InvoiceShelf logo

InvoiceShelf

Open source invoicing solution for individuals and businesses

Alternative to: freshbooks, invoice ninja, zoho invoice


About Versions (20)

2.4.0

2026-06-12

2.x is entering feature freeze

InvoiceShelf 2.4.0 marks the feature freeze for the 2.x line. New feature development now moves to the next-generation 3.x branch. From here, 2.x will receive security patches only, through September 1, 2027 (2027-09-01) — no new features, but it stays supported and safe to run. We recommend planning your upgrade to 3.x before then; the in-app updater path to 3.x is being prepared.

This release rolls up the final round of 2.x work: security hardening, dependency updates, groundwork for a clean v2 → v3 upgrade, a move to pnpm for the frontend toolchain, and a couple of contributor features.

Security

  • Enforce company scope on notes, estimate→invoice conversion, and user bulk-delete — GHSA-85wc, GHSA-j2vg, GHSA-wxrv (#661)
  • Harden public EmailLog token endpoints — GHSA-73q7 (#662)
  • Validate ORDER BY input on list endpoints — GHSA-cp8p (#663)
  • Restrict the Gotenberg renderer host to public addresses — GHSA-mfxg (#664)
  • Recompute document totals server-side so client-supplied totals aren’t trusted — GHSA-8c69 (#665)
  • Update dependencies to patched versions (#674): laravel/framework (CVE-2026-48019), symfony/*, guzzlehttp/psr7, vite
  • Patch frontend dependencies — axios, vite, postcss, follow-redirects (#653)

Improvements

  • Add duplicate expense action (#617) — @mchev
  • Support 3-decimal tax percentages, e.g. 6.625% (#616) — @mchev
  • Updater: manifest-based stale-file cleanup + cache clearing, preparing a clean v2 → v3 in-app upgrade path (#659)

Build & Tooling

  • Migrate the frontend toolchain to pnpm and pin a stable Vite build (#666, #674)

Translations

  • New Crowdin translation updates across many locales (#615)

ℹ️ The CSV export work (#649) was reverted before this release and is deferred.

Full Changelog: https://github.com/InvoiceShelf/InvoiceShelf/compare/2.3.3…2.4.0