← Back to all sparks
L

Leantime

PM
Velocity6.3

Open-source project management system for non-project managers, designed for small teams and startups with focus on goals and milestones.

Leantime is stabilizing its big 3.9 rewrite while extending cross-project planning and a mobile API

project-managementself-hostedapipermissionsmobilerefactor
Current state
Leantime is deep in a modernization cycle. The 3.9.0 release rebuilt the app around a native, fail-closed permission engine, a JSON-RPC API, and a consolidated Blueprints domain; the releases since then mostly stabilize that foundation. Recent point releases fix regressions (repeated Bearer/PAT auth fixes) while adding cross-project program views and a mobile app backend.
Where it's heading
The work is consolidation over expansion: hardening the new auth/permission and API layers, closing security IDORs domain by domain, and building the surface a mobile app and program-level planning need. The steady stream of small patch releases reflects shaking out regressions from the 3.9.0 refactor rather than opening new product directions.
Prediction
Expect continued point releases fixing regressions from the permission-engine and JSON-RPC migration, plus buildout of the Leantime Mobile app now that its Bearer-authenticated backend API is landing.

Recent moves

  1. 21h ago

    Leantime 3.9.8: milestone reporting and MCP endpoint fixes

    A bug-fix release: milestone reports, the milestone modal, closed-project to-dos, post-3.9.7 regressions, and the /mcp endpoint accepting API keys. Pure stabilization of the 3.9 line with no new user-facing capability.

    View source ↗
  2. 3d ago

    Leantime 3.9.7 adds cross-project program views

    Adds cross-project program views with sprints inherited across the program board, moves personal access tokens fully into core, and reorganizes MCP tools into domain modules. A real step up in planning scope, built on the 3.9 foundation.

    View source ↗
  3. 4d ago

    Leantime 3.9.6: security hardening plus content templates

    Security hardening (authorization, SSRF, reset-token, LDAP, stored-XSS), a new content-templates domain, a getMyDaySchedule API, and PAT management. Continues closing the security gaps opened while the permission engine rolled out.

    View source ↗
  4. 20d ago

    Leantime 3.9.5 adds mobile notification and calendar APIs

    Adds session-scoped mobile endpoints for the notifications inbox and calendar, plus bug fixes. Small but on-theme: filling out the backend surface the Leantime Mobile app needs.

    View source ↗
  5. 25d ago

    Leantime 3.9.4 fixes cross-project 'My Work' loading

    A single-fix release restoring cross-project 'My Work' ticket loading and securing the mark-ticket-done action. Regression cleanup from the ongoing API migration.

    View source ↗
  6. 25d ago

    Leantime 3.9.3 fixes Bearer-token API authentication

    Fixes a Bearer token error that denied every permission-gated API method and unifies web, API-key, and Bearer auth through a single session factory so role and 2FA state can't diverge. Reliability work central to making the new token-based API usable.

    View source ↗