
Review Board 5.0 Release Notes

Release date: October 4, 2022

This release contains all bug fixes and features from Review Board version 4.0.11.


Review Board 5.0 drops support for Python 2.7, which has been end-of-life since January 2020. The 5.x series will support Python 3.7 through 3.11.

To install this release, run the following using a compatible version of Python:

$ sudo pip3 install ReviewBoard==5.0

And then perform an upgrade of your site. See Upgrading Review Board for details.

Database Changes

Note that this release contains database schema changes to the following tables:

  • oauth2_provider_accesstoken

  • oauth2_provider_application

  • oauth2_provider_grant

  • oauth2_provider_idtoken

  • oauth2_provider_refreshtoken

  • reviewboard_oauth_application

  • scmtools_repository

  • webapi_webapitoken

Migrating the database will take a small amount of time. Please test the upgrade on a copy of your database first, to ensure the upgrade is smooth and to time how long the upgrade takes.


Do not cancel the upgrade on a production system for any reason. Doing so will corrupt your database, requiring a backup or our repair service (available under a support contract).


New Features

Single Sign-On with SAML 2.0

Single Sign-On (SSO) is increasingly important in the enterprise world, providing centralized user and application provisioning and much better security.

Review Board now supports SAML 2.0 for authentication and user provisioning. This allows the use of Auth0, OneLogin, Okta, and many other SSO providers.

See SAML 2.0 Authentication for more information.

Detection of Trojan Source Attacks

Trojan Source attacks employ special Unicode characters, such as bi-directional control characters, zero-width spaces, or confusable/homoglyph characters (which have the appearance of other common characters), to trick reviewers into approving possibly malicious code.

These attacks are tracked as CVE-2021-42574 and CVE-2021-42694, and affect many tools on the market (code review tools, IDEs, repository browsers, and more).

Review Board now detects characters that can be used in these attacks, and flags them in the diff viewer. When found, a helpful notice with examples and informative links will be shown at the top of the file, and the lines themselves will be flagged.

The Unicode characters will be highlighted and replaced with their Unicode codepoints, rendering the attack harmless. Reviewers can click a button to see how the code would have looked.

This will also be shown when previewing a diff before publishing, in case any new code was copied/pasted from a malicious source.

Learn more.
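The detection described above can be reproduced outside the diff viewer, for example as a pre-review check. The following is an added example, not Review Board's own code: it scans the added lines of a unified diff for bi-directional controls and zero-width characters and rewrites them as visible codepoints. The character sets, function names and sample diff are assumptions, and confusable/homoglyph detection is not covered.

```python
import re
import unicodedata

# Assumed character sets; the page does not list what Review Board checks.
BIDI = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
           "\u2066\u2067\u2068\u2069")
ZERO_WIDTH = set("\u200b\u200c\u200d\u2060\ufeff")
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def classify(ch):
    """Return 'bidi', 'zero-width' or None for one character."""
    return "bidi" if ch in BIDI else "zero-width" if ch in ZERO_WIDTH else None


def neutralize(text):
    """Swap each flagged character for a visible <U+XXXX> marker."""
    return "".join(f"<U+{ord(c):04X}>" if classify(c) else c for c in text)


def scan_diff(diff_text):
    """Return (line, column, kind, name, safe_text) for each flagged
    character on the added lines of a unified diff."""
    findings, old, new, line_no = [], 0, 0, 0
    for raw in diff_text.split("\n"):
        in_hunk = old > 0 or new > 0
        m = None if in_hunk else HUNK.match(raw)
        if m:  # hunk header: line counts for each side, new-file start line
            old, line_no, new = (int(m.group(i) or 1) for i in (1, 2, 3))
        elif not in_hunk or raw.startswith("\\"):
            continue  # file headers, or "\ No newline at end of file"
        elif raw.startswith("-"):
            old -= 1  # removed line: not part of the new file
        elif raw.startswith("+"):
            for col, ch in enumerate(raw[1:], start=1):
                if classify(ch):
                    findings.append((line_no, col, classify(ch),
                                     unicodedata.name(ch, "UNKNOWN"),
                                     neutralize(raw[1:])))
            new, line_no = new - 1, line_no + 1
        else:  # context line: present on both sides
            old, new, line_no = old - 1, new - 1, line_no + 1
    return findings


# Constructed sample diff: one bidi override pair and one zero-width space.
SAMPLE = ("--- a/auth.py\n+++ b/auth.py\n@@ -10,2 +10,4 @@\n def check(user):\n"
          "+    # \u202eadmins only\u202c\n"
          "+    is_ad\u200bmin = user.role == 'admin'\n"
          "     return True\n")
```

Calling scan_diff(SAMPLE) reports line and column positions in the new file, so findings can be attached to the same lines a reviewer sees.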

Dashboard Improvements

The Ship It! indicators in the dashboard are now grey if there’s been a new update since the last Ship It! (Bug #2106).

This makes it easier to see at a glance which changes have been updated since they’ve been approved, helping you to prioritize what you review next.

Enhanced API Tokens

Since Review Board 2.5, users have been able to create API Tokens through the My Account page for use with RBTools or custom scripts using the Review Board API. These have historically been SHA1-based tokens.

We’ve revamped API tokens in Review Board 5. They now support:

  • Expiration dates – tokens past an expiration date will no longer work.

  • Invalidation – administrators can mark tokens as invalid and specify the reason.

  • A larger length (255 characters), for security.

  • Tracking the last-used date/time of a token.

  • The ability to be scanned via secret scanning by checking an identifiable prefix (rbp_) and a checksum in the token.

All legacy tokens will continue to work, but we recommend moving to newer tokens for security.

The API Tokens management page in My Account has been updated:

  • Tokens can now be copied with one click.

  • The time a token was last used, and how long until it expires or how long since it expired, is now shown and can be changed.

  • If a token is invalidated, the date and reason why will be shown.

Users will be notified if they try to use a token that has expired.

Administrators can invalidate tokens through a new invalidate-api-tokens site management command.

New Integrations

  • Elasticsearch 1.x, 2.x, 5.x, and 7.x

    Previously, due to compatibility issues in the search backend package we use, only Elasticsearch 1.x and 2.x were available. We now support 5.x and 7.x.

    To enable the version you want, you must install the appropriate version of the elasticsearch package. We provide the following convenient packages:

    • 1.x: pip3 install ReviewBoard[elasticsearch1]

    • 2.x: pip3 install ReviewBoard[elasticsearch2]

    • 5.x: pip3 install ReviewBoard[elasticsearch5]

    • 7.x: pip3 install ReviewBoard[elasticsearch7]

    See Elasticsearch Configuration for more information.

  • Matrix

    Matrix is a modern, decentralized chat service. It allows individual servers to be set up and federated, and supports many chat features, including end to end encryption.

    Review Board can now post to Matrix when review requests are posted or updated, or whenever there are new discussions on the review request.

    See the documentation for configuration instructions.

    Patch by Ruonan Jia.

Administration Features

  • Custom syntax highlighting configuration for diffs.

    The choice of syntax highlighters has traditionally been left up to the decisions made by the Pygments library. In most cases it is correct, but sometimes the wrong lexer would be chosen for certain filenames. This can now be overridden on a case-by-case basis, mapping file extensions to Pygments lexer names. These mappings can be configured in the Diff Viewer settings within the Review Board admin UI.

  • The Install Key field in Administration UI -> Support Settings can now be copied with one click.

    This makes it easier to activate support or get a Power Pack license.

Performance Improvements

Significant improvements have been made to database query performance for dashboards, search, and in the API.

This should be especially noticeable on very large servers with many repositories and review groups.

For best performance, we also recommend installing using Python 3.10.



Several of Review Board’s internal APIs have been modernized.

Extensions can take advantage of the new features in Django 3.2, Djblets 3, and Review Board.

SCMTools Registry

SCMTools have traditionally been defined using Python entry points, and a management command had to be run to scan the entry points and add a row to the scmtools_tool table in the database.

We’ve changed this to instead use a registry. Entry points and the Tool model will still work in Review Board 5.0, but this usage is deprecated and will be removed in a future release.

As part of this, a new extension hook, SCMToolHook, has been added. We recommend that anybody who has implemented a custom SCMTool change their code to use the new hook instead of entry points.

JavaScript Async Operations

Most asynchronous operations in the JavaScript APIs have been extended to return promises. The promises can either be used directly, or can be used implicitly through the use of async and await.

If you develop client-side extensions, you will need to upgrade.

The callback usage is still available, but has been deprecated and will be removed in a future release.

Bug Fixes

Review Requests

  • Fixed a handful of issues that could occur when a new review request was discarded before being published, but then updated again via RBTools.

  • Fixed switching between “Source” and “Rendered” views when viewing a diff of Markdown-type file attachments.

User Accounts

  • Fixed a crash when a database issue causes multiple user profiles to be created for the same user.

  • Fixed a UI issue when changing API token policies where the wrong policy could be shown if making multiple changes to a policy and then canceling out of the policy editor.


  • Fixed potential problems with environment variables when executing brz.


  • Corrected the help text that would be displayed if an extension fails to load.

  • Fixed a crash when trying to load extensions from broken Python packages.


  • Barret Rennie

  • Chaoyu Xiang

  • Christian Hammond

  • David Trowbridge

  • Gurvir Dehal

  • Jordan Van Den Bruel

  • Kyle McLean

  • Matthew Goodman

  • Michelle Aubin

  • Ruonan Jia

  • Sarah Hoven

  • Taylor Christie