Cloudron Forum

[2.29.1] Update NodeBB to 4.13.2 Full Changelog register service worker on safari (2ec0987) closes #14355 dont flash unread notif for topics (0e8544b) uids used for priv check (bd7bf5b) dont allow global mods gdpr export (39299bd) prevent uploading thumbs if user does not have upload:image privilege (72defdc) dont mark nids that you don't own read/unread (001e45d) bind hooks module in admin/settings/email define() (#14352) (86fd621) translator.escape chat messages & teasers (7ef400b) closes #14346, make nodebb global available in src/cli (620ab63) closes #14344, fix cron jobs (d23efb4)

[1.22.0] Update hedgedoc to 1.11.0 Full Changelog GHSA-6c2w-8w96-3pcv reports a possible HTML injection via the localpart of an email address. GHSA-qj78-mjch-wwrv reports a possible Denial-of-Service attack using the YAML frontmatter parsing. GHSA-8v9p-5j95-826j reports a possible CSRF attack vector in the GitHub Gist export. GHSA-2f9f-w8xq-276v reports a rate-limiting bypass by abusing the CF-Connecting-IP header. When using Cloudflare in front of HedgeDoc, you should set rateLimitUsingCloudflare in the config.json or CMD_RATE_LIMIT_USING_CLOUDFLARE as environment variable to true. Added a warning page when clicking external links Improve the config.json.example file, which is used by bin/setup Allow configuration of login / signup rate-limits Allow configuration of Cloudflare usage in regards of rate-limits Several improvements in the documentation at https://docs.hedgedoc.org

[1.37.17] Update uv to 0.11.22 Full Changelog Publish wheels before sdists in uv publish (#19831) Add TY and RUFF env vars for providing paths for binaries used by uv format and uv check (#19821) Allow configuring preview features in uv.toml and pyproject.toml (#18437) Update the lockfile during uv check --no-sync (#19909) Update string marker ordering semantics to match upstream clarified rules (#19808) Reject extras that have the same normalized name (#19871) Reject invalid UTF-8 URL credentials (#19814) Fix transparent Python upgrades in project environments (#19890) Fix incorrect output from uv tree --invert (#19910) Fix handling of workspace-exclusive dependency groups in uv tree (#19905)

[3.14.0] Update Stirling-PDF to 2.13.0 Full Changelog Fix Teams and MCP settings pages by @jbrunton96 in #6605 MCP OAuth discovery fix + Supabase consent page by @Frooodle in #6608 Fix PDF text selection locked out on touch devices by @Frooodle in #6656 fix(viewer): wire Ctrl+A to select all text in the PDF by @Frooodle in #6517 Change default language to en-US and add US language by @Frooodle in #6621 PAYG: pay-as-you-go billing metered automation/AI/API + one-time free grant by @ConnorYoh in #6589 Feature/v2/smartfolders rebuild by @reecebrowne in #6480 Add cloud-aware delete and version history to My Files by @Frooodle in #6704 add prerendered Open Graph previews and OG card generator by @Frooodle in #6661 Fix inverted link toolbar in rotated PDFs (#6518) by @MattSaito in #6684

[1.37.0] Update whitebophir to 2.11.3 Full Changelog

[1.58.2] Update LimeSurvey to 7.0.3+260618 Full Changelog New feature: Extended integrity check to look for orphaned old_question tables (Carsten Schmitz) New feature: Additional check to find orphaned subquestions in integrity check (Carsten Schmitz) Fixed issue: Remove any superflous subquestions on ranking question type before DB migration (Carsten Schmitz) Fixed issue: Ranking subquestions are written as ranking type (Carsten Schmitz) Fixed issue: Extended integrity check to also catch questions that should not have answer options and should not have subquestions (#5064) (Carsten Schmitz)

[3.16.2] Update metabase to 0.62.2.4 Full Changelog

[1.14.3] Update leantime to 3.9.5 Full Changelog Mobile API Endpoints - Added session-scoped mobile endpoints for the notifications inbox and calendar (#3529) Blueprints Canvas - Fixed a 404 error when adding or editing canvas items (#3544) Editor Mentions - The @mention dropdown now appears directly beneath the caret (#3530) General Fixes - Resolved several recently reported bugs (#3532) symfony/yaml - Promoted to a production dependency (#3543)

[1.1.1] added Multi-Workspace Mode support

[2.45.0] Update Lychee to 7.6.0 Full Changelog Async reverse-geocoding, configurable rate limit, remove Wikimedia map provider by @Copilot in #4275 feat(036): fix direct photo links in large paginated albums via ?page=N by @ildyria in #4294 feat(35) Chunked Archive Download by @ildyria in #4300 feat(34): add bulk album edit by @ildyria in #4296 feat: Add setting to disable embed endpoints and UI. by @ildyria in #4316 feat(37): improved admin panel by @ildyria in #4312 feat(white-label): hide Lychee SE / version branding on login form and all public surfaces by @Copilot in #4335 Fix SSRF on TOCTOU by @ildyria in #4344 Feature 041: supply title/description at upload time; return expected_id in response by @Copilot in #4385 Add support for uploading folders by drag&drop by @ildyria in #4417

[0.3.1] Update urlaubsverwaltung to 6.0.0-RC1 Full Changelog Access validation for "me"-Controller #6231 Keyboard navigation is not supported in search results #6247 Search input is not highlighted in mobile view while results are active #6250

[2.4.3] Update osTicket to 1.18.4 Full Changelog security: Latest Patches 06/2026 (52c366f, 5afdf54, c54a6ac, 1e39bf1, feccb6a, 6eb6b98, 078516e, 98abb05, e52e010, fd96bba, 7bbd8ab, ba6217a, 580e1c8, b535782, 5963797, d590a97, eaebe01, b4cc092, d457c14, 5600f94, 5ff9795, 119cefe, b4ede88, 2a0c388, 6558b33)

[3.0.0] ️ WARNING ️ | [GUIDE] Directus v12 migration | Directus 12 requires a license Update directus to 12.0.2 Full Changelog Added support for non-interactive mode (#27577 by @pklenovic) Fixed user count for users with conflicting direct policy and role (#27720 by @ComfortablyCoding) Added keyboard-editable date entry directly in the datetime field. The field shows its formatted value at rest and swaps to editable date segments on focus, while a calendar button still opens the picker popup. (#27693 by @robluton) Added inline editing support to the JSON repeater interface. (#26863 by @bryantgillespie) Fixed revision snapshots being assigned to the wrong items during batch updates when read order differs (#27407 by @luciemdx) Changed license to MSCL-1.0-GPL (#27417) Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607) Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160) Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner) Added JSON filtering, alias and sorting support (#26981 by @br41nslug)