UpSnap is, and always will be, free and open source software.
If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.
The official and only trusted source for UpSnap is this repository (and its linked releases).
Do not pay third parties for something that is provided here for free.
Changelog
Bug fixes
105ae4f: fix: static page reload fails, use search param device id, close #1711 (@seriousm4x)
This is a security release to address a vulnerability where page content, which should be hidden by permissions, could be visible during certain markdown exports.
We strongly advise that you update your instance if you use permissions to control page visibility.
Thanks to Ghufran Raza Khan (GitHub Profile, LinkedIn Profile) for responsibly reporting this issue.
Thanks also to Alex Dan (GitHub Profile) for reporting this before public announcement.
Full List of Changes
Updated queries used for pages in markdown exports.
If you like Part-DB, consider donating to support the development. Press the sponsor button on the main GitHub page for more info.
Important
If you are using Part-DB it would be helpful if you fill out this short survey on your usage of Part-DB (Google Forms): https://forms.gle/Q15twx3YYq3qCNfe8
Improvements
Removed MPN fallback from LCSC barcode scanner, the SPN field is used instead for part matching (#1302)
Automatically detect the delimiter on generic CSV BOM imports
Fixed problem of GenericWeb info provider when used behind traefik (#1296)
Fixed 500 error, when mapping in generic CSV BOM import fails (#1298)
Fixed 500 error when displaying part prices, when a user has a currency preference different from the base currency and no conversion rate is known for it (#1317)
Email/SMTP - The way BookStack sends messages has changed slightly (Specifically, the SMTP HELO domain). This isn't expected to be a breaking change but testing of emails (Using the test send action in Settings > Maintenance) is advised after updating to be sure there's no impact.
Theme System - Within a theme directory, the modules/ folder is now dedicated to theme modules. If you happened to already have a folder of this name in your theme, it's advised to use a different folder name instead.
Full List of Changes
Released in v26.03
Added new module system to the theme system. (#5998)
Added logical theme events for page content render and pre-save. (#6049)
Added logical theme event and class to allow inserting custom views before/after others. (#5998)
Added logical theme event to allow customising the OIDC authentication URL. (#6014)
Updated book delete to return to the parent shelf in a shelf context. (#6029)
Updated book read API endpoint to provide parent shelf information. (#6006)
Updated cursor to pointer for drawio diagrams. Thanks to @lublak. (#5864)
Updated description for per-page display limits. (#6005)
Updated emails to use the domain from the APP_URL in the SMTP HELO. (#5990)
Updated translations with latest Crowdin changes. (#6007)
Fixed empty extra space showing for descriptions when the input is left empty. (#5724)
This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area in some revision views, opening up risk of potential phishing and/or tracking by bad page editors.
We advise that you update your instance if you allow untrusted users to create or edit pages.
Thanks to Alex Dan (@windbreaker555 on GitHub) for their responsible discovery and reporting of this issue.
Full List of Changes
Updated page revision diffs to use content filtering.
Updated preference change redirect with stronger origin checks.
there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)
⚠️ ATTN: this release fixes an ftp/sftp issue with shares
GHSA-67rw-2x62-mqqm: when a share is created for just one or more files inside a folder, it was possible to use FTP or SFTP to access the other files inside that folder by guessing the filenames
so ignore this issue if you did not enable ftp or sftp in the server config
it was not possible to descend into subdirectories in this manner; only the sibling files were accessible
NOTE: this does NOT affect filekeys; this is specifically regarding the shr global-option
password-protected shares were not affected through SFTP, only FTP
this release also fixes GHSA-rcp6-88mm-9vgf but that one is nothing to worry about
⚠️ ATTN: this release fixes a vulnerability
GHSA-m6hv-x64c-27mm: the nohtml volflag did not prevent javascript inside SVG images from executing -- a malicious user with write-access could upload an SVG file which would execute as javascript when someone opens it 1c9f894
#1324 better rclone advice on the connect-page 8941701
static website resources, previously served from /.cpr/ have moved to /.cpr/w/ for easier configuration of allowlists in reverseproxies and authentication middlewares 753ff54
🌠 fun facts
according to the SVG spec, images being able to execute javascript is a feature and intentional behavior... what a concept!
After upgrading, you need to run php bin/console doctrine:migrations:migrate (or equivalent) as the webserver user. If you are running a docker container, use sudo docker exec --user=www-data partdb php bin/console doctrine:migrations:migrate, or sudo -E inside the docker container, to ensure that the migrations are applied to the correct database.
New features
Sidebar trees keep track of page navigation. If you open a certain category, its tree node will be highlighted
Show a "Show password" toggle on all password inputs, including login form
Made form fields wider on large monitors, to remove useless whitespace
Reset opcache after update manager update (thanks @Sebbeben, PR #1288)
Allow to create manual backups and download them from the WebUI (thanks @Sebbeben, PR #1255)
Added user_barcode_filter to API (thanks @MayNiklas, PR #1280)
Show manufacturing status in project BOM table (thanks @mkne, #1289)
Create a part lot with quantity, user barcode and order number based on digikey, lcsc or mouser barcode, to reduce amount of manual input
Bug fixes
Do not scroll sidebar to top, when clicking a tree node
Fixed description field on KiCAD 9.0.5 and 9.0.6 (#1289)
Generate correct url for part lots barcode content label placeholders (#1268)
Correctly import files, where only children elements are specified and no parent field (#1272)
Clear the input after selecting an option in tomselect (#1264)
Bug fixes
Security hardening for some endpoints
Fixed minor unauthorized information leakage in IPN generation endpoint (#1283)
Fixed problem with creating digikey parts from barcode when it contained a CREF (#1283)
Use cache:pool:clear --all for more thorough cache clearing in update process
Moved settings cache to cache.system adapter, to ensure it's cleared on cache:clear (prevents #1279)
Fixed problem that flash messages were not shown in admin pages
Added support for a global draft version that is automatically available for all items when versioning is enabled (#26772)
Backward Compatibility: If you have an existing version with the key draft and a custom name other than “Draft”, the display name will be standardized to “Draft” (i.e. transformed) to support the new global versioning feature. The version content and functionality remain unchanged.
Added field permission and version access checks to Visual Editor (#26772)
The field access checks require an update of the @directus/visual-editing library to v2.0.0.
Fixed password reset sending emails to external auth provider users (#26627). requestPasswordReset now throws a Forbidden error for external auth provider users.
✨ New Features & Improvements
@directus/app
Added support for a global draft version that is automatically available for all items when versioning is enabled (#26772 by @formfcw)
Persisted table column widths to localStorage (#26767 by @HZooly)
Added field permission and version access checks to Visual Editor (#26772 by @formfcw)
Added image and PDF upload support to Directus AI Assistant with a provider adapter pattern for 3 major providers (OpenAI, Anthropic, Gemini) (#26722 by @bryantgillespie)
Added version support for visual editing in live preview (#26772 by @formfcw)
Supported provider webhooks for deployment real-time updates (#26683 by @gaetansenn)
Added version support to Visual Editor (#26772 by @formfcw)
Added lower_case_table_names support for mysql (#26736 by @licitdev)
Added image and PDF upload support to Directus AI Assistant with a provider adapter pattern for 3 major providers (OpenAI, Anthropic, Gemini) (#26722 by @bryantgillespie)
Supported provider webhooks for deployment real-time updates (#26683 by @gaetansenn)
@directus/ai
Added image and PDF upload support to Directus AI Assistant with a provider adapter pattern for 3 major providers (OpenAI, Anthropic, Gemini) (#26722 by @bryantgillespie)
@directus/utils
Added image and PDF upload support to Directus AI Assistant with a provider adapter pattern for 3 major providers (OpenAI, Anthropic, Gemini) (#26722 by @bryantgillespie)
Fixed v-select group click handler to respect item-level selectable property (#26650 by @alvarosabu)
Fixed license modal is not responsive on mobile screens (#26758 by @powerseed)
Fixed unsaved changes dialog showing collaborative variant when not in a collaborative session (#26713 by @formfcw)
Updated vue-split-panel dependency (#26709 by @HZooly)
Fixed datetime picker not closing after selecting a date (#26719 by @alvarosabu)
Added some missing translation keys for directus_settings and directus_roles. (#26744 by @powerseed)
Upgraded reka-ui to 2.8.2 for timefield two-digit hour fix (#26724 by @alvarosabu)
Fixed password reset sending emails to external auth provider users (#26627 by @dstockton)
Enabled “Navigate to Item” button for non-editable relational fields (#26711 by @HZooly)
Fixed auto-refresh on mobile by preserving sidebar state via Teleport (#26731 by @HZooly)
Fixed an issue where duplicated fields kept validation rules referencing the original field name. (#26602 by @vizzv)
Fixed drawer not scrolling to top when validation errors occur (#26741 by @robluton)
Fixed reset confirm state after flow error (#26803 by @HZooly)
Fixed performance degradation when editing forms with large GeoJSON geometry fields by using selective shallow cloning for geometry values. (#26560 by @alvarosabu)
Fixed extra tab stop in AI assistant header caused by a focusable VIcon inside VButton. (#26796 by @Mugesh13102001)
Guarded nav-bar and sidebar size stores against non-finite values (#26695 by @HZooly)
Added lower_case_table_names support for mysql (#26736 by @licitdev)
Prevented encrypted field decryption failures from crashing settings reads when the SECRET has changed. Fields that can't be decrypted now return null and log a warning instead of throwing. (#26764 by @bryantgillespie)
@directus/specs
Fixed password reset sending emails to external auth provider users (#26627 by @dstockton)
Notice: requestPasswordReset now throws a Forbidden error for external auth provider users.
@directus/env
Increased the default QUERYSTRING_ARRAY_LIMIT from 100 to 500 (#26737 by @AlexGaillard)
@directus/utils
Replaced ip-matching dependency with node blocklist (#26806 by @br41nslug)
@directus/sdk
Updated ReadProviderOutput type to include the label field (#26645 by @kheiner)
After upgrading, you need to run php bin/console doctrine:migrations:migrate (or equivalent) as the webserver user. If you are running a docker container, use sudo docker exec --user=www-data partdb php bin/console doctrine:migrations:migrate, or sudo -E inside the docker container, to ensure that the migrations are applied to the correct database.
New features
Allow to add parts from barcode scans of LCSC, digikey and other vendor labels (thanks @swdee)
Allow to scan LCSC labels
Added Amazon info provider via Canopy API
Added an optional HTML sandbox for attachments, allowing to view interactive BOM HTML files inside Part-DB (#1150)
Add option to disable special character keybindings (#1251, thanks @MayNiklas)
Improve working with an external barcode scanner, allow scanning barcodes from everywhere
Make KiCad API more cacheable (#1241, thanks @Sebbeben)
Make parameters and order information visible in KiCad (#1241, thanks @Sebbeben)
Show EDA value and reference in part tables (#1266, thanks @hrueger)
this primarily means photos/videos taken with iphones (and maybe some samsung phones)
on the bright side, this has made the docker-images much smaller; ac is now half the size it used to be, and iv / dj are each 97 MiB smaller
🌠 fun facts
if you wanna see your car doing its best impression of a frictionless spherical cow, I can warmly (heh) recommend the icy snowcoated countryroads of viken this weekend
This release specifically addresses a scenario, introduced in v25.12.4, where loading the editor of a page, last updated/created by a different user with blank content, would result in an error.
This release specifically addresses issues introduced in v25.12.4, where drawings could become non-editable in certain scenarios due to content filtering rules.
This release specifically addresses folder permission issues (often showing as an error when attempting to access content) which could occur from changes introduced in v25.12.4.
This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area, opening up risk of potential phishing and/or tracking by bad page editors.
We advise that you update your instance if you allow untrusted users to create or edit pages.
Thanks to SeongYun Moon (@Moonster8282 on GitHub) for their responsible discovery and reporting of this issue.
Additional Update Notices
Page Content - As of this release, extra layers of filtering have been applied to page content. While we have tried to ensure this has minimal impact on content, it's possible this will lead to extra elements being filtered.
Option Change - The ALLOW_CONTENT_SCRIPTS env option is now considered deprecated. It's advised to use the APP_CONTENT_FILTERING option, as documented here, instead if needed.
If you experience issues with your page content being over-filtered feel free to raise an issue on GitHub where we can check if the behaviour is intentional or something which needs to be patched.
You can use the new page content filtering option with a value of jhf, which should match the prior version's filtering, but this will remove a layer of content filtering security, so it is not recommended.
Full List of Changes
Added new option for more granular page filter control.
Updated page content filtering to detect extra cases, and to apply a more aggressive allow-list style filter.
After upgrading, you need to run php bin/console doctrine:migrations:migrate (or equivalent) as the webserver user. If you are running a docker container, use sudo docker exec --user=www-data partdb php bin/console doctrine:migrations:migrate, or sudo -E inside the docker container, to ensure that the migrations are applied to the correct database.
Bug fixes
Fixed problem that stocktake date of part lot was required when editing part (#1250)
Fixed problem that part tables had wrong sorting on initial loading
Fixed German translations related to update manager
After upgrading, you need to run php bin/console doctrine:migrations:migrate (or equivalent) as the webserver user. If you are running a docker container, use sudo docker exec --user=www-data partdb php bin/console doctrine:migrations:migrate, or sudo -E inside the docker container, to ensure that the migrations are applied to the correct database.
New features
Allow to set GTIN / EAN numbers for parts
Some info providers allow to provide GTIN infos
Allow to mark if supplier prices contain VAT or not. This is especially useful in combination with info providers
Allow to restrict on which element types attachment types can be applied. For example the "Avatars" attachment type can only be shown on user attachments
Added ability to stocktake part lots from info page. This easily allows for setting a specific amount, instead of just adding/removing from a database value. The stocktake date is stored, to give a hint on how reliable the amount left is.
Delegate part retrieval to buerklin info provider when a buerklin URL is given (@mkne, PR #1235)
Added API endpoint for label generation (@MayNiklas, PR #1234)
Added functions to twig labels to retrieve associated parts. This allows to print all parts contained in a storage location (#1239)