New features

• show pull usage and limits (if applicable) (#2458 by @kmendell)
• automated docker api re-negotiation (#2471 by @kmendell)
• implement node label management with system and user label separation (#2479 by @SplinterHead)
• allow mTLS auth for edge agents (#2116 by @kmendell)
• implement multi-file swarm git sync and host path mapping (#2457 by @SplinterHead)
• ability to archive projects (#2519 by @kmendell)
• redesigned updater center for arcane self updates (#2558 by @kmendell)

CLI - New features

• arcane-cli update channels and self-update (#2517 by @kmendell)

Bug fixes

• git sync file size limitations not being respected (#2427 by @kmendell)
• default secret and config UID/GID to "0" to prevent parsing errors (#2422 by @SplinterHead)
• resolve project status using effective compose project name (#2198 by @GiulioSavini)
• block compose self-redeploy when arcane manages itself (#2404 by @GiulioSavini)
• scope named volume sources to stack in service mounts (#2430 by @GiulioSavini)
• card overview headers missaligned on layout(5fd35e4 by @kmendell)
• include files not created with new projects (#2463 by @kmendell)
• tables are laggy when lots of rows are rendered (#2468 by @kmendell)
• buildkit not using the image exporter (#2469 by @kmendell)
• swarm scale mode and replicas fixes (#2470 by @kmendell)
• prevent slog-gin panic on tunneled requests (#2467 by @lohrbini)
• don't clear real image records when marking ref-aliases up to date (#2474 by @GiulioSavini)
• restrict git repository management to admins and block credential reuse on URL changes (#2504 by @kmendell)
• show loading state immediately on swarm service actions (#2475 by @GiulioSavini)
• allow mtls when tls is not managed by arcane (#2503 by @kmendell)
• skip excluded containers when collecting images for auto-update pull (#2473 by @GiulioSavini)
• remove double verification of mTLS certificates (#2505 by @kmendell)
• image update checks fail on mobile due to incorrect id (#2506 by @kmendell)
• add registry.gitlab.com to trustedAuthDelegations (#2507 by @kmendell)
• accent color allows non color values to be saved (#2513 by @kmendell)
• handle directory-sync file paths that Docker previously created as directories (#2508 by @kmendell)
• improve login form autofill compatibility (#2514 by @MikeO7)
• use in-memory trivy DB backend on 32-bit architectures to prevent mmap allocation failure (#2529 by @kmendell)
• allow force removing of images (#2530 by @kmendell)
• set docker config directory to avoid errors around config.json (#2557 by @kmendell)
• remove double loading of env overides and settings, use in memory cache instead (#2562 by @kmendell)
• show compose-labeled image updates in project updates (#2563 by @kmendell)
• gotify token decryption missing from auto heal and prune notifications(e28c4a4 by @kmendell)
• regenerate apikey dialog shows behind sheet(b7a8ec7 by @kmendell)
• always use dockerhub credentials if available (#2567 by @kmendell)
• agent api token fallbacks and guards (#2568 by @kmendell)

CLI - Bug fixes

• use correct checksum for updater(d645d4d by @kmendell)
• replace the arcane-cli located on PATH during update(a1e0c4a by @kmendell)

Dependencies

• bump github.com/moby/moby/client from 0.4.0 to 0.4.1 in /types (#2441 by @dependabot[bot])
• bump github.com/docker/cli from 29.4.0+incompatible to 29.4.1+incompatible in /backend (#2443 by @dependabot[bot])
• bump github.com/getarcaneapp/arcane/types from 1.17.4 to 1.18.1 in /cli (#2444 by @dependabot[bot])
• bump github.com/moby/moby/api from 1.54.1 to 1.54.2 in /backend (#2445 by @dependabot[bot])
• bump prettier from 3.8.2 to 3.8.3 (#2449 by @dependabot[bot])
• migrate to pnpm v11.0.0(4a94c5c by @kmendell)
• upgrade frontend dependencies (#2461 by @kmendell)
• bump github.com/docker/cli from 29.4.1+incompatible to 29.4.2+incompatible in /backend (#2490 by @dependabot[bot])
• bump github.com/samber/slog-gin from 1.21.0 to 1.21.1 in /backend (#2481 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.57.1 to 1.57.2 in /backend (#2489 by @dependabot[bot])
• bump @tanstack/svelte-query from 6.1.24 to 6.1.26 (#2485 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.15 to 1.19.16 in /backend (#2487 by @dependabot[bot])
• bump ghcr.io/devcontainers/features/node from 1.7.1 to 2.0.0 (#2480 by @dependabot[bot])
• bump github.com/fsnotify/fsnotify from 1.9.0 to 1.10.1 in /backend (#2482 by @dependabot[bot])
• bump pnpm to 11.0.6(0e47b40 by @kmendell)
• bump github.com/aws/aws-sdk-go-v2/config from 1.32.16 to 1.32.17 in /backend (#2536 by @dependabot[bot])
• bump github.com/shirou/gopsutil/v4 from 4.26.3 to 4.26.4 in /backend (#2542 by @dependabot[bot])
• bump golang.org/x/text from 0.36.0 to 0.37.0 in /backend (#2540 by @dependabot[bot])
• bump github.com/charmbracelet/fang from 0.4.4 to 1.0.0 in /cli (#2532 by @dependabot[bot])
• bump @codemirror/view from 6.41.1 to 6.42.1 (#2535 by @dependabot[bot])
• bump golang.org/x/time from 0.14.0 to 0.15.0 in /backend (#2538 by @dependabot[bot])
• bump react-dom from 19.2.5 to 19.2.6 (#2541 by @dependabot[bot])
• bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 in /backend in the go_modules group across 1 directory (#2544 by @dependabot[bot])
• bump sigstore/cosign-installer from 4.1.1 to 4.1.2 (#2533 by @dependabot[bot])
• bump react-email from 6.0.1 to 6.1.1 (#2537 by @dependabot[bot])
• bump golang.org/x/net from 0.53.0 to 0.54.0 in /backend (#2539 by @dependabot[bot])
• bump pnpm to v11.0.9(5f43b7e by @kmendell)
• remove react-email/preview-server(685f9c3 by @kmendell)
• bump github.com/nicholas-fedor/shoutrrr from 0.14.3 to 0.15.0 in /backend (#2547 by @dependabot[bot])
• bump github.com/docker/cli from 29.4.2+incompatible to 29.4.3+incompatible in /backend (#2548 by @dependabot[bot])
• bump golang.org/x/mod from 0.35.0 to 0.36.0 in /backend (#2550 by @dependabot[bot])
• bump google.golang.org/grpc from 1.80.0 to 1.81.0 in /backend (#2551 by @dependabot[bot])
• bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 in /backend (#2553 by @dependabot[bot])
• bump @tanstack/svelte-query from 6.1.26 to 6.1.28 (#2549 by @dependabot[bot])

Other

• make login screen padding more centered (#2429 by @kmendell)
• sidebar grouping and edge cases (#2188 by @cabaucom376)
• consolidate helpers and dedupe boilerplate code (#2437 by @kmendell)
• split ws_handler and skip pagination counts when not needed (#2440 by @kmendell)
• cleanup frontend with more universal components (#2459 by @kmendell)
• frontend ui cleanup and fixes (#2515 by @kmendell)
• use charm logging instead of logrus for arcane-cli (#2518 by @kmendell)
• move job bootstrap into job service (#2523 by @kmendell)
• streamline remote environment logic (#2524 by @kmendell)

Full Changelog: v1.18.1...v1.19.0

1.6.4 (2026-05-11)

New: Web Setup Wizard

First-launch web setup wizard. New installs no longer need to hand-edit .env.local - point a browser at the container and the wizard probes the JMAP server(s), configures OAuth/OIDC, generates the session secret, accepts branding uploads, and provisions the initial admin password. Admin storage is now split into ADMIN_CONFIG_DIR (operator-authored, mountable read-only after setup) and ADMIN_STATE_DIR (runtime audit log and login timestamps); the legacy ADMIN_DATA_DIR keeps working for existing installs.

Features

• Setup: Web setup wizard with multi-step flow: Server, Auth, Security, Logging, Branding, Review, Admin
• Setup: Admin config/state directory split with optional ADMIN_CONFIG_READONLY for immutable deployments (#226)
• Setup: File uploads on the wizard branding step
• Setup: Redesigned review step with grouped summary and an advanced toggle for the full config
• Setup: Require explicit confirmation when JMAP probe finds no session
• Mail: Drag attachments out of the viewer to the local file system (#267)
• Mail: Reading Pane at Bottom mail layout (#262)
• Mail: Configurable signature position – above or below quoted text (#266)
• Mail: Signature position is now searchable from the email behavior settings
• Mail: Show avatar in Focused list for compact density and above
• Mail: Align Focused list preview with other layout previews
• Compose: From-header override in the composer with catch-all auto-reply, replies to an alias on a domain you own pre-fill the alias as the sender even when it isn't a configured identity (#246)

Performance

• Mail: Prefetch initial email data on login
• Auth: Parallelize login round-trips and drop redundant JMAP re-verify

Fixes

• Auth: Skip upstream JMAP reverify for trusted URLs (#237)
• Auth: Show account identity in the switcher header instead of the sending alias
• Compose: Fall back to the primary identity signature on reply
• Setup: Drop redundant first-login banner about removing ADMIN_PASSWORD (#222)
• UI: Consistent notice cards for server probe results

i18n

• Add missing translation keys across 15 locales

1.19.0

1.19.0

1.19.0

Apple and Google collaborate with the GSMA to roll out end-to-end encrypted RCS messaging in beta, enhancing cross-platform communication security.

• View downloads
• View release notes

• View downloads
• View release notes

• View downloads
• View release notes

• View downloads
• View release notes

• View downloads
• View release notes

[0.16.5] - 2026-05-11

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• is_ip_in_cidr expression function for CIDR matching.

Changed

• Bump mail-auth to 0.9 (which bumps hickory-resolver to 0.26).
• Deprecated RFC2136 SIG(0) support as it is no longer supported by hickory.

Fixed

• JMAP:
  • Patching ids containing digits in JSON Pointers fails.
  • Patching nested objects with null values fails.
• External directories:
  • SQL: Return Failed instead of Error when the query returns no results.
  • LDAP: Impersonation fails when the user has not logged in before.
• Network: Attempt binding to IPv4 when binding to IPv6 fails with EAFNOSUPPORT error.
• Bootstrap: Timeout after 30 seconds when probing the data store.
• HTTP: Use permissive CORS headers for .well-known endpoints.
• ACME:
  • Include apex domains when requesting certificates for subdomains.
  • Use the public suffix list to determine the zone name when no origin is provided.
• MTA:
  • Allow rescheduling recipients with permanent failures.
  • Process reports using original RCPT before rewriting.
• Autodiscover v2 endpoint unreachable.
• DNS update (via dns-update crate):
  • OVH + Google Cloud DNS: Fix FQDN handling for MX and SRV records.
  • Route53: Fix changeset error resolution.
  • deSEC: Use empty subname for apex records instead of @, which the API rejects.
  • Cloudflare: Wrap TXT record content in double quotes (RFC 1035) to suppress dashboard warnings.
• iCalendar/JSCalendar (via calcard crate):
  • Support STATUS:CANCELLED mapping from VTODO to JSCalendar.
  • Fixed duration parsing for zero duration PT0S.

---

Check binary attestation here

5.45.1 (2026-05-11)

🔥 Bug fix

• prevent single-type switch crashes and refresh schema after CTB updates (c9db1321d837f8024f0f9f2c4ab38645b535613c)

❤️ Thank You

• Adrien L @Adzouz
• Ben Irvin
• Jamie Howard

The DistroWatch news feed is brought to you by TUXEDO COMPUTERS. This week in DistroWatch Weekly:
Review: Fedora 44
News: Fedora plans to provide AI tools, problems with Ubuntu's new coreutils, TrueNAS extends development cycle, postmarketOS improves boot splash screen, Redox ports tmux
Questions and answers: What to do about all the extra fonts?
Released last week: OmniOS r151058, Omarchy 3.7.0, Parrot....