Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed content filtering removing link target attribute, which would impact "New Window" links. (#6034)
• Fixed content filtering to not remove user references in comments.
• Updated PHP package versions.

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-02-25)

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🩹 bugfixes

• #1311 fix login (broke in v1.20.9) ecdfd2d

🔧 other changes

• warn that config-reload doesn't do global-options a29037a

🌠 fun facts

• rushing out a cve-fix in the wee hours of the morning before the 9-5 is a great idea that never goes wrong
  • 10/10 will probably do again

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-02-25)

⚠️ ATTN: this release fixes an XSS vulnerability

GHSA-62cr-6wp5-q43h could let an attacker execute arbitrary JS by tricking you into clicking a malicious link 31b2801

known issue: login broken, fix roughly 8pm UTC tonight

🔧 other changes

• webdav: dav-port can be used as an alternative to daw d21242f

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• #1298 add Hungarian translation (thx @sonacl!) eefb181 f37c3b9
• #1299 chown now accepts 4-digit values (thx @new-sashok724!) 5a7504f

🩹 bugfixes

• audioplayer skip-silence:
  • #1303 clamp ffwd to safe values (thx @icxes!) f5e70c7
  • fix crash on folderchange f1a433a

🔧 other changes

• due to legal reasons, the docker-images and bootable flashdrive are now unable to create thumbnails of HEVC/h265 videos and heif/heic images 1bec91d
  • this primarily means photos/videos taken with iphones (and maybe some samsung phones)
  • on the bright side, this has made the docker-images much smaller; ac is now half the size it used to be, and iv / dj are each 97 MiB smaller

🌠 fun facts

• if you wanna see your car doing its best impression of a frictionless spherical cow, I can warmly (heh) recommend the icy snowcoated countryroads of viken this weekend
  • goes oddly well with sakuraburst - deconstructing nature

⚠️ not the latest version!

What's Changed

• Add outbound heartbeat monitoring to external services by @amirhmoradi in #1729
• Add experimental GPU monitoring for Apple Silicon by @raccettura. (#1747, #1746, docs)
• Add nvtop integration for GPU monitoring. (#1508)
• Add GPU_COLLECTOR environment variable to manually specify the GPU collector(s).
• SMART: add eMMC health via sysfs by @VACInc in #1736
• Add DISABLE_SSH environment variable to disable SSH agent functionality. (#1061)
• Add fingerprint command to the agent. (#1726)
• Include GTT memory in AMD GPU metrics and improve device name lookup. (#1569)
• Improve multiplexed logs detection for Podman. (#1755)
• Harden against Docker API path traversal.
• Fix issue where the agent could report incorrect root disk I/O when running in Docker. (#1737)
• Show system uptime in the system table by @svenvg93 in #1719
• Retry Docker check on non-200 HTTP response by @ElioDiNino in #1754
• Allow precise value entry for alerts via text input by @svenvg93 in #1718
• Add version flag to agent by @svenvg93 in #1639
• Fix race issue with meter threshold colors.
• Add InstallMethod parameter to Windows install script.
• Update Go version and dependencies.

New Contributors

• @VACInc made their first contribution in #1736
• @amirhmoradi made their first contribution in #1729
• @ElioDiNino made their first contribution in #1754
• @raccettura made their first contribution in #1747

Full Changelog: v0.18.3...v0.18.4

This release specifically addresses a scenario, introduced in v25.12.4, where loading the editor of a page, last updated/created by a different user with blank content, would result in an error.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated page document handling to handle empty content instead of throwing an error. (#6026)

This release specifically addresses issues introduced in v25.12.4, where drawings could become non-editable in certain scenarios due to content filtering rules.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated content filter to allow required drawio diagram attributes. (#6026)

This release specifically addresses folder permission issues (often showing as an error when attempting to access content) which could occur from changes introduced in v25.12.4.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated filter caching folder handling to avoid server filesystem permission issues. (#6023)

✨ New Features & Improvements

• @directus/app
  • Added collaboration state (is viewing, is editing) and minor design updates (#26574 by @alvarosabu)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed translation interface being disabled when delete permission not allowed (#26669 by @AlexGaillard)
  • Fixed item comparison failing when special characters are present in manual primary keys (#26668 by @AlexGaillard)
  • Fixed non-editable state for relational fields with custom permissions (#26676 by @HZooly)
  • Added restriction of allowed MIME types to the system file upload interface (#26646 by @AlexGaillard)
• @directus/api
  • Added restriction of allowed MIME types to the system file upload interface (#26646 by @AlexGaillard)

📦 Published Versions

• @directus/app@15.4.0
• @directus/api@33.3.1

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.4 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to SeongYun Moon (@Moonster8282 on GitHub) for their responsible discovery and reporting of this issue.

Additional Update Notices

• Page Content - As of this release, extra layers of filtering have been applied to page content. While we have tried to ensure this has minimal impact on content, it's possible this will lead to extra elements being filtered.
• Option Change - The ALLOW_CONTENT_SCRIPTS env option is now considered deprecated. It's advised to use the APP_CONTENT_FILTERING option, as documented here, instead if needed.

If you experience issues with your page content being over-filtered feel free to raise an issue on GitHub where we can check if the behaviour is intentional or something which needs to be patched.

You can use the new page content filtering option, with a value of jhf which should match the prior version filtering, but this will remove a layer of content filtering security so is not recommend.

Full List of Changes

• Added new option for more granular page filter control.
• Updated page content filtering to detect extra cases, and to apply a more aggressive allow-list style filter.
• Updated application PHP dependencies.

Part-DB 2.7.1

Bug fixes

• Fixed problem that stocktake date of part lot was required when editing part (#1250)
• Fixed problem that part tables had wrong sorting on initial loading
• Fixed german translations related to update manager
• Fixed visual styling of lot table

✨ New Features & Improvements

• @directus/app
  • Added activity logging for explicit user logout (#26638 by @JamesW1)
• @directus/api
  • Added activity logging for explicit user logout (#26638 by @JamesW1)
• @directus/constants
  • Added activity logging for explicit user logout (#26638 by @JamesW1)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed date picker month select offset (#26655 by @HZooly)
  • Fixed issue with opening multiple drawers when editing tree view item (#26656 by @AlexGaillard)
  • Fixed vertical alignment of button fields set to half-width by restoring align-self: baseline in form-field component. (#26653 by @omkarg01)
• @directus/api
  • Fixed GraphQL groupBy collision when a field is named group (#26626 by @dstockton)

📦 Published Versions

• @directus/app@15.3.0
• @directus/api@33.3.0
• @directus/composables@11.2.13
• @directus/constants@14.1.0
• create-directus-extension@11.0.29
• @directus/env@5.5.3
• @directus/extensions@3.0.19
• @directus/extensions-registry@3.0.19
• @directus/extensions-sdk@17.0.9
• @directus/memory@3.1.2
• @directus/pressure@3.0.17
• @directus/schema-builder@0.0.14
• @directus/storage-driver-azure@12.0.17
• @directus/storage-driver-cloudinary@12.0.17
• @directus/storage-driver-gcs@12.0.17
• @directus/storage-driver-s3@12.1.3
• @directus/storage-driver-supabase@3.0.17
• @directus/themes@1.2.4
• @directus/types@14.2.1
• @directus/utils@13.2.2
• @directus/validation@2.0.17

Part-DB 2.7.0

New features

• Allow to set GTIN / EAN numbers for parts
• Some info providers allow to provide GTIN infos
• Allow to mark if supplier prices contain VAT or not. This is especially useful in combination with info providers
• Allow to restrict on which element types attachment types can be applied. For example the "Avatars" attachmen type can only be shown on user attachments
• Added ability to stocktake part lots from info page. This easily allows for setting a specific amount, instead of just adding/removing from an database value. The stocktake date is stored, to give a hint on how reliable the amount left is.
• Delegate part retrieval to buerklin info provider when an buerklin URL is given (@mkne, PR #1235)
• Added API endpoint for label generation (@MayNiklas, PR #1234)
• Added functions to twig labels to retrieve associated parts. This allows to print all parts contained in a storage location (#1239)

Improvements

• Performance optimizations for parts tables
• Autofocus fields for easier workflow (@d-buchmann, PR #1240)
• Allow more functions and filters in twig labels

Bug fixes

• Fixed issue when parts contained % in name (@d-buchmann, PR #1238)
• Do not show a 500 error, if twig labels contains invalid code
• Fixed german translations

Docker

• Removed nodejs from docker images as it is only needed for frontend building. This makes images ~ 25% smaller
• Optimized docker image build flow

Miscellaneous

• Updated dependencies
• Updated GNU Unifont to 17.0.3

Full Changelog: v2.6.0...v2.7.0

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• now possible to upload/delete files while the filesystem-indexer is still busy d44ea24 0ca4c1b
  • global-option fika decides which actions to allow while still indexing; default is upload+copy+delete
  • full deduplication is only guaranteed if this option is set blank, as dupes are allowed while indexing
• #1266 browsers can request thumbnails as jxl images, and view jxl files in the gallery (thx @intelfx!) b2711e0 720c83b 93ffc65 a65a30b a7a25de 59de5e2 16403d8 48c1017 0e8913c
  • only works in browsers which support jxl, which is FINALLY happening (sure took a while)
  • some notes on memory/RAM usage though -- it is fine on Alpine Linux, so docker is also fine, just don't enable mimalloc
    • jxl can be disabled with global-option th-no-jxl if necessary on baremetal deployments until libvips fixes this
• #1265 audioplayer can "skip silence" now (thx @icxes!) 6694998
• #1287 opensearch support for opds (thx @philips!) 84e687a
• #1276 option rw-edit is the list of file-extensions that can be edited as textfiles with only permissions read+write (default is md like before); all other files still require read+write+delete 312f48e d692838
• #1288 option to customize the links copied when selecting files and pressing ctrl-c (thx @icxes!) e5d0a05
• docker: add env-var DI_PREPARTY to run an arbitrary script during startup, for customizations and such bf01ca4

🩹 bugfixes

• #1279 the textfile-viewer would refuse to load huge documents when hotlinked f02e9cf
• #1280 the custom rightclick-menu was enabled in the textfile viewer fc8a4b8
• #1262 logtail now works on windows; would previously take an exclusive-lock on the monitored file, as windows does by default a368fc6

🔧 other changes

• volumes are hidden from the treeview if the name starts with a dot 76041fd
• #1277 descript.ion files no longer require the e2d and e2t options to be enabled 4cb4e82
• chunked PUT-uploads are now terminated if they exceed a configured size limit dfadb5a
• #1282 improved compatibility with GraalPy (thx @vgskye!) e8609b8
• #1292 #1296 updated Esperanto translation (thx @slashdevslashurandom!) 418bf2f 914f84c
• thumbnails: use libvips as fallback for rawpy 27ae2e1
  • libvips doesn't support .arw files (sony) yet, so still need rawpy
• make server config slightly easier:
  • improve xff warnings 96aeb89
  • warn if config-values are quoted 598df44
  • lowercase headernames in configs fd09638

🌠 fun facts

• the fika option sends the filesystem-indexer on a coffee break
• exci wants me to mention aoi yuuki here for some reason :^) so here's gekisou gungnir

⚠️ not the latest version!

Changelog

Bug fixes

• 5440ab3: fix: allow users with create permissions to scan for devices (#1611) (@joshuafhiggins)
• 423b2ce: fix: eslint warnings (@seriousm4x)
• d71fd94: fix: some tailwind class name warnings (@seriousm4x)
• 4ec5c7d: fix: wrong gopher url on login page, close #1589 (@seriousm4x)

Others

• 8528003: add Arabic (ar-SA) translation, RTL & fix SSR navigator error. (#1623) (@AliAlQahtani)
• b50951b: add clarity for UPSNAP_PING_PRIVILEGED setting (#1575) (@invario)
• 9e6c2eb: update deps (@seriousm4x)

Go dependencies

• 8dcb32f: go-dep: bump github.com/pocketbase/dbx from 1.11.0 to 1.12.0 in /backend (@dependabot[bot])
• 33143a1: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 8f2e538: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 2db3082: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 16d4b8e: go-dep: bump github.com/prometheus-community/pro-bing in /backend (@dependabot[bot])
• 7afdc41: go-dep: bump golang.org/x/sys from 0.39.0 to 0.40.0 in /backend (@dependabot[bot])
• 8ae36d6: go-dep: bump golang.org/x/sys from 0.40.0 to 0.41.0 in /backend (@dependabot[bot])

Npm dependencies

• 3e645d4: npm-dep: bump @inlang/cli from 3.0.12 to 3.1.2 in /frontend (@dependabot[bot])
• ed7afbe: npm-dep: bump @inlang/cli from 3.1.2 to 3.1.3 in /frontend (@dependabot[bot])
• 758534b: npm-dep: bump @inlang/cli from 3.1.3 to 3.1.4 in /frontend (@dependabot[bot])
• ddea25d: npm-dep: bump @inlang/cli from 3.1.4 to 3.1.5 in /frontend (@dependabot[bot])
• 37943f8: npm-dep: bump @inlang/cli from 3.1.5 to 3.1.6 in /frontend (@dependabot[bot])
• ecac90e: npm-dep: bump @inlang/paraglide-js from 2.10.0 to 2.11.0 in /frontend (@dependabot[bot])
• c0668bf: npm-dep: bump @inlang/paraglide-js from 2.7.2 to 2.8.0 in /frontend (@dependabot[bot])
• 05e266d: npm-dep: bump @inlang/paraglide-js from 2.8.0 to 2.9.0 in /frontend (@dependabot[bot])
• cb55969: npm-dep: bump @inlang/paraglide-js from 2.9.0 to 2.9.1 in /frontend (@dependabot[bot])
• b3895dc: npm-dep: bump @inlang/paraglide-js from 2.9.1 to 2.10.0 in /frontend (@dependabot[bot])
• 02b4f20: npm-dep: bump @sveltejs/kit from 2.49.3 to 2.49.4 in /frontend (@dependabot[bot])
• ec533cd: npm-dep: bump @sveltejs/kit from 2.49.4 to 2.49.5 in /frontend (@dependabot[bot])
• 14dc307: npm-dep: bump @sveltejs/kit from 2.49.5 to 2.50.0 in /frontend (@dependabot[bot])
• b533c1c: npm-dep: bump @sveltejs/kit from 2.50.0 to 2.50.1 in /frontend (@dependabot[bot])
• 4778f5e: npm-dep: bump @sveltejs/kit from 2.50.1 to 2.50.2 in /frontend (@dependabot[bot])
• b239031: npm-dep: bump cron-parser from 5.4.0 to 5.5.0 in /frontend (@dependabot[bot])
• e3e6626: npm-dep: bump daisyui from 5.5.14 to 5.5.17 in /frontend (@dependabot[bot])
• dc49e87: npm-dep: bump daisyui from 5.5.17 to 5.5.18 in /frontend (@dependabot[bot])
• 04b3e27: npm-dep: bump eslint-plugin-svelte from 3.13.1 to 3.14.0 in /frontend (@dependabot[bot])
• c033f25: npm-dep: bump eslint-plugin-svelte from 3.14.0 to 3.15.0 in /frontend (@dependabot[bot])
• c204c18: npm-dep: bump pocketbase from 0.26.5 to 0.26.6 in /frontend (@dependabot[bot])
• cb7c13b: npm-dep: bump pocketbase from 0.26.6 to 0.26.7 in /frontend (@dependabot[bot])
• c7c31fd: npm-dep: bump pocketbase from 0.26.7 to 0.26.8 in /frontend (@dependabot[bot])
• 88d1edb: npm-dep: bump prettier from 3.7.4 to 3.8.0 in /frontend (@dependabot[bot])
• 2bbaedf: npm-dep: bump prettier from 3.8.0 to 3.8.1 in /frontend (@dependabot[bot])
• c57f12e: npm-dep: bump svelte from 5.46.1 to 5.46.3 in /frontend (@dependabot[bot])
• c759a14: npm-dep: bump svelte from 5.46.3 to 5.46.4 in /frontend (@dependabot[bot])
• f52a9fe: npm-dep: bump svelte from 5.46.4 to 5.47.1 in /frontend (@dependabot[bot])
• 484a13f: npm-dep: bump svelte from 5.47.1 to 5.48.0 in /frontend (@dependabot[bot])
• 43cc9c3: npm-dep: bump svelte from 5.48.0 to 5.48.2 in /frontend (@dependabot[bot])
• 4ed1e44: npm-dep: bump svelte from 5.48.2 to 5.48.3 in /frontend (@dependabot[bot])
• cfe488d: npm-dep: bump svelte from 5.48.3 to 5.48.5 in /frontend (@dependabot[bot])
• 6270ebf: npm-dep: bump svelte from 5.48.5 to 5.49.0 in /frontend (@dependabot[bot])
• 34282ec: npm-dep: bump svelte from 5.49.0 to 5.49.1 in /frontend (@dependabot[bot])
• 9b0e58a: npm-dep: bump svelte from 5.49.1 to 5.49.2 in /frontend (@dependabot[bot])
• 6392527: npm-dep: bump svelte from 5.49.2 to 5.50.0 in /frontend (@dependabot[bot])
• 46bc719: npm-dep: bump svelte from 5.50.0 to 5.50.1 in /frontend (@dependabot[bot])
• c5295d5: npm-dep: bump svelte from 5.50.1 to 5.50.2 in /frontend (@dependabot[bot])
• cd64c27: npm-dep: bump svelte-check from 4.3.5 to 4.3.6 in /frontend (@dependabot[bot])
• 4299799: npm-dep: bump typescript-eslint from 8.52.0 to 8.53.0 in /frontend (@dependabot[bot])
• a6402fc: npm-dep: bump typescript-eslint from 8.53.0 to 8.53.1 in /frontend (@dependabot[bot])
• 7062a47: npm-dep: bump typescript-eslint from 8.53.1 to 8.54.0 in /frontend (@dependabot[bot])
• d3daeeb: npm-dep: bump typescript-eslint from 8.54.0 to 8.55.0 in /frontend (@dependabot[bot])

✨ New Features & Improvements

• @directus/app
  • Added Netlify as a deployment provider (#26594 by @yassilah)
• @directus/api
  • Added Netlify as a deployment provider (#26594 by @yassilah)
• @directus/types
  • Added Netlify as a deployment provider (#26594 by @yassilah)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed only focusing on fields that have a schema (#26622 by @Nitwel)
  • Fixed nested group fields losing values when a condition toggles the group's readonly property (#26563 by @HZooly)
  • Fixed useStores, useApi, and useSdk not working inside Pinia stores in extensions (#26438 by @kekekuli)
  • Fixed manual flow triggers not working in drawer (#26617 by @HZooly)
  • Replaced flatpickr with reka ui primitives (#26502 by @alvarosabu)
  • Fixed block editor readOnly toggle race condition (#26640 by @formfcw)
  • Updated editorjs to fix inline link tool bug (#26639 by @AlexGaillard)
  • Fixed metric list labels to no longer be cut off by bar value labels (#26527 by @Prasad7007)
• @directus/api
  • Fixed asset transformation error when using withoutEnlargement with focal point and dimensions larger than the original image. Target dimensions are now clamped to the original image dimensions. (#26608 by @wotan-allfather)
  • Preserved SQL parameterization in relational count subquery and used content-disposition library for folder zip download header (#26592 by @dstockton)
• @directus/extensions-sdk
  • Fixed linking scoped extensions created nested folders (#25957 by @Nitwel)
• @directus/utils
  • Removed node:assert usage from shared utils (#26614 by @ComfortablyCoding)

📦 Published Versions

• @directus/app@15.2.0
• @directus/api@33.2.0
• @directus/composables@11.2.12
• create-directus-extension@11.0.28
• @directus/env@5.5.2
• @directus/extensions@3.0.18
• @directus/extensions-registry@3.0.18
• @directus/extensions-sdk@17.0.8
• @directus/memory@3.1.1
• @directus/pressure@3.0.16
• @directus/schema-builder@0.0.13
• @directus/storage-driver-azure@12.0.16
• @directus/storage-driver-cloudinary@12.0.16
• @directus/storage-driver-gcs@12.0.16
• @directus/storage-driver-s3@12.1.2
• @directus/storage-driver-supabase@3.0.16
• @directus/themes@1.2.3
• @directus/types@14.2.0
• @directus/utils@13.2.1
• @directus/validation@2.0.16

Part-DB 2.6.0

New features

• Experimental update manager, to update Part-DB from the web interface (thanks to @Sebbeben, PR #1217)
• Added Conrad info provider
• Added a generic info provider, to retrieve basic part infos from many shop URLs
• Allow BOM import via SPNs (thanks @MayNiklas, PR #1209)
• Highlight scanned part lot when scanning a barcode (#968)

Miscellaneous

• Updated dependencies

New Contributors

• @Sebbeben made their first contribution in #1217

Full Changelog: v2.5.1...v2.6.0

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed field selection of 20+ fields in the app returns no selection (#26600 by @ComfortablyCoding)
• @directus/api
  • Fixed field selection of 20+ fields in the app returns no selection (#26600 by @ComfortablyCoding)
  • Improved prompts for using Visual Editor elements inside AI Assistant (#26598 by @bryantgillespie)
• @directus/composables
  • Fixed field selection of 20+ fields in the app returns no selection (#26600 by @ComfortablyCoding)
• @directus/env
  • Fixed field selection of 20+ fields in the app returns no selection (#26600 by @ComfortablyCoding)

📦 Published Versions

• @directus/app@15.1.1
• @directus/api@33.1.1
• @directus/composables@11.2.11
• create-directus-extension@11.0.27
• @directus/env@5.5.1
• @directus/extensions-sdk@17.0.7

⚠️ Potential Breaking Changes

Attached prompts, content items, and visual editor elements to AI Assistant Context (#26512 by @bryantgillespie)
To use this feature, update @directus/visual-editing to v1.2.0+ on your website.

Disabled interfaces are not interactive anymore, which includes opening disabled read-only fields in a drawer (#26470 by @formfcw)

✨ New Features & Improvements

• @directus/app
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
  • Added collaborative editing (#26172 by @Nitwel)
  • Attached prompts, content items, and visual editor elements to AI Assistant Context (#26512 by @bryantgillespie)
  • Added multi-provider AI support with Google and OpenAI-compatible providers. Extracted shared AI types into new @directus/ai package. (#26481 by @bryantgillespie)
  • Added toggle to allow comparing revision to previous revision (#26480 by @robluton)
  • Added relational field support on x-axis of bar chart (#26489 by @JamesW1)
  • Added visual editing support to the live preview split pane, including display options menu, full-width mode with drag-to-expand, and quick access to the Visual Editor module. (#26463 by @bryantgillespie)
  • Changed permission-blocked fields from disabled to non-editable appearance (#26572 by @HZooly)
• @directus/api
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
  • Added collaborative editing (#26172 by @Nitwel)
  • Attached prompts, content items, and visual editor elements to AI Assistant Context (#26512 by @bryantgillespie)
  • Added multi-provider AI support with Google and OpenAI-compatible providers. Extracted shared AI types into new @directus/ai package. (#26481 by @bryantgillespie)
• @directus/sdk
  • Fixed race condition and allow accessing the connected state (#26511 by @Nitwel)
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
• @directus/system-data
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
• @directus/types
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
  • Added collaborative editing (#26172 by @Nitwel)
  • Added multi-provider AI support with Google and OpenAI-compatible providers. Extracted shared AI types into new @directus/ai package. (#26481 by @bryantgillespie)
• @directus/errors
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
• @directus/env
  • Added deployment module for triggering deployments from Directus with Vercel as first supported provider (#26473 by @gaetansenn)
  • Added collaborative editing (#26172 by @Nitwel)
• @directus/utils
  • Added collaborative editing (#26172 by @Nitwel)
• @directus/ai
  • Attached prompts, content items, and visual editor elements to AI Assistant Context (#26512 by @bryantgillespie)
  • Added multi-provider AI support with Google and OpenAI-compatible providers. Extracted shared AI types into new @directus/ai package. (#26481 by @bryantgillespie)
• @directus/memory
  • Added distributed locking (#26172 by @Nitwel)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Replaced deprecated ldapjs with ldapts (#26363 by @dstockton)
  • Fixed an issue where the caret would jump to the end of the input in v-template-input when typing or updating content. (#26520 by @mustafaazad03)
  • Fixed back button navigation on related items (#26553 by @robluton)
  • Fixed table options menu clipping in markdown editor (#26487 by @DamnItAzriel)
  • Hide AI settings page when MCP and AI features are disabled through ENV (#26504 by @bryantgillespie)
  • Updated dependency (#26518 by @rijkvanzanten)
  • Fixed inconsistent disabled state across interfaces (#26470 by @formfcw)
  • Fixed an issue where custom CSS classes applied to PrivateView were not rendered (#26523 by @u12206050)
  • Fixed WYSIWYG interface not rendering when field is named "tooltip" (#26581 by @robluton)
  • Fixed issue preventing sidebar details from being fetched when navigating back (#26542 by @robluton)
  • Fixed Vue warning by passing required prop to interfaces (#26506 by @formfcw)
  • Fixed hardcoded "Loading..." text in field tree by using translation key (#26526 by @sinan-yildiz-marsus)
  • Renamed AI Chat to AI Assistant (#26517 by @bryantgillespie)
• @directus/api
  • Improved error message for system field updates that are not schema.is_indexed (#26548 by @JamesW1)
  • Replaced deprecated ldapjs with ldapts (#26363 by @dstockton)
  • Changed users.last_access display mode to absolute (#26548 by @JamesW1)
• @directus/system-data
  • Added collaborative editing (#26172 by @Nitwel)
  • Added multi-provider AI support with Google and OpenAI-compatible providers. Extracted shared AI types into new @directus/ai package. (#26481 by @bryantgillespie)
  • Changed users.last_access display mode to absolute (#26548 by @JamesW1)
  • Renamed AI Chat to AI Assistant (#26517 by @bryantgillespie)
• @directus/env
  • Fixed LDAP DN properties casted as arrays (#26579 by @ComfortablyCoding)
• @directus/memory
  • Handled empty buffers to prevent errors during race conditions or disconnects (#26172 by @Nitwel)

📦 Published Versions

• @directus/app@15.1.0
• @directus/api@33.1.0
• @directus/ai@1.1.0
• @directus/composables@11.2.10
• create-directus-extension@11.0.26
• @directus/env@5.5.0
• @directus/errors@2.2.0
• @directus/extensions@3.0.17
• @directus/extensions-registry@3.0.17
• @directus/extensions-sdk@17.0.6
• @directus/memory@3.1.0
• @directus/pressure@3.0.15
• @directus/schema-builder@0.0.12
• @directus/storage-driver-azure@12.0.15
• @directus/storage-driver-cloudinary@12.0.15
• @directus/storage-driver-gcs@12.0.15
• @directus/storage-driver-s3@12.1.1
• @directus/storage-driver-supabase@3.0.15
• @directus/system-data@4.1.0
• @directus/themes@1.2.2
• @directus/types@14.1.0
• @directus/utils@13.2.0
• @directus/validation@2.0.15
• @directus/sdk@21.1.0

Notice

• The Windows agent's updated version of LibreHardwareMonitorLib now uses PawnIO instead of WinRing0. If you lose temperature sensors, make sure PawnIO is installed. (See #1657 and #1697.)

• Container NetworkSent and NetworkRecv fields have been deprecated in favor of Bandwidth. Agents will stop populating those fields in 0.19.0, so please update any integrations to prefer Bandwidth. It's available for all containers on hubs >= 0.18.3.

What's Changed

• Add experimental sysfs AMD GPU collector. (#737, #1569)
• Improve container network stats accuracy.
• Fix SHARE_ALL_SYSTEMS for system_details, smart_devices, and systemd_services. (#1660)
• Improve CJK truncation in UI.
• Fix container uptime sorting edge case. (#1696)
• Remove stale systemd services from tracking after deletion. (#1594)
• Update honeypot field name and autofill ignores. (#1011)
• Write health_file to /dev/shm instead of /tmp if available. (#1455)
• Ensure battery current charge doesn't exceed full capacity. (#1668)
• Increase smartctl --scan timeout to 10 seconds. (#1465)
• Update Go dependencies

• Change usermod to addgroup for docker access by @wowi42 in #1641
• fix: update smartctlArgs call to use hasExistingData flag by @nemvince in #1645
• feat: add tooltip to system name in systems table by @Fahleen1 in #1640
• chore: update workflows and templates by @svenvg93 in #1661
• Add SMART_DEVICES_SEPARATOR + allow drives with the same name to be added with different types (e.g. raid controllers) by @jules2689 in #1655
• Chore: Remove Debian package goreleaser workaround by @svenvg93 in #1677
• [Agent] feat: parse ATA device statistics for temperature and future metrics by @sternma in #1689
• [Bug] Restore "Add System" button on mobile. by @svenvg93 in #1687
• Bug: Apply SELinux context after binary replacement by @svenvg93 in #1678
• feat: Added tooltips for navbar buttons to clear meaning of each one by @Fahleen1 in #1636
• Bug: Don't force lowercase text by @svenvg93 in #1682
• fix: update LibreHardwareMonitorLib to 0.9.5 by @bartvdbraak in #1697
• bug: ignore alt key combinations by @svenvg93 in #1698

New Contributors

• @wowi42 made their first contribution in #1641
• @nemvince made their first contribution in #1645
• @Fahleen1 made their first contribution in #1640
• @jules2689 made their first contribution in #1655
• @sternma made their first contribution in #1689
• @bartvdbraak made their first contribution in #1697

Full Changelog: v0.18.2...v0.18.3

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• #1264 now possible to grant the get permission when creating a share 95b827f
  • the button was already there, but until now it did nothing

🩹 bugfixes

• a safeguard (24141b4) added in v1.20.5 was too strict and would block requests from certain reverseproxies, specifically anything that adds X-Forwarded-HTTP-Version 72224d2

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• #1240 webdav clients can now set fractional last-modified timestamps (thx @jcwillox!) 296362f
• #1260 add support for running the server with GraalPy (thx @vgskye!) 73d06ea
• #1182 pressing CTRL-C will copy links of selected files to clipboard 9c14972

🩹 bugfixes

• #1248 shares: fix the buttons for extending expiration time b6bf6d5
• #1242 webdav: fix «MacOS Finder» taking forever to connect (thx @freddyheppell!) 8e046fb
• ie11 would spinlock in write-only folders 5c4ba37

🔧 other changes

• fast again! ed6a8d5
  • replaced the connection:close band-aid added in v1.20.4 with a proper fix that doesn't make things slower behind reverseproxies
  • I've tried everything I can think of (with nginx as reverseproxy) and can't notice any difference in behavior, but please let me know if this breaks anything for you 🙏
• #1245 updated Portuguese translation (thx @000yesnt!) 69fa1d1
• #1259 OpenRC: add command to test config (thx @lotsospaghetti!) 79273a7
• #1257 removed the nth global-option because it was never implemented (thx @stackxp!) 22cdc0f
• syntax highlighter: added languages nasm + nix, removed autohotkey + cmake b20d325

🌠 fun facts

• http/1.1 still tends to be faster than http/2 and http/3 for large transfers which is the main reason copyparty hasn't made the change
  • eh, not really a fun fact I suppose ┐( ´ w `)┌

⚠️ not the latest version!

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.3 has been released.

This is a security release to address a vulnerability where form elements in page content could be used to trick more privileged users into making API requests.

We strongly advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Joud Zakharia of zentrust partners GmbH for the discovery of this vulnerability, and thanks to Sven Faßbender of zentrust partners GmbH for their responsible disclosure and great communication of this issue.

Additional Update Notices

• Page Content - As of this release, most types of form content are now removed from page content on render. If you applied customizations which made use of in-page form content, you may now need to find alternative methods.

Full List of Changes

• Updated application PHP dependencies.
• Updated session-based API authentication to only be active for GET requests.
• Updated page content filtering to remove many common form elements & attributes.
• Updated translations with latest Crowdin changes. (#5997)

Part-DB 2.5.1

Improvements

• When using the "upload files" button automatically determine a fitting attachment type based on extension
• Support SPN columns for all suppliers as columns in BOM imports, not only LCSC (PR#1208, thanks @MayNiklas)

Bug fixes

• Disable the ID search by default, like intended in PR #1184
• Use correct language for sidebar trees, even if no user is logged in
• Prevent ordering of extra column in log tables, as this errors on Postgres and has no real use
• Show an error popup instead of a 500 page when info provider retrieval fails
• Added clear button for part select input in BOMs (#1156)

Miscellaneous

• Updated dependencies
• Updated translations

New Contributors

• @MayNiklas made their first contribution in #1208

Full Changelog: v2.5.0...v2.5.1

• Milestone

This is a release focussing on bug fixing, in particular regressions from the release 1.28.0.

Selected new features ✨:

• New customisable message for closed registrations
• Add username in Apache access logs (also in Docker logs): for GReader API, and for HTTP Basic Auth from reverse proxy

Improved performance 🏎️:

• Disable counting articles in user labels for Ajax requests (unused)

Many bug fixes 🐛

This release has been made by @Alkarex, @Frenzie, @Inverle and newcomers @ciro-mota, @eveiscoull, @hackerman70000, @Hufschmidt, @johan456789, @martgnz, @mmeier86, @netsho, @neuhaus, @RobLoach, @rupakbajgain.

Full changelog:

• Features
  • Handle Web scraping of text/plain as <pre class="text-plain"> #8340
  • New customisable message for closed registrations #8462
• Bug fixing
  • Fix unwanted expansion of user queries (saved searches) applied to filters #8395
  • Fix encoding of filter actions for labels #8368
  • Fix searching of tags #8425
  • Fix refreshing feeds with token while anonymous refresh is disabled #8371
  • Fix RSS and OPML access by token #8434
  • Fix MySQL/MariaDB transliterator_transliterate fallback (when the php-intl extension is unavailable) #8427
  • Fix regression with MySQL/MariaDB index hint #8460
  • Auto-add lastUserModified database column also during mark-as-read action #8346
  • Do not include hidden feeds when counting unread articles in categories #8357
  • Remove wrong PHP deprecation of OPML export action #8399
  • Fix shortcut for next unread article #8466
  • Fix custom session.cookie-lifetime #8446
  • Fix feed validator button when changing the feed URL #8436
• Performance
  • Disable counting articles in user labels for Ajax requests (unused) #8352
• Security
  • Change Content-Disposition: inline to attachment in f.php #8344
  • Hardened user methods exists, mtime, ctime #26c1102
• Deployment
  • Add username in Apache access logs (also in Docker logs): for GReader API, and for HTTP Basic Auth from reverse proxy #8392
• SimplePie
  • Update of CURLOPT_ACCEPT_ENCODING #8376, simplepie#960, simplepie#962
  • Fix don’t preserve children inside disallowed <template> element #8443
  • Fixes before PHPStan 2 #8445, simplepie#957
• Extensions
  • Update .gitignore to ignore installed extensions #8372
• UI
  • Add data-category="3" to ease custom CSS styling of articles #8397
  • Fix space between By: and the author’s name #8422
• I18n
  • Improve Brazilian Portuguese #8411
  • Improve Dutch #8403
  • Improve German #8402
  • Improve Polish #8408
  • Improve Spanish #8464
• Misc.
  • Update dev dependencies #8387, #8388, #8389,
    #8390, #8391, #8393,
    #8453

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated translations with latest Crowdin changes. (#5970)
• Updated PHP dependency versions.

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🩹 bugfixes

• #1235 rightclick-menu: fix creating new files/folders in gridview (thx @SpaceXCheeseWheel!) ffca67f
• #1231 fix http desync if the urlform global-option was changed to get
  • this initial fix only applies when reverse-proxied, in which case copyparty will now always connection:close (don't reuse tcp/uds connections), as giving each client a fresh socket helps avoid all such issues e1eff21 b4fddbc
  • the expected performance impact from this change is near-zero for real use, even if benchmarks show a 40% reduction in requests/sec in the absolute-worst-case (burst of cheap requests)
  • a future version will also fix this issue for non-proxied clients

🔧 other changes

• #1229 updated the Esperanto translation (thx @slashdevslashurandom!) 1142ac2
• #1232 shares: if an external domain is configured, then show both the LAN and external link for each share 81e5eb7

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• send-message-to-serverlog now also available as url-parameter ?smsg=foo 6dcb1ef
  • option smsg configures which HTTP-methods to allow; can be set to GET,POST but default is only POST because GET is dangerous (CSRF)

🩹 bugfixes

• #1227 dillo was not able to login because dillo is more standards-compliant than every other browser (nice) b4df8fa
• a web-scraper which got banned for making malicious requests could remain banned for one request longer than intended (wait why did I fix this) ba67b27
• ?ls was still a bit jank 0a3a807

🌠 fun facts

• this 6AM release was powered by void/mournfinale
• was going to name the release "dilla på dillo" but somehow google-translate thinks that means "fuck on fuck" which would have been inappropriate

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

• v1.19.8 (2025-09-07) fixed CVE-2025-58753 (a missing permission-check inside single-file shares)
• v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled

🧪 new features

• #1212, #1214 range-select in the grid-view by click-and-drag (thx @icxes!) 3e3228e 72c5940
• #134 xattrs (linux extended file attributes) can now be indexed and searchable 8240ef6
• rightclick-menu:
  • #1184 add rename option (thx @stackxp!) 25a8b96
  • #1216 add sharing options (thx @stackxp!) ffb2560
  • #1198, #1206 also works in the search-results view (thx @hackysphere!) 04f612f d32704e
• option to override the domain in certain links, so copyparty returns an external URL even if you're accessing it by a LAN address:
  • #1211 newly created shares 41d3bae
  • #255 newly uploaded files d925553
• new option vol-nospawn (volflag nospawn) to not automatically create the volume's folder on the server's HDD if it doesn't exist
• new option vol-or-crash (volflag assert_root) to intentionally crash on startup if a volume's folder doesn't already exist on the server HDD
• new option --flo to tweak the log-format used by the -lo option for logging to a file 826e84c
• #1197 u2c (commandline uploader): give up and crash if server is offline for longer than 3 minutes (configurable) 67c5d8d

🩹 bugfixes

• #1203 configured chmod/chown rules were not applied when a file was being deduped bef0772
• the unlistc* volflags could not be specified for single-file volumes 2664891
• the defensive renaming of uploaded readmes/logues would assume the default filenames, not considering the recently added option to customize these names c17c3be
• #1191 the ipu option can once again be used to reject connections from certain IP-ranges caf831f
  • this was a regression in v1.19.21 causing the server to crash on startup if such a config was attempted
• some empty folders could be created during startup in certain server-configs with nested volumes 4e67b46
• api: trying to ?ls nested virtual folders could return an error 6675039
• ui/ux:
  • #1179 improve errormessage if audio transcoding fails 7357d46
  • ensure a trailing slash when viewing a folder with the h permission; good for relative links in html-files

🔧 other changes

• #1193, #1194: NixOS improvements (thx @toast003!) 9d223d6 d5a8a34
• truncate huge errormessages from ffmpeg so the log doesn't get flooded 3aebfab
• ui/ux:
  • the dl button (to download selected files individually) now skips folders, since that never worked bc24604
  • #1200 add html classes to make custom styling easier c46cd7f
  • rephrase errormessages from see serverlog to see fileserver log
• docs:
  • mention in the readme that uploading files from a deeply nested folder using a webbrowser on Windows can fail because browsers don't handle the max-pathlen limitation of Windows optimally (not a copyparty-specific issue, but still hits us)

🌠 fun facts

• n/a; no fun has been had since v1.20.0
  • (that's a lie btw, sniffing the airwaves is pretty darn fun 😁)

⚠️ not the latest version!

Part-DB 2.5.0

New features

• Added console command to change database platform (e.g. from sqlite to mysql, or mysql to postgresql)
• Added a ability to search for part IDs from searchfields (thanks @kernchen-brc, #1184)

Improvements

• Do not mark new categories excluded from simulation in KiCAD, to avoid annoying symbols in KiCad (thanks @lukas-runge , #1192)
• Optimized frontend file sizes a bit

Bug fixes

• Fixed OEMSecretsProvider (thanks @d-buchmann, #1187)
• Fixed CSRF issue with barcode scanner (thanks @swdee, #1197)

Miscellaneous

• Updated dependencies

New Contributors

• @kernchen-brc made their first contribution in #1184
• @swdee made their first contribution in #1191
• @lukas-runge made their first contribution in #1192

Full Changelog: v2.4.0...v2.5.0