Cloudron Forum

[4.8.0] Update etherpad-lite to 3.1.0 Full Changelog Self-update Tier 4 (autonomous in a maintenance window). Set updates.tier: "autonomous" together with updates.maintenanceWindow: {"start":"HH:MM","end":"HH:MM","tz":"local"|"utc"} to constrain autonomous updates to a nightly window. The scheduler snaps scheduledFor forward to the next window opening when grace would otherwise land outside the window, and defers the fire when the window has closed by the timer callback. Cross-midnight windows (end < start) are supported; DST transitions are absorbed by host wall-clock arithmetic. A missing or malformed window degrades the policy to Tier 3 with an explicit policy.reason of maintenance-window-missing / maintenance-window-invalid; an admin banner surfaces the misconfiguration so autonomous behaviour is not silently disabled. The admin update page shows a "Maintenance window" section with the parsed window summary, the next opening, and a "deferred until <iso>" subtitle on the scheduled panel when the timer has been snapped forward. Closes #7607 (#7753). Updater real SMTP via nodemailer (new top-level mail.* block). Replaces the "(would send email)" stub. New settings: mail.host, mail.port, mail.secure, mail.from, mail.auth.{user,pass}. mail.host=null keeps the legacy log-only behaviour. The nodemailer dependency is lazy-imported on first send so installs that don't configure mail pay no runtime cost; the transport is cached on the full SMTP options tuple so a reloadSettings() change to host/port/credentials invalidates the cache. settings.json.docker reads MAIL_HOST / MAIL_FROM / MAIL_PORT / MAIL_SECURE from env. Send errors are logged warn and swallowed so a transient SMTP failure can never poison the updater state machine.

[1.7.0] Update v2 to 2.3.0 Full Changelog Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login. Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. They are intended for post-password MFA flows, which Miniflux does not currently support. Add support for exporting and importing Miniflux-specific feed settings in OPML files, allowing full feed configuration backups and restores. Add enclosure links rewrite rule to expose podcast/video enclosure URLs inside entry content for external RSS clients. Prevent archived/deleted entries from reappearing as unread by using a tombstone table and removing the removed entry status. Detect Cloudflare bot challenge pages during feed refresh and return a dedicated error message. Cap the maximum entry limit to 1000 across the UI, API, and storage layer. Fix incorrect read/starred toggling in Google Reader API. Fix handling of slow HTTP headers. Fix "open in new tab" behavior for redirected external entry links.

[1.22.0] Update Wallos to 4.9.0 Full Changelog allow multiple filters on the settings page (0fef959) filter by notification status (0fef959) lifetime subscriptions (0fef959) rework icons (0fef959) sort graphs on the statistics page by usage (0fef959) don't use mbstring (0fef959) migrations using double quotes (0fef959) ntfy notifications with strange chars (0fef959) null array on empty subscription list (0fef959) open 3 dot menu abone for the subscriptions at the bottom (0fef959)

[4.170.0] Update ghost to 6.39.0 Full Changelog Changed comments to be enabled by default (#27913) - Hannah Wolfe Added a built-in theme code editor (#27656) - John O'Nolan Migrated redirects download to YAML - Fabien O'Carroll Fixed {{#social_accounts}} emitting "twitter" as the type for X (#27871) - Hannah Wolfe

[1.79.0] Update verdaccio to 6.7.1 Full Changelog feat: update Node.js to 24 Bumps the project's Node.js baseline to 24 across runtime and container, and adds a startup warning for users still on an older (but supported) Node. Node 24 bump: .nvmrc 22 24; Dockerfile base image node:22.22.1-alpine node:24.15.0-alpine (builder + runtime). Soft-deprecation warning: new RECOMMENDED_NODE_VERSION = '22' and isVersionRecommended() in src/lib/cli/utils.ts; the init command logs a warn at startup when Node is below the recommendation. MIN_NODE_VERSION stays at '18' no hard break. Tests: unit tests for isVersionRecommended and the init warning path. Compatibility: minimum supported Node remains 18 (warning only); recommended is 22+; Docker images ship Node 24.

[3.12.0] Update metabase to 0.61.1.4 Full Changelog

[2.7.20] Update mirotalksfu to 2.2.67

[1.16.11] Update freescout to 1.8.220 Full Changelog After installing this releases replies sent by agents to the previously received email notifications will not be sent to customers. Only replies to the newly received email notifications will be sent. This is a breaking change. Add configurable threshold to suppress transient fetch errors in Logs Monitoring (#5399) Clear JS and CSS builds when clearing cache. Check hash in replies to user email notifications (Security: GHSA-6r38-6mcf-2ww3) Fixed checking trusted hosts during installation. Activate the module right after activating the license.

[1.12.6] Update dawarich to 1.7.8 Full Changelog Self-hosters running OIDC-only sign-in: the ALLOW_EMAIL_PASSWORD_REGISTRATION env var no longer doubles as a login gate. Email/password sign-in is now controlled by the new ALLOW_EMAIL_PASSWORD_LOGIN env var (defaults to true). To preserve OIDC-only sign-in after upgrade, set ALLOW_EMAIL_PASSWORD_LOGIN=false. Visit detection now uses PostGIS spatial clustering for faster, more accurate stops; the iteration-based detector is removed. Places are now strictly per-user. Suggestion, photo-geotagging, and reverse-geocoding all use your own place catalogue exclusively; no places are shared across users. Existing shared places have been backfilled to their most-active owner. Self-hosted single-user instances see no behaviour change. "Re-run detection on full history" button under Settings Visits. Confirmed visits and named places are preserved. Account lockout after 10 failed 2FA attempts (30-minute auto-unlock or password reset). Applies to both the mobile API (POST /api/v1/auth/otp_challenge) and the web sign-in flow. Backup codes still work during a lockout so users with one stored can recover immediately. A notification email is sent to the account owner when a lockout is triggered. #2575 Fix support of FIT files from Garmin Connect. #2686 Email/password login is now shown alongside the OIDC button on self-hosted instances by default, instead of being hidden whenever OIDC is configured. Operators who want to enforce OIDC-only sign-in can set ALLOW_EMAIL_PASSWORD_LOGIN=false. See the upgrade note above. #2495 GPX import now streams the file rather than loading the entire XML into memory, so multi-hundred-MB GPX files (e.g. long-running activity exports) no longer OOM the Sidekiq worker. #2296 Tracks recorded by multiple devices on the same account (phone + watch + GPS unit) no longer get merged into one zigzagging track on the map. Each device's points are kept on their own track, and Map v2 draws routes per-device. #337, #1726 Importing a Google Records.json export with positions from more than one device no longer "teleports" between devices and inflates distance travelled; points are scoped per-device using Google's deviceTag. #337

[0.14.0] Update rustfs to 1.0.0-beta.3 Full Changelog fix(object-lock): materialize default retention metadata by @GatewayJ in #2824 fix: 2827 lifecycle days next midnight by @cxymds in #2833 fix(security): document unsafe and TLS overrides by @overtrue in #2835 feat: add features option to build script by @giter in #2834 fix(replication): handle version ID format mismatch with AWS S3 by @ajax-bakun-n in #2829 feat(rustfs): add ftps/webdav defaults to info output by @houseme in #2845 feat(targets): complete redis mysql postgres target wiring by @houseme in #2842 feat(targets): add AMQP support for notify and audit by @houseme in #2879 feat: enhance WebDAV support with features and directory operations (#2856) by @houseme in #2892 feat(sftp): add SFTPv3 protocol support by @simon-escapecode in #2875

[1.16.1] Update pocketbase to 0.38.1 Full Changelog Silenced the superuser IPs confirmation if there is no change. Updated the experimental UI extensions APIs to allow top-level await in the initialization script. Force unset the auth state of existing realtime connections on user password, collection secret, etc. changes. Added error marker for each collection tab and fixed the styles of the raw errors tooltip. Fixed indexes collection update error (#7689). Updated modernc.org/sqlite to v1.50.1 (SQLite 3.53.1). Other minor fixes (updated API preview examples, fixed code comment typos, etc.).

[4.23.1] Update n8n to 2.20.9 Full Changelog core: Prevent proxy layer accumulation in ObservableObject (#30505) (4394fe4) core: Preserve nested arrays in VM expression engine output (#30334) (067939a) core: Preserve AxiosHeaders instance when applying OpenAI vendor defaults (#30285) (979aa28)