v6.2.1 — 28 January 2026
Type: Patch release
Breaking changes: None
Summary
This is a targeted patch release addressing three issues reported by customers following the v6.2.0 rollout, plus two security fixes: one from our regular security audit and one reported by an external security researcher.
Bug fixes
Invoice PDF rendering broken for some address formats
Invoices for clients with an address longer than 60 characters were being truncated on the PDF, cutting off the city/state line. This only affected the PDF download — the on-screen invoice displayed correctly.
Fixed: Address block now wraps to a second line when the address exceeds the column width.
Affected customers: Any account generating PDF invoices for clients with long addresses. No data was lost.
Xero sync failing for bills with zero-quantity line items
When a Purchase Order was received with a line item at zero quantity (e.g. a backordered item not yet received), the Xero sync would fail with an unhelpful “Invalid bill” error. The sync failure did not cause data loss — the PO was still correctly recorded in StockFlow — but the corresponding bill was not created in Xero.
Fixed: Zero-quantity line items are now excluded from the Xero bill. A note is added to the bill description explaining that the item was backordered.
Affected customers: Customers using the Xero integration with partial PO receiving.
Decimal quantities rounded incorrectly in movement log export
When exporting the Movement Log to CSV, quantities stored with more than 2 decimal places (e.g. 2.750 kg) were being rounded to 2 decimal places in the export (2.75). The in-app display was correct.
Fixed: Movement Log CSV now exports the full precision quantity as stored.
Security patches
Reflected XSS in product search field
A reflected cross-site scripting (XSS) vulnerability was found in the product search field of the Goods List. To exploit it, an attacker would need to trick a logged-in StockFlow user into opening a specially crafted URL; script carried in that URL would then run in the victim's browser within their StockFlow session.
Severity: Medium (CVSS 4.3). Exploitation requires user interaction: the victim must already be authenticated and open the malicious link.
Fixed: The search term is now escaped for the HTML context it is rendered in before being reflected back in the UI, so markup supplied in the URL is displayed as text rather than interpreted by the browser. Reported responsibly by an external security researcher.
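The following is an added illustration of the fix pattern, not StockFlow's own code: a search handler that reflects the query parameter into the page, shown in its vulnerable form beside the hardened one. The URL path, the parameter name `q`, and the crafted payload are constructed for the example and are not taken from the advisory.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example of a crafted link of the kind the advisory describes.
# The host, path and parameter name are assumptions, not StockFlow's real ones.
CRAFTED_URL = (
    "https://stockflow.example/goods?q=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)


def search_term_from_url(url: str) -> str:
    """Extract the decoded q= parameter the way a search handler would."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("q", [""])[0]


def render_results_vulnerable(term: str) -> str:
    """Vulnerable: the raw term is concatenated straight into the HTML."""
    return (
        '<input name="q" value="' + term + '">'
        "<p>Results for " + term + "</p>"
    )


def render_results_fixed(term: str) -> str:
    """Hardened: escape for the HTML context before reflecting.

    quote=True also encodes the " and ' characters, which matters here because
    the term is reflected inside a quoted attribute value as well as in body text.
    """
    safe = html.escape(term, quote=True)
    return (
        '<input name="q" value="' + safe + '">'
        "<p>Results for " + safe + "</p>"
    )


def contains_injected_script(page: str) -> bool:
    """Crude check used in the demo: does the page contain a live <script> tag?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    term = search_term_from_url(CRAFTED_URL)
    print("vulnerable:", render_results_vulnerable(term))
    print("fixed:     ", render_results_fixed(term))
```

`html.escape` covers the two contexts this handler reflects into (HTML body and a double-quoted attribute). A value reflected into a JavaScript string, a URL, or an unquoted attribute needs the encoder for that context instead; escaping for the wrong context is a common way for a "sanitised" reflection to remain exploitable.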
Session token not invalidated on password change
Changing a user’s password did not immediately invalidate existing session tokens for that user. This meant that if a session token was compromised, changing the password alone would not immediately terminate the attacker’s access.
Severity: Medium (CVSS 5.1).
Fixed: All active sessions for a user are now immediately invalidated when their password is changed or reset.
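As an added example of the mechanism (not StockFlow's implementation), the session service below tags every session with the password "generation" that was current when it was issued and bumps that generation on each password change or reset. Stale sessions are both deleted from the store and, as a second line of defence for any copy that survives (caches, replicas), rejected on lookup because their generation no longer matches. The user names, passwords and PBKDF2 password hashing are constructed for the example; a production system would use argon2id or bcrypt.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    # Bumped on every password change or reset. A session is only valid while
    # the generation it was issued under is still the user's current one.
    password_generation: int = 0


@dataclass
class Session:
    token: str
    username: str
    password_generation: int


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for a production password hash (argon2id/bcrypt).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthService:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        """Verify the password and issue a session bound to the current generation."""
        user = self.users.get(username)
        if user is None:
            return None
        candidate = _hash_password(password, user.salt)
        if not secrets.compare_digest(candidate, user.password_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, user.password_generation)
        return token

    def current_user(self, token: str) -> Optional[str]:
        """Resolve a token; None if it is unknown or predates the last password change."""
        session = self.sessions.get(token)
        if session is None:
            return None
        user = self.users[session.username]
        if session.password_generation != user.password_generation:
            # Issued under an old password: treat as revoked and drop it.
            del self.sessions[token]
            return None
        return user.username

    def change_password(self, username: str, new_password: str) -> int:
        """Set a new password and revoke every session issued under the old one.

        Used for both user-initiated changes and reset flows. Returns the number
        of sessions revoked so callers can log it.
        """
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new_password, user.salt)
        user.password_generation += 1
        stale = [t for t, s in self.sessions.items() if s.username == username]
        for t in stale:
            del self.sessions[t]
        return len(stale)


def demo() -> dict:
    """Scenario from the advisory: a captured token outlives a password change."""
    auth = AuthService()
    auth.register("alice", "correct horse battery staple")  # constructed credentials
    stolen_token = auth.login("alice", "correct horse battery staple")
    before = auth.current_user(stolen_token)          # attacker's token works
    revoked = auth.change_password("alice", "new-passphrase-2026")
    after = auth.current_user(stolen_token)           # ...and is now dead
    fresh = auth.login("alice", "new-passphrase-2026")
    return {"before": before, "revoked": revoked, "after": after,
            "fresh_ok": auth.current_user(fresh)}


if __name__ == "__main__":
    print(demo())
```

The generation check is what makes the fix robust: deleting rows from the session store is enough only if every place a session can be validated reads that store synchronously. Checking the generation at lookup time means a token issued before the change is rejected wherever it turns up.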
Notes
No database schema changes in this release. No action is required from customers to apply the fixes. Note that the session fix applies to password changes made on v6.2.1 or later: a password changed before upgrading did not terminate that user's other sessions, so any user who changed their password in response to a suspected token compromise should change it again after upgrading.