InvoiceShelf
Open source invoicing solution for individuals and businesses
Alternative to: freshbooks, invoice ninja, zoho invoice
2.4.0
2026-06-122.x is entering feature freeze
InvoiceShelf 2.4.0 marks the feature freeze for the 2.x line. New feature development now moves to the next-generation 3.x branch. From here, 2.x will receive security patches only, through September 1, 2027 (2027-09-01) — no new features, but it stays supported and safe to run. We recommend planning your upgrade to 3.x before then; the in-app updater path to 3.x is being prepared.
This release rolls up the final round of 2.x work: security hardening, dependency updates, groundwork for a clean v2 → v3 upgrade, a move to pnpm for the frontend toolchain, and a couple of contributor features.
Security
- Enforce company scope on notes, estimate→invoice conversion, and user bulk-delete — GHSA-85wc, GHSA-j2vg, GHSA-wxrv (#661)
- Harden public EmailLog token endpoints — GHSA-73q7 (#662)
- Validate
ORDER BYinput on list endpoints — GHSA-cp8p (#663) - Restrict the Gotenberg renderer host to public addresses — GHSA-mfxg (#664)
- Recompute document totals server-side so client-supplied totals aren’t trusted — GHSA-8c69 (#665)
- Update dependencies to patched versions (#674):
laravel/framework(CVE-2026-48019),symfony/*,guzzlehttp/psr7,vite - Patch frontend dependencies — axios, vite, postcss, follow-redirects (#653)
Improvements
- Add duplicate expense action (#617) — @mchev
- Support 3-decimal tax percentages, e.g.
6.625%(#616) — @mchev - Updater: manifest-based stale-file cleanup + cache clearing, preparing a clean v2 → v3 in-app upgrade path (#659)
Build & Tooling
- Migrate the frontend toolchain to pnpm and pin a stable Vite build (#666, #674)
Translations
- New Crowdin translation updates across many locales (#615)
ℹ️ The CSV export work (#649) was reverted before this release and is deferred.
Full Changelog: https://github.com/InvoiceShelf/InvoiceShelf/compare/2.3.3…2.4.0