OJS 3.5.0.4 โ Release Highlights
Status: โ
Released โ Current stable release
Release date: 2025
LTS Candidate: Yes โ PKP is evaluating 3.5.0.4 for Long-Term Support designation
This page summarises the key improvements introduced in OJS 3.5.0.4 compared to earlier 3.5.0.x releases.
Full guide available
For a step-by-step upgrade guide to this version, see the OJS 3.5.0.x โ OJS 3.5.0.4 Migration Guide.
Security Improvementsโ
- Hardened file upload validation โ malicious file extensions are now rejected at multiple validation layers
- XSS fix in search โ a reflected cross-site scripting vulnerability in the search interface has been patched
- Dependency updates โ JavaScript and PHP dependencies with known CVEs have been updated
- CSRF strengthening โ CSRF token validation tightened on additional form endpoints
Bug Fixes of Noteโ
| Area | What Was Fixed |
|---|---|
| PDF.js Viewer | Now renders correctly on HTTPS sites with strict Content Security Policy headers |
| CrossRef bulk deposit | Fixed failures for journals whose ISSNs contain special characters |
| COUNTER 5 reports | Eliminated duplicate rows in TR_J1 reports for multi-galley articles |
| OAI-PMH | Deleted records now return the correct datestamp in ListIdentifiers responses |
| Plugin manager | "Install from file" now works for ZIP archives larger than 20 MB |
| Reviewer notifications | "Send a copy to self" preference is now respected |
| User export | Bulk user export no longer includes unintended inactive accounts |
| Submission wizard | Missing metadata fields for certain locale configurations restored |
Improvementsโ
- Job queue stability โ background job worker is more resilient under high submission load
- REST API extension โ new
GET /submissions/{id}/publications/{pubId}/galleysendpoint - Accessibility โ improved WCAG 2.1 AA compliance on the reviewer interface
- Email templates โ updated default invitation email templates
Why 3.5.0.4 as LTS?โ
PKP targets a Long-Term Support designation for a 3.5.x release to give institutions a stable, well-supported version for 2โ3 years. OJS 3.5.0.4 is the current LTS candidate because:
- It resolves all known critical and high-severity bugs from the 3.5.0 series
- It ships the security hardening needed for production deployments
- PHP 8.1+ and MySQL 8.0+ requirements are now well-established in the ecosystem
- The plugin ecosystem has largely caught up to OJS 3.5 compatibility
Check the PKP Roadmap for the official LTS announcement.
Recommended Actionโ
If you are running any earlier OJS version:
- OJS 3.5.0.0 โ 3.5.0.3 โ Upgrade to 3.5.0.4 (patch upgrade, minimal downtime)
- OJS 3.4.x โ Upgrade to the latest 3.4 patch, then follow the Upgrading OJS guide to reach 3.5.0.4
- OJS 3.3.x โ Migrate 3.3 โ 3.4, then upgrade to 3.5.0.4
- OJS 2.x โ Migrate to OJS 3.3 first