5.40.0 (2026-03-18)

🚀 New feature

• add package manager dropdown before version in bug report template (#25679)

🔥 Bug fix

• add maxwidth to documentactions menu (#25664)
• formatErrorMessages array values formatting (#24196)
• admin: alias singleton frontend deps in vite (#25682)
• content-manager: reduce excessive rerendering in components and dynamic zones (#25631)
• content-manager: skip non-draftAndPublish relations in countDraftRelations (#25453)
• i18n: show locale key in disabled select when editing locale (#25124)

📚 Documentation Changes

• fix docs links in README (#25715)

⚙️ Chore

• use https instead of git url in package.repository.url (#25698)
• content-manager: optimize relations handling in EditView component (#25683)
• core: parallelize and cache dynamic zone populate (#25685)

💅 Enhancement

• resolved filter editability on clicking filter tag (#24057)
• core: remove beta on Document API, enforce deprecation on EntityService API (#25744)

❤️ Thank You

• akash-dabhi-qed @akash-dabhi-qed
• Andrea Cappuccio @hood
• Bassel Kanso @Bassel17
• calm @calm329
• Jamie Howard @jhoward1994
• markkaylor
• mathildeleg @mathildeleg
• Nico André
• Nikolas Rimikis @Leptopoda
• Pierre Wizla
• Varun Chawla @veeceey

5.38.1 (2026-03-11)

Superseded on March 11, 2026 by v5.39.0 due to versioning mistake.
Please use v5.39.0.

5.39.0 (2026-03-11)

🚀 New feature

• expand accordion by default when inserting a new component in a document (#24230)
• content-manager: filter list view by publication status (#25510)

🔥 Bug fix

• added shift+tab to blocks editors (#24122)
• single type publish permission error (#24754)
• es translations (#25655)
• typo 'compatability' to 'compatibility' in error messages (#25535)
• content-manager: export ContentManagerPlugin type for plugin dev… (#24149)
• content-manager: reduce excessive rerendering in relation fields (#25623)
• content-manager: reduce rerenders for conditional fields (#25617)
• content-releases: publish in right order to preserve relations (#25551)
• guided-tour: no overlay in dark mode (#25485)
• openapi: correctly merge plugin router prefix with route paths (#25616)
• types: fix document findOne params (#25613)
• upload: add crossOrigin attribute to image preview (#24946)

⚙️ Chore

• upgrade to glob 13 (#25610)
• upgrade better-sqlite3 to 12.6.2 (#25611)
• remove eslint-plugin-rxjs (#25612)
• upgrade koa to 20.8.4 and minimatch to 10.2.4 (#25624)
• eslintignore coverage (#25649)
• stop adding issues to GitHub projects in issues_handleLabel workflow (#25677)
• update package metadata (#25599)
• *: register vitest dependency in Yarn catalog (#25400)
• core/permissions: ensure engine properly merges conditions (#25569)
• deps: bump js-yaml from 3.14.1 to 3.14.2 (#24858)
• deps: bump qs from 6.14.2 to 6.15.0 (#25555)
• deps: bump jws from 3.2.2 to 3.2.3 (#24981)
• deps: bump elliptic from 6.5.7 to 6.6.1 (#24803)
• deps: bump serialize-javascript from 6.0.1 to 6.0.2 (#24841)
• deps: bump mdast-util-to-hast from 13.2.0 to 13.2.1 (#24950)
• deps: bump jws from 3.2.2 to 3.2.3 (#25652)
• deps: bump tar from 7.5.9 to 7.5.10 (#25642)
• deps: bump serialize-javascript from 6.0.1 to 6.0.2 (#25653)

🚨 Security

• upload: improve mimetype detection for uploads (#25177)

❤️ Thank You

• Adrien L
• Akash Santra @Akash504-ai
• akash-dabhi-qed @akash-dabhi-qed
• Ayoub Hidri @ayhid
• Bassel Kanso @Bassel17
• Ben Irvin
• Brandon Aaron @brandonaaron
• Daniel Garcia @dagadevelop
• Gouttfi @Gouttfi
• jeanvier
• markkaylor
• Nico André
• Nikolas Rimikis @Leptopoda
• Owen Rossi-Keen @Smoke3785

5.38.0 (2026-03-04)

🚀 New feature

• content-manager: add relationOpenMode setting (modal/page/newTab) (#25433)
• email-nodemailer: upgrade to Nodemailer v8 with advanced email features and Admin UI capabilities (#25392)
• i18n: add missing french translations (#23093)

🔥 Bug fix

• typo 'recieved' to 'received' across codebase (#25541)
• markdown editor number list is created with wrong numbers (#24631)
• add i18n for boolean cell values (#22314)
• folder subtitles for folders without assets or subfolders (#22694)
• vite and webpack config when linking ds locally (#25530)
• types: add missing typing for proxy.koa config (#25575)

⚙️ Chore

• bump design-system to v2.2.0 (#25584)
• deps: bump rollup from 4.27.4 to 4.59.0 (#25566)
• upload: add import from url (#25496)

❤️ Thank You

• Adrien L
• Altay Akkus
• Ayoub Hidri @ayhid
• Daniel Garcia @dagadevelop
• Grégory Boutte
• Jorrit Schippers
• markkaylor
• mathildeleg @mathildeleg
• Schero D. @Schero94
• Tewson Seeoun @tewson

5.37.1 (2026-02-26)

🔥 Bug fix

• core: preserve component clone integrity in discard-drafts migration

❤️ Thank You

• Bassel Kanso @Bassel17
• Ben Irvin

5.37.0 (2026-02-26)

🔥 Bug fix

• improve subnav on mobile so it works with banner (#25450)
• layout page broken (#25501)
• add design-system to config (#25435)
• radix ui dialog dependency version (#25549)

📚 Documentation Changes

• fix typos in content-releases frontend intro (#25471)

⚙️ Chore

• add bot and contributor detection to community-label workflow (#25497)
  (#25494))
• docs: revise README for AWS S3 provider updates (#25449)

💅 Enhancement

• improve mobile ux of list view (#25366)

🚨 Security

• feature: add strictParam, addQueryParams, addInputParams (#25528)
• deps: upgrade to tar 7.5.9 (#25504)
• deps: upgrade multiple dependencies (#25506)
• deps: bump bn.js from 4.12.0 to 4.12.3 (#25521)
• deps: bump minimatch from 9.0.3 to 10.2.1 ([#25494]

❤️ Thank You

• Adrien L
• Ayoub Hidri @ayhid
• Ben Irvin
• mathildeleg @mathildeleg
• Pierre Wizla
• Simon Norris @cache-your-dreams
• Ziyi @butcherZ

5.36.1 (2026-02-18)

🔥 Bug fix

• handle undefined tours property (#25290)
• core: handle negative and zero min/max validation for number fields (#25409)
• history: improve error handling and batch deletion in cron jobs (#25425)
• migrations: speed up discard-drafts with bulk batches (#25293)
• ts: ignore generated .strapi folder (#25086)
• utils: bump preferred-pm to fix npm workspace detection (#25406)

⚙️ Chore

• add --no-build-admin option to 'strapi develop' command (#25415)
• */vitest: introduce Vitest and vitest-config package (#25286)
• ci: redirect question issues to GitHub Discussions (#25441)
• deps: bump @casl/ability from 6.5.0 to 6.7.5 (#25430)
• deps: bump qs from 6.14.1 to 6.14.2 (#25444)

🚨 Security

• upgrade to tar 7 (#25380)
• update react-router (#25391)
• deps: upgrade axios from v1.12.2 to v1.13.5 (#25427)

❤️ Thank You

• Andrei L @unrevised6419
• Bassel Kanso @Bassel17
• Ben Irvin
• DMehaffy
• Florent Baldino @Baldinof
• Jamie Howard @jhoward1994
• Jonas Thelemann
• Josh Stuible
• Nico André
• SARGUNESH S V @sargunesh25
• Simen @Eventyret

5.36.0 (2026-02-11)

🚀 New feature

• persistent list view settings (#24246)
• strapi/create: type strapi configs (#21859)
• upload-aws-s3: add extended configuration for S3-compatible providers (#25263)

🔥 Bug fix

• responsive drawer for content history (#25344)
• scrolling in sidenav also scroll content (#25379)
• match database package version (#25389)
• content-manager: preserve origin id when cloning, to fetch relations so they are corrected re-populated (#25307)
• preview-config: allow and await for async handler (#25396)
• upload-aws-s3: use baseUrl even if upload location lacks protocol (#23400)

💅 Enhancement

• improve mobile design for edit view forms (#25320)
• create-strapi-app: add --non-interactive mode for CI and scripts (#25373)

🚨 Security

• upgrade apollo to 4.13.0 (#25375)

❤️ Thank You

• Adrien L
• Andrei L @unrevised6419
• Ben Irvin
• Enrique Carpintero
• jayesh70599 @jayesh70599
• Marian Vonsien @mvo-zyres
• mathildeleg @mathildeleg
• Paul Bratslavsky @PaulBratslavsky
• Schero D. @Schero94

5.35.0 (2026-02-04)

🚀 New feature

• upload: add focal point picker for images (#25267)

🔥 Bug fix

• prevent bulk publish modal from closing during API refetch (#24632)
• update ko.json (#23501)
• mobile actions drawer in content manager edit view (#25243)
• upload: prevent asset deletion when clicking cancel on EditAssetDialog (#25318)

⚙️ Chore

• bump yarn 4.5 to 4.12 (#25284)

💅 Enhancement

• improve mobile design for content history forms (#25338)

🚨 Security

• update multiple subdependencies (#25337)

❤️ Thank You

• Adrien L
• Ben Irvin
• Dhruv Maradiya @Dhruv-Maradiya
• jayesh70599 @jayesh70599
• mathildeleg @mathildeleg
• Niceplugin @niceplugin
• Nico André
• Schero D. @Schero94

5.34.0 (2026-01-28)

🚀 New feature

• update german translations for various components (#24143)
• upload: add retroactive ai metadata generation (#25066)

🔥 Bug fix

• add missing labels to IT locale (#25217)
• form elements mobile adjustments (#25202)
• responsive cm header (#25203)
• run orphan removal for the 'related_type' column (#24833)
• adjust padding for cm subnav (#25253)
• admin: format input error message with values (#23932)
• i18n: ai translation losing unsupported fields (#25247)
• menu: render external links as anchors (#25269)

📚 Documentation Changes

• clarify strapi installation instructions in README (#25016)
• CONTRIBUTING: set link to latest version of .commitlintrc.ts (#25224)

⚙️ Chore

• update pinned elliptic (#25206)
• remove unused imports from react and @strapi/design-system (#25222)
• update pinned dependencies express, qs, body-parser (#25209)
• remove in-app marketplace (#24958)
• update lodash to 4.17.23 (#25244)
• deps: bump lodash-es from 4.17.21 to 4.17.23 (#25239)
• upload: setup future flag for media lib redesign work (#25229)
• ‎.github/workflows: bump outdated GitHub Actions versions (#25233)

💅 Enhancement

• responsiveness consistency for subnav (#25107)

🚨 Security

• update pinned mdast-utils (#25227)
• update pinned js-yaml, node-forge, tmp, and more (#25228)

❤️ Thank You

• Adrien L
• Ben Irvin
• Boaz Poolman
• Jair Ortiz @JairOrtizGutierrez
• Jamie Howard @jhoward1994
• Leonid Vinogradov @leon-win
• Lukas Eipert
• markkaylor
• mathildeleg @mathildeleg
• Nidhi Sharma @Nidhisharma4399
• Pádraic Slattery @pgoslatara
• Ziyi @butcherZ

Changelog

Bug fixes

• 95d722b: fix: test udp (@seriousm4x)

Others

• 8d461e0: add note for DEVICE_IP and DEVICE_MAC availability in cmds (#1716) (@invario)
• 49d4109: gh-actions: remove go and npm, will update manually (@seriousm4x)
• 59b1723: send additional 2 magic packets via IP address for routed WOL (#1718) (@invario)

Security Release

• Update Instructions
• Update details on blog

This is a security release to address a vulnerability where the registration form could be manipulated to gain access to additional roles.

Upgrade is very strongly advised if your instance has user registration enabled.

Thanks to Kwonyong Lee (LinkedIn) for responsibly reporting this issue.
Also thanks to Boustani OSAMA (LinkedIn) for also reporting this before public announcement.

Full List of Changes

• Updated user creation to only use validated input from registration.
• Updated PHP package versions.
• Updated translations with latest Crowdin changes. (#6064)
• Updated PHP_CodeSniffer repository link. Thanks to @rodrigoprimo. (#6060)
• Updated WYSIWYG editors to have consistent collapsible block double click behavior. (#6059)

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

• #1351 add .hidden support (thx @NecRaul!) beb634d 134e378
  • cosmetic filter to exclude specific files from directory listings by adding their filenames to a textfile named .hidden similar to many linux desktop file managers
  • the files are still easily available from various APIs; this is not a security feature, just a way to keep things neat and tidy
• #1381 thumbnail pregeneration 7d6b037
  • usually/generally not a good idea; readme explains it
• shares: now possible to grant the . permission to see dotfiles 66f9c95

🩹 bugfixes

• #1372 #1333 no thumbnails if the server OS was too old to have JXL support and the webbrowser was asking for JXL 1afe48b
• #1363 new-version alert would only appear if the visitor had the Admin permission in the webroot specifically; now A in any volume is sufficient 6eb4f0a
• 66f1ef6 should have blocked mkdir too and now it does (thx @restriction!) ac60a1d
• setting the nohtml or noscript volflags on the webroot would break the web-UI eb028c9
• shares: the -ed global-option did not make dotfiles visible in shares 66f9c95
  • the dots volflag still doesn't, but that one is intentional

🔧 other changes

• tried to stop libvips from gobbling up ram while creating jxl thumbnails; didn't really work abdbd69
  • jxl support in libvips is now default-disabled unless the libc is musl and the allocator is mallocng, which means alpine linux
    • in other words, libvips is still fully enabled in the iv and dj docker images if you do not enable mimalloc
  • all other deployments will now have slightly slower jxl thumbnail generation by using ffmpeg instead (it's fine really)
    • new global-option --th-vips-jxl lets you force-enable it if you dare
• volflags nohtml and noscript now available as global-options --no-html and --no-script 5f3b76c
  • and the -ss paranoia option now also enables --no-html --no-readme --no-logues
• --flo 2 now removes colors from logfiles even if -q is not set 8c6d8a3
• update dompurify to 3.3.3 6a9e6da
• docs:
  • #1360 versus.md: more readable headers (thx @eugenesvk!) e71e190
  • #1367 mention --shr-who in the readme (thx @TWhiteShadow!) 4688410

🌠 fun facts

• it is easter soon edc2017

💾 what to download?

• except for u2c.exe, all of the options above are mostly equivalent
• the zip and tar.gz files below are just source code
• python packages are available at PyPI

Changelog

Bug fixes

• 105ae4f: fix: static page reload fails, use search param device id, close #1711 (@seriousm4x)

Others

• b00f3a1: fix build (@seriousm4x)
• 4610b54: pnpm update (@seriousm4x)

Npm dependencies

• 4c03494: npm-dep: bump @inlang/paraglide-js from 2.15.0 to 2.15.1 in /frontend (@dependabot[bot])

Changelog

Bug fixes

• 3caa62b: fix: frontend error when devices share same mac address, close #1702 (@seriousm4x)
• 48a8c73: fix: loop in shutdown code rewritten to work properly (#1695) (@invario)

Others

• 9dac3e9: Add ability for device/network scan when rootless (#1700) (@invario)
• 66e08ad: frontend: use @tailwindcss/vite instead of postcss (@seriousm4x)
• 85b49de: scan: flex-col inputs (@seriousm4x)
• c2bf398: small fixes (@seriousm4x)
• d31a6ef: update deps (@seriousm4x)
• 1d361e3: update ping privileged/unprivileged logic (#1586) (@invario)

Go dependencies

• 20e2520: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• c5613a5: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 288deda: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 457a17c: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 190f87d: go-dep: bump golang.org/x/sys from 0.41.0 to 0.42.0 in /backend (@dependabot[bot])

Npm dependencies

• be94f35: npm-dep: bump @eslint/js from 9.39.2 to 9.39.3 in /frontend (@dependabot[bot])
• 84a362a: npm-dep: bump @eslint/js from 9.39.3 to 9.39.4 in /frontend (@dependabot[bot])
• 9f00286: npm-dep: bump @inlang/cli from 3.1.6 to 3.1.7 in /frontend (@dependabot[bot])
• 91eab52: npm-dep: bump @inlang/paraglide-js from 2.11.0 to 2.12.0 in /frontend (@dependabot[bot])
• 06b4626: npm-dep: bump @inlang/paraglide-js from 2.12.0 to 2.13.0 in /frontend (@dependabot[bot])
• 969ded6: npm-dep: bump @inlang/paraglide-js from 2.13.0 to 2.13.1 in /frontend (@dependabot[bot])
• f794681: npm-dep: bump @inlang/paraglide-js from 2.13.1 to 2.13.2 in /frontend (@dependabot[bot])
• 0acba76: npm-dep: bump @inlang/paraglide-js from 2.13.2 to 2.14.0 in /frontend (@dependabot[bot])
• 5c5b908: npm-dep: bump @inlang/paraglide-js from 2.14.0 to 2.15.0 in /frontend (@dependabot[bot])
• e4ab3c3: npm-dep: bump @sveltejs/kit from 2.51.0 to 2.52.0 in /frontend (@dependabot[bot])
• 0bead88: npm-dep: bump @sveltejs/kit from 2.52.0 to 2.52.2 in /frontend (@dependabot[bot])
• 1e168d4: npm-dep: bump @sveltejs/kit from 2.52.2 to 2.53.0 in /frontend (@dependabot[bot])
• ad36a40: npm-dep: bump @sveltejs/kit from 2.53.0 to 2.53.1 in /frontend (@dependabot[bot])
• ebd3e01: npm-dep: bump @sveltejs/kit from 2.53.1 to 2.53.3 in /frontend (@dependabot[bot])
• c57adf8: npm-dep: bump @sveltejs/kit from 2.53.3 to 2.53.4 in /frontend (@dependabot[bot])
• e09b968: npm-dep: bump @sveltejs/kit from 2.53.4 to 2.54.0 in /frontend (@dependabot[bot])
• b39857b: npm-dep: bump @sveltejs/kit from 2.54.0 to 2.55.0 in /frontend (@dependabot[bot])
• 01dcca3: npm-dep: bump @tailwindcss/postcss from 4.1.18 to 4.2.0 in /frontend (@dependabot[bot])
• 81e252b: npm-dep: bump @tailwindcss/postcss from 4.2.0 to 4.2.1 in /frontend (@dependabot[bot])
• d6604b2: npm-dep: bump @tailwindcss/postcss from 4.2.1 to 4.2.2 in /frontend (@dependabot[bot])
• 835f5b9: npm-dep: bump daisyui from 5.5.18 to 5.5.19 in /frontend (@dependabot[bot])
• a2d6d73: npm-dep: bump eslint from 9.39.2 to 9.39.3 in /frontend (@dependabot[bot])
• 3bf1ba5: npm-dep: bump eslint from 9.39.3 to 9.39.4 in /frontend (@dependabot[bot])
• 29c99ed: npm-dep: bump eslint-plugin-svelte from 3.15.0 to 3.15.1 in /frontend (@dependabot[bot])
• faeed49: npm-dep: bump eslint-plugin-svelte from 3.15.1 to 3.15.2 in /frontend (@dependabot[bot])
• e6d2992: npm-dep: bump postcss from 8.5.6 to 8.5.8 in /frontend (@dependabot[bot])
• cea0136: npm-dep: bump prettier-plugin-svelte from 3.4.1 to 3.5.0 in /frontend (@dependabot[bot])
• b09510f: npm-dep: bump prettier-plugin-svelte from 3.5.0 to 3.5.1 in /frontend (@dependabot[bot])
• 28ef84d: npm-dep: bump svelte from 5.50.3 to 5.51.2 in /frontend (@dependabot[bot])
• 58136f2: npm-dep: bump svelte from 5.51.2 to 5.51.3 in /frontend (@dependabot[bot])
• 0b7c4a6: npm-dep: bump svelte from 5.51.3 to 5.53.0 in /frontend (@dependabot[bot])
• d99d19b: npm-dep: bump svelte from 5.53.0 to 5.53.3 in /frontend (@dependabot[bot])
• 88d333d: npm-dep: bump svelte from 5.53.10 to 5.53.11 in /frontend (@dependabot[bot])
• ed83590: npm-dep: bump svelte from 5.53.11 to 5.53.12 in /frontend (@dependabot[bot])
• 2e69ba9: npm-dep: bump svelte from 5.53.12 to 5.54.0 in /frontend (@dependabot[bot])
• 4f1ec6c: npm-dep: bump svelte from 5.53.3 to 5.53.5 in /frontend (@dependabot[bot])
• d6300e8: npm-dep: bump svelte from 5.53.5 to 5.53.6 in /frontend (@dependabot[bot])
• 07d7bec: npm-dep: bump svelte from 5.53.6 to 5.53.7 in /frontend (@dependabot[bot])
• 78068c1: npm-dep: bump svelte from 5.53.7 to 5.53.9 in /frontend (@dependabot[bot])
• 1273d1b: npm-dep: bump svelte from 5.53.9 to 5.53.10 in /frontend (@dependabot[bot])
• f299c9d: npm-dep: bump svelte-check from 4.3.6 to 4.4.0 in /frontend (@dependabot[bot])
• 6819248: npm-dep: bump svelte-check from 4.4.0 to 4.4.1 in /frontend (@dependabot[bot])
• 2d55e9f: npm-dep: bump svelte-check from 4.4.1 to 4.4.3 in /frontend (@dependabot[bot])
• 13a06a5: npm-dep: bump svelte-check from 4.4.3 to 4.4.4 in /frontend (@dependabot[bot])
• cddad0f: npm-dep: bump svelte-check from 4.4.4 to 4.4.5 in /frontend (@dependabot[bot])
• 745094b: npm-dep: bump tailwindcss from 4.1.18 to 4.2.0 in /frontend (@dependabot[bot])
• db528a9: npm-dep: bump tailwindcss from 4.2.0 to 4.2.1 in /frontend (@dependabot[bot])
• 611c4d2: npm-dep: bump tailwindcss from 4.2.1 to 4.2.2 in /frontend (@dependabot[bot])
• e997211: npm-dep: bump typescript-eslint from 8.55.0 to 8.56.0 in /frontend (@dependabot[bot])
• 7498a69: npm-dep: bump typescript-eslint from 8.56.0 to 8.56.1 in /frontend (@dependabot[bot])
• 0766482: npm-dep: bump typescript-eslint from 8.56.1 to 8.57.0 in /frontend (@dependabot[bot])
• 52f00c4: npm-dep: bump typescript-eslint from 8.57.0 to 8.57.1 in /frontend (@dependabot[bot])

Github Actions

• fb0f9f0: gh-action: bump actions/download-artifact from 7 to 8 (@dependabot[bot])
• 285f8dc: gh-action: bump actions/upload-artifact from 6 to 7 (#1665) (@dependabot[bot])
• 9c0f6e1: gh-action: bump docker/build-push-action from 6 to 7 (#1680) (@dependabot[bot])
• 7f3020d: gh-action: bump docker/login-action from 3 to 4 (@dependabot[bot])
• ca3fb1c: gh-action: bump docker/metadata-action from 5 to 6 (@dependabot[bot])
• 6cf9539: gh-action: bump docker/setup-buildx-action from 3 to 4 (@dependabot[bot])
• 8301cad: gh-action: bump docker/setup-qemu-action from 3 to 4 (@dependabot[bot])
• 0232a43: gh-action: bump goreleaser/goreleaser-action from 6 to 7 (@dependabot[bot])
• 9bed4f4: gh-action: bump pnpm/action-setup from 4 to 5 (@dependabot[bot])

Changelog

Bug fixes

• 3caa62b: fix: frontend error when devices share same mac address, close #1702 (@seriousm4x)
• 48a8c73: fix: loop in shutdown code rewritten to work properly (#1695) (@invario)

Others

• 9dac3e9: Add ability for device/network scan when rootless (#1700) (@invario)
• 66e08ad: frontend: use @tailwindcss/vite instead of postcss (@seriousm4x)
• c2bf398: small fixes (@seriousm4x)
• d31a6ef: update deps (@seriousm4x)
• 1d361e3: update ping privileged/unprivileged logic (#1586) (@invario)

Go dependencies

• 20e2520: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• c5613a5: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 288deda: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 457a17c: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 190f87d: go-dep: bump golang.org/x/sys from 0.41.0 to 0.42.0 in /backend (@dependabot[bot])

Npm dependencies

• be94f35: npm-dep: bump @eslint/js from 9.39.2 to 9.39.3 in /frontend (@dependabot[bot])
• 84a362a: npm-dep: bump @eslint/js from 9.39.3 to 9.39.4 in /frontend (@dependabot[bot])
• 9f00286: npm-dep: bump @inlang/cli from 3.1.6 to 3.1.7 in /frontend (@dependabot[bot])
• 91eab52: npm-dep: bump @inlang/paraglide-js from 2.11.0 to 2.12.0 in /frontend (@dependabot[bot])
• 06b4626: npm-dep: bump @inlang/paraglide-js from 2.12.0 to 2.13.0 in /frontend (@dependabot[bot])
• 969ded6: npm-dep: bump @inlang/paraglide-js from 2.13.0 to 2.13.1 in /frontend (@dependabot[bot])
• f794681: npm-dep: bump @inlang/paraglide-js from 2.13.1 to 2.13.2 in /frontend (@dependabot[bot])
• 0acba76: npm-dep: bump @inlang/paraglide-js from 2.13.2 to 2.14.0 in /frontend (@dependabot[bot])
• 5c5b908: npm-dep: bump @inlang/paraglide-js from 2.14.0 to 2.15.0 in /frontend (@dependabot[bot])
• e4ab3c3: npm-dep: bump @sveltejs/kit from 2.51.0 to 2.52.0 in /frontend (@dependabot[bot])
• 0bead88: npm-dep: bump @sveltejs/kit from 2.52.0 to 2.52.2 in /frontend (@dependabot[bot])
• 1e168d4: npm-dep: bump @sveltejs/kit from 2.52.2 to 2.53.0 in /frontend (@dependabot[bot])
• ad36a40: npm-dep: bump @sveltejs/kit from 2.53.0 to 2.53.1 in /frontend (@dependabot[bot])
• ebd3e01: npm-dep: bump @sveltejs/kit from 2.53.1 to 2.53.3 in /frontend (@dependabot[bot])
• c57adf8: npm-dep: bump @sveltejs/kit from 2.53.3 to 2.53.4 in /frontend (@dependabot[bot])
• e09b968: npm-dep: bump @sveltejs/kit from 2.53.4 to 2.54.0 in /frontend (@dependabot[bot])
• b39857b: npm-dep: bump @sveltejs/kit from 2.54.0 to 2.55.0 in /frontend (@dependabot[bot])
• 01dcca3: npm-dep: bump @tailwindcss/postcss from 4.1.18 to 4.2.0 in /frontend (@dependabot[bot])
• 81e252b: npm-dep: bump @tailwindcss/postcss from 4.2.0 to 4.2.1 in /frontend (@dependabot[bot])
• d6604b2: npm-dep: bump @tailwindcss/postcss from 4.2.1 to 4.2.2 in /frontend (@dependabot[bot])
• 835f5b9: npm-dep: bump daisyui from 5.5.18 to 5.5.19 in /frontend (@dependabot[bot])
• a2d6d73: npm-dep: bump eslint from 9.39.2 to 9.39.3 in /frontend (@dependabot[bot])
• 3bf1ba5: npm-dep: bump eslint from 9.39.3 to 9.39.4 in /frontend (@dependabot[bot])
• 29c99ed: npm-dep: bump eslint-plugin-svelte from 3.15.0 to 3.15.1 in /frontend (@dependabot[bot])
• faeed49: npm-dep: bump eslint-plugin-svelte from 3.15.1 to 3.15.2 in /frontend (@dependabot[bot])
• e6d2992: npm-dep: bump postcss from 8.5.6 to 8.5.8 in /frontend (@dependabot[bot])
• cea0136: npm-dep: bump prettier-plugin-svelte from 3.4.1 to 3.5.0 in /frontend (@dependabot[bot])
• b09510f: npm-dep: bump prettier-plugin-svelte from 3.5.0 to 3.5.1 in /frontend (@dependabot[bot])
• 28ef84d: npm-dep: bump svelte from 5.50.3 to 5.51.2 in /frontend (@dependabot[bot])
• 58136f2: npm-dep: bump svelte from 5.51.2 to 5.51.3 in /frontend (@dependabot[bot])
• 0b7c4a6: npm-dep: bump svelte from 5.51.3 to 5.53.0 in /frontend (@dependabot[bot])
• d99d19b: npm-dep: bump svelte from 5.53.0 to 5.53.3 in /frontend (@dependabot[bot])
• 88d333d: npm-dep: bump svelte from 5.53.10 to 5.53.11 in /frontend (@dependabot[bot])
• ed83590: npm-dep: bump svelte from 5.53.11 to 5.53.12 in /frontend (@dependabot[bot])
• 2e69ba9: npm-dep: bump svelte from 5.53.12 to 5.54.0 in /frontend (@dependabot[bot])
• 4f1ec6c: npm-dep: bump svelte from 5.53.3 to 5.53.5 in /frontend (@dependabot[bot])
• d6300e8: npm-dep: bump svelte from 5.53.5 to 5.53.6 in /frontend (@dependabot[bot])
• 07d7bec: npm-dep: bump svelte from 5.53.6 to 5.53.7 in /frontend (@dependabot[bot])
• 78068c1: npm-dep: bump svelte from 5.53.7 to 5.53.9 in /frontend (@dependabot[bot])
• 1273d1b: npm-dep: bump svelte from 5.53.9 to 5.53.10 in /frontend (@dependabot[bot])
• f299c9d: npm-dep: bump svelte-check from 4.3.6 to 4.4.0 in /frontend (@dependabot[bot])
• 6819248: npm-dep: bump svelte-check from 4.4.0 to 4.4.1 in /frontend (@dependabot[bot])
• 2d55e9f: npm-dep: bump svelte-check from 4.4.1 to 4.4.3 in /frontend (@dependabot[bot])
• 13a06a5: npm-dep: bump svelte-check from 4.4.3 to 4.4.4 in /frontend (@dependabot[bot])
• cddad0f: npm-dep: bump svelte-check from 4.4.4 to 4.4.5 in /frontend (@dependabot[bot])
• 745094b: npm-dep: bump tailwindcss from 4.1.18 to 4.2.0 in /frontend (@dependabot[bot])
• db528a9: npm-dep: bump tailwindcss from 4.2.0 to 4.2.1 in /frontend (@dependabot[bot])
• 611c4d2: npm-dep: bump tailwindcss from 4.2.1 to 4.2.2 in /frontend (@dependabot[bot])
• e997211: npm-dep: bump typescript-eslint from 8.55.0 to 8.56.0 in /frontend (@dependabot[bot])
• 7498a69: npm-dep: bump typescript-eslint from 8.56.0 to 8.56.1 in /frontend (@dependabot[bot])
• 0766482: npm-dep: bump typescript-eslint from 8.56.1 to 8.57.0 in /frontend (@dependabot[bot])
• 52f00c4: npm-dep: bump typescript-eslint from 8.57.0 to 8.57.1 in /frontend (@dependabot[bot])

Github Actions

• fb0f9f0: gh-action: bump actions/download-artifact from 7 to 8 (@dependabot[bot])
• 285f8dc: gh-action: bump actions/upload-artifact from 6 to 7 (#1665) (@dependabot[bot])
• 9c0f6e1: gh-action: bump docker/build-push-action from 6 to 7 (#1680) (@dependabot[bot])
• 7f3020d: gh-action: bump docker/login-action from 3 to 4 (@dependabot[bot])
• ca3fb1c: gh-action: bump docker/metadata-action from 5 to 6 (@dependabot[bot])
• 6cf9539: gh-action: bump docker/setup-buildx-action from 3 to 4 (@dependabot[bot])
• 8301cad: gh-action: bump docker/setup-qemu-action from 3 to 4 (@dependabot[bot])
• 0232a43: gh-action: bump goreleaser/goreleaser-action from 6 to 7 (@dependabot[bot])
• 9bed4f4: gh-action: bump pnpm/action-setup from 4 to 5 (@dependabot[bot])

Security Release

• Update Instructions
• Update details on blog

This is a security release to address a vulnerability where page content, which should be hidden by permissions, could be visible during certain markdown exports.

We strongly advise that you update your instance if you use permissions to control page visibility.

Thanks to Ghufran Raza Khan (GitHub Profile, LinkedIn Profile) for responsibly reporting this issue.
Also thanks to Alex Dan (GitHub Profile) for also reporting this before public announcement.

Full List of Changes

• Updated queries used for pages in markdown exports.
• Updated handling of filenames for file serving.
• Updated PHP package versions.

Part-DB 2.9.1

Improvements

• Removed MPN fallback from LCSC barcode scanner, the SPN field is used instead for part matching (#1302)
• Automatically detect the delimiter on generic CSV BOM imports

Bug fixes

• Fixed intendation of EDA visibility checkboxes
• Fixed SAML login button (#1308, thanks to @mowoe)
• Fixed problem of GenericWeb info provider when used behind traefik (#1296)
• Fixed 500 error, when mapping in generic CSV BOM import fails (#1298)
• Fixed 500 error with displaying part prices, when a user has a currency preference different of base currency, and there is no conversion rate known for it (#1317)

Miscellaneous

• Updated dependencies
• Updated translations
• Updated kicad symbols

New Contributors

• @mowoe made their first contribution in #1308

Full Changelog: v2.9.0...v2.9.1

Links

• Release video overview
• Update instructions
• Update details on blog

Upgrade Notices

• Email/SMTP - The way BookStack sends messages has changed slightly (Specifically, the SMTP HELO domain). This isn't expected to be a breaking change but testing of emails (Using the test send action in Settings > Maintenance) is advised after updating to be sure there's no impact.
• Theme System - Within a theme directory, the modules/ folder is now dedicated to theme modules. If you happened to already have a folder of this name in your theme, it's advised to use a different folder name instead.

Full List of Changes

Released in v26.03

• Added new module system to the theme system. (#5998)
• Added logical theme events for page content render and pre-save. (#6049)
• Added logical theme event and class to allow inserting custom views before/after others. (#5998)
• Added logical theme event to allow customising the OIDC authentication URL. (#6014)
• Updated book delete to return to the parent shelf in a shelf context. (#6029)
• Updated book read API endpoint to provide parent shelf information. (#6006)
• Updated cursor to pointer for drawio diagrams. Thanks to @lublak. (#5864)
• Updated description for per-page display limits. (#6005)
• Updated emails to use the domain from the APP_URL in the SMTP HELO. (#5990)
• Updated translations with latest Crowdin changes. (#6007)
• Fixed empty extra space showing for descriptions when the input is left empty. (#5724)

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.9 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area in some revision views, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Alex Dan (@windbreaker555 on GitHub) for their responsible discovery and reporting of this issue.

Full List of Changes

• Updated page revision diffs to use content filtering.
• Updated preference change redirect with stronger origin checks.
• Updated application PHP dependencies.

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

⚠️ ATTN: this release fixes an ftp/sftp issue with shares

• GHSA-67rw-2x62-mqqm: when a share is created for just one or more files inside a folder, it was possible to use FTP or SFTP to access the other files inside that folder by guessing the filenames
  • so ignore this issue if you did not enable ftp or sftp in the server config
• it was not possible to descend into subdirectories in this manner; only the sibling files were accessible
• NOTE: this does NOT affect filekeys; this is specifically regarding the shr global-option
• password-protected shares were not affected through SFTP, only FTP

this release also fixes GHSA-rcp6-88mm-9vgf but that one is nothing to worry about

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

• features? in this econonmy?? ain't nobody got time for that

🩹 bugfixes

• 66f1ef6 GHSA-67rw-2x62-mqqm (shares)
• 9f9d30f GHSA-rcp6-88mm-9vgf (the other thing)

🌠 fun facts

• the first cve is still by far the worst, none of the others even close... so at least that's nice
  • if you saw the cve notification and got all worked up, here's some comfy music to relax and upgrade copyparty to

⚠️ not the latest version!

✨ New Features & Improvements

• @directus/system-data
  • Updated latest models for Anthropic, Google, and OpenAI providers (#26865 by @bryantgillespie)
• @directus/ai
  • Updated latest models for Anthropic, Google, and OpenAI providers (#26865 by @bryantgillespie)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed creation of related item with empty or default state (#26844 by @powerseed)
  • Added field level MIME type restriction to file-image interface (#26831 by @AlexGaillard)
  • Fixed AI tool approval flow hanging after approving provider-executed tools. (#26839 by @bryantgillespie)
  • Fixed custom Vue operation options to persist edited values in Flow settings. (#26832 by @AbdelhamidKhald)
  • Fixed an invalid filter for M2M interfaces when the item Id is null (#26857 by @ComfortablyCoding)
  • Fixed folder navigation state being lost when reopening file selection drawer (#26649 by @costajohnt)
  • Enforced MIME type allow list on remaining v-uploads missed in first round (#26821 by @robluton)
  • Fixed client side validation breaking in drawer when dynamic variable is present. (#26795 by @powerseed)
  • Fixed Visual Editor stripping trailing slashes from URLs (#26823 by @formfcw)
  • Enabled conditional styling for string fields in pie and donut charts. (#26776 by @vizzv)
  • Updated AI SDK dependencies to latest version (#26856 by @bryantgillespie)
  • Fixed save-as-copy failing on collections with many duplication fields (#26814 by @gaetansenn)
  • Improved redirect handling (#26870 by @br41nslug)
  • Fixed unable to click on m2o fields arrow icon to open drawer (#26822 by @robluton)
• @directus/api
  • Updated AI SDK dependencies to latest version (#26856 by @bryantgillespie)
  • Improved redirect handling (#26870 by @br41nslug)
  • Fixed countAll generating an incorrect query (#26774 by @tysoncung)
  • Updated TUS validation (#26869 by @br41nslug)
  • Fixed AI assistant Fields tool call inconsistency (#26819 by @powerseed)
  • Added support for disabling OpenAPI output using OPENAPI_ENABLED (#26868 by @br41nslug)
  • Bumped underscore, tar, lodash, dompurify dependencies (#26860 by @br41nslug)
  • Fixed deleteMany returning unexpected error for non-admin with empty array (#26759 by @ComfortablyCoding)
• @directus/env
  • Added support for disabling OpenAPI output using OPENAPI_ENABLED (#26868 by @br41nslug)

📦 Published Versions

• @directus/app@15.5.1
• @directus/api@34.0.1
• @directus/ai@1.3.0
• @directus/composables@11.2.15
• create-directus-extension@11.0.31
• @directus/env@5.6.1
• @directus/extensions@3.0.21
• @directus/extensions-registry@3.0.21
• @directus/extensions-sdk@17.0.11
• @directus/memory@3.1.4
• @directus/pressure@3.0.19
• @directus/schema-builder@0.0.16
• @directus/storage-driver-azure@12.0.19
• @directus/storage-driver-cloudinary@12.0.19
• @directus/storage-driver-gcs@12.0.19
• @directus/storage-driver-s3@12.1.5
• @directus/storage-driver-supabase@3.0.19
• @directus/system-data@4.3.0
• @directus/themes@1.2.6
• @directus/types@14.3.1
• @directus/utils@13.3.1
• @directus/validation@2.0.19

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

⚠️ ATTN: this release fixes a vulnerability

GHSA-m6hv-x64c-27mm the nohtml volflag did not prevent javascript inside SVG images from executing -- a malicious user with write-access could upload an SVG file which would execute as javascript when someone opens it 1c9f894

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

• version-checker (thx @icxes!) c6965f0
  • default-disabled; you must choose a URL to grab security advisories from to enable it
  • periodically checks the security advisories and shows a warning in the controlpanel if you're running a vulnerable version
  • can optionally panic and shutdown the server if you prefer that
  • man, the timing on this though... absolute cinema

🩹 bugfixes

• fix nohtml not being aware that SVG images can execute javascript 1c9f894
  • a new volflag noscript was also added; nohtml will automatically enable noscript, but noscript can also be useful on its own; see readme
• various upload rules fixes:
  • #1335 rotf couldn't handle trailing slash (thx @NecRaul!) 8e20506
  • #1337 rotn didn't always count correctly (thx @NecRaul!) 23d4a62
  • rotn didn't apply to dupes 00e821d
• combining rp-loc and site was a bit jank (thx @new-sashok724!) 31b2384
• global-option idp-store: 2 would result in excessive config reloading 1272de9
• fix fd-leak when indexing certain compressed files, including epub books 8b5ac23
• forget-ip: fix sqlite cursor-locking 37123e3

🔧 other changes

• #1316 Chinese translation got a huge makeover (thx @satgo1546 and @lxdlam!) b015274
• #1324 better rclone advice on the connect-page 8941701
• static website resources, previously served from /.cpr/ have moved to /.cpr/w/ for easier configuration of allowlists in reverseproxies and authentication middlewares 753ff54

🌠 fun facts

• according to the SVG spec, images being able to execute javascript is a feature and intentional behavior... what a concept!

⚠️ not the latest version!

Part-DB 2.9.0

New feautures

• Sidebar trees keep track of page navigations. If you open a certain category, the treenode will be hightlighted
• Show a "Show password" toggle on all password inputs, including login form
• Made form fields wider on large monitors, to remove useless whitespace
• Reset opcache after update manager update (thanks @Sebbeben, PR #1288)
• Allow to create manual backups and download them from the WebUI (thanks @Sebbeben, PR #1255)
• Added user_barcode_filter to API (thanks @MayNiklas, PR #1280)
• Show manufacturing status in project BOM table (thanks @mkne, #1289)
• Create a part lot with quantity, user barcode and order number based on digikey, lcsc or mouser barcode, to reduce amount of manual input

Bug fixes

• Do not scroll sidebar to top, when clicking a tree node
• Fixed description field on KiCAD 9.0.5 and 9.0.6 (#1289)
• Generate correct url for part lots barcode content label placeholders (#1268)
• Correctly import files, where only children elements are specified and no parent field (#1272)
• Clear the input after selecting an option in tomselect (#1264)

Miscellaneous

• Updated dependencies

Full Changelog: v2.8.1...v2.9.0

Part-DB 2.8.1

Bug fixes

• Security hardening for some endpoints
• Fixed minor unauthorized information leackage in IPN generation endpoint (#1283)
• Fixed problem with creating digikey parts from barcode when it contained a CREF (#1283)
• Use cache:pool:clear --all for more thorough cache clearing in update process
• Moved settings cache to cache.system adapter, to ensure its cleared on cache:clear (prevents #1279)
• Fixed problem that flash messages were not shown in admin pages

Miscellaneous

• Updated dependencies
• Updated kicad library files

Full Changelog: v2.8.0...v2.8.1

⚠️ Potential Breaking Changes

Added support for a global draft version that is automatically available for all items when versioning is enabled (#26772)
Backward Compatibility: If you have an existing version with the key draft and a custom name other than “Draft”, the display name will be standardized to “Draft” (i.e. transformed) to support the new global versioning feature. The version content and functionality remain unchanged.

Added field permission and version access checks to Visual Editor (#26772)
The field access checks require an update of the @directus/visual-editing library to v2.0.0.

Fixed password reset sending emails to external auth provider users (#26627)
requestPasswordReset now throws a Forbidden error for external auth provider users.

✨ New Features & Improvements

• @directus/app
  • Added support for a global draft version that is automatically available for all items when versioning is enabled (#26772 by @formfcw)
  • Persisted table column widths to localStorage (#26767 by @HZooly)
  • Implemented RBAC for deployment module (#26683 by @gaetansenn)
  • Added field permission and version access checks to Visual Editor (#26772 by @formfcw)
  • Added image and PDF upload support to Directus AI Assistant with a provider adapter pattern for 3 major providers (#26722 by @bryantgillespie)
    (OpenAI, Anthropic, Gemini).
  • Added version support for visual editing in live preview (#26772 by @formfcw)
  • Supported provider webhooks for deployment real-time updates (#26683 by @gaetansenn)
  • Added version support to Visual Editor (#26772 by @formfcw)
• @directus/api
  • Implemented RBAC for deployment module (#26683 by @gaetansenn)
  • Added lower_case_table_names support for mysql (#26736 by @licitdev)
  • Added image and PDF upload support to Directus AI Assistant with a provider adapter pattern for 3 major providers (#26722 by @bryantgillespie)
    (OpenAI, Anthropic, Gemini).
  • Supported provider webhooks for deployment real-time updates (#26683 by @gaetansenn)
  • Added JSON field selection support (#26500 by @br41nslug)
• @directus/system-data
  • Implemented RBAC for deployment module (#26683 by @gaetansenn)
  • Supported provider webhooks for deployment real-time updates (#26683 by @gaetansenn)
  • Added version support to Visual Editor (#26772 by @formfcw)
• @directus/types
  • Implemented RBAC for deployment module (#26683 by @gaetansenn)
  • Supported provider webhooks for deployment real-time updates (#26683 by @gaetansenn)
• @directus/sdk
  • Implemented RBAC for deployment module (#26683 by @gaetansenn)
  • Supported provider webhooks for deployment real-time updates (#26683 by @gaetansenn)
• @directus/ai
  • Added image and PDF upload support to Directus AI Assistant with a provider adapter pattern for 3 major providers (#26722 by @bryantgillespie)
    (OpenAI, Anthropic, Gemini).
• @directus/utils
  • Added image and PDF upload support to Directus AI Assistant with a provider adapter pattern for 3 major providers (#26722 by @bryantgillespie)
    (OpenAI, Anthropic, Gemini).
  • Added JSON field selection support (#26500 by @br41nslug)
• @directus/constants
  • Added JSON field selection support (#26500 by @br41nslug)
• @directus/env
  • Added JSON field selection support (#26500 by @br41nslug)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed v-select group click handler to respect item-level selectable property (#26650 by @alvarosabu)
  • Fixed license modal is not responsive on mobile screens (#26758 by @powerseed)
  • Fixed unsaved changes dialog showing collaborative variant when not in a collaborative session (#26713 by @formfcw)
  • Updated vue-split-panel dependency (#26709 by @HZooly)
  • Fixed datetime picker not closing after selecting a date (#26719 by @alvarosabu)
  • Added some missing translation keys for directus_settings and directus_roles. (#26744 by @powerseed)
  • Upgraded reka-ui to 2.8.2 for timefield two-digit hour fix (#26724 by @alvarosabu)
  • Fixed password reset sending emails to external auth provider users (#26627 by @dstockton)
  • Enabled “Navigate to Item” button for non-editable relational fields (#26711 by @HZooly)
  • Fixed auto-refresh on mobile by preserving sidebar state via Teleport (#26731 by @HZooly)
  • Fixed an issue where duplicated fields kept validation rules referencing the original field name. (#26602 by @vizzv)
  • Fixed drawer not scrolling to top when validation errors occur (#26741 by @robluton)
  • Fixed reset confirm state after flow error (#26803 by @HZooly)
  • Fixed performance degradation when editing forms with large GeoJSON geometry fields by using selective shallow cloning for geometry values. (#26560 by @alvarosabu)
  • Fixed extra tab stop in AI assistant header caused by a focusable VIcon inside VButton. (#26796 by @Mugesh13102001)
  • Guarded nav-bar and sidebar size stores against non-finite values (#26695 by @HZooly)
  • Added lower_case_table_names support for mysql (#26736 by @licitdev)
  • Fixed batch editing translations creating duplicate junction rows (#26597 by @HZooly)
  • Fixed block editor deleting blocks on save-and-stay (#26808 by @formfcw)
  • Fixed MIME type restriction for URL uploads and ensure file/s interfaces respect restricted URL uploads (#26691 by @AlexGaillard)
  • Fixed decimal and bigInteger display formatting (#26637 by @HZooly)
  • Add MIME type restriction option to select file/s interfaces (#26647 by @AlexGaillard)
  • Migrated large field selection requests to use the SDK (#26605 by @ComfortablyCoding)
  • Fixed tags interface not resolving variable strings in raw editor mode (#26739 by @HZooly)
  • Fixed Header interface spacing issue (#26786 by @LZylstra)
  • Fixed insightsStore.saveChanges to send requests only when the corresponding action array is non-empty (#26753 by @deepDiverPaul)
  • Constrained display template images in header bar to text line-height (#26680 by @HZooly)
  • Added Ask User Tool to AI Assistant (#26633 by @bryantgillespie)
• @directus/api
  • Fixed MIME type restriction for URL uploads and ensure file/s interfaces respect restricted URL uploads (#26691 by @AlexGaillard)
  • Fixed filter rule type mismatch causing database error instead of returning INVALID_QUERY (#26629 by @dstockton)
  • Fixed IPTC metadata key casing in getMetadata so that description, title, and tags are correctly populated from IPTC data. (#26672 by @danielbuechele)
  • Replaced ip-matching dependency with node blocklist (#26806 by @br41nslug)
  • Fixed AI tool schema to not allow null for trigger and accountability fields in flow input validation. (#26763 by @rijkvanzanten)
  • Returned 500 Internal server error for permanent filesystem write failures instead of 503 service unavailable (#26761 by @aryanrichhariya1234-lang)
  • Bumped axios, rollup, basic-ftp, fast-xml-parser, serialize-javascript,nodemailer, vite, tar, minimatch, qs, undici, (#26787 by @br41nslug)
    axios-cache-interceptor dependencies
  • Add auth audit hook for tracking login attempts (#26702 by @AlexGaillard)
  • Fixed GraphQL groupBy with function field (#26706 by @ComfortablyCoding)
  • Prevented encrypted field decryption failures from crashing settings reads when the SECRET has changed. Fields that can't be decrypted now return null and log a warning instead of throwing. (#26764 by @bryantgillespie)
• @directus/specs

  • Fixed password reset sending emails to external auth provider users (#26627 by @dstockton)

    :::notice
    requestPasswordReset now throws a Forbidden error for external auth provider users.
    :::

• @directus/env
  • Increased the default QUERYSTRING_ARRAY_LIMIT from 100 to 500 (#26737 by @AlexGaillard)
• @directus/utils
  • Replaced ip-matching dependency with node blocklist (#26806 by @br41nslug)
• @directus/sdk
  • Updated ReadProviderOutput type to include the label field (#26645 by @kheiner)

📦 Published Versions

• @directus/app@15.5.0
• @directus/api@34.0.0
• @directus/ai@1.2.0
• @directus/composables@11.2.14
• @directus/constants@14.2.0
• create-directus-extension@11.0.30
• @directus/env@5.6.0
• @directus/extensions@3.0.20
• @directus/extensions-registry@3.0.20
• @directus/extensions-sdk@17.0.10
• @directus/memory@3.1.3
• @directus/pressure@3.0.18
• @directus/schema-builder@0.0.15
• @directus/specs@12.0.1
• @directus/storage-driver-azure@12.0.18
• @directus/storage-driver-cloudinary@12.0.18
• @directus/storage-driver-gcs@12.0.18
• @directus/storage-driver-s3@12.1.4
• @directus/storage-driver-supabase@3.0.18
• @directus/system-data@4.2.0
• @directus/themes@1.2.5
• @directus/types@14.3.0
• @directus/utils@13.3.0
• @directus/validation@2.0.18
• @directus/sdk@21.2.0

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Part-DB 2.8.0

New features

• Allow to add parts from barcode scans of LCSC, digikey and other vendor labels (thanks @swdee)
• Allow to scan LCSC labels
• Added Amazon info provider via Canopy API
• Added an optional HTML sandbox for attachments, allowing to view interactive BOM HTML files inside Part-DB (#1150)
• Add option to disable special character keybindings (#1251, thanks @MayNiklas)
• Improve working with an external barcode scanner, allow scanning barcodes from everywhere
• Make KiCad API better cachable (#1241, thanks @Sebbeben)
• Make parameters and order informations visible in KiCad (#1241, thanks @Sebbeben)
• Show EDA value and reference in part tables (#1266, thanks @hrueger)

Miscellaneous

• Updated dependencies
• Updated translations
• Updated KiCad library autocomplete lists
• Security hardening of attachments

New Contributors

• @hrueger made their first contribution in #1266

Full Changelog: v2.7.1...v2.8.0