Back to blog
2026-05-19 Thijs Creemers

Release: v1.0.1-alpha-25

This release adds welcome email support for admin-created users, a cross-page toast notification system, critical XSS security fixes, and further split-table improvements.

Added: welcome email on admin user creation

Admin user creation now supports an optional "send welcome" checkbox that triggers a welcome email via ISmtpProvider. Failures are handled gracefully — user creation succeeds even if email delivery fails.

Added: cross-page toast notifications

New toast notification system in boundary-ui-style using X-Toast response headers and sessionStorage. Toasts persist across page navigations and work across all page layouts (base, pilot, admin-pilot).

Added: dashboard extensibility

New :dashboard-extra-cards config option in boundary-user for injecting custom Hiccup cards into the user dashboard.

Fixed: XSS vulnerabilities

Two cross-site scripting vulnerabilities patched:

  • boundary-user: create-user-htmx-handler inline <script> now sanitizes return-to URL, toast JSON, and user name via escape-js-string before interpolation.

  • boundary-admin: Toast JSON injection via entity labels in delete/bulk-delete handlers patched with escape-json-string for X-Toast and HX-Trigger headers.

Fixed: split-table soft-delete

Split-table soft-delete now correctly writes deleted_at to both primary and secondary tables in a transaction, fixing column "deleted_at" does not exist errors.

Fixed: admin entity handling

  • Added config validation for split-table entities missing :create-redirect-url, failing early with a clear error instead of a StreamableResponseBody crash.

  • Added log/error to create-entity exception handler (previously swallowed silently).

  • Restored 500 status code for server errors in create-user-htmx-handler (was incorrectly returning 200).

  • Added missing deleted_at column to users test DDL for embedded PostgreSQL, fixing 12 pre-existing test errors.

  • Fixed arity mismatch in create-user-htmx-handler test calls.

Fixed: UI cleanup

  • Removed duplicate XHR monkey-patch from admin-ux.jscomponents.js already handles X-Toast capture.

  • Increased horizontal padding on table pagination for better alignment.

Fixed: CI

Replaced :local/root dep in bb.edn with direct :paths entry for libs/tools/src, preventing deps.clj from triggering a Clojure tools download that times out on CI runners.

Version alignment

All libraries bumped to v1.0.1-alpha-25 to maintain lockstep versioning.

Upgrade

Re-run the installer to pick up the latest release:

curl -fsSL https://get.boundary-app.org | bash

No breaking changes. The XSS fixes are transparent — no configuration changes needed.