Changelog

Bug fixes

• 3caa62b: fix: frontend error when devices share same mac address, close #1702 (@seriousm4x)
• 48a8c73: fix: loop in shutdown code rewritten to work properly (#1695) (@invario)

Others

• 9dac3e9: Add ability for device/network scan when rootless (#1700) (@invario)
• 66e08ad: frontend: use @tailwindcss/vite instead of postcss (@seriousm4x)
• 85b49de: scan: flex-col inputs (@seriousm4x)
• c2bf398: small fixes (@seriousm4x)
• d31a6ef: update deps (@seriousm4x)
• 1d361e3: update ping privileged/unprivileged logic (#1586) (@invario)

Go dependencies

• 20e2520: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• c5613a5: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 288deda: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 457a17c: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 190f87d: go-dep: bump golang.org/x/sys from 0.41.0 to 0.42.0 in /backend (@dependabot[bot])

Npm dependencies

• be94f35: npm-dep: bump @eslint/js from 9.39.2 to 9.39.3 in /frontend (@dependabot[bot])
• 84a362a: npm-dep: bump @eslint/js from 9.39.3 to 9.39.4 in /frontend (@dependabot[bot])
• 9f00286: npm-dep: bump @inlang/cli from 3.1.6 to 3.1.7 in /frontend (@dependabot[bot])
• 91eab52: npm-dep: bump @inlang/paraglide-js from 2.11.0 to 2.12.0 in /frontend (@dependabot[bot])
• 06b4626: npm-dep: bump @inlang/paraglide-js from 2.12.0 to 2.13.0 in /frontend (@dependabot[bot])
• 969ded6: npm-dep: bump @inlang/paraglide-js from 2.13.0 to 2.13.1 in /frontend (@dependabot[bot])
• f794681: npm-dep: bump @inlang/paraglide-js from 2.13.1 to 2.13.2 in /frontend (@dependabot[bot])
• 0acba76: npm-dep: bump @inlang/paraglide-js from 2.13.2 to 2.14.0 in /frontend (@dependabot[bot])
• 5c5b908: npm-dep: bump @inlang/paraglide-js from 2.14.0 to 2.15.0 in /frontend (@dependabot[bot])
• e4ab3c3: npm-dep: bump @sveltejs/kit from 2.51.0 to 2.52.0 in /frontend (@dependabot[bot])
• 0bead88: npm-dep: bump @sveltejs/kit from 2.52.0 to 2.52.2 in /frontend (@dependabot[bot])
• 1e168d4: npm-dep: bump @sveltejs/kit from 2.52.2 to 2.53.0 in /frontend (@dependabot[bot])
• ad36a40: npm-dep: bump @sveltejs/kit from 2.53.0 to 2.53.1 in /frontend (@dependabot[bot])
• ebd3e01: npm-dep: bump @sveltejs/kit from 2.53.1 to 2.53.3 in /frontend (@dependabot[bot])
• c57adf8: npm-dep: bump @sveltejs/kit from 2.53.3 to 2.53.4 in /frontend (@dependabot[bot])
• e09b968: npm-dep: bump @sveltejs/kit from 2.53.4 to 2.54.0 in /frontend (@dependabot[bot])
• b39857b: npm-dep: bump @sveltejs/kit from 2.54.0 to 2.55.0 in /frontend (@dependabot[bot])
• 01dcca3: npm-dep: bump @tailwindcss/postcss from 4.1.18 to 4.2.0 in /frontend (@dependabot[bot])
• 81e252b: npm-dep: bump @tailwindcss/postcss from 4.2.0 to 4.2.1 in /frontend (@dependabot[bot])
• d6604b2: npm-dep: bump @tailwindcss/postcss from 4.2.1 to 4.2.2 in /frontend (@dependabot[bot])
• 835f5b9: npm-dep: bump daisyui from 5.5.18 to 5.5.19 in /frontend (@dependabot[bot])
• a2d6d73: npm-dep: bump eslint from 9.39.2 to 9.39.3 in /frontend (@dependabot[bot])
• 3bf1ba5: npm-dep: bump eslint from 9.39.3 to 9.39.4 in /frontend (@dependabot[bot])
• 29c99ed: npm-dep: bump eslint-plugin-svelte from 3.15.0 to 3.15.1 in /frontend (@dependabot[bot])
• faeed49: npm-dep: bump eslint-plugin-svelte from 3.15.1 to 3.15.2 in /frontend (@dependabot[bot])
• e6d2992: npm-dep: bump postcss from 8.5.6 to 8.5.8 in /frontend (@dependabot[bot])
• cea0136: npm-dep: bump prettier-plugin-svelte from 3.4.1 to 3.5.0 in /frontend (@dependabot[bot])
• b09510f: npm-dep: bump prettier-plugin-svelte from 3.5.0 to 3.5.1 in /frontend (@dependabot[bot])
• 28ef84d: npm-dep: bump svelte from 5.50.3 to 5.51.2 in /frontend (@dependabot[bot])
• 58136f2: npm-dep: bump svelte from 5.51.2 to 5.51.3 in /frontend (@dependabot[bot])
• 0b7c4a6: npm-dep: bump svelte from 5.51.3 to 5.53.0 in /frontend (@dependabot[bot])
• d99d19b: npm-dep: bump svelte from 5.53.0 to 5.53.3 in /frontend (@dependabot[bot])
• 88d333d: npm-dep: bump svelte from 5.53.10 to 5.53.11 in /frontend (@dependabot[bot])
• ed83590: npm-dep: bump svelte from 5.53.11 to 5.53.12 in /frontend (@dependabot[bot])
• 2e69ba9: npm-dep: bump svelte from 5.53.12 to 5.54.0 in /frontend (@dependabot[bot])
• 4f1ec6c: npm-dep: bump svelte from 5.53.3 to 5.53.5 in /frontend (@dependabot[bot])
• d6300e8: npm-dep: bump svelte from 5.53.5 to 5.53.6 in /frontend (@dependabot[bot])
• 07d7bec: npm-dep: bump svelte from 5.53.6 to 5.53.7 in /frontend (@dependabot[bot])
• 78068c1: npm-dep: bump svelte from 5.53.7 to 5.53.9 in /frontend (@dependabot[bot])
• 1273d1b: npm-dep: bump svelte from 5.53.9 to 5.53.10 in /frontend (@dependabot[bot])
• f299c9d: npm-dep: bump svelte-check from 4.3.6 to 4.4.0 in /frontend (@dependabot[bot])
• 6819248: npm-dep: bump svelte-check from 4.4.0 to 4.4.1 in /frontend (@dependabot[bot])
• 2d55e9f: npm-dep: bump svelte-check from 4.4.1 to 4.4.3 in /frontend (@dependabot[bot])
• 13a06a5: npm-dep: bump svelte-check from 4.4.3 to 4.4.4 in /frontend (@dependabot[bot])
• cddad0f: npm-dep: bump svelte-check from 4.4.4 to 4.4.5 in /frontend (@dependabot[bot])
• 745094b: npm-dep: bump tailwindcss from 4.1.18 to 4.2.0 in /frontend (@dependabot[bot])
• db528a9: npm-dep: bump tailwindcss from 4.2.0 to 4.2.1 in /frontend (@dependabot[bot])
• 611c4d2: npm-dep: bump tailwindcss from 4.2.1 to 4.2.2 in /frontend (@dependabot[bot])
• e997211: npm-dep: bump typescript-eslint from 8.55.0 to 8.56.0 in /frontend (@dependabot[bot])
• 7498a69: npm-dep: bump typescript-eslint from 8.56.0 to 8.56.1 in /frontend (@dependabot[bot])
• 0766482: npm-dep: bump typescript-eslint from 8.56.1 to 8.57.0 in /frontend (@dependabot[bot])
• 52f00c4: npm-dep: bump typescript-eslint from 8.57.0 to 8.57.1 in /frontend (@dependabot[bot])

Github Actions

• fb0f9f0: gh-action: bump actions/download-artifact from 7 to 8 (@dependabot[bot])
• 285f8dc: gh-action: bump actions/upload-artifact from 6 to 7 (#1665) (@dependabot[bot])
• 9c0f6e1: gh-action: bump docker/build-push-action from 6 to 7 (#1680) (@dependabot[bot])
• 7f3020d: gh-action: bump docker/login-action from 3 to 4 (@dependabot[bot])
• ca3fb1c: gh-action: bump docker/metadata-action from 5 to 6 (@dependabot[bot])
• 6cf9539: gh-action: bump docker/setup-buildx-action from 3 to 4 (@dependabot[bot])
• 8301cad: gh-action: bump docker/setup-qemu-action from 3 to 4 (@dependabot[bot])
• 0232a43: gh-action: bump goreleaser/goreleaser-action from 6 to 7 (@dependabot[bot])
• 9bed4f4: gh-action: bump pnpm/action-setup from 4 to 5 (@dependabot[bot])

Changelog

Bug fixes

• 3caa62b: fix: frontend error when devices share same mac address, close #1702 (@seriousm4x)
• 48a8c73: fix: loop in shutdown code rewritten to work properly (#1695) (@invario)

Others

• 9dac3e9: Add ability for device/network scan when rootless (#1700) (@invario)
• 66e08ad: frontend: use @tailwindcss/vite instead of postcss (@seriousm4x)
• c2bf398: small fixes (@seriousm4x)
• d31a6ef: update deps (@seriousm4x)
• 1d361e3: update ping privileged/unprivileged logic (#1586) (@invario)

Go dependencies

• 20e2520: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• c5613a5: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 288deda: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 457a17c: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 190f87d: go-dep: bump golang.org/x/sys from 0.41.0 to 0.42.0 in /backend (@dependabot[bot])

Npm dependencies

• be94f35: npm-dep: bump @eslint/js from 9.39.2 to 9.39.3 in /frontend (@dependabot[bot])
• 84a362a: npm-dep: bump @eslint/js from 9.39.3 to 9.39.4 in /frontend (@dependabot[bot])
• 9f00286: npm-dep: bump @inlang/cli from 3.1.6 to 3.1.7 in /frontend (@dependabot[bot])
• 91eab52: npm-dep: bump @inlang/paraglide-js from 2.11.0 to 2.12.0 in /frontend (@dependabot[bot])
• 06b4626: npm-dep: bump @inlang/paraglide-js from 2.12.0 to 2.13.0 in /frontend (@dependabot[bot])
• 969ded6: npm-dep: bump @inlang/paraglide-js from 2.13.0 to 2.13.1 in /frontend (@dependabot[bot])
• f794681: npm-dep: bump @inlang/paraglide-js from 2.13.1 to 2.13.2 in /frontend (@dependabot[bot])
• 0acba76: npm-dep: bump @inlang/paraglide-js from 2.13.2 to 2.14.0 in /frontend (@dependabot[bot])
• 5c5b908: npm-dep: bump @inlang/paraglide-js from 2.14.0 to 2.15.0 in /frontend (@dependabot[bot])
• e4ab3c3: npm-dep: bump @sveltejs/kit from 2.51.0 to 2.52.0 in /frontend (@dependabot[bot])
• 0bead88: npm-dep: bump @sveltejs/kit from 2.52.0 to 2.52.2 in /frontend (@dependabot[bot])
• 1e168d4: npm-dep: bump @sveltejs/kit from 2.52.2 to 2.53.0 in /frontend (@dependabot[bot])
• ad36a40: npm-dep: bump @sveltejs/kit from 2.53.0 to 2.53.1 in /frontend (@dependabot[bot])
• ebd3e01: npm-dep: bump @sveltejs/kit from 2.53.1 to 2.53.3 in /frontend (@dependabot[bot])
• c57adf8: npm-dep: bump @sveltejs/kit from 2.53.3 to 2.53.4 in /frontend (@dependabot[bot])
• e09b968: npm-dep: bump @sveltejs/kit from 2.53.4 to 2.54.0 in /frontend (@dependabot[bot])
• b39857b: npm-dep: bump @sveltejs/kit from 2.54.0 to 2.55.0 in /frontend (@dependabot[bot])
• 01dcca3: npm-dep: bump @tailwindcss/postcss from 4.1.18 to 4.2.0 in /frontend (@dependabot[bot])
• 81e252b: npm-dep: bump @tailwindcss/postcss from 4.2.0 to 4.2.1 in /frontend (@dependabot[bot])
• d6604b2: npm-dep: bump @tailwindcss/postcss from 4.2.1 to 4.2.2 in /frontend (@dependabot[bot])
• 835f5b9: npm-dep: bump daisyui from 5.5.18 to 5.5.19 in /frontend (@dependabot[bot])
• a2d6d73: npm-dep: bump eslint from 9.39.2 to 9.39.3 in /frontend (@dependabot[bot])
• 3bf1ba5: npm-dep: bump eslint from 9.39.3 to 9.39.4 in /frontend (@dependabot[bot])
• 29c99ed: npm-dep: bump eslint-plugin-svelte from 3.15.0 to 3.15.1 in /frontend (@dependabot[bot])
• faeed49: npm-dep: bump eslint-plugin-svelte from 3.15.1 to 3.15.2 in /frontend (@dependabot[bot])
• e6d2992: npm-dep: bump postcss from 8.5.6 to 8.5.8 in /frontend (@dependabot[bot])
• cea0136: npm-dep: bump prettier-plugin-svelte from 3.4.1 to 3.5.0 in /frontend (@dependabot[bot])
• b09510f: npm-dep: bump prettier-plugin-svelte from 3.5.0 to 3.5.1 in /frontend (@dependabot[bot])
• 28ef84d: npm-dep: bump svelte from 5.50.3 to 5.51.2 in /frontend (@dependabot[bot])
• 58136f2: npm-dep: bump svelte from 5.51.2 to 5.51.3 in /frontend (@dependabot[bot])
• 0b7c4a6: npm-dep: bump svelte from 5.51.3 to 5.53.0 in /frontend (@dependabot[bot])
• d99d19b: npm-dep: bump svelte from 5.53.0 to 5.53.3 in /frontend (@dependabot[bot])
• 88d333d: npm-dep: bump svelte from 5.53.10 to 5.53.11 in /frontend (@dependabot[bot])
• ed83590: npm-dep: bump svelte from 5.53.11 to 5.53.12 in /frontend (@dependabot[bot])
• 2e69ba9: npm-dep: bump svelte from 5.53.12 to 5.54.0 in /frontend (@dependabot[bot])
• 4f1ec6c: npm-dep: bump svelte from 5.53.3 to 5.53.5 in /frontend (@dependabot[bot])
• d6300e8: npm-dep: bump svelte from 5.53.5 to 5.53.6 in /frontend (@dependabot[bot])
• 07d7bec: npm-dep: bump svelte from 5.53.6 to 5.53.7 in /frontend (@dependabot[bot])
• 78068c1: npm-dep: bump svelte from 5.53.7 to 5.53.9 in /frontend (@dependabot[bot])
• 1273d1b: npm-dep: bump svelte from 5.53.9 to 5.53.10 in /frontend (@dependabot[bot])
• f299c9d: npm-dep: bump svelte-check from 4.3.6 to 4.4.0 in /frontend (@dependabot[bot])
• 6819248: npm-dep: bump svelte-check from 4.4.0 to 4.4.1 in /frontend (@dependabot[bot])
• 2d55e9f: npm-dep: bump svelte-check from 4.4.1 to 4.4.3 in /frontend (@dependabot[bot])
• 13a06a5: npm-dep: bump svelte-check from 4.4.3 to 4.4.4 in /frontend (@dependabot[bot])
• cddad0f: npm-dep: bump svelte-check from 4.4.4 to 4.4.5 in /frontend (@dependabot[bot])
• 745094b: npm-dep: bump tailwindcss from 4.1.18 to 4.2.0 in /frontend (@dependabot[bot])
• db528a9: npm-dep: bump tailwindcss from 4.2.0 to 4.2.1 in /frontend (@dependabot[bot])
• 611c4d2: npm-dep: bump tailwindcss from 4.2.1 to 4.2.2 in /frontend (@dependabot[bot])
• e997211: npm-dep: bump typescript-eslint from 8.55.0 to 8.56.0 in /frontend (@dependabot[bot])
• 7498a69: npm-dep: bump typescript-eslint from 8.56.0 to 8.56.1 in /frontend (@dependabot[bot])
• 0766482: npm-dep: bump typescript-eslint from 8.56.1 to 8.57.0 in /frontend (@dependabot[bot])
• 52f00c4: npm-dep: bump typescript-eslint from 8.57.0 to 8.57.1 in /frontend (@dependabot[bot])

Github Actions

• fb0f9f0: gh-action: bump actions/download-artifact from 7 to 8 (@dependabot[bot])
• 285f8dc: gh-action: bump actions/upload-artifact from 6 to 7 (#1665) (@dependabot[bot])
• 9c0f6e1: gh-action: bump docker/build-push-action from 6 to 7 (#1680) (@dependabot[bot])
• 7f3020d: gh-action: bump docker/login-action from 3 to 4 (@dependabot[bot])
• ca3fb1c: gh-action: bump docker/metadata-action from 5 to 6 (@dependabot[bot])
• 6cf9539: gh-action: bump docker/setup-buildx-action from 3 to 4 (@dependabot[bot])
• 8301cad: gh-action: bump docker/setup-qemu-action from 3 to 4 (@dependabot[bot])
• 0232a43: gh-action: bump goreleaser/goreleaser-action from 6 to 7 (@dependabot[bot])
• 9bed4f4: gh-action: bump pnpm/action-setup from 4 to 5 (@dependabot[bot])

Security Release

• Update Instructions
• Update details on blog

This is a security release to address a vulnerability where page content, which should be hidden by permissions, could be visible during certain markdown exports.

We strongly advise that you update your instance if you use permissions to control page visibility.

Thanks to Ghufran Raza Khan (GitHub Profile, LinkedIn Profile) for responsibly reporting this issue.
Also thanks to Alex Dan (GitHub Profile) for also reporting this before public announcement.

Full List of Changes

• Updated queries used for pages in markdown exports.
• Updated handling of filenames for file serving.
• Updated PHP package versions.

Part-DB 2.9.1

Improvements

• Removed MPN fallback from LCSC barcode scanner, the SPN field is used instead for part matching (#1302)
• Automatically detect the delimiter on generic CSV BOM imports

Bug fixes

• Fixed intendation of EDA visibility checkboxes
• Fixed SAML login button (#1308, thanks to @mowoe)
• Fixed problem of GenericWeb info provider when used behind traefik (#1296)
• Fixed 500 error, when mapping in generic CSV BOM import fails (#1298)
• Fixed 500 error with displaying part prices, when a user has a currency preference different of base currency, and there is no conversion rate known for it (#1317)

Miscellaneous

• Updated dependencies
• Updated translations
• Updated kicad symbols

New Contributors

• @mowoe made their first contribution in #1308

Full Changelog: v2.9.0...v2.9.1

Links

• Release video overview
• Update instructions
• Update details on blog

Upgrade Notices

• Email/SMTP - The way BookStack sends messages has changed slightly (Specifically, the SMTP HELO domain). This isn't expected to be a breaking change but testing of emails (Using the test send action in Settings > Maintenance) is advised after updating to be sure there's no impact.
• Theme System - Within a theme directory, the modules/ folder is now dedicated to theme modules. If you happened to already have a folder of this name in your theme, it's advised to use a different folder name instead.

Full List of Changes

Released in v26.03

• Added new module system to the theme system. (#5998)
• Added logical theme events for page content render and pre-save. (#6049)
• Added logical theme event and class to allow inserting custom views before/after others. (#5998)
• Added logical theme event to allow customising the OIDC authentication URL. (#6014)
• Updated book delete to return to the parent shelf in a shelf context. (#6029)
• Updated book read API endpoint to provide parent shelf information. (#6006)
• Updated cursor to pointer for drawio diagrams. Thanks to @lublak. (#5864)
• Updated description for per-page display limits. (#6005)
• Updated emails to use the domain from the APP_URL in the SMTP HELO. (#5990)
• Updated translations with latest Crowdin changes. (#6007)
• Fixed empty extra space showing for descriptions when the input is left empty. (#5724)

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.9 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area in some revision views, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Alex Dan (@windbreaker555 on GitHub) for their responsible discovery and reporting of this issue.

Full List of Changes

• Updated page revision diffs to use content filtering.
• Updated preference change redirect with stronger origin checks.
• Updated application PHP dependencies.

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

⚠️ ATTN: this release fixes an ftp/sftp issue with shares

• GHSA-67rw-2x62-mqqm: when a share is created for just one or more files inside a folder, it was possible to use FTP or SFTP to access the other files inside that folder by guessing the filenames
  • so ignore this issue if you did not enable ftp or sftp in the server config
• it was not possible to descend into subdirectories in this manner; only the sibling files were accessible
• NOTE: this does NOT affect filekeys; this is specifically regarding the shr global-option
• password-protected shares were not affected through SFTP, only FTP

this release also fixes GHSA-rcp6-88mm-9vgf but that one is nothing to worry about

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

• features? in this econonmy?? ain't nobody got time for that

🩹 bugfixes

• 66f1ef6 GHSA-67rw-2x62-mqqm (shares)
• 9f9d30f GHSA-rcp6-88mm-9vgf (the other thing)

🌠 fun facts

• the first cve is still by far the worst, none of the others even close... so at least that's nice
  • if you saw the cve notification and got all worked up, here's some comfy music to relax and upgrade copyparty to

⚠️ not the latest version!

✨ New Features & Improvements

• @directus/system-data
  • Updated latest models for Anthropic, Google, and OpenAI providers (#26865 by @bryantgillespie)
• @directus/ai
  • Updated latest models for Anthropic, Google, and OpenAI providers (#26865 by @bryantgillespie)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed creation of related item with empty or default state (#26844 by @powerseed)
  • Added field level MIME type restriction to file-image interface (#26831 by @AlexGaillard)
  • Fixed AI tool approval flow hanging after approving provider-executed tools. (#26839 by @bryantgillespie)
  • Fixed custom Vue operation options to persist edited values in Flow settings. (#26832 by @AbdelhamidKhald)
  • Fixed an invalid filter for M2M interfaces when the item Id is null (#26857 by @ComfortablyCoding)
  • Fixed folder navigation state being lost when reopening file selection drawer (#26649 by @costajohnt)
  • Enforced MIME type allow list on remaining v-uploads missed in first round (#26821 by @robluton)
  • Fixed client side validation breaking in drawer when dynamic variable is present. (#26795 by @powerseed)
  • Fixed Visual Editor stripping trailing slashes from URLs (#26823 by @formfcw)
  • Enabled conditional styling for string fields in pie and donut charts. (#26776 by @vizzv)
  • Updated AI SDK dependencies to latest version (#26856 by @bryantgillespie)
  • Fixed save-as-copy failing on collections with many duplication fields (#26814 by @gaetansenn)
  • Improved redirect handling (#26870 by @br41nslug)
  • Fixed unable to click on m2o fields arrow icon to open drawer (#26822 by @robluton)
• @directus/api
  • Updated AI SDK dependencies to latest version (#26856 by @bryantgillespie)
  • Improved redirect handling (#26870 by @br41nslug)
  • Fixed countAll generating an incorrect query (#26774 by @tysoncung)
  • Updated TUS validation (#26869 by @br41nslug)
  • Fixed AI assistant Fields tool call inconsistency (#26819 by @powerseed)
  • Added support for disabling OpenAPI output using OPENAPI_ENABLED (#26868 by @br41nslug)
  • Bumped underscore, tar, lodash, dompurify dependencies (#26860 by @br41nslug)
  • Fixed deleteMany returning unexpected error for non-admin with empty array (#26759 by @ComfortablyCoding)
• @directus/env
  • Added support for disabling OpenAPI output using OPENAPI_ENABLED (#26868 by @br41nslug)

📦 Published Versions

• @directus/app@15.5.1
• @directus/api@34.0.1
• @directus/ai@1.3.0
• @directus/composables@11.2.15
• create-directus-extension@11.0.31
• @directus/env@5.6.1
• @directus/extensions@3.0.21
• @directus/extensions-registry@3.0.21
• @directus/extensions-sdk@17.0.11
• @directus/memory@3.1.4
• @directus/pressure@3.0.19
• @directus/schema-builder@0.0.16
• @directus/storage-driver-azure@12.0.19
• @directus/storage-driver-cloudinary@12.0.19
• @directus/storage-driver-gcs@12.0.19
• @directus/storage-driver-s3@12.1.5
• @directus/storage-driver-supabase@3.0.19
• @directus/system-data@4.3.0
• @directus/themes@1.2.6
• @directus/types@14.3.1
• @directus/utils@13.3.1
• @directus/validation@2.0.19

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

⚠️ ATTN: this release fixes a vulnerability

GHSA-m6hv-x64c-27mm the nohtml volflag did not prevent javascript inside SVG images from executing -- a malicious user with write-access could upload an SVG file which would execute as javascript when someone opens it 1c9f894

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

• version-checker (thx @icxes!) c6965f0
  • default-disabled; you must choose a URL to grab security advisories from to enable it
  • periodically checks the security advisories and shows a warning in the controlpanel if you're running a vulnerable version
  • can optionally panic and shutdown the server if you prefer that
  • man, the timing on this though... absolute cinema

🩹 bugfixes

• fix nohtml not being aware that SVG images can execute javascript 1c9f894
  • a new volflag noscript was also added; nohtml will automatically enable noscript, but noscript can also be useful on its own; see readme
• various upload rules fixes:
  • #1335 rotf couldn't handle trailing slash (thx @NecRaul!) 8e20506
  • #1337 rotn didn't always count correctly (thx @NecRaul!) 23d4a62
  • rotn didn't apply to dupes 00e821d
• combining rp-loc and site was a bit jank (thx @new-sashok724!) 31b2384
• global-option idp-store: 2 would result in excessive config reloading 1272de9
• fix fd-leak when indexing certain compressed files, including epub books 8b5ac23
• forget-ip: fix sqlite cursor-locking 37123e3

🔧 other changes

• #1316 Chinese translation got a huge makeover (thx @satgo1546 and @lxdlam!) b015274
• #1324 better rclone advice on the connect-page 8941701
• static website resources, previously served from /.cpr/ have moved to /.cpr/w/ for easier configuration of allowlists in reverseproxies and authentication middlewares 753ff54

🌠 fun facts

• according to the SVG spec, images being able to execute javascript is a feature and intentional behavior... what a concept!

⚠️ not the latest version!

Part-DB 2.9.0

New feautures

• Sidebar trees keep track of page navigations. If you open a certain category, the treenode will be hightlighted
• Show a "Show password" toggle on all password inputs, including login form
• Made form fields wider on large monitors, to remove useless whitespace
• Reset opcache after update manager update (thanks @Sebbeben, PR #1288)
• Allow to create manual backups and download them from the WebUI (thanks @Sebbeben, PR #1255)
• Added user_barcode_filter to API (thanks @MayNiklas, PR #1280)
• Show manufacturing status in project BOM table (thanks @mkne, #1289)
• Create a part lot with quantity, user barcode and order number based on digikey, lcsc or mouser barcode, to reduce amount of manual input

Bug fixes

• Do not scroll sidebar to top, when clicking a tree node
• Fixed description field on KiCAD 9.0.5 and 9.0.6 (#1289)
• Generate correct url for part lots barcode content label placeholders (#1268)
• Correctly import files, where only children elements are specified and no parent field (#1272)
• Clear the input after selecting an option in tomselect (#1264)

Miscellaneous

• Updated dependencies

Full Changelog: v2.8.1...v2.9.0

Part-DB 2.8.1

Bug fixes

• Security hardening for some endpoints
• Fixed minor unauthorized information leackage in IPN generation endpoint (#1283)
• Fixed problem with creating digikey parts from barcode when it contained a CREF (#1283)
• Use cache:pool:clear --all for more thorough cache clearing in update process
• Moved settings cache to cache.system adapter, to ensure its cleared on cache:clear (prevents #1279)
• Fixed problem that flash messages were not shown in admin pages

Miscellaneous

• Updated dependencies
• Updated kicad library files

Full Changelog: v2.8.0...v2.8.1

⚠️ Potential Breaking Changes

Added support for a global draft version that is automatically available for all items when versioning is enabled (#26772)
Backward Compatibility: If you have an existing version with the key draft and a custom name other than “Draft”, the display name will be standardized to “Draft” (i.e. transformed) to support the new global versioning feature. The version content and functionality remain unchanged.

Added field permission and version access checks to Visual Editor (#26772)
The field access checks require an update of the @directus/visual-editing library to v2.0.0.

Fixed password reset sending emails to external auth provider users (#26627)
requestPasswordReset now throws a Forbidden error for external auth provider users.

✨ New Features & Improvements

• @directus/app
  • Added support for a global draft version that is automatically available for all items when versioning is enabled (#26772 by @formfcw)
  • Persisted table column widths to localStorage (#26767 by @HZooly)
  • Implemented RBAC for deployment module (#26683 by @gaetansenn)
  • Added field permission and version access checks to Visual Editor (#26772 by @formfcw)
  • Added image and PDF upload support to Directus AI Assistant with a provider adapter pattern for 3 major providers (#26722 by @bryantgillespie)
    (OpenAI, Anthropic, Gemini).
  • Added version support for visual editing in live preview (#26772 by @formfcw)
  • Supported provider webhooks for deployment real-time updates (#26683 by @gaetansenn)
  • Added version support to Visual Editor (#26772 by @formfcw)
• @directus/api
  • Implemented RBAC for deployment module (#26683 by @gaetansenn)
  • Added lower_case_table_names support for mysql (#26736 by @licitdev)
  • Added image and PDF upload support to Directus AI Assistant with a provider adapter pattern for 3 major providers (#26722 by @bryantgillespie)
    (OpenAI, Anthropic, Gemini).
  • Supported provider webhooks for deployment real-time updates (#26683 by @gaetansenn)
  • Added JSON field selection support (#26500 by @br41nslug)
• @directus/system-data
  • Implemented RBAC for deployment module (#26683 by @gaetansenn)
  • Supported provider webhooks for deployment real-time updates (#26683 by @gaetansenn)
  • Added version support to Visual Editor (#26772 by @formfcw)
• @directus/types
  • Implemented RBAC for deployment module (#26683 by @gaetansenn)
  • Supported provider webhooks for deployment real-time updates (#26683 by @gaetansenn)
• @directus/sdk
  • Implemented RBAC for deployment module (#26683 by @gaetansenn)
  • Supported provider webhooks for deployment real-time updates (#26683 by @gaetansenn)
• @directus/ai
  • Added image and PDF upload support to Directus AI Assistant with a provider adapter pattern for 3 major providers (#26722 by @bryantgillespie)
    (OpenAI, Anthropic, Gemini).
• @directus/utils
  • Added image and PDF upload support to Directus AI Assistant with a provider adapter pattern for 3 major providers (#26722 by @bryantgillespie)
    (OpenAI, Anthropic, Gemini).
  • Added JSON field selection support (#26500 by @br41nslug)
• @directus/constants
  • Added JSON field selection support (#26500 by @br41nslug)
• @directus/env
  • Added JSON field selection support (#26500 by @br41nslug)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed v-select group click handler to respect item-level selectable property (#26650 by @alvarosabu)
  • Fixed license modal is not responsive on mobile screens (#26758 by @powerseed)
  • Fixed unsaved changes dialog showing collaborative variant when not in a collaborative session (#26713 by @formfcw)
  • Updated vue-split-panel dependency (#26709 by @HZooly)
  • Fixed datetime picker not closing after selecting a date (#26719 by @alvarosabu)
  • Added some missing translation keys for directus_settings and directus_roles. (#26744 by @powerseed)
  • Upgraded reka-ui to 2.8.2 for timefield two-digit hour fix (#26724 by @alvarosabu)
  • Fixed password reset sending emails to external auth provider users (#26627 by @dstockton)
  • Enabled “Navigate to Item” button for non-editable relational fields (#26711 by @HZooly)
  • Fixed auto-refresh on mobile by preserving sidebar state via Teleport (#26731 by @HZooly)
  • Fixed an issue where duplicated fields kept validation rules referencing the original field name. (#26602 by @vizzv)
  • Fixed drawer not scrolling to top when validation errors occur (#26741 by @robluton)
  • Fixed reset confirm state after flow error (#26803 by @HZooly)
  • Fixed performance degradation when editing forms with large GeoJSON geometry fields by using selective shallow cloning for geometry values. (#26560 by @alvarosabu)
  • Fixed extra tab stop in AI assistant header caused by a focusable VIcon inside VButton. (#26796 by @Mugesh13102001)
  • Guarded nav-bar and sidebar size stores against non-finite values (#26695 by @HZooly)
  • Added lower_case_table_names support for mysql (#26736 by @licitdev)
  • Fixed batch editing translations creating duplicate junction rows (#26597 by @HZooly)
  • Fixed block editor deleting blocks on save-and-stay (#26808 by @formfcw)
  • Fixed MIME type restriction for URL uploads and ensure file/s interfaces respect restricted URL uploads (#26691 by @AlexGaillard)
  • Fixed decimal and bigInteger display formatting (#26637 by @HZooly)
  • Add MIME type restriction option to select file/s interfaces (#26647 by @AlexGaillard)
  • Migrated large field selection requests to use the SDK (#26605 by @ComfortablyCoding)
  • Fixed tags interface not resolving variable strings in raw editor mode (#26739 by @HZooly)
  • Fixed Header interface spacing issue (#26786 by @LZylstra)
  • Fixed insightsStore.saveChanges to send requests only when the corresponding action array is non-empty (#26753 by @deepDiverPaul)
  • Constrained display template images in header bar to text line-height (#26680 by @HZooly)
  • Added Ask User Tool to AI Assistant (#26633 by @bryantgillespie)
• @directus/api
  • Fixed MIME type restriction for URL uploads and ensure file/s interfaces respect restricted URL uploads (#26691 by @AlexGaillard)
  • Fixed filter rule type mismatch causing database error instead of returning INVALID_QUERY (#26629 by @dstockton)
  • Fixed IPTC metadata key casing in getMetadata so that description, title, and tags are correctly populated from IPTC data. (#26672 by @danielbuechele)
  • Replaced ip-matching dependency with node blocklist (#26806 by @br41nslug)
  • Fixed AI tool schema to not allow null for trigger and accountability fields in flow input validation. (#26763 by @rijkvanzanten)
  • Returned 500 Internal server error for permanent filesystem write failures instead of 503 service unavailable (#26761 by @aryanrichhariya1234-lang)
  • Bumped axios, rollup, basic-ftp, fast-xml-parser, serialize-javascript,nodemailer, vite, tar, minimatch, qs, undici, (#26787 by @br41nslug)
    axios-cache-interceptor dependencies
  • Add auth audit hook for tracking login attempts (#26702 by @AlexGaillard)
  • Fixed GraphQL groupBy with function field (#26706 by @ComfortablyCoding)
  • Prevented encrypted field decryption failures from crashing settings reads when the SECRET has changed. Fields that can't be decrypted now return null and log a warning instead of throwing. (#26764 by @bryantgillespie)
• @directus/specs

  • Fixed password reset sending emails to external auth provider users (#26627 by @dstockton)

    :::notice
    requestPasswordReset now throws a Forbidden error for external auth provider users.
    :::

• @directus/env
  • Increased the default QUERYSTRING_ARRAY_LIMIT from 100 to 500 (#26737 by @AlexGaillard)
• @directus/utils
  • Replaced ip-matching dependency with node blocklist (#26806 by @br41nslug)
• @directus/sdk
  • Updated ReadProviderOutput type to include the label field (#26645 by @kheiner)

📦 Published Versions

• @directus/app@15.5.0
• @directus/api@34.0.0
• @directus/ai@1.2.0
• @directus/composables@11.2.14
• @directus/constants@14.2.0
• create-directus-extension@11.0.30
• @directus/env@5.6.0
• @directus/extensions@3.0.20
• @directus/extensions-registry@3.0.20
• @directus/extensions-sdk@17.0.10
• @directus/memory@3.1.3
• @directus/pressure@3.0.18
• @directus/schema-builder@0.0.15
• @directus/specs@12.0.1
• @directus/storage-driver-azure@12.0.18
• @directus/storage-driver-cloudinary@12.0.18
• @directus/storage-driver-gcs@12.0.18
• @directus/storage-driver-s3@12.1.4
• @directus/storage-driver-supabase@3.0.18
• @directus/system-data@4.2.0
• @directus/themes@1.2.5
• @directus/types@14.3.0
• @directus/utils@13.3.0
• @directus/validation@2.0.18
• @directus/sdk@21.2.0

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Part-DB 2.8.0

New features

• Allow to add parts from barcode scans of LCSC, digikey and other vendor labels (thanks @swdee)
• Allow to scan LCSC labels
• Added Amazon info provider via Canopy API
• Added an optional HTML sandbox for attachments, allowing to view interactive BOM HTML files inside Part-DB (#1150)
• Add option to disable special character keybindings (#1251, thanks @MayNiklas)
• Improve working with an external barcode scanner, allow scanning barcodes from everywhere
• Make KiCad API better cachable (#1241, thanks @Sebbeben)
• Make parameters and order informations visible in KiCad (#1241, thanks @Sebbeben)
• Show EDA value and reference in part tables (#1266, thanks @hrueger)

Miscellaneous

• Updated dependencies
• Updated translations
• Updated KiCad library autocomplete lists
• Security hardening of attachments

New Contributors

• @hrueger made their first contribution in #1266

Full Changelog: v2.7.1...v2.8.0

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed content filtering removing link target attribute, which would impact "New Window" links. (#6034)
• Fixed content filtering to not remove user references in comments.
• Updated PHP package versions.

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-02-25)

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🩹 bugfixes

• #1311 fix login (broke in v1.20.9) ecdfd2d

🔧 other changes

• warn that config-reload doesn't do global-options a29037a

🌠 fun facts

• rushing out a cve-fix in the wee hours of the morning before the 9-5 is a great idea that never goes wrong
  • 10/10 will probably do again

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-02-25)

⚠️ ATTN: this release fixes an XSS vulnerability

GHSA-62cr-6wp5-q43h could let an attacker execute arbitrary JS by tricking you into clicking a malicious link 31b2801

known issue: login broken, fix roughly 8pm UTC tonight

🔧 other changes

• webdav: dav-port can be used as an alternative to daw d21242f

⚠️ not the latest version!

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• #1298 add Hungarian translation (thx @sonacl!) eefb181 f37c3b9
• #1299 chown now accepts 4-digit values (thx @new-sashok724!) 5a7504f

🩹 bugfixes

• audioplayer skip-silence:
  • #1303 clamp ffwd to safe values (thx @icxes!) f5e70c7
  • fix crash on folderchange f1a433a

🔧 other changes

• due to legal reasons, the docker-images and bootable flashdrive are now unable to create thumbnails of HEVC/h265 videos and heif/heic images 1bec91d
  • this primarily means photos/videos taken with iphones (and maybe some samsung phones)
  • on the bright side, this has made the docker-images much smaller; ac is now half the size it used to be, and iv / dj are each 97 MiB smaller

🌠 fun facts

• if you wanna see your car doing its best impression of a frictionless spherical cow, I can warmly (heh) recommend the icy snowcoated countryroads of viken this weekend
  • goes oddly well with sakuraburst - deconstructing nature

⚠️ not the latest version!

What's Changed

• Add outbound heartbeat monitoring to external services by @amirhmoradi in #1729
• Add experimental GPU monitoring for Apple Silicon by @raccettura. (#1747, #1746, docs)
• Add nvtop integration for GPU monitoring. (#1508)
• Add GPU_COLLECTOR environment variable to manually specify the GPU collector(s).
• SMART: add eMMC health via sysfs by @VACInc in #1736
• Add DISABLE_SSH environment variable to disable SSH agent functionality. (#1061)
• Add fingerprint command to the agent. (#1726)
• Include GTT memory in AMD GPU metrics and improve device name lookup. (#1569)
• Improve multiplexed logs detection for Podman. (#1755)
• Harden against Docker API path traversal.
• Fix issue where the agent could report incorrect root disk I/O when running in Docker. (#1737)
• Show system uptime in the system table by @svenvg93 in #1719
• Retry Docker check on non-200 HTTP response by @ElioDiNino in #1754
• Allow precise value entry for alerts via text input by @svenvg93 in #1718
• Add version flag to agent by @svenvg93 in #1639
• Fix race issue with meter threshold colors.
• Add InstallMethod parameter to Windows install script.
• Update Go version and dependencies.

New Contributors

• @VACInc made their first contribution in #1736
• @amirhmoradi made their first contribution in #1729
• @ElioDiNino made their first contribution in #1754
• @raccettura made their first contribution in #1747

Full Changelog: v0.18.3...v0.18.4

This release specifically addresses a scenario, introduced in v25.12.4, where loading the editor of a page, last updated/created by a different user with blank content, would result in an error.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated page document handling to handle empty content instead of throwing an error. (#6026)

This release specifically addresses issues introduced in v25.12.4, where drawings could become non-editable in certain scenarios due to content filtering rules.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated content filter to allow required drawio diagram attributes. (#6026)

This release specifically addresses folder permission issues (often showing as an error when attempting to access content) which could occur from changes introduced in v25.12.4.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated filter caching folder handling to avoid server filesystem permission issues. (#6023)

✨ New Features & Improvements

• @directus/app
  • Added collaboration state (is viewing, is editing) and minor design updates (#26574 by @alvarosabu)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed translation interface being disabled when delete permission not allowed (#26669 by @AlexGaillard)
  • Fixed item comparison failing when special characters are present in manual primary keys (#26668 by @AlexGaillard)
  • Fixed non-editable state for relational fields with custom permissions (#26676 by @HZooly)
  • Added restriction of allowed MIME types to the system file upload interface (#26646 by @AlexGaillard)
• @directus/api
  • Added restriction of allowed MIME types to the system file upload interface (#26646 by @AlexGaillard)

📦 Published Versions

• @directus/app@15.4.0
• @directus/api@33.3.1

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.4 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to SeongYun Moon (@Moonster8282 on GitHub) for their responsible discovery and reporting of this issue.

Additional Update Notices

• Page Content - As of this release, extra layers of filtering have been applied to page content. While we have tried to ensure this has minimal impact on content, it's possible this will lead to extra elements being filtered.
• Option Change - The ALLOW_CONTENT_SCRIPTS env option is now considered deprecated. It's advised to use the APP_CONTENT_FILTERING option, as documented here, instead if needed.

If you experience issues with your page content being over-filtered feel free to raise an issue on GitHub where we can check if the behaviour is intentional or something which needs to be patched.

You can use the new page content filtering option, with a value of jhf which should match the prior version filtering, but this will remove a layer of content filtering security so is not recommend.

Full List of Changes

• Added new option for more granular page filter control.
• Updated page content filtering to detect extra cases, and to apply a more aggressive allow-list style filter.
• Updated application PHP dependencies.

Part-DB 2.7.1

Bug fixes

• Fixed problem that stocktake date of part lot was required when editing part (#1250)
• Fixed problem that part tables had wrong sorting on initial loading
• Fixed german translations related to update manager
• Fixed visual styling of lot table

✨ New Features & Improvements

• @directus/app
  • Added activity logging for explicit user logout (#26638 by @JamesW1)
• @directus/api
  • Added activity logging for explicit user logout (#26638 by @JamesW1)
• @directus/constants
  • Added activity logging for explicit user logout (#26638 by @JamesW1)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed date picker month select offset (#26655 by @HZooly)
  • Fixed issue with opening multiple drawers when editing tree view item (#26656 by @AlexGaillard)
  • Fixed vertical alignment of button fields set to half-width by restoring align-self: baseline in form-field component. (#26653 by @omkarg01)
• @directus/api
  • Fixed GraphQL groupBy collision when a field is named group (#26626 by @dstockton)

📦 Published Versions

• @directus/app@15.3.0
• @directus/api@33.3.0
• @directus/composables@11.2.13
• @directus/constants@14.1.0
• create-directus-extension@11.0.29
• @directus/env@5.5.3
• @directus/extensions@3.0.19
• @directus/extensions-registry@3.0.19
• @directus/extensions-sdk@17.0.9
• @directus/memory@3.1.2
• @directus/pressure@3.0.17
• @directus/schema-builder@0.0.14
• @directus/storage-driver-azure@12.0.17
• @directus/storage-driver-cloudinary@12.0.17
• @directus/storage-driver-gcs@12.0.17
• @directus/storage-driver-s3@12.1.3
• @directus/storage-driver-supabase@3.0.17
• @directus/themes@1.2.4
• @directus/types@14.2.1
• @directus/utils@13.2.2
• @directus/validation@2.0.17

Part-DB 2.7.0

New features

• Allow to set GTIN / EAN numbers for parts
• Some info providers allow to provide GTIN infos
• Allow to mark if supplier prices contain VAT or not. This is especially useful in combination with info providers
• Allow to restrict on which element types attachment types can be applied. For example the "Avatars" attachmen type can only be shown on user attachments
• Added ability to stocktake part lots from info page. This easily allows for setting a specific amount, instead of just adding/removing from an database value. The stocktake date is stored, to give a hint on how reliable the amount left is.
• Delegate part retrieval to buerklin info provider when an buerklin URL is given (@mkne, PR #1235)
• Added API endpoint for label generation (@MayNiklas, PR #1234)
• Added functions to twig labels to retrieve associated parts. This allows to print all parts contained in a storage location (#1239)

Improvements

• Performance optimizations for parts tables
• Autofocus fields for easier workflow (@d-buchmann, PR #1240)
• Allow more functions and filters in twig labels

Bug fixes

• Fixed issue when parts contained % in name (@d-buchmann, PR #1238)
• Do not show a 500 error, if twig labels contains invalid code
• Fixed german translations

Docker

• Removed nodejs from docker images as it is only needed for frontend building. This makes images ~ 25% smaller
• Optimized docker image build flow

Miscellaneous

• Updated dependencies
• Updated GNU Unifont to 17.0.3

Full Changelog: v2.6.0...v2.7.0

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

• now possible to upload/delete files while the filesystem-indexer is still busy d44ea24 0ca4c1b
  • global-option fika decides which actions to allow while still indexing; default is upload+copy+delete
  • full deduplication is only guaranteed if this option is set blank, as dupes are allowed while indexing
• #1266 browsers can request thumbnails as jxl images, and view jxl files in the gallery (thx @intelfx!) b2711e0 720c83b 93ffc65 a65a30b a7a25de 59de5e2 16403d8 48c1017 0e8913c
  • only works in browsers which support jxl, which is FINALLY happening (sure took a while)
  • some notes on memory/RAM usage though -- it is fine on Alpine Linux, so docker is also fine, just don't enable mimalloc
    • jxl can be disabled with global-option th-no-jxl if necessary on baremetal deployments until libvips fixes this
• #1265 audioplayer can "skip silence" now (thx @icxes!) 6694998
• #1287 opensearch support for opds (thx @philips!) 84e687a
• #1276 option rw-edit is the list of file-extensions that can be edited as textfiles with only permissions read+write (default is md like before); all other files still require read+write+delete 312f48e d692838
• #1288 option to customize the links copied when selecting files and pressing ctrl-c (thx @icxes!) e5d0a05
• docker: add env-var DI_PREPARTY to run an arbitrary script during startup, for customizations and such bf01ca4

🩹 bugfixes

• #1279 the textfile-viewer would refuse to load huge documents when hotlinked f02e9cf
• #1280 the custom rightclick-menu was enabled in the textfile viewer fc8a4b8
• #1262 logtail now works on windows; would previously take an exclusive-lock on the monitored file, as windows does by default a368fc6

🔧 other changes

• volumes are hidden from the treeview if the name starts with a dot 76041fd
• #1277 descript.ion files no longer require the e2d and e2t options to be enabled 4cb4e82
• chunked PUT-uploads are now terminated if they exceed a configured size limit dfadb5a
• #1282 improved compatibility with GraalPy (thx @vgskye!) e8609b8
• #1292 #1296 updated Esperanto translation (thx @slashdevslashurandom!) 418bf2f 914f84c
• thumbnails: use libvips as fallback for rawpy 27ae2e1
  • libvips doesn't support .arw files (sony) yet, so still need rawpy
• make server config slightly easier:
  • improve xff warnings 96aeb89
  • warn if config-values are quoted 598df44
  • lowercase headernames in configs fd09638

🌠 fun facts

• the fika option sends the filesystem-indexer on a coffee break
• exci wants me to mention aoi yuuki here for some reason :^) so here's gekisou gungnir

⚠️ not the latest version!