← Back to all sparks
M

Meilisearch

DEVOPS
Velocity6.3

Open-source, fast, typo-tolerant search engine API.

Meilisearch hardens auth and speeds synonyms as its new settings indexer nears completion

searchperformancesecurityvector-searchindexing
Current state
Meilisearch is on a fast weekly point-release cadence centered on engine performance and security. Its new settings indexer reached feature-complete in v1.47, synonym storage was reworked for up to 13x faster search on large synonym sets, and two authentication CVEs were patched across the 1.47 and 1.48 branches. Experimental work on a render-template route and multimodal fragments points at deeper embedder tooling underneath the search core.
Where it's heading
The near-term arc is consolidation: finishing the settings-indexer migration, tightening authentication, and stabilizing the S3 snapshot and remote-federated-search paths. The experimental render-template and fragment routes suggest Meilisearch is building out its vector and multimodal search story so document templates and embedders can be tested and iterated before indexing.
Prediction
Expect v1.50 to graduate some of the experimental render-template and embedder tooling toward stable, while security and settings-indexer hardening continue in the point releases.

Recent moves

  1. 2d ago

    Prototype v1.50 build: add missing OpenAPI route descriptions

    A prototype-tag build adding missing OpenAPI route descriptions — documentation plumbing ahead of the v1.50 line, with no user-facing behavior change.

    View source ↗
  2. 3d ago

    Synonyms storage reworked for up to 13x faster search

    Synonym storage was reworked to load lazily, cutting the search-time penalty of large synonym sets by up to 13x. A concrete performance win on the same query path the engine has been optimizing all cycle.

    View source ↗
  3. 10d ago

    Fixes for an S3 snapshot race and duplicate remote-search hits

    Point-release bug fixes: a rare S3-snapshot race condition and a remote-federated-search duplicate-document issue, plus minor OpenAPI cleanups. Stabilization of the recently added snapshot and federation paths.

    View source ↗
  4. 15d ago

    Security patch: privilege-escalation and info-disclosure CVEs (1.47 branch)

    The 1.47-branch security release fixing two authentication CVEs — a privilege escalation via index-scoped API keys reaching global actions, and an information-disclosure path through search tenant tokens. Users on 1.47 or lower should update.

    View source ↗
  5. 15d ago

    Security patch: same CVEs fixed on the 1.48 branch

    The same two authentication CVEs patched on the 1.48 branch; recommended for anyone on v1.48. Paired with the 1.47.1 release, it closes the privilege-escalation and tenant-token disclosure holes across both supported lines.

    View source ↗
  6. 17d ago

    Revert after a dumpless-upgrade bug report

    A revert of an earlier change after a dumpless-upgrade bug report — corrective housekeeping on the upgrade path, no new capability.

    View source ↗