What shipped
All reposKey FrontendKeystoneKey Service Sites (KSL/GHK)Training Centre (STC/CPD)Key ProtosKeyflowCompany Backend (Strapi)Key Docs
All authorsJoshYG-TheKeyOwenTourlamainRhadamanthus1TheTomWardalex-wilson-the-keycpoteylunky84robin-agentsarahcthekeysnyk-io-eu[bot]
14 PRs · 4 repos · 6 contributors · 6 Jun – 6 Jul
Monday, 6 July 2026
Key Protos
- Llunky84A new API endpoint was added to allow services to check whether feature flags are enabled for a specific organization without needing to duplicate that logic everywhere.#124 — PENG-3540 add IsFeatureFlagEnabled rpc
Keystone
- Rrobin-agentKeystone's gRPC calls now have timeouts to prevent workers from hanging indefinitely on slow services, retries for transient failures, and the assignment cleanup moved off the blocking request path.#1497 — feat: PENG-3675 gRPC deadlines, retries & async assignment cleanup (supersedes #1496)
Thursday, 2 July 2026
Key Protos
- JJoshYG-TheKeyAdded optional publish date filters to the chat search request protocol so articles can be filtered by when they were last updated.#118 — feat(ai_search): add published_after/before to ChatSearchRequest
- Rrobin-agentIncluded the publication status of training items in API responses so downstream services can see whether items are published or coming-soon.#117 — feat: PENG-3648 add status field to HydratedTrainingItem
- Aalex-wilson-the-keyAdded a missing external links data type to support KCSIE compliance features in the training assignment system.#120 — feat(assign-KCSIE-2): PENG-3668 Added external links data type with kcsie again
Keystone
- Rrobin-agentAutomatically deleted orphaned training assignments when a user account is permanently removed from the system to prevent data inconsistencies.#1494 — feat(signals): PENG-3643 delete assignments when KeyUser is deleted
Wednesday, 1 July 2026
Key Protos
- Aalex-wilson-the-keyThe system now supports external links as a new assignment type, allowing users to assign government documents like KCSIE files as required reading with a corresponding external link identifier.#119 — feat(protos): PENG-3668 add EXTERNAL_LINK assignment type and identifier fields
Keystone
- Llunky84User authentication now bypasses caching during password resets so that login immediately validates against the new password hash instead of stale cached credentials.#1493 — PENG-3667 fix reset password stop caching KeyUser
Friday, 26 June 2026
Key Protos
- TTheTomWardAdded new API endpoints to support migrating training data between different user accounts.#115 — fix(migrate-data): PENG-3603 Updates to enable training data migration
Keyflow
- CcpoteyEnsured the local development database doesn't restore a stale deprecated validation URL when reset, preventing authentication issues during testing.#68 — fix(db): PENG-3645 clear MYKEY authorisation_redirect_url in set-data…
Keystone
- CcpoteyRemoved a stale redirect URL from the MYKEY application record that was causing login flows to hit a deprecated endpoint instead of returning users to their intended destination.#1490 — fix(auth): PENG-3645 clear MYKEY authorisation_redirect_url via data …
Wednesday, 24 June 2026
Company Backend (Strapi)
- Rrobin-agentFixed security vulnerabilities in lodash-es and fast-xml-parser by adding dependency overrides and upgrading packages to safer versions.#68 — fix: PENG-3041 override lodash-es and upgrade fast-xml-parser to 5.x
Tuesday, 23 June 2026
Company Backend (Strapi)
- Rrobin-agentAdditional vulnerable transitive dependencies in company-backend have been patched through pnpm overrides to address remaining security vulnerabilities like prototype pollution and HTTP response splitting issues.#67 — fix: PENG-3041 override additional vulnerable transitive dependencies
- Rrobin-agentSeventy-one vulnerable transitive dependencies introduced by Strapi have been mitigated by pinning safe patched versions through pnpm overrides, addressing critical security issues while maintaining API compatibility.#66 — fix: PENG-3041 override vulnerable transitive dependencies