PocketBase - Package Updates

Package Updates

[1.14.9]

• Update pocketbase to 0.36.8
• Full Changelog
• Fixed OAuth2 client secret reset when serializing a cached collection model.

Package Updates

• Update pocketbase to 0.36.9
• Full Changelog
• Updated the Discord AuthUser.Name field to use global_name (#​7603; thanks @​HansHans135).
• Fixed settings SMTP password clear persistence.
• Added extra OAuth2 checks when downloading the avatar URL to prevent internal network probing requests in case of a malicious/vulnerable vendor.
• Updated modernc.org/sqlite to v1.48.2 (vfs and other error path related fixes).
• Updated min Go GitHub action version to 1.26.2 because it comes with some minor security fixes.
• Other small improvements (updated $apis.static JSVM documentation, fixed comment typos, added missing file close on seek error, etc.).

Package Updates

[1.15.0]

• Update pocketbase to 0.37.1
• Full Changelog
• Fixed number field input values normalization (#7646).
• Allow opening collections in new tab on middle click.
• Show collection name in the page title on initial load.
• New UI rewritten from scratch and with support for external customizations in mind.
• Added optional no_ui build tag to exclude the UI from bundling with the executable (#7548).
• Exported the internal JSVM bind functions (#7600).
• Updated modernc.org/sqlite to v1.49.1 (SQLite 3.53.0).

Package Updates

[1.15.1]

• Update pocketbase to 0.37.2
• Full Changelog
• Fixed autoexpandable input in Firefox (#7648).
• Slightly adjusted the dark theme colors for better readability (#7648).
• Removed unnecessary tags stripping from the displayed log attributes (#7649).
• Workarounded Safari freeze caused by a buggy CSS popover property (#7650).

Package Updates

[1.15.2]

• Update pocketbase to 0.37.3
• Full Changelog
• Fixed total count load on page back/forward navigation.
• Fixed editor floating dialogs position when scrolling (#7653).
• Enabled text wrapping for the API rule fields.
• Added view query sample loading indicator.
• Other minor light UI contrast and styles improvements.

Package Updates

[1.15.3]

• Update pocketbase to 0.37.4
• Full Changelog
• Added backups list scroll container (#7655).
• Optimized record upsert and preview modals data loading to minimize layout jumps.
• Fixed SMTP IPv6 network address format (#7659).
• Fixed autocomplete selection not properly updating the underlying input value (#7664).
• Added ghupdate.BaseURL config option (#7665).
• Added dummy bcrypt password check for the failure auth path to minimize enumeration timing attacks when registrations are disabled.
• Adjusted Bitbucket, GitHub, GitLab and Gitea/Forgejo OAuth2 providers to better reflect recent API updates and doc references.
• Fixed a pre-hijacking OAuth2 linking vulnerability (#7662; thanks @Alardiians for reporting it privately).
• Bumped Go and npm dependencies.

Package Updates

[1.15.4]

• Update pocketbase to 0.37.5
• Full Changelog
• Fixed password fields not being detected as changed (#7670).
• Added the local time zone name next to the date field label.
• Reload trusted proxy info UI after settings save.
• Other minor improvements (skips the duplicated record ids from the IN expand list, reordered confirm-email-change error checks to minimize enumeration attacks, etc.).

Package Updates

[1.16.0]

• Update pocketbase to 0.38.0
• Full Changelog
• Fixed UI logs pagination when no custom range is specified.
• Fixed default CSP not allowing audio/video previews (#7677).
• Serve fixed Content-Type for .xlsx, .docx and .pptx files to allow previews on iOS (#7467).
• Changed settings app URL input to type="text" for compatibility with earlier versions (#7681).
• Added an internal watcher to sync various runtime states between multiple PocketBase processes (e.g. memory store) using the same pb_data.
• Added new Superuser IPs/CIDR subnets whitelist setting.
• Added rate limit option to exclude IPs/CIDR subnets (#6410).

Package Updates

[1.16.1]

• Update pocketbase to 0.38.1
• Full Changelog
• Silenced the superuser IPs confirmation if there is no change.
• Updated the experimental UI extensions APIs to allow top-level await in the initialization script.
• Force unset the auth state of existing realtime connections on user password, collection secret, etc. changes.
• Added error marker for each collection tab and fixed the styles of the raw errors tooltip.
• Fixed indexes collection update error (#7689).
• Updated modernc.org/sqlite to v1.50.1 (SQLite 3.53.1).
• Other minor fixes (updated API preview examples, fixed code comment typos, etc.).

Package Updates

[1.16.2]

• Update pocketbase to 0.38.2
• Full Changelog
• Added RealtimeConnectRequestEvent.MaxTimeout field to specify the absolute max duration a realtime connection can remain open (default to 30mins).
• Added extra checks for the connected user IP in the realtime APIs to prevent bruteforce guest subscription update attempts and to serve as an extra protection for the "all-in-one" OAuth2 realtime handler.
• Don't reset the records list pagination on record update (#7694).
• Updated all golang.org/x/ packages to cover the recent security fixes (none of them should be a critical issue in PocketBase but nonetheless it is advised to update).