✨ New Features & Improvements

• @directus/app
  • Added keyboard navigation to the cards layout (#26976 by @HZooly)
  • Added native Tabs group interface. Uninstall the extension if currently using it to avoid unintended side effects. (#26836 by @bryantgillespie)
  • Added bulk folder deletion from the files grid with move-up or delete-all options (#26886 by @HZooly)
  • Used shorter tooltip delay for disabled elements (#26965 by @HZooly)
• @directus/utils
  • Added parseNow utility to resolve the $NOW dynamic variable (#26954 by @costajohnt)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed calendar picker crash when using dynamic variables (e.g. $NOW) (#26954 by @costajohnt)
  • Updated relationship_not_setup wording to clarify it may also result from missing permissions (#26918 by @Ikromjon1998)
  • Restored useItem support for custom query options like fields and deep by adding an optional extra query parameter and updating affected call sites. (#26985 by @LZylstra)
• @directus/api
  • Fixed file replacement returning Forbidden (#27001 by @ComfortablyCoding)
  • Updated happy-dom, path-to-regexp, picomatch, node-forge, and brace-expansion to address CVEs (#27006 by @br41nslug)
  • Fixed extension auto reload not triggering (#26986 by @ComfortablyCoding)
• @directus/utils
  • Fixed calendar picker crash when using dynamic variables (e.g. $NOW) (#26954 by @costajohnt)
• @directus/schema
  • Fixed MySQL foreignKeys query to include TABLE_NAME in the JOIN condition, preventing a cartesian product when InnoDB statistics on system tables are degraded. (#26964 by @HattoriEnzo)
• @directus/sdk
  • Fixed filter operator typing for date and time fields to support comparison and range operators. (#26957 by @costajohnt)

📦 Published Versions

• @directus/app@15.7.0
• @directus/api@35.0.1
• @directus/composables@11.2.17
• create-directus-extension@11.0.33
• @directus/env@5.7.1
• @directus/extensions@3.0.23
• @directus/extensions-registry@3.0.23
• @directus/extensions-sdk@17.1.1
• @directus/memory@3.1.6
• @directus/pressure@3.0.21
• @directus/schema@13.0.7
• @directus/schema-builder@0.0.18
• @directus/storage-driver-azure@12.0.21
• @directus/storage-driver-cloudinary@12.0.21
• @directus/storage-driver-gcs@12.0.21
• @directus/storage-driver-s3@12.1.7
• @directus/storage-driver-supabase@3.0.21
• @directus/themes@1.3.1
• @directus/types@15.0.1
• @directus/utils@13.4.0
• @directus/validation@2.0.21
• @directus/sdk@21.2.2

• Closed Secure Link vulnerability
• iOS profile now uses external IMAP settings correctly
• Fixed issue with importing contacts from VCF files
• Security improvements

Changelog

• 65612b7 chore: add .DS_Store to .gitignore
• 29e4666 chore: enable windows test build and release binaries
• 38276ab fix: fixes webserver network type

Changelog

• 8234c31 Fix versitygw#1864 to not return parent keys for ListObjectVersions with prefix
• d4ea895 chore(deps): bump actions/download-artifact from 4 to 7
• 7ebe0f8 chore(deps): bump actions/download-artifact from 7 to 8
• 790bac2 chore(deps): bump actions/upload-artifact from 4 to 6
• 892590a chore(deps): bump actions/upload-artifact from 6 to 7
• 6e9f0db chore(deps): bump github.com/clipperhouse/uax29/v2
• 22d49ed chore(deps): bump github.com/gofiber/fiber/v2 from 2.52.11 to 2.52.12
• 496b098 chore(deps): bump goreleaser/goreleaser-action from 6 to 7
• 0530636 chore(deps): bump the dev-dependencies group with 21 updates
• fa9f9ef chore(deps): bump the dev-dependencies group with 4 updates
• 0954428 chore(deps): bump the dev-dependencies group with 7 updates
• 3f2de08 chore: cleanup go.mod with go mod tidy
• fc5c0a3 chore: fix typos and error return wrapping types in posix
• 4fa7d38 chore: fix warning in system.yml github workflow
• af76584 chore: update README.md to highlight new web gui feature
• dc0572b chore: update readme for testing overview
• e7a1231 feat: add cli options to specify webui gateway/admin listing
• b3eac97 feat: add concurrency limiter to scoutfs
• fd0c9df feat: add favicon to all pages in webui
• 599ab1b feat: add multi-address listener for s3/admin/webui
• e2821fc feat: add option to disable s3proxy client data integrity checks
• 4b11f54 feat: add posix concurrency-limiter
• 8550dba feat: add tagging support for directory objects in posix
• 7fb3ded feat: adds Location, x-amz-bucket-arn response headers in CreateBucket
• 2436475 feat: adds checksums for directory objects in posix
• f7814ad feat: adds fiber max connections and in-flight requests limiter
• 9c21299 feat: allow anonymous access for s3proxy backend
• 5ae791b feat: configuration option to disable ACLs
• d03a331 feat: optimize multipart upload checksum calculation.
• 3e26175 feat: replace aws-sdk-go-v2 s3 manager with transfermanager
• 5c918f3 feat: revert ignore object ACL behavior
• 880d4ce feat: update go version to 1.25.0 and golang.org/x/net to 0.51.0
• e702a48 fix: CopyObject with URL-encoded special chars
• da82e5e fix: add missing tests to group-tests map
• 2232efd fix: adds application/xml Content-Type to error responses
• f1577fd fix: correct private canned ACL behavior on bucket creation
• 89aa822 fix: fixes DeleteObject if-match quoted comparison
• 6fafc15 fix: fixes PutBucketCors CORSRules validation
• 46bcc8a fix: fixes object default Content-Type
• 760f252 fix: improve WalkVersions() ancestor-directory guard for prefix filtering
• 3d56636 fix: make webui sidebar responsive on mobile
• 68755ca fix: replace debuglogger.Logf("Internal Error, %v", err) with debuglogger.InternalError(err)
• 4ebe408 fix: store final checksum on CompleteMultipartUpload
• 7695be5 fix: store part checksums at destination path in UploadPartCopy

Changelog

• bcf341b Add "lexical" sort to walker.go
• 73e2df4 Base import of cutdown version of io/fs/walk.go from golang as walker.go
• 0c520a3 Reload TLS certificates on SIGHUP
• bef8f38 Revert of 34da183 and 8e18b43 for backend/walk.go
• a69f5a4 chore(deps): bump actions/checkout from 4 to 6
• 2489d87 chore(deps): bump docker/build-push-action from 5 to 6
• 1dfc77d chore(deps): bump github.com/clipperhouse/uax29/v2
• d2996e1 chore(deps): bump the dev-dependencies group with 2 updates
• e37dfa6 chore(deps): bump the dev-dependencies group with 6 updates
• 82878f4 chore(deps): bump the dev-dependencies group with 7 updates
• 792a3eb chore: add advanced codeql workflow for repo customizations
• f78483a chore: add codeql ignore for embedded 3rd party js assets
• e08539e chore: add dependabot updates for github actions
• 68d7924 feat: add web-based UI for S3 object management and admin operations
• 2e67940 feat: adds delimiter support in ListMultipartUploads
• 6c564fe feat: makes root creds usable for admin subcommand with lower precendence
• 43fd18b fix: admin server debug always enabled when --admin-port option enabled
• 01fc142 fix: correct spelling for debuglogger.InternalError() (#1784)
• 86e2b02 fix: fixes delete markers access for some actions
• 2365f9f fix: fixes list-limiters parsing and validation
• 43559e6 fix: fixes non-existing object deletion with versionId
• f6225aa fix: fixes some write operations blocking in read-only mode
• 12092cf fix: fixes the SignedStreamingPayloadTrailer_success test failure
• 63fcdb3 fix: pin github.com/nats-io/nkeys version to v0.4.12
• f29206a fix: put object on windows when parent directories dont already exists
• 11e5049 fix: remove duplicate cors headers from options router
• 7017ffa fix: removes object metadata loading from posix ListParts
• 8569b15 fix: return not implemented in object actions, if acl header is present
• 03f0be2 fix: reverts the nats-io/nkeys package version to v0.4.12
• 9343860 fix: webui md5 missing error when enabling directory object lock

Changelog

• 7a4dd59 chore(deps): bump github.com/valyala/fasthttp
• 8d16bff chore(deps): bump the dev-dependencies group with 2 updates
• 6198bf4 chore(deps): bump the dev-dependencies group with 20 updates
• 0124398 chore(deps): bump the dev-dependencies group with 6 updates
• d446102 feat: add option for default global cors allow origin headers
• f467b89 feat: adds Location in CompleteMultipartUpload response
• 8073994 feat: adds integration tests for STREAMING-AWS4-HMAC-SHA256-PAYLOAD requests
• cc54aad feat: adds integration tests for STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER requests
• 2561ef9 feat: implements admin CreateBucket endpoint/cli command
• 5aa2a82 fix: Makes precondition headers insensitive to whether the value is quoted
• c2c2306 fix: adds an error route for ?versions subresource with key
• 12e1308 fix: adds versionId in put/get/delete object tagging actions response.
• 9eaaeed fix: bunch of fixes in signed streaming requests
• 657b9ac fix: changes AuthorizationHeaderMalformed error status to 400
• edac345 fix: cleanup sidecar metadata empty dirs
• 7a26aec fix: fix the concurrency issue in integration tests bucket name generation
• d015842 fix: fixes CreateBucket LocationConstraint validation
• a75aa9b fix: fixes if-none-match precondition header logic in object write operations
• cf99b3e fix: fixes invalid/expired x-amz-object-lock-retain-until-date errors
• 2a7e76a fix: fixes missing bucket object lock config error
• c91e5dc fix: fixes the InvalidRetentionPeriod error code and message
• 39ee175 fix: fixes the PutBucketPolicy response status
• 981a34e fix: fixes x-amz-if-match-size parsing
• b78d21c fix: optimize sidecar empty-dir checks
• 9f6bf18 fix: removes Expect from sigv4 ignored headers list
• 06a4512 fix: removes the NoSuchTagSet error in GetObjecTagging
• 61308d2 fix: return NoSuchKey if a precondition header is present and object doesn't exist in PutObject, CompleteMultipartUpload
• 8e0eec0 fix: return null in GetBucketLocation for us-east-1
• 06f4f0a fix: skips object lock check in DeleteObject without versionId.
• 0cab42d xattr: use different namespace prefixes for FreeBSD vs other platforms

Changelog

• d7cbee7 chore(deps): bump the dev-dependencies group with 10 updates
• 55c94f4 chore(deps): bump the dev-dependencies group with 17 updates
• b29d6a0 chore(deps): bump the dev-dependencies group with 23 updates
• cadd791 chore(deps): bump the dev-dependencies group with 6 updates
• d0ec284 feat: adds STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER option in test generation script
• c58f9b2 feat: adds integration tests for unsigned streaming payload trailer uploads
• ce9693e feat: upgrades actions checkout v4 -> v5 and go-setup v5 -> v6
• 0a2a23d fix: Checks that x-amz-decoded-content-length matches the actual payload in unsigned streaming upload
• dfe6abc fix: adds validation for chunk sizes in unsigned streaming trailer upload
• f631cd0 fix: fixes error handling for unsigned streaming upload malformed encoding
• b57764e fix: fixes ipa iam GetUserAccount id parsing panic
• d507f20 fix: fixes the GetObjectAttributes panic in s3 proxy
• d861dc8 fix: fixes unsigned streaming upload parsing and checksum calculation
• 69e107e fix: rejects STREAMING-UNSIGNED-PAYLOAD-TRAILER for all actions, except for PutObject and UploadPart
• 7627deb fix: removes mandatory checksum header check for PutObjectTagging

Changelog

• 2dd442c Allow self-signed certificates
• 45f55c2 auth/vault: add Vault namespace support
• 11bd58c chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0
• cdc4358 chore(deps): bump the dev-dependencies group with 11 updates
• 3a65521 chore(deps): bump the dev-dependencies group with 12 updates
• c3c39e4 chore(deps): bump the dev-dependencies group with 16 updates
• ff973c2 chore(deps): bump the dev-dependencies group with 17 updates
• 703c7cd chore(deps): bump the dev-dependencies group with 17 updates
• 971ae78 chore(deps): bump the dev-dependencies group with 23 updates
• dff3eb0 chore(deps): bump the dev-dependencies group with 23 updates
• 9ae6807 chore(deps): bump the dev-dependencies group with 3 updates
• 6cf3b93 chore(deps): bump the dev-dependencies group with 6 updates
• 40da4a3 chore: cleanup unused constants
• 4c3965d feat: add option to disable strict bucket name checks
• 3c3e9dd feat: add project id support for scoutfs backend
• ce6193b feat: adds bucket policy version support
• 05f8225 feat: adds missing versioning-related bucket policy actions
• a64733b feat: adds projectID prop in IAM user account
• 8d2eeeb feat: adds tagging support for object versions in posix
• d396859 feat: adds the x-amz-expected-bucket-owner check in the gateway
• 7745972 feat: adds x-amz-tagging-count support for HeadObject
• a4dc837 feat: concurrent execution of integration tests
• 64f50cc feat: gracul shutdown of s3api and admin servers
• 12f4920 feat: implements checksum calculation for all actions
• caa7ca0 feat: implements fiber panic recovery
• 9bde1dd feat: implements tagging support for CreateBucket
• 707af47 feat: prevents locked objects overwrite with CopyObject and CompleteMultipartUpload
• d05f25f feat: refactoring of the integration tests
• 7aa733a feat: use docker entrypoint for flexible env var docker config
• ebdda06 fix: adds BadDigest error for incorrect Content-Md5 s
• 9f54a25 fix: adds an error route for object calls with ?uploads query arg
• df74e7f fix: adds checks for x-amz-content-sha256 in anonymous requests
• 4740372 fix: adds error routes to reject x-amz-copy-source for GET, POST, HEAD, DELETErequests
• 9a01185 fix: adds request body check for CopyObject and UploadPartCopy
• 7744dac fix: adds validation for bucket canned ACL
• eae11b4 fix: adds versionId validation for object level actions
• ca6a92b fix: changes empty mp parts error on CompleteMultipartUpload
• a606e57 fix: correct a few object lock behaviors
• 8bb4bcb fix: fixes NoSuchVersion errors for some actions in posix
• 068b04e fix: fixes PutObjectRetention error cases and object lock error code/message.
• 8c3e49d fix: fixes checksum header and algorithm mismatch error
• 5c084b8 fix: fixes locked objects overwrite in versioning-enabled buckets
• 5c3cef6 fix: fixes s3 event and access logs sending in ProcessController
• 6176d9e fix: fixes sigv4 and presigned url auth errors.
• ebf7a03 fix: fixes the bucket/object tagging key/value name validation
• 5bc6852 fix: fixes the checksum type/algo mismatch error in create mp
• 24679a8 fix: fixes the composite checksums in CompleteMultipartUpload
• 54e2c39 fix: fixes the invalid Content-Length error
• 1d0a1d8 fix: fixes the panic in GetBucketVersioning in s3 proxy
• d15d348 fix: fixes the response header names normalizing
• ee67b41 fix: head object should set X-Amz-Bucket-Region on access denied
• 27dc84b fix: implements proper error handling for malformed http requests
• 045bdec fix: makes object metadata keys lowercase in object creation actions
• a057a25 fix: removes content-md5 check from the actions where it's unnecessary
• f435880 fix: removes trailing / for bucket operations in host-style parser
• 932f1c9 fix: sets crc64nvme as defualt checksum for complete mp action

Changelog

• c93d2cd Fix scoutfs backend s3 upload with non-aligned size.
• fbde51b be able to debug LDAP queries; be consistent between GetUserAccount() and ListUserAccounts() on how to build the search filters; objectClasses were missing in GetUserAccount research filter leading to a bad result for example when a posixgGroup have the same name as a posixUser.
• eb0a8ee chore(deps): bump the dev-dependencies group with 10 updates
• 8fb020e chore(deps): bump the dev-dependencies group with 25 updates
• 5aa407d cleanup: ipa iam server debug logging done with debuglogger
• b358e38 cleanup: minor fixes to ldap exported functions and test
• 24b1c45 cleanup: move debuglogger to top level for full project access
• b46a486 cleanup: s3 iam server debug logging done with debuglogger
• 58117c0 feat: add get bucket location frontend handlers
• 8cad7fd feat: add response header overrides for GetObject
• 818e91e feat: adds x-amz-object-size in PutObject response headers
• 4c41b8b feat: changes cors implementation in s3 to store/retreive in meta bucket
• 7a098b9 feat: implement conditional writes
• b3ed763 feat: implements conditional reads for GetObject and HeadObject
• 18e3012 fix: #1527 - case-insensitive x-amz-checksum-mode header value
• 2bb8a1e fix: NotImplemented for GetObject/HeadObject PartNumber
• 6a82213 fix: add keeplive option (CLI and env var)
• 8436202 fix: adds full wildcard and any character match for bucket policy actions
• 8e18b43 fix: lex sort order of listobjects backend.Walk
• 34da183 fix: lex sort order of listobjectversions backend.WalkVersions
• 488a9ac fix: panic in signed-chunk-reader with incorrect debug string
• a4091fd fix: previous pr was not rebased before merging and caused a build error

Changelog

• 936239b DRY of scoutfs integration, alignment testing for scoutfs.MoveData
• e62337f Fix O_TMPFILE Linkat race.
• 8e6dd45 Fix race in GetObject
• 3934bea Lowercase err message.
• 298d4ec Merged scoutfs and posix ListObjects and ListObjectsV2
• f0858a4 Small cleanups.
• 3208247 chore(deps): bump github.com/valyala/fasthttp
• 6e91e87 chore(deps): bump the dev-dependencies group with 18 updates
• 13c7cb4 chore(deps): bump the dev-dependencies group with 19 updates
• 47e49ce chore(deps): bump the dev-dependencies group with 19 updates
• cef2950 chore(deps): bump the dev-dependencies group with 20 updates
• f29337a chore(deps): bump the dev-dependencies group with 20 updates
• 5be9e3b feat: a total refactoring of the gateway middlewares by lowering them from server to router level.
• 36d2a55 feat: add rabbitmq s3 event notification support
• 1eeb7de feat: add versioning dir option to scoutfs backend
• e5850ff feat: adds copy source validation for x-amz-copy-source header.
• f877502 feat: adds integration tests for public buckets.
• 0895ada feat: adds not implemented routes for bucket accelerate configuration actions
• ed92ad3 feat: adds not implemented routes for bucket ecryption actions
• cdccdcc feat: adds not implemented routes for bucket intelligent tiering actions
• 24b88e2 feat: adds not implemented routes for bucket inventory configuration actions
• 025b0ee feat: adds not implemented routes for bucket lifecycle configuration actions
• 5f28a74 feat: adds not implemented routes for bucket logging actions
• 45a1f7a feat: adds not implemented routes for bucket metrics configuration actions
• d784c0a feat: adds not implemented routes for bucket notification configuration actions
• be79fc2 feat: adds not implemented routes for bucket public access block actions
• 88f84bf feat: adds not implemented routes for bucket replication actions
• 6b450a5 feat: adds not implemented routes for bucket request payment actions
• 14a2984 feat: adds not implemented routes for bucket website actions
• 67d0750 feat: adds unit tests for object DELETE and POST operations
• ba76aea feat: adds unit tests for the object HEAD and GET controllers.
• 09031a3 feat: bucket cors implementation
• d90944a feat: implementes GetBucketPolicyStatus s3 action
• 866b07b feat: implementes unit tests for all the bucket action controllers.
• d2038ca feat: implements advanced routing for HeadObject and bucket PUT operations.
• a7c3cb5 feat: implements advanced routing for ListBuckets, HeadBucket and bucket delete operations
• b7c758b feat: implements advanced routing for bucket POST and object PUT operations.
• a3fef42 feat: implements advanced routing for object DELETE and POST actions.
• 56d4e4a feat: implements advanced routing for object GET actions.
• abdf342 feat: implements advanced routing for the admin apis. Adds the debug logging and quite mode for the separate admin server.
• b8456bc feat: implements advanced routing system for the bucket get operations.
• dc16c04 feat: implements integration tests for the new advanced router
• edaf9d6 feat: implements public bucket access for write operations
• 39cef57 feat: implements public bucket access.
• ab571a6 feat: implements unit tests for admin controllers
• 394675a feat: implements unit tests for controller utilities
• 7f9ab35 feat: implements unit tests for object PUT controllers
• 0eadc38 fix: add -1 to azure etag to avoid client sdk verfications
• e134f63 fix: add test cases and fix behavior for head/get range requests
• 3d20a63 fix: adds Acces-Control-Allow-Headers to cors responses
• 7dc213e fix: adds bucket region in ListBuckets result
• 8db1966 fix: adds not implemented routes for bucket analytics s3 actions.
• 4187b4d fix: adds validation for x-amz-content-sha256 header
• 891672b fix: fixes the HeadObject version access control with policies.
• 4395c9e fix: fixes the InvalidBucketAclWithObjectOwnership error code.
• 69ba00a fix: fixes the UploadPart failure with no precalculated checksum header for FULL_OBJECT checksum type
• 2b9e343 fix: fixes the invalid part number marker error description in ListParts
• e74d2c0 fix: fixes the invalid x-amz-mp-object-size header error in CompleteMultipartUpload.
• 0972af0 fix: fixes the nil body reader panic.
• 65cd44a fix: fixes the s3 access logs and metrics manager reporting. Fixes the default cotext keys setter order in the middlewares.
• dafe099 fix: iam ldap reconnect after network disconnects
• e18c4f4 fix: ignores special checksum headers when parsing x-amz-checksum-x headers
• 3363988 fix: makes checksum type and algorithm case insensitive in CreateMultipartUpload
• 7953241 fix: panic in access log when region header not set in request context
• 6306512 fix: update marker/continuation token to be the azure next marker

Changelog

• ee4d0b0 chore(deps): bump the dev-dependencies group with 3 updates
• a915c3f chore(deps): bump the dev-dependencies group with 6 updates
• 36509da chore: use time.Equal for s3proxy time equality checks
• e39ab6f feat: split the vault mount path into kv and auth
• cbd3eb1 fix: ListMultipartUploads pagination panic and duplicate results
• f295df2 fix: add new auth method to update ownership within acl
• 91b904d fix: add retry for iam freeipa http requests
• c196b5f fix: admin bucket actions for s3proxy
• c320108 fix: always log internal server error messages to stderr
• 003bf5d fix: convert deprecated fasthttp VisitAll() to All()
• 08ccf82 fix: refresh expired iam vault tokens when needed

Changelog

• d971e0e chore(deps): bump the dev-dependencies group with 12 updates
• 3aa2042 chore(deps): bump the dev-dependencies group with 18 updates
• b33499c chore(deps): bump the dev-dependencies group with 18 updates
• 23169fa chore(deps): bump the dev-dependencies group with 2 updates
• 532123e chore(deps): bump the dev-dependencies group with 4 updates
• d9300ea feat: add SECURITY.md to define GitHub security policy
• 98a7b7f feat: adds a middleware to validate bucket/object names
• 7b8b483 feat: calculate full object crc for multi-part uploads for compatible checksums
• 458db64 feat: implements public bucket access.
• 7260854 fix: add object path validation util
• 0d73e3e fix: prevent internal request retry to s3proxy backend
• 6541232 fix: s3 backend user bucket listing
• d831985 fix: s3log crash if startTime not defined
• 5ba5327 fix: s3proxy create bucket always returning BucketAlreadyExists

What's Changed

• Add apple-touch-icon link by @y1zhou in #1850
• Fix regression in partition discovery on Docker (#1847)
• Fix UI bug where charts did not display 1m max until next update
• Fix agent detection of Podman when using socket proxy (#1846)
• Fix NVML GPU collection being disabled when nvidia-smi is not in PATH (#1849)
• Reset SMART interval on agent reconnect if the agent hasn't collected SMART data, allowing config changes to take effect immediately

New Contributors

• @y1zhou made their first contribution in #1850

Full Changelog: v0.18.5...v0.18.6

What's Changed

• Add "update available" notification in hub web UI with CHECK_UPDATES=true by @svenvg93 in #1830
• Add Linux mdraid health monitoring by @VACInc in #1750
• Add ports column to containers table (#1481)
• Allow Linux systemd timer monitoring with SERVICE_PATTERNS (#1820)
• Add ZFS ARC support on FreeBSD
• Add optional tabs layout on web UI system page (#1513)
• Improve web UI performance and mobile styles (thanks @steveiliop56 for new mobile menu in #1840)
• Improve disk discovery and I/O device matching (#1811, #1772)
• Improve (likely fix) status alert reliability (#1519)
• Fix temperature collection blocking agent stats on some systems by @Jimbojones1 in #1839
• Fix SMART_INTERVAL consistency across agent reconnects (#1800)
• Fix container health status for Podman (#1475)
• Fix disk usage averaging for extra disk alerts using historical records by @victoreduardo in #1801
• Fix bandwidth alert computation from byte-per-second source (#1770)
• Fix 1m chart view leading to inflated Docker network IO during use
• Fix daylight saving time offset handling in daily quiet hours by @svenvg93 in #1827
• Fix potential nil pointer panics in hub realtime worker and websocket ping
• Fix: bypass NIC auto-filter when interface is explicitly whitelisted via NICS by @svenvg93 in #1805
• Fix ATA device statistics handling for negative values (#1791)
• Fix AMD GPU sysfs filesize misreporting workaround (#1799)
• Fix light flashes when refresh in dark mode by @svenvg93 in #1832
• Fix macOS agent path lookup for macmon (#1746)
• Update Go version and dependencies

New Contributors

• @guidNull made their first contribution in #1764
• @victoreduardo made their first contribution in #1801
• @Jimbojones1 made their first contribution in #1839

Full Changelog: v0.18.4...v0.18.5

⚠️ Potential Breaking Changes

Added support for importing data in the background (#26914)
Imports now automatically time out after 1 hour, with a maximum of 20 running concurrently. These limits can be configured via IMPORT_TIMEOUT and IMPORT_MAX_CONCURRENCY, respectively.

Improved build times using tsdown’s oxc-transform (#26604)
Exports previously available from @directus/types/collab are now exported directly from @directus/types

Shrunk app UI to 90% and converted all px to rem (16px browser default) (#26826)
Potential breaking change: The app UI has been shrunk to 90% of its previous size. Extensions that rely on hardcoded px values or the old 14px root font-size may render incorrectly — all app sizing now uses rem based on the 16px browser default.

• @directus/api
  • Added support for importing data in the background (#26914 by @Nitwel)
• @directus/types
  • Improved build times using tsdown’s oxc-transform (#26604 by @Nitwel)
• @directus/specs
  • Updated fast-xml-parser, qs, minimatch, tar, undici, vue-split-panel and flatted dependencies (#26951 by @br41nslug)

✨ New Features & Improvements

• @directus/app
  • Added support for importing data in the background (#26914 by @Nitwel)
  • Added utility endpoint and UI to generate translations collections and fields. (#26742 by @bryantgillespie)
  • Added deployment provider link on the run detail page, opening deployments directly in Vercel or Netlify dashboards. (#26888 by @LZylstra)
  • Shrunk app UI to 90% and converted all px to rem (16px browser default) (#26826 by @formfcw)
• @directus/api
  • Added tool search tool for Anthropic AI provider to reduce context usage (#26864 by @bryantgillespie)
  • Added support for setting the secure attribute on OpenID/OAuth2 cookies via the AUTH_<PROVIDER>_COOKIE_SECURE environment variable (#26628 by @dstockton)
  • Updated FilesService.uploadOne to support an optional storage parameter (#26882 by @gaetansenn)
  • Added AI SDK Devtools middleware support for debugging AI Assistant in development only. Added AI telemetry provider (#26678 by @bryantgillespie)
    config for Braintrust and Langfuse, enabling sending traces for observability, usage, and token costs.
  • Added utility endpoint and UI to generate translations collections and fields. (#26742 by @bryantgillespie)
  • Added support for Redis namespace control (#26943 by @dstockton)
• @directus/errors
  • Added support for importing data in the background (#26914 by @Nitwel)
• @directus/env
  • Added support for importing data in the background (#26914 by @Nitwel)
  • Added support for Redis namespace control (#26943 by @dstockton)
• @directus/system-data
  • Added utility endpoint and UI to generate translations collections and fields. (#26742 by @bryantgillespie)
• @directus/constants
  • Added utility endpoint and UI to generate translations collections and fields. (#26742 by @bryantgillespie)
• @directus/extensions-sdk
  • Shrunk app UI to 90% and converted all px to rem (16px browser default) (#26826 by @formfcw)
• @directus/themes
  • Shrunk app UI to 90% and converted all px to rem (16px browser default) (#26826 by @formfcw)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fix file renaming (#26946 by @br41nslug)
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Fixed filtering out preRegisterCheck === false modules from settings module bar config (#26953 by @AlexGaillard)
  • Prevented uncaught exception when v-menu has no tabbable elements (#26922 by @robluton)
  • Fixed a bug where global draft updates failed for singleton collections (#26910 by @formfcw)
  • Refactored "Clear value(s) on save when hidden" condition so it's applied inside a drawer (#26925 by @AlexGaillard)
  • Added functionality to duplicate access policies (#26889 by @robluton)
  • Reduced width of split panel resize handle to prevent scrollbar interference (#26908 by @robluton)
  • Updated Vite to version 8.0.0 (#26887 by @Nitwel)
  • Corrected field editability for conditional update policies and version items (#26815 by @HZooly)
  • Fixed date picker not emitting value after month/year change. (#26880 by @powerseed)
  • Fixed inconsistent dropdown arrows in visual editor header bar (#26904 by @formfcw)
• @directus/api
  • Added API request counting to telemetry reports. Requests are tracked by HTTP method and cache status. (#26738 by @connorwinston)
  • Fix file renaming (#26946 by @br41nslug)
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Fixed errors during import not propagated while the file is streaming (#26881 by @Nitwel)
  • Added cache clear CLI command with --system and --data flags (#26898 by @gaetansenn)
  • Improved build times using tsdown’s oxc-transform (#26604 by @Nitwel)
  • Preserved M2A type info when using named GraphQL fragments (#26920 by @gaetansenn)
  • Added GraphQL resolver deduplication (#26949 by @br41nslug)
  • Fixed aggregation sanitization (#26948 by @br41nslug)
  • Added cross origin opener policy settings (#26947 by @br41nslug)
  • Fixed revisions not using prepareDelta (#26867 by @br41nslug)
• @directus/types
  • Fix file renaming (#26946 by @br41nslug)
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Updated FilesService.uploadOne to support an optional storage parameter (#26882 by @gaetansenn)
  • Added GraphQL resolver deduplication (#26949 by @br41nslug)
  • Fixed revisions not using prepareDelta (#26867 by @br41nslug)
• @directus/env
  • Fix file renaming (#26946 by @br41nslug)
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Added support for setting the secure attribute on OpenID/OAuth2 cookies via the AUTH_<PROVIDER>_COOKIE_SECURE environment variable (#26628 by @dstockton)
  • Added AI SDK Devtools middleware support for debugging AI Assistant in development only. Added AI telemetry provider (#26678 by @bryantgillespie)
    config for Braintrust and Langfuse, enabling sending traces for observability, usage, and token costs.
  • Added cross origin opener policy settings (#26947 by @br41nslug)
• @directus/ai
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/composables
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/constants
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/errors
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/extensions
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/extensions-registry
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/extensions-sdk
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Updated Vite to version 8.0.0 (#26887 by @Nitwel)
• @directus/format-title
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/memory
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/pressure
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/release-notes-generator
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Fixed generated build (#26959 by @AlexGaillard)
• @directus/schema
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/schema-builder
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage-driver-azure
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage-driver-cloudinary
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage-driver-gcs
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage-driver-local
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage-driver-s3
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage-driver-supabase
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/stores
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/system-data
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/themes
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/update-check
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/utils
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Preserved M2A type info when using named GraphQL fragments (#26920 by @gaetansenn)
  • Fixed revisions not using prepareDelta (#26867 by @br41nslug)
• @directus/validation
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/sdk
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Improved build times using tsdown’s oxc-transform (#26604 by @Nitwel)
  • Fixed function typing in sdk for date and time fields. (#26936 by @costajohnt)

📦 Published Versions

• @directus/app@15.6.0
• @directus/api@35.0.0
• @directus/ai@1.3.1
• @directus/composables@11.2.16
• @directus/constants@14.3.0
• create-directus-extension@11.0.32
• @directus/env@5.7.0
• @directus/errors@2.3.0
• @directus/extensions@3.0.22
• @directus/extensions-registry@3.0.22
• @directus/extensions-sdk@17.1.0
• @directus/format-title@12.1.2
• @directus/memory@3.1.5
• @directus/pressure@3.0.20
• @directus/release-notes-generator@2.0.4
• @directus/schema@13.0.6
• @directus/schema-builder@0.0.17
• @directus/specs@13.0.0
• @directus/storage@12.0.4
• @directus/storage-driver-azure@12.0.20
• @directus/storage-driver-cloudinary@12.0.20
• @directus/storage-driver-gcs@12.0.20
• @directus/storage-driver-local@12.0.4
• @directus/storage-driver-s3@12.1.6
• @directus/storage-driver-supabase@3.0.20
• @directus/stores@2.0.1
• @directus/system-data@4.4.0
• @directus/themes@1.3.0
• @directus/types@15.0.0
• @directus/update-check@13.0.5
• @directus/utils@13.3.2
• @directus/validation@2.0.20
• @directus/sdk@21.2.1

5.40.0 (2026-03-18)

🚀 New feature

• add package manager dropdown before version in bug report template (#25679)

🔥 Bug fix

• add maxwidth to documentactions menu (#25664)
• formatErrorMessages array values formatting (#24196)
• admin: alias singleton frontend deps in vite (#25682)
• content-manager: reduce excessive rerendering in components and dynamic zones (#25631)
• content-manager: skip non-draftAndPublish relations in countDraftRelations (#25453)
• i18n: show locale key in disabled select when editing locale (#25124)

📚 Documentation Changes

• fix docs links in README (#25715)

⚙️ Chore

• use https instead of git url in package.repository.url (#25698)
• content-manager: optimize relations handling in EditView component (#25683)
• core: parallelize and cache dynamic zone populate (#25685)

💅 Enhancement

• resolved filter editability on clicking filter tag (#24057)
• core: remove beta on Document API, enforce deprecation on EntityService API (#25744)

❤️ Thank You

• akash-dabhi-qed @akash-dabhi-qed
• Andrea Cappuccio @hood
• Bassel Kanso @Bassel17
• calm @calm329
• Jamie Howard @jhoward1994
• markkaylor
• mathildeleg @mathildeleg
• Nico André
• Nikolas Rimikis @Leptopoda
• Pierre Wizla
• Varun Chawla @veeceey

5.38.1 (2026-03-11)

Superseded on March 11, 2026 by v5.39.0 due to versioning mistake.
Please use v5.39.0.

5.39.0 (2026-03-11)

🚀 New feature

• expand accordion by default when inserting a new component in a document (#24230)
• content-manager: filter list view by publication status (#25510)

🔥 Bug fix

• added shift+tab to blocks editors (#24122)
• single type publish permission error (#24754)
• es translations (#25655)
• typo 'compatability' to 'compatibility' in error messages (#25535)
• content-manager: export ContentManagerPlugin type for plugin dev… (#24149)
• content-manager: reduce excessive rerendering in relation fields (#25623)
• content-manager: reduce rerenders for conditional fields (#25617)
• content-releases: publish in right order to preserve relations (#25551)
• guided-tour: no overlay in dark mode (#25485)
• openapi: correctly merge plugin router prefix with route paths (#25616)
• types: fix document findOne params (#25613)
• upload: add crossOrigin attribute to image preview (#24946)

⚙️ Chore

• upgrade to glob 13 (#25610)
• upgrade better-sqlite3 to 12.6.2 (#25611)
• remove eslint-plugin-rxjs (#25612)
• upgrade koa to 20.8.4 and minimatch to 10.2.4 (#25624)
• eslintignore coverage (#25649)
• stop adding issues to GitHub projects in issues_handleLabel workflow (#25677)
• update package metadata (#25599)
• *: register vitest dependency in Yarn catalog (#25400)
• core/permissions: ensure engine properly merges conditions (#25569)
• deps: bump js-yaml from 3.14.1 to 3.14.2 (#24858)
• deps: bump qs from 6.14.2 to 6.15.0 (#25555)
• deps: bump jws from 3.2.2 to 3.2.3 (#24981)
• deps: bump elliptic from 6.5.7 to 6.6.1 (#24803)
• deps: bump serialize-javascript from 6.0.1 to 6.0.2 (#24841)
• deps: bump mdast-util-to-hast from 13.2.0 to 13.2.1 (#24950)
• deps: bump jws from 3.2.2 to 3.2.3 (#25652)
• deps: bump tar from 7.5.9 to 7.5.10 (#25642)
• deps: bump serialize-javascript from 6.0.1 to 6.0.2 (#25653)

🚨 Security

• upload: improve mimetype detection for uploads (#25177)

❤️ Thank You

• Adrien L
• Akash Santra @Akash504-ai
• akash-dabhi-qed @akash-dabhi-qed
• Ayoub Hidri @ayhid
• Bassel Kanso @Bassel17
• Ben Irvin
• Brandon Aaron @brandonaaron
• Daniel Garcia @dagadevelop
• Gouttfi @Gouttfi
• jeanvier
• markkaylor
• Nico André
• Nikolas Rimikis @Leptopoda
• Owen Rossi-Keen @Smoke3785

5.38.0 (2026-03-04)

🚀 New feature

• content-manager: add relationOpenMode setting (modal/page/newTab) (#25433)
• email-nodemailer: upgrade to Nodemailer v8 with advanced email features and Admin UI capabilities (#25392)
• i18n: add missing french translations (#23093)

🔥 Bug fix

• typo 'recieved' to 'received' across codebase (#25541)
• markdown editor number list is created with wrong numbers (#24631)
• add i18n for boolean cell values (#22314)
• folder subtitles for folders without assets or subfolders (#22694)
• vite and webpack config when linking ds locally (#25530)
• types: add missing typing for proxy.koa config (#25575)

⚙️ Chore

• bump design-system to v2.2.0 (#25584)
• deps: bump rollup from 4.27.4 to 4.59.0 (#25566)
• upload: add import from url (#25496)

❤️ Thank You

• Adrien L
• Altay Akkus
• Ayoub Hidri @ayhid
• Daniel Garcia @dagadevelop
• Grégory Boutte
• Jorrit Schippers
• markkaylor
• mathildeleg @mathildeleg
• Schero D. @Schero94
• Tewson Seeoun @tewson

5.37.1 (2026-02-26)

🔥 Bug fix

• core: preserve component clone integrity in discard-drafts migration

❤️ Thank You

• Bassel Kanso @Bassel17
• Ben Irvin

5.37.0 (2026-02-26)

🔥 Bug fix

• improve subnav on mobile so it works with banner (#25450)
• layout page broken (#25501)
• add design-system to config (#25435)
• radix ui dialog dependency version (#25549)

📚 Documentation Changes

• fix typos in content-releases frontend intro (#25471)

⚙️ Chore

• add bot and contributor detection to community-label workflow (#25497)
  (#25494))
• docs: revise README for AWS S3 provider updates (#25449)

💅 Enhancement

• improve mobile ux of list view (#25366)

🚨 Security

• feature: add strictParam, addQueryParams, addInputParams (#25528)
• deps: upgrade to tar 7.5.9 (#25504)
• deps: upgrade multiple dependencies (#25506)
• deps: bump bn.js from 4.12.0 to 4.12.3 (#25521)
• deps: bump minimatch from 9.0.3 to 10.2.1 ([#25494]

❤️ Thank You

• Adrien L
• Ayoub Hidri @ayhid
• Ben Irvin
• mathildeleg @mathildeleg
• Pierre Wizla
• Simon Norris @cache-your-dreams
• Ziyi @butcherZ

5.36.1 (2026-02-18)

🔥 Bug fix

• handle undefined tours property (#25290)
• core: handle negative and zero min/max validation for number fields (#25409)
• history: improve error handling and batch deletion in cron jobs (#25425)
• migrations: speed up discard-drafts with bulk batches (#25293)
• ts: ignore generated .strapi folder (#25086)
• utils: bump preferred-pm to fix npm workspace detection (#25406)

⚙️ Chore

• add --no-build-admin option to 'strapi develop' command (#25415)
• */vitest: introduce Vitest and vitest-config package (#25286)
• ci: redirect question issues to GitHub Discussions (#25441)
• deps: bump @casl/ability from 6.5.0 to 6.7.5 (#25430)
• deps: bump qs from 6.14.1 to 6.14.2 (#25444)

🚨 Security

• upgrade to tar 7 (#25380)
• update react-router (#25391)
• deps: upgrade axios from v1.12.2 to v1.13.5 (#25427)

❤️ Thank You

• Andrei L @unrevised6419
• Bassel Kanso @Bassel17
• Ben Irvin
• DMehaffy
• Florent Baldino @Baldinof
• Jamie Howard @jhoward1994
• Jonas Thelemann
• Josh Stuible
• Nico André
• SARGUNESH S V @sargunesh25
• Simen @Eventyret

5.36.0 (2026-02-11)

🚀 New feature

• persistent list view settings (#24246)
• strapi/create: type strapi configs (#21859)
• upload-aws-s3: add extended configuration for S3-compatible providers (#25263)

🔥 Bug fix

• responsive drawer for content history (#25344)
• scrolling in sidenav also scroll content (#25379)
• match database package version (#25389)
• content-manager: preserve origin id when cloning, to fetch relations so they are corrected re-populated (#25307)
• preview-config: allow and await for async handler (#25396)
• upload-aws-s3: use baseUrl even if upload location lacks protocol (#23400)

💅 Enhancement

• improve mobile design for edit view forms (#25320)
• create-strapi-app: add --non-interactive mode for CI and scripts (#25373)

🚨 Security

• upgrade apollo to 4.13.0 (#25375)

❤️ Thank You

• Adrien L
• Andrei L @unrevised6419
• Ben Irvin
• Enrique Carpintero
• jayesh70599 @jayesh70599
• Marian Vonsien @mvo-zyres
• mathildeleg @mathildeleg
• Paul Bratslavsky @PaulBratslavsky
• Schero D. @Schero94

5.35.0 (2026-02-04)

🚀 New feature

• upload: add focal point picker for images (#25267)

🔥 Bug fix

• prevent bulk publish modal from closing during API refetch (#24632)
• update ko.json (#23501)
• mobile actions drawer in content manager edit view (#25243)
• upload: prevent asset deletion when clicking cancel on EditAssetDialog (#25318)

⚙️ Chore

• bump yarn 4.5 to 4.12 (#25284)

💅 Enhancement

• improve mobile design for content history forms (#25338)

🚨 Security

• update multiple subdependencies (#25337)

❤️ Thank You

• Adrien L
• Ben Irvin
• Dhruv Maradiya @Dhruv-Maradiya
• jayesh70599 @jayesh70599
• mathildeleg @mathildeleg
• Niceplugin @niceplugin
• Nico André
• Schero D. @Schero94

5.34.0 (2026-01-28)

🚀 New feature

• update german translations for various components (#24143)
• upload: add retroactive ai metadata generation (#25066)

🔥 Bug fix

• add missing labels to IT locale (#25217)
• form elements mobile adjustments (#25202)
• responsive cm header (#25203)
• run orphan removal for the 'related_type' column (#24833)
• adjust padding for cm subnav (#25253)
• admin: format input error message with values (#23932)
• i18n: ai translation losing unsupported fields (#25247)
• menu: render external links as anchors (#25269)

📚 Documentation Changes

• clarify strapi installation instructions in README (#25016)
• CONTRIBUTING: set link to latest version of .commitlintrc.ts (#25224)

⚙️ Chore

• update pinned elliptic (#25206)
• remove unused imports from react and @strapi/design-system (#25222)
• update pinned dependencies express, qs, body-parser (#25209)
• remove in-app marketplace (#24958)
• update lodash to 4.17.23 (#25244)
• deps: bump lodash-es from 4.17.21 to 4.17.23 (#25239)
• upload: setup future flag for media lib redesign work (#25229)
• ‎.github/workflows: bump outdated GitHub Actions versions (#25233)

💅 Enhancement

• responsiveness consistency for subnav (#25107)

🚨 Security

• update pinned mdast-utils (#25227)
• update pinned js-yaml, node-forge, tmp, and more (#25228)

❤️ Thank You

• Adrien L
• Ben Irvin
• Boaz Poolman
• Jair Ortiz @JairOrtizGutierrez
• Jamie Howard @jhoward1994
• Leonid Vinogradov @leon-win
• Lukas Eipert
• markkaylor
• mathildeleg @mathildeleg
• Nidhi Sharma @Nidhisharma4399
• Pádraic Slattery @pgoslatara
• Ziyi @butcherZ

Changelog

Bug fixes

• 95d722b: fix: test udp (@seriousm4x)

Others

• 8d461e0: add note for DEVICE_IP and DEVICE_MAC availability in cmds (#1716) (@invario)
• 49d4109: gh-actions: remove go and npm, will update manually (@seriousm4x)
• 59b1723: send additional 2 magic packets via IP address for routed WOL (#1718) (@invario)

Security Release

• Update Instructions
• Update details on blog

This is a security release to address a vulnerability where the registration form could be manipulated to gain access to additional roles.

Upgrade is very strongly advised if your instance has user registration enabled.

Thanks to Kwonyong Lee (LinkedIn) for responsibly reporting this issue.
Also thanks to Boustani OSAMA (LinkedIn) for also reporting this before public announcement.

Full List of Changes

• Updated user creation to only use validated input from registration.
• Updated PHP package versions.
• Updated translations with latest Crowdin changes. (#6064)
• Updated PHP_CodeSniffer repository link. Thanks to @rodrigoprimo. (#6060)
• Updated WYSIWYG editors to have consistent collapsible block double click behavior. (#6059)

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

• #1351 add .hidden support (thx @NecRaul!) beb634d 134e378
  • cosmetic filter to exclude specific files from directory listings by adding their filenames to a textfile named .hidden similar to many linux desktop file managers
  • the files are still easily available from various APIs; this is not a security feature, just a way to keep things neat and tidy
• #1381 thumbnail pregeneration 7d6b037
  • usually/generally not a good idea; readme explains it
• shares: now possible to grant the . permission to see dotfiles 66f9c95

🩹 bugfixes

• #1372 #1333 no thumbnails if the server OS was too old to have JXL support and the webbrowser was asking for JXL 1afe48b
• #1363 new-version alert would only appear if the visitor had the Admin permission in the webroot specifically; now A in any volume is sufficient 6eb4f0a
• 66f1ef6 should have blocked mkdir too and now it does (thx @restriction!) ac60a1d
• setting the nohtml or noscript volflags on the webroot would break the web-UI eb028c9
• shares: the -ed global-option did not make dotfiles visible in shares 66f9c95
  • the dots volflag still doesn't, but that one is intentional

🔧 other changes

• tried to stop libvips from gobbling up ram while creating jxl thumbnails; didn't really work abdbd69
  • jxl support in libvips is now default-disabled unless the libc is musl and the allocator is mallocng, which means alpine linux
    • in other words, libvips is still fully enabled in the iv and dj docker images if you do not enable mimalloc
  • all other deployments will now have slightly slower jxl thumbnail generation by using ffmpeg instead (it's fine really)
    • new global-option --th-vips-jxl lets you force-enable it if you dare
• volflags nohtml and noscript now available as global-options --no-html and --no-script 5f3b76c
  • and the -ss paranoia option now also enables --no-html --no-readme --no-logues
• --flo 2 now removes colors from logfiles even if -q is not set 8c6d8a3
• update dompurify to 3.3.3 6a9e6da
• docs:
  • #1360 versus.md: more readable headers (thx @eugenesvk!) e71e190
  • #1367 mention --shr-who in the readme (thx @TWhiteShadow!) 4688410

🌠 fun facts

• it is easter soon edc2017

💾 what to download?

• except for u2c.exe, all of the options above are mostly equivalent
• the zip and tar.gz files below are just source code
• python packages are available at PyPI

Changelog

Bug fixes

• 105ae4f: fix: static page reload fails, use search param device id, close #1711 (@seriousm4x)

Others

• b00f3a1: fix build (@seriousm4x)
• 4610b54: pnpm update (@seriousm4x)

Npm dependencies

• 4c03494: npm-dep: bump @inlang/paraglide-js from 2.15.0 to 2.15.1 in /frontend (@dependabot[bot])

Changelog

Bug fixes

• 3caa62b: fix: frontend error when devices share same mac address, close #1702 (@seriousm4x)
• 48a8c73: fix: loop in shutdown code rewritten to work properly (#1695) (@invario)

Others

• 9dac3e9: Add ability for device/network scan when rootless (#1700) (@invario)
• 66e08ad: frontend: use @tailwindcss/vite instead of postcss (@seriousm4x)
• 85b49de: scan: flex-col inputs (@seriousm4x)
• c2bf398: small fixes (@seriousm4x)
• d31a6ef: update deps (@seriousm4x)
• 1d361e3: update ping privileged/unprivileged logic (#1586) (@invario)

Go dependencies

• 20e2520: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• c5613a5: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 288deda: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 457a17c: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 190f87d: go-dep: bump golang.org/x/sys from 0.41.0 to 0.42.0 in /backend (@dependabot[bot])

Npm dependencies

• be94f35: npm-dep: bump @eslint/js from 9.39.2 to 9.39.3 in /frontend (@dependabot[bot])
• 84a362a: npm-dep: bump @eslint/js from 9.39.3 to 9.39.4 in /frontend (@dependabot[bot])
• 9f00286: npm-dep: bump @inlang/cli from 3.1.6 to 3.1.7 in /frontend (@dependabot[bot])
• 91eab52: npm-dep: bump @inlang/paraglide-js from 2.11.0 to 2.12.0 in /frontend (@dependabot[bot])
• 06b4626: npm-dep: bump @inlang/paraglide-js from 2.12.0 to 2.13.0 in /frontend (@dependabot[bot])
• 969ded6: npm-dep: bump @inlang/paraglide-js from 2.13.0 to 2.13.1 in /frontend (@dependabot[bot])
• f794681: npm-dep: bump @inlang/paraglide-js from 2.13.1 to 2.13.2 in /frontend (@dependabot[bot])
• 0acba76: npm-dep: bump @inlang/paraglide-js from 2.13.2 to 2.14.0 in /frontend (@dependabot[bot])
• 5c5b908: npm-dep: bump @inlang/paraglide-js from 2.14.0 to 2.15.0 in /frontend (@dependabot[bot])
• e4ab3c3: npm-dep: bump @sveltejs/kit from 2.51.0 to 2.52.0 in /frontend (@dependabot[bot])
• 0bead88: npm-dep: bump @sveltejs/kit from 2.52.0 to 2.52.2 in /frontend (@dependabot[bot])
• 1e168d4: npm-dep: bump @sveltejs/kit from 2.52.2 to 2.53.0 in /frontend (@dependabot[bot])
• ad36a40: npm-dep: bump @sveltejs/kit from 2.53.0 to 2.53.1 in /frontend (@dependabot[bot])
• ebd3e01: npm-dep: bump @sveltejs/kit from 2.53.1 to 2.53.3 in /frontend (@dependabot[bot])
• c57adf8: npm-dep: bump @sveltejs/kit from 2.53.3 to 2.53.4 in /frontend (@dependabot[bot])
• e09b968: npm-dep: bump @sveltejs/kit from 2.53.4 to 2.54.0 in /frontend (@dependabot[bot])
• b39857b: npm-dep: bump @sveltejs/kit from 2.54.0 to 2.55.0 in /frontend (@dependabot[bot])
• 01dcca3: npm-dep: bump @tailwindcss/postcss from 4.1.18 to 4.2.0 in /frontend (@dependabot[bot])
• 81e252b: npm-dep: bump @tailwindcss/postcss from 4.2.0 to 4.2.1 in /frontend (@dependabot[bot])
• d6604b2: npm-dep: bump @tailwindcss/postcss from 4.2.1 to 4.2.2 in /frontend (@dependabot[bot])
• 835f5b9: npm-dep: bump daisyui from 5.5.18 to 5.5.19 in /frontend (@dependabot[bot])
• a2d6d73: npm-dep: bump eslint from 9.39.2 to 9.39.3 in /frontend (@dependabot[bot])
• 3bf1ba5: npm-dep: bump eslint from 9.39.3 to 9.39.4 in /frontend (@dependabot[bot])
• 29c99ed: npm-dep: bump eslint-plugin-svelte from 3.15.0 to 3.15.1 in /frontend (@dependabot[bot])
• faeed49: npm-dep: bump eslint-plugin-svelte from 3.15.1 to 3.15.2 in /frontend (@dependabot[bot])
• e6d2992: npm-dep: bump postcss from 8.5.6 to 8.5.8 in /frontend (@dependabot[bot])
• cea0136: npm-dep: bump prettier-plugin-svelte from 3.4.1 to 3.5.0 in /frontend (@dependabot[bot])
• b09510f: npm-dep: bump prettier-plugin-svelte from 3.5.0 to 3.5.1 in /frontend (@dependabot[bot])
• 28ef84d: npm-dep: bump svelte from 5.50.3 to 5.51.2 in /frontend (@dependabot[bot])
• 58136f2: npm-dep: bump svelte from 5.51.2 to 5.51.3 in /frontend (@dependabot[bot])
• 0b7c4a6: npm-dep: bump svelte from 5.51.3 to 5.53.0 in /frontend (@dependabot[bot])
• d99d19b: npm-dep: bump svelte from 5.53.0 to 5.53.3 in /frontend (@dependabot[bot])
• 88d333d: npm-dep: bump svelte from 5.53.10 to 5.53.11 in /frontend (@dependabot[bot])
• ed83590: npm-dep: bump svelte from 5.53.11 to 5.53.12 in /frontend (@dependabot[bot])
• 2e69ba9: npm-dep: bump svelte from 5.53.12 to 5.54.0 in /frontend (@dependabot[bot])
• 4f1ec6c: npm-dep: bump svelte from 5.53.3 to 5.53.5 in /frontend (@dependabot[bot])
• d6300e8: npm-dep: bump svelte from 5.53.5 to 5.53.6 in /frontend (@dependabot[bot])
• 07d7bec: npm-dep: bump svelte from 5.53.6 to 5.53.7 in /frontend (@dependabot[bot])
• 78068c1: npm-dep: bump svelte from 5.53.7 to 5.53.9 in /frontend (@dependabot[bot])
• 1273d1b: npm-dep: bump svelte from 5.53.9 to 5.53.10 in /frontend (@dependabot[bot])
• f299c9d: npm-dep: bump svelte-check from 4.3.6 to 4.4.0 in /frontend (@dependabot[bot])
• 6819248: npm-dep: bump svelte-check from 4.4.0 to 4.4.1 in /frontend (@dependabot[bot])
• 2d55e9f: npm-dep: bump svelte-check from 4.4.1 to 4.4.3 in /frontend (@dependabot[bot])
• 13a06a5: npm-dep: bump svelte-check from 4.4.3 to 4.4.4 in /frontend (@dependabot[bot])
• cddad0f: npm-dep: bump svelte-check from 4.4.4 to 4.4.5 in /frontend (@dependabot[bot])
• 745094b: npm-dep: bump tailwindcss from 4.1.18 to 4.2.0 in /frontend (@dependabot[bot])
• db528a9: npm-dep: bump tailwindcss from 4.2.0 to 4.2.1 in /frontend (@dependabot[bot])
• 611c4d2: npm-dep: bump tailwindcss from 4.2.1 to 4.2.2 in /frontend (@dependabot[bot])
• e997211: npm-dep: bump typescript-eslint from 8.55.0 to 8.56.0 in /frontend (@dependabot[bot])
• 7498a69: npm-dep: bump typescript-eslint from 8.56.0 to 8.56.1 in /frontend (@dependabot[bot])
• 0766482: npm-dep: bump typescript-eslint from 8.56.1 to 8.57.0 in /frontend (@dependabot[bot])
• 52f00c4: npm-dep: bump typescript-eslint from 8.57.0 to 8.57.1 in /frontend (@dependabot[bot])

Github Actions

• fb0f9f0: gh-action: bump actions/download-artifact from 7 to 8 (@dependabot[bot])
• 285f8dc: gh-action: bump actions/upload-artifact from 6 to 7 (#1665) (@dependabot[bot])
• 9c0f6e1: gh-action: bump docker/build-push-action from 6 to 7 (#1680) (@dependabot[bot])
• 7f3020d: gh-action: bump docker/login-action from 3 to 4 (@dependabot[bot])
• ca3fb1c: gh-action: bump docker/metadata-action from 5 to 6 (@dependabot[bot])
• 6cf9539: gh-action: bump docker/setup-buildx-action from 3 to 4 (@dependabot[bot])
• 8301cad: gh-action: bump docker/setup-qemu-action from 3 to 4 (@dependabot[bot])
• 0232a43: gh-action: bump goreleaser/goreleaser-action from 6 to 7 (@dependabot[bot])
• 9bed4f4: gh-action: bump pnpm/action-setup from 4 to 5 (@dependabot[bot])