BookStack vs Asana
Side-by-side trajectory, velocity, and editorial themes.
BookStack opened a real theme extension surface, then spent six weeks patching CVEs.
BookStack shipped v26.03 in mid-March 2026 with a meaningful new theme module system and several theme events (page render, pre-save, OIDC URL customization) — the first time the project's customization surface has had real extension points rather than just template overrides. The next six weeks were almost entirely security work: four security-marked patch releases (v25.12.9, v26.03.1, v26.03.2, v26.03.4) addressing role-escalation via registration, hidden content leaking through markdown exports, style-code injection in revision diffs, and attachment/webhook URL validation gaps. Multiple researchers credited per release.
The arc is 'open up the platform, then defend it' — adding extension points was the v26.03 push, and the subsequent CVE volume reads as a coordinated audit response (often two researchers credited per advisory, suggesting public attention from pen-testers). The 25.12.x line is also still being patched in parallel, indicating the team is supporting both branches rather than forcing rapid upgrades.
Expect another v26.03.x patch release if the audit cycle isn't complete, then a return to feature work — likely more theme-event coverage and exposing more lifecycle hooks to match what the new module system can attach to. The dual-branch maintenance pattern probably continues until v25.12 hits its support cutoff.
Asana doubles down on rules-driven automation while loosening the old project-team coupling.
Asana is shipping at a high cadence on two parallel tracks. The first is deepening its automation engine — pausable rules, rule duplication across projects, scheduled triggers that now act on tasks already in a project, and rule actions that bind to project-template roles. The second is reshaping enterprise governance and data model, with RBAC view permissions in Release Preview and Teamless Projects loosening a long-standing structural constraint.
Rules are being built into the automation backbone of the product — closer to a no-code workflow runtime than a notification system. Teamless Projects removes a constraint that made enterprise rollouts awkward, and the Timesheets and Budgets add-on going GA pulls Asana into PSA-adjacent territory. The pattern is consistent: move from a flat, team-scoped task tracker toward a configurable platform that can be sold up-market.
Expect future rule actions to look more agentic — AI-driven branching, conditional approvals — and an RBAC-aware automation surface so admins can govern who can trigger what across the workspace.
See more alternatives to BookStack →
See more alternatives to Asana →