New features

• show pull usage and limits (if applicable) (#2458 by @kmendell)
• automated docker api re-negotiation (#2471 by @kmendell)
• implement node label management with system and user label separation (#2479 by @SplinterHead)
• allow mTLS auth for edge agents (#2116 by @kmendell)
• implement multi-file swarm git sync and host path mapping (#2457 by @SplinterHead)
• ability to archive projects (#2519 by @kmendell)
• redesigned updater center for arcane self updates (#2558 by @kmendell)

CLI - New features

• arcane-cli update channels and self-update (#2517 by @kmendell)

Bug fixes

• git sync file size limitations not being respected (#2427 by @kmendell)
• default secret and config UID/GID to "0" to prevent parsing errors (#2422 by @SplinterHead)
• resolve project status using effective compose project name (#2198 by @GiulioSavini)
• block compose self-redeploy when arcane manages itself (#2404 by @GiulioSavini)
• scope named volume sources to stack in service mounts (#2430 by @GiulioSavini)
• card overview headers missaligned on layout(5fd35e4 by @kmendell)
• include files not created with new projects (#2463 by @kmendell)
• tables are laggy when lots of rows are rendered (#2468 by @kmendell)
• buildkit not using the image exporter (#2469 by @kmendell)
• swarm scale mode and replicas fixes (#2470 by @kmendell)
• prevent slog-gin panic on tunneled requests (#2467 by @lohrbini)
• don't clear real image records when marking ref-aliases up to date (#2474 by @GiulioSavini)
• restrict git repository management to admins and block credential reuse on URL changes (#2504 by @kmendell)
• show loading state immediately on swarm service actions (#2475 by @GiulioSavini)
• allow mtls when tls is not managed by arcane (#2503 by @kmendell)
• skip excluded containers when collecting images for auto-update pull (#2473 by @GiulioSavini)
• remove double verification of mTLS certificates (#2505 by @kmendell)
• image update checks fail on mobile due to incorrect id (#2506 by @kmendell)
• add registry.gitlab.com to trustedAuthDelegations (#2507 by @kmendell)
• accent color allows non color values to be saved (#2513 by @kmendell)
• handle directory-sync file paths that Docker previously created as directories (#2508 by @kmendell)
• improve login form autofill compatibility (#2514 by @MikeO7)
• use in-memory trivy DB backend on 32-bit architectures to prevent mmap allocation failure (#2529 by @kmendell)
• allow force removing of images (#2530 by @kmendell)
• set docker config directory to avoid errors around config.json (#2557 by @kmendell)
• remove double loading of env overides and settings, use in memory cache instead (#2562 by @kmendell)
• show compose-labeled image updates in project updates (#2563 by @kmendell)
• gotify token decryption missing from auto heal and prune notifications(e28c4a4 by @kmendell)
• regenerate apikey dialog shows behind sheet(b7a8ec7 by @kmendell)
• always use dockerhub credentials if available (#2567 by @kmendell)
• agent api token fallbacks and guards (#2568 by @kmendell)

CLI - Bug fixes

• use correct checksum for updater(d645d4d by @kmendell)
• replace the arcane-cli located on PATH during update(a1e0c4a by @kmendell)

Dependencies

• bump github.com/moby/moby/client from 0.4.0 to 0.4.1 in /types (#2441 by @dependabot[bot])
• bump github.com/docker/cli from 29.4.0+incompatible to 29.4.1+incompatible in /backend (#2443 by @dependabot[bot])
• bump github.com/getarcaneapp/arcane/types from 1.17.4 to 1.18.1 in /cli (#2444 by @dependabot[bot])
• bump github.com/moby/moby/api from 1.54.1 to 1.54.2 in /backend (#2445 by @dependabot[bot])
• bump prettier from 3.8.2 to 3.8.3 (#2449 by @dependabot[bot])
• migrate to pnpm v11.0.0(4a94c5c by @kmendell)
• upgrade frontend dependencies (#2461 by @kmendell)
• bump github.com/docker/cli from 29.4.1+incompatible to 29.4.2+incompatible in /backend (#2490 by @dependabot[bot])
• bump github.com/samber/slog-gin from 1.21.0 to 1.21.1 in /backend (#2481 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.57.1 to 1.57.2 in /backend (#2489 by @dependabot[bot])
• bump @tanstack/svelte-query from 6.1.24 to 6.1.26 (#2485 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.15 to 1.19.16 in /backend (#2487 by @dependabot[bot])
• bump ghcr.io/devcontainers/features/node from 1.7.1 to 2.0.0 (#2480 by @dependabot[bot])
• bump github.com/fsnotify/fsnotify from 1.9.0 to 1.10.1 in /backend (#2482 by @dependabot[bot])
• bump pnpm to 11.0.6(0e47b40 by @kmendell)
• bump github.com/aws/aws-sdk-go-v2/config from 1.32.16 to 1.32.17 in /backend (#2536 by @dependabot[bot])
• bump github.com/shirou/gopsutil/v4 from 4.26.3 to 4.26.4 in /backend (#2542 by @dependabot[bot])
• bump golang.org/x/text from 0.36.0 to 0.37.0 in /backend (#2540 by @dependabot[bot])
• bump github.com/charmbracelet/fang from 0.4.4 to 1.0.0 in /cli (#2532 by @dependabot[bot])
• bump @codemirror/view from 6.41.1 to 6.42.1 (#2535 by @dependabot[bot])
• bump golang.org/x/time from 0.14.0 to 0.15.0 in /backend (#2538 by @dependabot[bot])
• bump react-dom from 19.2.5 to 19.2.6 (#2541 by @dependabot[bot])
• bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 in /backend in the go_modules group across 1 directory (#2544 by @dependabot[bot])
• bump sigstore/cosign-installer from 4.1.1 to 4.1.2 (#2533 by @dependabot[bot])
• bump react-email from 6.0.1 to 6.1.1 (#2537 by @dependabot[bot])
• bump golang.org/x/net from 0.53.0 to 0.54.0 in /backend (#2539 by @dependabot[bot])
• bump pnpm to v11.0.9(5f43b7e by @kmendell)
• remove react-email/preview-server(685f9c3 by @kmendell)
• bump github.com/nicholas-fedor/shoutrrr from 0.14.3 to 0.15.0 in /backend (#2547 by @dependabot[bot])
• bump github.com/docker/cli from 29.4.2+incompatible to 29.4.3+incompatible in /backend (#2548 by @dependabot[bot])
• bump golang.org/x/mod from 0.35.0 to 0.36.0 in /backend (#2550 by @dependabot[bot])
• bump google.golang.org/grpc from 1.80.0 to 1.81.0 in /backend (#2551 by @dependabot[bot])
• bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 in /backend (#2553 by @dependabot[bot])
• bump @tanstack/svelte-query from 6.1.26 to 6.1.28 (#2549 by @dependabot[bot])

Other

• make login screen padding more centered (#2429 by @kmendell)
• sidebar grouping and edge cases (#2188 by @cabaucom376)
• consolidate helpers and dedupe boilerplate code (#2437 by @kmendell)
• split ws_handler and skip pagination counts when not needed (#2440 by @kmendell)
• cleanup frontend with more universal components (#2459 by @kmendell)
• frontend ui cleanup and fixes (#2515 by @kmendell)
• use charm logging instead of logrus for arcane-cli (#2518 by @kmendell)
• move job bootstrap into job service (#2523 by @kmendell)
• streamline remote environment logic (#2524 by @kmendell)

Full Changelog: v1.18.1...v1.19.0

1.6.4 (2026-05-11)

New: Web Setup Wizard

First-launch web setup wizard. New installs no longer need to hand-edit .env.local - point a browser at the container and the wizard probes the JMAP server(s), configures OAuth/OIDC, generates the session secret, accepts branding uploads, and provisions the initial admin password. Admin storage is now split into ADMIN_CONFIG_DIR (operator-authored, mountable read-only after setup) and ADMIN_STATE_DIR (runtime audit log and login timestamps); the legacy ADMIN_DATA_DIR keeps working for existing installs.

Features

• Setup: Web setup wizard with multi-step flow: Server, Auth, Security, Logging, Branding, Review, Admin
• Setup: Admin config/state directory split with optional ADMIN_CONFIG_READONLY for immutable deployments (#226)
• Setup: File uploads on the wizard branding step
• Setup: Redesigned review step with grouped summary and an advanced toggle for the full config
• Setup: Require explicit confirmation when JMAP probe finds no session
• Mail: Drag attachments out of the viewer to the local file system (#267)
• Mail: Reading Pane at Bottom mail layout (#262)
• Mail: Configurable signature position – above or below quoted text (#266)
• Mail: Signature position is now searchable from the email behavior settings
• Mail: Show avatar in Focused list for compact density and above
• Mail: Align Focused list preview with other layout previews
• Compose: From-header override in the composer with catch-all auto-reply, replies to an alias on a domain you own pre-fill the alias as the sender even when it isn't a configured identity (#246)

Performance

• Mail: Prefetch initial email data on login
• Auth: Parallelize login round-trips and drop redundant JMAP re-verify

Fixes

• Auth: Skip upstream JMAP reverify for trusted URLs (#237)
• Auth: Show account identity in the switcher header instead of the sending alias
• Compose: Fall back to the primary identity signature on reply
• Setup: Drop redundant first-login banner about removing ADMIN_PASSWORD (#222)
• UI: Consistent notice cards for server probe results

i18n

• Add missing translation keys across 15 locales

1.19.0

1.19.0

1.19.0

5.45.1 (2026-05-11)

🔥 Bug fix

• prevent single-type switch crashes and refresh schema after CTB updates (c9db1321d837f8024f0f9f2c4ab38645b535613c)

❤️ Thank You

• Adrien L @Adzouz
• Ben Irvin
• Jamie Howard

• Milestone

This is a major release.

Feature highlights✨:

• New sort order preferences at global, category, and feed levels
• Use feed-provided icon
• New option to hide sidebar by default
• Show time since when a feed has problems
• New functions to handle plural in internationalisation
• New cli/purge.php to apply purge policy from command line

Bug fixes highlights 🐛:

• Improve support of PHP 8.5+
• Several fixes related to searches

Security highlights 🛡:

• Limit cURL to protocols HTTP, HTTPS

UI highlights 🖼:

• Improve mobile view with multiple lines when thumbnails and summaries are shown
• Several themes improved

Extensions highlights 🧩:

• New Webhook extension for automated RSS notifications
• New LLM Classification extension to automatically tag incoming articles based on a prompt sent to an LLM

This release has been made by @Alkarex, @Inverle, @Kiblyn11, @math-GH, @rupakbajgain, @xtmd and newcomers @polybjorn, @olivluca, @tomasodehnal, @PeterVavercak, @mrtnrdl, @ale-rt, @cweiske, @rid3r45, @gabbihive, @drosell271, @Kachelkaiser, @zanivann, @nanos, @bowencool, @pe1uca, @matheusroberson, @DenuxPlays, @rlrs, @chanse-syres, @IEEE-754, @umaidshahid, @michi-onl

Full changelog:

• Features
  • New sort order preferences at global, category, and feed levels #8234
  • New filtering by date of Server modification date #8131, #8576
    • Corresponding search operator, e.g. mdate:P1D for finding articles modified by the author / server during the past day.
    • Especially useful for optimising the API synchronisation.
  • Use feed-provided icon #8633
  • New option to automatically mark new articles as read if an identical GUID already exists in the same category #8673
  • Automatic feed visibility/priority during search #8609
  • Add feed visibility filter to statistics view unread dates #8489
  • Add option to enable/disable notifications, also for PWA #8458
  • Add a form to create new user queries on the User Queries page #8623
  • Allow WebSub hub push from same private network #8450
  • Support category field in JSON feed import #8786
• Bug fixing
  • Fix wrong search toString in case of regex-looking string #8479
  • Fix article last seen date in case of feed errors #8646
  • Fix search expansion with backslash #8497
  • Fix user query parsing #8543
  • Fix search in shared user queries #8789
  • Fix redirect to wrong view after mark as read in reader and global views #8552
  • Fix SQLite paging when sorting by article length #8594
  • Fix change sorting during paging #8688
  • Fix SQL keyset pagination when sorting by category name #8597
  • Fix SQL duplicates in the user labels when sorting randomly #8626
  • Fix wrong error redirect in subscription management #8625
  • Fix do not include hidden feeds when counting total number of unread articles #8715
  • Update user modify date when changing extensions UserJS / UserCSS #8607
  • Non-strict OPML export #eedefb
• Security
  • Limit cURL to protocols HTTP, HTTPS #8713
  • Better sanitise favicon URLs #8714
  • New setting for <iframe> referrer allow list #8672
  • Fix email validation and allow error page for unverified email users #8582
  • Add allowfullscreen to <iframe> #8467
  • Rewrite Set-Cookie using native PHP support of SameSite #8447, #8778
    • Sanitize lifetime of session cookies from session.cookie-lifetime in php.ini
  • Update to <meta name="referrer" content="no-referrer" /> from deprecated never #8725
  • Preventive measure against search ingestion #8777
• UI
  • New option to hide sidebar by default #8528
  • Improve mobile view with multiple lines when thumbnails and summaries are shown #8631
  • New option to disable unread counter in tab title and favicon #8728
  • Show time since when a feed has problems #8670
  • Improve add feed UI #8683
  • Improve slider behaviour when using navigate back button #8496, #8524
  • Improve consistency of slider behaviour after submitting form #8612
  • Create dynamic favicons from SVG instead of PNG canvas #8577, #8588
  • Only display scrollbar everywhere if there's an overflow (especially for Chromium) #8542
  • Fix CSS padding of .content pre code #8620
  • Fix wrong navigation buttons layout on Chromium #8606
  • Fix don’t mark as read if middle click is outside of article link #8553
  • More robust JS #8595
  • Fix sidebar slide animation at narrow viewports #8747
  • Visually dim disabled users in user management table #8768
  • Improve multiple UI themes #8711, #8732,
    #8733, #8734, #8735,
    #8736, #8737, #8738,
    #8739, #8743, #8746,
    #8749, #8761, #8781,
    #8784, #8785
  • Various UI and style improvements: #8537, #8538,
    #8541, #8624, #8731,
    #8774
• Deployment
  • Also push Docker images to GitHub registry #8669
  • Improve support of PHP 8.5+ using Pdo\Mysql #8526
  • Add support for Podman in Makefile #8456
  • Re-add database status in installation check #8510
  • Docker / CLI: Allow chown/chmod to fail with warning #8635
• Extensions
  • New Webhook extension for automated RSS notifications Extensions#456
  • New LLM Classification extension to automatically tag incoming articles based on a prompt sent to an LLM Extensions#458
  • New extension methods to get typed configuration values #8696
  • New hook: Minz_HookType::ActionExecute #8599, #8603
  • New hook to modify the list of feeds to actualize #8655, #8675
  • Allow passing Minz_HookType as hook name in registerHook() #8600
  • Return more info and status from httpGet() #8700
  • Make httpGet() cache nullable #8705
  • Allow extensions’ configuration UI to use select-input-changer JavaScript helper #8721
• SimplePie
  • Bump upstream #8628, simplepie#71
  • New function get_icon_url() for feed favicon simplepie#974
  • Fix Undefined array key in get_thumbnail() #8634, simplepie#970
  • Fix int types for enclosures #8702, simplepie#975
  • Fix HTTPS headers given to SimplePie, e.g. for some HTTP/2 cases #8742
• CLI
  • New cli/purge.php to apply purge policy #8740
• I18n
  • CLI validate language directory names #8767
  • New functions to handle plural, and new timeago() #8670
  • Improve German #8491, #8557, #8689,
    #8704
  • Improve Italian #8517, #8519, #8554,
    #8555, #8556, #8566
  • Improve Latvian #6553
  • Improve Polish #8536
  • Improve Portuguese #8649
  • Improve Simplified Chinese #8474, #8475, #8476
  • Improve Traditional Chinese #8709, #8716, #8723,
    #8730, #8748
  • Improve Spanish #8572
• Misc.
  • Initial conventions for AI agents and humans: AGENTS.md, SKILLS.md, instructions.md #8478
  • Update to CSSXPath 1.5.0 #8642
  • Update to PHPMailer 7.0.2 #8483
  • SQL improve PHP syntax uniformity #8604
  • Trim SQL whitespace before parenthesis #8522
  • Improve PHP code #8627, #8644, #8753,
    #8697
  • Add dev legacy rules PHPCS 3 #8645
  • Update dev dependencies #8469, #8480, #8499,
    #8545, #8546, #8547,
    #8617, #8638, #8660,
    #8661, #8662, #8663,
    #8664, #8665, #8666,
    #8667, #8668, #8685,
    #8752, #8754, #8755,
    #8756, #8757, #8758,
    #8772, #8798

Changelog

Bug fixes

• 1a60020: fix: binding_property_non_reactive (@seriousm4x)
• 19daaf8: fix: eager fetch on device card (@seriousm4x)

Others

• 91fe074: Add i18n el-GR (#1734) (@nikmak88)
• 6aa2345: build(deps): bump cookie from 0.6.0 to 1.1.1 in /frontend (@dependabot[bot])
• 9494c34: update deps (@seriousm4x)

1.6.3 (2026-05-08)

Features

• Mail: Lift 5-account cap on HTTP/2
• Mail: Import .eml files via folder right-click menu

Fixes

• Mail: Trim leading whitespace from email list preview
• Mail: Fall back when only the truncation indicator remains in email preview
• Mail: Hide files/contacts nav items when JMAP server lacks support
• Viewer: Preserve emoji colors in dark mode
• Viewer: Prevent white-on-white in dark mode for nested bgcolor containers
• Viewer: Render plain-text-only emails as text, not HTML
• Viewer: Render HTML-only emails and redesign external content prompt
• Viewer: Pad Word/Outlook HTML email rendering
• Compose: Redesign quick reply to match sender/banner layout
• Compose: Disable StarterKit's bundled link/underline to avoid duplicate extensions
• Sharing: Request shareWith explicitly so calendar/address book shares survive a re-login (#257)
• UI: Strip leading punctuation when computing avatar initials
• Mobile: Hide email hover actions

i18n

• Add missing translation keys across 15 locales

1.6.2 (2026-05-06)

Features

• Plugins: Hot-reload and dev-folder loading for live plugin development
• Plugins: On-demand src/ bundling via esbuild
• Plugins: New http:fetch permission and httpOrigins manifest field
• Plugins: onBeforeEmailSend hook with fromEmail exposed on OutgoingEmail
• Plugins: Project EmailReadView for the email-banner slot and expose auth results
• Plugins: Ingest icon, banner, and screenshots from the source repo
• Plugins: Restrict plugin and theme install/uninstall to the admin dashboard
• Mail: Multi-server JMAP support
• Settings: Fulltext search across the settings sidebar
• Settings: Sub-result rows with highlight in settings search
• Settings: Surface plugin settings as search sub-results
• Settings: Remove experimental tags from themes, plugins, and sender favicons
• Viewer: Redesigned external-mail banner above attachments
• Calendar: Calendar invitation banner expands on row click
• Calendar: Calendar invitation banner is now collapsible

Fixes

• Admin: Collapse admin panel into a single tabbed page
• Plugins: Inline plugin configure panel to avoid dev-mode hang
• Plugins: Resolve PLUGIN_DEV_DIR plugins in admin config route
• Plugins: Add missing body type assertion in createPluginAPI fetch options
• Plugins: Propagate settingsSchema
• Settings: Highlight plugin and theme cards in search results
• Settings: Open plugin card on first click of a setting sub-result
• Settings: Drop ghost sub-results from account and language search
• Settings: Improve search highlight styling
• Viewer: Show notification banners above attachments
• Viewer: Rework S/MIME banner to match calendar invitation
• Viewer: Close PDF preview on Escape before email viewer
• Viewer: Render PDF previews via <object> with blob: in object-src CSP (#253)
• Calendar: Align invitation icon with sender avatar column
• Calendar: Fix invitation picker clipping (#250)
• Auth: Read activeAccountId from authStore in account selectors
• UI: Adjust toast item border radius and progress bar styles
• UI: Remove fly-in animation from context menu submenus
• i18n: Add missing Czech flag icon

i18n

• Add missing translation keys across 15 locales

5.45.0 (2026-05-06)

🚀 New feature

• extended ctb api for plugins (ad7cb5d5d7)
• sort based on publish status (#25689)
• admin: api token supports admin permissions and admin user ownership (#25657)
• content-manager: add Zod 4 foundation utilities (#25574)

🔥 Bug fix

• issue with plugin content type uid (f768670d38)
• style issues (2f42e5fe44)
• opt out of the ct backup strategy for plugin content types (5936814932)
• build errors (520ecfc6d5)
• enforce minimum length (f2b6c2bcd0)
• prevent trailing ? in URL when params is empty object (#25724, #25900)
• dynamically update rate limit prefix key based on route (#24818)
• admin: clean up lazy component registration warnings (#25015)
• admin: type addMenuLink with optional Component for menu-only links (#26198)
• content-manager: prevent crash on detached DZ component (#26148)
• content-type-builder: preserve plugin CT identity in AI chat transform (0be48848fa)
• database: run cleanOrderColumns updates sequentially (#26134)
• database: run cleanOrderColumns updates sequentially (#26134)
• review-workflows: implement incremental loading in assignee dropdown (#25967)
• upload: sharp concurrency and cache leads to OOM (#26046)

❤️ Thank You

• Adrien L @Adzouz
• Andrei L @unrevised6419
• Ben Irvin
• Boaz Poolman
• DMehaffy
• Dominik Juriga @dominik-juriga
• guoyangzhen
• Jamie Howard
• markkaylor
• Nico André
• Niels Kaspers @nielskaspers
• Pierre Wizla
• Ziyi @butcherZ

Part-DB 2.11.1

Bug fixes

• Updated watchtower image in watchtower config example (#1363)
• Fixed problems of invalid links when AI Web Extractor encounters non-absolute links

Improvements

• Improved UserAgent randomizer for web scraper

Part-DB 2.11.0

New features

• Added AI powered website scraper to provide detailed part infos even from webshops with little structured data
• Added feature to force refresh of info provider search and results, and to skip delegation to specialized providers when using "create part from URL"
• Add Docker update support via Watchtower integration by @Sebbeben in #1330
• Add Quick Apply and batch update to bulk info provider import by @Sebbeben in #1316
• Add 'Add stock' button to part stock info page by @kernchen-brc in #1352
• Added 250 and 500 entry to table lengthes menus

Bug fixes

• Fix sort order after column reorder on page reload by @wschopohl in #1346
• Fixed error making editing of users impossible
• Fixed error with converting existing DB to postgresql database (#1362)
• Fixed error that original category were changed, if category cloned and eda info changed (#1341)
• Keep part table length selection across page loads (#1350)

Miscellaneous

• Updated dependencies
• Updated KiCad symbols and footprint list

Full Changelog: v2.10.0...v2.11.0

1.6.1 (2026-05-04)

Features

• Updates: Update-available detection with non-dismissible notice and dev-reload refresh
• Plugins: New plugin hooks for compose, attachments, search, lifecycle, and routing
• Sharing: Share indicators for calendars and contacts, updated JMAP capabilities (#244)
• Mail: Auto-add recipients to trusted senders when replying
• Identity: Sanitize identity display name to prevent invalid From headers

Fixes

• Mobile: Synchronize mobile submenu view with browser history for better navigation
• Viewer: Update email viewer styles to improve overflow handling
• Auth: Ensure cookieSlot consistency during account updates in auth store
• Auth: Thread per-account cookie slot through OAuth flows
• Calendar: Square the colored left marker on calendar events
• About: Show git commit in About instead of "unknown"

i18n

• Update mailbox context menu translations across 12 locales

1.6.0 (2026-05-01)

Features

• Deployment: Subpath deployment support via NEXT_PUBLIC_BASE_PATH environment variable
• Mail: Image attachment thumbnails and preview chips
• Mobile: Reworked mobile mail viewer toolbar
• Mobile: Mobile-friendly settings panel
• Mobile: Mobile-friendly admin panel
• Mail: Redesigned expanded details panel
• Mailbox: Show full path in mailbox context menu header with intelligent path shortening

Fixes

• Viewer: Respect per-email dark mode toggle when "always show in light mode" is on
• Navigation: Scroll apps list in navigation rail to prevent overflow
• Context menu: Clamp submenu inside viewport
• Context menu: Prevent context menu from clipping below viewport
• Context menu: Prevent jump and animation on open
• Mail: Stop silently destroying emails when trash mailbox isn't found (#195)
• Mail: Preserve list scroll position when tagging an email
• Mail: Render below-header overflow popup outside clipped row
• Mail: Collapse below-header attachments to single row with overflow pill
• Push: Fix push preview JMAP query
• Tour: Navigate tour to mailbox when starting from another page
• i18n: Add useTranslations for "selected emails" and "cancel" on email list batch operations

i18n

• Translate SPF/DKIM/DMARC tooltips
• Add missing keys across 14 locales

1.5.4 (2026-05-01)

Features

• PWA: Web push notifications for new inbox mail (#233), with click-through to open the message
• Composer: Insert and edit tables in rich-text emails (#236)
• Mail: Configurable sub-addressing delimiter character (#239)
• i18n: Turkish localization
• i18n: Missing keys filled in across 15 locales

Fixes

• Mail: Set In-Reply-To and References headers on replies (#234)
• Mail: Persist htmlBody in drafts to preserve rich formatting (#236)
• Auth: Pin JMAP auth verification to the configured server URL (#237)
• Auth: Evict unrecoverable basic-auth accounts on reload
• Notifications: Scope new-mail notifications to genuine inbox deliveries
• Notifications: Extend PushVerification timeout and clean up leftover subscriptions
• Viewer: Smooth out body load to prevent flicker on first render
• Viewer: Prevent iframe flash when loading images or trusting the sender
• Viewer: Pad bare HTML emails like plain-text mails for consistent layout
• Viewer: Light-mode override now only affects body content
• Viewer: Detect <style> tag when applying padding
• Viewer: Drop iframe border-radius
• Calendar: Localize event start date in detail popover and event modal
• Dev: Include http protocol in connect-src for development mode CSP

✨ New Features & Improvements

• @directus/app
  • Updated the token field on the user detail page to require confirmation before regenerating or removing a token, and saved those changes immediately without requiring a page-level save. (#27108 by @LZylstra)
• @directus/api
  • Added opt-in must-revalidate and ETag headers for assets via ASSETS_CACHE_REVALIDATE env var (#27027 by @gaetansenn)
  • Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)
• @directus/env
  • Added opt-in must-revalidate and ETag headers for assets via ASSETS_CACHE_REVALIDATE env var (#27027 by @gaetansenn)
• @directus/sdk
  • Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed UI freeze when navigating items with WYSIWYG translations for non-admin users (#27154 by @gaetansenn)
  • Fixed selection not being cleared after running a manual flow from the collection list view sidebar (#27330 by @kropsi)
  • Fixed "Save as copy" in the file library throwing a 403 Forbidden error (#27181 by @sanskar-soni-9)
  • Fixed user token not being displayed after generation when collaboration is enabled (#27319 by @LZylstra)
  • Prevented filter popup being closed when reordering filters (#27324 by @HZooly)
  • Fixed icon flash in navigation sidebar for bookmarks without an icon (#27329 by @HZooly)
  • Migrated @directus/visual-editing into the monorepo (#27157 by @formfcw)
• @directus/api
  • Removed duplicate @directus/schema-builder dependency (#27166 by @ComfortablyCoding)
  • Bumped basic-ftp, liquidjs, xmldom, protobufjs, vite dependencies (#27335 by @br41nslug)
  • Fixed flows not awaiting reload (#27137 by @Nitwel)
  • Fixed VERSION_SAVE activity/revisions not respecting collection tracking settings (#27096 by @yogeshwaran-c)
  • Denied creating collections with / in name (#27114 by @costajohnt)
• @directus/types
  • Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)
• @directus/visual-editing
  • Migrated @directus/visual-editing into the monorepo (#27157 by @formfcw)
  • Fixed the edit handler firing twice when clicking an overlay button directly (#27157 by @formfcw)
• @directus/utils
  • Migrated @directus/visual-editing into the monorepo (#27157 by @formfcw)
• @directus/sdk
  • Fixed SDK types linking to directus_access junction collection (#27152 by @yogeshwaran-c)
• @directus/composables
  • Fixed useShortcut attempting to access document before available (#27155 by @ComfortablyCoding)

📦 Published Versions

• @directus/app@15.10.0
• @directus/api@35.2.0
• @directus/composables@11.4.1
• create-directus-extension@11.0.36
• @directus/env@5.8.0
• @directus/extensions@3.0.25
• @directus/extensions-registry@3.0.26
• @directus/extensions-sdk@17.1.4
• @directus/memory@3.1.8
• @directus/pressure@3.0.22
• @directus/schema-builder@0.0.20
• @directus/storage-driver-azure@12.0.22
• @directus/storage-driver-cloudinary@12.0.22
• @directus/storage-driver-gcs@12.0.22
• @directus/storage-driver-s3@12.1.8
• @directus/storage-driver-supabase@3.0.22
• @directus/themes@1.3.3
• @directus/types@15.0.3
• @directus/utils@13.4.1
• @directus/validation@2.0.23
• @directus/visual-editing@2.0.1
• @directus/sdk@21.3.0
• @directus/sandbox@0.0.0

Security Release

• Update Instructions
• Update details on blog

This is a security release to improve attachment related permission checks, and URL validation for webhooks.

Upgrade is advised if you allow untrusted users to delete attachments, or if untrusted users have permission to create webhooks on instances which make use of the ALLOWED_SSR_HOSTS BookStack env file option.

Thanks to 404_pkj (GitHub) and naruhodoowl (GitHub) for responsibly reporting these issues.

Full List of Changes

• Updated PHP package versions.
• Updated attachment actions to align page access check.
• Updated URL validation in webhooks to help prevent escaping workarounds.
• Fixed issue where exact search term negation would lead to no results. (#6121)

5.44.0 (2026-04-29)

🚀 New feature

• deploy to cloud homepage widget (#25774)

🔥 Bug fix

• add responseType to getFetchClient for non-JSON responses (#25974)
• prevent browser defaults for Ctrl+I and other modifier shortcuts in Firefox (#26050)
• contain absolute descendants in OverflowingItem (#26133)
• content-manager: prevent duplicate React key in homepage recent-documents widget (#26084)
• content-manager: optimize document layout hooks (#26005)
• database: make 5.0.0-02-created-document-id migration idempotent (#26045)
• document-service: support delete selection params (#25097)
• document-service: preserve self-referential relations during publish and discard (#25890)
• document-service: discard-draft 500 on self-referential manyToMany relations (#26152)
• i18n: preserve non-localized media when creating a locale (#26031)
• openapi: documentation plugin generates OpenAPI with incorrect ID parameter (#26067)
• review-workflows: pass locale params to useDocument in StageSelect and AssigneeSelect (#26104)
• types: align Service.Generic index signature with Controller.Generic (#25475)

📚 Documentation Changes

• add AGENTS.md universal agent guide (#26018)

⚙️ Chore

• release v5.43.0 update develop (#26100)
• upgrade contributor docs dependencies (#26073)
• deps: bump multiple dependencies (#26103)
• deps: bump @xmldom/xmldom from 0.8.12 to 0.8.13 (#26098)
• deps: bump and dedupe pinned subdeps (#26139)
• examples: migration performance benchmark harness + mariadb/sqlite + anti-pattern schemas (#26036)
• scripts/release: fix experimental peer dependencies install (#26083)

💅 Enhancement

• add ESM syntax support for Vite .mts config file (#25238)
• i18n: improve Russian translations of tours section in admin package (#25221)
• translations: update czech translations (#25824)

❤️ Thank You

• Adrien L @Adzouz
• akash-dabhi-qed @akash-dabhi-qed
• Ayoub Hidri @ayhid
• Bassel Kanso @Bassel17
• Ben Irvin
• DMehaffy
• Filip Ónodi @fonodi
• Jamie Howard @jhoward1994
• Kellen Bolger
• Laurens Kling @laurenskling
• Leonid Vinogradov
• Nico André
• otociulis @otociulis
• Simon Norris @cache-your-dreams
• Ziyi @butcherZ

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.04.28

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.04.28

Changes

• allow filtering out members-only videos in subscriptions (closes #971) (5d96a58)

1.5.3 (2026-04-28)

New: Help shape Bulwark Webmail. Each instance now sends a lightweight daily heartbeat (version, platform, bucketed account counts, feature toggles - never message data or PII) so we can see which platforms and features actually get used and prioritize fixes where they matter most. You're in control: opt out any time from Admin → Telemetry or by setting BULWARK_TELEMETRY=off. Full schema in the privacy notice.

Features

• Telemetry: Anonymous instance telemetry, on by default. Reports schema version, platform, bucketed account counts, and feature toggles only - disable from the admin UI, with BULWARK_TELEMETRY=off, or by clearing the endpoint
• Telemetry: Track unique logins (HMAC'd per instance, 90-day retention) so the heartbeat can report bucketed account totals without storing usernames
• Plugins: Theme API v2 with token compiler and skin slot
• Plugins: Extension preview page and detailed extension info API
• Calendar: Right-click context menu on empty calendar space
• Docker: Persistent named volume for telemetry data so the instance id and admin's consent choice survive container upgrades

Fixes

• Security: Block telemetry endpoint from pointing at internal/loopback hosts (validation + DNS-rebind re-check at fetch time)
• Security: Harden plugin config, TOTP token exchange, and branding file serving
• Mail: Batch shortcuts now act on the multi-selection when one is present (#228)

Bug fixes

• validation failed when creating git sync(d7a8bc1 by @kmendell)

Full Changelog: v1.18.0...v1.18.1

1.18.1

1.18.1

1.18.1

New features

• full control over prune options (#2372 by @kmendell)
• add UI to create and edit custom templates (#2351 by @mohamedhagag)
• add raw inspect tab to container detail view (#2368 by @GiulioSavini)
• universal environment dashboard (#2241 by @kmendell)
• add dedicated healthcheck tab for containers (#2384 by @kmendell)
• resource updates overview page (#2204 by @kmendell)
• add ability to deploy Docker Swarm stacks from Git repo with GitOps updates (#2412 by @SplinterHead)

Bug fixes

• handle deferred file close errors in docker build copy helper(3cdc1dd by @kmendell)
• datetime displays now respect the app's selected locale (#2366 by @GiulioSavini)
• guard volume file browser against non-mountable driver types (#2364 by @GiulioSavini)
• actually redeploy swarm stack when saving edits (#2365 by @GiulioSavini)
• set all api endpoints to use auth by default and explicitly remove auth for public endpoints (#2377 by @kmendell)
• add version label to environment cards (#2379 by @kmendell)
• always show save button on template pages (#2402 by @GiulioSavini)
• fall back to user cache dir when /tmp is not writable (#2408 by @GiulioSavini)
• skip image update checks for services with build config (#2403 by @GiulioSavini)
• tolerate undefined env vars in GitSync compose validation (#2380 by @GiulioSavini)
• pin trivy digest to 0.70.0(686248c by @kmendell)
• null user_id for env bootstrap keys + H2 support for registry fetches (#2370 by @GiulioSavini)
• incorrect conversion of linux runtime identity types (#2410 by @kmendell)
• pre-create volumes with driver_opts before stack deploy (#2407 by @GiulioSavini)
• show host CPU/RAM in System Overview instead of Arcane container limits (#2343 by @GiulioSavini)
• compose update indicator not refreshing when a new image is pulled(e367e1f by @kmendell)

Dependencies

• bump github.com/jackc/pgx/v5 from 5.7.6 to 5.9.0 in /backend in the go_modules group across 1 directory (#2383 by @dependabot[bot])
• bump github.com/go-git/go-git/v5 from 5.17.2 to 5.18.0 in /backend in the go_modules group across 1 directory (#2388 by @dependabot[bot])
• bump github.com/docker/compose/v5 from 5.1.2 to 5.1.3 in /backend (#2398 by @dependabot[bot])
• bump charm.land/bubbletea/v2 from 2.0.2 to 2.0.6 in /cli (#2391 by @dependabot[bot])
• bump charm.land/lipgloss/v2 from 2.0.2 to 2.0.3 in /cli (#2390 by @dependabot[bot])
• bump github.com/getarcaneapp/arcane/types from 1.17.3 to 1.17.4 in /cli (#2392 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.14 to 1.19.15 in /backend (#2396 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.57.0 to 1.57.1 in /backend (#2400 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/config from 1.32.14 to 1.32.16 in /backend (#2401 by @dependabot[bot])
• bump to go 1.26.2(f01ce6c by @kmendell)
• bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 in /backend in the go_modules group across 1 directory (#2417 by @dependabot[bot])

Other

• remove useless assignment of bytes variables(7b610e3 by @kmendell)
• use specific cosign id token(a5fd68a by @kmendell)
• use specific cosign id token(369c7b8 by @kmendell)
• use non-interactive mode for cosign(53f286b by @kmendell)
• use manual cosign key(0995de3 by @kmendell)
• use cosign v3 syntax(1b5dd7b by @kmendell)
• simplify version info dialog(dbad484 by @kmendell)
• redesigned login screen (#2389 by @kmendell)
• use arcane/tools image for volume browser and trivy scans (#2409 by @kmendell)

Full Changelog: v1.17.4...v1.18.0

1.18.0

1.18.0

1.18.0

Bug fixes

• truncate long image refs in container table (#2318 by @GiulioSavini)
• project icons not loading when used with yaml/env aliases (#2324 by @kmendell)
• surface actual compose load error instead of generic 'no compose file found' (#2326 by @mkaltner)
• project max depth not working for filesystem discovery (#2325 by @kmendell)
• Locale selector background was inconsistent (#2348 by @RJMurg)
• light mode contrast for container stats CPU/memory monitor (#2344 by @GiulioSavini)
• keep project build context as container path so local builder can stat it (#2346 by @GiulioSavini)
• preserve webhook URL query params in generic notification provider (#2345 by @GiulioSavini)
• surface registry fetch errors in GET /templates/registries (#2355 by @GiulioSavini)
• detect provider-level failures in generic webhook notifications (#2356 by @GiulioSavini)
• skip gitops-managed projects in filesystem cleanup (#2354 by @GiulioSavini)
• Update Projects button only updates project containers (#2289 by @GiulioSavini)
• svelte reactivity issues in project editors (#2329 by @kmendell)
• send notification on single container update (#2357 by @GiulioSavini)

Dependencies

• bump github.com/mattn/go-runewidth from 0.0.22 to 0.0.23 in /cli (#2303 by @dependabot[bot])
• bump prettier from 3.8.1 to 3.8.2 (#2313 by @dependabot[bot])
• bump @codemirror/view from 6.40.0 to 6.41.0 (#2306 by @dependabot[bot])
• bump @sveltejs/kit from 2.55.0 to 2.57.1 in the npm_and_yarn group across 1 directory (#2327 by @dependabot[bot])
• bump extractions/setup-just from 3 to 4 (#2331 by @dependabot[bot])
• bump pnpm/action-setup from 5 to 6 (#2333 by @dependabot[bot])
• bump actions/github-script from 8 to 9 (#2330 by @dependabot[bot])
• bump github.com/coreos/go-oidc/v3 from 3.17.0 to 3.18.0 in /backend (#2334 by @dependabot[bot])
• bump github.com/getarcaneapp/arcane/types from 1.17.2 to 1.17.3 in /cli (#2332 by @dependabot[bot])
• bump @tanstack/svelte-query from 6.1.13 to 6.1.14 (#2336 by @dependabot[bot])
• bump golang.org/x/mod from 0.34.0 to 0.35.0 in /backend (#2335 by @dependabot[bot])
• bump svelte from 5.55.0 to 5.55.3 (#2338 by @dependabot[bot])

Other

• add missing permissions for attestations(8362f97 by @kmendell)

Full Changelog: v1.17.3...v1.17.4