⚠️ Important Notice: Node.js 20 End-of-Life + Required Actions
Node.js 20 reaches end-of-life on April 30, 2026. To stay secure and fully supported, teams running Custodia-hosted integrations or self-managed services should move to a currently supported Node.js LTS version.
- Action required: Plan and complete Node.js runtime upgrades in non-production and production environments.
- Why this matters: End-of-life runtimes stop receiving security patches and reliability fixes.
- Recommended next step: Validate integrations, scheduled jobs, and custom scripts after upgrade.
🤝 Partner Platform Notice: Known Cal Issues
We are monitoring known Partner Platform Cal issues that may intermittently affect update timing in some partner-facing workflows. No data integrity issues have been identified from this release.
- Status updates may appear delayed in a subset of screens during peak activity windows.
- Retry behavior and error handling were improved in this release to reduce user impact.
- Some cards may appear as "DO NOT USE" or "Cal Configuration Issue"; these should be escalated to Cal for resolution.
- For updates, timelines, or customer-specific impact details, please contact your Cal representative directly. Cal support contact details are available in Cal Support Hours and Contact Information.
✨ Release Highlights
- Expanded activity audit trail coverage with clearer visibility into key user actions and comments.
- Improved card and expense matching behavior to reduce false positives and edge-case misses.
- Strengthened access and validation controls to prevent invalid requests and tighten identity lookups.
- Improved observability and background-processing resilience for activity and recurring-task flows.
- Updated UI and platform routes for Web UI 2.0, including dashboard groundwork and `/v2` route alignment.
🏢 Tenant Updates
📝 Activity Management and Audit Experience
- Added optional reclaim comments with audit trail capture so teams can better track why ownership and workflow changes were made. (ZEN-49281, #7446)
- Delivered comprehensive Activity Audit Trail improvements across UI and backend for a more complete action history. (ZEN-49043, #7464)
- Added activity-based template fallback for start notifications, improving continuity when a primary template is unavailable. (ZEN-50032, #7479)
- Added scoped activity notifier template management to improve tenant-level control of notification behavior. (ZEN-50063, #7480)
- Improved generic test-engine activity creation handling to avoid failed or incomplete activity setup paths. (INF-1643, #7440)
- Improved recurring activity update stability by fixing delayed-task error handling in scheduler execution. (INF-1649, #7467)
💳 Cards, Expenses, and Matching Accuracy
- Fixed card issuer and product metadata propagation for Marqeta-linked expenses for more reliable downstream enrichment. (ZEN-49404, #7462)
- Excluded zero-score expense types from BaseAuthService matching responses to reduce confusing low-value matches. (ZEN-49500, #7461)
- Ensured tenant override precedence in cost-type merchant search so tenant-specific rules apply first. (ZEN-49517, #7465)
- Honored scoped zero-score overrides in BaseAuthService matrix lookups for more predictable matching outcomes. (ZEN-49518, #7466)
- Fixed `boundToCardId` replication behavior in ACR budget allocation merge paths to preserve card linkage. (ZEN-49575, #7468)
- Fixed ledger clearing matching and journal entry approval normalization to reduce reconciliation inconsistencies. (INF-1650, #7469)
🔐 Security, Data Validation, and API Behavior
- Enforced ICC-only access for OIDC `findOne` paths to tighten identity lookup boundaries. (ZEN-49285, #7442)
- Added required-field checks before `findById` in AppRoleMapping to prevent invalid requests from reaching data access. (INF-1646, #7443)
- Corrected DiPocket card-holder offboarding payload and API call handling for cleaner partner offboarding execution. (INF-1647, #7444)
- Enforced Turkey URL stripping for Twilio SMS requests for region-specific compliance handling. (ZEN-49740, #7481)
- Restored single UTF-8 BOM behavior and default CSV quoting to improve export compatibility. (ZEN-49775, #7472)
📡 Reliability and Observability
- Fixed OpenTelemetry trace-context pollution, improved span naming, and corrected background-task tracing behavior. (INF-1645, #7441)
- Updated dependencies and compatibility handling for npm v10/v11 optional dependency behavior. (INF-1654, #7482, #7488)
🖥️ Web UI Updates
- Updated currency amount presentation to consistently show 0 or 2 decimal places for cleaner readability. (INF-1543, #7260)
- Updated Web UI 2.0 route prefix from `/app2` to `/v2` across UI and backend integration points. (DEV-16187, #7478)
- Established foundational Dashboard infrastructure in `custodia-repo` for upcoming Web UI 2.0 dashboard capabilities. (DEV-16214, #7477)