Changelog

Changes and additions to Widget Platform, ordered by date (newest first).

2026-04-22 - Build Status: Non-Fatal Advisory Warnings

The build status on GitHub repository sources now includes a warnings array alongside state and error, surfacing non-fatal advisories detected on the latest build. The first advisory reports when a repository still uses the deprecated widget_registry.json filename, so you can spot the rename opportunity before the legacy fallback is removed.

2026-04-22 - Widget Registry: settings.shared Default Is Now false

When a widget in extensions_registry.json omits settings.shared, it now defaults to false (previously true). Authors who want cross-page sharing must set settings.shared to true explicitly. See Widget Definition Reference for the full settings reference.

2026-04-22 - Widget Registry: Non-Array configuration.properties Rejected with Targeted Error

In widget.json, configuration.properties must be an array of field definitions. Builds with the common JSON-Schema-style object shape are now rejected with a targeted error showing the correct shape. See Widget Definition Reference for details.

2026-04-22 - Widget Registry: category Is Now Required

Every widget in widget.json must declare a category. Publishes without one are rejected with a clear error identifying the missing field. Existing widgets that already declare a category are unaffected. See Widget Definition Reference for the full widget schema.

2026-04-21 - Extensions Registry: Canonical Filename Renamed to extensions_registry.json

The registry file at the root of your repository is now named extensions_registry.json. The old filename widget_registry.json is deprecated and still works during a migration window, but will be removed in a future release — rename it at your earliest convenience. No schema changes are required; the file contents remain identical. See Repository Layout for details.

2026-04-20 - HTML Attributes for Scripts and Stylesheets

Custom scripts and stylesheets now support an optional attributes field for standard HTML attributes like defer, async, and crossorigin, giving widget creators control over loading behavior and execution timing. See Script Definition Reference and Stylesheet Definition Reference for details.

2026-04-16 - Removed Legacy Template Customization for Widgets

Widget HTML is no longer processed as a Jinja2 template at render time. Previously, query parameters on the render URL were injected into {{ }} placeholders in widget HTML — this legacy mechanism has been removed. Widgets that used this pattern should migrate to sdk.getProps() for all runtime configuration needs.

2026-03-30 - Response Transformation for Connectors

Connectors can now reshape upstream API responses before returning them to the widget. Configure a Jinja2 template to extract specific fields, reformat JSON, or normalize error responses — all on the server, without any client-side logic. An optional content-type override lets you change the response format when the template produces a different output type. See Response Transformation for details.

2026-02-25 - Repository-Based Connector Definitions

Connectors can now be defined alongside widgets in a connectors_registry.json file at the repository root, validated and synced automatically on every push — ensuring the repository remains the single source of truth. See Repository Registry for details.

2026-02-19 - Manage GitHub Accounts and Disconnect

You can now manage GitHub account connections from one place: connect additional accounts, disconnect an account from your community without uninstalling the app from GitHub, and reconnect later if needed. See Connect Your GitHub Account for details.

2026-02-19 - Credential Scanning

Widget code is now scanned for hardcoded credentials — including API keys, private keys, and access tokens — before publishing, with flagged builds blocked to prevent accidental secret exposure. See Content Security for details.

2026-02-12 - Widget Thumbnails via Relative imageSrc

Widget creators can now use relative paths in imageSrc for widget preview images, keeping thumbnails in the same repository as the widget instead of hosting them externally.

2026-02-12 - Content Safety Scanning

Widget code is now automatically scanned for security issues — including crypto mining, data exfiltration, phishing, and obfuscated code — before publishing, with flagged builds rejected alongside a clear error message. See Content Security for details.

2026-02-11 - Security Headers and Cache Invalidation

Widget responses now include Referrer-Policy and Permissions-Policy headers, strengthening browser-level protections for embedded widgets. Additionally, deleting a widget now automatically removes cached content, ensuring stale content is no longer served after removal.

2026-02-10 - Delimiter-Separated Values in Connector Configuration

Connector configuration now accepts delimiter-separated values (comma, pipe, semicolon) in query parameters and headers, such as field selection lists commonly used when calling external APIs.

2026-02-04 - Widget Asset Co-location

Widget creators can now store assets (CSS, JS, images) alongside widget code and reference them using standard HTML relative paths, simplifying development and improving load performance.

2026-02-04 - Secure Secret References in Connector Configuration

Connector configuration now enforces secret references for credential fields, ensuring sensitive values are always stored securely.