Bug fixes

• improve environment proxy error handling (#2649 by @kmendell)
• align local BuildKit load/push exporter (#2650 by @kmendell)
• PUID and PGID being set on project subfolder on every startup (#2656 by @kmendell)
• system upgrade doesnt support non unix socket docker hosts (#2651 by @kmendell)
• resizing window discards edits in compose editors (#2719 by @kmendell)
• only validate project name if it has changed (#2720 by @kmendell)
• make Arcane reverse-proxy aware to resolve connection issues (#2717 by @kmendell)
• tolerate undefined typed env vars in GitOps sync (#2721 by @kmendell)
• show all container ip's in list view (#2726 by @kmendell)

Dependencies

• bump pnpm to v11.1.3(fb8f2f5 by @kmendell)
• bump devalue to 5.8.1(2ed772d by @kmendell)
• bump ws to 8.20.1(47c4f81 by @kmendell)
• bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 in /backend in the go_modules group across 1 directory (#2654 by @dependabot[bot])
• bump @sveltejs/kit from 2.58.0 to 2.60.1 in the npm_and_yarn group across 1 directory (#2662 by @dependabot[bot])
• bump github.com/containerd/containerd/v2 from 2.3.0 to 2.3.1 in /backend in the go_modules group across 1 directory (#2663 by @dependabot[bot])
• bump golang.org/x/crypto from 0.51.0 to 0.52.0 in /backend (#2664 by @dependabot[bot])
• bump github.com/docker/cli from 29.5.0+incompatible to 29.5.2+incompatible in /backend (#2666 by @dependabot[bot])
• bump github.com/compose-spec/compose-go/v2 from 2.10.2 to 2.11.0 in /backend (#2665 by @dependabot[bot])
• bump date-fns from 4.1.0 to 4.2.1 (#2675 by @dependabot[bot])
• bump github.com/docker/compose/v5 from 5.1.3 to 5.1.4 in /backend (#2670 by @dependabot[bot])
• bump go.podman.io/image/v5 from 5.39.2 to 5.40.0 in /backend (#2667 by @dependabot[bot])
• bump github.com/compose-spec/compose-go/v2 from 2.10.2 to 2.11.0 in /types (#2668 by @dependabot[bot])
• bump github.com/getarcaneapp/arcane/types from 1.19.1 to 1.19.4 in /cli (#2669 by @dependabot[bot])
• bump marked from 18.0.3 to 18.0.4 (#2679 by @dependabot[bot])
• bump svelte from 5.55.7 to 5.55.9 (#2672 by @dependabot[bot])
• bump @codemirror/autocomplete from 6.20.1 to 6.20.2 (#2673 by @dependabot[bot])
• bump @codemirror/legacy-modes from 6.5.2 to 6.5.3 (#2671 by @dependabot[bot])
• bump pnpm to v11.2.2(74f7ec4 by @kmendell)
• bump react and @types/react (#2682 by @dependabot[bot])
• bump frontend deps(7fe4f34 by @kmendell)
• bump prettier-plugin-svelte from 3.5.2 to 4.0.1(a2fbf3e by @kmendell)
• bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.16 to 1.19.17 in /backend (#2705 by @dependabot[bot])
• bump golang.org/x/net from 0.54.0 to 0.55.0 in /backend (#2696 by @dependabot[bot])
• bump golang from 1.26-trixie to 1.26.3-trixie in /docker (#2708 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/config from 1.32.17 to 1.32.18 in /backend (#2700 by @dependabot[bot])
• bump golangci/golangci-lint-action from 9 to 9.2.0 (#2714 by @dependabot[bot])
• bump github/codeql-action from 4 to 4.35.5 (#2713 by @dependabot[bot])
• bump @uiw/codemirror-themes from 4.25.9 to 4.25.10 (#2712 by @dependabot[bot])
• bump depot/build-push-action from 1 to 1.17.0 (#2716 by @dependabot[bot])
• bump docker/login-action from 4 to 4.1.0 (#2715 by @dependabot[bot])
• bump react-email from 6.1.1 to 6.2.0 (#2711 by @dependabot[bot])

Other

• run workflows on breaking branches(993d27f by @kmendell)

Full Changelog: v1.19.4...v1.19.5

1.19.5

1.19.5

1.19.5

1.7.1 (2026-05-22)

Features

• Admin: Expose PWA branding fields in the admin Branding tab
• Pro: Hide empty-state placeholder and collapse the viewer pane in Pro mode so the mail list fills the space

Fixes

• Mail: Preserve inline images when replying (#163)
• Filters: Use the canonical INBOX mailbox in Sieve filter paths (#313)
• Mail: Resolve destination account id to the local namespace on cross-account mailbox drop

1.7.0 (2026-05-21)

New: Pro mode (experimental)

Opt-in tabbed multi-pane interface for power users. Open multiple mail, calendar, contacts, and file views side-by-side, drag tabs to reorder or split panes at the edges, and work across all logged-in accounts in one shell, cross-account email moves, a unified inbox with search, account-split calendar/contacts/files sidebars, and a per-account "From" dropdown in the composer. Enable from Settings → Appearance; the proInterface preference is per-device and not synced.

Pro mode is experimental and we need your feedback to shape it. If something feels off, breaks, or is missing, please don't hesitate to open an issue or start a discussion on GitHub!

Breaking Changes

• Plugins: Plugins now run inside a null-origin iframe sandbox and talk to the host over a postMessage RPC bridge. The in-process plugin runtime is gone; the bundled in-tree plugins have been migrated. Third-party plugins built against the old in-process API need to be ported to the sandboxed runtime.
• Plugins: Server-managed bundles must be Ed25519-signed by the host and approved by an admin before they load. The host public key is served from /api/plugin-signing-pubkey and each bundle response carries the signature in the X-Bundle-Signature header. User-uploaded bundles still load unsigned, but managed marketplace and dev-folder bundles do not.
• Plugins: bundleHash is now a full SHA-256 over the bundle. Legacy short hashes are migrated on first load; any out-of-band tooling that pinned the old hash format needs to be updated.

Features

• Pro: Tabbed shell with drag-to-reorder, drag-to-edge to split, side-by-side panes, and pane-aware responsive layout with a scoped sidebar overlay
• Pro: Auto-redirect to the Pro shell when Pro mode is on; proInterface is kept per-device instead of syncing
• Pro: Multi-account mail sidebar with client routing and a per-account mailbox cache
• Pro: Unified mailbox always visible, with full-text search
• Pro: Cross-account email moves
• Pro: Multi-account calendar sidebar split into owned vs shared per account
• Pro: Multi-account contacts and a cross-account file picker
• Pro: Composer From dropdown grouped by account
• Plugins: Per-plugin admin approval workflow with Ed25519 bundle signing verified on load
• Plugins: Marketplace update flow for installed plugins and themes
• Setup: Allow the setup wizard over plain HTTP with a dismissable warning gate
• Setup: Warn when the JMAP URL points at a local-only host
• Account: List and reorder logged-in accounts from settings (#282)
• Mail: Mobile handoff page with JMAP authentication verification for cross-device OAuth
• Mail: Pluggable reply/forward quote header (#295)
• Calendar: Support multiple flexible event reminders (#170)
• Admin: Expose PWA, app identity, and extension directory keys in the JSON config (#312)
• Admin: Surface OAuth scope settings and wire up orphaned admin policy gates

Security

• Plugins: Pin parent origin in the iframe bridge to block cross-frame postMessage
• Plugins: Ignore plugin-supplied target in ui.openExternalUrl to block host-frame hijack
• Plugins: Validate plugin/theme id in marketplace install to block path traversal
• Plugins: Prevent plugin config from leaking to non-admin users
• Admin: Gate admin routes against cross-origin CSRF
• Auth: Bind Stalwart auth context to the credential, not the cookie-claimed username
• Auth: Validate OAuth discovery endpoints against SSRF
• Mail: Tighten HTML sanitization at plain-text email, signature, and i18n render sites
• Mail: Block script-bearing MIME types from inline attachment preview
• Mail: Escape print-window fields and re-sanitize body to block XSS
• S/MIME: Stop persisting passphrases in sessionStorage
• API: Correct regex for valid API POST path validation

Fixes

• Mail: Serialize draft autosave with send to stop replies stalling in Drafts (#303)
• Mail: Omit empty cc/bcc from Email/set so the server does not emit a bare Cc: header (#301)
• Mobile: Allow adding contacts from the mail recipient popover (#306)
• Mobile: Prevent dual-scroll and use full width for mail content
• Mobile: OAuth handoff flow
• Calendar: Scope iCal subscriptions per JMAP account; fix refresh and clear
• Calendar: iCal subscription refresh, rollback, and URL normalization
• Calendar: Show avatars in the calendar/address book sharing menu
• Contacts: Normalize malformed contact photo data URIs (#307)
• Identity: Clear identity signature fields when emptied
• Identity: Show size cap on identity signature fields
• Identity: Allow table-based layouts in the HTML signature sanitizer
• Plugins: Load globals.css and Geist font in the plugin sandbox iframe
• Plugins: Sync plugin slot iframe height with reported content height
• Plugins: Use plugin slot offer snapshots for useSyncExternalStore
• Plugins: Trust the directory version on marketplace install and update
• Filters: Prevent duplication of Bulwark rules with literal braces in values
• Setup: Defer setup wizard HTTP detection to avoid hydration mismatch
• Routing: Anchor unmatched URLs into main so 404 renders
• Routing: Respect server-resolved locale on first visit (#309)
• Routing: Split app into (main)/(sandbox) route groups so the plugin iframe hydrates properly
• Files: Stop parent directory navigation from jumping to root
• Build: Stop pulling node:dns into the client bundle via OAuth discovery
• UI: Toggle recipient popover when clicking the name again
• UI: Remove white halo around photo avatars

i18n

• Add missing translation keys across 16 locales

Security Release

• Update Instructions
• Update details on blog

This is a security release to address a brute-force based vulnerability related to multi-factor authentication, and to update project libraries to help avoid potential vulnerabilities that have been reported in those.

Upgrade is generally advised, but strongly so where multi-factor authentication is used & considered as a critical layer of defense.

Thanks to Stephen O. / Sakusen (Codeberg, Website) for responsibly reporting these issues.

Full List of Changes

• Updated PHP package versions.
• Updated MFA verification routes with rate limiting.

• Milestone

This is bug-fix release for 1.29.0.

Feature highlights✨:

• Accept .txt import of feed URLs in additional to e.g. OPML
• New CLI for automatic periodic SQLite export with retention
• More feed info: last received date, publication date

Bug fixes highlights 🐛:

• Fix cookies with some browsers
• Fix search in shared user queries with empty results

UI highlights 🖼:

• Improve Web browsers compatibility

This release has been made by @Alkarex, @Frenzie, @IEEE-754, @Inverle, @McFev, @ciro-mota, @cweiske, @polybjorn and newcomer @mzl2233

Full changelog:

• Features
  • Accept .txt import of feed URLs in additional to e.g. OPML #8818, #8837
  • New CLI for automatic periodic SQLite export with retention #8819
  • More feed info: last received date, publication date #8799
• Bug fixing
  • Fix cookies with some browsers #8867
  • Fix search in shared user queries with empty results #8863
  • Fix XML errors with loading invalid OPML in lib_opml library #8652, #8853,
    lib_opml#48, lib_opml#51
  • Fix ensure maximum number of feeds also with Dynamic OPML #8832
  • Fix click mark as read #8817
• UI
  • Improve browser compatibility to keep mobile navigation at the bottom #8833
  • Improve support of older/simpler Web browsers/engines such as SeaMonkey #8810,
    #8811, #8813,
  • Improve Swage theme #8842
  • Rename Nord theme to Nord #8805
  • Replace GIF spinner by CSS spinner #8804, #8812
  • Various UI and style improvements: #8800, #8816,
• I18n
  • Improve Brazilian Portuguese #8846
  • Improve Dutch #8868
  • Improve German #8840
  • Improve Polish #8854
  • Improve Russian #8861
  • Improve Traditional Chinese #8849
• Misc.
  • Update dev dependencies #8858, #8864

5.46.1 (2026-05-20)

🔥 Bug fix

• FK violation publishing self-relation parent & child in one release (#26147)
• move session-manager jwt check from register to bootstrap (#25412)
• admin: remove year 2041 limit on date/datetime pickers (#26209)
• content-manager: fix getMainField context for component list/edit configure views (#25509, #26124)
• database: respect nested sort in populate for join-table relations (#26361)
• graphql: inherit publication state for i18n localizations (#22163)
• migrations: guard inverseJoinColumn access in discard-drafts migration (#26331)
• review-workflows: add assignee and review stage to list view filters (#26171)
• review-workflows: message when single stage (#26229)
• upgrade: use pnpm install when project prefers pnpm (#26246)
• upgrade: align scoped @strapi packages in devDependencies (#26248)

⚙️ Chore

• sonarcloud security review (#25949)
• deps: bump ip-address from 10.1.0 to 10.2.0 (#26222)
• deps: bump @protobufjs/utf8 from 1.1.0 to 1.1.1 (#26311)
• deps: bump axios from 1.15.1 to 1.15.2 (#26177)
• deps: bump fast-xml-builder from 1.1.4 to 1.2.0 (#26253)
• deps: bump fast-uri from 3.0.1 to 3.1.2 (#26254)
• eslint: migrate .eslintrc + .eslintignore to .eslintrc.cjs (#26216)

🚨 Security

• deps: upgrade multiple dependencies (#26326)

❤️ Thank You

• Adrien L @Adzouz
• Andrei L @unrevised6419
• Ben Irvin
• Garrett Heaver @garrettheaver
• jmichalec-vl
• Maksim Zhukau @MaksZhukov
• Simen @Eventyret
• Simon Norris @cache-your-dreams
• Westley Marchment

Bug fixes

• block unsafe compose include file reads (#2630 by @kmendell)
• add missing gRPC/ws tunnel commands (#2636 by @kmendell)
• unable to use templates due to 'not found' error (#2634 by @kmendell)
• retry rate limited update checks (#2639 by @kmendell)
• prevent projects from disappearing when projects folder is unreadable (#2641 by @kmendell)
• release notes not populated for manager instance (#2643 by @kmendell)

Other

• publish manager and agent image tags (#2645 by @kmendell)
• use trivy-db mirrors from arcane-tools (#2646 by @kmendell)

Full Changelog: v1.19.3...v1.19.4

1.19.4

1.19.4

1.19.4

1.6.7 (2026-05-17)

Features

• Contacts: vCard 4.0 parsing and generation support
• Admin: Master-user impersonation route with app-top-banner plugin slot rendered on every authenticated page
• Admin: Allow admin password overwrite during setup recovery
• Setup: HTTPS requirement warning in the setup wizard
• Mobile: Show details toggle and expandable panel for sender info

Performance

• Calendar: Speed up calendar invitation banner load

Security

• Mail: Sandbox thread email HTML in srcDoc iframe with a CSP <meta> tag
• Admin: Redact sensitive config secrets from the admin API response
• Admin: Make impersonation cookies session-only

Fixes

• Auth: Read OAUTH_SCOPES at runtime instead of build time
• Auth: Use a relative Location header in redirects
• Auth: Adopt orphan session cookie on first SPA load
• Mail: Per-account push subscriptions so multi-account notifications work (#298)
• Mail: Close attachment preview when clicking outside the content area
• Mail: Pin quick reply to the bottom for short emails
• Mail: Show "no body content" instead of an infinite skeleton for bodyless emails
• Mail: Show contact popup when clicking the sender name in the email header
• Mail: Prevent long addresses from overflowing email details columns (#297)
• Mobile: Align quick reply with the mobile bottom toolbar
• Mobile: Respect safe-area insets on mobile bottom bars
• Mobile: Pad safe-area-inset-top
• UI: Apply dark background to the email content wrapper in dark mode
• UI: Improve dark mode background colors in the email viewer
• UI: Add viewport export with initialScale: 1
• UI: Strip the Stalwart master-user % suffix from the displayed account
• Plugins: Warn and block install when the app version is below the plugin's minAppVersion
• Plugins: Register app-top-banner in plugin-store SLOT_NAMES
• Plugins: Carry configSchema + settingsSchema through marketplace install
• Build: Add outputFileTracingExcludes to reduce Turbopack memory tracing

i18n

• Add missing translation keys across 16 locales

Bug fixes

• remove gzip middleware from agent endpoints (#2627 by @kmendell)

Full Changelog: v1.19.2...v1.19.3

1.19.3

1.19.3

1.19.3

Bug fixes

• remove intel-gpu-tools from docker images since its has no effect currently(fea78a5 by @kmendell)
• allow hiding default networks on typology view (#2594 by @kmendell)
• refresh project detail runtime status (#2602 by @kmendell)
• allow LOGIN email authentication type (#2603 by @kmendell)
• keep session across backend version bumps (#2607 by @kmendell)
• missing store prefix on test connection form(5f1645f by @kmendell)
• swarm engine not respecting cpu limits (#2617 by @kmendell)
• only perform auto pairing on edge edgent not direct (#2622 by @kmendell)
• container cache leak from docker subscription (#2624 by @kmendell)

Performance improvements

• increase loading times of project list view (#2596 by @kmendell)

Dependencies

• bump to go 1.26.3(8e819fe by @kmendell)
• bump all go deps(6817e70 by @kmendell)
• bump the npm_and_yarn group across 1 directory with 2 updates (#2600 by @dependabot[bot])
• bump svelte from 5.55.5 to 5.55.7 in the npm_and_yarn group across 1 directory (#2601 by @dependabot[bot])
• bump github.com/danielgtaylor/huma/v2 from 2.37.3 to 2.38.0 in /backend (#2612 by @dependabot[bot])
• bump github.com/docker/cli from 29.4.3+incompatible to 29.5.0+incompatible in /backend (#2613 by @dependabot[bot])
• bump google.golang.org/grpc from 1.81.0 to 1.81.1 in /backend (#2610 by @dependabot[bot])
• bump prettier-plugin-svelte from 3.5.1 to 3.5.2 (#2618 by @dependabot[bot])

Other

• create admin role middleware for each endpoint (#2593 by @kmendell)
• consolidate digest and image updater logic (#2623 by @kmendell)

Full Changelog: v1.19.1...v1.19.2

1.19.2

1.19.2

1.19.2

1.6.6 (2026-05-15)

Features

• Mail: Sync onboarding completion state across devices so the welcome flow only runs once per account (#285)
• Mail: Distinct icons for Shared, Important, Memos, Scheduled, and Snoozed folders (#288)
• Compose: Raise HTML identity signature length cap to 50,000 characters
• Compose: Allow <img> tags in HTML identity signatures for inline logos and banners

Fixes

• Files: Hide Files settings entry and sidebar nav when the filesEnabled policy is off (#291)
• Admin: Honor the cookieSameSite admin config override instead of always defaulting (#284)
• UI: Standardize punctuation in tooltips and inline comments across locales

i18n

• Add Danish localization
• Clean up Danish locale wiring and sort the language picker alphabetically (#286)

Changelog

Bug fixes

• 7b8bcfa: fix: switch cron-parser to named import (CronExpressionParser) (#1737) (@codeanish)

5.46.0 (2026-05-13)

🚀 New feature

• close button for the trial banner (3fd5f9fd56)
• adding collapse button (901465b1e2)
• updating design after Claude comments (d1cb08f76e)
• getting that button to stick while the banner doesn't (f04fe97a75)
• add preview support to images and videos (#25216)
• content-manager: add possibility to customize blocks (#22063)
• email: replace sendmail package with nodemailer in provider (#25893)

🔥 Bug fix

• making button float better (c5396f1c18)
• using isValid & adding translations (59498861f7)
• auto-expand and scroll to newly added dynamic zone components (#26044)
• keep draft link on x-to-one relations non-dp to dp (#26179)
• long component names overflow in dynamic zone picker (#26010)
• remove await from several telemetry calls to prevent blocking (#24743)
• admin: resolve prism is not defined (#25660)
• admin: handle 204 no-content response in fetch client (#25416)
• content-manager: local-storage was not updated if filters were removed (#26240)
• content-manager: skip draft/modified count queries for non-D&P content types (#26049)
• core/admin: admin and content api tokens retro-compatibility (#26313)
• core/core: validation uses injected strapi instance (#26211)
• database: morph typeField wins over same-name fields in populate (#26120)
• database: append primary key to ORDER BY for paginated selects (#26032)
• db: deterministic schema hash by sorting tables before hashing (#26202)
• graphql: isolate root query args per root field (#26178)
• test: check button attribute differently (#26212)
• utils: throw ValidationError for all invalid query params (not just sort) (#25894)

⚙️ Chore

• adding translations for the banner (e696d94627)
• turkish translations for cloud (#26223)
• .github: bump CI runners to node 24 (#26231)
• ai: ignore .agents/local-skills and .agents/local-state for local only harness (#26276)
• deps: bump eslint-plugin-react (#26227)
• deps: migrate msw 1.x → 2.13.4 across admin test suites (#26065)
• deps: upgrade typedoc to 0.28.19 and related plugins (#26082)
• security: mark Strapi v4 as End of Life (#26162)
• upload: add concurrentUploadSize config (#26053)

❤️ Thank You

• Alanderson Zelindro da Rosa
• Andrei L @unrevised6419
• Anslem @ace2016
• Ben Irvin
• Christian Dreier
• DMehaffy
• Florent Baldino @Baldinof
• guoyangzhen
• Jamie Howard @jhoward1994
• markkaylor
• mathildeleg @mathildeleg
• Nico André
• Nicolò
• ozzy @ddoemonn
• Rémi de Juvigny @remidej
• Simen @Eventyret
• Simon Norris

1.6.5 (2026-05-13)

Features

• Protocol: Register as the system handler for mailto: and webcal: links from a new protocol handler settings page
• Protocol: Account picker for protocol links when multiple accounts are connected
• Protocol: Import-or-subscribe choice for detected webcal calendars
• Protocol: Reuse the open PWA/session for mailto: links instead of always opening a new tab
• UI: Route account avatars through the shared Avatar component for consistent fallbacks (#278)

Fixes

• Calendar: Support HTTP basic auth in iCal subscription URLs (#275)
• Admin: Honor admin-uploaded favicon in root metadata (#274)
• Admin: Honor NEXT_PUBLIC_BASE_PATH in admin sidebar nav links (#271)
• UI: Broaden body font stack so Thai (and other non-Latin scripts) render correctly in subjects, sender names, and other chrome (#265)

Bug fixes

• show archived switch overlapping projects search bar(d02a05c by @kmendell)
• show correct environments types in filter (#2578 by @kmendell)
• build history not being updated after builds are completed (#2586 by @kmendell)
• incorrect backend arg used for trivy on 32bit hosts (#2587 by @kmendell)
• updater api authorization checks (#2588 by @kmendell)
• deny non hmac jwt requests(d568d03 by @kmendell)
• add rate limiting to webhooks and auth endpoints, and add caching to user session (#2591 by @kmendell)

Other

• add mobile device custom redirect url for oidc (#2580 by @kmendell)
• migrate off gin to use echo for backend router (#2582 by @kmendell)
• store user sessions in database with proper jti (#2590 by @kmendell)

Full Changelog: v1.19.0...v1.19.1

1.19.1

1.19.1

1.19.1