The next generation of Review Board is here.

Review Board 5 introduces an assortment of new enhancements to keep your server, your source code, and your users more secure, through Single Sign-On, Trojan Source Detection, and enhanced API tokens.

Stale Ship It! indicators in the dashboard help your users see which review requests need another round of reviews.

New global review and comment APIs help you perform queries across all accessible reviews and comments published on the server.

Review Board 5 is built using the latest LTS releases of Python 3 and Django 3.2, helping you keep your server secure and maintained for years to come, and offering your in-house extensions all new capabilities.

Let's go on a tour of Review Board 5.

Single Sign-On

Review Board 5 integrates with SAML-based Single Sign-On systems, such as Auth0, OneLogin, and Okta.

This works alongside existing authentication services, including LDAP and Active Directory, giving you many options to manage how your users sign into Review Board.

Screenshot of a Log In form with Single Sign-On

Trojan Source Detection

Trojan Source attacks allow an attacker to craft malicious code that executes one way but looks another way through clever use of Unicode characters.

The diff viewer now looks for trojan source code, warning if found, and helping reviewers see how the malicious code was crafted.

Screenshot of a Trojan Source attack warning

Enhanced API Tokens

API Tokens are the recommended way to connect RBTools, your scripts, and your services to Review Board.

We've increased the strength and features of API tokens, enabling:

  • Token expiration, to help you limit use and transition to newer tokens
  • Revocation, enabling administrators to lock down access in the event of a security breach
  • Last use tracking, so you know if a token is safe to remove
  • Secret scanning, to help catch tokens leaked during review (we'll be enabling this in an upcoming release of Review Bot).

Screenshot of the new API token features, including new token format, expiration, and last use timestamp

Stale Ship It! Indicators

Ever get a Ship It! on a change, post a new update, and then have to bug people to give your change another look?

The dashboard now shows when the Ship It! on your review request is stale, and your change needs a re-review. The green "Ship It!" indicator will turn from a fresh green to a dull grey, hinting that there's more to do.

Screenshot of the dashboard with stale Ship It! indicators.


  • New APIs for looking up and filtering all reviews and comments on the server
  • Support for Elasticsearch 5.x and 7.x
  • New integrations with the Matrix secure team chat service
  • Ability to customize which syntax highlighter to use for which file types
  • Many performance improvements, bug fixes, and compatibility updates

See the release notes for the full list of changes in Review Board 5.

Ready to upgrade?

First, back up your database and site directory, and test an upgrade on a test server running Python 3.7-3.11 (we recommend 3.9 or 3.10 at this time).

An upgrade can take time, so plan accordingly. If you use extensions, make sure they've been updated to work with Review Board 5.

If your deployment fails, or you need assistance with your upgrade, we can help under a support contract.

To learn more about upgrading your server, see our upgrade instructions. You can also use our official Docker images.