v4.0.0-beta.474

21 April 2026 at 12:31

What's Changed

Security & Fixes

  • Prevent data loss when persistent containers (databases, apps, services) are accidentally pruned during service deletion (#9654, fixes #9582)
  • Fix S3 storage backup endpoints returning 500 in API context (#9655, fixes #9581)
  • Encrypt manual webhook secrets and strengthen HMAC signature verification (#9652)
  • Fix Rocky Linux installer to use correct RHEL Docker repository (#9541, fixes #8730)
  • Harden authentication: upgrade email verification hash and fix invitation link login (#9672)
  • Validate and rate-limit feedback endpoint (#9653)
  • Tighten volume name and path validation with shell argument escaping (#9666)
  • Validate backup upload file type and size limits (#9667)
  • Tighten S3 endpoint URL validation (#9668)
  • Harden dev helper version validation and build argument escaping (#9670)
  • Strengthen team scoping across resource creation flows (#9651)
  • Fix SSH repository URLs with custom ports being mangled (#9425)
  • Fix healthcheck path validation rejecting commas and semicolons (#9223)
  • Fix database credential validation and shell escaping across Postgres, MySQL, MariaDB (#9674, #9676, #9681, #9682)
  • Improve shell command tokenization for install, build, and start commands (#9684)
  • Return stable generic error messages for API 5xx responses (#9669)

Improvements

  • Add optional expiration for API tokens with advance notification warning before expiry (#9677)
  • Add DELETE API endpoint to remove preview deployments by pull request ID (#9614)
  • Mark Docker Swarm support as deprecated ahead of v5 removal (#9621)
  • Categorize application advanced settings into logical sections (#9234)
  • Improve service settings layout with dedicated advanced page and clearer headings (#9027)
  • Display memory limit fields in a single row (#9232)
  • Add info callout to clone resource section listing excluded items (#9233)
  • Add architecture warning for service templates with platform limitations (#8390)
  • Improve domain port+path format documentation in the UI (#8331)

What's Changed (GitHub)

  • fix(installer): use RHEL Docker repo for Rocky Linux by @andrasbacsai in #9541
  • fix(dev): add Docker volume path mapping to testing-host for database deployments by @cyface in #9534
  • feat(ui): categorize application advanced settings into logical sections by @ShadowArcanist in #9234
  • feat(ui): add info callout to clone resource section about excluded items by @ShadowArcanist in #9233
  • feat(ui): display memory limit fields in single row by @ShadowArcanist in #9232
  • fix(healthcheck): user input is rejected if path contains comma and semicolon by @ShadowArcanist in #9223
  • feat(ui): improve service settings UX, headings, and helper text for clarity by @ShadowArcanist in #9027
  • feat(services): add architecture warning by @Cinzya in #8390
  • Added extra documentation on format for port+path for domains by @JamesPeters98 in #8331
  • fix(git): preserve ssh scheme URLs with custom ports by @Iisyourdad in #9425
  • refactor: tighten team scoping on resource creation and admin nav by @andrasbacsai in #9651
  • build(deps-dev): bump follow-redirects from 1.15.11 to 1.16.0 by @dependabot[bot] in #9580
  • refactor(webhook): encrypt manual webhook secrets and tighten HMAC verification by @andrasbacsai in #9652
  • feat(api): add DELETE endpoint for preview deployments by PR id by @andrasbacsai in #9614
  • refactor(api): validate and throttle feedback endpoint by @andrasbacsai in #9653
  • fix(server): exclude persistent resources from container prune by @andrasbacsai in #9654
  • fix(api): use explicit team ID for S3 storage lookup in backup endpoints by @andrasbacsai in #9655
  • refactor(volumes): validate input and escape shell args by @andrasbacsai in #9666
  • refactor(backup): validate database backup upload file type and size by @andrasbacsai in #9667
  • refactor(storage): tighten S3 endpoint URL validation by @andrasbacsai in #9668
  • refactor(settings): harden dev_helper_version validation and escape build args by @andrasbacsai in #9670
  • refactor(api): return stable generic error messages for 5xx responses by @andrasbacsai in #9669
  • [v5.x] chore: mark v4 docker swarm support as deprecated by @peaklabs-dev in #9621
  • refactor: harden auth, CLI input, and scheduled-log viewer by @andrasbacsai in #9672
  • fix(database): mount guard, healthcheck CMD exec-form, port input layout by @andrasbacsai in #9674
  • fix(database): credential format validation with dirty-value escape hatch by @andrasbacsai in #9676
  • feat(security): add expiration support for API tokens by @andrasbacsai in #9677
  • fix(database): tighten Postgres init script filename handling by @andrasbacsai in #9681
  • refactor(database): align Postgres SSL chown escaping with MySQL by @andrasbacsai in #9682
  • refactor(validation): tokenize shell-safe command pattern by @andrasbacsai in #9684
  • v4.0.0-beta.474 by @andrasbacsai in #9542

New Contributors

Full Changelog: v4.0.0-beta.473...v4.0.0-beta.474
