RC 387

Bug Fixes

• Fraud prevention: New device sign in list failed mfa attempts (#10659)

Internal

• Analytics: Document standard FormResponse analytics consistently (#10745)
• Analytics: Log the requested NameID format (#10761)
• Automated Testing: Validate unnecessary exempted files in TypeScript enforcement (#10760)
• Automated Testing: Remove unnecessary allowed_extra_analytics in accessibility specs (#10749)
• Automated Testing: Refactor NameID format related tests (#10727)
• Dependencies: Update dependencies to latest versions (#10746, #10766, #10770)
• Identity verification: Guard against double-counting SP costs (#10743)
• Internationalization: Update Spanish content (#10719)
• Platform Automation: Add production IDP image creation (#10738)
• Reporting: Fixed the bug where the new_unique_users_unknown column was not populating properly (#10752)
• Reporting: Modified logic in partner helper to reflect new billing requirements (#10769)

RC 386

User-Facing Improvements

• Footer Links: Add Accessibility Statement link to footer (#10717)
• Personal key profile recovery: Add label for personal key input (#10695)

Bug Fixes

• Security: Fix CORS stopping POST for OIDC RP-Initiated Logout 1.0 (#10697)

Internal

• Analytics: Document analytics for critical-path sign-in flow (#10736)
• Analytics: Remove sp_request_requested_attributes from completion events (#10737)
• Code Quality: Remove unused Attempts API code (#10732)
• Configuration: Remove unused configuration keys (#10730)
• Database: Remove unused database field (#10735)
• Dependencies: Update dependencies to resolve security advisories (#10744)
• OIDC: Fix missing action for OIDC test route (#10721)
• Reporting: Adds users failing fraud review to DIVR (#10741)
• Source code: Increase unit test coverage (#10739)

Upcoming Features

• Aggregated Sign-In Email: Fix new device notification on reuathentication (#10731)

RC 385

User-Facing Improvements

• Authentication: Translation updates from previous sprint (#10669)

Internal

• CI: Handle multiple kube contexts (#10715) (#10715)
• Code Quality: Remove unused analytics methods (#10718)
• OIDC: Remove gate allowing backward compatabilty for x509:presented attr value (#10701)
• Reporting: Refine Protocols report (#10699)
• Reporting: Key metrics count (#10710)
• Source code: Update RuboCop lint rules (#10716)
• Source code: Unify related classes (#10720)

RC 384

RC 384 is a redo of RC 383

• Without SAML name ID changes (#10629)
• With #10706 and #10696 added

Bug Fixes

• Code Revert: Revert changes introduced in fb74d7b (#10627)
• Code Revert: Revert changes introduced in 30cb0f3 (#10629)
• Code Revert: Revert changes introduced in 6c16f7a

Internal

• Analytics: Remove track_mfa_submit analytics pass-through method (#10679)
• Code Quality: Remove unused code (#10705, #10706)
• Code Quality: Remove unused feature flags (#10693)
• Dependencies: Update dependencies to latest versions (#10698)
• Document Authentication: Add zipcode to analytics events (#10696)
• FormObject normalization: Updates the HowToVerify flow (#10682)
• Performance: Reduce size of application stylesheet (#10703)
• Reporting: Key metrics count (#10691)

RC 383

Warning

This release was rolled back

User-Facing Improvements

• SAML: Validate requested NameID formats and return appropriate response (#10629)

Internal

• Analytics: Remove track_mfa_submit analytics pass-through method (#10679)
• Code Quality: Remove unused code (#10705)
• Code Quality: Remove unused feature flags (#10693)
• Dependencies: Update dependencies to latest versions (#10698)
• FormObject normalization: Updates the HowToVerify flow (#10682)
• Performance: Reduce size of application stylesheet (#10703)
• Reporting: Key metrics count (#10691)

RC 382

User-Facing Improvements

• Account Management: Prompt user to confirm setting up backup codes from account page (#10685)
• Authentication: Translations fixing for DOS (#10642)
• Authentication: Update translations (#10651)
• Doc Auth: Simpliefied Chinese translations (#10557)
• IdV: Update translations for agreement step screen (#10675)
• In-person proofing: Update translations for Opt-in IPP non-biometric (#10428)

Bug Fixes

• Code Revert: Revert changes introduced in 97e5c06 (#10689)
• Selfie: Fix problem with focus jumping for screenreader while capturing selfie (#10668)

Internal

• Code Quality: Remove unused Step Indicator component styles (#10661)
• Continuous Integration: Fix command for review app configuration in GitLab job (#10667)
• Design System: Use design system centered variant for banner (#10663)
• Doc Auth: Add tests for resubmit h1 and body copy (#10674)
• Document Authentication: TrueIDReponse successful if transaction status passes (#10427)
• FormObject: Fix usage in AgreementController (#10652)
• Identity verification: Send issue + expiry date to AAMVA (#10653)
• In-Person Proofing: Prevent get usps proofing results job spec to pass when enrollment status by email is enabled (#10671)
• Logging: Log whether the state ID issue/exp dates are present. (#10658)
• Performance: Verify and consume backup code in single database transaction (#10687)
• Performance: Optimize size of fonts to include only content character data (#10655)
• Performance: Reduce path size for static assets (#10677)
• Performance: Delete and regenerate backup codes in a single transaction (#10686)
• Performance: Avoid outputting font-face for unused light font weight (#10673)
• Reporting: Added new billing report fields (#10683)
• Source code: Remove unused scripts (#10579)
• in-person-proofing: Rename skip_doc_auth (#10672)

Upcoming Features

• Aggregated Sign-In Message: Fix aggregated new device sign-in for expired session (#10628, #10678)

RC 381

User-Facing Improvements

• Doc Auth: Fix error messaging for case of multiple errors (#10635)
• GPO verify: Improved letter enqueued language (#10611)
• IdV: Remove Get Help CTA from non fraud screens (#10639)
• Layout: Error message on IdV code entry now is full width. (#10643)

Internal

• Automated Testing: Remove unused spec user factory traits (#10645)
• Build Tooling: Use SHA256 for JavaScript subresource integrity (#10647)
• CI: Set env for reviewapp deployment (#10657) (#10657)
• Internationalization: Fix language picker when displaying in Chinese (Simplified) (#10656)
• Maintenance: Update rexml gem (#10641)
• Rate Limiting: Use configured locales when building path-based rate limits (#10636)
• Reporting: Fix the date range nil check for both billing reports (#10634)
• Security: Add subresource integrity for design system initializer script (#10648)
• Translations: Update translations for language pickers (#10640)

Upcoming Features

• Chinese Language: Fix content for Chinese verified text (#10654)

RC 380

Internal

• Authentication Funnel Report: Remove AAL2 lines from Auth Funnel report (#10622)
• Code Quality: Improve readability of view form code (#10610)
• Continuous Integration: Upgrade to Ruby 3.3.1 (#10609)
• Dropoff Report: Make Dropoff Report able to be sent automatically (#10399, #10630, #10631)

Upcoming Features

• Biometrics: Modified UX/Content on How to Verify view conditionally for biometrics (#10524)

RC 379

User-Facing Improvements

• Authentication: Update language to DoS standards (#10461)
• Please call email: Add zh translation (#10588)

Bug Fixes

• Forms: Disable autocomplete consistently for all forms (#10604)
• New Device Detection: Extend duration of permanent device cookie on every user event (#10606)
• Security: Support POST for OIDC RP-Initiated Logout 1.0 (#10573)
• Sign In: Fix typo for error message on exceeded sign-in attempts (#10590)
• State id: Check ssn so view is not changed to update erroneously (#10567)

Internal

• Analytics: Adds property to SP redirect initiated event (#10560)
• Analytics: Include user_id in piv_cac_login event (#10584)
• Automated Testing: Fail build on unnecessary allowed_extra_analytics (#10571, #10617)
• Continuous Integration: Upgrade to Ruby 3.3.1 (#10609)
• Doc Auth: Clean up exit survey (#10572)
• DocAuth: Remove outdated Acuant SDK version (#10582)
• IdV: Fix error Identity report job with empty email array (#10577)
• Internationalization: Add consistency checks for whitespace in internationalization (#10583)
• OpenID Connect: Respect openid_connect_content_security_form_action_enabled configuration on client-side redirects (#10603)
• Performance: Optimize preload response headers to prioritize critical assets (#10612)
• Post office search spec: Remove unused arcgis test (#10607)
• Reporting: New billing_report_v2 with partner (#10613)
• Reporting: Update specs and unique partner helper (#10556)
• Reporting: Create protocols report (#10537)
• Reporting: Create LOA ACR requests report (#10562)
• Security Tooling: Configure Dependabot for security updates, major Stylelint releases (#10576, #10585, #10589, #10601)
• Source code: Reformat i18n files to simplify merges (#10503)
• Source code: Update internationalization specs (#10580)
• Spam Mitigation: Add resource hints to improve load speed for reCAPTCHA (#10616)
• Tech Debt: Renames CaptureDocStatusController to LinkSentPollController (#10615)
• Tests: Improve test message for unused allowed untranslated keys (#10574)
• in-person-proofing: Add new skip_doc_auth name (#10586) (#10586)
• in-person-proofing: Add new skip_doc_auth name (#10605)

RC 378

User-Facing Improvements

• Identity Verification: Updates the step indicator on all IdV paths. (#10353)
• redirect: Redirect user when canceling after first method setup (#10405)

Internal

• Build Tooling: Resolve nested selectors with Stylelint selector-class-pattern configuration (#10563)
• Build Tools: Replace stylelint-config-recommended-scss with stylelint-config-standard-scss (#10564)
• Dependencies: Update dependencies to latest versions (#10559, #10569, #10570)
• Document Authentication: Remove implementation of document escrow (#10561)
• Documentation: Document additional analytics events properties (#10548)
• IdV: Add Proofing Rate Metrics to IdentityVerificationReport and rename metrics names (#10566)
• In-Person Proofing: Remove hardcoded prod block for selfie feature (#10516)
• Spam Mitigation: Annotate reCAPTCHA assessments with MFA results (#10522)
• State id: Update route for controller version (#10507)
• Vector of Trust: Removed use of sp_session[:biometric_comparison_required] (#10531)