First-launch web setup wizard. New installs no longer need to hand-edit .env.local - point a browser at the container and the wizard probes the JMAP server(s), configures OAuth/OIDC, generates the session secret, accepts branding uploads, and provisions the initial admin password. Admin storage is now split into ADMIN_CONFIG_DIR (operator-authored, mountable read-only after setup) and ADMIN_STATE_DIR (runtime audit log and login timestamps); the legacy ADMIN_DATA_DIR keeps working for existing installs.
Features
Setup: Web setup wizard with multi-step flow: Server, Auth, Security, Logging, Branding, Review, Admin
Setup: Admin config/state directory split with optional ADMIN_CONFIG_READONLY for immutable deployments (#226)
Setup: File uploads on the wizard branding step
Setup: Redesigned review step with grouped summary and an advanced toggle for the full config
Setup: Require explicit confirmation when JMAP probe finds no session
Mail: Drag attachments out of the viewer to the local file system (#267)
Mail: Configurable signature position: above or below quoted text (#266)
Mail: Signature position is now searchable from the email behavior settings
Mail: Show avatar in Focused list for compact density and above
Mail: Align Focused list preview with other layout previews
Compose: From-header override in the composer with catch-all auto-reply: replies to an alias on a domain you own pre-fill the alias as the sender even when it isn't a configured identity (#246)
Performance
Mail: Prefetch initial email data on login
Auth: Parallelize login round-trips and drop redundant JMAP re-verify
Fixes
Auth: Skip upstream JMAP reverify for trusted URLs (#237)
Auth: Show account identity in the switcher header instead of the sending alias
Compose: Fall back to the primary identity signature on reply
Setup: Drop redundant first-login banner about removing ADMIN_PASSWORD (#222)
UI: Consistent notice cards for server probe results
UpSnap is, and always will be, free and open source software.
If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.
The official and only trusted source for UpSnap is this repository (and its linked releases).
Do not pay third parties for something that is provided here for free.
If you are using Part-DB it would be helpful if you fill out this short survey on your usage of Part-DB (Google Forms): https://forms.gle/Q15twx3YYq3qCNfe8
Bug fixes
Updated watchtower image in watchtower config example (#1363)
Fixed problems of invalid links when AI Web Extractor encounters non-absolute links
New features
Added AI-powered website scraper to provide detailed part information even from webshops with little structured data
Added feature to force refresh of info provider search and results, and to skip delegation to specialized providers when using "create part from URL"
Add Docker update support via Watchtower integration by @Sebbeben in #1330
Add Quick Apply and batch update to bulk info provider import by @Sebbeben in #1316
Add 'Add stock' button to part stock info page by @kernchen-brc in #1352
Added 250 and 500 entries to the table length menus
Bug fixes
Fix sort order after column reorder on page reload by @wschopohl in #1346
Fixed error making editing of users impossible
Fixed error when converting an existing DB to a PostgreSQL database (#1362)
Fixed error where the original category was changed when a category was cloned and its EDA info changed (#1341)
Keep part table length selection across page loads (#1350)
Updated the token field on the user detail page to require confirmation before regenerating or removing a token, and saved those changes immediately without requiring a page-level save. (#27108 by @LZylstra)
@directus/api
Added opt-in must-revalidate and ETag headers for assets via ASSETS_CACHE_REVALIDATE env var (#27027 by @gaetansenn)
Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)
@directus/env
Added opt-in must-revalidate and ETag headers for assets via ASSETS_CACHE_REVALIDATE env var (#27027 by @gaetansenn)
@directus/sdk
Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)
Bug Fixes & Optimizations
@directus/app
Fixed UI freeze when navigating items with WYSIWYG translations for non-admin users (#27154 by @gaetansenn)
Fixed selection not being cleared after running a manual flow from the collection list view sidebar (#27330 by @kropsi)
Fixed "Save as copy" in the file library throwing a 403 Forbidden error (#27181 by @sanskar-soni-9)
Fixed user token not being displayed after generation when collaboration is enabled (#27319 by @LZylstra)
Prevented filter popup being closed when reordering filters (#27324 by @HZooly)
Fixed icon flash in navigation sidebar for bookmarks without an icon (#27329 by @HZooly)
Migrated @directus/visual-editing into the monorepo (#27157 by @formfcw)
This is a security release to improve attachment related permission checks, and URL validation for webhooks.
Upgrade is advised if you allow untrusted users to delete attachments, or if untrusted users have permission to create webhooks on instances which make use of the ALLOWED_SSR_HOSTS BookStack env file option.
Thanks to 404_pkj (GitHub) and naruhodoowl (GitHub) for responsibly reporting these issues.
Full List of Changes
Updated PHP package versions.
Updated attachment actions to align page access check.
Updated URL validation in webhooks to help prevent escaping workarounds.
Fixed issue where exact search term negation would lead to no results. (#6121)
New: Help shape Bulwark Webmail. Each instance now sends a lightweight daily heartbeat (version, platform, bucketed account counts, feature toggles - never message data or PII) so we can see which platforms and features actually get used and prioritize fixes where they matter most. You're in control: opt out any time from Admin → Telemetry or by setting BULWARK_TELEMETRY=off. Full schema in the privacy notice.
Features
Telemetry: Anonymous instance telemetry, on by default. Reports schema version, platform, bucketed account counts, and feature toggles only - disable from the admin UI, with BULWARK_TELEMETRY=off, or by clearing the endpoint
Telemetry: Track unique logins (HMAC'd per instance, 90-day retention) so the heartbeat can report bucketed account totals without storing usernames
Plugins: Theme API v2 with token compiler and skin slot
Plugins: Extension preview page and detailed extension info API
Calendar: Right-click context menu on empty calendar space
Docker: Persistent named volume for telemetry data so the instance id and admin's consent choice survive container upgrades
Fixes
Security: Block telemetry endpoint from pointing at internal/loopback hosts (validation + DNS-rebind re-check at fetch time)
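The "validation + DNS-rebind re-check at fetch time" pattern named in the Security fix above, sketched for Node.js as an added example; it is not Bulwark's own code. The function names, the blocked ranges, the http/https scheme rule and the sample hostname and addresses are assumptions made for illustration.

```javascript
const net = require('node:net');
const dns = require('node:dns');

// Address ranges an outbound telemetry request must never reach (loopback,
// RFC 1918, CGNAT, link-local incl. cloud metadata, IPv6 ULA/link-local).
const internal = new net.BlockList();
for (const [prefix, bits] of [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]]) {
  internal.addSubnet(prefix, bits, 'ipv4');
}
internal.addAddress('::', 'ipv6');
internal.addAddress('::1', 'ipv6');
internal.addSubnet('fc00::', 7, 'ipv6');
internal.addSubnet('fe80::', 10, 'ipv6');

function isInternalAddress(ip) {
  const family = net.isIP(ip);
  if (family === 0) return true; // not an IP literal: fail closed
  return internal.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// Default resolver; callers may inject their own so the check runs offline.
const systemLookup = async (host) =>
  (await dns.promises.lookup(host, { all: true })).map((a) => a.address);

// Run when the endpoint is saved AND again immediately before each request.
// Returns the vetted address so the caller can connect to that IP
// (keeping Host/SNI = hostname) instead of resolving a second time.
async function vetEndpoint(rawUrl, lookup = systemLookup) {
  const url = new URL(rawUrl); // WHATWG parsing normalises 2130706433 to 127.0.0.1
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`unsupported scheme ${url.protocol}`);
  }
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  const addrs = net.isIP(host) ? [host] : await lookup(host);
  if (addrs.length === 0 || addrs.some(isInternalAddress)) {
    throw new Error(`blocked: ${host} resolves to an internal address`);
  }
  return { host, address: addrs[0] };
}

// Constructed resolver: public answer on the first query, loopback afterwards.
function rebindingLookup() {
  let calls = 0;
  return async () => (calls++ === 0 ? ['203.0.113.10'] : ['127.0.0.1']);
}
```

With the constructed resolver, the save-time call succeeds and the fetch-time call is rejected, which is the case a save-time check alone would miss.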