• Milestone

This is a major release.

Feature highlights✨:

• New sort order preferences at global, category, and feed levels
• Use feed-provided icon
• New option to hide sidebar by default
• Show time since when a feed has problems
• New functions to handle plural in internationalisation
• New cli/purge.php to apply purge policy from command line

Bug fixes highlights 🐛:

• Improve support of PHP 8.5+
• Several fixes related to searches

Security highlights 🛡:

• Limit cURL to protocols HTTP, HTTPS

UI highlights 🖼:

• Improve mobile view with multiple lines when thumbnails and summaries are shown
• Several themes improved

Extensions highlights 🧩:

• New Webhook extension for automated RSS notifications
• New LLM Classification extension to automatically tag incoming articles based on a prompt sent to an LLM

This release has been made by @Alkarex, @Inverle, @Kiblyn11, @math-GH, @rupakbajgain, @xtmd and newcomers @polybjorn, @olivluca, @tomasodehnal, @PeterVavercak, @mrtnrdl, @ale-rt, @cweiske, @rid3r45, @gabbihive, @drosell271, @Kachelkaiser, @zanivann, @nanos, @bowencool, @pe1uca, @matheusroberson, @DenuxPlays, @rlrs, @chanse-syres, @IEEE-754, @umaidshahid, @michi-onl

Full changelog:

• Features
  • New sort order preferences at global, category, and feed levels #8234
  • New filtering by date of Server modification date #8131, #8576
    • Corresponding search operator, e.g. mdate:P1D for finding articles modified by the author / server during the past day.
    • Especially useful for optimising the API synchronisation.
  • Use feed-provided icon #8633
  • New option to automatically mark new articles as read if an identical GUID already exists in the same category #8673
  • Automatic feed visibility/priority during search #8609
  • Add feed visibility filter to statistics view unread dates #8489
  • Add option to enable/disable notifications, also for PWA #8458
  • Add a form to create new user queries on the User Queries page #8623
  • Allow WebSub hub push from same private network #8450
  • Support category field in JSON feed import #8786
• Bug fixing
  • Fix wrong search toString in case of regex-looking string #8479
  • Fix article last seen date in case of feed errors #8646
  • Fix search expansion with backslash #8497
  • Fix user query parsing #8543
  • Fix search in shared user queries #8789
  • Fix redirect to wrong view after mark as read in reader and global views #8552
  • Fix SQLite paging when sorting by article length #8594
  • Fix change sorting during paging #8688
  • Fix SQL keyset pagination when sorting by category name #8597
  • Fix SQL duplicates in the user labels when sorting randomly #8626
  • Fix wrong error redirect in subscription management #8625
  • Fix do not include hidden feeds when counting total number of unread articles #8715
  • Update user modify date when changing extensions UserJS / UserCSS #8607
  • Non-strict OPML export #eedefb
• Security
  • Limit cURL to protocols HTTP, HTTPS #8713
  • Better sanitise favicon URLs #8714
  • New setting for <iframe> referrer allow list #8672
  • Fix email validation and allow error page for unverified email users #8582
  • Add allowfullscreen to <iframe> #8467
  • Rewrite Set-Cookie using native PHP support of SameSite #8447, #8778
    • Sanitize lifetime of session cookies from session.cookie-lifetime in php.ini
  • Update to <meta name="referrer" content="no-referrer" /> from deprecated never #8725
  • Preventive measure against search ingestion #8777
• UI
  • New option to hide sidebar by default #8528
  • Improve mobile view with multiple lines when thumbnails and summaries are shown #8631
  • New option to disable unread counter in tab title and favicon #8728
  • Show time since when a feed has problems #8670
  • Improve add feed UI #8683
  • Improve slider behaviour when using navigate back button #8496, #8524
  • Improve consistency of slider behaviour after submitting form #8612
  • Create dynamic favicons from SVG instead of PNG canvas #8577, #8588
  • Only display scrollbar everywhere if there's an overflow (especially for Chromium) #8542
  • Fix CSS padding of .content pre code #8620
  • Fix wrong navigation buttons layout on Chromium #8606
  • Fix don’t mark as read if middle click is outside of article link #8553
  • More robust JS #8595
  • Fix sidebar slide animation at narrow viewports #8747
  • Visually dim disabled users in user management table #8768
  • Improve multiple UI themes #8711, #8732,
    #8733, #8734, #8735,
    #8736, #8737, #8738,
    #8739, #8743, #8746,
    #8749, #8761, #8781,
    #8784, #8785
  • Various UI and style improvements: #8537, #8538,
    #8541, #8624, #8731,
    #8774
• Deployment
  • Also push Docker images to GitHub registry #8669
  • Improve support of PHP 8.5+ using Pdo\Mysql #8526
  • Add support for Podman in Makefile #8456
  • Re-add database status in installation check #8510
  • Docker / CLI: Allow chown/chmod to fail with warning #8635
• Extensions
  • New Webhook extension for automated RSS notifications Extensions#456
  • New LLM Classification extension to automatically tag incoming articles based on a prompt sent to an LLM Extensions#458
  • New extension methods to get typed configuration values #8696
  • New hook: Minz_HookType::ActionExecute #8599, #8603
  • New hook to modify the list of feeds to actualize #8655, #8675
  • Allow passing Minz_HookType as hook name in registerHook() #8600
  • Return more info and status from httpGet() #8700
  • Make httpGet() cache nullable #8705
  • Allow extensions’ configuration UI to use select-input-changer JavaScript helper #8721
• SimplePie
  • Bump upstream #8628, simplepie#71
  • New function get_icon_url() for feed favicon simplepie#974
  • Fix Undefined array key in get_thumbnail() #8634, simplepie#970
  • Fix int types for enclosures #8702, simplepie#975
  • Fix HTTPS headers given to SimplePie, e.g. for some HTTP/2 cases #8742
• CLI
  • New cli/purge.php to apply purge policy #8740
• I18n
  • CLI validate language directory names #8767
  • New functions to handle plural, and new timeago() #8670
  • Improve German #8491, #8557, #8689,
    #8704
  • Improve Italian #8517, #8519, #8554,
    #8555, #8556, #8566
  • Improve Latvian #6553
  • Improve Polish #8536
  • Improve Portuguese #8649
  • Improve Simplified Chinese #8474, #8475, #8476
  • Improve Traditional Chinese #8709, #8716, #8723,
    #8730, #8748
  • Improve Spanish #8572
• Misc.
  • Initial conventions for AI agents and humans: AGENTS.md, SKILLS.md, instructions.md #8478
  • Update to CSSXPath 1.5.0 #8642
  • Update to PHPMailer 7.0.2 #8483
  • SQL improve PHP syntax uniformity #8604
  • Trim SQL whitespace before parenthesis #8522
  • Improve PHP code #8627, #8644, #8753,
    #8697
  • Add dev legacy rules PHPCS 3 #8645
  • Update dev dependencies #8469, #8480, #8499,
    #8545, #8546, #8547,
    #8617, #8638, #8660,
    #8661, #8662, #8663,
    #8664, #8665, #8666,
    #8667, #8668, #8685,
    #8752, #8754, #8755,
    #8756, #8757, #8758,
    #8772, #8798

Changelog

Bug fixes

• 1a60020: fix: binding_property_non_reactive (@seriousm4x)
• 19daaf8: fix: eager fetch on device card (@seriousm4x)

Others

• 91fe074: Add i18n el-GR (#1734) (@nikmak88)
• 6aa2345: build(deps): bump cookie from 0.6.0 to 1.1.1 in /frontend (@dependabot[bot])
• 9494c34: update deps (@seriousm4x)

1.6.3 (2026-05-08)

Features

• Mail: Lift 5-account cap on HTTP/2
• Mail: Import .eml files via folder right-click menu

Fixes

• Mail: Trim leading whitespace from email list preview
• Mail: Fall back when only the truncation indicator remains in email preview
• Mail: Hide files/contacts nav items when JMAP server lacks support
• Viewer: Preserve emoji colors in dark mode
• Viewer: Prevent white-on-white in dark mode for nested bgcolor containers
• Viewer: Render plain-text-only emails as text, not HTML
• Viewer: Render HTML-only emails and redesign external content prompt
• Viewer: Pad Word/Outlook HTML email rendering
• Compose: Redesign quick reply to match sender/banner layout
• Compose: Disable StarterKit's bundled link/underline to avoid duplicate extensions
• Sharing: Request shareWith explicitly so calendar/address book shares survive a re-login (#257)
• UI: Strip leading punctuation when computing avatar initials
• Mobile: Hide email hover actions

i18n

• Add missing translation keys across 15 locales

1.6.2 (2026-05-06)

Features

• Plugins: Hot-reload and dev-folder loading for live plugin development
• Plugins: On-demand src/ bundling via esbuild
• Plugins: New http:fetch permission and httpOrigins manifest field
• Plugins: onBeforeEmailSend hook with fromEmail exposed on OutgoingEmail
• Plugins: Project EmailReadView for the email-banner slot and expose auth results
• Plugins: Ingest icon, banner, and screenshots from the source repo
• Plugins: Restrict plugin and theme install/uninstall to the admin dashboard
• Mail: Multi-server JMAP support
• Settings: Fulltext search across the settings sidebar
• Settings: Sub-result rows with highlight in settings search
• Settings: Surface plugin settings as search sub-results
• Settings: Remove experimental tags from themes, plugins, and sender favicons
• Viewer: Redesigned external-mail banner above attachments
• Calendar: Calendar invitation banner expands on row click
• Calendar: Calendar invitation banner is now collapsible

Fixes

• Admin: Collapse admin panel into a single tabbed page
• Plugins: Inline plugin configure panel to avoid dev-mode hang
• Plugins: Resolve PLUGIN_DEV_DIR plugins in admin config route
• Plugins: Add missing body type assertion in createPluginAPI fetch options
• Plugins: Propagate settingsSchema
• Settings: Highlight plugin and theme cards in search results
• Settings: Open plugin card on first click of a setting sub-result
• Settings: Drop ghost sub-results from account and language search
• Settings: Improve search highlight styling
• Viewer: Show notification banners above attachments
• Viewer: Rework S/MIME banner to match calendar invitation
• Viewer: Close PDF preview on Escape before email viewer
• Viewer: Render PDF previews via <object> with blob: in object-src CSP (#253)
• Calendar: Align invitation icon with sender avatar column
• Calendar: Fix invitation picker clipping (#250)
• Auth: Read activeAccountId from authStore in account selectors
• UI: Adjust toast item border radius and progress bar styles
• UI: Remove fly-in animation from context menu submenus
• i18n: Add missing Czech flag icon

i18n

• Add missing translation keys across 15 locales

5.45.0 (2026-05-06)

🚀 New feature

• extended ctb api for plugins (ad7cb5d5d7)
• sort based on publish status (#25689)
• admin: api token supports admin permissions and admin user ownership (#25657)
• content-manager: add Zod 4 foundation utilities (#25574)

🔥 Bug fix

• issue with plugin content type uid (f768670d38)
• style issues (2f42e5fe44)
• opt out of the ct backup strategy for plugin content types (5936814932)
• build errors (520ecfc6d5)
• enforce minimum length (f2b6c2bcd0)
• prevent trailing ? in URL when params is empty object (#25724, #25900)
• dynamically update rate limit prefix key based on route (#24818)
• admin: clean up lazy component registration warnings (#25015)
• admin: type addMenuLink with optional Component for menu-only links (#26198)
• content-manager: prevent crash on detached DZ component (#26148)
• content-type-builder: preserve plugin CT identity in AI chat transform (0be48848fa)
• database: run cleanOrderColumns updates sequentially (#26134)
• database: run cleanOrderColumns updates sequentially (#26134)
• review-workflows: implement incremental loading in assignee dropdown (#25967)
• upload: sharp concurrency and cache leads to OOM (#26046)

❤️ Thank You

• Adrien L @Adzouz
• Andrei L @unrevised6419
• Ben Irvin
• Boaz Poolman
• DMehaffy
• Dominik Juriga @dominik-juriga
• guoyangzhen
• Jamie Howard
• markkaylor
• Nico André
• Niels Kaspers @nielskaspers
• Pierre Wizla
• Ziyi @butcherZ

Part-DB 2.11.1

Bug fixes

• Updated watchtower image in watchtower config example (#1363)
• Fixed problems of invalid links when AI Web Extractor encounters non-absolute links

Improvements

• Improved UserAgent randomizer for web scraper

Part-DB 2.11.0

New features

• Added AI powered website scraper to provide detailed part infos even from webshops with little structured data
• Added feature to force refresh of info provider search and results, and to skip delegation to specialized providers when using "create part from URL"
• Add Docker update support via Watchtower integration by @Sebbeben in #1330
• Add Quick Apply and batch update to bulk info provider import by @Sebbeben in #1316
• Add 'Add stock' button to part stock info page by @kernchen-brc in #1352
• Added 250 and 500 entry to table lengthes menus

Bug fixes

• Fix sort order after column reorder on page reload by @wschopohl in #1346
• Fixed error making editing of users impossible
• Fixed error with converting existing DB to postgresql database (#1362)
• Fixed error that original category were changed, if category cloned and eda info changed (#1341)
• Keep part table length selection across page loads (#1350)

Miscellaneous

• Updated dependencies
• Updated KiCad symbols and footprint list

Full Changelog: v2.10.0...v2.11.0

1.6.1 (2026-05-04)

Features

• Updates: Update-available detection with non-dismissible notice and dev-reload refresh
• Plugins: New plugin hooks for compose, attachments, search, lifecycle, and routing
• Sharing: Share indicators for calendars and contacts, updated JMAP capabilities (#244)
• Mail: Auto-add recipients to trusted senders when replying
• Identity: Sanitize identity display name to prevent invalid From headers

Fixes

• Mobile: Synchronize mobile submenu view with browser history for better navigation
• Viewer: Update email viewer styles to improve overflow handling
• Auth: Ensure cookieSlot consistency during account updates in auth store
• Auth: Thread per-account cookie slot through OAuth flows
• Calendar: Square the colored left marker on calendar events
• About: Show git commit in About instead of "unknown"

i18n

• Update mailbox context menu translations across 12 locales

1.6.0 (2026-05-01)

Features

• Deployment: Subpath deployment support via NEXT_PUBLIC_BASE_PATH environment variable
• Mail: Image attachment thumbnails and preview chips
• Mobile: Reworked mobile mail viewer toolbar
• Mobile: Mobile-friendly settings panel
• Mobile: Mobile-friendly admin panel
• Mail: Redesigned expanded details panel
• Mailbox: Show full path in mailbox context menu header with intelligent path shortening

Fixes

• Viewer: Respect per-email dark mode toggle when "always show in light mode" is on
• Navigation: Scroll apps list in navigation rail to prevent overflow
• Context menu: Clamp submenu inside viewport
• Context menu: Prevent context menu from clipping below viewport
• Context menu: Prevent jump and animation on open
• Mail: Stop silently destroying emails when trash mailbox isn't found (#195)
• Mail: Preserve list scroll position when tagging an email
• Mail: Render below-header overflow popup outside clipped row
• Mail: Collapse below-header attachments to single row with overflow pill
• Push: Fix push preview JMAP query
• Tour: Navigate tour to mailbox when starting from another page
• i18n: Add useTranslations for "selected emails" and "cancel" on email list batch operations

i18n

• Translate SPF/DKIM/DMARC tooltips
• Add missing keys across 14 locales

1.5.4 (2026-05-01)

Features

• PWA: Web push notifications for new inbox mail (#233), with click-through to open the message
• Composer: Insert and edit tables in rich-text emails (#236)
• Mail: Configurable sub-addressing delimiter character (#239)
• i18n: Turkish localization
• i18n: Missing keys filled in across 15 locales

Fixes

• Mail: Set In-Reply-To and References headers on replies (#234)
• Mail: Persist htmlBody in drafts to preserve rich formatting (#236)
• Auth: Pin JMAP auth verification to the configured server URL (#237)
• Auth: Evict unrecoverable basic-auth accounts on reload
• Notifications: Scope new-mail notifications to genuine inbox deliveries
• Notifications: Extend PushVerification timeout and clean up leftover subscriptions
• Viewer: Smooth out body load to prevent flicker on first render
• Viewer: Prevent iframe flash when loading images or trusting the sender
• Viewer: Pad bare HTML emails like plain-text mails for consistent layout
• Viewer: Light-mode override now only affects body content
• Viewer: Detect <style> tag when applying padding
• Viewer: Drop iframe border-radius
• Calendar: Localize event start date in detail popover and event modal
• Dev: Include http protocol in connect-src for development mode CSP

✨ New Features & Improvements

• @directus/app
  • Updated the token field on the user detail page to require confirmation before regenerating or removing a token, and saved those changes immediately without requiring a page-level save. (#27108 by @LZylstra)
• @directus/api
  • Added opt-in must-revalidate and ETag headers for assets via ASSETS_CACHE_REVALIDATE env var (#27027 by @gaetansenn)
  • Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)
• @directus/env
  • Added opt-in must-revalidate and ETag headers for assets via ASSETS_CACHE_REVALIDATE env var (#27027 by @gaetansenn)
• @directus/sdk
  • Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed UI freeze when navigating items with WYSIWYG translations for non-admin users (#27154 by @gaetansenn)
  • Fixed selection not being cleared after running a manual flow from the collection list view sidebar (#27330 by @kropsi)
  • Fixed "Save as copy" in the file library throwing a 403 Forbidden error (#27181 by @sanskar-soni-9)
  • Fixed user token not being displayed after generation when collaboration is enabled (#27319 by @LZylstra)
  • Prevented filter popup being closed when reordering filters (#27324 by @HZooly)
  • Fixed icon flash in navigation sidebar for bookmarks without an icon (#27329 by @HZooly)
  • Migrated @directus/visual-editing into the monorepo (#27157 by @formfcw)
• @directus/api
  • Removed duplicate @directus/schema-builder dependency (#27166 by @ComfortablyCoding)
  • Bumped basic-ftp, liquidjs, xmldom, protobufjs, vite dependencies (#27335 by @br41nslug)
  • Fixed flows not awaiting reload (#27137 by @Nitwel)
  • Fixed VERSION_SAVE activity/revisions not respecting collection tracking settings (#27096 by @yogeshwaran-c)
  • Denied creating collections with / in name (#27114 by @costajohnt)
• @directus/types
  • Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)
• @directus/visual-editing
  • Migrated @directus/visual-editing into the monorepo (#27157 by @formfcw)
  • Fixed the edit handler firing twice when clicking an overlay button directly (#27157 by @formfcw)
• @directus/utils
  • Migrated @directus/visual-editing into the monorepo (#27157 by @formfcw)
• @directus/sdk
  • Fixed SDK types linking to directus_access junction collection (#27152 by @yogeshwaran-c)
• @directus/composables
  • Fixed useShortcut attempting to access document before available (#27155 by @ComfortablyCoding)

📦 Published Versions

• @directus/app@15.10.0
• @directus/api@35.2.0
• @directus/composables@11.4.1
• create-directus-extension@11.0.36
• @directus/env@5.8.0
• @directus/extensions@3.0.25
• @directus/extensions-registry@3.0.26
• @directus/extensions-sdk@17.1.4
• @directus/memory@3.1.8
• @directus/pressure@3.0.22
• @directus/schema-builder@0.0.20
• @directus/storage-driver-azure@12.0.22
• @directus/storage-driver-cloudinary@12.0.22
• @directus/storage-driver-gcs@12.0.22
• @directus/storage-driver-s3@12.1.8
• @directus/storage-driver-supabase@3.0.22
• @directus/themes@1.3.3
• @directus/types@15.0.3
• @directus/utils@13.4.1
• @directus/validation@2.0.23
• @directus/visual-editing@2.0.1
• @directus/sdk@21.3.0
• @directus/sandbox@0.0.0

Security Release

• Update Instructions
• Update details on blog

This is a security release to improve attachment related permission checks, and URL validation for webhooks.

Upgrade is advised if you allow untrusted users to delete attachments, or if untrusted users have permission to create webhooks on instances which make use of the ALLOWED_SSR_HOSTS BookStack env file option.

Thanks to 404_pkj (GitHub) and naruhodoowl (GitHub) for responsibly reporting these issues.

Full List of Changes

• Updated PHP package versions.
• Updated attachment actions to align page access check.
• Updated URL validation in webhooks to help prevent escaping workarounds.
• Fixed issue where exact search term negation would lead to no results. (#6121)

5.44.0 (2026-04-29)

🚀 New feature

• deploy to cloud homepage widget (#25774)

🔥 Bug fix

• add responseType to getFetchClient for non-JSON responses (#25974)
• prevent browser defaults for Ctrl+I and other modifier shortcuts in Firefox (#26050)
• contain absolute descendants in OverflowingItem (#26133)
• content-manager: prevent duplicate React key in homepage recent-documents widget (#26084)
• content-manager: optimize document layout hooks (#26005)
• database: make 5.0.0-02-created-document-id migration idempotent (#26045)
• document-service: support delete selection params (#25097)
• document-service: preserve self-referential relations during publish and discard (#25890)
• document-service: discard-draft 500 on self-referential manyToMany relations (#26152)
• i18n: preserve non-localized media when creating a locale (#26031)
• openapi: documentation plugin generates OpenAPI with incorrect ID parameter (#26067)
• review-workflows: pass locale params to useDocument in StageSelect and AssigneeSelect (#26104)
• types: align Service.Generic index signature with Controller.Generic (#25475)

📚 Documentation Changes

• add AGENTS.md universal agent guide (#26018)

⚙️ Chore

• release v5.43.0 update develop (#26100)
• upgrade contributor docs dependencies (#26073)
• deps: bump multiple dependencies (#26103)
• deps: bump @xmldom/xmldom from 0.8.12 to 0.8.13 (#26098)
• deps: bump and dedupe pinned subdeps (#26139)
• examples: migration performance benchmark harness + mariadb/sqlite + anti-pattern schemas (#26036)
• scripts/release: fix experimental peer dependencies install (#26083)

💅 Enhancement

• add ESM syntax support for Vite .mts config file (#25238)
• i18n: improve Russian translations of tours section in admin package (#25221)
• translations: update czech translations (#25824)

❤️ Thank You

• Adrien L @Adzouz
• akash-dabhi-qed @akash-dabhi-qed
• Ayoub Hidri @ayhid
• Bassel Kanso @Bassel17
• Ben Irvin
• DMehaffy
• Filip Ónodi @fonodi
• Jamie Howard @jhoward1994
• Kellen Bolger
• Laurens Kling @laurenskling
• Leonid Vinogradov
• Nico André
• otociulis @otociulis
• Simon Norris @cache-your-dreams
• Ziyi @butcherZ

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.04.28

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.04.28

Changes

• allow filtering out members-only videos in subscriptions (closes #971) (5d96a58)

1.5.3 (2026-04-28)

New: Help shape Bulwark Webmail. Each instance now sends a lightweight daily heartbeat (version, platform, bucketed account counts, feature toggles - never message data or PII) so we can see which platforms and features actually get used and prioritize fixes where they matter most. You're in control: opt out any time from Admin → Telemetry or by setting BULWARK_TELEMETRY=off. Full schema in the privacy notice.

Features

• Telemetry: Anonymous instance telemetry, on by default. Reports schema version, platform, bucketed account counts, and feature toggles only - disable from the admin UI, with BULWARK_TELEMETRY=off, or by clearing the endpoint
• Telemetry: Track unique logins (HMAC'd per instance, 90-day retention) so the heartbeat can report bucketed account totals without storing usernames
• Plugins: Theme API v2 with token compiler and skin slot
• Plugins: Extension preview page and detailed extension info API
• Calendar: Right-click context menu on empty calendar space
• Docker: Persistent named volume for telemetry data so the instance id and admin's consent choice survive container upgrades

Fixes

• Security: Block telemetry endpoint from pointing at internal/loopback hosts (validation + DNS-rebind re-check at fetch time)
• Security: Harden plugin config, TOTP token exchange, and branding file serving
• Mail: Batch shortcuts now act on the multi-selection when one is present (#228)

Bug fixes

• validation failed when creating git sync(d7a8bc1 by @kmendell)

Full Changelog: v1.18.0...v1.18.1

1.18.1

1.18.1

1.18.1

New features

• full control over prune options (#2372 by @kmendell)
• add UI to create and edit custom templates (#2351 by @mohamedhagag)
• add raw inspect tab to container detail view (#2368 by @GiulioSavini)
• universal environment dashboard (#2241 by @kmendell)
• add dedicated healthcheck tab for containers (#2384 by @kmendell)
• resource updates overview page (#2204 by @kmendell)
• add ability to deploy Docker Swarm stacks from Git repo with GitOps updates (#2412 by @SplinterHead)

Bug fixes

• handle deferred file close errors in docker build copy helper(3cdc1dd by @kmendell)
• datetime displays now respect the app's selected locale (#2366 by @GiulioSavini)
• guard volume file browser against non-mountable driver types (#2364 by @GiulioSavini)
• actually redeploy swarm stack when saving edits (#2365 by @GiulioSavini)
• set all api endpoints to use auth by default and explicitly remove auth for public endpoints (#2377 by @kmendell)
• add version label to environment cards (#2379 by @kmendell)
• always show save button on template pages (#2402 by @GiulioSavini)
• fall back to user cache dir when /tmp is not writable (#2408 by @GiulioSavini)
• skip image update checks for services with build config (#2403 by @GiulioSavini)
• tolerate undefined env vars in GitSync compose validation (#2380 by @GiulioSavini)
• pin trivy digest to 0.70.0(686248c by @kmendell)
• null user_id for env bootstrap keys + H2 support for registry fetches (#2370 by @GiulioSavini)
• incorrect conversion of linux runtime identity types (#2410 by @kmendell)
• pre-create volumes with driver_opts before stack deploy (#2407 by @GiulioSavini)
• show host CPU/RAM in System Overview instead of Arcane container limits (#2343 by @GiulioSavini)
• compose update indicator not refreshing when a new image is pulled(e367e1f by @kmendell)

Dependencies

• bump github.com/jackc/pgx/v5 from 5.7.6 to 5.9.0 in /backend in the go_modules group across 1 directory (#2383 by @dependabot[bot])
• bump github.com/go-git/go-git/v5 from 5.17.2 to 5.18.0 in /backend in the go_modules group across 1 directory (#2388 by @dependabot[bot])
• bump github.com/docker/compose/v5 from 5.1.2 to 5.1.3 in /backend (#2398 by @dependabot[bot])
• bump charm.land/bubbletea/v2 from 2.0.2 to 2.0.6 in /cli (#2391 by @dependabot[bot])
• bump charm.land/lipgloss/v2 from 2.0.2 to 2.0.3 in /cli (#2390 by @dependabot[bot])
• bump github.com/getarcaneapp/arcane/types from 1.17.3 to 1.17.4 in /cli (#2392 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.14 to 1.19.15 in /backend (#2396 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.57.0 to 1.57.1 in /backend (#2400 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/config from 1.32.14 to 1.32.16 in /backend (#2401 by @dependabot[bot])
• bump to go 1.26.2(f01ce6c by @kmendell)
• bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 in /backend in the go_modules group across 1 directory (#2417 by @dependabot[bot])

Other

• remove useless assignment of bytes variables(7b610e3 by @kmendell)
• use specific cosign id token(a5fd68a by @kmendell)
• use specific cosign id token(369c7b8 by @kmendell)
• use non-interactive mode for cosign(53f286b by @kmendell)
• use manual cosign key(0995de3 by @kmendell)
• use cosign v3 syntax(1b5dd7b by @kmendell)
• simplify version info dialog(dbad484 by @kmendell)
• redesigned login screen (#2389 by @kmendell)
• use arcane/tools image for volume browser and trivy scans (#2409 by @kmendell)

Full Changelog: v1.17.4...v1.18.0

1.18.0

1.18.0

1.18.0

Bug fixes

• truncate long image refs in container table (#2318 by @GiulioSavini)
• project icons not loading when used with yaml/env aliases (#2324 by @kmendell)
• surface actual compose load error instead of generic 'no compose file found' (#2326 by @mkaltner)
• project max depth not working for filesystem discovery (#2325 by @kmendell)
• Locale selector background was inconsistent (#2348 by @RJMurg)
• light mode contrast for container stats CPU/memory monitor (#2344 by @GiulioSavini)
• keep project build context as container path so local builder can stat it (#2346 by @GiulioSavini)
• preserve webhook URL query params in generic notification provider (#2345 by @GiulioSavini)
• surface registry fetch errors in GET /templates/registries (#2355 by @GiulioSavini)
• detect provider-level failures in generic webhook notifications (#2356 by @GiulioSavini)
• skip gitops-managed projects in filesystem cleanup (#2354 by @GiulioSavini)
• Update Projects button only updates project containers (#2289 by @GiulioSavini)
• svelte reactivity issues in project editors (#2329 by @kmendell)
• send notification on single container update (#2357 by @GiulioSavini)

Dependencies

• bump github.com/mattn/go-runewidth from 0.0.22 to 0.0.23 in /cli (#2303 by @dependabot[bot])
• bump prettier from 3.8.1 to 3.8.2 (#2313 by @dependabot[bot])
• bump @codemirror/view from 6.40.0 to 6.41.0 (#2306 by @dependabot[bot])
• bump @sveltejs/kit from 2.55.0 to 2.57.1 in the npm_and_yarn group across 1 directory (#2327 by @dependabot[bot])
• bump extractions/setup-just from 3 to 4 (#2331 by @dependabot[bot])
• bump pnpm/action-setup from 5 to 6 (#2333 by @dependabot[bot])
• bump actions/github-script from 8 to 9 (#2330 by @dependabot[bot])
• bump github.com/coreos/go-oidc/v3 from 3.17.0 to 3.18.0 in /backend (#2334 by @dependabot[bot])
• bump github.com/getarcaneapp/arcane/types from 1.17.2 to 1.17.3 in /cli (#2332 by @dependabot[bot])
• bump @tanstack/svelte-query from 6.1.13 to 6.1.14 (#2336 by @dependabot[bot])
• bump golang.org/x/mod from 0.34.0 to 0.35.0 in /backend (#2335 by @dependabot[bot])
• bump svelte from 5.55.0 to 5.55.3 (#2338 by @dependabot[bot])

Other

• add missing permissions for attestations(8362f97 by @kmendell)

Full Changelog: v1.17.3...v1.17.4

1.17.4

1.5.2 (2026-04-27)

Features

• Plugins: New composer-sidebar slot and ui:composer-sidebar permission — plugins can now render a panel on either side of the New Message dialog. See repos/subway-surfers for an example
• Plugins: Manifests can declare frameOrigins — a strictly-validated list of https://host origins the plugin needs to embed. The proxy reads the union from enabled plugins and merges it into the host CSP frame-src, so the host CSP no longer needs to know about specific embed providers
• Calendar/Contacts: JMAP sharing for calendars and address books
• i18n: Czech language support

Fixes

• Security: Validate URLs before outbound fetch
• Calendar: Prevent drag creation on touch events in the time grid
• Contacts: Emit RFC 9553 name kinds and decode QUOTED-PRINTABLE in vCard import (#224, #187)
• Mail: Hide preview line in compact density to match settings preview (#223)
• Proxy: Inline matcher for Next.js proxy and drop unnecessary Node.js runtime config
• i18n: Portuguese fixes for "ficheiro" and "contactos" variants

Changelog

Others

• cc605ac: Added shutdown group (#1732) (@mabbas007)
• b297f3a: Format pending countdown as MM:SS (#1727) (@phuonganh2601)
• af655d3: build(deps-dev): bump vite from 7.3.1 to 7.3.2 in /frontend (@dependabot[bot])
• 6df1205: update deps (@seriousm4x)

Github Actions

• aabd8c1: gh-action: bump dependabot/fetch-metadata from 2 to 3 (@dependabot[bot])
• 24e218b: gh-action: bump pnpm/action-setup from 5 to 6 (@dependabot[bot])

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.04.26

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.04.26

Changes

• implement time-clipped downloads (closes #969, replaces #907) (4f83174)
• title filter for subscriptions (closes #968) (91ee831)
• Bump aquasecurity/trivy-action in the github-actions group (d89a5dd)

1.5.1 (2026-04-25)

Features

• Stalwart: OAuth auto-setup with dialog and validation for origin and issuer URLs
• Mail: Right-click context menu on the folders sidebar
• Mail: Replace folder prompt() calls with a proper modal dialog
• Calendar: Add 'Today' button to the desktop calendar toolbar
• Junk: Setting to show avatars in the Junk folder

Fixes

• Admin: Restore admin panel after Stalwart v0.16 REST API removal
• Viewer: Restore broken viewer toolbar actions and improve the mobile menu (#220)
• Folders: Stop flicker on background folder refresh
• Email: Preserve search/filter on batch move and archive
• Email: Preserve search/filter when moving emails via drag-drop
• i18n: Improve Korean flag

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

• #1410 #376 #1224 new option --glang to autoselect UI-translation based on webbrowser's language (thx @stackxp!) ec3e0e7
• #1407 #1384 option to automatically switch between list-view and grid-view depending on folder contents (thx @icxes!) 822fa71 660ed7a 961a273
• #1447 audioplayer can now play bcstm / bfstm / brstm files (nintendo 3ds/wii bgm) 3a9ff67
• #1389 add 1000-based filesize-units in addition to 1024-based 43773f2
• #1395 reloc-by-wark, a pair of hooks to rename incoming uploads to a hash of the file contents 1e7de5d
• option --rlo to change the logrotate-counter for -lo 8b98688
• add --certkey to specify certificate and key as separate files 8c7cdf8
  • but the built-in HTTPS server should still not be trusted
• config-files can now use OS environment-variables anywhere in the [global] config section cbd82b6 e52bbed
  • by default, only the syntax ${VAR} is supported, not $VAR or %VAR%
  • previously, a small handful of global-options already supported this (c lo hist dbpath ssl_log), but they also supported the $VAR syntax, which is no longer the case
  • if the old $VAR syntax is detected, copyparty will crash on startup, suggesting the following remedies (choose one!) in the log:
    1. update the config-value to the new ${VAR} syntax (recommended)
    2. allow the old syntax with global-option --env-expand 1 (risky)
    3. ignore the old syntax and only expand the new syntax with global-option --env-expand 2
    4. disable all environment-variable expansions with PRTY_NO_ENVEXPAND=1

🩹 bugfixes

• #1437 webdav clients can now PROPFIND a file with depth: infinite which at least webdav4 does e00f2b4
• #1392 navigating into a subfolder using a dks dirkey (default-disabled) could fail 228c3df
• #1446 #1330 #1362 fix some small edgecases with the rightclick-menu (thx @icxes!) 874e0e7
• #1403 #1396 audioplayer: fix ui-crash when folder contains an m3u-file and sort-order is changed during playback (thx @icxes!) 198f631
• #1428 #1427 when --magic was enabled, nameless uploads of textfiles would get the file-extension .ssa instead of .txt (thx @Scotsguy!) ed516dd
• #1449 on some filesystems, the tail/follow function would spam the log with reopened at byte XXX 8173018
• #1401 on windows, a spec-violating basic-upload could delay that upload by a few seconds 6fb1287
• on macOS, u2c would clear the terminal on exit, even with -ns 238887c
• audio-files in a videofile trenchcoat did not thumbnail correctly 1066dc3

🔧 other changes

• #1387 added gentoo packaging (thx @mid-kid!) fb5384f
• #1425 improved FreeBSD / OpenBSD support (thx @chilledfrogs!) f561318 745d82f
• #1352 new handler: fail2ban (thx @Lomaiin!) 26e663d
• improve errormessage when the server's OS-HDD blips out of existence d1517d0
• #1439 improve IPv6 autoban IP-range (thx @SnowSquire!) f6dc1e2
• ensure opus transcodes will at most have 2 audio channels (stereo) b31f290
• #1417 smb-server: probably add IPv6 support a5d859d
• --list-nics and --list-ips to show autodetected network-adapters and IPs 8d4363d
• docs:
  • nixos module-override example (thx @Scotsguy!) 0b16e87
  • make it even more obvious that --allow-csrf is a bad idea 9a724b0
  • mention --urlform get to disable message-to-serverlog ac05b4f
  • readme: improve shadowing phrasing 003c68d
  • devnotes: explain the vendored dependencies 971f8ef

🌠 fun facts

• this release includes code written at abs(unit)
  • btw that pdp had an IPv6 lease and browsed the internet :^)
    • hasn't connected to copyparty though (yet...)
• this release was powered by 一体いつから (TaKo Hardcore bootleg) followed by Fighting My Way (YUPPUN Hardcore Remix) (shd is a good dj)

💾 what to download?

• except for u2c.exe, all of the options above are mostly equivalent
• the zip and tar.gz files below are just source code
• python packages are available at PyPI