[1.7.1]
Update Ackee to 3.5.1
Full Changelog
Several dependencies have been updated to their latest versions to bring in security patches and improvements
ackee-tracker has been updated to fix an issue where visits were not recorded when the website had an empty document.referrer. You might have seen lower visit counts since version 3.5.0 when your website had no referrer, e.g., when visiting it directly or via bookmarks.
[1.14.12]
Update AdGuardHome to 0.107.73
Full Changelog
Authentication is now applied to requests that have been upgraded from HTTP/2 Cleartext (H2C) requests to public resources.
Incorrect client IP logging in failed authentication attempts when using a proxy ([#8198]).
Incorrect logger behavior in case -v flag is added.
[1.25.1]
Update ampache to 7.9.1
Full Changelog
Translations 2026-02-20
Config version 87
Add cli_no_color to disable colors for cli output
Add user_create_apikey to add an API Key to the account when a new user is created
admin:updateUser: Reset user API key, Stream token, RSS token and access level
admin:listUsers: Add -a|--apikey parameter to print the user API key
admin:listUsers: Only print user from username or user id. If both are set use username
Return an error when all items in scrobble call are not found
Custom CSS path folder
MPD status incorrectly stopping processes
[1.7.0]
Update answer to 2.0.0
Full Changelog
New: AI Assistant feature (@shuashuai @LinkinStars #1479)
New: MCP server feature (@LinkinStars @shuashuai #1480)
New: API Keys feature (@LinkinStars @shuashuai #1482)
New: Editor plugin support (@robinv8 #1481)
Fixed: Add user in the Admin, no result prompt after submission (@bimakw #1457)
Fixed: Fix/external id notification (@IfDougelseSa #1465)
Fixed: fix: expand avatar column length from 1024 to 2048 (@csouls #1463)
Fixed: When the input type of SchemeForm is a number, the default value of 0 is not displayed.@shuashuai
[1.97.1]
Update audiobookshelf to 2.33.1
Full Changelog
API Keys not respecting user enabled/disabled flag
Podcast episode update endpoint sanitizes HTML for subtitle
Playlist & collection create/update endpoints strip HTML tags from name
More strings translated
Belarusian by @pavel-miniutka
German by @fabianjuelich
Spanish by @cyphra
Thanks for reporting here @gardinermichael . We have in fact hidden the app package because there were many issues with it and we couldn't manage to get it to be stable . Maybe we should revisit this.
[1.36.3]
Update uv to 0.11.3
Full Changelog
Add progress bar for hashing phase in uv publish (#18752)
Add support for ROCm 7.2 (#18730)
Emit abi3t tags for every abi3 version (#18777)
Expand uv workspace metadata with dependency information from the lock (#18356)
Implement support for PEP 803 (#18767)
Pretty-print platform in built wheel errors (#18738)
Publish installers to /installers/uv/latest on the mirror (#18725)
Show free-threaded Python in built-wheel errors (#18740)
Add --ignore and --ignore-until-fixed to uv audit (#18737)
Bump simple API cache (#18797)
[1.6.6]
Update beszel to 0.18.7
Full Changelog
Add more disk I/O metrics (utilization, read/write time, await, queue depth) (#1866)
Add ability to copy alerts between systems by @svenvg93 (#1853)
Add SENSORS_TIMEOUT environment variable (#1871)
Replace distatus/battery with an internal implementation by @svenvg93 (#1872)
Restrict universal token API to non-superuser accounts (#1870)
Fix macOS ARM64 crashes by upgrading gopsutil to v4.26.3 (#1881, #796)
Fix text size for system names in grid view by @Malith-Rukshan (#1860)
Fix NVMe capacity reporting for Apple SSDs by @svenvg93 (#1873)
Fix Windows root disk detection when the executable is not on the root disk (#1863)
Fix nested virtual filesystem inclusion in Docker when mounting host root by @svenvg93 (#1859)
The app supports a caldav endpoints so if you have a system which can sync this into some other provider it should already work. Currently the Calendar app itself does not have any way to actively reach out into other services. I guess the question here is which part in your setup is the single source of truth regarding the events. That one would be the server and the rest become clients. Wondering what the use-case is to have two such event stores itself.
(Same answer really to the contacts topic)
Hello @luckow
This is not documented very well.
Had to look into the Castopod code to find the URL path to the API.
https://github.com/ad-aures/castopod/blob/bc041702dd8058ae8e1831b9609827c911a5a626/modules/Api/Rest/V1/Config/RestApi.php#L35
public string $gateway = 'api/rest/v1/';
So the full URL would be https://castopod.cloudron.dev/api/rest/v1/podcasts
curl https://castopod.cloudron.dev/api/rest/v1/podcasts
[]
After creating one:
curl https://castopod.cloudron.dev/api/rest/v1/podcasts
[{"id":1,"guid":"2bdee7b8-8131-5888-b4da-713d7b3a124a","actor_id":1,"handle":"demopadcast","title":"Demo Podcast","description_markdown":"DESC","description_html":"<p>DESC</p>\n","cover_id":3,"banner_id":null,"language_code":"en","category_id":1,"parental_advisory":null,"owner_name":"james","owner_email":"james@cloudron.example","is_owner_email_removed_from_feed":true,"publisher":"","type":"episodic","medium":"podcast","copyright":"","episode_description_footer_markdown":null,"episode_description_footer_html":null,"is_blocked":false,"is_completed":false,"is_locked":true,"imported_feed_url":null,"new_feed_url":null,"payment_pointer":null,"location_name":null,"location_geo":null,"location_osm":null,"verify_txt":"","custom_rss":null,"is_published_on_hubs":false,"partner_id":null,"partner_link_url":null,"partner_image_url":null,"is_premium_by_default":false,"created_by":1,"updated_by":1,"published_at":null,"created_at":{"date":"2026-03-03 11:06:44.000000","timezone_type":3,"timezone":"UTC"},"updated_at":{"date":"2026-03-03 11:06:44.000000","timezone_type":3,"timezone":"UTC"},"feed_url":"https://castopod.cloudron.dev/@demopadcast/feed.xml","actor_display_name":"Demo Podcast","cover_url":"https://castopod.cloudron.dev/media/podcasts/demopadcast/cover.jpg","categories":[{"id":1,"parent_id":null,"code":"arts","apple_category":"Arts","google_category":"Arts","translated":"Arts"}]}]
[1.29.7]
Update changedetection.io to 0.54.8
Full Changelog
CVE-2026-35490 - Authentication Bypass via Decorator Ordering
Extendable theme pluggy implementation by @dgtlmoon in #4011
[1.50.1]
Update chatwoot to 4.12.1
Full Changelog
Fixed an issue where AI Assist returned a 404 error in the Community Edition.
Fixed a regression introduced in v4.8.0 where webhook payloads for message_created and message_updated were sending channel-rendered HTML instead of the original raw message content.
[0.5.0]
Update contacts to 0.5.0
Remove app internal app passwords in favor of built-in Cloudron ones
Improve phone number search
Various UI fixes
Update dependencies
@jypelle this is possible if the package is adjusted to have the config file available in /app/data and a script to restart/reload the relevant service.
[2.10.0]
Update cubby to 2.10.0
Improve error feedback on new file or folder creation
Various relogin state fixes to not lose target resource
Ensure public shares can be reopened after session failure
Update dependencies
[1.11.1]
Update dawarich to 1.6.1
Full Changelog
Info badge on import form suggesting users zip large files (200MB+) before uploading.
Missing SVG icons for activity breakdown (ship, circle).
Fix compressed zip files failing to import with "No such file or directory" error. Rubyzip needs to re-open the source zip for compressed entries, but the temp file could be garbage collected before extraction completes #2446.
Fix anomaly filter crashing on large imports (millions of points) due to loading all points into memory at once. Speed-based filtering now processes data in monthly chunks.
[2.17.2]
Update directus to 11.17.2
Full Changelog
@directus/app
Moved useShortcut and translateShortcut in @directus/composables (#26979 by @HZooly)
added timezone support to datetime display (#26184 by @u12206050)
Added comparison modal checkbox to allow viewing only modified fields (#27010 by @robluton)
@directus/composables
Moved useShortcut and translateShortcut in @directus/composables (#26979 by @HZooly)
@directus/app
Fixed alias fields being included when selecting all fields in export (#26775 by @tysoncung)
Fixed invite acceptance error to display correctly on the frontend and allow for error translation (#26971 by @faizkhairi)
Fixed relational field removals inside groups not persisting on draft items (#26917 by @HZooly)
[2.7.0]
Update distribution to 3.1.0
Full Changelog
Fixes CVE-2026-35172
Fixes CVE-2026-33540
Adds support for tag pagination (#4360, #4353)
Fixes default credentials in Azure storage provider (#4619)
Drops support for go1.23 and go1.24 and updates to go1.25
fix: implement JWK thumbprint for Ed25519 public keys by @zhangyoufu in #4626
fix: Annotate code block from validation.indexes configuration docs by @anzoman in #4629
feat: extract redis config to separate struct by @shanduur in #4620
Fix: resolve issue #4478 by using a temporary file for non-append writes by @onporat in #4624
fix: set OTEL traces to disabled by default by @jcpunk in #4671
[1.19.0]
Update documenso to 2.8.0
Full Changelog
fix: upgrade @libpdf/core by @Mythie in #2569
fix: upgrade @libpdf/core by @Mythie in #2572
feat: add pdf image renderer by @dguyen in #2554
fix(i18n): mark dropdown and radio placeholder for translation by @mKoonrad in #2537
fix: show current month data and add caching by @ephraimduncan in #2573
feat: add embedded envelopes by @dguyen in #2564
fix: performance improvements by @dguyen in #2581
feat: implement template search functionality by @catalinpit in #2376
feat: auto-disable telemetry when license key is configured by @ephraimduncan in #2562
fix: make signing page left-hand sidebar collapsible by @catalinpit in #2541
[1.14.3]
Update docuseal to 2.4.3
Full Changelog
Fix unicode and right-to-left text in the Stamp field.
Memory usage optimization
Manage e-signature templates, submissions, and submitters with the terminal or AI agent.
https://github.com/docusealco/docuseal-cli
Compare Source
[1.13.2]
Update dolibarr to 23.0.2
Full Changelog
FIX: #37412 Better fix
FIX: #37461 #37511 Accountancy - Bank journal - Problem of cache (#37603)
FIX: #37482
FIX: #37551 Accounting - Use better rights on create / export entry (#37555)
FIX: #37707
FIX: #37707 Can pay supplier invoices with the same parent company
FIX: Accountancy - Need more information about mandatory step in various journal (#37573)
FIX: - Added user filtering for displaying leave in the calendar (#37385)
FIX: Add http code 503 on deadlock
FIX: API Warehouse : Error 401 when getting warehouse by id (backport from 22)
[1.7.1]
Update easyappointments to 1.5.2
Full Changelog
Fix the GTag script URL html rendering (#1666)
Fix the "Load More" JS error in secretaries page (#1677)
Fix the PHP compatibility error of the appointments index API endpoint (#1678)
Catch individual email delivery exceptions (#1670)
Apply permission checks to the appointment and unavailability search (#1753)
Make sure the sync button is visible on provider log in (#1749)
Update unavailable dates after applying appointment data while rescheduling (#1662)
Make sure that any-provider does not include hidden providers while generating availability (#1733)
Provide "text" version of the emails in addition to HTML (#1711)
Trigger webhook requests when managing records via the API (#1676)
[1.18.2]
Update Emby.Releases to 4.9.3.0
Full Changelog
Add user option to set user's auto remote quality
Add library option to use legacy folder scanning method
Music transcoding fixes
Add landing tab option for book libraries
Support volume control with youtube trailer player
Update mixed content tabs to combine Movies & Shows
Fix maintenance mode blocking some settings screens
Fix embedded audio fields not getting rescanned on file changes
Fix loss of genre and collection images after deleting a movie
Fix latest section not showing items for some channel plugins
[2.0.0]
Update fider to 0.33.0
Full Changelog
Please note new license changes
Open Core Licensing: Some features (content moderation, search indexing) are now gated as pro features, with a new commercial licensing system using separate private/public key environment variables.
Content Moderation (Pro): Admins can now moderate posts and comments before they go public, trust or block individual users, and manage pending content from a dedicated admin page. Content moderation is available as a pro feature.
Revamped UI: The home page and post detail view have been refreshed with a cleaner design, better dark mode support, improved mobile layouts, and post details now open in a modal without a full page reload.
Security: Sign-in email links now use a strong 64-character key (manual entry still uses a 6-digit code for convenience).
Fixed search with hyphenated words
Option to keep failing webhooks enabled rather than auto-disabling them
Fixed issue adding links via the toolbar button
Fixed filter/sort state persisting when navigating back from a post
Fixed vote listing issues
Post tags now update live in the listing without a page reload
[1.1.1]
Update fmd-server to 0.14.1
Full Changelog
Initial translation support, by @warioishere (#64)
Translate web interface in many languages (thank you translators!)
Fix hosting in sub-directory (#132)
Graceful shutdown when SIGINT or SIGTERM is received (#139)
[3.11.8]
Update firefly-iii to 6.5.9
Full Changelog
Issue 12004 (Test notification buttons always generate an error) reported by @IDevJoe
Issue 12014 (Converting a transaction to a transfer and setting the destination account to one with a different currency breaks the audit log) reported by @avee87
[2.8.7]
Update formbricks to 4.8.7
Full Changelog
fix: prevent language switch from breaking survey orientation and resetting language on auto-save (backport #7654) by @Dhruwang in #7658
fix: multilang button overflow (backport #7656) by @Dhruwang in #7659
fix: multi-lang toggle covering arabic text (backport #7657) by @Dhruwang in #7660
[1.16.3]
Update freescout to 1.8.212
Full Changelog
Take limit_user_customer_visibility parameter into account when merging customers (Security)
Check if conversation IDs match when marking thread as read (Security)
Fixed fetching emails with deeply nested HTML (#5304)
Fixed "Passing null to parameter" error in Html2Text (#5306)
Fixed "Incomplete object" error on Status page (#5307)
@joseph
As I understood it, not even that.
MEDIA_ROOT is where all media uploaded gets stored.
MUSIC_DIRECTORY_PATH is like an import folder where you can manually upload files that then get imported.
But I am not 100 % certain, it is still confusing for me.
[4.161.0]
Update ghost to 6.26.0
Full Changelog
Restored Renovate automerge rebasing - Hannah Wolfe
Added slug to members tier filter search - Rob Lester
Yes, it's only jekyll. Not an expert on next.js but I think it also needs a backend right ? If so, you have to create a custom package - https://docs.cloudron.io/packaging/tutorial/
[1.23.1]
Update gogs to 0.14.2
Full Changelog
Security: Cross-repository LFS object overwrite via missing content hash verification. #8166 - GHSA-gmf8-978x-2fg2
Security: Stored XSS via data URI in issue comments. #8174 - GHSA-xrcr-gmf5-2r8j
Security: Release tag option injection in release deletion. #8175 - GHSA-v9vm-r24h-6rqm
Security: Stored XSS in branch and wiki views through author and committer names. #8176 - GHSA-vgvf-m4fw-938j
Security: DOM-based XSS via issue meta selection on the issue page. #8178 - GHSA-vgjm-2cpf-4g7c
Unable to update files via web editor and API. #8184
[2.4.2]
Update grafana to 12.4.2
Full Changelog
Analytics tab: Improve voice over accessibility (Enterprise)
Dashboards a11y: Do not open time zonemenu on focus #120388, @idastambuk
Dashboards: Resolve display names by identity in version history #120273, @ivanortegaalba
Plugins: Forward AWS SDK credential chain env vars to external AWS plugins #120209, @kevinwcyu
Public Dashboards: Prevent unintended CRUD operations from different orgs #120457, @mmandrus
IAM: Handle NULL team_member.external column to fix dashboard loading #120179, @difro
Plugins: Fix installer IsDisabled condition #120568, @andresmgot
Plugins: Forward PLUGIN_UNIX_SOCKET_DIR to plugin processes to fix tmp dir in restricted environments #120275, @HarshadaGawas05
Security: Fixes CVE-2026-27876
Security: Fixes CVE-2026-27877
IMPORTANT Packages starting 1.8.6 to 1.9.0 have been revoked.
1.8.6 - 1.8.13 - Upstream has removed all 1.7.50.x packages. See https://discourse.getgrav.org/t/upgrade-to-grav-v1-7-50-9-not-working/29222/4
1.9.0 - had incorrect beta version update
[1.10.0]
Update greenlight to 3.8.0
Full Changelog
Contains multiple security fixes that will not be be made public before April 3, 2026
Display protected recording formats only if a recording is protectable (#6196)
Multiple gem + package updates
Add optional Accessibility Statement Link (#6184)
Allow Admins to send password reset emails for local users (#6197)
Add RTL support (#6187)
Add disableFormControls functionality to JoinCard (#6217)
Language Updates
[1.0.0]
Update grist-core to 1.7.12
Full Changelog
Airtable imports are now smoother, and the import lands in your current workspace instead of somewhere unexpected. Suggestions got a visual refresh with automatic comparison highlighting as you type. Forms are more accessible, and the API now has a cellFormat=typed option so you can get properly typed values back without guessing.
If you include Grist Labs extensions in your build, there's a new automations UI that lets you set up triggers on your data. You can define conditions on any table, then fire off email notifications or webhooks when rows match. You can send dynamic emails to different recipients based on column values, filter with Python conditions, and monitor everything from a delivery log. Automations are a Grist Labs extension: a paid feature with a 30-day trial, and free for individuals and small orgs (under $1M annual funding). Proprietary features fund the development of grist-core.
New cellFormat=typed option for both the REST API and Custom Widget API, providing consistent, self-describing values that preserve type information for Ref, RefList, Attachments, Date, and DateTime columns
Reduce GRIST_LOG_API_DETAILS logging: omit body and result, add docId (#2175)
Improve accessibility of Undo / Redo action buttons (#2167)
Add max length on text inputs in forms (#2097)
Fix document icon when the second word of the doc name is an emoji (#2170)
Fix unreadable dark mode colors in banners (#2138)
Hide admin panel links in grist-desktop (#2181)
Remove the H / Ctrl+Shift+H shortcut from the "Use as table headers" command
Hello @albertbeaufrand and welcome to the Cloudron Forum
This topic is a duplication of https://forum.cloudron.io/post/97415 and will be merged into it.
Please read the responses above to get the full answer to your question.
[1.21.4]
Update hedgedoc to 1.10.7
Full Changelog
Random colors for user's cursors and selections are now always in hex format to avoid conversion errors
Correctly close realtime connections if they disconnect during connection creation
manage_users CLI does not silently drop errors
[1.9.1]
Update humhub to 1.18.1
Full Changelog
Fix #8003: Migration::foreignIndexExists() doesn't find tables in braces
Fix #8002: Comment dropdowns truncated (e.g. to select a title)
Fix #8007: Fix unsaved changes warning on Profile Edit page
Fix #8008: Space Tour Wrong Target for "Preferences" menu
Fix #8013: Fix error displaying on update a module
Fix #8009: Administration Group label misplaced
Fix #8012: Modal backdrop over the account deletion modal for new Users
Enh #8017: Exclude vendor from module i18n extract
Fix #8020: Some email notifications are missing auto-contrast for the button text color
Fix #8027: Cannot register if showRegistrationForm is disabled
[1.98.2]
Update immich to 2.6.3
Full Changelog
fix(mobile): remove upload timeout by @mertalev in #27237
fix(web): prevent horizontal scroll bar in asset viewer side panel by @michelheusschen in #27270
fix(web): shifting motion image button by @YarosMallorca in #27275
fix(server): filter out empty search suggestions by @michelheusschen in #27292
fix: incorrect asset face sync by @bwees in #27243
Hello @nichu42
Sorry for the delay.
We had a misconfiguration for the CI where the updates were not picked up correctly.
App updates should be available now.
[1.22.10]
Update invoiceninja to 5.13.14
Full Changelog
Fixes for react build
Add group by filter for reports
Add filtering for payment types
Add filtering by assigned users and client ids
[1.13.5]
Update jellyfin to 10.11.8
Full Changelog
Handle folders without associated library in FixLibrarySubtitleDownloadLanguages [MR #16540], by @Shadowghost
Fix subtitle saving [MR #16539], by @MBR-0001
Fix querying media with language filters [MR #16538], by @MBR-0001
[1.12.1]
Update Jirafeau to 4.7.1
Full Changelog
Fixed another possibility to bypass the checks for CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066 (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled.
The default value of max_upload_chunk_size_bytes was set to 5000000. Higher values could trigger a bug Chromium-based browsers on servers with HTTP/3 enabled, causing asynchronous uploads to fail.
Stupid question but when using this does a copy of a user's joplin nots remain on the server or do notes just pass through? My understanding is that webdav files can grow pretty big
[1.17.8]
Update kanboard to 1.2.52
Full Changelog
fix: revoke public tokens for inactive users
fix: use timing-safe comparison for token validation
fix: validate task ownership before applying property changes
fix: enforce visibility controls for public and unprivileged access
fix: use parameterized queries in task finder and iCal
Hello @ikalou and @andreasdueren
This is a known issue.
I have merged your new topic into this existing one.
Scroll up to find the solution and description of this issue.
[2.44.0]
Update kimai to 2.50.0
Full Changelog
Removed support for file:// urls in Markdown (new parsedown package) (#5835)
Fix missing macro in export print template (when rendering user preferences) (#5835)
Fix timesheets with breaks did not work in "weekly hours" screen (#5835)
Allow to customise statistic queries (#5827)
Running TURN server on port 443 only matters for setups where a Client is unable to contact the server on non-port 443. This is only common in some ultra locked down intranet setups.
[1.12.2]
Update leantime to 3.7.3
Full Changelog
fix: backend bug fixes from phase-0 modernization branch by @marcelfolaron in #3289
feat(tokens): add design system CSS custom property definitions by @marcelfolaron in #3290
fix: accessibility, view system, and composer improvements from phase-0 by @marcelfolaron in #3292
fix: ticket PATCH 500 errors, quick-add group context, and UI fixes by @marcelfolaron in #3313
fix: address 6 GitHub issues - session, calendar, postgres, todos, users, ldap by @marcelfolaron in #3315
fix: PostgreSQL ROUND(double precision, int) error on ticket queries (#3301) by @marcelfolaron in #3317
fix: PostgreSQL ROUND error, missing zp_canvas.color migration, and 3.7.2 changelog by @marcelfolaron in #3318
[1.1.6]
Update rag_api to 0.7.3
Full Changelog
fix: add missing averaged_perceptron_tagger_eng NLTK package by @MieszkoMakuch in #265
fix: add missing msoffcrypto-tool package for xlsx file support by @ABHIJITH-EA in #264
fix: Resolve MongoDB Atlas Document Upload Failures and Cross-Batch ID Collisions by @mfish911 in #266
[1.21.0]
Update linkwarden to 2.14.0
Full Changelog
Improved team collaboration
Improved tag browsing with pagination
Faster interface with optimistic rendering
Platform upgrades: Next.js 15 and Expo 54
Improved user experience
Security improvements for submitted links
[1.16.0]
Update listmonk to 6.1.0
Full Changelog
v6.1.0 has important security fixes in addition to several improvements and general bug fixes.
This version has fixes for multiple campaign/list permission validation issues in multi-user environments.
New global Privacy setting to disable view and click tracking.
Ability to proxy S3 media files through listmonk instead of linking to S3 directly.
Lettermint bounce webhook provider.
New global data refresh button on admin nav that works across all pages.
A new 'Duplicate' button to visual e-mail builder block UI options.
PATCH /api/subscribers/:id endpoint for partial subscriber updates.
New granular campaigns:send permission, separate from campaigns:manage for finer access control.
New altbody param to /api/tx for sending multipart plaintext bodies in transactional mails.
[1.17.10]
Update loomio to 3.0.21
Full Changelog
Changes to the Discussion and Poll templates UI. I've had people tell me they couldn't find how to create a template. Now there is a New template button, which opens the example templates page, you can use an example as the starting point for a new template.
Fewer discussion templates in a group by default. Updates to the Sense Check poll options, so they're more helpful.
Materialize default discussion templates as DB records by @robguthrie in #12182
Discussion template UI improvements by @robguthrie in #12181
Add opening_at to polls for scheduled voting by @robguthrie in #12174
Poll template updates by @robguthrie in #12184
This release also addresses a minor security issue, where a member of a group could see the names of secret subgroups they did not belong to, if they inspected the server responses of the reports controller.
[2.44.3]
Update Lychee to 7.5.3
Full Changelog
Composer update by @ildyria in #4216
Added and improved German translations by @hyazinthh in #4217
Fix XSS in /feed by @ildyria in #4218
[1.17.7]
Update mastodon to 4.5.7
Full Changelog
Add --suspended-only option to tootctl emoji purge (#37828 and #37861 by @ClearlyClaire and @mjankowski)
Fix emoji data not being properly cached (#37858 by @ChaosExAnima)
Fix delete & redraft of pending posts (#37839 by @ClearlyClaire)
Fix processing separate key documents without the ActivityStreams context (#37826 by @ClearlyClaire)
Fix custom emojis not being purged on domain suspension (#37808 by @ClearlyClaire)
Fix users without special permissions being able to stream disabled timelines (#37791 by @ClearlyClaire)
Fix processing of object updates with duplicate hashtags (#37756 by @ClearlyClaire)
Hello @mononym
Good thing we have already created the matrix auth service as an app.
But I am not 100% sure if this migration tool will work since it is specific for the ESS Community version.
Will need to test this.
[1.26.0]
Update mattermost to 11.5.1
Full Changelog
Mattermost Platform Release 11.5.1 contains multiple new quality of life improvements, including CJK Database Search, AI Channel Summarization, Agents Web Search, User Authoritative Source, and Channel Auto-Translation.
I know you posted this years ago, but if someone comes by this topic. You select the product (e.g. MaxMind GeoLite City), enter your API Key and hit "Fetch IP Lookup Data Store".
[image: 1774617868420-screenshot-2026-03-27-092349.png]
[1.37.0]
Update mealie to 3.14.0
Full Changelog
The NLP parser now leverages your units database to more accurately parse ingredients with custom units. This is especially handy for non-English recipes, as the NLP data is trained exclusively off of English data. If you're used to using the brute force parser, give the NLP parser a go and see how it fares!
You can now automatically show past days in the meal planner on first load:
feat: Auto-merge Renovate dependency updates @hay-kot (#7280)
feat: Clarification of site settings @Choromanski (#7321)
feat: Add days in the past selector on meal planner @arnassavickas (#6857)
feat: Pass user defined units as custom units to parse_ingredient function. @strangetom (#7334)
fix: Use latest python image as base @dswd (#7276)
fix: Release Commit @Choromanski (#7274)
fix: Fix create token API page @michael-genson (#7325)
@Package-Updates Hi there, would it be possible to update the regular Minecraft server package to something like ver. 26.1.1 or slightly older? 1.21.11 is no longer playable with an up-to-date game.
Or can I somehow trick Minecraft to connect nonetheless?
Regards from Germany
[1.6.13]
Update v2 to 2.2.19
Full Changelog
Remove sensitive values (CSRF tokens, OAuth state, session cookies) from log messages.
Verify OIDC ID token signatures and claims.
Prevent OAuth identity overwrite when already linked.
Clear PKCE verifier and CSRF state after use.
Validate HTTP status from Google userinfo endpoint.
Use HMAC-SHA256 instead of SHA1 for Google Reader API authentication.
Use constant-time comparison for token validation.
Fix potential DoS when truncating large untrusted input in templates.
Reject oversized favicons.
The app package runs the cron job as outlined in https://github.com/monicahq/monica/blob/4.x/docs/installation/providers/generic.md#4-configure-cron-job
Can you open a webterminal into the app and run it manually via:
sudo -E -u www-data php /app/code/artisan schedule:run
and see if it shows an error or sends the mails then?
I did a clean install of n8n and it installed quickly. So something is/was up with my old n8n instance. Not a huge problem, I'll just migrate my workflows to the new and archive the old instance.
[1.28.1]
Update navidrome to 0.61.1
Full Changelog
This patch release addresses a WebP performance regression on low-power hardware introduced in v0.61.0, adds a new EnableWebPEncoding config option and a configurable UI cover art size, and includes several Subsonic API and translation fixes.
| New | EnableWebPEncoding | Opt-in to WebP encoding for resized artwork. When false (default), Navidrome uses JPEG/PNG (preserving the original source format), avoiding the WebP WASM encoder overhead that caused slow image processing on low-power hardware in v0.61.0. Set to true to re-enable WebP output. Replaces the internal DevJpegCoverArt flag. (#5286) | false |
| New | UICoverArtSize | Size (in pixels, 2001200) of cover art requested by the web UI. It was increased from 300px to 600px in 0.61.0; now configurable and defaulting to 300px to reduce image encoding load on low-power hardware. Users on capable hardware can raise it for sharper thumbnails. (#5286) | 300 |
| Changed | DevArtworkMaxRequests | Default lowered from max(4, NumCPU) to max(2, NumCPU/2) to reduce load on low-power hardware. (#5286). (Note: this is an internal configuration and can be removed in future releases) | max(2, NumCPU/2) |
| Removed | DevJpegCoverArt | Replaced by the user-facing EnableWebPEncoding option. (#5286) | |
[2.26.0]
Update NodeBB to 4.10.0
Full Changelog
add /world as a potential home page route (58d3aa7)
add category selector to /world quick composer (2f5021e)
ability to show only local posts in /world (44e65b8)
#14094, notification drawer UX improvements (6c01a5d)
allow 3 profile pics (#14092) (533ae69)
category group actor outbox, #14083 (b317cdd)
improve idempotency of ap test (8ca34e7)
call syncfollowcounts on unfollow as well (ebe709d)
sync follow counts on local and remote follows, #14105 (44e78e4)
cold load redirect should only affect guests (cc60667)
[1.24.0]
Update ntfy to 2.21.0
Full Changelog
This release adds the ability to verify email addresses using the smtp-sender-verify flag. This is a change that is required because ntfy.sh was used to send unsolicited emails and the AWS SES account was suspended. Going forward, ntfy.sh won't be able to send emails unless the email address was verified ahead of time.
Add verified email recipients feature with smtp-sender-verify config flag, allowing server admins to require email
address verification before sending email notifications (#1681)
[1.8.1]
Update ollama to 0.20.2
Full Changelog
app: default app home view to new chat instead of launch by @jmorganca in #15312
bench: add prompt calibration, context size flag, and NumCtx reporting by @dhiltgen in #15158
model/parsers: fix gemma4 arg parsing when quoted strings contain " by @drifkin in #15254
ggml: skip cublasGemmBatchedEx during graph reservation by @jessegross in #15301
gemma4: enable flash attention by @dhiltgen in #15296
ggml: fix ROCm build for cublasGemmBatchedEx reserve wrapper by @jessegross in #15305
model/parsers: rework gemma4 tool call handling by @drifkin in #15306
[1.5.0]
Update omeka-s-module-Ldap to 0.7.0
Full Changelog
Add update hook on existing ldap user
Improve attributes retrieval by asking all ldap attributes and using it
potentially in another module
[1.25.0]
Update DocumentServer to 9.3.0
Full Changelog
Implemented the ability to add hyperlinks to images, shapes, or groups
Implemented all settings for texture fills for images
Updated macro recording in documents, spreadsheets, and presentations
Added Multiple pages view
Added the Zoom to 100% and Multiple pages buttons to the View tab
Changed the appearance of comments. Now a users color is used and the beginning and end of the comment are displayed
Implemented the ability to select words/paragraphs by double/triple-clicking the mouse
Added saving to the MD format
Moved header and footer settings to a separate Header & Footer tab
Added support for new functions: REGEXTEST, REGEXREPLACE, REGEXEXTRACT
[1.8.3]
Update openhab-distro to 5.1.3
Full Changelog
Restore model validation not to fail on diagnostic errors for rules and scripts
Fix community marketplace discourse parsing
Align x-axis and query to daysOfMonth for aggregated series
zwave: Fix zwave network map display in 5.1.x
item-state-preview: Fix toggle switch not being fully re-rendered on Item change
useStatesStore: Fix error in expression tester with =items formula
[3.47.3]
Update openproject to 17.2.3
Full Changelog
CVE-2026-34717 - SQL Injection in Cost Reporting =n Operator via parse_number_string
The =n operator in cost reports did not appropriately treat user input
This vulnerability was reported by user Ochk0 through a GitHub security advisory. Thank you for responsibly disclosing your findings.
For more information, please see the GitHub advisory #GHSA-5rrm-6qmq-2364
Hi @girish so I learned something while setting up my Radicale and OWC. It seems like the calendar client publishing in to the ICS in Radicale (or wherever your ICS source lives) can matter. When I used the Calendar app on macOS I saw no descriptions. When I used Thunderbird I do. You can see it on my live page that has the OWC page in an iframe https://kb.filewave.com/books/community-engagement/page/customer-event-schedule and if you click on events in the agenda then the description shows.
I think initially I was also hoping to show description on the Agenda page without clicking on an event but originally I was bothered that I just couldn't get description to show up. So now it does at least show up when you click an event. I haven't looked at why Calendar doesn't make a summary that shows and Thunderbird does but I'm fine using Thunderbird to put events in my calendar feed.
[3.2.10]
Update open-webui to 0.8.11
Full Changelog
Responses API streaming improvements. The OpenAI proxy now properly handles tool call streaming and re-invocations in the Responses API, preventing duplicate tool calls and preserving output during model re-invocations. Commit, Commit, Commit, Commit
Responses API stateful sessions. Administrators can now enable experimental stateful session support via the ENABLE_RESPONSES_API_STATEFUL environment variable, allowing compatible backends to store responses server-side with previous_response_id anchoring for improved multi-turn conversations. Commit
File viewing pagination. The view_file and view_knowledge_file tools now support pagination with offset and max_chars parameters, allowing models to read large files in chunks. Commit
Knowledge search scoping. The search_knowledge_files tool now respects model-attached knowledge, searching only within attached knowledge bases and files when available. Commit
Tool HTML embed context. Tools can now return custom context alongside HTML embeds by using a tuple format, providing the LLM with actionable information instead of a generic message. #22691
Trusted role header configuration. Administrators can now configure the WEBUI_AUTH_TRUSTED_ROLE_HEADER environment variable to set user roles (admin, user, or pending) via a trusted header from their identity provider or reverse proxy. #22523
OIDC authorization parameter injection. Administrators can now inject extra parameters into the OIDC authorization redirect URL via the OAUTH_AUTHORIZE_PARAMS environment variable, enabling IdP pre-selection for brokers like CILogon and Keycloak. #22863, Commit
Google OAuth session persistence. Administrators can now configure Google OAuth to issue refresh tokens via the GOOGLE_OAUTH_AUTHORIZE_PARAMS environment variable, preventing OAuth sessions from expiring after one hour and ensuring tools and integrations that rely on OAuth tokens remain functional. #22652
Embed prompt confirmation. Interactive tool embeds can now submit prompts to the chat without requiring same-origin access, showing a confirmation dialog for cross-origin requests to prevent abuse. #22908
Tool binary response handling. Tool servers can now return binary data such as images, which are properly processed and displayed in chat for both multimodal and non-multimodal models. Commit, Commit
osTicket has finally officially announced osTicket 2.0, with an RC1 being released "shortly". They launched a new site https://next.osticket.com/ to showcase the work that has been done and a video demo.
[1.21.1]
Update outline to 1.6.1
Full Changelog
A bug affecting file and image upload in the editor was fixed in #11803
MCP: Now has tools to move documents within a collection in #11799
MCP: Now supports API key header authentication in #11798
Added Tahoe-compatible icon variants for PWA in #11762
Fixed a race condition when editing title while doc is saving would reset the title in #11764
Added support for the new GitLab work_items URL structure in #11795
Print layout now respects full-width option by @wmTJc9IK0Q in #11768
Fixed a page hang with corrupted PNG upload in #11783
Improved validation of SMTP_FROM_EMAIL and SMTP_REPLY_EMAIL in #11784
Custom port is now preserved in OAuth metadata URLs when self-hosted behind a reverse proxy in #11791
[1.6.1]
Update owncast to 0.2.4
Full Changelog
Lots of localization changes, both in how they work across the web application, and adding more support for them. So more places should show more languages.
The backend refactor continues with more splitting things off into standalone data repositories and services.
Higher bitrates can now be selected in the video encoding settings.
There's a new webhook that fires when you get a new Fediverse follower.
Admin: add line divider in sidebar #4098
Display shortcut keys of hide/show chat in Dropdown menu #4096
Create a custom Translation component #4428
Add support for pluralization in the new Translation component #4440
Add support for translations in the web project #3950
Add server status as a default field in all webhooks #4384
You can still install it like this https://my.<cloudron>/#/appstore/rocks.paperwork.cloudronapp . But note that it was last updated 3 years ago. I tried to build a new version with latest with PHP a year ago and the app was not even building anymore. They have been re-writing a new version for a couple of years now.
[4.6.5]
Update PeerTube to 8.1.5
Full Changelog
Fix infinite loop when processing some GIF images
Correctly inject custom admin colors in dark theme
Fix broken player when loading the page in background
The upstream project has not released in almost 3 years now.
We had to build from develop to get some PHP 8 support going, but there are bugs like https://github.com/phpservermon/phpservermon/issues/1196 , https://github.com/phpservermon/phpservermon/issues/1232 .
There's also a bunch of basic issues:
Normal user cannot login after admin user logs in. Some issue related to service worker.
LDAP functionality is incomplete
Hi,
It looks like the package is gone from the cloudron supported apps, has anyone tried self-hosting it by following the official method as presented in their doc, with success? (https://docs.postiz.com/quickstart)
[1.11.3]
Update PrivateBin to 2.0.3
Full Changelog
FIXED: Prevent arbitrary PHP file inclusion when enabling template switching
FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users
FIXED: Unable to create a new paste from the cloned one when a JSON file attached (#1585)
[2.10.0]
Update prometheus to 3.10.0
Full Changelog
[CHANGE] Alerting: Add alertmanager dimension to following metrics: prometheus_notifications_dropped_total, prometheus_notifications_queue_capacity, prometheus_notifications_queue_length. #16355
[CHANGE] UI: Hide expanded alert annotations by default, enabling more information density on the /alerts page. #17611
[FEATURE] AWS SD: Add MSK Role. #17600
[FEATURE] PromQL: Add fill() / fill_left() / fill_right() binop modifiers for specifying default values for missing series. #17644
[FEATURE] Web: Add OpenAPI 3.2 specification for the HTTP API at /api/v1/openapi.yaml. #17825
[FEATURE] Dockerfile: Add distroless image variant using UID/GID 65532 and no VOLUME declaration. Busybox image remains default. #17876
[FEATURE] Web: Add on-demand wall time profiling under <URL>/debug/pprof/fgprof. #18027
[ENHANCEMENT] PromQL: Add more detail to histogram quantile monotonicity info annotations. #15578
[ENHANCEMENT] Alerting: Independent alertmanager sendloops. #16355
[ENHANCEMENT] TSDB: Experimental support for early compaction of stale series in the memory with configurable threshold stale_series_compaction_threshold in the config file. #16929
[2.8.0]
Update rallly to 4.8.1
Full Changelog
This patch fixes a client-side crash on the registration page and enables click and drag behaviour on the poll table view component.
Notification settings Configure global notification preferences (new responses, new comments) from your account settings. (#2254)
Per-poll notification muting Mute notifications for individual polls using the bell icon in the poll admin view, replacing the previous watcher-based system. (#2268)
Success dialog after poll creation After creating a poll, you'll see a shareable invite link with copy-to-clipboard before being taken to the poll page. (#2281)
User avatars in participant list Profile pictures now display alongside participants in poll views for better visual recognition. (#2284)
Improved time zone selector Replaced the modal-based selector with an inline searchable combobox showing city names and UTC offsets. (#2261)
Improved error page Errors now show a user-friendly page with localized messaging and quick navigation links (home, create poll, support, GitHub). (#2220)
SMTP_TLS_SERVERNAME env var Allows explicit SNI configuration for SMTP servers hosting multiple certificates. (#2298)
Poll description missing from scheduled events Poll descriptions are now correctly passed through when booking a poll as a calendar event. (#2202)
Crash on deleted poll Accessing a poll that no longer exists now shows a proper 404 page instead of crashing. (#2218)
[3.11.1]
Update redmine to 6.1.2
Full Changelog
Defect #43661: Unsafe eval usage in AttachmentsHelper
Defect #43690: Directory Traversal via Backslash-Separated Paths in Filesystem SCM
Defect #43691: DOM (Stored) XSS in @mention autocomplete via unescaped user name
Defect #43692: LDAP Injection (Unescaped Input in LDAP Search Filter)
Defect #43694: DOM XSS: HTML Injection via Custom Field Name in Query Filter Generation
Defect #43830: User who is allowed to view only their own time entries can retrieve other users’ time entry details by directly specifying the TimeEntry ID via the REST API
Defect #43864 / #43840: Update Nokogiri to 1.18.9 (5.1.12) or 1.19.1 (6.1.2 and 6.0.9).
Just installed ReleaseBell to monitor the apps I am packaging.
But it's not accurate
Shows https://github.com/windmill-labs/windmill as v1.457.0 but the actual GitHub page shows 1.645.0
Is there some config I should be changing ?
Actually, just noticed it has 2 entries for windmill ( a starred project ), the other showing 1.573.0
[3.1.0]
Update Rocket.Chat to 8.2.1
Full Changelog
(#39508 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
(#39517 by @dionisio-bot) Fixes ssrf validation for oauth endpoints, which allows internal endpoints to be used during the auth flow.
This release focuses on security, stability, and usability improvements.
SSRF protection was strengthened by moving URL validation into the server-fetch package with built-in safeguards like internal IP blocking, DNS rebinding protection, stricter redirect handling, and optional safe overrides, plus a new workspace allowlist for specific domains, IPs, and ports.
The minimum supported MongoDB version was raised to 8.0 to improve the support matrix's stability.
Federation now includes an added validation layer that restricts usage to users with verified emails matching the configured domain.
OpenAPI documentation generation was improved to correctly handle multiple HTTP methods under the same endpoint path.
Apps-Engine now supports multiple file uploads, a new uploads.delete endpoint allows individual file deletion, and username formatting across the UI has been standardized to consistently include an @ prefix.
The release also delivers a broad set of reliability and security fixes. It resolves a persistent Enterprise plan active pop-up caused by a failing API request, ensures chat routing respects agent limits in microservices deployments, and adds a MongoDB TTL index to automatically expire statistics after one year to control storage growth.
Several Apps-Engine issues were addressed, including lost logs in nested requests and broken dynamic route parameters.
[2.9.5]
Update roundcubemail to 1.6.15
Full Changelog
SVG Animate FUNCIRI Attribute Bypass Remote Image Loading via fill/filter/stroke, reported by class_nzm.
Fix regression where mail search would fail on non-ascii search criteria (#10121)
Fix regression where some data url images could get ignored/lost (#10128)
Fix SVG Animate FUNCIRI Attribute Bypass Remote Image Loading via fill/filter/stroke
Given that the upstream project is not maintained anymore, we have hidden this in the appstore.
I had also submitted a PR upstream for a basic issue which is ignored - https://github.com/aliasaria/scrumblr/pull/161
@girish said:
@rmdes @odie I have updated the app to use symlinks under /app/data/bridges. You can add new bridges there or delete some symlink and add your own.
Thank you! Works excellent!
[1.4.0]
Update serpbear to 3.1.0
Full Changelog
add subdomain matching functionality (4533737), closes #324
enhance error handling and response structure in scraper functions (4f394c2)
minor ui issue (eecf88a)
prevent corrupt failed queue file to reset the app settings (c306fa0), closes #328
resolves broken google ads oauth of instances behind reverse proxy (a988b13), closes #326
resolves cron issue with certain port mapping config (d86616a)
resolves issue that prevents refreshing all keywords when one fails (77cfa2f)
[1.4.1]
Update sftpgo to 2.7.1
Full Changelog
SFTPD: Added support for OpenPubkey SSH, enabling tighter integration between OpenID Connect and SFTP.
Enforced password validation rules also when applied through a group.
Fixed an issue where JSON dumps containing command actions failed to load correctly at startup when loaded as initial data.
Data Provider: Fixed lock handling issues during migrations that could affect MySQL when migrations are executed concurrently by multiple instances.
Fixed a potential path traversal and permission bypass involving specially crafted paths. CVE-2026-30914.
Fixed placeholder sanitization in group home directories and key prefixes. CVE-2026-30915.
Unified path handling: Prior to this release, the backslash character (\) was treated differently depending on the host operating system: on Linux, it was considered a standard character within a file or directory name, while on Windows, it acted as a path separator. We have now unified path handling across all platforms. Moving forward, both forward slashes (/) and backslashes (\) are strictly evaluated as path separators, independently of the underlying OS.
[2.18.0]
Update Shaarli to 0.16.0
Full Changelog
v0.x branches and tags will no longer be maintained after v0.16. Always upgrade to the latest release to receive bugfixes and security patches.
docs: update PHP version compatibility table
fix stored XSS via suggested tags (GHSA-g3xq-mj52-f8pg)
build(deps): update frontend build dependencies (js-yaml/glob)
@girish said in SickChill unlisted from app store:
I hope they atleast bring back the issue tracker
Out of interest, why does this matter for Cloudron?
BTW, someone has replied to the thread I started on Discord informing me that the master releases are these https://pypi.org/project/sickchill/
Doesn't look like there has been a new one since March though.
[1.3.0]
Update shiori to 1.8.0
Full Changelog
feat(apiv1): refactor tags api (#1075)
feat: add PWA support share functionality (#1060)
feat: add apis to handle bookmark tags (#1081)
feat: allow tag filtering and count retrieval via api v1 (#1079)
feat: improve SQLite performance (#1024)
feat: reverts message in json output and allows configuration (#1082)
feat: support proxy forward headers authentication (#1105)
fix: auth validation on existing sessions, rely on token only (#1069)
fix: incorrectly set cookie's expires value in login.js (#1049)
fix: parse pocket new CSV format (#1112
[1.19.0]
Update snipe-it to 8.4.0
Full Changelog
Added "reset to default" for theme, preview for effects in profile by @snipe in #18347
Add SCIM url to admin settings index view by @snipe in #18358
Fixed #18325: Ensure existing permission group users are maintained when editing a group by @dylang3 in #18326
Replaced deprecated Symfony Request::get() usage by @joelpittet in #18363
Bump actions/upload-artifact from 5 to 6 by @dependabot[bot] in #18349
Bump actions/cache from 4 to 5 by @dependabot[bot] in #18348
Fixed #18384: Remove backticks in bulk-actions.blade.php to avoid unintentional shell_exec() call by @dylang3 in #18388
Fixed #18377 - make min for names consistent by @snipe in #18392
Fixed: paragonie/sodium_compat - Missing check that a point is on the prime subgroup for Edwards25519 by @joelpittet in #18391
Just checked on this again but it seems statping-ng is not going forward much . https://github.com/statping-ng/statping-ng/tags says the release was almost a year ago.
[1.33.16]
Update syncthing to 2.0.15
Full Changelog
Database backend switched from LevelDB to SQLite. There is a migration on
first launch which can be lengthy for larger setups. The new database is
easier to understand and maintain and, hopefully, less buggy.
The logging format has changed to use structured log entries (a message
plus several key-value pairs). Additionally, we can now control the log
level per package, and a new log level WARNING has been inserted between
INFO and ERROR (which was previously known as WARNING...). The INFO level
has become more verbose, indicating the sync actions taken by Syncthing. A
new command line flag --log-level sets the default log level for all
packages, and the STTRACE environment variable and GUI has been updated
to set log levels per package. The --verbose and --logflags command
line options have been removed and will be ignored if given.
packages, and the STTRACE environment variable and GUI has been updated
[1.12.4]
Update recipes to 2.6.4
Full Changelog
added Household setup page and default creation to welcome stepper
added django migration records to admin
fixed food shopping sub endpoint not validating amount and unit inputs https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554
fixed a shared user could make changes to a book trough the API https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-xvmf-cfrq-4j8f
fixed style tags allowed in rendered markdown could lead to CSS injection in third party clients that did not properly clean the output on the frontend https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-9hhh-g2fc-r8x2
fixed recipe batch update endpoint could be used to update private recipes of other space members if the ID was known https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5
fixed performance issues on some admin views
fixed admins can accidentally lock themselves out of their space
fixed category order jumping in shopping list when checking and not having any supermarket selected #4446
fixed selecting no supermarket in shopping not working
@timconsidine said in Teddit Subscriptions no longer working:
Just FYI - my LibReddit - selfhosted as Docker on another VPS = is still working.
But now it is down.
Maybe they have caught up with me.
@Sam_uk we have unlisted TLDraw by now. Please see https://forum.cloudron.io/topic/10806/no-more-updates-to-tldraw . The license and company direction has changed.
[2.5.0]
Update transmission to 4.1.0
Full Changelog
Improved TP download performance. (#6508)
Added support for IPv6 and dual-stack UDP trackers. (#6687)
Support trackers that only support the old BEP-7 with &ipv4= and &ipv6=. (#7481)
New JSON-RPC 2.0-compliant RPC API. (#7269)
Added optional sequential downloading. (#4795)
Use native icons for menus and toolbars: SF Symbols on macOS, Segoe Fluent on Windows 11, Segoe MDL2 on Windows 10, and XDG standard icon names everywhere else. (#7819, Qt Client)
Fixed 4.0.6 bug where Transmission might spam HTTP tracker announces. (#7086)
Improved libtransmission code to use less CPU. (#4876, #5645, #5715, #5734, #5740, #5792, #6103, #6111, #6325, #6549, #6589, #6712, #7027, #7744, #7800)
Avoid unnecessary heap memory allocations. (#5519, #5520, #5522, #5527, #5540, #5649, #5666, #5672, #5676, #5720, #5722, #5725, #5726, #5768, #5788, #5830, #6542)
Slightly reduced latency when sending protocol messages to peers. (#5394)
[1.28.2]
Update Trilium to 0.102.2
Full Changelog
Improved request handling for SVG content in share routes
Improved request handling for SVG content in the main API
Enhanced content rendering in the Mermaid diagram editor
Fixed toast notifications to properly escape content
Added validation for the docName attribute in the document renderer
Marked docName as a sensitive attribute in the commons module
Added Electron fuses to harden the desktop application against external abuse
Improved application integrity checks
Added MIME type validation for image uploads via ETAPI
Aligned attachment upload validation with note upload validation
[1.24.3]
Update vaultwarden to 1.35.4
Full Changelog
GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID.
GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them.
GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.
Update Rust and Crates and GHA by @BlackDex in #6843
hide remember 2fa token by @stefan0xC in #6852
fix(send_invite): invite links by @proofofcopilot in #6824
Misc organization fixes by @BlackDex in #6867
[1.75.0]
Update verdaccio to 6.4.0
Full Changelog
Package Filter Plugins (#5786, #5548) by @vsugrob, @pyhp2017 @juanpicado @juanpicado
Block a compromised package version
Block an entire malicious scope
Quarantine recently published versions
Freeze registry to a point in time
Whitelist trusted packages within blocked rules
fix(deps): Updated lodash to v4.18.1 (#5777)
fix(deps): Updated core @verdaccio/* dependencies (#5674, #5780)
fix(middleware): stream is not readable (http 500) #5655 @mbtools
fix: handle missing host header in URL basename resolution eabde8c @juanpicado
[1.22.1]
Update vikunja to 2.2.2
Full Changelog
Require admin access to list link shares (5cd5dc4)
Hide link sharing section in UI for non-admin users (74d1bdd)
(auth) Reject disabled/locked users in OIDC callback
(auth) Reject disabled/locked users in API token middleware
(auth) Return correct error type for locked users in OIDC callback
(auth) Reject disabled/locked users in CheckUserCredentials
(auth) Skip profile updates for disabled LDAP users
(caldav) Replace href with pathname from parseURL for api base
(frontend) OrigUrlToCheck references the same object as urlToCheck
(openid) Merge VikunjaGroups and ExtraSettingsLinks from userinfo
[2.5.6]
Update wallabag to 2.6.14
Full Changelog
Change version in wallabag.yml by @nicosomb in #8251
Fix deprecation by @j0k3r in #8267
Add annotations filter to entries API endpoint by @skn in #8346
Update dependencies by @yguedidi in #8435
Bump deps (mostly for siteconfig) by @j0k3r in #8489
Fix reading time computation for short entries by @andreadecorte in #8332
Fix urls parameter when sending many urls to be stored using the API by @j0k3r in #8488
Prepare 2.6.14 by @j0k3r in #8494
[1.21.0]
Update Wallos to 4.8.0
Full Changelog
add openai compatible host for ai recommendations (99c30e7)
enable ai recommendations at a schedule (99c30e7)
move update banner to the dashboard (99c30e7)
handle some ai responses that come in a different format (99c30e7)
[1.38.1]
Update weblate to 5.16.2
Full Changelog
New setting <a href="https://docs.weblate.org/en/weblate-5.16.2/admin/config.html#std-setting-PUBLIC_ENGAGE" class="reference internal"><span class="pre"><code class="xref std std-setting docutils literal notranslate">PUBLIC_ENGAGE</code></span></a> to make the engage page public even with <a href="https://docs.weblate.org/en/weblate-5.16.2/admin/config.html#std-setting-REQUIRE_LOGIN" class="reference internal"><span class="pre"><code class="xref std std-setting docutils literal notranslate">REQUIRE_LOGIN</code></span></a>.
Improved matching in <a href="https://docs.weblate.org/en/weblate-5.16.2/admin/memory.html" class="reference internal"><span class="doc">Translation Memory</span></a>.
Show the number of strings waiting for review in listings.
Avoid displaying confusing status icons for ghost languages on project or category level.
Fixed missing plural source strings when creating new bilingual plural units.
Crash on certain pages with nested categories.
Improved API validation when adding strings.
Disabled throttling for incoming webhooks.
Avoid displaying non-actionable ghost languages.
Fixed highlighting in the translation editor.
[4.104.0]
Update wekan to 8.42
Full Changelog
Fix SSO login is broken.
Export Card to Excel. Part 2.
Fixed 2nd new card should not have text of 1st card, it should be empty.
Fix: prevent cards from disappearing after dragging in List view.
Fixed Board lost its member list or permissions.
Export Card to Excel and related fixes. Part 1.
[2.14.0]
Update woodpecker to 3.13.0
Full Changelog
Update quic-go/qpack & quic-go/quic-go #5885
fix: updateRepoPermissions to cleanup old permissions #5790
Add cli contexts #5929
Use repo-user for api call of cron #5967
Close opened file on LogFind #5961
Delete/Deactivate repo ignores missing repo at forge #5953
Correctly update repo permissions #5928
Revert repos pagination for GH and BB #5924
fix: send correct argument to rpc call for name/url #5922
fix: secrets-file flag #5909
Problems with Flameshot, GNU+Linux, Wayland, keyboard short-cuts?
Check out this blog for solutions and save time, especially if you use Bazzite as your operating system.
https://wanderingmonster.dev/blog/flameshot-xbackbone-linux/
Could be. Cloudron uses the default URL size - https://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
If you want to experiment, edit the file in /etc/nginx/applications/*conf and then systemctl restart nginx .
