⚠️ Potential Breaking Changes

Attached prompts, content items, and visual editor elements to AI Assistant Context (#26512 by @bryantgillespie)
To use this feature, update @directus/visual-editing to v1.2.0+ on your website.

Disabled interfaces are not interactive anymore, which includes opening disabled read-only fields in a drawer (#26470 by @formfcw)

✨ New Features & Improvements

• @directus/app
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
  • Added collaborative editing (#26172 by @Nitwel)
  • Attached prompts, content items, and visual editor elements to AI Assistant Context (#26512 by @bryantgillespie)
  • Added multi-provider AI support with Google and OpenAI-compatible providers. Extracted shared AI types into new @directus/ai package. (#26481 by @bryantgillespie)
  • Added toggle to allow comparing revision to previous revision (#26480 by @robluton)
  • Added relational field support on x-axis of bar chart (#26489 by @JamesW1)
  • Added visual editing support to the live preview split pane, including display options menu, full-width mode with drag-to-expand, and quick access to the Visual Editor module. (#26463 by @bryantgillespie)
  • Changed permission-blocked fields from disabled to non-editable appearance (#26572 by @HZooly)
• @directus/api
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
  • Added collaborative editing (#26172 by @Nitwel)
  • Attached prompts, content items, and visual editor elements to AI Assistant Context (#26512 by @bryantgillespie)
  • Added multi-provider AI support with Google and OpenAI-compatible providers. Extracted shared AI types into new @directus/ai package. (#26481 by @bryantgillespie)
• @directus/sdk
  • Fixed race condition and allow accessing the connected state (#26511 by @Nitwel)
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
• @directus/system-data
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
• @directus/types
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
  • Added collaborative editing (#26172 by @Nitwel)
  • Added multi-provider AI support with Google and OpenAI-compatible providers. Extracted shared AI types into new @directus/ai package. (#26481 by @bryantgillespie)
• @directus/errors
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
• @directus/env
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
  • Added collaborative editing (#26172 by @Nitwel)
• @directus/utils
  • Added collaborative editing (#26172 by @Nitwel)
• @directus/ai
  • Attached prompts, content items, and visual editor elements to AI Assistant Context (#26512 by @bryantgillespie)
  • Added multi-provider AI support with Google and OpenAI-compatible providers. Extracted shared AI types into new @directus/ai package. (#26481 by @bryantgillespie)
• @directus/memory
  • Added distributed locking (#26172 by @Nitwel)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Replaced deprecated ldapjs with ldapts (#26363 by @dstockton)
  • Fixed an issue where the caret would jump to the end of the input in v-template-input when typing or updating content. (#26520 by @mustafaazad03)
  • Fixed back button navigation on related items (#26553 by @robluton)
  • Fixed table options menu clipping in markdown editor (#26487 by @DamnItAzriel)
  • Hide AI settings page when MCP and AI features are disabled through ENV (#26504 by @bryantgillespie)
  • Updated dependency (#26518 by @rijkvanzanten)
  • Fixed inconsistent disabled state across interfaces (#26470 by @formfcw)
  • Fixed an issue where custom CSS classes applied to PrivateView were not rendered (#26523 by @u12206050)
  • Fixed WYSIWYG interface not rendering when field is named "tooltip" (#26581 by @robluton)
  • Fixed issue preventing sidebar details from being fetched when navigating back (#26542 by @robluton)
  • Fixed Vue warning by passing required prop to interfaces (#26506 by @formfcw)
  • Fixed hardcoded "Loading..." text in field tree by using translation key (#26526 by @sinan-yildiz-marsus)
  • Renamed AI Chat to AI Assistant (#26517 by @bryantgillespie)
• @directus/api
  • Improved error message for system field updates that are not schema.is_indexed (#26548 by @JamesW1)
  • Replaced deprecated ldapjs with ldapts (#26363 by @dstockton)
  • Changed users.last_access display mode to absolute (#26548 by @JamesW1)
• @directus/system-data
  • Added collaborative editing (#26172 by @Nitwel)
  • Added multi-provider AI support with Google and OpenAI-compatible providers. Extracted shared AI types into new @directus/ai package. (#26481 by @bryantgillespie)
  • Changed users.last_access display mode to absolute (#26548 by @JamesW1)
  • Renamed AI Chat to AI Assistant (#26517 by @bryantgillespie)
• @directus/env
  • Fixed LDAP DN properties casted as arrays (#26579 by @ComfortablyCoding)
• @directus/memory
  • Handled empty buffers to prevent errors during race conditions or disconnects (#26172 by @Nitwel)

📦 Published Versions

• @directus/app@15.1.0
• @directus/api@33.1.0
• @directus/ai@1.1.0
• @directus/composables@11.2.10
• create-directus-extension@11.0.26
• @directus/env@5.5.0
• @directus/errors@2.2.0
• @directus/extensions@3.0.17
• @directus/extensions-registry@3.0.17
• @directus/extensions-sdk@17.0.6
• @directus/memory@3.1.0
• @directus/pressure@3.0.15
• @directus/schema-builder@0.0.12
• @directus/storage-driver-azure@12.0.15
• @directus/storage-driver-cloudinary@12.0.15
• @directus/storage-driver-gcs@12.0.15
• @directus/storage-driver-s3@12.1.1
• @directus/storage-driver-supabase@3.0.15
• @directus/system-data@4.1.0
• @directus/themes@1.2.2
• @directus/types@14.1.0
• @directus/utils@13.2.0
• @directus/validation@2.0.15
• @directus/sdk@21.1.0

Notice

• The Windows agent's updated version of LibreHardwareMonitorLib now uses PawnIO instead of WinRing0. If you lose temperature sensors, make sure PawnIO is installed. (See #1657 and #1697.)

• Container NetworkSent and NetworkRecv fields have been deprecated in favor of Bandwidth. Agents will stop populating those fields in 0.19.0, so please update any integrations to prefer Bandwidth. It's available for all containers on hubs >= 0.18.3.

What's Changed

• Add experimental sysfs AMD GPU collector. (#737, #1569)
• Improve container network stats accuracy.
• Fix SHARE_ALL_SYSTEMS for system_details, smart_devices, and systemd_services. (#1660)
• Improve CJK truncation in UI.
• Fix container uptime sorting edge case. (#1696)
• Remove stale systemd services from tracking after deletion. (#1594)
• Update honeypot field name and autofill ignores. (#1011)
• Write health_file to /dev/shm instead of /tmp if available. (#1455)
• Ensure battery current charge doesn't exceed full capacity. (#1668)
• Increase smartctl --scan timeout to 10 seconds. (#1465)
• Update Go dependencies

• Change usermod to addgroup for docker access by @wowi42 in #1641
• fix: update smartctlArgs call to use hasExistingData flag by @nemvince in #1645
• feat: add tooltip to system name in systems table by @Fahleen1 in #1640
• chore: update workflows and templates by @svenvg93 in #1661
• Add SMART_DEVICES_SEPARATOR + allow drives with the same name to be added with different types (e.g. raid controllers) by @jules2689 in #1655
• Chore: Remove Debian package goreleaser workaround by @svenvg93 in #1677
• [Agent] feat: parse ATA device statistics for temperature and future metrics by @sternma in #1689
• [Bug] Restore "Add System" button on mobile. by @svenvg93 in #1687
• Bug: Apply SELinux context after binary replacement by @svenvg93 in #1678
• feat: Added tooltips for navbar buttons to clear meaning of each one by @Fahleen1 in #1636
• Bug: Don't force lowercase text by @svenvg93 in #1682
• fix: update LibreHardwareMonitorLib to 0.9.5 by @bartvdbraak in #1697
• bug: ignore alt key combinations by @svenvg93 in #1698

New Contributors

• @wowi42 made their first contribution in #1641
• @nemvince made their first contribution in #1645
• @Fahleen1 made their first contribution in #1640
• @jules2689 made their first contribution in #1655
• @sternma made their first contribution in #1689
• @bartvdbraak made their first contribution in #1697

Full Changelog: v0.18.2...v0.18.3

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• #1264 now possible to grant the get permission when creating a share 95b827f
  • the button was already there, but until now it did nothing

🩹 bugfixes

• a safeguard (24141b4) added in v1.20.5 was too strict and would block requests from certain reverseproxies, specifically anything that adds X-Forwarded-HTTP-Version 72224d2

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• #1240 webdav clients can now set fractional last-modified timestamps (thx @jcwillox!) 296362f
• #1260 add support for running the server with GraalPy (thx @vgskye!) 73d06ea
• #1182 pressing CTRL-C will copy links of selected files to clipboard 9c14972

🩹 bugfixes

• #1248 shares: fix the buttons for extending expiration time b6bf6d5
• #1242 webdav: fix «MacOS Finder» taking forever to connect (thx @freddyheppell!) 8e046fb
• ie11 would spinlock in write-only folders 5c4ba37

🔧 other changes

• fast again! ed6a8d5
  • replaced the connection:close band-aid added in v1.20.4 with a proper fix that doesn't make things slower behind reverseproxies
  • I've tried everything I can think of (with nginx as reverseproxy) and can't notice any difference in behavior, but please let me know if this breaks anything for you 🙏
• #1245 updated Portuguese translation (thx @000yesnt!) 69fa1d1
• #1259 OpenRC: add command to test config (thx @lotsospaghetti!) 79273a7
• #1257 removed the nth global-option because it was never implemented (thx @stackxp!) 22cdc0f
• syntax highlighter: added languages nasm + nix, removed autohotkey + cmake b20d325

🌠 fun facts

• http/1.1 still tends to be faster than http/2 and http/3 for large transfers which is the main reason copyparty hasn't made the change
  • eh, not really a fun fact I suppose ┐( ´ w `)┌

⚠️ not the latest version!

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.3 has been released.

This is a security release to address a vulnerability where form elements in page content could be used to trick more privileged users into making API requests.

We strongly advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Joud Zakharia of zentrust partners GmbH for the discovery of this vulnerability, and thanks to Sven Faßbender of zentrust partners GmbH for their responsible disclosure and great communication of this issue.

Additional Update Notices

• Page Content - As of this release, most types of form content are now removed from page content on render. If you applied customizations which made use of in-page form content, you may now need to find alternative methods.

Full List of Changes

• Updated application PHP dependencies.
• Updated session-based API authentication to only be active for GET requests.
• Updated page content filtering to remove many common form elements & attributes.
• Updated translations with latest Crowdin changes. (#5997)

Part-DB 2.5.1

Improvements

• When using the "upload files" button automatically determine a fitting attachment type based on extension
• Support SPN columns for all suppliers as columns in BOM imports, not only LCSC (PR#1208, thanks @MayNiklas)

Bug fixes

• Disable the ID search by default, like intended in PR #1184
• Use correct language for sidebar trees, even if no user is logged in
• Prevent ordering of extra column in log tables, as this errors on Postgres and has no real use
• Show an error popup instead of a 500 page when info provider retrieval fails
• Added clear button for part select input in BOMs (#1156)

Miscellaneous

• Updated dependencies
• Updated translations

New Contributors

• @MayNiklas made their first contribution in #1208

Full Changelog: v2.5.0...v2.5.1

• Milestone

This is a release focussing on bug fixing, in particular regressions from the release 1.28.0.

Selected new features ✨:

• New customisable message for closed registrations
• Add username in Apache access logs (also in Docker logs): for GReader API, and for HTTP Basic Auth from reverse proxy

Improved performance 🏎️:

• Disable counting articles in user labels for Ajax requests (unused)

Many bug fixes 🐛

This release has been made by @Alkarex, @Frenzie, @Inverle and newcomers @ciro-mota, @eveiscoull, @hackerman70000, @Hufschmidt, @johan456789, @martgnz, @mmeier86, @netsho, @neuhaus, @RobLoach, @rupakbajgain.

Full changelog:

• Features
  • Handle Web scraping of text/plain as <pre class="text-plain"> #8340
  • New customisable message for closed registrations #8462
• Bug fixing
  • Fix unwanted expansion of user queries (saved searches) applied to filters #8395
  • Fix encoding of filter actions for labels #8368
  • Fix searching of tags #8425
  • Fix refreshing feeds with token while anonymous refresh is disabled #8371
  • Fix RSS and OPML access by token #8434
  • Fix MySQL/MariaDB transliterator_transliterate fallback (when the php-intl extension is unavailable) #8427
  • Fix regression with MySQL/MariaDB index hint #8460
  • Auto-add lastUserModified database column also during mark-as-read action #8346
  • Do not include hidden feeds when counting unread articles in categories #8357
  • Remove wrong PHP deprecation of OPML export action #8399
  • Fix shortcut for next unread article #8466
  • Fix custom session.cookie-lifetime #8446
  • Fix feed validator button when changing the feed URL #8436
• Performance
  • Disable counting articles in user labels for Ajax requests (unused) #8352
• Security
  • Change Content-Disposition: inline to attachment in f.php #8344
  • Hardened user methods exists, mtime, ctime #26c1102
• Deployment
  • Add username in Apache access logs (also in Docker logs): for GReader API, and for HTTP Basic Auth from reverse proxy #8392
• SimplePie
  • Update of CURLOPT_ACCEPT_ENCODING #8376, simplepie#960, simplepie#962
  • Fix don’t preserve children inside disallowed <template> element #8443
  • Fixes before PHPStan 2 #8445, simplepie#957
• Extensions
  • Update .gitignore to ignore installed extensions #8372
• UI
  • Add data-category="3" to ease custom CSS styling of articles #8397
  • Fix space between By: and the author’s name #8422
• I18n
  • Improve Brazilian Portuguese #8411
  • Improve Dutch #8403
  • Improve German #8402
  • Improve Polish #8408
  • Improve Spanish #8464
• Misc.
  • Update dev dependencies #8387, #8388, #8389,
    #8390, #8391, #8393,
    #8453

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated translations with latest Crowdin changes. (#5970)
• Updated PHP dependency versions.

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🩹 bugfixes

• #1235 rightclick-menu: fix creating new files/folders in gridview (thx @SpaceXCheeseWheel!) ffca67f
• #1231 fix http desync if the urlform global-option was changed to get
  • this initial fix only applies when reverse-proxied, in which case copyparty will now always connection:close (don't reuse tcp/uds connections), as giving each client a fresh socket helps avoid all such issues e1eff21 b4fddbc
  • the expected performance impact from this change is near-zero for real use, even if benchmarks show a 40% reduction in requests/sec in the absolute-worst-case (burst of cheap requests)
  • a future version will also fix this issue for non-proxied clients

🔧 other changes

• #1229 updated the Esperanto translation (thx @slashdevslashurandom!) 1142ac2
• #1232 shares: if an external domain is configured, then show both the LAN and external link for each share 81e5eb7

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• send-message-to-serverlog now also available as url-parameter ?smsg=foo 6dcb1ef
  • option smsg configures which HTTP-methods to allow; can be set to GET,POST but default is only POST because GET is dangerous (CSRF)

🩹 bugfixes

• #1227 dillo was not able to login because dillo is more standards-compliant than every other browser (nice) b4df8fa
• a web-scraper which got banned for making malicious requests could remain banned for one request longer than intended (wait why did I fix this) ba67b27
• ?ls was still a bit jank 0a3a807

🌠 fun facts

• this 6AM release was powered by void/mournfinale
• was going to name the release "dilla på dillo" but somehow google-translate thinks that means "fuck on fuck" which would have been inappropriate

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

• v1.19.8 (2025-09-07) fixed CVE-2025-58753 (a missing permission-check inside single-file shares)
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled

🧪 new features

• #1212, #1214 range-select in the grid-view by click-and-drag (thx @icxes!) 3e3228e 72c5940
• #134 xattrs (linux extended file attributes) can now be indexed and searchable 8240ef6
• rightclick-menu:
  • #1184 add rename option (thx @stackxp!) 25a8b96
  • #1216 add sharing options (thx @stackxp!) ffb2560
  • #1198, #1206 also works in the search-results view (thx @hackysphere!) 04f612f d32704e
• option to override the domain in certain links, so copyparty returns an external URL even if you're accessing it by a LAN address:
  • #1211 newly created shares 41d3bae
  • #255 newly uploaded files d925553
• new option vol-nospawn (volflag nospawn) to not automatically create the volume's folder on the server's HDD if it doesn't exist
• new option vol-or-crash (volflag assert_root) to intentionally crash on startup if a volume's folder doesn't already exist on the server HDD
• new option --flo to tweak the log-format used by the -lo option for logging to a file 826e84c
• #1197 u2c (commandline uploader): give up and crash if server is offline for longer than 3 minutes (configurable) 67c5d8d

🩹 bugfixes

• #1203 configured chmod/chown rules were not applied when a file was being deduped bef0772
• the unlistc* volflags could not be specified for single-file volumes 2664891
• the defensive renaming of uploaded readmes/logues would assume the default filenames, not considering the recently added option to customize these names c17c3be
• #1191 the ipu option can once again be used to reject connections from certain IP-ranges caf831f
  • this was a regression in v1.19.21 causing the server to crash on startup if such a config was attempted
• some empty folders could be created during startup in certain server-configs with nested volumes 4e67b46
• api: trying to ?ls nested virtual folders could return an error 6675039
• ui/ux:
  • #1179 improve errormessage if audio transcoding fails 7357d46
  • ensure a trailing slash when viewing a folder with the h permission; good for relative links in html-files

🔧 other changes

• #1193, #1194: NixOS improvements (thx @toast003!) 9d223d6 d5a8a34
• truncate huge errormessages from ffmpeg so the log doesn't get flooded 3aebfab
• ui/ux:
  • the dl button (to download selected files individually) now skips folders, since that never worked bc24604
  • #1200 add html classes to make custom styling easier c46cd7f
  • rephrase errormessages from see serverlog to see fileserver log
• docs:
  • mention in the readme that uploading files from a deeply nested folder using a webbrowser on Windows can fail because browsers don't handle the max-pathlen limitation of Windows optimally (not a copyparty-specific issue, but still hits us)

🌠 fun facts

• n/a; no fun has been had since v1.20.0
  • (that's a lie btw, sniffing the airwaves is pretty darn fun 😁)

⚠️ not the latest version!

Part-DB 2.5.0

New features

• Added console command to change database platform (e.g. from sqlite to mysql, or mysql to postgresql)
• Added a ability to search for part IDs from searchfields (thanks @kernchen-brc, #1184)

Improvements

• Do not mark new categories excluded from simulation in KiCAD, to avoid annoying symbols in KiCad (thanks @lukas-runge , #1192)
• Optimized frontend file sizes a bit

Bug fixes

• Fixed OEMSecretsProvider (thanks @d-buchmann, #1187)
• Fixed CSRF issue with barcode scanner (thanks @swdee, #1197)

Miscellaneous

• Updated dependencies

New Contributors

• @kernchen-brc made their first contribution in #1184
• @swdee made their first contribution in #1191
• @lukas-runge made their first contribution in #1192

Full Changelog: v2.4.0...v2.5.0

⚠️ Potential Breaking Changes

Added multi-domain support for OAuth/OpenID (#26312)
SSO callback URL generation and redirect validation now includes port matching to ensure redirects target the correct server.

Fixed getAsset returning all file fields instead of only those allowed by the users permissions (#25905)
getAsset / GET /assets/:id now respects directus_files permissions when returning file based fields.

• @directus/app
  • Removed the deprecated /webhooks functionality across the stack. This includes the API route and its related tests, (#26311 by @mobml)
    controller, and mocks, as well as the corresponding SDK commands and schema types, types and services, system fields and
    collections, OpenAPI specifications, and App UI routes and components. This endpoint has been unused for over a year and
    has now been fully removed.
  • Removed the "Comment" tab from the activities page (#26440 by @Abdallah-Awwad)
• @directus/api
  • Removed the deprecated /webhooks functionality across the stack. This includes the API route and its related tests, (#26311 by @mobml)
    controller, and mocks, as well as the corresponding SDK commands and schema types, types and services, system fields and
    collections, OpenAPI specifications, and App UI routes and components. This endpoint has been unused for over a year and
    has now been fully removed.
  • Fixed getAsset returning all file fields instead of only those allowed by the users permissions (#25905 by @gaetansenn)
  • Added multi-domain support for OAuth/OpenID (#26312 by @gaetansenn)
  • Added a new AI_ENABLED environment variable to allow opting out of our AI chat feature (#26458 by @bryantgillespie)
• @directus/system-data
  • Removed the deprecated /webhooks functionality across the stack. This includes the API route and its related tests, (#26311 by @mobml)
    controller, and mocks, as well as the corresponding SDK commands and schema types, types and services, system fields and
    collections, OpenAPI specifications, and App UI routes and components. This endpoint has been unused for over a year and
    has now been fully removed.
• @directus/specs
  • Removed the deprecated /webhooks functionality across the stack. This includes the API route and its related tests, (#26311 by @mobml)
    controller, and mocks, as well as the corresponding SDK commands and schema types, types and services, system fields and
    collections, OpenAPI specifications, and App UI routes and components. This endpoint has been unused for over a year and
    has now been fully removed.
• @directus/types
  • Removed the deprecated /webhooks functionality across the stack. This includes the API route and its related tests, (#26311 by @mobml)
    controller, and mocks, as well as the corresponding SDK commands and schema types, types and services, system fields and
    collections, OpenAPI specifications, and App UI routes and components. This endpoint has been unused for over a year and
    has now been fully removed.
• @directus/sdk
  • Removed the deprecated /webhooks functionality across the stack. This includes the API route and its related tests, (#26311 by @mobml)
    controller, and mocks, as well as the corresponding SDK commands and schema types, types and services, system fields and
    collections, OpenAPI specifications, and App UI routes and components. This endpoint has been unused for over a year and
    has now been fully removed.

✨ New Features & Improvements

• @directus/app
  • Added a new AI_ENABLED environment variable to allow opting out of our AI chat feature (#26458 by @bryantgillespie)
  • Added concurrency control for file uploads via a new FILES_MAX_UPLOAD_CONCURRENCY env variable (#26424 by @thomas-svrts)
  • Added nested validation rules to validation error notice (#26389 by @robluton)
  • Added Comparison modal wysiwyg diff highlighting (#26301 by @robluton)
  • Fixed an issue that would cause some drawer header icons from being displayed too large (#26442 by @kekekuli)
• @directus/api
  • Added concurrency control for file uploads via a new FILES_MAX_UPLOAD_CONCURRENCY env variable (#26424 by @thomas-svrts)
• @directus/env
  • Added multi-domain support for OAuth/OpenID (#26312 by @gaetansenn)
  • Added a new AI_ENABLED environment variable to allow opting out of our AI chat feature (#26458 by @bryantgillespie)
  • Added concurrency control for file uploads via a new FILES_MAX_UPLOAD_CONCURRENCY env variable (#26424 by @thomas-svrts)
  • Added support for specifying a KMS Key ID in S3 storage when using aws:kms Server Side Encryption (#26377 by @Joey92)
• @directus/types
  • Added missing MCP settings types. (#26469 by @bryantgillespie)
• @directus/storage-driver-s3
  • Added support for specifying a KMS Key ID in S3 storage when using aws:kms Server Side Encryption (#26377 by @Joey92)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Added multi-domain support for OAuth/OpenID (#26312 by @gaetansenn)
  • Improves behavior of the in-studio back button (#26427 by @rijkvanzanten)
  • Fixed disabled state for datetime, file, select-dropdown-m2o & collection-item dropdowns interfaces (#26365 by @ComfortablyCoding)
  • Fixed GraphQL error when duplicating M2A items with same name fields of conflicting types. (#26367 by @dstockton)
  • Enforces the eslint vue/no-undef-components rule in the sourcecode (#26390 by @rijkvanzanten)
  • Fixed incorrect initial slider fill position when the midpoint is not a valid stepped value (#26408 by @DamnItAzriel)
  • Fixed sticky column background in M2M list interface (#26401 by @vdr-smartdev-trinh)
  • Improved system permissions collection picker to support easier multi-selection (#26410 by @thanhle98)
  • Enforced PascalCase usage within app source code (#26391 by @rijkvanzanten)
  • Cleaned up header button inconsistencies (#26375 by @rijkvanzanten)
  • Replaced the local useLocalStorage composable with the VueUse equivalent (#26303 by @tydung26)
  • Disable text highlighting for draggable vue elements in Chrome and Firefox (#26413 by @DanielRubianes)
  • Fix markdown editor layout when a minimum input height is applied (#26430 by @DamnItAzriel)
  • Added image validation type for file image upload (#25946 by @gaetansenn)
• @directus/api
  • Updated nodemailer dependency from 7.0.10 to 7.0.11 (#26288 by @dependabot)
  • Added system index for revisions.activity (#26479 by @br41nslug)
  • Fixed cockroachdb failing on "Add Marketplace" migration (#26467 by @ComfortablyCoding)
  • Fixed password reset timing (#26485 by @br41nslug)
  • Fixed MySQL migration compatibility with sql_require_primary_key (#26374 by @gaetansenn)
  • Fix permission cache to respect CACHE_SYSTEM_TTL (#26295 by @clintmoyer)
  • Improved CockroachDB database introspection performance (#26393 by @br41nslug)
• @directus/types
  • Updated nodemailer dependency from 7.0.10 to 7.0.11 (#26288 by @dependabot)
• @directus/system-data
  • Added system index for revisions.activity (#26479 by @br41nslug)
  • Added a new AI_ENABLED environment variable to allow opting out of our AI chat feature (#26458 by @bryantgillespie)
• @directus/memory
  • Fix permission cache to respect CACHE_SYSTEM_TTL (#26295 by @clintmoyer)
• @directus/sdk
  • Added a new AI_ENABLED environment variable to allow opting out of our AI chat feature (#26458 by @bryantgillespie)
  • Fixed conversion of fields from object notation to dot syntax in SDK subscription queries (#26397 by @bruno-costa)
• @directus/schema
  • Improved CockroachDB database introspection performance (#26393 by @br41nslug)
• @directus/themes
  • Enforced PascalCase usage within app source code (#26391 by @rijkvanzanten)
• @directus/schema-builder
  • Fixed singleton support (#26478 by @licitdev)
• @directus/storage-driver-supabase
  • Fixed an issue where the Supabase storage driver would fail if the root folder is the empty string. (#26384 by @aderugy)

📦 Published Versions

• @directus/app@15.0.0
• @directus/api@33.0.0
• @directus/composables@11.2.9
• create-directus-extension@11.0.25
• @directus/env@5.4.0
• @directus/extensions@3.0.16
• @directus/extensions-registry@3.0.16
• @directus/extensions-sdk@17.0.5
• @directus/memory@3.0.14
• @directus/pressure@3.0.14
• @directus/schema@13.0.5
• @directus/schema-builder@0.0.11
• @directus/specs@12.0.0
• @directus/storage-driver-azure@12.0.14
• @directus/storage-driver-cloudinary@12.0.14
• @directus/storage-driver-gcs@12.0.14
• @directus/storage-driver-s3@12.1.0
• @directus/storage-driver-supabase@3.0.14
• @directus/system-data@4.0.0
• @directus/themes@1.2.1
• @directus/types@14.0.0
• @directus/utils@13.1.1
• @directus/validation@2.0.14
• @directus/sdk@21.0.0

This release fixes a regression that resulted in the agent binary being dynamically linked, causing it to fail on musl-based Linux distributions like Alpine and OpenWrt. If you were affected by this, see below for instructions to fix.

What's Changed

• Add separate dynamically linked glibc build for Linux. (#1618)
• Fix GPU ID collision between Intel and NVIDIA collectors. (#1522)
• Agent update command now detects your system's C library and downloads the optimal binary (static or glibc) on Linux.
• fix: some of indonesia translate by @marmar76 in #1625
• Jetson tegrastats regex pre jetpack5 by @Vascolas007 in #1631
• site: only hide GPU engine graph if entire usage is 0% by @crimist in #1624

New Contributors

• @marmar76 made their first contribution in #1625
• @Vascolas007 made their first contribution in #1631

Fix for musl-based Linux distributions

If you updated to a version that currently fails to start (./beszel-agent: not found), you can restore your agent by running the following commands:

# 1. Download latest static binary (replace 'amd64' with your arch if different)
curl -L https://github.com/henrygd/beszel/releases/latest/download/beszel-agent_linux_amd64.tar.gz | tar -xz

# 2. Replace the broken binary
mv beszel-agent /opt/beszel-agent/beszel-agent
chmod +x /opt/beszel-agent/beszel-agent

# 3. Restart the service
# For Alpine:
rc-service beszel-agent restart
# For OpenWRT:
/etc/init.d/beszel-agent restart

Full Changelog: v0.18.1...v0.18.2

Fixes bug in 0.18.0 release where all containers were cleared from the "All Containers" page when any system returned no containers.

Additionally, there was a temporary problem with the :latest Docker image which may have caused your agents to report as down. This is fixed now and you can re-pull the image if necessary: #1618 (comment)

What's Changed

• Add option to make universal token permanent. (#1097, #1614)
• Add experimental NVML GPU collector. (#1522, #1587)
• Add low battery alerts. (#1507)
• Add battery charge to systems table.
• Add --url and --token command line arguments to the agent. (#1524)
• Collect S.M.A.R.T. data in the background every hour.
• Add SMART_INTERVAL environment variable to customize S.M.A.R.T. data collection interval.
• Collect system distribution and architecture.
• Add system_details collection to store infrequently updated system information.
• Improve S.M.A.R.T. device path lookup for NVMe devices. (#1504)
• Raise smartctl timeout to 15 seconds. (#1465)
• Fix container logs decoding for raw streams. (#1535)
• Rename login honeypot field to prevent password manager autofill (#1011).
• fix: When there is no client, LoaderCircle will always transfer by @Zero2A11 in #1511
• fix non unique fingerprint by @deadbeef84 in #1556
• bug: fix disk sorting in smart table by @svenvg93 in #1551
• chore; add check for systemd before monitoring by @svenvg93 in #1550
• fix: use origin country flags for Spanish and Portuguese languages by @Natxo09 in #1571
• Add Serbian and Bahasa Indonesia translations.
• Update Go dependencies.

New Contributors

• @Zero2A11 made their first contribution in #1511
• @daviddavis made their first contribution in #1530
• @deadbeef84 made their first contribution in #1556
• @crimist made their first contribution in #1587
• @Natxo09 made their first contribution in #1571

Full Changelog: v0.17.0...v0.18.0

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

• v1.19.8 (2025-09-07) fixed CVE-2025-58753 (a missing permission-check inside single-file shares)
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled

🧪 new features

• #1174 add Japanese translation (thx @tkymmm!) b918b59
• #1164 rightclick-menu now works in the gridview too (thx @Foox-dev!) feabbf3
• #1176 IP to bind can be specified per protocol 87a5c22

🩹 bugfixes

• various SFTP fixes (i blame the single tschunk on day 3):
  • #1170 be more lenient regarding stat permissions 9030828
  • #1170 deletes could return EPERM when ENOENT was more appropriate 8c9e101
  • #1170 files would be created with an extremely restrictive chmod 2f4a30b
    • certified octal moment
  • write-only folders could return ENOENT 6c41bac
• #1177 disk-usage quotas became incompatible with shares in v1.20.0 038af50
• appending to existing files with ?apnd was possible in volumes with non-reflink dedup, where it could propagate to deduped copies of the file 738a419
  • (was only possible for users with write+delete perms, so at least it couldn't be used for nefarious purposes)
• rightclick-menu: "copy link" would strip filekeys 3a16d34

🔧 other changes

• copyparty.exe: updated pillow to 12.1.0 a9ae6d5

🌠 fun facts

• tschunk is the sound a hacker makes as they faceplant onto the table after having one too many
  • also see the funfacts in the previous release for more CCC hijinks :p

⚠️ not the latest version!

Changelog

Bug fixes

• 7277f39: fix: listen on 0.0.0.0 by default, close #1570 (@seriousm4x)

Changelog

Features

• 61da5f5: feat: UPSNAP_HTTP_LISTEN: check for custom addr in go (@seriousm4x)

Bug fixes

• d18b54e: fix: go tests (@seriousm4x)
• 4bfc057: fix: remove test case (@seriousm4x)
• c75679f: fix: update HTTP_LISTEN configuration in Dockerfile and docker-compose.yml (#1563) (@xiagw)

Others

• 212e1b6: Update go.sum (@seriousm4x)
• a85a7de: update deps (@seriousm4x)

Npm dependencies

• 3d68442: npm-dep: bump @inlang/paraglide-js from 2.7.0 to 2.7.1 in /frontend (@dependabot[bot])
• 8714f93: npm-dep: bump @inlang/paraglide-js from 2.7.1 to 2.7.2 in /frontend (@dependabot[bot])
• d1c6ee5: npm-dep: bump @sveltejs/kit from 2.49.2 to 2.49.3 in /frontend (@dependabot[bot])
• dbcdd2b: npm-dep: bump typescript-eslint from 8.50.1 to 8.51.0 in /frontend (@dependabot[bot])
• 341d6b7: npm-dep: bump typescript-eslint from 8.51.0 to 8.52.0 in /frontend (@dependabot[bot])

Part-DB 2.4.0

New features

• Added info provider for Buerklin (thanks to @mkne, #1151)
• Show part IDs in project BOMs

Improvements

• Use more performant hash algorithms for cache keys
• Increase label generator PDF preview height to show PDF toolbar (@mkne , #1171)
• Show info provider capabilities in fixed order

Bug fixes

• Fixed exception if DigiKey has no media for a part (#1154)

Miscellaneous

• Updated dependencies

New Contributors

• @fsbrc made their first contribution in #1168

Full Changelog: v2.3.0...v2.4.0

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

• v1.19.8 (2025-09-07) fixed CVE-2025-58753 (a missing permission-check inside single-file shares)
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled

🧪 new features

• sftp server 4714c2f ec7ea30
  • included in docker-images im, iv, ac, dj
  • not using docker? install the optional dependency paramiko
• #1135 right-click menu (thx @stackxp and @Scotsguy!) 82c4960 05a4472
• PUT can now append to existing files 63d8e5a
  • new option apnd-who to configure who is allowed to do that
• #1128 added option to skip uploading a file if the filename is already taken on the server (thx @Scotsguy!) fa32e15
• #1127 descript.ion now also works for folders 2c26aec
• in file listings, up_by and up_ip (uploader info) can now be displayed for non-admin users by adding them to the mte option 7bfd370
• #1120 display the disk-space quota instead of the underlying HDD size (thx @rabid-dev!) 511dc01 e0845b2
• option to skip dotfiles/dotfolders when using download-as-zip 7d7a151
• #1124 button to skip files with a filename collision when copying/moving files 85639ad
• #1151 u2c (commandline uploader): option to use basic-auth instead of the PW header (thx @Le0Developer!) 120fdfb
• the name of the pw url-param and http-header can be changed f81d80b
  • mainly to force basic-auth, but perhaps also for other purposes
  • changing these will break support for many clients, so you probably want to keep the default

🩹 bugfixes

• image-viewer:
  • images now scale properly when rotated while the zoom feature is enabled c0e167f
  • the current image rotation will now be applied to the next image as well 485c60c c82a3cb
• groups announced by an IdP will now also apply for native (copyparty-config) users f08cb25
• windows: download-as-zip would flatten everything to a single folder 2d1d295
• #1157 dirkeys did not work in grid-view d1ddcb1
• #1123 the ui-notree option to simplify the UI would simplify a bit too much 4c73704
• don't add the trailing slash to a volume in the controlpanel when the volume is a file 80a3749
  • the link couldn't be clicked on Windows CE 4.20 using Internet Explorer 4.01

🔧 other changes

• #1158 updated german translation (thx @Scotsguy!) 3bf80c8
• the dotfiles button now also toggles showing unlisted files e55e5a4
• /?h&ls (the api to list volumes) now includes the user's permissions for each volume 1f6e811
• #1142 new option dav-port to open a dedicated port for webdav clients 4642d32
  • workaround for certain clients which pretend to be webbrowsers
• #1147 workaround for a buggy browser-extension 8551472
• detect (and panic) when a webbrowser has failed to load one of the javascript files af3f777
  • replaces the confusing errormessage resulting from half of the code missing

🌠 fun facts

• it turns out that copyparty runs just fine on SGI IRIX! 39c3ccc
  • there's a photo of the server and a screenshot as proof 😁
  • the feature comparison has been updated accordingly
• this release was mostly coded at 39c3 (see photo above) and the release was made at revspace

⚠️ not the latest version!

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.1 has been released.

This is a security release which adds limits to search operations, and adds size checks to ZIP import files before they are extracted.
These changes help prevent potential abuse to host disk space usage and/or service availability.

We recommended to update your instance if untrusted users have ZIP import permissions, or if untrusted users can perform searches.

Thanks to Jeong Woo Lee (@eclipse07077-ljw) and Gabriel Rodrigues (aka TEXUGO) for reporting these vulnerabilities.

Full List of Changes

• Updated application PHP dependencies.
• Add some additional resource-based limits. (#5968)
• Updated translations with latest Crowdin changes. (#5962)

Changelog

Others

• dd9a009: add sft to onlyBuiltDependencies (@seriousm4x)
• 326cc15: increase command input width (@seriousm4x)
• c7f15d3: pnpm update (@seriousm4x)

Go dependencies

• 451dc1d: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• d3c0247: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 4583e8a: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• cc4bae8: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])

Npm dependencies

• 3c9e3e1: npm-dep: bump @eslint/js from 9.39.1 to 9.39.2 in /frontend (@dependabot[bot])
• 5b6dfff: npm-dep: bump @inlang/paraglide-js from 2.5.0 to 2.6.0 in /frontend (@dependabot[bot])
• 0f290f8: npm-dep: bump @inlang/paraglide-js from 2.6.0 to 2.7.0 in /frontend (@dependabot[bot])
• 3c48888: npm-dep: bump @sveltejs/kit from 2.49.0 to 2.49.1 in /frontend (@dependabot[bot])
• d6e47b1: npm-dep: bump @sveltejs/kit from 2.49.1 to 2.49.2 in /frontend (@dependabot[bot])
• 2a738cd: npm-dep: bump @tailwindcss/postcss from 4.1.17 to 4.1.18 in /frontend (@dependabot[bot])
• d1715b5: npm-dep: bump daisyui from 5.5.11 to 5.5.13 in /frontend (@dependabot[bot])
• 3484bdd: npm-dep: bump daisyui from 5.5.13 to 5.5.14 in /frontend (@dependabot[bot])
• 636da19: npm-dep: bump daisyui from 5.5.5 to 5.5.8 in /frontend (@dependabot[bot])
• af28d0b: npm-dep: bump daisyui from 5.5.8 to 5.5.11 in /frontend (@dependabot[bot])
• 609b5e2: npm-dep: bump eslint from 9.39.1 to 9.39.2 in /frontend (@dependabot[bot])
• 28d2db9: npm-dep: bump eslint-plugin-svelte from 3.13.0 to 3.13.1 in /frontend (@dependabot[bot])
• c6983d8: npm-dep: bump pocketbase from 0.26.3 to 0.26.4 in /frontend (@dependabot[bot])
• 1a8ee6b: npm-dep: bump pocketbase from 0.26.4 to 0.26.5 in /frontend (@dependabot[bot])
• 9300d66: npm-dep: bump prettier from 3.6.2 to 3.7.0 in /frontend (@dependabot[bot])
• 7d6d60a: npm-dep: bump prettier from 3.7.0 to 3.7.1 in /frontend (@dependabot[bot])
• bc27081: npm-dep: bump prettier from 3.7.1 to 3.7.3 in /frontend (@dependabot[bot])
• 846a530: npm-dep: bump prettier from 3.7.3 to 3.7.4 in /frontend (@dependabot[bot])
• aba6615: npm-dep: bump prettier-plugin-svelte from 3.4.0 to 3.4.1 in /frontend (@dependabot[bot])
• 12b294a: npm-dep: bump prettier-plugin-tailwindcss in /frontend (@dependabot[bot])
• e94c101: npm-dep: bump svelte from 5.43.14 to 5.44.1 in /frontend (@dependabot[bot])
• c775ca2: npm-dep: bump svelte from 5.44.1 to 5.45.2 in /frontend (@dependabot[bot])
• 9f75e42: npm-dep: bump svelte from 5.45.10 to 5.46.0 in /frontend (@dependabot[bot])
• ed6062e: npm-dep: bump svelte from 5.45.2 to 5.45.4 in /frontend (@dependabot[bot])
• 178f34b: npm-dep: bump svelte from 5.45.4 to 5.45.5 in /frontend (@dependabot[bot])
• c670ff9: npm-dep: bump svelte from 5.45.5 to 5.45.6 in /frontend (@dependabot[bot])
• 1773636: npm-dep: bump svelte from 5.45.6 to 5.45.8 in /frontend (@dependabot[bot])
• 51498f7: npm-dep: bump svelte from 5.45.8 to 5.45.10 in /frontend (@dependabot[bot])
• c2c7b3c: npm-dep: bump svelte from 5.46.0 to 5.46.1 in /frontend (@dependabot[bot])
• 1cbbe9b: npm-dep: bump svelte-check from 4.3.4 to 4.3.5 in /frontend (@dependabot[bot])
• 98081bd: npm-dep: bump tailwindcss from 4.1.17 to 4.1.18 in /frontend (@dependabot[bot])
• b29ad9b: npm-dep: bump typescript-eslint from 8.47.0 to 8.48.0 in /frontend (@dependabot[bot])
• c72d63e: npm-dep: bump typescript-eslint from 8.48.0 to 8.48.1 in /frontend (@dependabot[bot])
• 3d3a536: npm-dep: bump typescript-eslint from 8.48.1 to 8.49.0 in /frontend (@dependabot[bot])
• 76cf5fb: npm-dep: bump typescript-eslint from 8.49.0 to 8.50.0 in /frontend (@dependabot[bot])
• 258d4d6: npm-dep: bump typescript-eslint from 8.50.0 to 8.50.1 in /frontend (@dependabot[bot])

Github Actions

• 4f6a902: gh-action: bump actions/cache from 4 to 5 (@dependabot[bot])
• 6465130: gh-action: bump actions/download-artifact from 6 to 7 (@dependabot[bot])
• d3a4b7c: gh-action: bump actions/upload-artifact from 5 to 6 (#1547) (@dependabot[bot])

• Milestone

This is a major release, just in time for the holidays 🎄

Selected new features ✨:

• New sorting and filtering by date of User modified, with corresponding search operator, e.g. userdate:PT1H for the past hour
• New sorting by article length
• New advanced search form
• New overview of dates with most unread articles
• New ability to share feed visibility through API (implemented by e.g. Capy Reader)
  • Bonus: Capy Reader is also the first open source Android app to support user labels
• Better transitions UI between groups of articles
• New links in UI for transitions between groups of articles, and jump to next transition
• Docker default image updated to Debian 13 Trixie with PHP 8.4.11
• And much more…

Improved performance 🏎️:

• Scaling of user statistics in Web UI and CLI, to help instances with 1k+ users
• Improve SQL speed for some critical requests for large databases
• API performance optimisation thanks to streaming of large responses

Selected bug fixes 🐛:

• Fix OpenID Connect with Debian 13
• Fix MySQL / MariaDB bug wrongly sorting new articles
• Fix SQLite bind bug when adding tag

Breaking changes 💥:

• Move unsafe autologin to an extension
• Potential breaking changes for some extensions (which have to rename some old functions)

This release has been made by @Alkarex, @Frenzie, @Inverle, @aledeg, @andris155, @horvi28, @math-GH, @minna-xD and newcomers @Darkentia, @FollowTheWizard, @GreyChame1eon, @McFev, @jocmp, @larsks, @martinhartmann, @matthew-neavling, @pudymody, @raspo, @scharmach, @scollovati, @stag-enterprises, @vandys, @xtmd, @yzx9.

Full changelog:

• Features
  • New sorting and filtering by date of User modified #7886, #8090,
    #8105, #8118, #8130
    • Corresponding search operator, e.g. userdate:PT1H for the past hour #8093
    • Allows finding articles marked by the local user as read/unread or starred/unstarred at specific dates for e.g. undo action.
  • New sorting by article length #8119
  • New advanced search form #8103, #8122, #8226
  • Add compatibility with PCRE word boundary \b and \B for regex search using PostgreSQL #8141
  • More uniform SQL search and PHP search for accents and case-sensitivity (e.g. for automatically marking as read) #8329
  • New overview of dates with most unread articles #8089
  • Allow marking as read articles older than 1 or 7 days also when sorting by publication date #8163
  • New option to show user labels instead of tags in RSS share #8112
  • Add new feed visibility (priority) Show in its feed #7972
  • New ability to share feed visibility through API (implemented by e.g. Capy Reader) #7583, #8158
  • Configurable notification timeout #7942
  • OPML export/import of unicity criteria #8243
  • Ensure stable IDs (categories, feeds, labels) during export/import #7988
  • Add username and timestamp to SQLite export from Web UI #8169
  • Add option to apply filter actions to existing articles #7959, #8259
  • Support CSS selector ~ subsequent-sibling #8154
    • Upstream PR phpgt/CssXPath#231
  • Rework saving of configuration files for more reliability in case of e.g. full disk #8220
  • Web scraping support date format as milliseconds for Unix epoch #8266
  • Allow negative category sort numbers #8330
• Performance
  • Improve SQL speed for updating cached information #6957, #8207,
    #8255, #8254, #8255
  • Fix SQL performance issue with MySQL, using an index hint #8211
  • Scaling of user statistics in Web UI and CLI, to help instances with 1k+ users #8277
  • API streaming of large responses for reducing memory consumption and increasing speed #8041
• Security
  • 💥 Move unsafe autologin to an extension #7958
  • Fix some CSRFs #8035
  • Strengthen some crypto (login, tokens, nonces) #8061, #8320
  • Create separate HTTP Retry-After rules for proxies #8029, #8218
  • Add data: to CSP in subscription controller #8253
  • Improve anonymous authentication logic #8165
  • Enable GitHub release immutability #8205
• Bug fixing
  • Exclude local networks for domain-wide HTTP Retry-After #8195
  • Fix OpenID Connect with Debian 13 #8032
  • Fix MySQL / MariaDB bug wrongly sorting new articles #8223
  • Fix MySQL / MariaDB database size calculation #8282
  • Fix SQLite bind bug when adding tag #8101
  • Fix SQL auto-update of field f.kind to ease migrations from FreshRSS versions older than 1.20.0 #8148
  • Fix search encoding and quoting #8311, #8324, #8338
  • Fix handling of database unexpected null content (during migrations) #8319, #8321
  • Fix drag & drop of user query losing information #8113
  • Fix DOM error while filtering retrieved full content #8132, #8161
  • Fix config.custom.php during install #8033
  • Fix do not mark important feeds as read from category #8067
  • Fix regression of warnings in Web browser console due to lack of window.bcrypt object #8166
  • Fix chart resize regression due to chart.js v4 update #8298
  • Fix CLI user creation warning when language is not given #8283
  • Fix merging of custom HTTP headers #8251
  • Fix bug in the case of duplicated mark-as-read filters #8322
• SimplePie
  • Fix support of HTTP trailer headers #7983, simplepie#943
  • Apply HTTPS policy also on GUIDs and permalinks #8037, simplepie#951
    • Fix WordPress.com HTTP duplicates with WebSub Automattic/pushpress#16
  • Implement HTML whitelist for SimplePie sanitizer #7924, simplepie#947
  • Various upstream contributions simplepie#940, simplepie#944
• Deployment
  • Docker default image updated to Debian 13 Trixie with PHP 8.4.11 and Apache 2.4.65 #8032
  • Docker alternative image updated to Alpine 3.23 with PHP 8.4.15 and Apache 2.4.65 #8285
  • Fix Docker healthcheck cli/health.php compatibility with OpenID Connect #8040
  • Improve Docker for compatibility with other base images such as Arch Linux #8299
    • Improve cli/access-permissions.sh to detect the correct permission Web group such as www-data, apache, or http
  • Update PostgreSQL volume for Docker #8216, #8224
  • Catch lack of exec() function for git update #8228
  • Work around DOMDocument::saveHTML() scrambling charset encoding in some versions of libxml2 #8296
  • Improve configuration checks for PHP extensions (in Web UI and CLI), including recommending e.g. php-intl #8334
• UI
  • New button for toggling sidebar on desktop view #8201, #8286
  • Better transitions between groups of articles #8174
  • New links in transitions and jump to next transition #8294
  • More visible selected article #8230
  • Show the parsed search query instead of the original user input #8293,
    #8306, #8341
  • Show search query in the page title #8217
  • Scroll into filtered feed/category on page load in the sidebar #8281, #8307
  • Fix autocomplete issues in change password form #7812
  • Fix navigating between read feeds using shortcut shift+j/k #8057
  • Dark background in Web app manifest to avoid white flash when opening #8140
  • Increase button visibility in UI to change theme #8149
  • Replace arrow navigation in theme switcher with <select> #8190
  • Improve scroll of article after load of user labels #7962
  • Keep scroll state of page when closing the slider #8295, #8301
  • Scroll into filtered feed/category on page load #8281
  • Display sidebar dropdowns above if no space below #8335, #8336
  • Use native CSS instead of SCSS #8200, #8241
    • Using CSS nesting and relative colours.
  • Various UI and style improvements: #8171, #8185, #8196
  • JavaScript finalise migration from Promise to async/await: #8182
• API
  • API performance optimisation: streaming of large responses #8041
  • Fever API: Add with_ids parameter to mass-change read/unread/saved/unsaved on lists of articles #8312
  • Misc API: better REST error semantics #8232
• Extensions
  • Add support for extension priority #8038
  • Add support for extension compatibility #8081
  • Improve PHP code with hook enums #8036
  • New hook nav_entries #8054
  • Rename Extensions default branch from master to main #8194
• I18n
  • Translation status as text in README #7842
  • Add new translate CLI commands move #8214
  • Change some regional language codes to comply with RFC 5646 / IETF BCP 47 / ISO 3166 / ISO 639-1 #8065
  • Improve German #8028
  • Improve Greek #8146
  • Improve Finnish #8073, #8092
  • Improve Hungarian #8244
  • Improve Italian #8115, #8186
  • Improve Polish #8134, #8135
  • Improve Russian #8155, #8197
  • Improve Simplified Chinese #8308, #8313
• Misc.
  • Add code to modify a search expression #8293
  • Remove Pocket sharing service #8127, #8128
  • Update to PHPMailer 7.0.1 #8048, #8180, #8272
  • 💥 Housekeeping of lib_rss.php with potential breaking changes for some extensions #8193,
  • Use native PHP #[Deprecated] #8325
  • Improve PHP code #8156, #8203, #8284,
    #8292, #8297
  • GitHub Actions: --no-progress #8315
  • Update dev dependencies #8043, #8044,
    #8045, #8046, #8047,
    #8052, #8176, #8177,
    #8178, #8179, #8210,
    #8270, #8271, #8273,
    #8274, #8275, #8276

Links

• Release video overview
• Update instructions
• Update details on blog

Full List of Changes

• Added user mentions for comments. (#5944, #560)
• Added slug history tracking system. (#5913, #5411)
• Added initial developer API for the new WYSIWYG editor. (#5928, #5763)
• Added internal reference handling on content copying. (#5917, #3239)
• Added settings to control the number of books/shelves that will be displayed per page. Thanks to @Xenoamor. (#5606, #2343)
• Updated translations with latest Crowdin changes. (#5933)
• Updated new WYSIWYG editor with a range of fixes. (#5939)
• Updated BookStack system CLI to v0.4. (#5956)
• Updated CSS dark/light mode handling so all CSS variables exist by default. (#5923)
• Updated "Microsoft URL Rewrite Module for IIS" download link. Thanks to @gerundt. (#5952)
• Updated image thumbnail generation to more reliably log issues on error. (#5869)
• Updated database to add index to views table to make view-based queries more efficient. (#5948)
• Updated application database requirements. (#5882)
• Fixed search pagination not using APP_URL value, and breaking for sub-path usage. (#5951)
• Fixed search pagination overflowing view on smaller screen sizes. (#5920)

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

• v1.19.8 (2025-09-07) fixed CVE-2025-58753 (a missing permission-check inside single-file shares)
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled

🧪 new features

• #1080 new translation: Vietnamese (thx @thatfrozenfrog and @khoidauminh!) b60eb3f d4a9787
• #1110 add option xf-proto-fb to support reverseproxies which do not provide an x-forwarded-proto header 9c64788
  • and improve the rproxy config guidance message in the serverlog c8f3b4e
  • and show a warning in the controlpanel if misconfiguration is detected c8f3b4e
• #1109 add option --ipar, reverseproxy-aware alternative to --ipa 3368421
  • its purpose is rejecting connections from unexpected/unwanted IPs/subnets
• option idp-chsub can be used to replace spaces in IdP usernames/groupnames 5e1d9a5
• #1029 indicate password max-length in ui 8d46cf1
  • thx to @grantbacon for the initial take!

🩹 bugfixes

• #1111 apple gave us coal for xmas this year 0b6d2d2
  • workaround for a new bug in safari (iOS and Macos) where it would randomly show a login-popup
• #1113 the @acct group was unavailable in groupless IdP setups b6c2ec1

🌠 fun facts

• speaking of current events, @stackxp made copyparty bad-apple-certified a little while back 😁
  • the plugin is available here

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

• v1.19.8 (2025-09-07) fixed CVE-2025-58753 (a missing permission-check inside single-file shares)
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled

🧪 new features

• #1068 #1089 add options to customize which textfiles (readme/prologue/epilogue) to embed above/below directory listings 14bef85
  • prologues, epilogues, readmes, preadmes (global-options and/or volflags) accept a comma-separated list of filenames to look for
• #1092 add option th-qv to change the thumbnail quality a1cbac0
  • also found and enabled a size-optimization for libvips, so:
• #1092 automatically delete and rebuild thumbnails if thumbnailer-config is changed ca6c4de
• #1049 add option log-date to display dates in logs 965a4a6
• #1047 rss-feed: title/description of each entry is now a template-string which can reference arbitrary metadata properties (thx @djjeane!) 5e85e3d
• extend the ramdisk safeguard to also prevent moving files into ephemeral storage fa91822
  • would previously prevent creating new files, but this was another potential source for confusion (thx coworker!)
• now possible to customize the thank you for playing ban-message ce2eeba
• #964 option to change the default value of the Cache-Control response-header 3bc0bf1
  • don't let this be you :^)

🩹 bugfixes

• #1010 correctly replace illegal characters in filenames according to underlying filesystem ba017f7
  • for example, uploading a folder named COMPLE:X into an exFAT flashdrive on linux is now possible
  • and, to make that possible, filesystem-detection now sees the true filesystem behind FUSE (for example ntfs-3g) 3bbed1b
• audio-playback would skip into the next folder rather than play the rest of the current one if the folder was sufficiently massive 8e2fb05
• #1094 fix ipu with idp users 594ec39
• commandline uploader: fix termsize detection on windows 7d526ea
• #1104 the rss feature now complains loudly if e2d is not enabled (because that was always necessary but not obvious) 9219540
• ui/ux:
  • #1102 the option to cosmetically hide server info did not apply for all themes e440578
  • the metadata-property date (default-disabled) was renamed to tdate to avoid colliding with the last-modified timestamp if enabled fecc3fd
• docs:
  • #1070 how to use the bundled archlinux systemd scripts 7f82189
  • podman-systemd: fix paths in guide (thx @emiliatheworst!) a869839
  • synology: better way to hide @eaDir 1b0eb45

🔧 other changes

• add a loud warning in logs if X-Forwarded-Proto is not added by the reverseproxy ad45de9 1b222fb
  • almost did the same for X-Forwarded-Host too before realizing that's generally not a thing
• #1038 creating a blank chpw.json before starting copyparty is now supported and no longer crashes on startup efc6a09
• #1105 better feedback in the login ui (thx @stackxp!) 08474db
• mtag/audio-key.py: replaced the melodic key detector since ffmpeg-8 / alpine-3.23 broke it 67ddc64
• updated deps:
  • webdeps: dompurify-3.3.1 e0b04d9
  • copyparty.exe: python-3.13.11 9e64fe0

🌠 fun facts

• 39c3 has a LOT of awesome self-organized sessions
  • didn't have anything copyparty-related this time but CCC HYPE!

⚠️ not the latest version!

⚠️ Potential Breaking Changes

• @directus/stores
  • Removed sidebar states from app store (#26259 by @rijkvanzanten)

✨ New Features & Improvements

• @directus/app
  • Added support for downloading multiple files and entire folder trees (#26006 by @Nitwel)
  • Added AI chat sidebar (#26259 by @rijkvanzanten)
  • Added support for float intervals and min/max warnings for number inputs (#26190 by @gaetansenn)
  • Made both sidebars resizable (#26259 by @rijkvanzanten)
  • Added header interface (#26302 by @AlexGaillard)
• @directus/api
  • Added support for downloading multiple files and entire folder trees (#26006 by @Nitwel)
  • Added AI chat sidebar (#26259 by @rijkvanzanten)
• @directus/types
  • Added support for downloading multiple files and entire folder trees (#26006 by @Nitwel)
  • Added AI chat sidebar (#26259 by @rijkvanzanten)
• @directus/utils
  • Added support for downloading multiple files and entire folder trees (#26006 by @Nitwel)
  • Moved fetchRolesTree,fetchGlobalAccess, fetchGlobalAccessForUser and fetchGlobalAccessForRoles to the public utility package (#26248 by @ComfortablyCoding)
• @directus/sdk
  • Added support for downloading multiple files and entire folder trees (#26006 by @Nitwel)
• @directus/system-data
  • Added AI chat sidebar (#26259 by @rijkvanzanten)
• @directus/errors
  • Added AI chat sidebar (#26259 by @rijkvanzanten)
• @directus/themes
  • Added AI chat sidebar (#26259 by @rijkvanzanten)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed an issue where input focus ring disappears on hover (#26315 by @formfcw)
  • Fixed display template not appearing for relations inside translations on new items (#26219 by @gaetansenn)
  • Ensured the created revision uses the correct label (#26289 by @vizzv)
  • Added reactive primaryKey prop to useFlows composable (#26287 by @AlexGaillard)
• @directus/api
  • Added redirect validation (#26346 by @br41nslug)
  • Moved fetchRolesTree,fetchGlobalAccess, fetchGlobalAccessForUser and fetchGlobalAccessForRoles to the public utility package (#26248 by @ComfortablyCoding)
  • Updated synchronization of remotely stored extensions (#26192 by @br41nslug)
  • Fixed missing accountability for files.upload when TUS is enabled (#26247 by @br41nslug)
• @directus/types
  • Moved fetchRolesTree,fetchGlobalAccess, fetchGlobalAccessForUser and fetchGlobalAccessForRoles to the public utility package (#26248 by @ComfortablyCoding)
  • Updated synchronization of remotely stored extensions (#26192 by @br41nslug)
• @directus/storage-driver-cloudinary
  • Updated synchronization of remotely stored extensions (#26192 by @br41nslug)
• @directus/storage-driver-supabase
  • Updated synchronization of remotely stored extensions (#26192 by @br41nslug)
• @directus/extensions-sdk
  • Updated esbuild dependency from 0.25.12 to 0.26.0 (#26215 by @dependabot)
• @directus/system-data
  • Updated esbuild dependency from 0.25.12 to 0.26.0 (#26215 by @dependabot)
• @directus/sdk
  • Updated esbuild dependency from 0.25.12 to 0.26.0 (#26215 by @dependabot)
• @directus/themes
  • Made both sidebars resizable (#26259 by @rijkvanzanten)
• @directus/utils
  • Preserved Error when passed to run-script operation (#26234 by @gaetansenn)
• @directus/composables
  • Set default sidebar shadow to false (#26259 by @rijkvanzanten)

📦 Published Versions

• @directus/app@14.4.0
• @directus/api@32.2.0
• @directus/composables@11.2.8
• create-directus-extension@11.0.24
• @directus/env@5.3.3
• @directus/errors@2.1.0
• @directus/extensions@3.0.15
• @directus/extensions-registry@3.0.15
• @directus/extensions-sdk@17.0.4
• @directus/memory@3.0.13
• @directus/pressure@3.0.13
• @directus/schema-builder@0.0.10
• @directus/storage-driver-azure@12.0.13
• @directus/storage-driver-cloudinary@12.0.13
• @directus/storage-driver-gcs@12.0.13
• @directus/storage-driver-s3@12.0.13
• @directus/storage-driver-supabase@3.0.13
• @directus/stores@2.0.0
• @directus/system-data@3.5.0
• @directus/themes@1.2.0
• @directus/types@13.5.0
• @directus/utils@13.1.0
• @directus/validation@2.0.13
• @directus/sdk@20.3.0

Security Release

• Update Instructions
• Update details on blog

BookStack v25.11.6 has been released.

This is a security release to address a vulnerability in our dependencies related to XML
handling, which could allow users to replay SAML authentication requests with specially crafted & manipulated requests.

It's strongly advised to update if you're using SAML authentication for BookStack.

Full List of Changes

• Updated application PHP dependencies.

Part-DB 2.3.0

New features

• Added the ability to define custom part states (PR #1053, thanks to @webdevinition)
• Added the ability to automatically suggest and generate IPNs (PR #1054, thanks to @webdevinition)
• Added experimental ability to rename datastructure types with the new synonym system, which allows you to define domain specific names for concepts of "parts", "categories", etc. (thanks @webdevinition)

Improvements

• Improved ability to determine category from info provider (#1113)
• Do not require a trailing slash for DEFAULT_URI (#1118)
• Define preview images for partkeepr imports (#1115)

Bug fixes

• Allow long URLs for attachments (#1022)
• Fixed issues related to mass import form (#1102, #1103, #1104)

Docker

• Added COMPOSER_EXTRA_PACKAGES env to docker containers, to install additional composer packages, like email bridges (#1138)

Miscellaneous

• Improved translations
• Updated dependencies
• Improved documentation

New Contributors

• @webdevinition made their first contribution in #1053
• @Copilot made their first contribution in #1124

Full Changelog: v2.2.1...v2.3.0