The DistroWatch news feed is brought to you by TUXEDO COMPUTERS. The NetHydra team has announced the release of NetHydra 2026.2. Formerly knowns as HydraPWK GNU/Linux, NetHydra is a Debian-based Linux distribution with a collection of penetration-testing tools, including tools for information gathering, scanning, stress testing, exploitation, cracking, reversing engineering and forensics. Besides the standard edition called NetHydra "Express",....

Apple today unveiled an exciting lineup for its annual Worldwide Developers Conference (WWDC), taking place June 8-12.

Features

• Added Railpack as a beta build pack option with build-time environment support, config merging, examples, and deployment smoke coverage (#9117, resolves #5282).
• Added configurable application stop grace periods for manual stops, previews, and deployments (#9746, fixes #5620).
• Added structured audit logging for API mutations, webhook events, authentication, and authorization outcomes (#9842).
• Added per-server configurable SSH connection timeouts and exposed the setting through the API and UI (#9844).
• Added deployment skipping for webhook commits and PR/MR titles containing [skip ci] or [skip cd] (#9861).
• Added instance-level MCP support with read-only tools for Coolify resources and API/UI enablement controls (#9862).
• Added application deployment configuration diff tracking so pending changes and build-impacting changes are surfaced before redeploy (#10183, fixes #8357).
• Added a collapsible sidebar with persisted state, tooltips, and a compact team menu (#9945).
• Added a Gitea runner service template (#9961).

Fixes

• Fixed OAuth user matching by normalizing email addresses before lookup (#9488, fixes #9487).
• Fixed SMTP notification validation by setting a default encryption value (#9543).
• Fixed database backup max storage validation to allow decimal values (#9801, fixes #9794).
• Fixed Dockerfile build pack builds by using BuildKit-supported host networking (#9811, fixes #9804).
• Fixed generated HEX magic environment secrets so encoded values have the expected length (#9820).
• Fixed server reachability notifications by dispatching them through an event path without blocking retry loops (#9843, fixes #9830).
• Fixed large file-volume editing in the UI by blocking editable payloads over 5 MiB (#9851, fixes #4701).
• Fixed deployment commit resolution to use the application git_commit_sha when no commit is explicitly provided (#9865, closes #9204).
• Fixed database imports to allow .dmp files (#9869).
• Fixed invalid or undecryptable Sentinel tokens by regenerating them automatically (#9874).
• Fixed scheduled task server resolution when relationships are missing (#9922, fixes #9916).
• Fixed preview image tags so different commits on the same PR do not reuse shared tags (#10066, fixes #5538).
• Fixed custom nginx configuration updates from the API by correctly decoding payloads and supporting clearing the value (#10067, fixes #9975).
• Fixed API token expiration warnings so sent-warning state persists and failed notifications can retry (#10184).
• Fixed terminal reliability with heartbeat handling, idle timeouts, reconnect replay, and preserved scrollback.
• Fixed deployment and log views so auto-scroll pauses when users scroll up and resumes at the bottom.
• Fixed realtime server dependencies by replacing Axios with the native HTTP client (#10065).
• Fixed nginx Docker images to use patched official packages and HTTPS package repositories (#10026).
• Fixed Docmost templates to require a mail driver before startup.

Improvements

• Improved Railpack behavior with Docker buildx validation, safer shell argument handling, scoped build-time variables, better port handling, and updated helper versions (#9117, resolves #5282).
• Improved MCP resource listing performance and changed enable/disable routes to POST for state-changing actions (#9862).
• Improved standalone database lookup coverage for KeyDB, Dragonfly, and ClickHouse (#9862).
• Suppressed noisy Horizon failed-job entries for expected deployment and timeout failures on cloud instances (#9871).
• Synced service templates from next and disabled the stale LiteQueen template (#9884, #10006).
• Bumped follow-redirects in the realtime Docker package to 1.16.0 (#9690).
• Bumped phpseclib/phpseclib to 3.0.52 (#9952).
• Improved Vite dev-server host, port, and CORS configuration for local development.
• Improved collapsed sidebar spacing, deployment indicator alignment, and environment-variable dirty indicators.

Breaking Changes

• Removed the deprecated Docker Compose application API endpoint; service creation should use POST /api/v1/services instead.
• Changed MCP enable/disable endpoints from GET to POST (#9862).

What's Changed

• fix: normalize oauth emails before matching users by @tristanbob in #9488
• fix(validation): allow decimals for database backups max storage by @ShadowArcanist in #9801
• fix: use --network host for Dockerfile buildpack builds by @nehemiyawicks in #9811
• build(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /docker/coolify-realtime by @dependabot[bot] in #9690
• feat(observability): add structured audit log channel for API and webhook events by @andrasbacsai in #9842
• fix(server): reliably dispatch reachability notifications via event by @andrasbacsai in #9843
• feat(server): add configurable SSH connection timeout per server by @andrasbacsai in #9844
• fix(storages): block UI editing of file volumes exceeding 5 MiB by @andrasbacsai in #9851
• feat(webhook): skip deployment on [skip ci]/[skip cd] commit markers by @andrasbacsai in #9861
• docs(design): migrate design system from .ai/ to DESIGN.md by @andrasbacsai in #9863
• fix(deployments): use app git_commit_sha when commit not explicitly set by @andrasbacsai in #9865
• fix(backup): add .dmp to allowed extensions for database import by @odinfono in #9869
• fix(notifications): set default SMTP encryption value to prevent false validation error by @ShadowArcanist in #9543
• chore(templates): sync service-templates from next by @andrasbacsai in #9884
• fix(sentinel): auto-regenerate invalid or undecryptable tokens by @andrasbacsai in #9874
• feat(horizon): suppress failed job entries for deployment/timeout errors on cloud by @andrasbacsai in #9871
• feat(mcp): add instance-level MCP server toggle via API and UI by @andrasbacsai in #9862
• fix(scheduled-task): guard against undefined relationships in server() method by @andrasbacsai in #9922
• feat(ui): add collapsible sidebar with tooltip and team menu by @andrasbacsai in #9945
• fix(magic env) HEX secrets creating double the length of their name by @yipfram in #9820
• fix(docker): use HTTPS for nginx apk repository by @andrasbacsai in #10026
• feat(buildpack): add railpack as a build pack option by @adiologydev in #9117
• build(deps): bump phpseclib/phpseclib from 3.0.51 to 3.0.52 by @dependabot[bot] in #9952
• fix(realtime): remove axios dependency by @andrasbacsai in #10065
• chore(service): disable litequeen by @ShadowArcanist in #10006
• feat(service): gitea runner by @michalzarddev in #9961
• fix(deployment): include commit in preview image tags by @andrasbacsai in #10066
• fix(applications): decode custom nginx API payloads by @andrasbacsai in #10067
• feat(applications): add configurable stop grace period by @hendricius in #9746
• fix(api-tokens): persist expiration warning state by @andrasbacsai in #10184
• feat(deployments): track application configuration diffs by @andrasbacsai in #10183
• v4.1.0 by @andrasbacsai in #9841

New Contributors

• @tristanbob made their first contribution in #9488
• @nehemiyawicks made their first contribution in #9811
• @odinfono made their first contribution in #9869
• @michalzarddev made their first contribution in #9961

Full Changelog: v4.0.0...v4.1.0

Bug fixes

• block unsafe compose include file reads (#2630 by @kmendell)
• add missing gRPC/ws tunnel commands (#2636 by @kmendell)
• unable to use templates due to 'not found' error (#2634 by @kmendell)
• retry rate limited update checks (#2639 by @kmendell)
• prevent projects from disappearing when projects folder is unreadable (#2641 by @kmendell)
• release notes not populated for manager instance (#2643 by @kmendell)

Other

• publish manager and agent image tags (#2645 by @kmendell)
• use trivy-db mirrors from arcane-tools (#2646 by @kmendell)

Full Changelog: v1.19.3...v1.19.4

1.19.4

1.19.4

1.19.4

The DistroWatch news feed is brought to you by TUXEDO COMPUTERS. This week in DistroWatch Weekly:
Review: Sylve on FreeBSD
News: Debian commits to reproducible builds, Debian publishes updated install media, Haiku introduces SMP support on ARM64 processors, Rocky Linux creates opt-in security repository, Fedora reconsiders AI tools, KDE receives generous donation
Questions and answers: The benefit of BleachBit
Released last week:....