
Rocket.Chat

Category: COMMS
Velocity: 5.0

Open-source team communication platform

Rocket.Chat doubles down on enterprise governance — ABAC permissions and phishing-resistant MFA define the 8.x arc

Tags: enterprise-governance, authentication, abac, omnichannel, security, self-hosted-chat
Current state
Rocket.Chat is mid-stream on its 8.x release line, with active 8.3, 8.4, and 8.5 RC cycles in parallel and an LTS posture on 7.12/7.13 via security hotfixes. The bulk of substantive work clusters around two themes: attribute-based access control (ABAC) granularity and authentication hardening. The 8.4 RC stream layered file thumbnails, media-call REST control, livechat externalIds, and cold-storage read receipts onto that foundation.
Where it's heading
The project is visibly preparing for a 9.0 boundary. The new skipTranspile flag for webhook integrations is explicitly marked deprecated and tied to Babel removal in 9.0, giving admins a per-integration validation path before the cliff. ABAC keeps getting decomposed — a Virtru PDP integration in 8.4, then four new permissions in 8.5 that split admin tab visibility. The 8.5 OAuth rewrite moves token handling fully server-side with PKCE, CSRF and state validation, and forces 2FA even on OAuth logins.
Prediction
Expect 8.5.0 GA to ship with the phishing-resistant OAuth flow promoted as a headline security feature, followed by a 9.0 cut that removes Babel and tightens the apps-engine API boundary. The cadence of ABAC permission carve-outs suggests at least one more per minor release before the model stabilizes.

Recent moves

  1. 8.5 RC: server-side OAuth with PKCE, plus four new ABAC permissions (1d ago)

     The 8.5 RC lands the two biggest threads of the 8.x arc in one cut: a fully server-side OAuth flow with PKCE, CSRF and state validation, and four new ABAC permissions that split admin panel visibility per tab. Both directly serve regulated, identity-conscious buyers.

  2. 8.4 RC.2 dependency bumps (23d ago)

     Internal dependency bumps across the 8.4 RC line. No user-visible change beyond the version roll.

  3. 8.4 RC.1 dependency bumps (28d ago)

     Another iteration of the 8.4 RC train: pure dependency synchronization with no user-facing surface change.

  4. 8.4 RC: file thumbnails, media-call REST control, cold-storage read receipts (1mo ago)

     8.4 RC.0 is the substantive cut of the line: file thumbnails in the message composer, a REST endpoint for accepting or rejecting media calls without an active session, externalIds for livechat visitors, a skipTranspile flag on webhook integrations as a 9.0 migration shim, and cold-storage archiving for read receipts. This is the cumulative ABAC and omnichannel work that 8.5's OAuth rewrite sits on top of.

  5. 7.13.6 security hotfix (1mo ago)

     Security hotfix backported to the 7.13 line, consistent with the project's pattern of maintaining recent minor branches alongside the 8.x mainline for self-hosted operators who upgrade conservatively.

  6. 7.12.7 security hotfix (1mo ago)

     Companion security hotfix on the 7.12 line, shipped the same day as 7.13.6. The dual backport confirms an LTS-style policy for self-hosted deployments still on prior minors.