All Node.js services that process and validate signed XML—including SAML responses via saml2-js—now use xml-crypto version 3.2.1 or higher. This update enforces expected XML signature verification and prevents bypass through multiple SignedInfo references or other tampering attempts, ensuring services correctly reject malformed or maliciously altered XML documents.
xml-crypto Dependency Security Upgrade
The xml-crypto package has been upgraded to mitigate a vulnerability allowing signature verification bypass in signed XML documents including SAML assertions. All affected services now require at least version 3.2.1 (or 6.0.1 for the 6.x line), and package manager overrides or resolutions have been implemented where needed to prevent the use of older, vulnerable versions. Continuous integration checks and dependency audits will block regressions involving these versions.
Security Update: Patched Vulnerable form-data Dependency in Node Services
Transitive dependencies on form-data have been updated to version 4.0.4 to address CVE-2025-7783, which involved predictable multipart boundary generation due to the use of Math.random(). This patch ensures all Node-based services now generate non-deterministic boundaries, preventing multipart parameter injection through boundary prediction. Older versions of form-data are no longer present in the dependency tree, and continuous integration pipelines enforce that no vulnerable versions can be reintroduced.
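As an added illustration (not the vendor's pipeline or code), the following Node.js script shows one way a CI step could enforce the minimum versions named in the jsonpath-plus, elliptic, xml-crypto and form-data entries above against an npm lockfile. The lockfile contents, the function names and the choice to fail closed on release lines the notes do not mention are assumptions of this example.

```javascript
// Floors are the versions stated in these release notes; everything else is constructed.
// A release line with no stated floor fails closed (assumption of this example).
const FLOORS = new Map([
  ['jsonpath-plus', ['10.2.0']],
  ['elliptic', ['6.6.1']],
  ['xml-crypto', ['3.2.1', '6.0.1']], // one floor per release line, ascending
  ['form-data', ['4.0.4']],
]);

// major.minor.patch as numbers; pre-release and build suffixes are ignored.
const parse = (v) => v.split(/[-+]/)[0].split('.').map(Number);
function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) - (y[i] || 0);
  return 0;
}

function allowed(name, version) {
  const floors = FLOORS.get(name);
  if (!floors) return true; // package not covered by this gate
  const major = parse(version)[0];
  if (major > parse(floors[floors.length - 1])[0]) return true; // newer line than any floor
  const floor = floors.find((f) => parse(f)[0] === major);
  return floor !== undefined && cmp(version, floor) >= 0;
}

// The lockfile v2/v3 "packages" map lists every installed copy, nested transitive ones included.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (path && meta.version && !allowed(name, meta.version)) {
      findings.push(`${name}@${meta.version} (${path})`);
    }
  }
  return findings;
}

// Constructed sample lockfile; package paths are hypothetical.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-service', version: '1.0.0' },
  'node_modules/jsonpath-plus': { version: '10.3.0' },
  'node_modules/elliptic': { version: '6.5.4' },
  'node_modules/saml2-js/node_modules/xml-crypto': { version: '3.2.0' },
  'node_modules/xml-crypto': { version: '6.0.1' },
  'node_modules/example-client/node_modules/form-data': { version: '3.0.1' },
} };
console.log(auditLock(SAMPLE_LOCK)); // a CI job would fail the build when this list is non-empty
```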
SSRF Vulnerability Fixed in ip Node.js Library
The ip Node.js library, used internally by the GraphQL API, has been upgraded to address a server-side request forgery (SSRF) vulnerability affecting specific IP address formats. The update ensures that edge cases such as octal-formatted localhost addresses (for example, 017700000001) are accurately classified as private, preventing incorrect identification of public addresses and exposure of internal network resources. All functions relying on ip.isPublic() and ip.isPrivate() now perform correct IP classification, and regression tests for dependent features have been completed.
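An added example, not code from the ip library or the product: the misclassification described above arises from alternate IPv4 spellings, so this JavaScript parses the inet_aton-style octal, hex and integer forms to a 32-bit value before checking ranges, and treats anything it cannot parse as non-public. The function names and the range list are assumptions of the example.

```javascript
// Parse one component: 0x.. is hex, a leading 0 is octal, otherwise decimal.
function parsePart(s) {
  let m;
  if ((m = /^0x([0-9a-f]+)$/i.exec(s))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]*)$/.exec(s))) return m[1] ? parseInt(m[1], 8) : 0;
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return NaN; // e.g. "08", "", "1e3"
}

// Returns the address as an unsigned 32-bit number, or null if it is not valid.
function toUint32(addr) {
  const parts = String(addr).split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  // All but the last part are single octets; the last part fills the remaining bytes.
  const last = nums.pop();
  if (nums.some((n) => n > 255) || last >= 2 ** (8 * (4 - nums.length))) return null;
  return nums.reduce((acc, n, i) => acc + n * 2 ** (8 * (3 - i)), last);
}

// "This network", RFC 1918, loopback and link-local ranges as [network, prefix length].
const NON_PUBLIC = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function inRange(n, net, bits) {
  const base = toUint32(net);
  return n >= base && n < base + 2 ** (32 - bits);
}

// Fail closed: an address that does not parse is never reported as public.
function isPublicV4(addr) {
  const n = toUint32(addr);
  if (n === null) return false;
  return !NON_PUBLIC.some(([net, bits]) => inRange(n, net, bits));
}

// Constructed inputs, including the octal localhost form from the entry above.
for (const a of ['017700000001', '0x7f.1', '0300.0250.1.1', '8.8.8.8']) {
  console.log(a, toUint32(a), isPublicV4(a) ? 'public' : 'not public');
}
```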
Security Dependency Upgrade for Update Mutation APIs
The transitive dependency on the unmaintained inflight@1.0.6 package has been removed from the backend codebase. This change addresses a memory leak vulnerability related to the makeres() function, which was introduced through the graphql and dot-object dependency chain. Affected code paths include 35 different update mutation APIs, which were previously relying on dot-object methods like dot.remove() and dot.dot() for object manipulation. The dependency tree has been updated to ensure no lingering references to inflight, and regression testing has been performed to validate continued API functionality.