v5.15.0

What's Changed

• fix: ModuleNotFoundError: No module named 'pkg_resources by @kelvin-muchiri in #3011
• Switch to Python 3.13 from 3.10.19 by @ukanga in #3013
• feat: edit decrypted submission by @kelvin-muchiri in #3009
• Update dependencies by @FrankApiyo in #3015
• fix: upgrade trivy-action to v0.34.0 (CWE-78) by @ukanga in #3020
• fix: incorrect cors middlware placement by @kelvin-muchiri in #3021
• Fix missing dependency and layer compression issue by @FrankApiyo in #3022
• fix: make user registration atomic to prevent inactive user state by @kelvin-muchiri in #3018
• fix: target base stage and preserve venv in docker-compose by @kelvin-muchiri in #3023
• fix: sanitize CSV/XLSX exports to prevent formula injection (CWE-1236) by @FrankApiyo in #3024
• fix: entity rejected if duplicate in other project by @kelvin-muchiri in #3026
• fix: entity update fails if duplicate uuid exists in another project by @kelvin-muchiri in #3027
• fix: handle pyxform Itemset objects in SAV export value labels by @FrankApiyo in #3029
• chore: bump version v5.15.0 by @kelvin-muchiri in #3030
• chore: update requirements by @ukanga in #3032
• Fix/trivy supply chain remediation v2 by @ukanga in #3036
• fix: pin trivy-action and setup-trivy to commit SHAs by @FrankApiyo in #3035
• fix: remove hardcoded ioLocale from SavWriter to fix locale error by @FrankApiyo in #3034
• feat: persist enketo URLs in MetaData and improve error handling by @FrankApiyo in #3031
• fix: make find_choice_label defensive against non-dict choices by @FrankApiyo in #3047
• fix: decrypting Instance fails if form inactive by @kelvin-muchiri in #3048
• fix: overriding public key allowed for managed forms by @kelvin-muchiri in #3049
• docs: update changes.rst v5.15.0 notes by @kelvin-muchiri in #3050

Full Changelog: v5.14.2...v5.15.0

v5.10.0-20260325-1

fix: pin GitHub Actions to commit SHAs and update trivy to v0.35.0

Mitigate supply-chain risk by pinning all GitHub Actions to immutable
commit hashes instead of mutable tags. Update trivy-action to v0.35.0,
setup-trivy to v0.2.6, trivy to v0.69.3, and add VEX hub configuration.
Add github-actions Dependabot ecosystem for automated updates.

Ref: https://github.com/aquasecurity/trivy/discussions/10425

v5.10.0-20260304-4

Full Changelog: v5.10.0-20260304-2...v5.10.0-20260304-4

v5.15.0-rc9

What's Changed

• fix: ModuleNotFoundError: No module named 'pkg_resources by @kelvin-muchiri in #3011
• Switch to Python 3.13 from 3.10.19 by @ukanga in #3013
• feat: edit decrypted submission by @kelvin-muchiri in #3009
• Update dependencies by @FrankApiyo in #3015

Full Changelog: v5.14.2...v5.15.0-rc9

v5.10.0-20260304-3

Full Changelog: v5.10.0-20260128-2...v5.10.0-20260304-3

v5.14.2

What's Changed

• fix: user removal from an org doesn't revoke project permissions by @kelvin-muchiri in #3004
• perf: prioritize xform.is_managed over xform.kms_keys.exists() by @kelvin-muchiri in #3007

Full Changelog: v5.14.1...v5.14.2

v5.10.0-20260128-2

Full Changelog: v5.10.0-20260128-1...v5.10.0-20260128-2

v5.10.0-20260128-1

Full Changelog: v5.10.0...v5.10.0-20260128-1

v5.14.1

What's Changed

• Dockerfile cleanup by @FrankApiyo in #3003

Full Changelog: v5.14.0...v5.14.1

v5.14.0

What's Changed

• Update requirements to the latest versions by @ukanga in #2995
• Allow usernames to have any Unicode characters by @FrankApiyo in #3001

Full Changelog: v5.13.2...v5.14.0