⚠️ Important Notice: Node.js 20 End-of-Life + Required Actions
Node.js 20 reaches end-of-life on April 30, 2026. After this date, Node.js 20 will no longer receive security patches, critical bug fixes, or upstream support. Customers and partners running Custodia services on Node.js 20 should plan migration to Node.js 22 LTS before the deadline.
Running end-of-life runtimes may impact compliance posture for SOC 2, PCI DSS, and ISO 27001 audits.
Required actions for this release:
- Plan and validate migration of all Custodia workloads from Node.js 20 to Node.js 22 LTS before April 30, 2026.
- Confirm runtime upgrade plans with internal compliance/security stakeholders where required.
🚨 Partner Platform Notice: Known Cal Issues
We are actively tracking the following known issues originating in Cal-managed flows. These may impact some customers:
- Viewing card details on Android devices is currently unreliable in some environments.
- Card lock/unlock actions are not consistently successful in all cases.
- Some Should-be-Business (SBB) transactions are appearing as duplicates in the Custodia UI, which may also impact billing reports.
- Some declined transactions are being posted after the fact, which may affect billing reports.
For updates, timelines, or customer-specific impact details, please contact your Cal representative directly. Cal support contact details are available here: Cal Support Hours and Contact Information.
✨ New Features
- INF-1634 Added consent/terms acceptance support to self/admin card issuance flows for marqeta-consumer cards in
custodia-ui(#7421). Users can now review and accept pending card consents directly in the UI where required. - ZEN-49179 Improved catalog-only "Other" activity handling, including fixed type resolution/caching and split/merge option parity (#7435). The activity wizard path was aligned so recurring/bulk/category behaviors stay consistent with other activity types.
🐛 Bug Fixes
- ZEN-48955 Updated the LRT allocation update contract to accept non-string
fromPeriodvalues (#7412). This prevents type-mismatch failures when recurring activity updates pass date-like objects through the long-running task pipeline. - ZEN-49012 Fixed cash and business expense creation failures caused by authorization context mismatch (#7417). Budget utilization updates now execute with the required system context to avoid "Authorization Required" errors.
- ZEN-49058 Fixed budget and related totals where MySQL DECIMAL aggregates started returning strings after driver changes (#7423). Numeric coercion was added in core arithmetic paths to prevent accidental string concatenation.
- ZEN-49058 Extended numeric hardening to additional aggregate-heavy paths beyond budget metrics (#7424). This protects spend reports, payment checks, merchant stats, and similar rollups from string/undefined math regressions.
- INF-1635 Added centralized aggregate value coercion so aliased SQL aggregate responses consistently return numeric values (#7425). The change also includes UI normalization and targeted tests to prevent repeat regressions.
- ZEN-48986 Resolved Card search
414 URI Too Longerrors by enabling POST usage forexecute-searchwhile keeping GET compatibility (#7426). The UI SDK now sends large filters in the request body. - ZEN-49112 Updated budget archive authorization to allow inherited ownership from parent budgets (#7429). Privileged role behavior is preserved, while non-owners continue to be blocked.
- ZEN-49114 Fixed Org Teams inline edit regression caused by grid column refresh behavior resetting edit state in
custodia-ui(#7427). A layout-only column refresh path now preserves editing context without forced refetch. - INF-1638 Switched Marqeta event conversion to use
MarqetaJournalEntryinstead of the generic journal model (#7432). This removes recurring transaction-model warning noise in live auth processing paths. - ZEN-48996 QuickBooks expense-level export now honors configured generate mode (
BillvsPurchase) for positive amounts (#7436). This improves reliability for cash/out-of-pocket export flows. - ZEN-49281 Added ACL support for budget-owner role execution of allocation reclaim (#7439). This aligns reclaim access with existing operational roles that already perform this action.
🛠 Improvements
- INF-1628 Expanded UI handling for
CONSENT-REQUIREDcards across filters, tiles, and dashboards incustodia-ui(#7413). This also hardens related views against runtime data-shape edge cases. - INF-1639 Optimized FX conversion lookup queries and added an index to reduce examined rows in high-volume auth flows (#7433). Cache date normalization was also hardened for missing-date requests.
- INF-1641 Standardized supported card operations across md, billing, and remote services (#7437). This includes explicit provider mapping and support for
set-pin-numberwhere applicable. - INF-1642 Sanitized persisted Marqeta
CardProvider.extradata to an allowlisted subset (#7438). The change reduces sensitive payload storage while keeping required operational fields. - INF-1633 Introduced a dedicated deployment automation role for controlled release operations (#7420). Model permissions were updated so deployment workflows can manage required feature and tenant-dictionary writes.
- INF-1631 Added broad unit test coverage and modernized test execution in
custodia, including CI updates (#7414). It also strengthens schema-update safety checks around lossy DECIMAL changes and duplicate relation-import paths.
📦 Dependency & Platform Updates
- INF-1630 Applied cross-service dependency updates, including connector/runtime package refreshes (#7418). This includes the MySQL connector update used to gate risky DECIMAL precision ALTER behavior.
- INF-1640 Enabled
mysql2SQL commenter tagging in OpenTelemetry instrumentation (#7434). SQL statements now carry trace context metadata to improve correlation with slow query logs.