Flarum 1.8.14 Released 🎉

We're shipping another maintenance release for the Flarum 1.x series. This one includes a security fix for flarum/nicknames, a solid batch of bug fixes, meaningful performance improvements, and some welcome changes to the GDPR extension.

---

⚠️ Flarum 1.x end-of-life is coming

This release marks a turning point for the 1.x series. It is likely one of the last regular releases.
With Flarum 2.0 approaching its Release Candidate phase, we are shifting 1.x into an almost-EOL state with immediate effect:

• ❌ No new features, improvements, or tweaks are planned for 1.x
  
• ❌ Non-security bug fixes will generally not be backported
  
• ⚠️ Security vulnerabilities will be investigated and addressed where possible — but we want to be honest: the aging dependency stack (Flarum 1.x runs on Laravel 8, which is itself well into EOL) means that some security issues may simply not be fixable on this branch
  
• ✅ Flarum 2.0 is where all active development, security work, and long-term support is happening
  

The official EOL date for 1.x has not yet been set, but it will be clearly communicated in advance. The current plan is to officially EOL Flarum 1.x 12 months after the 2.0 stable release. In the meantime, we strongly encourage all 1.x forum admins to start planning their upgrade to Flarum 2.0.

🚀 If you haven't started evaluating Flarum 2.0 yet, now is the time. Beta.8 — the last beta before the RC phase — is due in approximately two weeks.

---

🚨 A note on Flarum 2.0 — action required for extension developers

Beta.8 is due in approximately two weeks, and it will be the last beta before the RC (Release Candidate) phase.
Here's what the RC phase means in practice:

• 🔶 Beta (where we are now) — APIs are still in flux. We can still make changes to core to accommodate extension needs.
  
• 🔷 Release Candidate — The API is frozen. No new features, no breaking changes. Only critical bug fixes are accepted.
  
• 🟢 Stable 2.0.0 — RC with no blockers = stable release.
  

For extension developers, this is your most important window. Once we enter RC, the ability to adapt the core API to your extension's needs closes. If you're working on a 2.0 update and find that core is getting in your way — an API is too rigid, something is missing, an interface is awkward — now is the time to tell us. Open a discussion here or file an issue on GitHub. We are actively listening and we want to help you ship compatible extensions alongside 2.0 stable.

📣 Please test your extensions against beta.7 (and shortly, beta.8) and let us know what you find. Every compatibility report before RC is an opportunity to fix something permanently. After RC, it has to wait for 2.1.

---

🌍 Help translate Flarum 2.0

Flarum 2.0 brings a lot of new strings, and getting them translated before stable is a huge community effort. If you speak a language other than English, your help is needed — even a few strings reviewed or translated makes a difference.
Translations for Flarum 2.0 are managed on Weblate: weblate.rob006.net/projects/flarum2
You don't need to be a developer — if you can read and write your language, you can contribute. Every little helps. 🙏

---

🔐 Security fix — flarum/nicknames v1.8.3 (CVE-2026-30913)

If you use the flarum/nicknames extension, updating to 1.8.3 is strongly recommended.
A medium-severity vulnerability was discovered and responsibly disclosed via the SBB Community bug bounty programme. When flarum/nicknames is enabled, a user could set their nickname to a string that email clients interpret as a hyperlink — for example a bare domain name (nasty.com) or markdown link syntax ([CLICK](https://evil.com)). The nickname is included verbatim in plain-text notification emails, potentially misleading recipients into visiting attacker-controlled URLs.

• Variant 1 (autolink) — a nickname like nasty.com is auto-linked by virtually all email clients (Gmail, Outlook, Apple Mail, Thunderbird)
  
• Variant 2 (markdown) — a nickname like [CLICK](https://evil.com) is rendered as a clickable link by email clients that auto-render markdown in plain text (e.g. Apple Mail, Thunderbird)
  

The fix adds validation in flarum/nicknames to reject nicknames containing characters that could be misinterpreted in email contexts, while preserving legitimate nicknames like Jane.Smith.
The default username-based display name driver is not affected — it already constrains values to [a-zA-Z0-9_-]+. Any third-party display name driver that permits arbitrary characters should be reviewed.

🙏 Thanks to tank0 for reporting this responsibly via Intigriti, and to @gianniguida and @Davetodave178 for helping with the fix and verification.

---

⚡ Performance improvements

This release includes several under-the-hood optimisations. Nothing you'll see directly — but your server will thank you.

• ⚡ Notification counts cached — was a DB query on every page load; now cached for 5 minutes and invalidated automatically when something changes (including when you delete all notifications).
  
• ⚡ Auth last-seen write eliminated — was an unconditional DB write on every authenticated request; now only writes when the data has actually changed.
  
• ⚡ Scheduler timestamp moved to cache — was a DB write every ~1 minute; now stored in the cache layer instead.
  

Together, these changes add up to noticeably fewer database operations — especially on sites with active users.

💡 Running Redis? The gains stack up significantly. fof/redis v1.1.6 pairs perfectly with these core improvements. It caches Flarum's forum settings in Redis with a three-layer chain — per-request in-process cache, then Redis, then the database — so settings are read from the database at most once per Redis TTL, and from Redis at most once per request regardless of how many times settings->get() is called. In production, this alone can reduce Redis egress from settings reads by over 95%. On top of that, fof/redis now auto-detects phpredis (the native PHP extension) and uses it automatically when available, enabling persistent connections that reuse the socket across requests within the same PHP-FPM worker — significantly reducing connection overhead at scale. If you're running Redis and haven't updated fof/redis recently, now is a great time.

---

🐛 Bug fixes

• HTTP 405 "Method Not Allowed" pages now show the correct message ("This page does not support that request method.") instead of the generic "An error occurred" fallback.
  
• PHP warnings in restricted environments — a handful of PHP notices/warnings that could appear on certain hosting configurations have been resolved.
  
• Less boolean custom functions — a regression where custom Less functions returning boolean values were not handled correctly has been fixed.
  
• Extension Manager — references to the discontinued Extiverse marketplace have been removed.
  

---

🔒 GDPR extension — v1.8.2

This release includes a significant security and compliance update to the flarum/gdpr extension:

• One-time confirmation links — the erasure confirmation token is now invalidated after use. Previously, a user's confirmation email link could be re-used indefinitely; it is now a true one-time link.
  
• Processed request guard — revisiting a confirmation link for an already-processed or manually-handled erasure request now returns a proper error instead of silently resetting its status.
  
• Confirmation IP logging — the IP address used to confirm an erasure request is now stored for audit purposes.
  
• Automatic IP purge — a new scheduled command (gdpr:clear-confirmation-ips) automatically nulls stored confirmation IPs after 90 days, keeping data retention proportionate.
  
• Erasure modal timestamps — the admin process-erasure modal now shows the requested-at, confirmed-at, and eligible-for-auto-processing dates.
  

---

📦 Versions released

• flarum/core — 1.8.14
  
• flarum/nicknames — 1.8.3 ⚠️ security fix
  
• flarum/extension-manager — 1.0.8
  
• flarum/suspend — 1.8.6
  
• flarum/gdpr — 1.8.2
  

---

🚀 How to update

composer update

As always, back up your database before updating, and test on a staging environment first if possible.

---

📋 Full changelog

Core (flarum/core)

Fixed

• Show correct error message for HTTP 405 Method Not Allowed responses by @IanM #4417
  
• Fix PHP warnings in restricted environments by @IanM #4336
  
• Fix Less boolean custom functions returning incorrect values by @IanM #4405
  
• Invalidate unread notification count cache when all notifications are deleted by @IanM #4391
  

Performance

• Eliminate redundant DB writes in auth middleware and cache notification counts by @IanM #4365
  
• Store scheduler last-run timestamp in cache instead of database by @IanM #4363
  

Added

• Fire ApplicationBooted event after all service provider boot callbacks complete by @IanM #4358

Nicknames (flarum/nicknames)

Security

• Validate nicknames to prevent display name injection in notification emails (CVE-2026-30913) GHSA-3c4m-j3g4-hh25

Extension Manager (flarum/extension-manager)

Changed

• Remove Extiverse marketplace references by @IanM #4395

Suspend (flarum/suspend)

Changed

• Build missing JS typings by @IanM #4337

GDPR (flarum/gdpr)

Fixed / Security

• Invalidate erasure confirmation token after use (one-time link) by @IanM flarum/gdpr#70
  
• Guard against re-confirming already-processed erasure requests by @IanM flarum/gdpr#70
  

Added

• Log confirming IP address on erasure requests for audit purposes by @IanM flarum/gdpr#70
  
• Scheduled command to purge confirmation IPs after 90 days by @IanM flarum/gdpr#70
  
• Show requested-at, confirmed-at, and eligible-for-auto-processing dates in erasure modal by @IanM flarum/gdpr#70
  

Flarum 2.0.0-beta.8 Released 🎉

Beta.8 is a big one. After the infrastructure groundwork laid in earlier betas, this release is packed with new features, a major icon library upgrade, meaningful performance wins, and a long list of fixes and polish. This is the most feature-rich beta we've shipped for 2.0.

👀 You're already running it. This very forum — discuss.flarum.org — has been updated to beta.8. Consider this your live preview.
🧪 Want to try Flarum 2.0 before committing? Check out our nightly demo at nightly.flarum.site, rebuilt every day from the latest 2.x code.
🚨 Beta.8 is the last feature release before RC. The 2.x branch is now in a bug-fix-only freeze — no new features will be merged. 2.0.0-rc.1 is scheduled for April 20, 2026. If you've been waiting to test Flarum 2.0, the time is now.

---

🆕 What's in beta.8?

⚠️ New PHP requirement

Due to the Laravel upgrade in this release, Flarum 2.0 now has a minimum PHP requirement of 8.3
Supported versions are: 8.3, 8.4 and 8.5

🎨 FontAwesome 7.x

Flarum now ships with FontAwesome 7, upgraded from 6.5.2. FA7 brings a refreshed icon set, a cleaner package structure, and is the foundation for all future icon additions. The good news for extension developers: the .fas / .far / .fab class aliases are preserved, so existing icon class strings continue to work without changes.
Alongside the upgrade, the FontAwesome CDN/Kit is now loaded non-blocking, so it no longer holds up page rendering — a meaningful improvement for forums relying on the CDN for Pro icons.

---

⚡ CSS loads asynchronously

Stylesheets are now loaded asynchronously to eliminate render-blocking CSS. This means the browser can start rendering the page sooner, reducing perceived load time — particularly noticeable on first visit or cold cache.

---

🔔 Realtime: extender API, per-extension integrations & notification toasts

The realtime extension has been significantly rearchitected. Extensions can now wire their own realtime behaviour via a dedicated Realtime extender, rather than requiring realtime to have hardcoded knowledge of every extension.
In practice this means:

• flarum/flags, flarum/likes, flarum/lock, and flarum/messages all now handle their own realtime push events
• A new NotificationToast component shows incoming notifications as auto-dismissing toasts in the top-right corner — you'll see these appear in real time as activity happens while you're browsing

---

🖼️ WebP image conversion

Flarum now automatically converts uploaded avatars and logos to WebP — a modern format that's typically 30–50% smaller than JPEG/PNG with no visible quality loss. A batch migration command is included to convert existing avatars. Logos also gain support for animated GIF and a new dark mode logo setting.

---

🔒 OAuth improvements

The OAuth flow has been rewritten to use a redirect-only model. This is a security improvement and fixes edge cases in the previous approach where the response type could vary.

---

📋 Admin panel additions

• Announcements widget on the admin dashboard — keep your team informed directly from the admin panel

---

📳 Haptic feedback

Mobile users now get haptic feedback on key interactions (button taps, etc.), with a user preference to disable it if desired. This has been extended to core and bundled extensions.

---

📦 Laravel 13

Flarum's Illuminate components have been upgraded to Laravel 13. No changes are needed for extensions that follow standard patterns.

---

🌊 IdWithDisplayNameSlugDriver

A new slug driver that combines a model's ID with its display name — giving you human-readable URLs that remain stable even if the display name changes. Available for discussions, users, tags, and mentions.

---

📧 Mail improvements

• Postmark is now a supported mail driver out of the box
• Send failures are now logged and fire an EmailSendFailed event, making it much easier to diagnose mail delivery issues

---

🌐 Miscellaneous additions

• Logout is now a POST request (security improvement — prevents CSRF-based logout)
• New CloseWatcher API for modals and dropdowns uses the browser's native back-gesture/Escape handling where available
• Reusable Hero component for use in custom pages
• Customizable user avatar drivers — extensions can now register their own avatar sources
• (gdpr) PII field declarations, anonymized context support, confirmation token invalidation, IP logging and purge, and a safeguard for cancelled erasure requests
• (package-manager) Now searches Packagist directly instead of the flarum.org API; rejects extensions incompatible with the current Flarum major version
• (subscriptions) Auto-follow discussions on create
• (realtime) Notification toast duration is now configurable from the admin panel; set to 0 to disable toasts entirely
• (install) Queue driver configuration is now supported directly in the installer
• PostgreSQL search_path is now configurable for multi-schema setups

---

🔧 Fixes & polish

Beta.8 also includes the most fixes of any beta so far. Highlights:

📱 Mobile layout

Posts on mobile now have symmetric horizontal padding, fixing the visual asymmetry caused by the hidden avatar column.

🔔 Notification contrast

Unread notifications now have a clear primary-colour left border in the notification dropdown, improving readability in dark mode where background contrast alone wasn't sufficient.

🔍 Search & mentions

• User search is now case-insensitive across all supported databases
• Mentions no longer crash when a tag or group has no icon/color set
• An editor-ready race condition in mentions has been resolved without the previous arbitrary timeout workaround
• The AuthorFilter in search now uses SlugManager so custom slug drivers are respected

🏷️ Other fixes

• Sticky discussions in hidden tags no longer appear on the "All Discussions" page
• Admin dropdown menus (maintenance mode, slug driver, FontAwesome source) now correctly show their default values on fresh and upgraded installs
• Extension boot order is now re-sorted during php flarum migrate, so new optional-dependencies declarations take effect after a composer update without needing a manual enable/disable cycle
• Deleting a user account now also removes their avatar file from disk
• Emoji updated to Unicode 17

🔐 Security

• Display names are now sanitized in HTML notification emails to prevent injection (nicknames extension)
• Notification queries are scoped to the authenticated user
• Package manager task list endpoint restricted to admins

🛠️ Developer-facing

• LESS mixin definitions corrected — Button--block, Button--icon and others are now proper parametric mixins, fixing the FA Kit icon alignment issues
• Boolean custom LESS functions now return the correct Less_Tree_Keyword type
• Uncaught ReferenceError for async default exports prevented
• src/bootstrap/ typo fixed in jest-config (was src/boostrap/)
• Skip-to-content link visibility restored

---

🌍 The ecosystem is getting ready

With RC1 targeted for April 20, 2026, the ecosystem push is in full swing.
🌐 Language packs — @rob006 continues to drive language pack updates for 2.0. If you maintain a translation, please check in on those threads.
🤝 Friends of Flarum — FoF extensions are making great progress toward 2.0 compatibility, with only a handful of extensions left to go. Thank you to everyone involved.
📣 Extension developers — the API is now frozen. If something in core is blocking your extension update, open a discussion or file an issue immediately — bug fixes are still being accepted before RC1 on April 20, but this is your last window.

---

🚀 Try it yourself

• 🖥️ Live demo — nightly.flarum.site, rebuilt daily
• 👁️ Right here — discuss.flarum.org is running beta.8
• ⬆️ Update your install — composer update -W followed by php flarum migrate and php flarum cache:clear, and finally php flarum assets:publish (staging + backup first, as always)

---

💙 Thank you

Beta.8 has more community contributions than any previous 2.0 beta — thank you to everyone who submitted a pull request.

• @datlechin (GitHub) — customizable user avatar drivers #4130, skip password check for passwordless drivers #4435
• @davetodave178 — reusable Hero component #4215, IdWithDisplayNameSlugDriver #4470
• @rafaucau (GitHub) — CloseWatcher API #4433, dark mode logo support #4457, prevent Uncaught ReferenceError for async default exports #4397, missing content attr type on Alert #4495
• @edgeinfinity1 (GitHub) — tags mutation improvements #4393
• @grimur82 (GitHub) — GDPR safeguard for cancelled erasure requests #4387
• @johannsa (GitHub) — PostgreSQL search_path support #4241
• @huoxin233 (GitHub) — auto-follow discussions on create #4464
• @IanM — everything else

---

📋 Changelog

Added

• (realtime) extender API, per-extension integrations, and notification toasts by @IanM #4473
• (admin) announcements widget on admin dashboard by @IanM #4471
• (admin) collapsible extension categories, health widget & abandoned package support by @IanM #4392
• (core, mentions, likes) implement IdWithDisplayNameSlugDriver by @davetodave178 #4470
• (core) redirect-only OAuth flow — rewrite ResponseFactory by @IanM #4461
• (core) CloseWatcher API for modals and dropdowns by @rafaucau #4433
• (core) haptic feedback user preference and utility by @IanM #4430 #4434
• (core) reusable Hero component by @davetodave178 #4215
• (core) customizable user avatar drivers by @datlechin #4130
• (core) convert uploaded avatars to WebP, add batch migration command by @IanM #4431
• (core) convert uploaded logos to WebP, support animated GIF by @IanM #4458
• (core) add dark mode logo support by @rafaucau #4457
• (core) change logout from GET to POST by @IanM #4448
• (core) upgrade FontAwesome from 6.x to 7.x by @IanM #4388
• (core) load FontAwesome CDN/Kit non-blocking by @IanM #4463
• (core) load CSS asynchronously to eliminate render-blocking stylesheets by @IanM #4462
• (gdpr) PII field declarations and anonymized context support by @IanM #4396
• (gdpr) port confirmation token invalidation, IP logging and IP purge by @IanM #4423
• (mail) add Postmark driver by @IanM #4455
• (mail) log send failures and fire EmailSendFailed event by @IanM #4385
• (package-manager) replace flarum.org API with Packagist search by @IanM #4394
• (tags) fix tags mutation shows [deleted] and related improvements by @edgeinfinity1 #4393
• (realtime) make notification toast duration configurable; 0 disables toasts by @IanM #4497
• (subscriptions) add support for auto follow discussions on create by @huoxin233 #4464
• (install) support queue configuration in installer file by @IanM #4484
• (core) add support for pgsql's search_path by @johannsa #4241

Fixed

• (core) various styling fixes: mobile post padding, unread notification contrast, primary button text colour by @IanM #4480
• (realtime) restore full-width new-activity banner; move state to IndexPage by @IanM #4481
• (core) make user search case-insensitive across all supported databases by @IanM #4467
• (core) normalize database version strings in admin dashboard by @IanM #4466
• (core) skip password check on update page for passwordless drivers by @datlechin #4435
• (core) add missing method_not_allowed translation for error view by @IanM #4418
• (core) preserve translations when switching locale by @IanM #4400
• (core) return Less_Tree_Keyword for boolean custom Less functions by @IanM #4406
• (core) prevent Uncaught ReferenceError for async default exports by @rafaucau #4397
• (core) use correct --page-bottom-padding CSS variable in App by @IanM #4438
• (core) use luma-based text colour for primary buttons to ensure contrast by @IanM #4451
• (core) add left padding to posts on mobile by @IanM #4422
• (core) reduce post horizontal padding on mobile to 15px by @IanM #4456
• (core) prevent hr at end of poststream if more children are present by @IanM #4460
• (core) LESS mixin definitions and skip-to-content link visibility by @IanM #4389
• (core) disable auto_tls for None encryption, add SSL cert verification bypass by @IanM #4445
• (approval) apply opacity to whole unapproved post, not child elements by @IanM #4453
• (formatter) handle null content in HasFormattedContent and mentions unparsers by @IanM #4452
• (gdpr) add GDPR safeguard for cancelled erasure requests by @grimur82 #4387
• (jest-config) rename src/boostrap/ to src/bootstrap/ and update all imports by @IanM #4413
• (less) fix FA Kit icon alignment and spurious icon regressions by @IanM #4409
• (mentions) prevent crash when tag or group has no icon/color by @IanM #4447
• (mentions) resolve editor-ready race condition without arbitrary timeout by @IanM #4411
• (messages) refresh DialogMessage after create to resolve number expression by @IanM #4384
• (nicknames) sanitize display names to prevent injection in HTML notification emails by @IanM #4454
• (notifications) scope notification queries to the authenticated user by @IanM #4441
• (notifications) invalidate unread count cache on delete all by @IanM #4390
• (package-manager) reject extensions incompatible with current Flarum major version by @IanM #4412
• (package-manager) restrict task list endpoint to admins only by @IanM #4410
• (search) use SlugManager in AuthorFilter to support custom slug drivers by @IanM #4486
• (settings) register missing defaults for admin dropdown settings by @IanM #4491
• (sticky) sticky discussions in hidden tags appear on all-discussions page by @IanM #4492
• (user) delete avatar file from disk when user account is deleted by @IanM #4485
• (core) capture extension name by value in initializer error closure by @IanM #4482
• (core) add missing content attr type to Alert component by @rafaucau #4495
• (emoji) update to Emoji/Unicode 17 by @datitisev #4489

Changed

• upgrade Illuminate components to Laravel 13 by @IanM #4468
• (core) flarum-webpack-config 3.0.3 by @IanM #4398
• (core) remove Array.prototype.flat polyfill by @IanM #4483
• (extensions) re-sort extension order during migrate to pick up new optional-dependencies by @IanM #4493

Flarum 2.0.0-beta.7 Released 🎉

We're happy to ship another beta release! Beta.7 is a focused quality-of-life update — no sweeping infrastructure changes this time, just a collection of bug fixes, polish, and some meaningful performance improvements that will benefit every Flarum installation.

👀 You're already running it. This very forum — discuss.flarum.org — has been updated to beta.7. Consider this your live preview.
🧪 Want to try Flarum 2.0 before committing? Check out our nightly demo at nightly.flarum.site, rebuilt every day from the latest 2.x code.
🗺️ Roadmap heads up: we're planning just one more beta before we move into the RC (Release Candidate) cycle. If you've been sitting on the fence about testing 2.0, now is the time — your feedback in these final betas directly shapes the release.

---

🔭 What's the RC cycle?

For those unfamiliar with how software release cycles work, here's a quick rundown of where we're headed:

• 🔶 Beta (where we are now) — Feature-complete enough to test, but APIs are still in flux. Breaking changes to extensions can happen between betas.
• 🔷 Release Candidate (RC) — "Last call." The API is frozen: no new features, no breaking changes. Only critical bug fixes are accepted.
• 🟢 Stable 2.0.0 — RC with no blockers = stable release. Flarum 2.x then follows normal semantic versioning.

What this means for you specifically:

• 🏠 Forum admins — Once we reach RC, the upgrade path to stable will be smooth and well-defined. RC is safe to run in production for early adopters.
• 🔌 Extension developers — The RC is your last warning sign. Extensions not updated by then will be incompatible with Flarum 2.0 stable. Update now while we can still adapt core to your needs.
• 🐛 Everyone — Bug reports during RC carry extra weight. A report could be the difference between a fix landing in 2.0.0 or being deferred to 2.0.1 or even 2.1.

---

🆕 What's in beta.7?

🏷️ Tag-restricted discussions: authors can now rename and hide their own posts

This one has been a thorn in the side of communities using tag permissions for a while. If your forum has a restricted tag (where only certain groups can interact), authors were unexpectedly blocked from renaming or deleting their own discussions — even though those are "own-content" actions that should always be available to the author.
The root cause was subtle: the tag permission system was intercepting every permission check, including the ones core uses to let authors manage their own content. It would deny the request before core even got a chance to say "but wait, they're the author!"
Beta.7 fixes this properly, backed by 14 new integration tests to keep it that way. ✅

---

⚡ Performance: fewer database queries on every request

This release includes several under-the-hood optimisations. Nothing you'll see directly — but your server will thank you.

• ⚡ Notification counts cached — was a DB query on every page load; now cached for 5 minutes and invalidated automatically when something changes.
• ⚡ Auth last-seen write eliminated — was an unconditional DB write on every request; now only writes when the data has actually changed.
• ⚡ Scheduler timestamp moved to cache — was a DB write every ₁ minute; now stored in the cache instead.
• ⚡ Rogue settings DELETE query fixed — a DELETE query was firing on every single request; this is now fixed.
• ⚡ DB version lookup cached — was a query on every admin page load; now cached for 24 hours.

Together, these changes add up to noticeably fewer database operations — especially on sites with active users.

---

🌙 Better dark mode support

Flarum now sets the color-scheme CSS property on the page root. Browsers use this hint to style their own native UI elements — scrollbars, checkboxes, form controls — to match your forum's theme. It also prevents Chrome's "Auto Dark Theme" from incorrectly inverting things like user avatars on forums already using a dark theme.

---

🔌 New for extension developers: ApplicationBooted event

There is now an ApplicationBooted event fired after all service provider boot() callbacks have completed. This gives extensions a reliable moment to run code that depends on the entire application being fully initialised — something that wasn't cleanly possible before.

---

✨ Forum interface polish

A handful of UI niggles have been smoothed out:

• 📜 Scroll jumping when navigating to a specific post — links to mid-discussion posts could cause the page to jump noticeably. Fixed.
• 🎬 Pop-in animation on the first post — the first post in a discussion wasn't getting the same smooth entrance animation as subsequent posts. Now it does.
• 🔗 Discussion URL not updating on scroll — the address bar URL should update as you scroll through a discussion. This wasn't always working. Fixed.
• 💬 Notification button tooltip positioning — the tooltip on the notification bell could appear in the wrong position. Fixed.
• 🔍 Search modal crash — in rare cases, triggering a search result navigation could crash with a null reference error. Fixed.
• ⚙️ Admin search source fix — an issue in the admin panel's search source could cause incorrect results in certain configurations. Fixed.

---

📡 Realtime extension fixes

• Fixed an error when a post wasn't visible to the current user due to tag restrictions — instead of crashing, it now handles this gracefully.
• The external settings cache now uses Eloquent instead of a raw database query, keeping things consistent.

---

🌍 The ecosystem is getting ready

Beta.7 is a good moment to take stock of where the broader Flarum ecosystem stands heading into the final stretch.
🌐 Language packs — @rob006 is actively working on getting the Flarum language packs updated for 2.0. If you maintain or contribute to a language pack, now is a great time to get involved — keep an eye on the language pack threads for updates.
🤝 Friends of Flarum — The FoF team is working through the last few extensions to bring them up to 2.0 compatibility. Great progress is being made and we're grateful for their ongoing commitment to the ecosystem.
📣 Other extension developers — your turn! We'd really love to see as many extensions updated as possible before RC. Here's why timing matters: if we discover a core API needs to change to accommodate your extension, we can still do that now in beta. Once we hit RC, that window closes.

Please update your extensions, test them against beta.7, and let us know if anything in core is getting in your way. Open a discussion here or file an issue on GitHub. We're listening and we want to help make the transition as smooth as possible.

---

🚀 Try it yourself

• 🖥️ Live demo — nightly.flarum.site, rebuilt daily from the latest 2.x code, no setup required
• 👁️ Right here — discuss.flarum.org is running beta.7, you're already experiencing it
• ⬆️ Update your own install — run composer update (staging environment + database backup first, as always)

With only one more beta before the RC cycle, there's no better time to kick the tyres and let us know what you find. Bug reports, feedback, and extension compatibility notes are all incredibly valuable at this stage.

---

💙 Thank you to our contributors

Beta.7 wouldn't be possible without the people who reported bugs, submitted pull requests, and reviewed code:

• @iPurpl3x — three forum scroll and animation fixes
• @zDaleZ — color-scheme dark mode improvement
• @IanM — everything else in this release

---

📋 Changelog

Added

• fire ApplicationBooted event after all service provider boot callbacks complete by @IanM #4366

Fixed

• (tags) authors unable to rename/hide own discussions in restricted tags by @IanM #4379
• handle null gotoItem in SearchModal to prevent crash by @IanM #4376
• (tooltip) add container prop to fix notification button tooltip positioning by @IanM #4375
• (admin) correct tree array construction in GeneralSearchSource by @IanM #4373
• (forum) sync discussion URL immediately on programmatic scroll by @iPurpl3x #4371
• (realtime) error when post not visible due to tag restrictions by @IanM #4369
• (forum) show pop-in animation on first post when loading a discussion by @iPurpl3x #4362
• (forum) prevent scroll jump when loading discussion to a specific post by @iPurpl3x #4361

Changed

• eliminate redundant DB writes in auth middleware and cache notification counts by @IanM #4380
• store scheduler last-run timestamp in cache instead of database by @IanM #4364
• fix rogue settings delete query that ran on every request by @IanM #4368
• (realtime) replace raw DB query with Eloquent for external settings cache by @IanM #4367
• add color-scheme property to root.less for better dark-mode support by @zDaleZ #4357