[1.14.12]
Update AdGuardHome to 0.107.73
Full Changelog
Authentication is now applied to requests that have been upgraded from HTTP/2 Cleartext (H2C) requests to public resources.
Incorrect client IP logging in failed authentication attempts when using a proxy ([#8198]).
Incorrect logger behavior in case -v flag is added.
[1.25.1]
Update ampache to 7.9.1
Full Changelog
Translations 2026-02-20
Config version 87
Add cli_no_color to disable colors for cli output
Add user_create_apikey to add an API Key to the account when a new user is created
admin:updateUser: Reset user API key, Stream token, RSS token and access level
admin:listUsers: Add -a|--apikey parameter to print the user API key
admin:listUsers: Only print user from username or user id. If both are set use username
Return an error when all items in scrobble call are not found
Custom CSS path folder
MPD status incorrectly stopping processes
[1.7.0]
Update answer to 2.0.0
Full Changelog
New: AI Assistant feature (@shuashuai @LinkinStars #1479)
New: MCP server feature (@LinkinStars @shuashuai #1480)
New: API Keys feature (@LinkinStars @shuashuai #1482)
New: Editor plugin support (@robinv8 #1481)
Fixed: Add user in the Admin, no result prompt after submission (@bimakw #1457)
Fixed: Fix/external id notification (@IfDougelseSa #1465)
Fixed: fix: expand avatar column length from 1024 to 2048 (@csouls #1463)
Fixed: When the input type of SchemeForm is a number, the default value of 0 is not displayed.@shuashuai
[1.97.1]
Update audiobookshelf to 2.33.1
Full Changelog
API Keys not respecting user enabled/disabled flag
Podcast episode update endpoint sanitizes HTML for subtitle
Playlist & collection create/update endpoints strip HTML tags from name
More strings translated
Belarusian by @pavel-miniutka
German by @fabianjuelich
Spanish by @cyphra
Thanks for reporting here @gardinermichael . We have in fact hidden the app package because there were many issues with it and we couldn't manage to get it to be stable . Maybe we should revisit this.
[1.36.6]
Update uv to 0.11.6
Full Changelog
Do not remove files outside the venv on uninstall (#18942)
Validate and heal wheel RECORD during installation (#18943)
Avoid uv cache clean errors due to Win32 path normalization (#18856)
[1.6.6]
Update beszel to 0.18.7
Full Changelog
Add more disk I/O metrics (utilization, read/write time, await, queue depth) (#1866)
Add ability to copy alerts between systems by @svenvg93 (#1853)
Add SENSORS_TIMEOUT environment variable (#1871)
Replace distatus/battery with an internal implementation by @svenvg93 (#1872)
Restrict universal token API to non-superuser accounts (#1870)
Fix macOS ARM64 crashes by upgrading gopsutil to v4.26.3 (#1881, #796)
Fix text size for system names in grid view by @Malith-Rukshan (#1860)
Fix NVMe capacity reporting for Apple SSDs by @svenvg93 (#1873)
Fix Windows root disk detection when the executable is not on the root disk (#1863)
Fix nested virtual filesystem inclusion in Docker when mounting host root by @svenvg93 (#1859)
That sounds like a classic timezone issue. Allday appointments don't really need timezone information, but lots of client still include them.
And when a client then parses it, that wants to use a different timezone you end up with an appointment that is shown over multiple days because it starts at e.g. 1:00 and not 0:00 because of the timezone.
Calendars are not as easy as they look.
Hello @luckow
This is not documented very well.
Had to look into the Castopod code to find the URL path to the API.
https://github.com/ad-aures/castopod/blob/bc041702dd8058ae8e1831b9609827c911a5a626/modules/Api/Rest/V1/Config/RestApi.php#L35
public string $gateway = 'api/rest/v1/';
So the full URL would be https://castopod.cloudron.dev/api/rest/v1/podcasts
curl https://castopod.cloudron.dev/api/rest/v1/podcasts
[]
After creating one:
curl https://castopod.cloudron.dev/api/rest/v1/podcasts
[{"id":1,"guid":"2bdee7b8-8131-5888-b4da-713d7b3a124a","actor_id":1,"handle":"demopadcast","title":"Demo Podcast","description_markdown":"DESC","description_html":"<p>DESC</p>\n","cover_id":3,"banner_id":null,"language_code":"en","category_id":1,"parental_advisory":null,"owner_name":"james","owner_email":"james@cloudron.example","is_owner_email_removed_from_feed":true,"publisher":"","type":"episodic","medium":"podcast","copyright":"","episode_description_footer_markdown":null,"episode_description_footer_html":null,"is_blocked":false,"is_completed":false,"is_locked":true,"imported_feed_url":null,"new_feed_url":null,"payment_pointer":null,"location_name":null,"location_geo":null,"location_osm":null,"verify_txt":"","custom_rss":null,"is_published_on_hubs":false,"partner_id":null,"partner_link_url":null,"partner_image_url":null,"is_premium_by_default":false,"created_by":1,"updated_by":1,"published_at":null,"created_at":{"date":"2026-03-03 11:06:44.000000","timezone_type":3,"timezone":"UTC"},"updated_at":{"date":"2026-03-03 11:06:44.000000","timezone_type":3,"timezone":"UTC"},"feed_url":"https://castopod.cloudron.dev/@demopadcast/feed.xml","actor_display_name":"Demo Podcast","cover_url":"https://castopod.cloudron.dev/media/podcasts/demopadcast/cover.jpg","categories":[{"id":1,"parent_id":null,"code":"arts","apple_category":"Arts","google_category":"Arts","translated":"Arts"}]}]
[1.29.7]
Update changedetection.io to 0.54.8
Full Changelog
CVE-2026-35490 - Authentication Bypass via Decorator Ordering
Extendable theme pluggy implementation by @dgtlmoon in #4011
[1.50.1]
Update chatwoot to 4.12.1
Full Changelog
Fixed an issue where AI Assist returned a 404 error in the Community Edition.
Fixed a regression introduced in v4.8.0 where webhook payloads for message_created and message_updated were sending channel-rendered HTML instead of the original raw message content.
@jypelle this is possible if the package is adjusted to have the config file available in /app/data and a script to restart/reload the relevant service.
[2.10.0]
Update cubby to 2.10.0
Improve error feedback on new file or folder creation
Various relogin state fixes to not lose target resource
Ensure public shares can be reopened after session failure
Update dependencies
[1.11.1]
Update dawarich to 1.6.1
Full Changelog
Info badge on import form suggesting users zip large files (200MB+) before uploading.
Missing SVG icons for activity breakdown (ship, circle).
Fix compressed zip files failing to import with "No such file or directory" error. Rubyzip needs to re-open the source zip for compressed entries, but the temp file could be garbage collected before extraction completes #2446.
Fix anomaly filter crashing on large imports (millions of points) due to loading all points into memory at once. Speed-based filtering now processes data in monthly chunks.
[2.17.2]
Update directus to 11.17.2
Full Changelog
@directus/app
Moved useShortcut and translateShortcut in @directus/composables (#26979 by @HZooly)
added timezone support to datetime display (#26184 by @u12206050)
Added comparison modal checkbox to allow viewing only modified fields (#27010 by @robluton)
@directus/composables
Moved useShortcut and translateShortcut in @directus/composables (#26979 by @HZooly)
@directus/app
Fixed alias fields being included when selecting all fields in export (#26775 by @tysoncung)
Fixed invite acceptance error to display correctly on the frontend and allow for error translation (#26971 by @faizkhairi)
Fixed relational field removals inside groups not persisting on draft items (#26917 by @HZooly)
[2.7.0]
Update distribution to 3.1.0
Full Changelog
Fixes CVE-2026-35172
Fixes CVE-2026-33540
Adds support for tag pagination (#4360, #4353)
Fixes default credentials in Azure storage provider (#4619)
Drops support for go1.23 and go1.24 and updates to go1.25
fix: implement JWK thumbprint for Ed25519 public keys by @zhangyoufu in #4626
fix: Annotate code block from validation.indexes configuration docs by @anzoman in #4629
feat: extract redis config to separate struct by @shanduur in #4620
Fix: resolve issue #4478 by using a temporary file for non-append writes by @onporat in #4624
fix: set OTEL traces to disabled by default by @jcpunk in #4671
[1.19.0]
Update documenso to 2.8.0
Full Changelog
fix: upgrade @libpdf/core by @Mythie in #2569
fix: upgrade @libpdf/core by @Mythie in #2572
feat: add pdf image renderer by @dguyen in #2554
fix(i18n): mark dropdown and radio placeholder for translation by @mKoonrad in #2537
fix: show current month data and add caching by @ephraimduncan in #2573
feat: add embedded envelopes by @dguyen in #2564
fix: performance improvements by @dguyen in #2581
feat: implement template search functionality by @catalinpit in #2376
feat: auto-disable telemetry when license key is configured by @ephraimduncan in #2562
fix: make signing page left-hand sidebar collapsible by @catalinpit in #2541
[1.14.3]
Update docuseal to 2.4.3
Full Changelog
Fix unicode and right-to-left text in the Stamp field.
Memory usage optimization
Manage e-signature templates, submissions, and submitters with the terminal or AI agent.
https://github.com/docusealco/docuseal-cli
Compare Source
[1.13.2]
Update dolibarr to 23.0.2
Full Changelog
FIX: #37412 Better fix
FIX: #37461 #37511 Accountancy - Bank journal - Problem of cache (#37603)
FIX: #37482
FIX: #37551 Accounting - Use better rights on create / export entry (#37555)
FIX: #37707
FIX: #37707 Can pay supplier invoices with the same parent company
FIX: Accountancy - Need more information about mandatory step in various journal (#37573)
FIX: - Added user filtering for displaying leave in the calendar (#37385)
FIX: Add http code 503 on deadlock
FIX: API Warehouse : Error 401 when getting warehouse by id (backport from 22)
[1.7.1]
Update easyappointments to 1.5.2
Full Changelog
Fix the GTag script URL html rendering (#1666)
Fix the "Load More" JS error in secretaries page (#1677)
Fix the PHP compatibility error of the appointments index API endpoint (#1678)
Catch individual email delivery exceptions (#1670)
Apply permission checks to the appointment and unavailability search (#1753)
Make sure the sync button is visible on provider log in (#1749)
Update unavailable dates after applying appointment data while rescheduling (#1662)
Make sure that any-provider does not include hidden providers while generating availability (#1733)
Provide "text" version of the emails in addition to HTML (#1711)
Trigger webhook requests when managing records via the API (#1676)
[1.18.2]
Update Emby.Releases to 4.9.3.0
Full Changelog
Add user option to set user's auto remote quality
Add library option to use legacy folder scanning method
Music transcoding fixes
Add landing tab option for book libraries
Support volume control with youtube trailer player
Update mixed content tabs to combine Movies & Shows
Fix maintenance mode blocking some settings screens
Fix embedded audio fields not getting rescanned on file changes
Fix loss of genre and collection images after deleting a movie
Fix latest section not showing items for some channel plugins
[2.0.0]
Update fider to 0.33.0
Full Changelog
Please note new license changes
Open Core Licensing: Some features (content moderation, search indexing) are now gated as pro features, with a new commercial licensing system using separate private/public key environment variables.
Content Moderation (Pro): Admins can now moderate posts and comments before they go public, trust or block individual users, and manage pending content from a dedicated admin page. Content moderation is available as a pro feature.
Revamped UI: The home page and post detail view have been refreshed with a cleaner design, better dark mode support, improved mobile layouts, and post details now open in a modal without a full page reload.
Security: Sign-in email links now use a strong 64-character key (manual entry still uses a 6-digit code for convenience).
Fixed search with hyphenated words
Option to keep failing webhooks enabled rather than auto-disabling them
Fixed issue adding links via the toolbar button
Fixed filter/sort state persisting when navigating back from a post
Fixed vote listing issues
Post tags now update live in the listing without a page reload
[1.1.1]
Update fmd-server to 0.14.1
Full Changelog
Initial translation support, by @warioishere (#64)
Translate web interface in many languages (thank you translators!)
Fix hosting in sub-directory (#132)
Graceful shutdown when SIGINT or SIGTERM is received (#139)
[3.11.8]
Update firefly-iii to 6.5.9
Full Changelog
Issue 12004 (Test notification buttons always generate an error) reported by @IDevJoe
Issue 12014 (Converting a transaction to a transfer and setting the destination account to one with a different currency breaks the audit log) reported by @avee87
[2.8.7]
Update formbricks to 4.8.7
Full Changelog
fix: prevent language switch from breaking survey orientation and resetting language on auto-save (backport #7654) by @Dhruwang in #7658
fix: multilang button overflow (backport #7656) by @Dhruwang in #7659
fix: multi-lang toggle covering arabic text (backport #7657) by @Dhruwang in #7660
[1.16.3]
Update freescout to 1.8.212
Full Changelog
Take limit_user_customer_visibility parameter into account when merging customers (Security)
Check if conversation IDs match when marking thread as read (Security)
Fixed fetching emails with deeply nested HTML (#5304)
Fixed "Passing null to parameter" error in Html2Text (#5306)
Fixed "Incomplete object" error on Status page (#5307)
@joseph
As I understood it, not even that.
MEDIA_ROOT is where all media uploaded gets stored.
MUSIC_DIRECTORY_PATH is like an import folder where you can manually upload files that then get imported.
But I am not 100 % certain, it is still confusing for me.
[4.162.0]
Update ghost to 6.27.0
Full Changelog
Added ability to put a share button on posts (#26866) - Peter Zimon
Added CDN base URL support for theme and public assets - Murat orlu
Updated Source to v1.5.3 - Ghost CI
Updated Casper to v5.10.3 - Ghost CI
Yes, it's only jekyll. Not an expert on next.js but I think it also needs a backend right ? If so, you have to create a custom package - https://docs.cloudron.io/packaging/tutorial/
[1.23.1]
Update gogs to 0.14.2
Full Changelog
Security: Cross-repository LFS object overwrite via missing content hash verification. #8166 - GHSA-gmf8-978x-2fg2
Security: Stored XSS via data URI in issue comments. #8174 - GHSA-xrcr-gmf5-2r8j
Security: Release tag option injection in release deletion. #8175 - GHSA-v9vm-r24h-6rqm
Security: Stored XSS in branch and wiki views through author and committer names. #8176 - GHSA-vgvf-m4fw-938j
Security: DOM-based XSS via issue meta selection on the issue page. #8178 - GHSA-vgjm-2cpf-4g7c
Unable to update files via web editor and API. #8184
[2.4.2]
Update grafana to 12.4.2
Full Changelog
Analytics tab: Improve voice over accessibility (Enterprise)
Dashboards a11y: Do not open time zonemenu on focus #120388, @idastambuk
Dashboards: Resolve display names by identity in version history #120273, @ivanortegaalba
Plugins: Forward AWS SDK credential chain env vars to external AWS plugins #120209, @kevinwcyu
Public Dashboards: Prevent unintended CRUD operations from different orgs #120457, @mmandrus
IAM: Handle NULL team_member.external column to fix dashboard loading #120179, @difro
Plugins: Fix installer IsDisabled condition #120568, @andresmgot
Plugins: Forward PLUGIN_UNIX_SOCKET_DIR to plugin processes to fix tmp dir in restricted environments #120275, @HarshadaGawas05
Security: Fixes CVE-2026-27876
Security: Fixes CVE-2026-27877
IMPORTANT Packages starting 1.8.6 to 1.9.0 have been revoked.
1.8.6 - 1.8.13 - Upstream has removed all 1.7.50.x packages. See https://discourse.getgrav.org/t/upgrade-to-grav-v1-7-50-9-not-working/29222/4
1.9.0 - had incorrect beta version update
[1.0.0]
Update grist-core to 1.7.12
Full Changelog
Airtable imports are now smoother, and the import lands in your current workspace instead of somewhere unexpected. Suggestions got a visual refresh with automatic comparison highlighting as you type. Forms are more accessible, and the API now has a cellFormat=typed option so you can get properly typed values back without guessing.
If you include Grist Labs extensions in your build, there's a new automations UI that lets you set up triggers on your data. You can define conditions on any table, then fire off email notifications or webhooks when rows match. You can send dynamic emails to different recipients based on column values, filter with Python conditions, and monitor everything from a delivery log. Automations are a Grist Labs extension: a paid feature with a 30-day trial, and free for individuals and small orgs (under $1M annual funding). Proprietary features fund the development of grist-core.
New cellFormat=typed option for both the REST API and Custom Widget API, providing consistent, self-describing values that preserve type information for Ref, RefList, Attachments, Date, and DateTime columns
Reduce GRIST_LOG_API_DETAILS logging: omit body and result, add docId (#2175)
Improve accessibility of Undo / Redo action buttons (#2167)
Add max length on text inputs in forms (#2097)
Fix document icon when the second word of the doc name is an emoji (#2170)
Fix unreadable dark mode colors in banners (#2138)
Hide admin panel links in grist-desktop (#2181)
Remove the H / Ctrl+Shift+H shortcut from the "Use as table headers" command
Hello @albertbeaufrand and welcome to the Cloudron Forum
This topic is a duplication of https://forum.cloudron.io/post/97415 and will be merged into it.
Please read the responses above to get the full answer to your question.
[1.21.4]
Update hedgedoc to 1.10.7
Full Changelog
Random colors for user's cursors and selections are now always in hex format to avoid conversion errors
Correctly close realtime connections if they disconnect during connection creation
manage_users CLI does not silently drop errors
[1.9.1]
Update humhub to 1.18.1
Full Changelog
Fix #8003: Migration::foreignIndexExists() doesn't find tables in braces
Fix #8002: Comment dropdowns truncated (e.g. to select a title)
Fix #8007: Fix unsaved changes warning on Profile Edit page
Fix #8008: Space Tour Wrong Target for "Preferences" menu
Fix #8013: Fix error displaying on update a module
Fix #8009: Administration Group label misplaced
Fix #8012: Modal backdrop over the account deletion modal for new Users
Enh #8017: Exclude vendor from module i18n extract
Fix #8020: Some email notifications are missing auto-contrast for the button text color
Fix #8027: Cannot register if showRegistrationForm is disabled
[1.99.0]
Update immich to 2.7.2
Full Changelog
fix: csp quotes by @bo0tzz in #27592
fix(ml): downgrade numpy by @mertalev in #27591
fix(server): library import batch size by @mertalev in #27595
Hello @nichu42
Sorry for the delay.
We had a misconfiguration for the CI where the updates were not picked up correctly.
App updates should be available now.
[1.22.12]
Update invoiceninja to 5.13.16
Full Changelog
Fixes for regression on Profit/Loss report
Enforce client id checks for Microsoft + Google OAuth
Stubs for Poland Peppol
[1.13.5]
Update jellyfin to 10.11.8
Full Changelog
Handle folders without associated library in FixLibrarySubtitleDownloadLanguages [MR #16540], by @Shadowghost
Fix subtitle saving [MR #16539], by @MBR-0001
Fix querying media with language filters [MR #16538], by @MBR-0001
[1.12.1]
Update Jirafeau to 4.7.1
Full Changelog
Fixed another possibility to bypass the checks for CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066 (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled.
The default value of max_upload_chunk_size_bytes was set to 5000000. Higher values could trigger a bug Chromium-based browsers on servers with HTTP/3 enabled, causing asynchronous uploads to fail.
Stupid question but when using this does a copy of a user's joplin nots remain on the server or do notes just pass through? My understanding is that webdav files can grow pretty big
[1.17.8]
Update kanboard to 1.2.52
Full Changelog
fix: revoke public tokens for inactive users
fix: use timing-safe comparison for token validation
fix: validate task ownership before applying property changes
fix: enforce visibility controls for public and unprivileged access
fix: use parameterized queries in task finder and iCal
[1.6.0]
Update keycloak to 26.6.0
Full Changelog
JWT Authorization Grant, enabling external-to-internal token exchange using externally signed JWT assertions.
Federated client authentication, eliminating the need to manage individual client secrets in Keycloak.
Workflows, enabling administrators to automate realm administrative tasks such as user and client lifecycle management.
Zero-downtime patch releases, allowing rolling updates within a minor release stream without service downtime.
The Keycloak Test Framework, replacing the previous Arquillian-based solution.
JWT Authorization Grant (supported)
Federated client authentication (supported)
New guide about Demonstrating Proof-of-Possession (DPoP)
Identity Brokering APIs V2 (preview)
Step-up authentication for SAML (preview)
Hello @ikalou and @andreasdueren
This is a known issue.
I have merged your new topic into this existing one.
Scroll up to find the solution and description of this issue.
[2.44.0]
Update kimai to 2.50.0
Full Changelog
Removed support for file:// urls in Markdown (new parsedown package) (#5835)
Fix missing macro in export print template (when rendering user preferences) (#5835)
Fix timesheets with breaks did not work in "weekly hours" screen (#5835)
Allow to customise statistic queries (#5827)
Running TURN server on port 443 only matters for setups where a Client is unable to contact the server on non-port 443. This is only common in some ultra locked down intranet setups.
[1.12.2]
Update leantime to 3.7.3
Full Changelog
fix: backend bug fixes from phase-0 modernization branch by @marcelfolaron in #3289
feat(tokens): add design system CSS custom property definitions by @marcelfolaron in #3290
fix: accessibility, view system, and composer improvements from phase-0 by @marcelfolaron in #3292
fix: ticket PATCH 500 errors, quick-add group context, and UI fixes by @marcelfolaron in #3313
fix: address 6 GitHub issues - session, calendar, postgres, todos, users, ldap by @marcelfolaron in #3315
fix: PostgreSQL ROUND(double precision, int) error on ticket queries (#3301) by @marcelfolaron in #3317
fix: PostgreSQL ROUND error, missing zp_canvas.color migration, and 3.7.2 changelog by @marcelfolaron in #3318
[1.1.6]
Update rag_api to 0.7.3
Full Changelog
fix: add missing averaged_perceptron_tagger_eng NLTK package by @MieszkoMakuch in #265
fix: add missing msoffcrypto-tool package for xlsx file support by @ABHIJITH-EA in #264
fix: Resolve MongoDB Atlas Document Upload Failures and Cross-Batch ID Collisions by @mfish911 in #266
[1.21.0]
Update linkwarden to 2.14.0
Full Changelog
Improved team collaboration
Improved tag browsing with pagination
Faster interface with optimistic rendering
Platform upgrades: Next.js 15 and Expo 54
Improved user experience
Security improvements for submitted links
[1.16.0]
Update listmonk to 6.1.0
Full Changelog
v6.1.0 has important security fixes in addition to several improvements and general bug fixes.
This version has fixes for multiple campaign/list permission validation issues in multi-user environments.
New global Privacy setting to disable view and click tracking.
Ability to proxy S3 media files through listmonk instead of linking to S3 directly.
Lettermint bounce webhook provider.
New global data refresh button on admin nav that works across all pages.
A new 'Duplicate' button to visual e-mail builder block UI options.
PATCH /api/subscribers/:id endpoint for partial subscriber updates.
New granular campaigns:send permission, separate from campaigns:manage for finer access control.
New altbody param to /api/tx for sending multipart plaintext bodies in transactional mails.
[1.17.10]
Update loomio to 3.0.21
Full Changelog
Changes to the Discussion and Poll templates UI. I've had people tell me they couldn't find how to create a template. Now there is a New template button, which opens the example templates page, you can use an example as the starting point for a new template.
Fewer discussion templates in a group by default. Updates to the Sense Check poll options, so they're more helpful.
Materialize default discussion templates as DB records by @robguthrie in #12182
Discussion template UI improvements by @robguthrie in #12181
Add opening_at to polls for scheduled voting by @robguthrie in #12174
Poll template updates by @robguthrie in #12184
This release also addresses a minor security issue, where a member of a group could see the names of secret subgroups they did not belong to, if they inspected the server responses of the reports controller.
[2.44.4]
Update Lychee to 7.5.4
Full Changelog
Add disabling preloading check in FixTree console by @ildyria in #4226
Fixing discussion #4230 SyntaxError: [sprintf] unexpected placeholder by @TheBullRing in #4231
Fix MySQL error 1390 (too many placeholders) in album/photo deletion path by @Copilot in #4225
Enhance German translation by @hyazinthh in #4239
Finalize German translation by @hyazinthh in #4241
Fix vite 8 building a broken frontend by @ildyria in #4242
Trivy ignore update by @ildyria in #4251
Add turkish template by @ildyria in #4253
Fix notifications by @hyazinthh in #4255
Fix 'rename' string and make ellipses consistent for German by @hyazinthh in #4256
[1.17.7]
Update mastodon to 4.5.7
Full Changelog
Add --suspended-only option to tootctl emoji purge (#37828 and #37861 by @ClearlyClaire and @mjankowski)
Fix emoji data not being properly cached (#37858 by @ChaosExAnima)
Fix delete & redraft of pending posts (#37839 by @ClearlyClaire)
Fix processing separate key documents without the ActivityStreams context (#37826 by @ClearlyClaire)
Fix custom emojis not being purged on domain suspension (#37808 by @ClearlyClaire)
Fix users without special permissions being able to stream disabled timelines (#37791 by @ClearlyClaire)
Fix processing of object updates with duplicate hashtags (#37756 by @ClearlyClaire)
[1.132.0]
Update synapse to 1.151.0
Full Changelog
Fix KNOWN_ROOM_VERSIONS.__contains__ raising TypeError for non-string keys, which could cause /sync to fail for rooms with a NULL room version in the database. Bug introduced in #19589 as part of v1.151.0rc1. (#19649)
[1.26.0]
Update mattermost to 11.5.1
Full Changelog
Mattermost Platform Release 11.5.1 contains multiple new quality of life improvements, including CJK Database Search, AI Channel Summarization, Agents Web Search, User Authoritative Source, and Channel Auto-Translation.
I know you posted this years ago, but if someone comes by this topic. You select the product (e.g. MaxMind GeoLite City), enter your API Key and hit "Fetch IP Lookup Data Store".
[image: 1774617868420-screenshot-2026-03-27-092349.png]
[1.37.0]
Update mealie to 3.14.0
Full Changelog
The NLP parser now leverages your units database to more accurately parse ingredients with custom units. This is especially handy for non-English recipes, as the NLP data is trained exclusively off of English data. If you're used to using the brute force parser, give the NLP parser a go and see how it fares!
You can now automatically show past days in the meal planner on first load:
feat: Auto-merge Renovate dependency updates @hay-kot (#7280)
feat: Clarification of site settings @Choromanski (#7321)
feat: Add days in the past selector on meal planner @arnassavickas (#6857)
feat: Pass user defined units as custom units to parse_ingredient function. @strangetom (#7334)
fix: Use latest python image as base @dswd (#7276)
fix: Release Commit @Choromanski (#7274)
fix: Fix create token API page @michael-genson (#7325)
[1.6.13]
Update v2 to 2.2.19
Full Changelog
Remove sensitive values (CSRF tokens, OAuth state, session cookies) from log messages.
Verify OIDC ID token signatures and claims.
Prevent OAuth identity overwrite when already linked.
Clear PKCE verifier and CSRF state after use.
Validate HTTP status from Google userinfo endpoint.
Use HMAC-SHA256 instead of SHA1 for Google Reader API authentication.
Use constant-time comparison for token validation.
Fix potential DoS when truncating large untrusted input in templates.
Reject oversized favicons.
The app package runs the cron job as outlined in https://github.com/monicahq/monica/blob/4.x/docs/installation/providers/generic.md#4-configure-cron-job
Can you open a webterminal into the app and run it manually via:
sudo -E -u www-data php /app/code/artisan schedule:run
and see if it shows an error or sends the mails then?
I did a clean install of n8n and it installed quickly. So something is/was up with my old n8n instance. Not a huge problem, I'll just migrate my workflows to the new and archive the old instance.
[1.28.1]
Update navidrome to 0.61.1
Full Changelog
This patch release addresses a WebP performance regression on low-power hardware introduced in v0.61.0, adds a new EnableWebPEncoding config option and a configurable UI cover art size, and includes several Subsonic API and translation fixes.
| New | EnableWebPEncoding | Opt-in to WebP encoding for resized artwork. When false (default), Navidrome uses JPEG/PNG (preserving the original source format), avoiding the WebP WASM encoder overhead that caused slow image processing on low-power hardware in v0.61.0. Set to true to re-enable WebP output. Replaces the internal DevJpegCoverArt flag. (#5286) | false |
| New | UICoverArtSize | Size (in pixels, 2001200) of cover art requested by the web UI. It was increased from 300px to 600px in 0.61.0; now configurable and defaulting to 300px to reduce image encoding load on low-power hardware. Users on capable hardware can raise it for sharper thumbnails. (#5286) | 300 |
| Changed | DevArtworkMaxRequests | Default lowered from max(4, NumCPU) to max(2, NumCPU/2) to reduce load on low-power hardware. (#5286). (Note: this is an internal configuration and can be removed in future releases) | max(2, NumCPU/2) |
| Removed | DevJpegCoverArt | Replaced by the user-facing EnableWebPEncoding option. (#5286) | |
[2.26.2]
Update NodeBB to 4.10.2
Full Changelog
add unreadNids to /api/notifications (8357234)
use file.exists instead of try/catch to detect missing email logo (#14154) (4366bdd)
closes #14151, handle null req.body (62b65e6)
remove optional (20e751f)
#14147, dont create wrong backlinks (0568ef4)
user image og:image (fb48ab3)
closes #14133, don't modify displayName for system groups (af0e3d9)
try a save point in retry (203f4cc)
try upsert type if it fails (991e977)
on exit, dont write analytics data on all nodes (6c4e928)
[1.24.0]
Update ntfy to 2.21.0
Full Changelog
This release adds the ability to verify email addresses using the smtp-sender-verify flag. This is a change that is required because ntfy.sh was used to send unsolicited emails and the AWS SES account was suspended. Going forward, ntfy.sh won't be able to send emails unless the email address was verified ahead of time.
Add verified email recipients feature with smtp-sender-verify config flag, allowing server admins to require email
address verification before sending email notifications (#1681)
[1.5.0]
Update omeka-s-module-Ldap to 0.7.0
Full Changelog
Add update hook on existing ldap user
Improve attributes retrieval by asking all ldap attributes and using it
potentially in another module
[1.8.3]
Update openhab-distro to 5.1.3
Full Changelog
Restore model validation not to fail on diagnostic errors for rules and scripts
Fix community marketplace discourse parsing
Align x-axis and query to daysOfMonth for aggregated series
zwave: Fix zwave network map display in 5.1.x
item-state-preview: Fix toggle switch not being fully re-rendered on Item change
useStatesStore: Fix error in expression tester with =items formula
[3.47.3]
Update openproject to 17.2.3
Full Changelog
CVE-2026-34717 - SQL Injection in Cost Reporting =n Operator via parse_number_string
The =n operator in cost reports did not appropriately treat user input
This vulnerability was reported by user Ochk0 through a GitHub security advisory. Thank you for responsibly disclosing your findings.
For more information, please see the GitHub advisory #GHSA-5rrm-6qmq-2364
Hi @girish so I learned something while setting up my Radicale and OWC. It seems like the calendar client publishing in to the ICS in Radicale (or wherever your ICS source lives) can matter. When I used the Calendar app on macOS I saw no descriptions. When I used Thunderbird I do. You can see it on my live page that has the OWC page in an iframe https://kb.filewave.com/books/community-engagement/page/customer-event-schedule and if you click on events in the agenda then the description shows.
I think initially I was also hoping to show description on the Agenda page without clicking on an event but originally I was bothered that I just couldn't get description to show up. So now it does at least show up when you click an event. I haven't looked at why Calendar doesn't make a summary that shows and Thunderbird does but I'm fine using Thunderbird to put events in my calendar feed.
[3.2.10]
Update open-webui to 0.8.11
Full Changelog
Responses API streaming improvements. The OpenAI proxy now properly handles tool call streaming and re-invocations in the Responses API, preventing duplicate tool calls and preserving output during model re-invocations. Commit, Commit, Commit, Commit
Responses API stateful sessions. Administrators can now enable experimental stateful session support via the ENABLE_RESPONSES_API_STATEFUL environment variable, allowing compatible backends to store responses server-side with previous_response_id anchoring for improved multi-turn conversations. Commit
File viewing pagination. The view_file and view_knowledge_file tools now support pagination with offset and max_chars parameters, allowing models to read large files in chunks. Commit
Knowledge search scoping. The search_knowledge_files tool now respects model-attached knowledge, searching only within attached knowledge bases and files when available. Commit
Tool HTML embed context. Tools can now return custom context alongside HTML embeds by using a tuple format, providing the LLM with actionable information instead of a generic message. #22691
Trusted role header configuration. Administrators can now configure the WEBUI_AUTH_TRUSTED_ROLE_HEADER environment variable to set user roles (admin, user, or pending) via a trusted header from their identity provider or reverse proxy. #22523
OIDC authorization parameter injection. Administrators can now inject extra parameters into the OIDC authorization redirect URL via the OAUTH_AUTHORIZE_PARAMS environment variable, enabling IdP pre-selection for brokers like CILogon and Keycloak. #22863, Commit
Google OAuth session persistence. Administrators can now configure Google OAuth to issue refresh tokens via the GOOGLE_OAUTH_AUTHORIZE_PARAMS environment variable, preventing OAuth sessions from expiring after one hour and ensuring tools and integrations that rely on OAuth tokens remain functional. #22652
Embed prompt confirmation. Interactive tool embeds can now submit prompts to the chat without requiring same-origin access, showing a confirmation dialog for cross-origin requests to prevent abuse. #22908
Tool binary response handling. Tool servers can now return binary data such as images, which are properly processed and displayed in chat for both multimodal and non-multimodal models. Commit, Commit
osTicket has finally officially announced osTicket 2.0, with an RC1 being released "shortly". They launched a new site https://next.osticket.com/ to showcase the work that has been done and a video demo.
[1.21.1]
Update outline to 1.6.1
Full Changelog
A bug affecting file and image upload in the editor was fixed in #11803
MCP: Now has tools to move documents within a collection in #11799
MCP: Now supports API key header authentication in #11798
Added Tahoe-compatible icon variants for PWA in #11762
Fixed a race condition when editing title while doc is saving would reset the title in #11764
Added support for the new GitLab work_items URL structure in #11795
Print layout now respects full-width option by @wmTJc9IK0Q in #11768
Fixed a page hang with corrupted PNG upload in #11783
Improved validation of SMTP_FROM_EMAIL and SMTP_REPLY_EMAIL in #11784
Custom port is now preserved in OAuth metadata URLs when self-hosted behind a reverse proxy in #11791
[1.6.1]
Update owncast to 0.2.4
Full Changelog
Lots of localization changes, both in how they work across the web application, and adding more support for them. So more places should show more languages.
The backend refactor continues with more splitting things off into standalone data repositories and services.
Higher bitrates can now be selected in the video encoding settings.
There's a new webhook that fires when you get a new Fediverse follower.
Admin: add line divider in sidebar #4098
Display shortcut keys of hide/show chat in Dropdown menu #4096
Create a custom Translation component #4428
Add support for pluralization in the new Translation component #4440
Add support for translations in the web project #3950
Add server status as a default field in all webhooks #4384
You can still install it like this https://my.<cloudron>/#/appstore/rocks.paperwork.cloudronapp . But note that it was last updated 3 years ago. I tried to build a new version with latest with PHP a year ago and the app was not even building anymore. They have been re-writing a new version for a couple of years now.
[4.6.5]
Update PeerTube to 8.1.5
Full Changelog
Fix infinite loop when processing some GIF images
Correctly inject custom admin colors in dark theme
Fix broken player when loading the page in background
[1.16.2]
Update penpot to 2.14.2
Full Changelog
Add protection for stale JS asset cache to force reload on version mismatch Github #8638
Normalize newsletter opt-in checkbox across different register flows Github #8839
Fix PathData corruption root causes across WASM and CLJS (unsafe transmute and byteOffset handling)
Handle corrupted PathData segments gracefully instead of crashing
Fix swapped move-to/line-to type codes in PathData binary readers
Fix non-integer row/column values in grid cell position inputs Github #8869
Fix nil path content crash by exposing safe public API Github #8806
Fix infinite recursion in get-frame-ids for thumbnail extraction Github #8807
Fix stale-asset detector missing protocol-dispatch errors
Ignore Zone.js toString TypeError in uncaught error handler Github #8804
The upstream project has not released in almost 3 years now.
We had to build from develop to get some PHP 8 support going, but there are bugs like https://github.com/phpservermon/phpservermon/issues/1196 , https://github.com/phpservermon/phpservermon/issues/1232 .
There's also a bunch of basic issues:
Normal user cannot login after admin user logs in. Some issue related to service worker.
LDAP functionality is incomplete
Hello @valexico
@Valexico said:
Are you speaking of a major release ?
No, the next minor release will include this fix.
Until then, you can either set the port in pocketbase to 587 if incoming fails is enabled on your Cloudron. (not persistent across restarts)
Or you change the mail domain from my to e.g. mail. (persistent across restarts)
Hi,
It looks like the package is gone from the cloudron supported apps, has anyone tried self-hosting it by following the official method as presented in their doc, with success? (https://docs.postiz.com/quickstart)
[1.11.3]
Update PrivateBin to 2.0.3
Full Changelog
FIXED: Prevent arbitrary PHP file inclusion when enabling template switching
FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users
FIXED: Unable to create a new paste from the cloned one when a JSON file attached (#1585)
[2.10.0]
Update prometheus to 3.10.0
Full Changelog
[CHANGE] Alerting: Add alertmanager dimension to following metrics: prometheus_notifications_dropped_total, prometheus_notifications_queue_capacity, prometheus_notifications_queue_length. #16355
[CHANGE] UI: Hide expanded alert annotations by default, enabling more information density on the /alerts page. #17611
[FEATURE] AWS SD: Add MSK Role. #17600
[FEATURE] PromQL: Add fill() / fill_left() / fill_right() binop modifiers for specifying default values for missing series. #17644
[FEATURE] Web: Add OpenAPI 3.2 specification for the HTTP API at /api/v1/openapi.yaml. #17825
[FEATURE] Dockerfile: Add distroless image variant using UID/GID 65532 and no VOLUME declaration. Busybox image remains default. #17876
[FEATURE] Web: Add on-demand wall time profiling under <URL>/debug/pprof/fgprof. #18027
[ENHANCEMENT] PromQL: Add more detail to histogram quantile monotonicity info annotations. #15578
[ENHANCEMENT] Alerting: Independent alertmanager sendloops. #16355
[ENHANCEMENT] TSDB: Experimental support for early compaction of stale series in the memory with configurable threshold stale_series_compaction_threshold in the config file. #16929
[2.8.0]
Update rallly to 4.8.1
Full Changelog
This patch fixes a client-side crash on the registration page and enables click and drag behaviour on the poll table view component.
Notification settings Configure global notification preferences (new responses, new comments) from your account settings. (#2254)
Per-poll notification muting Mute notifications for individual polls using the bell icon in the poll admin view, replacing the previous watcher-based system. (#2268)
Success dialog after poll creation After creating a poll, you'll see a shareable invite link with copy-to-clipboard before being taken to the poll page. (#2281)
User avatars in participant list Profile pictures now display alongside participants in poll views for better visual recognition. (#2284)
Improved time zone selector Replaced the modal-based selector with an inline searchable combobox showing city names and UTC offsets. (#2261)
Improved error page Errors now show a user-friendly page with localized messaging and quick navigation links (home, create poll, support, GitHub). (#2220)
SMTP_TLS_SERVERNAME env var Allows explicit SNI configuration for SMTP servers hosting multiple certificates. (#2298)
Poll description missing from scheduled events Poll descriptions are now correctly passed through when booking a poll as a calendar event. (#2202)
Crash on deleted poll Accessing a poll that no longer exists now shows a proper 404 page instead of crashing. (#2218)
Just installed ReleaseBell to monitor the apps I am packaging.
But it's not accurate
Shows https://github.com/windmill-labs/windmill as v1.457.0 but the actual GitHub page shows 1.645.0
Is there some config I should be changing ?
Actually, just noticed it has 2 entries for windmill ( a starred project ), the other showing 1.573.0
[3.2.0]
Update Rocket.Chat to 8.3.1
Full Changelog
(#40080 by @dionisio-bot) Fixes a bug that could remove all of a user's subscriptions when the user was re-added to a room while still banned.
[2.9.5]
Update roundcubemail to 1.6.15
Full Changelog
SVG Animate FUNCIRI Attribute Bypass Remote Image Loading via fill/filter/stroke, reported by class_nzm.
Fix regression where mail search would fail on non-ascii search criteria (#10121)
Fix regression where some data url images could get ignored/lost (#10128)
Fix SVG Animate FUNCIRI Attribute Bypass Remote Image Loading via fill/filter/stroke
@girish said:
@rmdes @odie I have updated the app to use symlinks under /app/data/bridges. You can add new bridges there or delete some symlink and add your own.
Thank you! Works excellent!
[0.7.0]
Update rustfs to 1.0.0-alpha.92
Full Changelog
fix(capacity): harden scope registry, scan symlink guard, and test temp dir cleanup by @houseme in #2432
fix(capacity): ignore future write buckets by @overtrue in #2440
fix(iam): return policy JSON object from info_policy (#2395) by @GatewayJ in #2436
fix(filemeta): accept nil legacy pool metadata by @weisd in #2459
fix(ecstore): avoid duplicate keys in ListObjectsV2 by @weisd in #2467
Given that the upstream project is not maintained anymore, we have hidden this in the appstore.
I had also submitted a PR upstream for a basic issue which is ignored - https://github.com/aliasaria/scrumblr/pull/161
[1.4.0]
Update serpbear to 3.1.0
Full Changelog
add subdomain matching functionality (4533737), closes #324
enhance error handling and response structure in scraper functions (4f394c2)
minor ui issue (eecf88a)
prevent corrupt failed queue file to reset the app settings (c306fa0), closes #328
resolves broken google ads oauth of instances behind reverse proxy (a988b13), closes #326
resolves cron issue with certain port mapping config (d86616a)
resolves issue that prevents refreshing all keywords when one fails (77cfa2f)
[1.4.1]
Update sftpgo to 2.7.1
Full Changelog
SFTPD: Added support for OpenPubkey SSH, enabling tighter integration between OpenID Connect and SFTP.
Enforced password validation rules also when applied through a group.
Fixed an issue where JSON dumps containing command actions failed to load correctly at startup when loaded as initial data.
Data Provider: Fixed lock handling issues during migrations that could affect MySQL when migrations are executed concurrently by multiple instances.
Fixed a potential path traversal and permission bypass involving specially crafted paths. CVE-2026-30914.
Fixed placeholder sanitization in group home directories and key prefixes. CVE-2026-30915.
Unified path handling: Prior to this release, the backslash character (\) was treated differently depending on the host operating system: on Linux, it was considered a standard character within a file or directory name, while on Windows, it acted as a path separator. We have now unified path handling across all platforms. Moving forward, both forward slashes (/) and backslashes (\) are strictly evaluated as path separators, independently of the underlying OS.
[2.18.0]
Update Shaarli to 0.16.0
Full Changelog
v0.x branches and tags will no longer be maintained after v0.16. Always upgrade to the latest release to receive bugfixes and security patches.
docs: update PHP version compatibility table
fix stored XSS via suggested tags (GHSA-g3xq-mj52-f8pg)
build(deps): update frontend build dependencies (js-yaml/glob)
@girish said in SickChill unlisted from app store:
I hope they atleast bring back the issue tracker
Out of interest, why does this matter for Cloudron?
BTW, someone has replied to the thread I started on Discord informing me that the master releases are these https://pypi.org/project/sickchill/
Doesn't look like there has been a new one since March though.
[1.3.0]
Update shiori to 1.8.0
Full Changelog
feat(apiv1): refactor tags api (#1075)
feat: add PWA support share functionality (#1060)
feat: add apis to handle bookmark tags (#1081)
feat: allow tag filtering and count retrieval via api v1 (#1079)
feat: improve SQLite performance (#1024)
feat: reverts message in json output and allows configuration (#1082)
feat: support proxy forward headers authentication (#1105)
fix: auth validation on existing sessions, rely on token only (#1069)
fix: incorrectly set cookie's expires value in login.js (#1049)
fix: parse pocket new CSV format (#1112
[1.19.1]
Update snipe-it to 8.4.1
Full Changelog
Fixed RB-20713: Improved validation of license seat update api endpoint by @marcusmoore in #18576
Fixed #18600 - add filesystem check on health checker by @snipe in #18606
Added maintenances seeder by @snipe in #18612
Added model number as a separate field, added sorting by @snipe in #18613
Fix deprecated string interpolation in controllers by @joelpittet in #18609
Bumped Debugbar to v4 by @marcusmoore in #18485
Adds #11741 currently assigned license table to license checkout by @Godmartinz in #17964
#5947 - roll up bulk asset checkout email by @marcusmoore in #18095
Fixes (hopefully) RB #19772 Unexpected EOF by @spencerrlongg in #18614
Fixed #18797: Fix link to components in asset view by @marcusmoore in #18799
Just checked on this again but it seems statping-ng is not going forward much . https://github.com/statping-ng/statping-ng/tags says the release was almost a year ago.
[1.33.17]
Update syncthing to 2.0.16
Full Changelog
Database backend switched from LevelDB to SQLite. There is a migration on first launch which can be lengthy for larger setups. The new database is easier to understand and maintain and, hopefully, less buggy.
The logging format has changed to use structured log entries (a message plus several key-value pairs). Additionally, we can now control the log level per package, and a new log level WARNING has been inserted between INFO and ERROR (which was previously known as WARNING...). The INFO level has become more verbose, indicating the sync actions taken by Syncthing. A new command line flag --log-level sets the default log level for all packages, and the STTRACE environment variable and GUI has been updated to set log levels per package. The --verbose and --logflags command line options have been removed and will be ignored if given.
Deleted items are no longer kept forever in the database, instead they are forgotten after fifteen months. If your use case require deletes to take effect after more than a fifteen month delay, set the --db-delete-retention-interval command line option or corresponding environment variable to zero, or a longer time interval of your choosing.
Modernised command line options parsing. Old single-dash long options are no longer supported, e.g. -home must be given as --home. Some options have been renamed, others have become subcommands. All serve options are now also accepted as environment variables. See syncthing --help and syncthing serve --help for details.
Rolling hash detection of shifted data is no longer supported as this effectively never helped. Instead, scanning and syncing is faster and more efficient without it.
A "default folder" is no longer created on first startup.
Multiple connections are now used by default between v2 devices. The new default value is to use three connections: one for index metadata and two for data exchange.
The following platforms unfortunately no longer get prebuilt binaries for download at syncthing.net and on GitHub, due to complexities related to cross compilation with SQLite:
The handling of conflict resolution involving deleted files has changed. A delete can now be the winning outcome of conflict resolution, resulting in the deleted file being moved to a conflict copy.
fix(protocol): verify compressed message length before decompression by @calmh in #10595
[1.12.4]
Update recipes to 2.6.4
Full Changelog
added Household setup page and default creation to welcome stepper
added django migration records to admin
fixed food shopping sub endpoint not validating amount and unit inputs https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554
fixed a shared user could make changes to a book trough the API https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-xvmf-cfrq-4j8f
fixed style tags allowed in rendered markdown could lead to CSS injection in third party clients that did not properly clean the output on the frontend https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-9hhh-g2fc-r8x2
fixed recipe batch update endpoint could be used to update private recipes of other space members if the ID was known https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5
fixed performance issues on some admin views
fixed admins can accidentally lock themselves out of their space
fixed category order jumping in shopping list when checking and not having any supermarket selected #4446
fixed selecting no supermarket in shopping not working
@timconsidine said in Teddit Subscriptions no longer working:
Just FYI - my LibReddit - selfhosted as Docker on another VPS = is still working.
But now it is down.
Maybe they have caught up with me.
@Sam_uk we have unlisted TLDraw by now. Please see https://forum.cloudron.io/topic/10806/no-more-updates-to-tldraw . The license and company direction has changed.
[2.5.0]
Update transmission to 4.1.0
Full Changelog
Improved TP download performance. (#6508)
Added support for IPv6 and dual-stack UDP trackers. (#6687)
Support trackers that only support the old BEP-7 with &ipv4= and &ipv6=. (#7481)
New JSON-RPC 2.0-compliant RPC API. (#7269)
Added optional sequential downloading. (#4795)
Use native icons for menus and toolbars: SF Symbols on macOS, Segoe Fluent on Windows 11, Segoe MDL2 on Windows 10, and XDG standard icon names everywhere else. (#7819, Qt Client)
Fixed 4.0.6 bug where Transmission might spam HTTP tracker announces. (#7086)
Improved libtransmission code to use less CPU. (#4876, #5645, #5715, #5734, #5740, #5792, #6103, #6111, #6325, #6549, #6589, #6712, #7027, #7744, #7800)
Avoid unnecessary heap memory allocations. (#5519, #5520, #5522, #5527, #5540, #5649, #5666, #5672, #5676, #5720, #5722, #5725, #5726, #5768, #5788, #5830, #6542)
Slightly reduced latency when sending protocol messages to peers. (#5394)
[1.28.2]
Update Trilium to 0.102.2
Full Changelog
Improved request handling for SVG content in share routes
Improved request handling for SVG content in the main API
Enhanced content rendering in the Mermaid diagram editor
Fixed toast notifications to properly escape content
Added validation for the docName attribute in the document renderer
Marked docName as a sensitive attribute in the commons module
Added Electron fuses to harden the desktop application against external abuse
Improved application integrity checks
Added MIME type validation for image uploads via ETAPI
Aligned attachment upload validation with note upload validation
[1.24.3]
Update vaultwarden to 1.35.4
Full Changelog
GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID.
GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them.
GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.
Update Rust and Crates and GHA by @BlackDex in #6843
hide remember 2fa token by @stefan0xC in #6852
fix(send_invite): invite links by @proofofcopilot in #6824
Misc organization fixes by @BlackDex in #6867
[1.23.0]
Update vikunja to 2.3.0
Full Changelog
(auth) Normalize API base URL to prevent refresh cookie path mismatch
(auth) Add retry and logging for token refresh failures
(auth) Enforce TOTP on OIDC callback for users with 2FA enabled
(background) Use targeted column update when removing background
(caldav) Add tags and sync token to collections (#2482)
(caldav) Resolve lint issues in caldavtests package
(caldav) Skip tests for known CalDAV bugs and fix timing issues
(caldav) Escape user-controlled strings per RFC 5545 in VCALENDAR output
(caldav) Enforce task read authorization on GetTasksByUIDs
(caldav) Reject GetResource when URL project mismatches task project
[2.5.6]
Update wallabag to 2.6.14
Full Changelog
Change version in wallabag.yml by @nicosomb in #8251
Fix deprecation by @j0k3r in #8267
Add annotations filter to entries API endpoint by @skn in #8346
Update dependencies by @yguedidi in #8435
Bump deps (mostly for siteconfig) by @j0k3r in #8489
Fix reading time computation for short entries by @andreadecorte in #8332
Fix urls parameter when sending many urls to be stored using the API by @j0k3r in #8488
Prepare 2.6.14 by @j0k3r in #8494
[1.21.0]
Update Wallos to 4.8.0
Full Changelog
add openai compatible host for ai recommendations (99c30e7)
enable ai recommendations at a schedule (99c30e7)
move update banner to the dashboard (99c30e7)
handle some ai responses that come in a different format (99c30e7)
[1.38.1]
Update weblate to 5.16.2
Full Changelog
New setting <a href="https://docs.weblate.org/en/weblate-5.16.2/admin/config.html#std-setting-PUBLIC_ENGAGE" class="reference internal"><span class="pre"><code class="xref std std-setting docutils literal notranslate">PUBLIC_ENGAGE</code></span></a> to make the engage page public even with <a href="https://docs.weblate.org/en/weblate-5.16.2/admin/config.html#std-setting-REQUIRE_LOGIN" class="reference internal"><span class="pre"><code class="xref std std-setting docutils literal notranslate">REQUIRE_LOGIN</code></span></a>.
Improved matching in <a href="https://docs.weblate.org/en/weblate-5.16.2/admin/memory.html" class="reference internal"><span class="doc">Translation Memory</span></a>.
Show the number of strings waiting for review in listings.
Avoid displaying confusing status icons for ghost languages on project or category level.
Fixed missing plural source strings when creating new bilingual plural units.
Crash on certain pages with nested categories.
Improved API validation when adding strings.
Disabled throttling for incoming webhooks.
Avoid displaying non-actionable ghost languages.
Fixed highlighting in the translation editor.
[4.104.0]
Update wekan to 8.42
Full Changelog
Fix SSO login is broken.
Export Card to Excel. Part 2.
Fixed 2nd new card should not have text of 1st card, it should be empty.
Fix: prevent cards from disappearing after dragging in List view.
Fixed Board lost its member list or permissions.
Export Card to Excel and related fixes. Part 1.
[2.14.0]
Update woodpecker to 3.13.0
Full Changelog
Update quic-go/qpack & quic-go/quic-go #5885
fix: updateRepoPermissions to cleanup old permissions #5790
Add cli contexts #5929
Use repo-user for api call of cron #5967
Close opened file on LogFind #5961
Delete/Deactivate repo ignores missing repo at forge #5953
Correctly update repo permissions #5928
Revert repos pagination for GH and BB #5924
fix: send correct argument to rpc call for name/url #5922
fix: secrets-file flag #5909
Problems with Flameshot, GNU+Linux, Wayland, keyboard short-cuts?
Check out this blog for solutions and save time, especially if you use Bazzite as your operating system.
https://wanderingmonster.dev/blog/flameshot-xbackbone-linux/
Could be. Cloudron uses the default URL size - https://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
If you want to experiment, edit the file in /etc/nginx/applications/*conf and then systemctl restart nginx .
