License Enforcement

Directus 12 introduces active license enforcement. Self-hosted instances run on the Core tier by default. Higher limits and additional features require a valid license. See Licensing for a complete overview.

This change affects instances previously using features that now require a license, including:

• SSO — SSO login will no longer work. Users who authenticate through SSO will be unable to log in and must be converted to email and password users to regain access.
• Custom permission rules — custom rules on access policies will be ignored.
• Custom or self-hosted LLMs — connections to custom LLMs will no longer work.
• AI Translations — AI-powered translations are not available.

Enforcement is immediate on new instances. Instances upgrading to Directus 12 get a 30-day grace period from the time of upgrade, after which these are enforced unless a license that enables them is configured.

If your instance uses any of these features, add a license that includes them to continue to do so. If your instance uses only Core tier features, no action is required.

Changed license to MSCL-1.0-GPL (#27417)

• Breaking Change: Relicensed from BUSL-1.1 to MSCL-1.0-GPL (Monospace Sustainable Core License, Version 1.0).

Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607)

• The IP_TRUST_PROXY default was changed from true to false. If you run Directus behind a reverse proxy and rely on X-Forwarded-For (or similar) headers for client IP resolution, you must now explicitly set IP_TRUST_PROXY to true or a more specific trust configuration.

Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160)

• Health checks are cached by default and shared across multi-instance deployments
  • /server/health will return 404 for unauthenticated requests, use /server/ping for liveness checks
  • cache, rateLimiter and rateLimiterGlobal health checks have been replaced by a generic redis check using the redis: prefix

Introduced VERSION_KEY_ constants and renamed main to published @alvarosabu (#27397)*

• Backward Compatibility: You can now use ?version=published to resolve versions of the main item(s) via the version query parameter. For backward compatibility, ?version=main will continue to work.

Replaced status field with archived boolean in collection settings @alvarosabu (#27397)

• Backward Compatibility: Existing collections with string-based status fields continue to work unchanged; newly created collections now default to a boolean "Archived" field instead of the string "Status" field

Deprecated the VResizeable component @formfcw (#27437)

• Deprecation for extensions: The globally registered VResizeable component has been deprecated. Extension authors using <v-resizeable> should migrate to @directus/vue-split-panel or their own implementation.

Updated type system, borders, and theme variables @formfcw (#27437)

• Potential breaking change for theme extensions: headerShadow and sidebarShadow removed from LayoutConfig interface
• Potential breaking change for theme extensions: boxShadow removed from header theme rules schema
• Potential breaking change for theme extensions: sidebarShadow no longer exposed in layout wrapper state

Updated module navigation bar spacing and styling @HZooly (#27437)

• Potential breaking change in theme extensions: Removed navigation.project.borderColor / navigation.project.borderWidth / navigation.project.background from theming. No action is required — these props will simply no longer have any effect.

Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397)

• Breaking change — new behavior for versioned collections Published items in versioned collections are now locked. Edits must be made through the draft version.

Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437)

• Potential breaking change for extensions: The rounded prop has been removed from v-button. Extensions using rounded will still render correctly but buttons will appear as rounded rectangles instead of circles. No functional impact.

Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437)

• Potential breaking change for theme extensions: The theme properties navigation.background, navigation.backgroundAccent, navigation.borderWidth, navigation.borderColor, header.background, header.borderWidth, and header.borderColor have been removed and replaced by shell.background, shell.backgroundAccent, shell.borderWidth, and shell.borderColor.
• Potential breaking change for theme extensions: Custom themes overriding any of these removed properties must migrate to the new shell scope. The corresponding CSS variables change from --theme--navigation--background, --theme--navigation--background-accent, --theme--navigation--border-*, --theme--header--background, and --theme--header--border-* to --theme--shell--background, --theme--shell--background-accent, and --theme--shell--border-*.

Removed the extra confirmation step from the publish flow @alvarosabu (#27487)

• Breaking change — new publish flow: Publishing a version no longer shows an additional confirmation dialog after confirming changes in the comparison modal. The item is published directly once the changes are confirmed.

Updated sidebar styles @formfcw (#27437)

• Potential breaking change for theme extensions: Removed section.toggle.borderWidth / section.toggle.borderColor in favor of section-level border tokens. No action is required — these props will simply no longer have any effect.
• Potential breaking change for theme extensions: Removed sidebarShadow and headerShadow from defineLayout(). No action is required — these props will simply no longer have any effect.

Refactored focus ring from border/box-shadow to outline @formfcw (#27437)

• Potential breaking change for theme extensions: borderColorFocus, boxShadowHover, and boxShadowFocus are removed from the theme schema — custom themes referencing these will lose their focus overrides silently
• Potential breaking change for interface extensions that relied on --theme--form--field--input--border-color-focus or --theme--form--field--input--box-shadow-focus CSS variables will need to migrate to --theme--form--field--input--focus-ring-color

Updated header bar elements and deprecated the headline slot @formfcw (#27437)

• Deprecation for extensions: The headline slot on the private view header bar has been deprecated. Existing content keeps rendering, but consumers using <template #headline> will now see a deprecation hint from Volar.

• @directus/app

  • Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397 by @formfcw)
  • Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437 by @formfcw)
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
  • Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)
  • Removed the extra confirmation step from the publish flow @alvarosabu (#27487 by @alvarosabu)

• @directus/api

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
  • Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)

• @directus/themes

  • Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)

  • Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)

  • Updated sidebar styles @formfcw (#27437 by @formfcw)

  • Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
    • Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
    • Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.

    :::

• @directus/types

  • Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)

  • Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)

  • Updated sidebar styles @formfcw (#27437 by @formfcw)

  • Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
    • Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
    • Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.

    :::

• @directus/extensions

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/extensions-registry

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/extensions-sdk

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/format-title

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/memory

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/pressure

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/release-notes-generator

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/update-check

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/validation

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/schema

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/schema-builder

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/specs

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage-driver-cloudinary

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage-driver-supabase

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage-driver-azure

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage-driver-gcs

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage-driver-local

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage-driver-s3

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/stores

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• create-directus-extension

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• create-directus-project

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/env

  • Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607 by @br41nslug)

• @directus/sdk

  • Fixed the outdated updateExtension command and added missing deleteExtension and extension registry commands (#27314 by @kheiner)

    ::notice

    • updateExtension now accepts an id instead of bundle and name
      :::

  • Refactor sdk error to use class over object (#27417 by @ComfortablyCoding)

    :::warning
    Requests that fail will now throw a RequestError instead of returning a response with an error property.
    :::

✨ New Features & Improvements

• @directus/app

  • Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)

  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)

  • Fixed Image Editor save button to use split button @HZooly (#27437 by @formfcw)

  • Added split-menu slot to v-button and migrate primary header actions @formfcw (#27437 by @formfcw)

  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)

  • Added version support to getItemRoute and update all callers to preserve version context when navigating to items from layouts and interfaces @alvarosabu (#27397 by @formfcw)

  • Added behavior to auto-switch to the draft version on the first edit of published item @alvarosabu (#27507 by @alvarosabu)

  • Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)

  • Updated Visual Editor header bar buttons @formfcw (#27437 by @formfcw)

  • Updated content route middleware to handle singleton collections and draft flow via route guards @alvarosabu (#27397 by @formfcw)

  • Replaced status field with archived boolean in collection settings @alvarosabu (#27397 by @formfcw)

  • Updated module bar buttons style @HZooly (#27437 by @formfcw)

  • Deprecated the VResizeable component @formfcw (#27437 by @formfcw)

  • Updated VChip component to appear as a pill in form field label, group accordion, group tabs, kanban, deployment status, extension item, marketplace extension list item, marketplace extension banner, and user popover @formfcw (#27462 by @formfcw)

  • Added tresjs shader background for public pages @alvarosabu (#27428 by @alvarosabu)

  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)

  • Rendered non-clickable version menu without directus_versions read access @alvarosabu (#27461 by @alvarosabu)

  • Added item-less draft creation flow for versioned collections @alvarosabu (#27397 by @formfcw)

  • Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)

  • Updated Visual Editor popover/modal action buttons @formfcw (#27437 by @formfcw)

  • Updated UI for the Draft & Publish workflow @formfcw (#27437 by @formfcw)

  • Updated mobile appearance of drawer sidebar @formfcw (#27437 by @formfcw)

  • Moved Promote/Publish button to header actions @alvarosabu (#27397 by @formfcw)

  • Updated primary header actions to show label and replace outlined header action buttons @formfcw (#27437 by @formfcw)

  • Updated SearchInput component to match the new design @formfcw (#27437 by @formfcw)

  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)

  • Refactored header bar action slots and reorganized CTAs @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The actions:append slot in the header bar has been deprecated in favor of the new actions:primary slot for primary CTAs. Existing actions:append usage keeps rendering in the secondary-actions zone, but consumers will now see a deprecation hint from Volar.

    :::

  • Added navigation logic on discarding item-less versions @alvarosabu (#27397 by @formfcw)

  • Put the sidebar into the content area @HZooly (#27437 by @formfcw)

  • Updated color system for VChip and VersionMenu components @formfcw (#27437 by @formfcw)

  • Updated content section spacing and drawer content spacing @HZooly (#27437 by @formfcw)

  • Extracted the card subheader into a reusable subheader component @HZooly (#27437 by @formfcw)

  • Added version select to collection page @alvarosabu (#27397 by @formfcw)

  • Updated sidebar styles @formfcw (#27437 by @formfcw)

  • Renamed "Promote" to "Publish" in version menu and disabled create version and published selection for item-less versions @alvarosabu (#27397 by @formfcw)

  • Added version query param guards on content-item route @alvarosabu (#27397 by @formfcw)

  • Improved bookmark flow @formfcw (#27450 by @formfcw)

  • Forwarded theme tokens and i18n strings from Studio to the visual-editing iframe @formfcw (#27469 by @formfcw)

  • Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)

  • Introduced VersionChip component @formfcw (#27437 by @formfcw)

  • Updated theme preview component to match the new design @formfcw (#27437 by @formfcw)

  • Updated collab avatar indicator design @formfcw (#27437 by @formfcw)

  • Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
    • Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
    • Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.

    :::

  • Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)

  • Ensured to switch to the draft version when visually editing an item of a versioned collection @formfcw (#27595 by @formfcw)

  • Extracted reusable ModuleBarButton component @formfcw (#27437 by @formfcw)

  • Moved client-validation to promote version workflow instead of save version @alvarosabu (#27397 by @formfcw)

  • Added Create New action to publish split menu with shortcut @alvarosabu (#27425 by @alvarosabu)

• @directus/api
  • Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
  • Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
  • Added support for item-less versions @Nitwel (#27397 by @formfcw)
  • Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
  • Allow disabling the health check endpoint via HEALTHCHECK_ENABLED or selectively disabled checked services via HEALTHCHECK_SERVICES (#27160 by @ComfortablyCoding)
  • Improved AI assistant prompt caching support across providers. (#27545 by @bryantgillespie)
• @directus/constants
  • Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)
• @directus/env
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
  • Allow disabling the health check endpoint via HEALTHCHECK_ENABLED or selectively disabled checked services via HEALTHCHECK_SERVICES (#27160 by @ComfortablyCoding)
• @directus/system-data
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Replaced status field with archived boolean in collection settings @alvarosabu (#27397 by @formfcw)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
  • Updated directus_oauth_* system collection visibility to match other system collections (#27682 by @hanneskuettner)
• @directus/types
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
  • Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)
  • Added support for item-less versions @Nitwel (#27397 by @formfcw)
  • Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
  • Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
• @directus/errors
  • Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)
• @directus/composables
  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
  • Added version select to collection page @alvarosabu (#27397 by @formfcw)
• @directus/themes
  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
  • Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)
  • Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)
• @directus/utils
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
• @directus/sdk
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
  • Added support for item-less versions @Nitwel (#27397 by @formfcw)
• @directus/specs
  • Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
• @directus/visual-editing
  • Redesigned the editable-element overlay with theming, RTL support and improved a11y @formfcw (#27469 by @formfcw)
• @directus/memory
  • Added TTL support for local KV and cache stores (#27160 by @ComfortablyCoding)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Added DIRECTUS_DOMAIN constant and replaced hardcoded directus.io to directus.com using the new constant (#27417 by @ComfortablyCoding)
  • Consolidated URLs and emails into shared constants (#27641 by @HZooly)
  • Limited mobile sidebar width so the overlay can be tapped to close it @HZooly (#27437 by @formfcw)
  • Bumped vue-tsc to 3.1.8 (#27437 by @formfcw)
  • Fixed tick rendering when count exceeds display limit in v-slider (#27644 by @HZooly)
  • Fixed icon alignment in v-divider component @HZooly (#27437 by @formfcw)
  • Fixed v-dialog returning focus to opener instead of an autofocused child on close @formfcw (#27464 by @formfcw)
  • Fixed flow handle button alignment in flow editor @HZooly (#27437 by @formfcw)
  • Shown "Import in background" checkbox only when a file is selected @HZooly (#27437 by @formfcw)
  • Fixed sidebar reopening at minimum size after being collapsed via drag handle @HZooly (#27437 by @formfcw)
  • Capped datepicker year to prevent invalid date (#27659 by @HZooly)
  • Bumped Vitest to 3.2.6 (#27686 by @br41nslug)
  • Fixed EXTENSIONS_PATH and EXTENSIONS_LOCATION env vars not being respected by the Vite dev server (#27642 by @HZooly)
  • Added notice on license page with oig link (#27661 by @robluton)
  • Fixed vue console warnings related to the comparison modal (#27538 by @formfcw)
  • Fixed bug on tooltip value when decimals is 0 in pie chart panel (#27356 by @Prateet-Github)
  • Fixed misaligned filter editor in search bar @formfcw (#27454 by @formfcw)
  • Added missing collection note translations for the directus_oauth_* system collections (#27682 by @hanneskuettner)
  • Changed back button behavior, always navigates one level up @HZooly (#27437 by @formfcw)
  • Fixed default favicon path to resolve against the instance root path instead of the site origin. (#27095 by @singhvishalkr)
  • Fixed repeater interface ignoring per-field translations and $t: keys on sub-field labels, and added a "Field Name Translations" section to the sub-field configuration UI (#27374 by @khanahmad4527)
  • Fixed search input not trimming whitespace, causing queries with leading or trailing spaces to return no results (#27359 by @khanahmad4527)
  • Added minor copy change to license onboarding and license key interface (#27651 by @robluton)
  • Fixed calendar layout toolbar responsiveness @HZooly (#27437 by @formfcw)
  • Updated license request links. (#27652 by @HZooly)
  • Fixed the error handling (try-catch) when saving a field in Directus Studio. (#27486 by @baguse)
  • Fixed items not being selectable in the collection drawer when the Kanban layout is used while the parent item is opened in a version context @alvarosabu (#27427 by @alvarosabu)
  • Fixed AI assistant "Clear conversation" not canceling in-flight requests, causing them to continue running in the background (#27646 by @levgiorg)
  • Added support for translatable flow names via the existing $t: prefix and translation strings, matching the field/collection label pattern. The flow name input in the flow editor now exposes the translation picker. (#27472 by @khanahmad4527)
  • Removed unsupported json filter function from the studio (#27669 by @sourav-18)
  • Fixed bookmark icon and color not showing in header @formfcw (#27437 by @formfcw)
  • Fixed UI freeze caused by WYSIWYG interface when its non-editable state toggles @formfcw (#27515 by @formfcw)
  • Fixed project setup silently ignoring invalid license keys (#27671 by @ComfortablyCoding)
• @directus/api
  • Bumped Vitest to 3.2.6 (#27686 by @br41nslug)
  • Fixed project setup silently ignoring invalid license keys (#27671 by @ComfortablyCoding)
  • Fixed nested deep query parameters being dropped when filters use dynamic variables (#27676 by @mazen-salah)
  • Fixed bulk creation of itemless drafts always fails (#27683 by @ComfortablyCoding)
  • Fixed SSO resolver erroring when admin is not defined (#27662 by @ComfortablyCoding)
  • Fixed Postgres numeric overflow errors being misattributed to an unrelated field (#27690 by @MahinAnowar)
  • Fixed registration email verification tokens to use the configured secret fallback when SECRET is missing. (#27406 by @rijkvanzanten)
  • Bumped axios, js-cookie, samlify, systeminformation, simple-git, fast-uri dependencies (#27589 by @br41nslug)
  • Fixed MCP OAuth dynamic client registration defaults and metadata responses. (#27628 by @hanneskuettner)
  • Prevented setting a custom user provider when not entitled to SSO (#27675 by @ComfortablyCoding)
  • Fixed aliased relational fields in GraphQL queries, fragments and REST queries (#27054 by @AlexGaillard)
  • Fixed active seat processing not accounting for user/role changes (#27662 by @ComfortablyCoding)
  • Removed dead isMinimumAppPermission function (#27662 by @ComfortablyCoding)
  • Fixed failed itemless drafts being dropped from version reads when limit=-1 (#27578 by @alvarosabu)
  • Added a namespace to shares cache keys (#27707 by @br41nslug)
  • Updated IP blocking (#27606 by @br41nslug)
  • Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
  • Fixed singletons allowing multiple itemless versions (#27532 by @formfcw)
  • Fixed issue causing duplicate admin roles on first admin creation (#27663 by @robluton)
  • Fixed non custom permissions denied irrespective of if entitled (#27662 by @ComfortablyCoding)
• @directus/constants
  • Added DIRECTUS_DOMAIN constant and replaced hardcoded directus.io to directus.com using the new constant (#27417 by @ComfortablyCoding)
  • Consolidated URLs and emails into shared constants (#27641 by @HZooly)
• @directus/system-data
  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
  • Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
• @directus/types
  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
• @directus/utils
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
• @directus/sdk
  • Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
  • Fixed SingletonCollections incorrectly including core schema collections (#27196 by @kheiner)
• @directus/ai
  • Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
• @directus/release-notes-generator
  • Ignored private workspace packages when generating release notes (#27637 by @licitdev)

📦 Published Versions

• @directus/app@16.0.0
• @directus/api@36.0.0
• @directus/ai@1.3.2
• @directus/composables@11.5.0
• @directus/constants@14.4.0
• create-directus-extension@12.0.0
• create-directus-project@13.0.0
• @directus/env@6.0.0
• @directus/errors@2.4.0
• @directus/extensions@4.0.0
• @directus/extensions-registry@4.0.0
• @directus/extensions-sdk@18.0.0
• @directus/format-title@13.0.0
• @directus/memory@4.0.0
• @directus/pressure@4.0.0
• @directus/release-notes-generator@3.0.0
• @directus/schema@14.0.0
• @directus/schema-builder@1.0.0
• @directus/specs@14.0.0
• @directus/storage@13.0.0
• @directus/storage-driver-azure@13.0.0
• @directus/storage-driver-cloudinary@13.0.0
• @directus/storage-driver-gcs@13.0.0
• @directus/storage-driver-local@13.0.0
• @directus/storage-driver-s3@13.0.0
• @directus/storage-driver-supabase@4.0.0
• @directus/stores@3.0.0
• @directus/system-data@4.5.0
• @directus/themes@2.0.0
• @directus/types@16.0.0
• @directus/update-check@14.0.0
• @directus/utils@13.5.0
• @directus/validation@3.0.0
• @directus/visual-editing@2.1.0
• @directus/sdk@22.0.0

5.48.0 (2026-06-10)

🚀 New feature

• add optional openapi spec route (#26239)
• openapi: gate endpoint access with config (#26574)

🔥 Bug fix

• upload returns unsigned URL on update media info (#25195)
• widgets show error when role has no access to mainfield of ct (#26537)
• admin: return empty object for empty json body in fetch client (#26277)
• build: build does not run install; add install-deps arg (#26483)
• ci: run build:size as full command for compressed-size-action v3 (#26556)
• ci: restore allowed paths-filter pin (#26575)
• content-manager: use ReadonlyArray for layout prop and fix Repeatable test fixture (#26522)
• content-manager: raise z-index of code block language selector (#25010, #26324)
• core: validate numeric inputs before DB unique checks (#26101)
• database: restore join-table relation sort order in components (#26553)
• database: avoid double finalising completed transactions (#26122)
• upload: folder navigation bugs in Media Library (#26515)
• upload: preserve animation frames in GIF and WebP images (#26126)
• utils: ignore empty sort when building orderBy (#26427)

📚 Documentation Changes

• openapi: add contributor documentation (#26410)

⚙️ Chore

• remove experimental-dev example app (#26552)
• update .gitignore for AI tooling directories (#26526)
• deps: bump axios from 1.16.1 to 1.17.0 (#26539)
• deps: bump the testing-library group across 1 directory with 2 updates (#26506)
• deps: bump actions/setup-node from 4 to 6 (#26496)
• deps: bump actions/stale from 10 to 10.2.0 (#26497)
• deps: bump preactjs/compressed-size-action from 2 to 3 (#26498)
• deps: resolve vulnerable transitive deps via lockfile dedupe and resolutions (#26540)
• deps: bump cheerio from 1.0.0 to 1.2.0 (#26569)
• deps: bump dorny/paths-filter from 3.0.3 to 4.0.1 (#26566)
• deps: bump actions/download-artifact from 4.3.0 to 8.0.1 (#26564)
• deps-dev: bump the eslint group across 1 directory with 10 updates (#26500)
• deps-dev: bump @types/delegates from 1.0.0 to 1.0.3 (#26570)
• deps-dev: bump the nx group across 1 directory with 2 updates (#26502)
• repo: skip change freeze ownership check when freeze disabled (#26474)

💅 Enhancement

• core/core: rounded thin borders for startup banner (#26273)
• graphql: use discriminated unions instead of unsafe type casting (#25913)
• upgrade: unhide and document upgrade to command (#26446)

🚨 Security

• deps: patch uuid (GHSA-w5hq-g745-h8pq) and qs DoS advisories (9aef801f35)
• deps: scope uuid/qs resolutions to affected descriptors (38b6831652)

❤️ Thank You

• Andrei L @unrevised6419
• Andrei Varapayeu @thisavoropaev
• Arav Menon @Arav-Menon
• Aurélien GEORGET
• Ben Irvin
• Dante Calderon @dantehemerson
• Jamie Howard @jhoward1994
• Maksim Zhukau @MaksZhukov
• mathildeleg @mathildeleg
• Nico André

2.0.2

2.0.2

Bug fixes

• update dockerfiles to use correct linker path for version details(725c003 by @kmendell)
• newly synced git content does not show without a refresh (#2870 by @kmendell)
• incorrect height on dashboard cards on smaller screens (#2878 by @kmendell)
• add missing swarm-identity endpoint in edge tunnel (#2886 by @kmendell)
• activities stream using main context causing app to hang at certain places (#2887 by @kmendell)
• x-arcane.icon-light/icon-dark overwriting service-level icons (#2888 by @kmendell)
• bind mounts fail to update after git syncs (#2891 by @kmendell)
• normalize git repo url, and allow changing of repo url (#2892 by @kmendell)

Performance improvements

• group-aware container pagination and table layout fixes (#2890 by @kmendell)

Dependencies

• bump github.com/shirou/gopsutil/v4 from 4.26.4 to 4.26.5 in /backend (#2866 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.17 to 1.19.22 in /backend (#2859 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.57.2 to 1.58.3 in /backend (#2855 by @dependabot[bot])
• bump svelte from 5.56.1 to 5.56.2 (#2862 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/config from 1.32.18 to 1.32.23 in /backend (#2864 by @dependabot[bot])
• bump github.com/docker/cli from 29.5.2+incompatible to 29.5.3+incompatible in /backend (#2865 by @dependabot[bot])
• bump charm.land/bubbletea/v2 from 2.0.6 to 2.0.7 in /cli (#2869 by @dependabot[bot])
• bump github.com/mattn/go-runewidth from 0.0.23 to 0.0.24 in /cli (#2868 by @dependabot[bot])
• bump marked from 18.0.4 to 18.0.5 (#2858 by @dependabot[bot])
• bump @tanstack/svelte-query from 6.1.33 to 6.1.34 (#2861 by @dependabot[bot])
• bump @codemirror/autocomplete from 6.20.2 to 6.20.3 (#2852 by @dependabot[bot])

Other

• reduce handler duplication and cleanup (#2889 by @kmendell)

Full Changelog: v2.0.1...v2.0.2

2.0.2

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.06.10

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.06.10

Changes

• upgrade yt-dlp from 2026.3.17 to 2026.6.9 (e30a24f)

Security Release

• Update Instructions
• Update details on blog

This is a security release to address the following vulnerabilities:

• Attachment requests could be manipulated to leak details/links/metadata (not content) of attachments which the user did not have permission to view.
• The file:// protocol could be abused in some Windows-specific scenarios to auto-run requests with credential information when viewing exports.
  • This protocol is now filtered from interactive content.
• The search system could be abused to cause errors and fill logs.

Upgrade is advised for instances with public viewing enabled, or where untrusted users have authenticated access.

Thanks to Stephen O. / Sakusen (Codeberg, Website), Gurmandeep Deol (LinkedIn), Rafael Castilho (X account) and Gabriel Duarte Guerra (GitHub) for responsibly reporting these issues.

Full List of Changes

• Updated PHP package versions.
• Updated translations with the latest Crowdin changes.
• Updated content allow-filtering to only allow the file:// protocol on anchor hrefs, instead of in all dynamic content.
• Updated attachment update handling to validate permissions before request content.
• Fixed numeric handling issue in tag search when using non-standard numbers.

⚠️ Note: This is the final Strapi 4 release ⚠️

No further updates to Strapi 4 will be published, this release serves as the final version of Strapi 4 which is considered EOL (End-Of-Life) as of April 30th, 2026. All Strapi users should migrate to Strapi 5: https://docs.strapi.io/cms/migration/v4-to-v5/introduction-and-faq

Also please note, this does include Strapi Customers as well. Strapi Cloud will still continue to function with Strapi 4 but that may be subject change in the near future without warning.

What's Changed

Security

• Fixed a critical vulnerability where relational filtering could expose sensitive data through insufficient query sanitization. See GHSA-rjg2-95x7-8qmx / CVE-2026-27886.
• Upgraded tar to v7 to address security warnings.
• Applied v4 dependency security and maintenance updates.

Fixes

• Enforced unique admin email validation when updating the authenticated user profile.

Compatibility

• Added Node.js 22 support for Strapi v4.

Full Changelog: v4.26.1...v4.26.2

Part-DB 2.12.1

Security fixes

• CRITICAL: Fixed issue that users with editing rights could execute arbitary php code in the docker installations by uploading phar files
• MEDIUM: Fixed XSS issue in unsanatized log entry extra. Due to the Content-Security-Policy this has limited impact, as no arbitrary javascript can be executed.
• MEDIUM: The APP_SECRET env must be changed to prevent forgery of REMEMBERME tokens. To be doable an attacker requires to know the secret password hash of a user, which is not obtainable without another security issue. Administrators will see an warning banner on the homepage, asking to change the APP_SECRET.

Generate an new random 32 character string with openssl rand -hex 32 and put the value for APP_SECRET into your .env.local or the environment section of the docker-compose.yaml.

Other changes

• Updated dependencies to fix known security issues in symfony and twig
• Updated KiCad symbol and footprint lists

Bug fixes

• update gomodule imports to /v2(6cb4913 by @kmendell)
• decrypting of notification tokens failing (#2850 by @kmendell)

Dependencies

• bump updater module to new module name(50c0847 by @kmendell)

Full Changelog: v2.0.0...v2.0.1

2.0.1

2.0.1

2.0.1

New features

• use DHI images for base docker image (b73eb4c by @wrycu)
• full rbac permissions (1500646 by @kmendell)
• full background activity tasks (3d2c9ef by @kmendell)
• new account page and small ui tweaks and fixes (526e6d6 by @kmendell)
• better universal dashboard ui tweaks (986333b by @kmendell)
• support for federated credentials for workflow automation (818d306 by @kmendell)
• icon catalog and passthrough (72c6f23 by @kmendell)
• customizable font size per user (#2848 by @kmendell)

Bug fixes

• decouple context for activities (2afd24a by @kmendell)
• add the ability to cancel ongoing activities (fb11a53 by @kmendell)
• show all environment activities (0a6be65 by @kmendell)
• trivy scans not using arcane registries credentials (5d29ce3 by @kmendell)
• make updater service skip swarm containers and make checks more robust (ef0cec6 by @kmendell)
• incorrect paths for activity syncing(9d06074 by @kmendell)
• add global csrf middleware (c922327 by @kmendell)
• better rbac frontend UX for selecting permissions (23e24b6 by @kmendell)
• project auto update not updating container properly (a6a106a by @kmendell)
• diagnostic logs not formatted correctly(eed265c by @kmendell)
• image update checks timeout for no reason (45e229c by @kmendell)
• fix project update order and authentication (793ae89 by @kmendell)
• events create rbac role removed cause its pointless (864a581 by @kmendell)
• validate claim value and role ID in OIDC mapping functions (fa0c147 by @kmendell)
• annotate jwt placeholder secret(bfec449 by @kmendell)
• prune long running stuck jobs (9dbf241 by @kmendell)
• project sync depth not respected during FS sync (09737ce by @kmendell)
• skip checking for updates on pinned digests (760a88d by @kmendell)

Dependencies

• use node version 26.x.x(7b0c9c0 by @kmendell)
• bump pnpm to v11.5.2(d236ee9 by @kmendell)
• upgrade to sveltekit v3 (2709b6b by @kmendell)
• upgrade to tanstack-table v9 (d81c19e by @kmendell)

Other

• remove deprecated services and logic (576865d by @kmendell)
• consolidate frontend types and utils(0d579fa by @kmendell)
• use distroless images over DHI to support all platforms(86b7f60 by @kmendell)
• updated tab bar design(f621fe4 by @kmendell)
• consolidate frontend logic / components (538465a by @kmendell)
• modernize and refactor deduped logic (22e7336 by @kmendell)
• modernize backend code (6e89cff by @kmendell)
• add new go linters and refactor functions (93eefa2 by @kmendell)
• generate services and jobs from google/wire (aa5f767 by @kmendell)
• better RBAC layout filters and catalog (da70b3f by @kmendell)
• use getarcaneapp/updater module (35a0f2b by @kmendell)
• register each gitsync job individually (f1e9f44 by @kmendell)
• enhance updater functionality with restart status and options handling (c8dd0ce by @kmendell)
• migrate from golang-migrate to goose for database (3cdc8a4 by @kmendell)
• cleanup duplicated frontend code (2b68577 by @kmendell)
• update email template design(#2841 by @kmendell)

Full Changelog: v1.20.0...v2.0.0

2.0.0

2.0.0

2.0.0

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.06.06

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.06.06

Changes

• add option for following nightly yt-dlp releases (closes #999) (ee20512)

⚠️ Potential Breaking Changes

Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160)

• Health checks are cached by default and shared across multi-instance deployments

• /server/health will return 404 for unauthenticated requests, use /server/ping for liveness checks

• cache, rateLimiter and rateLimiterGlobal health checks have been replaced by a generic redis check using the redis: prefix

• @directus/api

  • Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)

✨ New Features & Improvements

• @directus/api
  • Allow disabling the health check endpoint via HEALTHCHECK_ENABLED or selectively disabled checked services via HEALTHCHECK_SERVICES (#27160 by @ComfortablyCoding)
• @directus/types
  • Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
• @directus/env
  • Allow disabling the health check endpoint via HEALTHCHECK_ENABLED or selectively disabled checked services via HEALTHCHECK_SERVICES (#27160 by @ComfortablyCoding)
• @directus/memory
  • Added TTL support for local KV and cache stores (#27160 by @ComfortablyCoding)
• @directus/system-data
  • Updated directus_oauth_* system collection visibility to match other system collections (#27682 by @hanneskuettner)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed project setup silently ignoring invalid license keys (#27671 by @ComfortablyCoding)
  • Fixed tick rendering when count exceeds display limit in v-slider (#27644 by @HZooly)
  • Consolidated URLs and emails into shared constants (#27641 by @HZooly)
  • Capped datepicker year to prevent invalid date (#27659 by @HZooly)
  • Fixed EXTENSIONS_PATH and EXTENSIONS_LOCATION env vars not being respected by the Vite dev server (#27642 by @HZooly)
  • Added notice on license page with oig link (#27661 by @robluton)
  • Fixed bug on tooltip value when decimals is 0 in pie chart panel (#27356 by @Prateet-Github)
  • Added missing collection note translations for the directus_oauth_* system collections (#27682 by @hanneskuettner)
  • Fixed search input not trimming whitespace, causing queries with leading or trailing spaces to return no results (#27359 by @khanahmad4527)
  • Added minor copy change to license onboarding and license key interface (#27651 by @robluton)
  • Updated license request links. (#27652 by @HZooly)
  • Added support for translatable flow names via the existing $t: prefix and translation strings, matching the field/collection label pattern. The flow name input in the flow editor now exposes the translation picker. (#27472 by @khanahmad4527)
  • Removed unsupported json filter function from the studio (#27669 by @sourav-18)
• @directus/api
  • Fixed nested deep query parameters being dropped when filters use dynamic variables (#27676 by @mazen-salah)
  • Fixed bulk creation of itemless drafts always fails (#27683 by @ComfortablyCoding)
  • Prevented setting a custom user provider when not entitled to SSO (#27675 by @ComfortablyCoding)
  • Fixed aliased relational fields in GraphQL queries, fragments and REST queries (#27054 by @AlexGaillard)
  • Fixed failed itemless drafts being dropped from version reads when limit=-1 (#27578 by @alvarosabu)
  • Fixed singletons allowing multiple itemless versions (#27532 by @formfcw)
  • Fixed issue causing duplicate admin roles on first admin creation (#27663 by @robluton)
  • Fixed project setup silently ignoring invalid license keys (#27671 by @ComfortablyCoding)
• @directus/sdk
  • Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
  • Fixed SingletonCollections incorrectly including core schema collections (#27196 by @kheiner)
• @directus/constants
  • Consolidated URLs and emails into shared constants (#27641 by @HZooly)

📦 Published Versions

• @directus/app@16.0.0-rc.1
• @directus/api@36.0.0-rc.1
• @directus/composables@11.5.0-rc.1
• @directus/constants@14.4.0-rc.1
• create-directus-extension@12.0.0-rc.1
• @directus/env@6.0.0-rc.1
• @directus/extensions@4.0.0-rc.1
• @directus/extensions-registry@4.0.0-rc.1
• @directus/extensions-sdk@18.0.0-rc.1
• @directus/memory@4.0.0-rc.1
• @directus/pressure@4.0.0-rc.1
• @directus/schema-builder@1.0.0-rc.1
• @directus/storage-driver-azure@13.0.0-rc.1
• @directus/storage-driver-cloudinary@13.0.0-rc.1
• @directus/storage-driver-gcs@13.0.0-rc.1
• @directus/storage-driver-s3@13.0.0-rc.1
• @directus/storage-driver-supabase@4.0.0-rc.1
• @directus/system-data@4.5.0-rc.1
• @directus/themes@2.0.0-rc.1
• @directus/types@16.0.0-rc.1
• @directus/utils@13.5.0-rc.1
• @directus/validation@3.0.0-rc.1
• @directus/sdk@22.0.0-rc.1

New features

• add removeOrphans option to project deploy/redeploy (#2785 by @khanhx)
• prune idle volume browser helper containers (#2767 by @Zgrill2)

Bug fixes

• slog-go nil pointer dereference (#2781 by @lohrbini)
• dashboard card buttons paddings overlaps(c1a0bda by @kmendell)
• disable schema display on text selection(058f062 by @kmendell)
• clear / check for default jwt secret(ae914bd by @kmendell)

Dependencies

• bump date-fns from 4.2.1 to 4.3.0 (#2745 by @dependabot[bot])
• bump @sveltejs/kit from 2.60.1 to 2.61.1 (#2748 by @dependabot[bot])
• bump docker/login-action from 4.1.0 to 4.2.0 (#2739 by @dependabot[bot])
• bump eps1lon/actions-label-merge-conflict from 3 to 3.0.3 (#2743 by @dependabot[bot])
• bump depot/build-push-action from 1.17.0 to 1.18.0 (#2738 by @dependabot[bot])
• bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#2740 by @dependabot[bot])
• bump github/codeql-action from 4.35.5 to 4.36.0 (#2741 by @dependabot[bot])
• bump github.com/nicholas-fedor/shoutrrr from 0.15.0 to 0.15.1 (#2747 by @dependabot[bot])
• bump @tanstack/svelte-query from 6.1.30 to 6.1.33 (#2744 by @dependabot[bot])
• bump react-email from 6.2.0 to 6.3.3 (#2749 by @dependabot[bot])
• bump react and @types/react (#2821 by @dependabot[bot])
• bump svelte from 5.55.9 to 5.56.1 (#2798 by @dependabot[bot])
• bump react-email from 6.3.3 to 6.5.0 (#2806 by @dependabot[bot])
• bump prettier-plugin-svelte from 4.0.1 to 4.1.0 (#2811 by @dependabot[bot])
• bump react-dom from 19.2.6 to 19.2.7 (#2799 by @dependabot[bot])
• bump @xyflow/svelte from 1.5.2 to 1.6.0 (#2809 by @dependabot[bot])
• bump eps1lon/actions-label-merge-conflict from 3.0.3 to 3.1.0 (#2801 by @dependabot[bot])
• bump date-fns from 4.3.0 to 4.4.0 (#2810 by @dependabot[bot])
• bump github/codeql-action from 4.36.0 to 4.36.1 (#2800 by @dependabot[bot])
• bump to go 1.26.4(31efe1a by @kmendell)

Full Changelog: v1.19.5...v1.20.0

1.20.0

1.20.0

1.20.0

1.7.3 (2026-06-04)

Features

• Mail: Inline attachment preview — reliable MIME detection with inline PDF on desktop and mobile
• Mail: Preview composer attachments inline (click to open)
• Mail: Preview .eml (message/rfc822) attachments like an email
• Mail: Read receipts (MDN, RFC 8098)
• Mail: Editable, layout-preserving quote island when replying
• Mail: Surface the most severe SPF result and hide the "via" badge on spoofed mail
• Calendar: Per-viewer colors for shared calendars (#345)
• Filters: Extended filter rules — attachment field and multi-value conditions
• Settings: New built-in themes — Aurora Glass and Elastic
• Settings: Theme cards render as a mini mailbox mockup from theme colors, with light/dark variant chips
• Plugins: Localizable sandboxed plugins (manifest locales + api.i18n.t)
• Plugins: /api/translate proxy and email body exposed to plugins
• Admin: Toggle for search-engine indexing (robots)
• Admin: passwordHashFile in admin.json
• Admin: sessionSecretFile and oauthClientSecretFile for file-based secrets in JSON config
• PWA: Configurable install screenshots (per-domain)
• i18n: Hungarian locale support

Fixes

• Files: Store Files as real FileNode hierarchy, migrate legacy flat-named files on load, and list folders via FileNode/get so they are visible (#379)
• Files: Treat a blob-less FileNode as the only folder signal and migrate legacy dir-markers
• Mail: Empty Trash for shared and group folders (#387)
• Mail: Move mail from a shared group inbox to a personal inbox (#375)
• Mail: Preserve the HTML signature when sending a quick reply
• Mail: Stop body clipping under the fold when the email sets html/body height: 100%
• Mail: Drop single-letter R:/I: subject prefix tokens and deduplicate localized reply/forward prefixes
• Mail: No more 404 console spam for missing sender favicons
• Auth: Discover OIDC metadata server-side to avoid CORS failures (#382)
• Send: Route the Sent copy to the shared-mailbox account on per-identity send
• Routing: Honour basePath in the plugin sandbox, http.post proxy, and branding
• i18n: Localize the PWA install prompt, reply/forward quote header (incl. sender address), <html lang>, and per-locale <head> description; add missing settings.folders.role_memos key
• Themes: Plugin slot iframes inherit host font and color tokens
• Theme: Gate preview "open in new tab" on inline-safe MIME types
• Appearance: Move Themes settings into the Appearance category with a distinct tab icon; clicking the active theme is a no-op
• UI: Fix invisible dark-mode borders (border token collided with secondary)
• UI: Remove the 16px empty strip beside the collapsed sidebar
• UI: Align top bars to a uniform h-14 height and the account selector header to the search/reply toolbars
• UI: Close pane gaps by centering the resize handle on the seam
• Settings: Fix section gears permanently hijacking the active tab

5.47.1 (2026-06-03)

🔥 Bug fix

• deleteMany respects filters combined with relation (#25420)
• improve i18n plugin translations (#22714)
• resolve ajv ReDoS vulnerability by forcing ajv@8.18.0 (#26141)
• admin: use ISO 639-1 da for Danish admin locale (#26322)
• content-manager: documentId(s) shown for relation when entry title set to numeric field (#25622)
• content-manager: guard repeatable field .map() crash on relation… (#26421)
• content-manager: fix frontend validation if not using "draft and publish" (#25300)
• core: skip session secret check for API-only apps (#26390)
• data-transfer: preserve core store when config stage is excluded (#26484)
• deps: upgrade koa-session to v7.0.2 (#26140)
• homepage: homepage count-documents slow on large D&P tables (#26370)
• i18n: preserve non-localized field inheritance (#26367)
• strapi: preserve tsbuildinfo across develop restarts (#26264)
• upgrade: simplify registry URL resolution (#25027)

📚 Documentation Changes

• security: overhaul vulnerability reporting policy (#26393)

⚙️ Chore

• admin: remove punycode dependency (#26189)
• deps: bump axios from 1.16.0 to 1.16.1 (#26456)
• deps: bump express-rate-limit from 8.2.1 to 8.5.2 (#26457)
• deps: bump @hono/node-server from 1.19.9 to 1.19.14 (#26458)
• deps: bump qs from 6.15.0 to 6.15.2 (#26417)
• deps: bump @babel/plugin-transform-modules-systemjs from 7.25.9 to 7.29.4 (#26256)
• deps: bump hono from 4.11.9 to 4.12.23 (#26455)
• deps: bump @tootallnate/once from 2.0.0 to 2.0.1 (#26218)
• docs: migrate docusaurus config to typescript (#26471)
• mcp: clarify registration lifecycle and simplify error messages (#26517)
• upload: remove aiMetadataJobsCleanup cron job (#26442)

💅 Enhancement

• core: lazy-load node-schedule and umzug at boot (#26267)
• core: eliminate @strapi/typescript-utils from boot path (#26270)
• core/core: lazy-load typescript-utils in Strapi and compile (#26266)
• strapi: hash-cache peer-dep check; demote env-vars log to debug (#26269)
• strapi: lazy-require worker-only deps in dev primary (#26268)

❤️ Thank You

• Andrei L @unrevised6419
• Aurélien GEORGET
• Ben Irvin @innerdvations
• DMehaffy @derrickmehaffy
• Jamie Howard @jhoward1994
• Jayesh Patel @itsmejay80
• Jonas Thelemann
• José Luis @SalahAdDin
• markkaylor @markkaylor
• mehmet turac @mturac
• Michael Olund
• Nico André @nclsndr
• Paul Bratslavsky @PaulBratslavsky
• pksr @pksr
• Subh aush singh
• Vishal Kumar Singh @singhvishalkr
• Weijie Sun @swjcpy

Changelog

• 3cf10d8 chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/storage/azblob
• cd3f2ff chore(deps): bump github.com/Azure/go-ntlmssp from 0.1.0 to 0.1.1
• deda805 chore(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2
• 325ab6e chore(deps): bump the dev-dependencies group with 19 updates
• fbe2a4b chore(deps): bump the dev-dependencies group with 7 updates
• 2ed8b78 chore(deps): bump the dev-dependencies group with 9 updates
• e4fa31c chore: fix sidecar flag in runtests to correctly pass test option
• db3478d chore: update go package dependencies
• 861c5f5 feat: add bucket metrics tag when request specifies a bucket
• d1fba07 feat: add custom route and middleware options
• 8ae566d feat: add new ErrNoSpaceLeftOnDevice API error for ENOSPC errors
• 20939bd feat: extract gateway runtime into embeddable package
• 9f786b3 feat: global error refactoring
• cb609e4 feat: replace webui client-side name filter with server-side prefix filter
• d2fa265 feat: support sha512, md5, xxhash3, xxhash64, xxhash128 data integrity checksums
• e6aa9de fix: apply CORS middleware to admin CreateBucket route
• 8d5b2be fix: check PutObjectTagging/LegalHold/Retention permissions on PutObject,CopyObject and CreateMultipartUpload
• e137e8d fix: connection early termination resulting in internal error
• a5fc7c1 fix: decode URL hash in webui before parsing bucket/prefix
• 5774702 fix: enforce required SignedHeaders validation for SigV4 requests
• 0e165ed fix: expose x-amz-storage-class in CORS response headers
• 4ef090d fix: fix empty ownership control rules panic
• fe3cfbf fix: forward slash url encoded used as bucket/key separator
• ed1ad6b fix: honor explicit public bucket policy deny
• 2c0844a fix: ignore implicit directories for Get/HeadObject
• cd0b4e6 fix: normalize object keys during bucket policy evaluation
• e69d073 fix: reject SigV2 requests
• eecc1a7 fix: reject invalid PostObject keys
• 27971f2 fix: remove unsigned chunk reader caching
• d498d48 fix: replace misleading webui CORS error toast with generic network error message
• dd27c6c fix: scoutfs multipart alignment check for last part
• bb3cdd9 fix: skip integration tests not compatible in sidecar
• 5cb5541 fix: store object multipart upload metadata compressed

Changelog

Features

• 66ba9d9: feat: Add language pt-BR (Portuguese Brazilian) (#1743) (@antraxbr666)

Others

• 24bdf67: update deps (@seriousm4x)

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.05.30

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.05.30

Changes

• styling improvements (897d52c)

⚠️ Potential Breaking Changes

Introduced VERSION_KEY_ constants and renamed main to published @alvarosabu (#27397)*
Backward Compatibility: You can now use ?version=published to resolve versions of the main item(s) via the version query parameter. For backward compatibility, ?version=main will continue to work.

Replaced status field with archived boolean in collection settings @alvarosabu (#27397)
Backward Compatibility: Existing collections with string-based status fields continue to work unchanged; newly created collections now default to a boolean "Archived" field instead of the string "Status" field

Deprecated the VResizeable component @formfcw (#27437)

• Deprecation for extensions: The globally registered VResizeable component has been deprecated. Extension authors using <v-resizeable> should migrate to @directus/vue-split-panel or their own implementation.

Updated type system, borders, and theme variables @formfcw (#27437)

• Potential breaking change for theme extensions: headerShadow and sidebarShadow removed from LayoutConfig interface
• Potential breaking change for theme extensions: boxShadow removed from header theme rules schema
• Potential breaking change for theme extensions: sidebarShadow no longer exposed in layout wrapper state

Updated module navigation bar spacing and styling @HZooly (#27437)

• Potential breaking change in theme extensions: Removed navigation.project.borderColor / navigation.project.borderWidth / navigation.project.background from theming. No action is required — these props will simply no longer have any effect.

Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397)

• Breaking change — new behavior for versioned collections Published items in versioned collections are now locked. Edits must be made through the draft version.

Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437)

• Potential breaking change for extensions: The rounded prop has been removed from v-button. Extensions using rounded will still render correctly but buttons will appear as rounded rectangles instead of circles. No functional impact.

Changed license to MSCL-1.0-GPL (#27417)

• Breaking Change: Relicensed from BUSL-1.1 to MSCL-1.0-GPL (Monospace Sustainable Core License, Version 1.0).

Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437)

• Potential breaking change for theme extensions: The theme properties navigation.background, navigation.backgroundAccent, navigation.borderWidth, navigation.borderColor, header.background, header.borderWidth, and header.borderColor have been removed and replaced by shell.background, shell.backgroundAccent, shell.borderWidth, and shell.borderColor.
• Potential breaking change for theme extensions: Custom themes overriding any of these removed properties must migrate to the new shell scope. The corresponding CSS variables change from --theme--navigation--background, --theme--navigation--background-accent, --theme--navigation--border-*, --theme--header--background, and --theme--header--border-* to --theme--shell--background, --theme--shell--background-accent, and --theme--shell--border-*.

Removed the extra confirmation step from the publish flow @alvarosabu (#27487)

• Breaking change — new publish flow: Publishing a version no longer shows an additional confirmation dialog after confirming changes in the comparison modal. The item is published directly once the changes are confirmed.

Updated sidebar styles @formfcw (#27437)

• Potential breaking change for theme extensions: Removed section.toggle.borderWidth / section.toggle.borderColor in favor of section-level border tokens. No action is required — these props will simply no longer have any effect.
• Potential breaking change for theme extensions: Removed sidebarShadow and headerShadow from defineLayout(). No action is required — these props will simply no longer have any effect.

Refactored focus ring from border/box-shadow to outline @formfcw (#27437)

• Potential breaking change for theme extensions: borderColorFocus, boxShadowHover, and boxShadowFocus are removed from the theme schema — custom themes referencing these will lose their focus overrides silently
• Potential breaking change for interface extensions that relied on --theme--form--field--input--border-color-focus or --theme--form--field--input--box-shadow-focus CSS variables will need to migrate to --theme--form--field--input--focus-ring-color

Updated header bar elements and deprecated the headline slot @formfcw (#27437)

• Deprecation for extensions: The headline slot on the private view header bar has been deprecated. Existing content keeps rendering, but consumers using <template #headline> will now see a deprecation hint from Volar.

Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607)
The IP_TRUST_PROXY default was changed from true to false. If you run Directus behind a reverse proxy and rely on X-Forwarded-For (or similar) headers for client IP resolution, you must now explicitly set IP_TRUST_PROXY to true or a more specific trust configuration.

• @directus/app
  • Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397 by @formfcw)
  • Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437 by @formfcw)
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
  • Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)
  • Removed the extra confirmation step from the publish flow @alvarosabu (#27487 by @alvarosabu)
• @directus/api
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/themes

  • Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)

  • Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)

  • Updated sidebar styles @formfcw (#27437 by @formfcw)

  • Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
    • Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
    • Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.

    :::

• @directus/types

  • Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)

  • Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)

  • Updated sidebar styles @formfcw (#27437 by @formfcw)

  • Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
    • Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
    • Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.

    :::

• @directus/extensions
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/extensions-registry
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/extensions-sdk
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/format-title
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/memory
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/pressure
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/release-notes-generator
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/update-check
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/validation
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/schema
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/schema-builder
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/specs
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage-driver-cloudinary
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage-driver-supabase
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage-driver-azure
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage-driver-gcs
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage-driver-local
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage-driver-s3
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/stores
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• create-directus-extension
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• create-directus-project
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/env
  • Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607 by @br41nslug)
• @directus/sdk

  • Refactor sdk error to use class over object (#27417 by @ComfortablyCoding)

    :::warning
    Requests that fail will now throw a RequestError instead of returning a response with an error property.
    :::

✨ New Features & Improvements

• @directus/app

  • Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)

  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)

  • Fixed Image Editor save button to use split button @HZooly (#27437 by @formfcw)

  • Added split-menu slot to v-button and migrate primary header actions @formfcw (#27437 by @formfcw)

  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)

  • Added version support to getItemRoute and update all callers to preserve version context when navigating to items from layouts and interfaces @alvarosabu (#27397 by @formfcw)

  • Added behavior to auto-switch to the draft version on the first edit of published item @alvarosabu (#27507 by @alvarosabu)

  • Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)

  • Updated Visual Editor header bar buttons @formfcw (#27437 by @formfcw)

  • Updated content route middleware to handle singleton collections and draft flow via route guards @alvarosabu (#27397 by @formfcw)

  • Replaced status field with archived boolean in collection settings @alvarosabu (#27397 by @formfcw)

  • Updated module bar buttons style @HZooly (#27437 by @formfcw)

  • Deprecated the VResizeable component @formfcw (#27437 by @formfcw)

  • Updated VChip component to appear as a pill in form field label, group accordion, group tabs, kanban, deployment status, extension item, marketplace extension list item, marketplace extension banner, and user popover @formfcw (#27462 by @formfcw)

  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)

  • Rendered non-clickable version menu without directus_versions read access @alvarosabu (#27461 by @alvarosabu)

  • Added item-less draft creation flow for versioned collections @alvarosabu (#27397 by @formfcw)

  • Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)

  • Updated Visual Editor popover/modal action buttons @formfcw (#27437 by @formfcw)

  • Updated UI for the Draft & Publish workflow @formfcw (#27437 by @formfcw)

  • Updated mobile appearance of drawer sidebar @formfcw (#27437 by @formfcw)

  • Moved Promote/Publish button to header actions @alvarosabu (#27397 by @formfcw)

  • Updated primary header actions to show label and replace outlined header action buttons @formfcw (#27437 by @formfcw)

  • Updated SearchInput component to match the new design @formfcw (#27437 by @formfcw)

  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)

  • Refactored header bar action slots and reorganized CTAs @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The actions:append slot in the header bar has been deprecated in favor of the new actions:primary slot for primary CTAs. Existing actions:append usage keeps rendering in the secondary-actions zone, but consumers will now see a deprecation hint from Volar.

    :::

  • Added navigation logic on discarding item-less versions @alvarosabu (#27397 by @formfcw)

  • Put the sidebar into the content area @HZooly (#27437 by @formfcw)

  • Updated color system for VChip and VersionMenu components @formfcw (#27437 by @formfcw)

  • Updated content section spacing and drawer content spacing @HZooly (#27437 by @formfcw)

  • Extracted the card subheader into a reusable subheader component @HZooly (#27437 by @formfcw)

  • Added version select to collection page @alvarosabu (#27397 by @formfcw)

  • Updated sidebar styles @formfcw (#27437 by @formfcw)

  • Renamed "Promote" to "Publish" in version menu and disabled create version and published selection for item-less versions @alvarosabu (#27397 by @formfcw)

  • Added version query param guards on content-item route @alvarosabu (#27397 by @formfcw)

  • Improved bookmark flow @formfcw (#27450 by @formfcw)

  • Forwarded theme tokens and i18n strings from Studio to the visual-editing iframe @formfcw (#27469 by @formfcw)

  • Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)

  • Introduced VersionChip component @formfcw (#27437 by @formfcw)

  • Updated theme preview component to match the new design @formfcw (#27437 by @formfcw)

  • Updated collab avatar indicator design @formfcw (#27437 by @formfcw)

  • Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
    • Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
    • Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.

    :::

  • Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)

  • Ensured to switch to the draft version when visually editing an item of a versioned collection @formfcw (#27595 by @formfcw)

  • Extracted reusable ModuleBarButton component @formfcw (#27437 by @formfcw)

  • Moved client-validation to promote version workflow instead of save version @alvarosabu (#27397 by @formfcw)

  • Added Create New action to publish split menu with shortcut @alvarosabu (#27425 by @alvarosabu)

• @directus/api
  • Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
  • Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
  • Added support for item-less versions @Nitwel (#27397 by @formfcw)
  • Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
• @directus/constants
  • Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)
• @directus/env
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
• @directus/system-data
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Replaced status field with archived boolean in collection settings @alvarosabu (#27397 by @formfcw)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
• @directus/types
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
  • Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)
  • Added support for item-less versions @Nitwel (#27397 by @formfcw)
  • Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
• @directus/errors
  • Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)
• @directus/composables
  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
  • Added version select to collection page @alvarosabu (#27397 by @formfcw)
• @directus/themes
  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
  • Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)
  • Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)
• @directus/utils
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
• @directus/sdk
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
  • Added support for item-less versions @Nitwel (#27397 by @formfcw)
• @directus/specs
  • Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
• @directus/visual-editing
  • Redesigned the editable-element overlay with theming, RTL support and improved a11y @formfcw (#27469 by @formfcw)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Added DIRECTUS_DOMAIN constant and replaced hardcoded directus.io to directus.com using the new constant (#27417 by @ComfortablyCoding)
  • Limited mobile sidebar width so the overlay can be tapped to close it @HZooly (#27437 by @formfcw)
  • Bumped vue-tsc to 3.1.8 (#27437 by @formfcw)
  • Fixed icon alignment in v-divider component @HZooly (#27437 by @formfcw)
  • Fixed v-dialog returning focus to opener instead of an autofocused child on close @formfcw (#27464 by @formfcw)
  • Fixed flow handle button alignment in flow editor @HZooly (#27437 by @formfcw)
  • Shown "Import in background" checkbox only when a file is selected @HZooly (#27437 by @formfcw)
  • Fixed sidebar reopening at minimum size after being collapsed via drag handle @HZooly (#27437 by @formfcw)
  • Fixed vue console warnings related to the comparison modal (#27538 by @formfcw)
  • Fixed misaligned filter editor in search bar @formfcw (#27454 by @formfcw)
  • Changed back button behavior, always navigates one level up @HZooly (#27437 by @formfcw)
  • Fixed repeater interface ignoring per-field translations and $t: keys on sub-field labels, and added a "Field Name Translations" section to the sub-field configuration UI (#27374 by @khanahmad4527)
  • Fixed calendar layout toolbar responsiveness @HZooly (#27437 by @formfcw)
  • Fixed items not being selectable in the collection drawer when the Kanban layout is used while the parent item is opened in a version context @alvarosabu (#27427 by @alvarosabu)
  • Fixed bookmark icon and color not showing in header @formfcw (#27437 by @formfcw)
  • Fixed UI freeze caused by WYSIWYG interface when its non-editable state toggles @formfcw (#27515 by @formfcw)
• @directus/api
  • Fixed registration email verification tokens to use the configured secret fallback when SECRET is missing. (#27406 by @rijkvanzanten)
  • Bumped axios, js-cookie, samlify, systeminformation, simple-git, fast-uri dependencies (#27589 by @br41nslug)
  • Fixed MCP OAuth dynamic client registration defaults and metadata responses. (#27628 by @hanneskuettner)
  • Updated IP blocking (#27606 by @br41nslug)
  • Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
• @directus/constants
  • Added DIRECTUS_DOMAIN constant and replaced hardcoded directus.io to directus.com using the new constant (#27417 by @ComfortablyCoding)
• @directus/system-data
  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
  • Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
• @directus/types
  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
• @directus/utils
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
• @directus/ai
  • Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
• @directus/release-notes-generator
  • Ignored private workspace packages when generating release notes (#27637 by @licitdev)

📦 Published Versions

• @directus/app@16.0.0-rc.0
• @directus/api@36.0.0-rc.0
• @directus/ai@1.3.2-rc.0
• @directus/composables@11.5.0-rc.0
• @directus/constants@14.4.0-rc.0
• create-directus-extension@12.0.0-rc.0
• create-directus-project@13.0.0-rc.0
• @directus/env@6.0.0-rc.0
• @directus/errors@2.4.0-rc.0
• @directus/extensions@4.0.0-rc.0
• @directus/extensions-registry@4.0.0-rc.0
• @directus/extensions-sdk@18.0.0-rc.0
• @directus/format-title@13.0.0-rc.0
• @directus/memory@4.0.0-rc.0
• @directus/pressure@4.0.0-rc.0
• @directus/release-notes-generator@3.0.0-rc.0
• @directus/schema@14.0.0-rc.0
• @directus/schema-builder@1.0.0-rc.0
• @directus/specs@14.0.0-rc.0
• @directus/storage@13.0.0-rc.0
• @directus/storage-driver-azure@13.0.0-rc.0
• @directus/storage-driver-cloudinary@13.0.0-rc.0
• @directus/storage-driver-gcs@13.0.0-rc.0
• @directus/storage-driver-local@13.0.0-rc.0
• @directus/storage-driver-s3@13.0.0-rc.0
• @directus/storage-driver-supabase@4.0.0-rc.0
• @directus/stores@3.0.0-rc.0
• @directus/system-data@4.5.0-rc.0
• @directus/themes@2.0.0-rc.0
• @directus/types@16.0.0-rc.0
• @directus/update-check@14.0.0-rc.0
• @directus/utils@13.5.0-rc.0
• @directus/validation@3.0.0-rc.0
• @directus/visual-editing@2.1.0-rc.0
• @directus/sdk@22.0.0-rc.0