What's Changed

Security & Fixes

• Allow quoted arguments in custom Docker run options (#9481, fixes #9343)
• Patched Alpine packages in helper, realtime, and development Docker images (#9437)
• Bumped Alexandrie images to address upstream security advisory (#9434)

New Services & Templates

• Added Grimmory one-click service, the successor to Booklore (#9109)
• Comprehensive Supabase template update to latest versions (#8316)
• Allow overriding GOTRUE_SITE_URL in Supabase for separate frontend domains (#9079, fixes #5581)
• Added sensible CORS defaults to Directus templates (#9081, fixes #5024)
• Updated Rivet template to v2.2.0 (#9378)
• Updated Convex to current latest version (#9392)
• Fixed LibreChat healthcheck and upgraded Meilisearch image (#9358)
• Fixed n8n task-runners health check (#9309, fixes #9306)
• Increased Nextcloud healthcheck interval to prevent worker exhaustion (#9440, fixes #9439)
• Updated Nextcloud healthcheck endpoint to /status.php (#9470)
• Fixed Netbird client volume path so settings persist across restarts (#9484)
• Corrected Minecraft template category to games (#9387)
• Corrected several template categories that were set incorrectly (#9449)

Improvements

• Removed Algora bounty program references from community docs and templates (#9436)

What's Changed (Github)

• fix(services): bump images of alexandrie to fix security issue by @Smaug6739 in #9434
• feat(service): update Convex to current latest version by @sebous in #9392
• fix(template): Minecraft was on wrong category by @Iisyourdad in #9387
• feat(service): update Rivet to v2.2.0 by @yipfram in #9378
• fix(service): fix librechat healthcheck and update dependencies by @GauthierPLM in #9358
• fix(service): n8n task-runners health check fails by @frank-netkey in #9309
• feat(service): add grimmory by @RickyWanga in #9109
• fix(service): directus cors not applied in preflight requests by @xidik12 in #9081
• feat(service): update Supabase to current latest versions by @Vadko in #8316
• fix(service): allow overriding GOTRUE_SITE_URL in Supabase template by @xidik12 in #9079
• fix(service): nextcloud workers exhaustion due to low interval healthcheck by @ShadowArcanist in #9440
• fix(docker): add apk upgrade to helper, realtime, and development Dockerfiles by @andrasbacsai in #9437
• chore(community): remove Algora bounty program references by @andrasbacsai in #9436
• chore(service): update nextcloud healthcheck endpoint by @ShadowArcanist in #9470
• fix(validation): allow quoted docker run options in custom config by @andrasbacsai in #9481
• build(deps-dev): bump vite from 7.3.0 to 7.3.2 by @dependabot[bot] in #9457
• fix(service): Several templates on wrong catagory. by @Iisyourdad in #9449
• fix(service): netbird-client wrong volume path by @iamimmanuelraj in #9484
• v4.0.0-beta.472 by @andrasbacsai in #9492

New Contributors

• @sebous made their first contribution in #9392
• @Iisyourdad made their first contribution in #9387
• @frank-netkey made their first contribution in #9309
• @RickyWanga made their first contribution in #9109
• @iamimmanuelraj made their first contribution in #9484

Full Changelog: v4.0.0-beta.471...v4.0.0-beta.472

What's Changed

Security & Fixes

• Harden model mass assignment protection across all models (#9282)
• Scope server and project queries to current team (#9230)
• Harden GetLogs component with locked properties and input validation (#9229)
• Add validation and escaping for Docker network names (#9228)
• Add URL validation for notification webhook fields (#9224)
• Use server-side config for password reset URL generation (#9193)
• Add input validation for install/build/start command fields (#9227)
• Add input validation for resource limit fields (#9238)
• Add IP validation for custom DNS servers input (#9239)
• Add URL validation for proxy redirect input (#9241)
• Add input validation for server advanced settings page (#9242)
• Add input validation for sentinel configuration (#9243)
• Add input validation for database backup timeout (#9245)
• Add input validation for emails configuration (#9259)
• Add input validation for database public port and proxy timeout
• Add validation to block unsafe webhook URLs
• Use random_int() for email change verification codes (#9226)
• Move admin route into middleware group (#9225)
• Enforce team-scoped project/env lookups in onboarding
• Add input validation for port exposes and port mappings fields

New Services & Templates

• Added ElectricSQL template (#8190)

Fixes

• Fix intermittent pre-deployment command failures (#9165, fixes #9076)
• Fix Grafana GF_SERVER_DOMAIN using FQDN instead of URL (#9080, fixes #5307)
• Fix listmonk db config env typo (#9250)
• Fix Langfuse by pinning ClickHouse version to avoid init errors
• Fix cloning persistent volumes with missing uuid (#9290, fixes #9270)
• Fix redirect value not persisting in setRedirect (#9279)
• Fix cloud subscription notification links (#9296)
• Fix slash branches in public repo URLs
• Fix shared env vars resolving on wrong server
• Fix database SSL/status state and clone writes
• Fix auto-generate missing CA cert on SSL regeneration
• Fix backup notification failures affecting backup status (fixes #9088)
• Fix backup retention enforcement and stale execution cleanup
• Fix password visibility toggle using Alpine state
• Fix GitHub branch state when refreshing repositories

Improvements

• Shared server environment variables (#7764)
• Refresh repos on private GitHub app (#8621)
• Support Docker image tags for preview deployments
• Add preserve repository option to deployment API (#8371)
• Implement exponential backoff for unreachable servers (#9184)
• Improve scheduled task single view UX (#9266)
• Add two-step confirmation to enable self-registration (#9277)
• Add public port timeout configuration for databases
• Make textarea monospace opt-in and improve multiline toggle

What's Changed (Github)

• fix(backup): prevent notification failures from affecting backup status by @andrasbacsai in #9162
• fix(preview-env): ensure auto-created preview env vars inherit runtime/buildtime flags by @andrasbacsai in #9164
• fix(api): validate server ownership in domains endpoint and scope activity lookups by @andrasbacsai in #9166
• fix(backup): validate MongoDB collection names in backup input by @andrasbacsai in #9168
• fix(terminal): apply authorization middleware to terminal bootstrap routes by @andrasbacsai in #9169
• fix(livewire): add Locked attributes and consolidate container name validation by @andrasbacsai in #9171
• fix(livewire): add input validation to unmanaged container operations by @andrasbacsai in #9172
• feat(deployment): add command_hidden flag to hide command text in logs by @andrasbacsai in #9167
• fix(deployment): normalize whitespace in pre/post deployment commands by @andrasbacsai in #9173
• fix(storage): consistent path validation and escaping for file volumes by @andrasbacsai in #9176
• fix(backup): use escapeshellarg for credentials in backup commands by @andrasbacsai in #9175
• fix(storage): use escapeshellarg for volume names in shell commands by @andrasbacsai in #9185
• refactor: simplify remote process chain and harden ActivityMonitor by @andrasbacsai in #9189
• Add URL validation for GitHub source fields by @andrasbacsai in #9190
• refactor: split invitation endpoint into GET/POST flow by @andrasbacsai in #9192
• fix: sanitize error output in server validation logs by @andrasbacsai in #9197
• fix: use server-side config for password reset URL generation by @andrasbacsai in #9193
• refactor: move admin route into middleware group by @andrasbacsai in #9225
• Add URL validation for notification webhook fields by @andrasbacsai in #9224
• refactor: use random_int() for email change verification codes by @andrasbacsai in #9226
• fix: add input validation for install/build/start command fields by @andrasbacsai in #9227
• refactor: scope server and project queries to current team by @andrasbacsai in #9230
• fix: add validation and escaping for Docker network names by @andrasbacsai in #9228
• fix(application): persist redirect value in setRedirect by @andrasbacsai in #9279
• fix: harden GetLogs Livewire component properties by @andrasbacsai in #9229
• feat(api): Add support for Preserve Repository During Deployment in API by @ahmadw13 in #8371
• fix(clone): exclude uuid when replicating persistent volumes by @andrasbacsai in #9290
• fix(notification): updated cloud subscription links to valid url by @ShadowArcanist in #9296
• feat(ui): add two step confirmation to enable self registration by @ShadowArcanist in #9277
• fix(service): listmonk db config env typo by @mxswd in #9250
• fix(service): pin clickhouse version on Langfuse service to avoid error during clickhouse init by @GauthierPLM in #9236
• fix(service): use FQDN instead of URL for Grafana GF_SERVER_DOMAIN by @xidik12 in #9080
• feat(service): Add ElectricSQL by @matfire in #8190
• refactor: define explicit fillable attributes on all Eloquent models by @andrasbacsai in #9282
• fix(validation): add input validation for database public port and proxy timeout by @ShadowArcanist in #9272
• feat(ui): improve schedule task single view for better UX by @ShadowArcanist in #9266
• fix(validation): add input validation for emails configuration by @ShadowArcanist in #9259
• fix(validation): add input validation for database backup timeout by @ShadowArcanist in #9245
• fix(validation): add input validation for sentinel configuration by @ShadowArcanist in #9243
• fix(validation): add input validation for server advanced settings page by @ShadowArcanist in #9242
• fix(validation): add URL validation for proxy redirect input by @ShadowArcanist in #9241
• fix(validation): add input validation for port exposes and port mappings fields by @ShadowArcanist in #9240
• fix(validation): add IP validation for custom DNS servers input by @ShadowArcanist in #9239
• fix(validation): add input validation for resource limit fields by @ShadowArcanist in #9238
• feat: refresh repos on private github app by @adiologydev in #8621
• feat: Shared server environment variables by @ShadowArcanist in #7764
• chore(deps): bump aws/aws-sdk-php from 3.371.3 to 3.374.2 by @dependabot[bot] in #9222
• chore(deps): bump picomatch by @dependabot[bot] in #9178
• build(deps): bump league/commonmark from 2.8.1 to 2.8.2 by @dependabot[bot] in #9047
• build(deps): bump phpseclib/phpseclib from 3.0.49 to 3.0.50 by @dependabot[bot] in #9044
• feat(jobs): implement exponential backoff for unreachable servers by @andrasbacsai in #9184
• fix(deployment): resolve intermittent pre-deployment command failures by @andrasbacsai in #9165
• v4.0.0-beta.471 by @andrasbacsai in #9206

New Contributors

• @mxswd made their first contribution in #9250
• @xidik12 made their first contribution in #9080
• @matfire made their first contribution in #8190

Full Changelog: v4.0.0-beta.470...v4.0.0-beta.471