← Back to all sparks
A

Appsmith

DEVOPS
Velocity2.5

Open-source low-code platform for building custom internal applications.

Appsmith is in a sustained security-hardening and runtime-modernization cycle.

low-codeself-hostedsecurity-hardeningcve-remediationruntime-upgradedevtools
Current state
Nearly every Appsmith release is dominated by CVE remediation and hardening — SSRF filters, path-traversal validation, XSS fixes, stored-XSS and injection guards, and batches of dependency upgrades. The v2.0 release re-platformed the base image onto MongoDB 7, Java 25, and Node 24 with a mandatory intermediate-upgrade path. Genuine features arrive steadily but modestly, most recently cross-application copy of APIs, queries, and JS objects in v2.2.
Where it's heading
This is a self-hosted low-code platform prioritizing enterprise security posture and modern runtimes over new surface. The v2.x base sets up further modernization; feature work is incremental widget, datasource, and dev-productivity polish layered on top of a heavy security cadence.
Prediction
Expect the CVE-remediation cadence to continue and more infrastructure-forward work on the v2 runtime base, with periodic developer-experience features like cross-app copy. No directional product pivot is visible.

Recent moves

  1. 14h ago

    Release v2.2 🌈

    v2.2 adds cross-application copy of APIs, queries, and JS objects — a real developer-productivity feature — atop the usual batch of CVE fixes and a breaking swap of IN_DOCKER for APPSMITH_DISABLE_SSRF_FILTER.

    View source ↗
  2. 1mo ago

    Release v2.1 🌈

    v2.1 is mostly SSRF and infrastructure hardening, with an Intercom-to-Pylon support swap and a memory-sizing script — no user-facing capability change.

    View source ↗
  3. 1mo ago

    Release v2.0 🌈

    v2.0 re-platforms onto MongoDB 7, Java 25, and Node 24 with a required v1.99 intermediate-upgrade step — a significant runtime modernization delivered alongside heavy security fixes.

    View source ↗
  4. 2mo ago

    Release v1.99 🌈

    v1.99 is entirely fixes and CVE remediation — SSRF, injection, and permission guards — the migration-bridge release before v2.0.

    View source ↗
  5. 3mo ago

    Release v1.98 🌈

    v1.98 adds TLS (SSL mode) support for the Redis datasource among a set of critical-CVE fixes — a small but real capability increment.

    View source ↗
  6. 4mo ago

    Release v1.97 🌈

    v1.97 brings user-facing polish — Favorite Applications V2, per-row table color options, and Caddy response compression — on top of open-redirect fixes.

    View source ↗