❌

Lees weergave

↗️

Stable Channel Update for Desktop

βœ‡Google Chrome

The Stable channel has been updated to 146.0.7680.164/165 for Windows/MacΒ  andΒ 146.0.7680.164 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in theΒ Log

Security Fixes and Rewards


Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 8 security fixes. Please see the Chrome Security Page for more information.


[$7000][485397284] High CVE-2026-4673: Heap buffer overflow in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18

[TBD][488188166] High CVE-2026-4674: Out of bounds read in CSS. Reported by Syn4pse on 2026-02-27

[TBD][488270257] High CVE-2026-4675: Heap buffer overflow in WebGL. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-02-27

[TBD][488613135] High CVE-2026-4676: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-01

[TBD][490533968] High CVE-2026-4677: Out of bounds read in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-07

[TBD][491164019] High CVE-2026-4678: Use after free in WebGPU. Reported by Google on 2026-03-10

[TBD][491516670] High CVE-2026-4679: Integer overflow in Fonts. Reported by GF, Un3xploitable Of DeadSec on 2026-03-11

[TBD][491869946] High CVE-2026-4680: Use after free in FedCM. Reported by Shaheen Fazim on 2026-03-12


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.


Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.


Interested in switching release channels? Find out howΒ here. If you find a new issue, please let us know byΒ filing a bug. TheΒ community help forumΒ is also a great place to reach out for help or learn about common issues.

Srinivas Sista

Google Chrome
  •  
  • ↗️
↗️

v5.40.0

βœ‡Strapi
Door: internal-releases[bot]

5.40.0 (2026-03-18)

πŸš€ New feature

  • add package manager dropdown before version in bug report template (#25679)

πŸ”₯ Bug fix

  • add maxwidth to documentactions menu (#25664)
  • formatErrorMessages array values formatting (#24196)
  • admin: alias singleton frontend deps in vite (#25682)
  • content-manager: reduce excessive rerendering in components and dynamic zones (#25631)
  • content-manager: skip non-draftAndPublish relations in countDraftRelations (#25453)
  • i18n: show locale key in disabled select when editing locale (#25124)

πŸ“š Documentation Changes

  • fix docs links in README (#25715)

βš™οΈ Chore

  • use https instead of git url in package.repository.url (#25698)
  • content-manager: optimize relations handling in EditView component (#25683)
  • core: parallelize and cache dynamic zone populate (#25685)

πŸ’… Enhancement

  • resolved filter editability on clicking filter tag (#24057)
  • core: remove beta on Document API, enforce deprecation on EntityService API (#25744)

❀️ Thank You

  •  
  • ↗️
↗️

v5.38.1

βœ‡Strapi
Door: internal-releases[bot]

5.38.1 (2026-03-11)

Superseded on March 11, 2026 by v5.39.0 due to versioning mistake.
Please use v5.39.0.

  •  
  • ↗️
↗️

v5.39.0

βœ‡Strapi
Door: internal-releases[bot]

5.39.0 (2026-03-11)

πŸš€ New feature

  • expand accordion by default when inserting a new component in a document (#24230)
  • content-manager: filter list view by publication status (#25510)

πŸ”₯ Bug fix

  • added shift+tab to blocks editors (#24122)
  • single type publish permission error (#24754)
  • es translations (#25655)
  • typo 'compatability' to 'compatibility' in error messages (#25535)
  • content-manager: export ContentManagerPlugin type for plugin dev… (#24149)
  • content-manager: reduce excessive rerendering in relation fields (#25623)
  • content-manager: reduce rerenders for conditional fields (#25617)
  • content-releases: publish in right order to preserve relations (#25551)
  • guided-tour: no overlay in dark mode (#25485)
  • openapi: correctly merge plugin router prefix with route paths (#25616)
  • types: fix document findOne params (#25613)
  • upload: add crossOrigin attribute to image preview (#24946)

βš™οΈ Chore

  • upgrade to glob 13 (#25610)
  • upgrade better-sqlite3 to 12.6.2 (#25611)
  • remove eslint-plugin-rxjs (#25612)
  • upgrade koa to 20.8.4 and minimatch to 10.2.4 (#25624)
  • eslintignore coverage (#25649)
  • stop adding issues to GitHub projects in issues_handleLabel workflow (#25677)
  • update package metadata (#25599)
  • *: register vitest dependency in Yarn catalog (#25400)
  • core/permissions: ensure engine properly merges conditions (#25569)
  • deps: bump js-yaml from 3.14.1 to 3.14.2 (#24858)
  • deps: bump qs from 6.14.2 to 6.15.0 (#25555)
  • deps: bump jws from 3.2.2 to 3.2.3 (#24981)
  • deps: bump elliptic from 6.5.7 to 6.6.1 (#24803)
  • deps: bump serialize-javascript from 6.0.1 to 6.0.2 (#24841)
  • deps: bump mdast-util-to-hast from 13.2.0 to 13.2.1 (#24950)
  • deps: bump jws from 3.2.2 to 3.2.3 (#25652)
  • deps: bump tar from 7.5.9 to 7.5.10 (#25642)
  • deps: bump serialize-javascript from 6.0.1 to 6.0.2 (#25653)

🚨 Security

  • upload: improve mimetype detection for uploads (#25177)

❀️ Thank You

  •  
  • ↗️
↗️

v5.38.0

βœ‡Strapi
Door: internal-releases[bot]

5.38.0 (2026-03-04)

πŸš€ New feature

  • content-manager: add relationOpenMode setting (modal/page/newTab) (#25433)
  • email-nodemailer: upgrade to Nodemailer v8 with advanced email features and Admin UI capabilities (#25392)
  • i18n: add missing french translations (#23093)

πŸ”₯ Bug fix

  • typo 'recieved' to 'received' across codebase (#25541)
  • markdown editor number list is created with wrong numbers (#24631)
  • add i18n for boolean cell values (#22314)
  • folder subtitles for folders without assets or subfolders (#22694)
  • vite and webpack config when linking ds locally (#25530)
  • types: add missing typing for proxy.koa config (#25575)

βš™οΈ Chore

  • bump design-system to v2.2.0 (#25584)
  • deps: bump rollup from 4.27.4 to 4.59.0 (#25566)
  • upload: add import from url (#25496)

❀️ Thank You

  •  
  • ↗️
↗️

v5.37.1

βœ‡Strapi
Door: internal-releases[bot]

5.37.1 (2026-02-26)

πŸ”₯ Bug fix

  • core: preserve component clone integrity in discard-drafts migration

❀️ Thank You

  •  
  • ↗️
↗️

v5.37.0

βœ‡Strapi
Door: internal-releases[bot]

5.37.0 (2026-02-26)

πŸ”₯ Bug fix

  • improve subnav on mobile so it works with banner (#25450)
  • layout page broken (#25501)
  • add design-system to config (#25435)
  • radix ui dialog dependency version (#25549)

πŸ“š Documentation Changes

  • fix typos in content-releases frontend intro (#25471)

βš™οΈ Chore

  • add bot and contributor detection to community-label workflow (#25497)
    (#25494))
  • docs: revise README for AWS S3 provider updates (#25449)

πŸ’… Enhancement

  • improve mobile ux of list view (#25366)

🚨 Security

  • feature: add strictParam, addQueryParams, addInputParams (#25528)
  • deps: upgrade to tar 7.5.9 (#25504)
  • deps: upgrade multiple dependencies (#25506)
  • deps: bump bn.js from 4.12.0 to 4.12.3 (#25521)
  • deps: bump minimatch from 9.0.3 to 10.2.1 ([#25494]

❀️ Thank You

  •  
  • ↗️
↗️

v5.36.1

βœ‡Strapi
Door: internal-releases[bot]

5.36.1 (2026-02-18)

πŸ”₯ Bug fix

  • handle undefined tours property (#25290)
  • core: handle negative and zero min/max validation for number fields (#25409)
  • history: improve error handling and batch deletion in cron jobs (#25425)
  • migrations: speed up discard-drafts with bulk batches (#25293)
  • ts: ignore generated .strapi folder (#25086)
  • utils: bump preferred-pm to fix npm workspace detection (#25406)

βš™οΈ Chore

  • add --no-build-admin option to 'strapi develop' command (#25415)
  • */vitest: introduce Vitest and vitest-config package (#25286)
  • ci: redirect question issues to GitHub Discussions (#25441)
  • deps: bump @casl/ability from 6.5.0 to 6.7.5 (#25430)
  • deps: bump qs from 6.14.1 to 6.14.2 (#25444)

🚨 Security

  • upgrade to tar 7 (#25380)
  • update react-router (#25391)
  • deps: upgrade axios from v1.12.2 to v1.13.5 (#25427)

❀️ Thank You

  •  
  • ↗️
↗️

v5.36.0

βœ‡Strapi
Door: internal-releases[bot]

5.36.0 (2026-02-11)

πŸš€ New feature

  • persistent list view settings (#24246)
  • strapi/create: type strapi configs (#21859)
  • upload-aws-s3: add extended configuration for S3-compatible providers (#25263)

πŸ”₯ Bug fix

  • responsive drawer for content history (#25344)
  • scrolling in sidenav also scroll content (#25379)
  • match database package version (#25389)
  • content-manager: preserve origin id when cloning, to fetch relations so they are corrected re-populated (#25307)
  • preview-config: allow and await for async handler (#25396)
  • upload-aws-s3: use baseUrl even if upload location lacks protocol (#23400)

πŸ’… Enhancement

  • improve mobile design for edit view forms (#25320)
  • create-strapi-app: add --non-interactive mode for CI and scripts (#25373)

🚨 Security

  • upgrade apollo to 4.13.0 (#25375)

❀️ Thank You

  •  
  • ↗️
↗️

v5.35.0

βœ‡Strapi
Door: internal-releases[bot]

5.35.0 (2026-02-04)

πŸš€ New feature

  • upload: add focal point picker for images (#25267)

πŸ”₯ Bug fix

  • prevent bulk publish modal from closing during API refetch (#24632)
  • update ko.json (#23501)
  • mobile actions drawer in content manager edit view (#25243)
  • upload: prevent asset deletion when clicking cancel on EditAssetDialog (#25318)

βš™οΈ Chore

  • bump yarn 4.5 to 4.12 (#25284)

πŸ’… Enhancement

  • improve mobile design for content history forms (#25338)

🚨 Security

  • update multiple subdependencies (#25337)

❀️ Thank You

  •  
  • ↗️
↗️

v5.34.0

βœ‡Strapi
Door: internal-releases[bot]

5.34.0 (2026-01-28)

πŸš€ New feature

  • update german translations for various components (#24143)
  • upload: add retroactive ai metadata generation (#25066)

πŸ”₯ Bug fix

  • add missing labels to IT locale (#25217)
  • form elements mobile adjustments (#25202)
  • responsive cm header (#25203)
  • run orphan removal for the 'related_type' column (#24833)
  • adjust padding for cm subnav (#25253)
  • admin: format input error message with values (#23932)
  • i18n: ai translation losing unsupported fields (#25247)
  • menu: render external links as anchors (#25269)

πŸ“š Documentation Changes

  • clarify strapi installation instructions in README (#25016)
  • CONTRIBUTING: set link to latest version of .commitlintrc.ts (#25224)

βš™οΈ Chore

  • update pinned elliptic (#25206)
  • remove unused imports from react and @strapi/design-system (#25222)
  • update pinned dependencies express, qs, body-parser (#25209)
  • remove in-app marketplace (#24958)
  • update lodash to 4.17.23 (#25244)
  • deps: bump lodash-es from 4.17.21 to 4.17.23 (#25239)
  • upload: setup future flag for media lib redesign work (#25229)
  • β€Ž.github/workflows: bump outdated GitHub Actions versions (#25233)

πŸ’… Enhancement

  • responsiveness consistency for subnav (#25107)

🚨 Security

  • update pinned mdast-utils (#25227)
  • update pinned js-yaml, node-forge, tmp, and more (#25228)

❀️ Thank You

  •  
  • ↗️
↗️

v4.0.0-beta.469

βœ‡Coolify
Door: andrasbacsai

What's Changed

Security & Fixes

  • Fixed sporadic SSH "permission denied" errors during key rotation (#8990, fixes #7724)
  • Fixed deployment failures when build server is enabled during restart operations (#9045, fixes #9013)
  • Fixed breadcrumb queries causing out-of-memory crashes (#9048, fixes #9009)
  • Fixed GitHub App webhook endpoint defaulting to IPv4 instead of instance domain (#8948)
  • Fixed Hoppscotch service failing to start due to database health check (#8949)
  • Fixed Docker Compose not respecting preserveRepository for project directory (#8956, fixes #8953)
  • Fixed backup error when S3 storage is missing or deleted (#9038, fixes #9035)
  • Fixed Stripe subscription error handling and resilience (#9030)
  • Fixed Heyform template configuration (#8747)
  • Fixed API resource UUID extraction from route parameters
  • Fixed Docker cleanup stale container warning on cloud instances
  • Fixed Compose file-not-found error now includes git branch info

New Services & Templates

  • Added LibreSpeed service for self-hosted speed testing (#8626)
  • Added imgcompress service for offline image processing (#8763)
  • Updated Databasus to v3.16.2 (#8586)
  • Updated n8n with Postgres and Worker to v2.10.4 (#8807)
  • Updated SeaweedFS images to v4.13 (#8738)
  • Fixed Castopod service port from 8000 to 8080 (#8817)

Improvements

  • Added per-volume control of PR suffix in preview deployments (#9006, fixes #7802, fixes #7343)
  • Added auto-population of FQDN from docker_compose_domains for compose previews (#8963, fixes #8958)
  • Added force deletion option for servers with existing resources (#8962)
  • Added auto-fetch of server metadata after validation (#8964)
  • Added container label escape control to services API (#8955, fixes #8954)
  • Added database environment variable management API endpoints
  • Added storage management API endpoints for applications and backup schedules
  • Added support for comments in bulk environment variable API endpoints
  • Added placeholder hints for magic environment variables
  • Added next billing date and billing interval display for subscriptions
  • Added cache-based deduplication for delayed cron execution
  • Simplified environment variable settings by removing buildtime/runtime options

What's Changed (Github)

  • fix(git): GitHub App webhook endpoint defaults to IPv4 instead of the instance domain by @ShadowArcanist in #8948
  • feat(service): update n8n-with-postgres-and-worker to 2.10.4 by @michachan in #8807
  • Change Castopod service port from 8000 to 8080 by @SeriousM in #8817
  • fix(service): hoppscotch fails to start due to db unhealthy by @ShadowArcanist in #8949
  • fix(api): allow is_container_label_escape_enabled in service operations by @andrasbacsai in #8955
  • fix(docker-compose): respect preserveRepository when injecting --project-directory by @andrasbacsai in #8956
  • feat(server): allow force deletion of servers with resources by @andrasbacsai in #8962
  • feat(compose-preview): populate fqdn from docker_compose_domains by @andrasbacsai in #8963
  • feat(server): auto-fetch server metadata after validation by @andrasbacsai in #8964
  • feat(templates): Add imgcompress service, for offline image processing by @ariqpradipa in #8763
  • fix(template): fix heyform template by @iMuFeng in #8747
  • chore(service): Update SeaweedFS images to version 4.13 by @FabioHAraujo in #8738
  • feat(service): Add librespeed by @diogo24m in #8626
  • feat(service): update databasus to v3.16.2 by @Luzefiru in #8586
  • fix(preview): enable per-volume control of PR suffix in preview deployments by @andrasbacsai in #9006
  • fix: prevent sporadic SSH permission denied on key rotation by @pannous in #8990
  • fix(stripe): add error handling and resilience to subscription operations by @andrasbacsai in #9030
  • fix(backup): throw explicit error when S3 storage missing or deleted by @andrasbacsai in #9038
  • perf(breadcrumb): optimize queries and simplify navigation to fix OOM by @andrasbacsai in #9048
  • fix(deployment): disable build server during restart operations by @andrasbacsai in #9045
  • v4.0.0-beta.469 by @andrasbacsai in #9007

New Contributors

Full Changelog: v4.0.0-beta.468...v4.0.0-beta.469

  •  
  • ↗️
↗️

v4.0.0-beta.468

βœ‡Coolify
Door: andrasbacsai

What's Changed

Security & Fixes

  • Fixed SSH connection retry failures during deployments (#8927, fixes #8926)
  • Fixed deployment type selection when using GitHub/GitLab Apps (#8934, fixes #8917)
  • Fixed deployment authorization endpoint returning incorrect 404 errors (#8931, fixes #8925)
  • Fixed shared variables not resolving in Docker Compose environments (#8930, fixes #8918)
  • Fixed SSH keys not being used for git submodule and LFS operations (#8933, fixes #8895)
  • Added support for scoped npm packages in file path validation (#8928, fixes #8924)

Improvements

  • Added log filtering capability based on log level in deployment logs (#8784)

What's Changed (Github)

Full Changelog: v4.0.0-beta.467...v4.0.0-beta.468

  •  
  • ↗️
↗️

v4.0.0-beta.467

βœ‡Coolify
Door: andrasbacsai

What's Changed

Security & Fixes

  • Fixed command injection vulnerability in health check commands (#8898)
  • Added path validation to prevent command injection in file locations
  • Fixed environment variables being overwritten when changing service domains (#8915, fixes #8912)
  • Fixed Nixpacks deployment failures when application has no domain set (#8902, fixes #6830)
  • Fixed resource deletion failing silently in the danger zone (#8909, fixes #8836)
  • Fixed scheduled task input fields losing focus while editing (#8654, fixes #8647)
  • Added docker_cleanup parameter to API stop endpoints (#8899, fixes #7758)

Improvements

  • Added GitLab source integration with SSH deploy keys and HTTP basic auth (#8910, fixes #5295)
  • Added database-backed proxy config storage with automatic recovery and versioned backups (#8905, fixes #7178)
  • Added server metadata collection and display

What's Changed

  • fix(security): sanitize newlines in health check commands to prevent RCE by @andrasbacsai in #8898
  • fix: prevent scheduled task input fields from losing focus by @sharkcreep87 in #8654
  • fix(api): add docker_cleanup parameter to stop endpoints by @andrasbacsai in #8899
  • fix(deployment): filter null and empty environment variables from nixpacks plan by @andrasbacsai in #8902
  • feat(proxy): add database-backed config storage with disk backups by @andrasbacsai in #8905
  • fix(livewire): add error handling and selectedActions to delete methods by @andrasbacsai in #8909
  • feat(git-sources): add GitLab integration and URL encode credentials by @andrasbacsai in #8910
  • fix(parsers): use firstOrCreate instead of updateOrCreate for environment variables by @andrasbacsai in #8915
  • v4.0.0-beta.467 by @andrasbacsai in #8911

New Contributors

Full Changelog: v4.0.0-beta.466...v4.0.0-beta.467

  •  
  • ↗️
↗️

v4.0.0-beta.466

βœ‡Coolify
Door: andrasbacsai

What's Changed

Security & Fixes

  • Prevent command injection via base64-encoding log drain environment variables
  • Prevent command injection via git reference validation
  • Add sentinel token validation to prevent command injection
  • Require write permission for API validation endpoints
  • Prevent false container exits on failed docker queries (#8860)
  • Track last_online_at and reset database restart state
  • Preserve user-saved environment variables on Docker Compose redeploy (#8894)
  • Fix build-time environment variables breaking Next.js (#8890)
  • Prevent command injection in developer view shared variables (#8889)
  • Make confirmation modal close after dispatching Livewire actions (#8892)
  • Respect keep for rollback setting for Nixpacks build images (#8859)

Dependencies

  • Bump rollup from 4.57.1 to 4.59.0 (#8691)
  • Bump league/commonmark from 2.8.0 to 2.8.1 (#8793)

What's Changed

Full Changelog: v4.0.0-beta.465...v4.0.0-beta.466

  •  
  • ↗️
↗️

v4.0.0-beta.465

βœ‡Coolify
Door: andrasbacsai

What's Changed

Security & Fixes

  • Fixed WebSocket connection and host authorization issues in terminal (#8862, fixes #8856)
  • Fixed environment variable parser capturing trailing braces in bash-style defaults (#8855, fixes #8851)
  • Fixed confirmation modal staying open after database import/restore (#8697, fixes #8689)
  • Fixed nginx.conf mounting error in development mode (#8662)
  • Fixed docker-compose deployment with custom start commands and preserveRepository setting (#8848, fixes #8417)
  • Fixed preview deployment page visibility for deploy key applications (#8579)

Improvements

  • Added configurable timeout for public database TCP proxy connections (#8673, fixes #7743)

What's Changed

  • fix: enable preview deployment page for deploy key applications by @mauritsderuiter95 in #8579
  • fix(docker-compose): respect preserveRepository setting when executing start command by @andrasbacsai in #8848
  • fix(proxy): mounting error for nginx.conf in dev by @Cinzya in #8662
  • feat: add configurable proxy timeout for public database TCP proxy by @brendanlim in #8673
  • fix(database): close confirmation modal after database import/restore by @devrim-1283 in #8697
  • fix(env-parser): capture clean variable names without trailing braces in bash-style defaults by @andrasbacsai in #8855
  • fix(terminal): resolve WebSocket connection and host authorization issues by @andrasbacsai in #8862
  • v4.0.0-beta.465 by @andrasbacsai in #8853

New Contributors

Full Changelog: v4.0.0-beta.464...v4.0.0-beta.465

  •  
  • ↗️
↗️

v4.0.0-beta.464

βœ‡Coolify
Door: andrasbacsai

What's Changed

Security & Fixes

  • Fixed SSH command injection vulnerability (#8748)
  • Resolved 419 session errors with Cloudflare Tunnels and domain-based access (#8749, fixes #5404)
  • Fixed SSH directory permission issues during upgrades (#8635, resolves #6621)
  • Added SSH directory permission auto-fix for new installations (#8635)
  • Prevented command injection in certificate handling via base64 encoding (#8617)
  • Hardened Docker command execution with centralized escaping (#8615)
  • Prevented command injection in health check commands (#8611)
  • Fixed cross-tenant IDOR vulnerability in resource cloning (#8613)
  • Added IPv6 CIDR support for API access IP allowlist (#8750, fixes #8729)
  • Fixed proxy initialization with IPv6 networks on Docker 25+ (#8703, fixes #8649)
  • Fixed CSRF redirect loop during 2FA authentication (#8596)
  • Corrected API permission requirements for POST endpoints (#8600)
  • Added team authorization checks to domains_by_server API (#8616)
  • Fixed Cloudreve service data persistence across restarts (#8740)
  • Fixed Ente Photos join link configuration (#8727)
  • Fixed application rollback to use correct commit SHA (#8576)
  • Fixed deployment detection for BuildKit and secrets (#8565)
  • Resolved team lookup for service relationships (#8559, fix #8431)
  • Added webhook notification status validation (#8557, fix #8448)
  • Fixed deploy key handling when private_key_id is zero (#8563, fixes #8562)
  • Fixed Redis/KeyDB config permissions with custom configurations (#8561, fix #8539)
  • Fixed password field UI flash before Alpine.js initialization (#8599, closes #8592)
  • Fixed GlitchTip webdashboard loading issue (#8249)
  • Fixed Grist service template configuration (#8384)
  • Fixed API documentation schema references (#8239, closes #8229)

New Services & Templates

  • Added Pydio Cells service (#8323)
  • Added Sure service (#8157)
  • Added Spacebot service with custom logo support (#8427)
  • Updated N8N templates to 2.10.2 (#8679)
  • Upgraded Beszel and Beszel Agent to v0.18 (#8513)
  • Disabled Plane service in template suite (#8580)
  • Disabled Pterodactyl Panel and Wings from service templates (#8512)
  • Disabled Minio Community Edition from service templates (#8686)
  • Disabled Maybe service in template suite (#8167)

Features & Improvements

  • Added refund and cancellation management for subscriptions (#8637)
  • Added comment field support to environment variables (#7269, fix #7239)
  • Added command-based health check support for services (#8612)
  • Added scheduled job monitoring dashboard (#8433)
  • Added scheduled tasks CRUD API with authentication and validation (#8428)
  • Made Horizon max time configurable (#8560, fix #8435)
  • Fixed Soketi host binding for IPv6 support (#8619, closes #8584)
  • Fixed scheduler self-healing for stale Redis locks with UI detection (#8618, fixes #8327)
  • Fixed Traefik service label handling for force HTTPS (#8550)
  • Improved security by hardening deployment paths and deploy abilities (#8549)
  • Fixed queue timeout handling in Horizon gracefully (#8360)
  • Fixed missing status variable in Hetzner status checks (#8359)
  • Fixed container filtering in push server job (#8361)
  • Improved proxy error handling on port allocation failure (#8362)
  • Enhanced SSH error tracking with proper Sentry scoping (#8363)

UI & Developer Experience

  • Added container labels header to UI (#8752)
  • Improved project heading navigation spacing (#8564)
  • Fixed datalist border color and added repository selection watcher (#8240)
  • Fixed Docker Compose force HTTPS preference behavior (#8424)
  • Migrated test suite to SQLite in-memory with Pest browser testing (#8364)

  •  
  • ↗️
↗️

v4.0.0-beta.463

βœ‡Coolify
Door: andrasbacsai

Changes

  • feat(database): add official postgres 18 and pgvector 18 support -> You could always change the database image and volume mount path manually and achieve unofficial support that is why this was not added faster
  • feat(ui): add postgres 16 to the UI
  • feat(ui): improve global search with uuid and pr support
  • feat(installer): add tencentos as a supported os
  • feat(service): upgrade checkmate to v3 with all the necessary changes
  • feat(service): upgrade listmonk to v6 with all the necessary changes
  • feat(service): upgrade formbricks to v4 with all the necessary changes
  • feat(service): update pterodactyl version
  • fix(backup): postgres restore arithmetic syntax error
  • fix(validation): add @, / and & support to names and descriptions
  • fix(api): infinite loop with github app with many repos
  • fix(parser): replace dashes and dots in auto generated envs
  • fix(labels): make sure name is slugified
  • fix(ui): make tooltips a bit wider
  • fix(ui): modal issues
    • tooltips can not extend outside the modal causing a scrollbar to appear
    • modals are to wide
    • remove unused minWidth and maxWidth props
  • fix(ui): horizontal overflow on application and service headings
  • fix(validation): enforce url validation for instance domain
  • fix(service): autobase database is not persisted correctly
  • fix(service): supabase studio settings redirect loop
  • fix(service): disable supabase kong response buffering and increase timeouts which fixes large file downloads
  • fix(service): reactive-resume template
    • pinned to v4.3.7 instead of latest (solution provided by #8045 author)
    • added healthchecks for reactive resume and chrome service
  • fix(service): allowed hosts and image version problems with strapi
    • automatically generate vite.config.js with the strapi FQDN
  • fix(service): bluesky pds invite code doesn't generate
  • fix(service): bugsink login fails due to cors
  • fix(service): forgejo login failure
  • fix(service): rocketchat fails to start due to database version incompatibility
  • fix(service): kimai fails to start due to the healthcheck ip not being in the trusted hosts
  • fix(service): activepieces postgres 18 volume mount
  • fix(service): users unable to create their first ente account without SMTP
  • fix(service): seaweedfs logo
  • fix(service): soju svg
  • chore(service): use major version for openpanel
  • build: upgrade postgres client to fix build error
  • refactor(services): improve some service slogans
  • docs(api): improve compose app endpoint deprecation description

New Services

  • added openclaw template
  • added langflow template
  • added bento-pdf
  • added alexandrie template
  • added goatcounter template
  • added satisfactory game server
  • added back soketi-app-manager

Issues

What's Changed (by Github)

New Contributors

Full Changelog: v4.0.0-beta.462...v4.0.0-beta.463

  •  
  • ↗️
↗️

v4.0.0-beta.461

βœ‡Coolify
Door: andrasbacsai

Changes

  • feat(service): add service database restore/import support
  • feat(api): add url update support to services api
  • feat(api): add more allowed fields to application api endpoints
    • added dockerfile_location as it is needed for Dockerfile deployments to work properly
    • added is_spa which can be used together with is_static
    • added is_auto_deploy_enabled and is_force_https_enabled
  • feat(api): allow to escape special characters in labels
  • feat(api): add tag filtering on the applications list endpoint
  • feat(api): improve docker_compose_domains with conflict checking and force_domain_override support
  • feat(notifications): add mattermost notifications (an open source slack alternative)
  • feat: add application logs link to preview deployments PR comment
  • feat(magic): add LOWERCASEUSER as magic variable which are sometimes required e.g. as docker registry username
  • feat(ui): show server name on resource card
  • feat(ui): improve sidebar menu items styling
  • feat(install): add postmarketos to the supported distributions
  • feat(ui): make git repository dropdown searchable
  • feat(service): upgrade n8n template to v2 with all the necessary changes
  • feat(service): upgrade trigger.dev template to v4 with all the necessary changes
  • feat(service): upgrade uptime kuma to version 2 with all the necessary changes
  • feat(service): upgrade docker registry template to v3 with all the necessary changes
  • feat(service): upgrade postgresus to databasus
  • feat(service): improve matrix templates by adding postgres and improving naming
  • feat(service): add healthchecks to evolution-api service
  • feat(services): update authentik
  • feat: allow more characters specifically Unicode alpha-numeric characters contained in \p{L}, \p{M}, \p{N} when validating while still not allowing any unsafe characters
  • feat(lang): add missing chinese translation keys
  • feat(lang): update portuguese language keys
  • feat(ui): add port mapping format to helper and fix typo
  • perf: optimize destinationsByServer query
  • fix(env): environment variable sorting not working
  • fix(git): trigger deployments when watch paths is empty and not just when they are null
  • fix(backup): database restores with custom db name with backup all databases not working
  • fix(logdrain): use deployment server and not build server settings
  • fix(service): twenty template and enable it again
  • fix(docker): use dynamic OS ID for ubuntu based OSs to use the correct Docker repository URL
  • fix: instance public ips initialization validation
  • fix: cast docker version to int for proper comparison
  • fix: making the db public does not instant save the port
  • fix(log): preserve leading whitespace in logs
  • fix(logs): remove hardcoded 2000 line limit
  • fix(api): remove incorrect uuid format from cuid2 parameters in openapi spec
  • fix(api): applications post and patch endpoints
    • remove docker_compose_raw from post and patch endpoints, as the compose file is sourced from git and should not be manually settable via the api
    • improve the documentation for docker_compose_domains (URLs)
    • enhanced array validation for docker_compose_domains by validating each array field and verifying which fields are allowed
    • set a custom array validation error message, as the default message is not really clear
    • show an error if the user attempts to set domains when the build pack is dockercompose
    • validate that the domains in docker_compose_domains are proper URLs and include a valid scheme (http or https)
  • fix(api): include docker_compose_domains in domain conflict check via Application::ownedByCurrentTeamAPI
  • fix(api): is_static and connect_to_docker_network fields where not updating on some endpoints
  • fix(api): if domains field is empty clear the fqdn column which allows to remove all URLs from the domains field
  • fix(api): check for domain conflicts within the current request
  • fix(api): deprecate application create compose endpoint as it is an unstable duplicate of the services endpoint
  • fix(api): one click service name and description cannot be set during creation
  • fix(api): create service endpoint validation and docs
    • if service type and docker_compose_raw is filled show an error
    • if service type is not valid show an error with all valid service types
    • remove enum from service type docs as it always gets outdated
  • fix(api): encoding checks for compose files, nginx configurations, dockerfiles, database configs and labels
    • switch from ASCII to UTF-8 to allow special characters, emojis and more
  • fix(api): remove environments from projects API endpoint docs
  • fix(api): docs for bulk env update response
  • fix: APP_NAME env in development
    • using a different APP_NAME for development might seem like a good idea but it is annoying and causes issues when debugging, especially with Redis as it is used as the key prefix
  • fix(preview): docker compose preview URLs
  • fix: 404 on /settings for root user on cloud instance
  • fix(ui): empty network destinations when cloning a resource
  • fix(ui): instance public ips ui validation
  • fix(ui): images inside coolify changelog
  • fix(ui): domain input whitespace trimming in instance settings
  • fix(ui): change password visibility eye icon based on state
  • fix(ui): hide Already registered? button from the /register page when there are 0 users as clicking on it would just redirect you back to /register
  • fix(ui): improve volume mount warning for compose applications
  • fix(service): remove start command from unleash template
  • fix(service): add instagram envs to postiz template
  • fix(service): budibase worker envs
  • fix(service): correct POSTGRES_HOST in freshrss
  • fix(service): use fqdn for server host in sequin template
  • fix(service): wireguard easy host to use fqdn
  • fix(service): signoz metrics env
  • chore(deps): update composer and node dependencies
  • chore(docker): add healthchecks to dev services
  • chore(service): update weblate service
  • chore(service): update rybbit service
  • chore(service): improve mosquitto template
  • refactor(service): remove unused envs from hoppscotch
  • refactor(api): remove old stale domains update code from services endpoints
  • refactor(api): update application create endpoints docs to specify that Dockerfile and Docker Image deployment type are without git
  • refactor(api): application urls (domains) validation
    • rename fqdn to urls as that is what it actually is
    • improve URL validation to allow urls without a TLD
    • improve error messages to make it clear that URLs are needed
    • improve code by combining some actions
  • docs(api): improve domains API docs
  • docs(api): make docker_compose_raw description more clear

Security Fixes

  • fix(env): only cat .env file in development to not expose all ENVs in deployment logs
  • fix(env): only show final nixpacks plan variables section in development to not expose all ENVs in deployment logs

New Services

  • added seaweedfs template
  • added uptime kuma v2 with mariadb and mysql
  • added autobase template
  • added sftpgo template
  • added esphome template
  • added linkding and linkding plus template
  • added open archiver template
  • added cloudreve template
  • added booklore template
  • added sessy template
  • added chibisafe template
  • added mage-ai template
  • added TrailBase template
  • added calibre web automated with downloader template
  • added silverbullet template
  • added nocobase template
  • added hatchet template
  • added redmine template
  • added glpi template

Issues

What's Changed (Github)

New Contributors

Full Changelog: v4.0.0-beta.460...v4.0.0-beta.461

  •  
  • ↗️
↗️

v4.0.0-beta.462

βœ‡Coolify
Door: andrasbacsai

Optimize queries, views with caches and prevent N+1 queries.

tldr: some views are faster

  •  
  • ↗️
↗️

v4.0.0-beta.460

βœ‡Coolify
Door: andrasbacsai

What's Changed

Fixes

  • Fix back navigation in global search resource selection (#7798, fixes #7739)
  • Fix restart count not resetting when manually stopping resources (#7784)
  • Fix Traefik proxy UI refresh timing issue after version update (#7783, fixes #7732)
  • Fix build pack UI reactivity when switching between build packs (#7780)
  • Fix upgrade modal loading indicators visibility in light mode (#7770)
  • Fix broken hyperlinks to Sentinel page on metrics pages (#7752)
  • Fix terminal sudo access for non-root users to access Docker socket
  • Fix Keydb and Redis configuration using base64 encoding instead of temp files
  • Fix 30-day metrics interval page freeze with data downsampling (#7787)

Improvements

  • Add SPA navigation helper for smoother page transitions
  • Refactor application general settings view for improved maintainability

What's Changed (Github)

Full Changelog: v4.0.0-beta.459...v4.0.0-beta.460

  •  
  • ↗️
↗️

5.3.2-beta.0

βœ‡UpSnap
Door: github-actions[bot]

Note

UpSnap is, and always will be, free and open source software.

If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.

The official and only trusted source for UpSnap is this repository (and its linked releases).
Do not pay third parties for something that is provided here for free.

Changelog

Bug fixes

Others

  •  
  • ↗️
↗️

Minecraft 26.1-rc-3 (snapshot) Released

βœ‡Minecraft
26.1 Release Candidate 3 (known as 26.1-rc-3 in the launcher) is the third and final release candidate for Java Edition 26.1, released on March 23, 2026. Full changelog: https://minecraft.wiki/Java_Edition_26.1-rc-3
  •  
  • ↗️
↗️

Distribution Release: ML4W OS 2.12.0

βœ‡DistroWatch
Door: distro@distrowatch.com
The DistroWatch news feed is brought to you by TUXEDO COMPUTERS. Stephan Raabe has published a new version of ML4W OS, an Arch Linux-based distribution featuring a heavily customised Hyprland tiling compositor and with advanced configuration of Hyprland using its "dotfiles". The new release, version 2.12.0, delivers a new Welcome App, several new keybindings and a variety of minor....
  •  
  • ↗️
↗️

BookStack v26.03.2

βœ‡BookStack
Door: ssddanbrown

Security Release

This is a security release to address a vulnerability where the registration form could be manipulated to gain access to additional roles.

Upgrade is very strongly advised if your instance has user registration enabled.

Thanks to Kwonyong Lee (LinkedIn) for responsibly reporting this issue.
Also thanks to Boustani OSAMA (LinkedIn) for also reporting this before public announcement.

Full List of Changes

  • Updated user creation to only use validated input from registration.
  • Updated PHP package versions.
  • Updated translations with latest Crowdin changes. (#6064)
  • Updated PHP_CodeSniffer repository link. Thanks to @rodrigoprimo. (#6060)
  • Updated WYSIWYG editors to have consistent collapsible block double click behavior. (#6059)

  •  
  • ↗️
↗️

dothidden

βœ‡Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

recent important news

πŸ§ͺ new features

  • #1351 add .hidden support (thx @NecRaul!) beb634d 134e378
    • cosmetic filter to exclude specific files from directory listings by adding their filenames to a textfile named .hidden similar to many linux desktop file managers
    • the files are still easily available from various APIs; this is not a security feature, just a way to keep things neat and tidy
  • #1381 thumbnail pregeneration 7d6b037
  • shares: now possible to grant the . permission to see dotfiles 66f9c95

🩹 bugfixes

  • #1372 #1333 no thumbnails if the server OS was too old to have JXL support and the webbrowser was asking for JXL 1afe48b
  • #1363 new-version alert would only appear if the visitor had the Admin permission in the webroot specifically; now A in any volume is sufficient 6eb4f0a
  • 66f1ef6 should have blocked mkdir too and now it does (thx @restriction!) ac60a1d
  • setting the nohtml or noscript volflags on the webroot would break the web-UI eb028c9
  • shares: the -ed global-option did not make dotfiles visible in shares 66f9c95
    • the dots volflag still doesn't, but that one is intentional

πŸ”§ other changes

  • tried to stop libvips from gobbling up ram while creating jxl thumbnails; didn't really work abdbd69
    • jxl support in libvips is now default-disabled unless the libc is musl and the allocator is mallocng, which means alpine linux
      • in other words, libvips is still fully enabled in the iv and dj docker images if you do not enable mimalloc
    • all other deployments will now have slightly slower jxl thumbnail generation by using ffmpeg instead (it's fine really)
      • new global-option --th-vips-jxl lets you force-enable it if you dare
  • volflags nohtml and noscript now available as global-options --no-html and --no-script 5f3b76c
    • and the -ss paranoia option now also enables --no-html --no-readme --no-logues
  • --flo 2 now removes colors from logfiles even if -q is not set 8c6d8a3
  • update dompurify to 3.3.3 6a9e6da
  • docs:

🌠 fun facts

πŸ’Ύ what to download?

download link is it good? description
copyparty-sfx.py βœ… the best πŸ‘ runs anywhere! only needs python
copyparty-en.py βœ… also good same but english-only, no i18n
a docker image it's ok good if you prefer docker πŸ‹
copyparty.exe ⚠️ acceptable for win8 or later; built-in thumbnailer
u2c.exe ⚠️ acceptable CLI uploader as a win7+ exe (video)
copyparty.pyz ⚠️ acceptable similar to the regular sfx, mostly worse
copyparty-en.pyz ⚠️ acceptable english-only, no smb-server
copyparty32.exe ⛔️ dangerous for win7 -- never expose to the internet!
cpp-winpe64.exe ⛔️ dangerous runs on 64bit WinPE, otherwise useless
bootable usb ┐(οΎŸβˆ€οΎŸ)β”Œ a surprisingly useful joke (x86_64)
  • except for u2c.exe, all of the options above are mostly equivalent
  • the zip and tar.gz files below are just source code
  • python packages are available at PyPI

  •  
  • ↗️
↗️

DistroWatch Weekly, Issue 1165

βœ‡DistroWatch
Door: distro@distrowatch.com
The DistroWatch news feed is brought to you by TUXEDO COMPUTERS. This week in DistroWatch Weekly:
Review: Argent Linux 1.5.3
News: Manjaro team goes on strike, AlmaLinux improves NVIDIA driver support and introduces RISC-V packages, systemd introduces age tracking
Questions and answers: Disk space required by Linux
Released last week: Peropesis 3.2, Asahi Linux 43, Parted Magic 2026_03_20, Emmabuntus DE6-1.01, antiX 26,....
  •  
  • ↗️
❌