Cloudron Forum

[1.45.0] Update languagetool to 67944e7

[1.19.2] Update core to 2026.5.2 Full Changelog Fix ValueError for non-numeric value in LG ThinQ ([@LG-ThinQ-Integration] - [#166300]) (lg_thinq docs) Fix non unique_id for Comelit ([@chemelli74] - [#169756]) (comelit docs) Fix local API incorrectly marking devices as unavailable in Overkiz ([@iMicknl] - [#170118]) (overkiz docs) Fix homematicip_cloud config entry setup crash after migration to 2026.5.0 ([@lackas] - [#170156]) (homematicip_cloud docs) Fix MQTT device discovery not using shared QoS and encoding options ([@jbouwh] - [#170195]) (mqtt docs) Add target flow level and mode end time sensors to Duco integration ([@ronaldvdmeer] - [#169298]) (duco docs) Fix fractional setpoints in Matter climate not rounded ([@TheJulianJES] - [#170442]) (matter docs) Fix duplicate doorbell events when entity becomes unavailable ([@jbouwh] - [#170354]) (alexa docs) Fix hassio.backup_partial AttributeError when folders are specified ([@agners] - [#170312]) (hassio docs) Migrate Duco to python-duco-connectivity and remove temperature sensors ([@ronaldvdmeer] - [#170237]) (duco docs) (breaking-change)

[1.13.4] Update dolibarr to 23.0.3 Full Changelog FIX: #36589 (#38037) FIX: broken feature with api auth and Multicompany transverse mode (#37868) FIX: do not print Extrafields in PDF if printable is 0 (#37789) FIX: draft invoice paid when add absolute discount == remain to pay (#38104) FIX: IDOR on messaging.php - Credit Aksoum Abderrahmane FIX: Some remaining cross-customer object creation on API (proposal, orders) - Credit Mitch311 FIX: Can use AI module to make SSRF call. Credit Dilip FIX: #GHSA-crgg-h74r-2m8r (#37636) FIX: SQL Injection via Operator Injection in Contract Service List SEC: Better sanitization param for GETPOST of htmlheader of website page - See commit bbbbb56

[2.94.0] Update searxng to d7e8b7c

[1.26.0] Update ntfy to 2.23.0 Full Changelog Add per-visitor rate limit on new topic creations (visitor-topic-creation-limit-burst / visitor-topic-creation-limit-replenish, defaults 100 burst / 1m replenish) to mitigate topic-enumeration / squatting attacks that inflate the in-memory topic map Remove stacktrace-js, stacktrace-gps, humanize-duration, and js-base64 from the web app to reduce dependency and security footprint Restrict the publish dialog's local file preview to safe image types (png/jpg/gif/webp) to prevent same-origin script execution from blob URLs when previewing a crafted SVG (GHSA-j8hr-p342-xrmh, thanks to @Venukamatchi for reporting)

[1.99.0] Update audiobookshelf to 2.35.0 Full Changelog Access token refresh grace period (fixes frequently needing to re-login) #4630 by @nichwall in #5004 Listening sessions from Android app showing device name as Abs iOS RSS feeds serving m4b files with incorrect Content-Type #5041 by @brandonfhall in #5221 Book & podcast descriptions from audio files are sanitized cancel_scan and set_log_listener socket events validate account type and log level

[1.42.0] Update weblate to 2026.5 Full Changelog Added MDX files support for translating Markdown text while preserving JSX syntax, with File format parameters shared with Markdown files for line wrapping, code blocks, front matter, and placeholder handling. Added extended LLM translation context for automatic suggestions, covering string context, explanations, secondary-language translations, plurals, failing checks, and placeholders. CSV and XLSX downloads in Downloading translations now export plural strings as separate plural-form rows that can be imported back. Hardened search previews and Automatic suggestions suggestion origins against XSS, and stopped exposing database error details in upload failures. Screenshot URL uploads, remote HTML extraction in JavaScript localization CDN, and URL health-check redirects now reject internal or non-public targets by default. Per-project access tokens expiring today now remain valid until the end of the day. The dos-eol flag is no longer supported. Use the dos_eol File format parameters instead. The set_language_team project attribute has been replaced with the po_set_language_team file format parameter at the component level; see File format parameters. Weblate now uses calendar versioning for releases, see Release cycle. The upgrading policy was changed, and upgrades are only supported from the current or previous calendar year.

[4.8.0] Update etherpad-lite to 3.1.0 Full Changelog Self-update Tier 4 (autonomous in a maintenance window). Set updates.tier: "autonomous" together with updates.maintenanceWindow: {"start":"HH:MM","end":"HH:MM","tz":"local"|"utc"} to constrain autonomous updates to a nightly window. The scheduler snaps scheduledFor forward to the next window opening when grace would otherwise land outside the window, and defers the fire when the window has closed by the timer callback. Cross-midnight windows (end < start) are supported; DST transitions are absorbed by host wall-clock arithmetic. A missing or malformed window degrades the policy to Tier 3 with an explicit policy.reason of maintenance-window-missing / maintenance-window-invalid; an admin banner surfaces the misconfiguration so autonomous behaviour is not silently disabled. The admin update page shows a "Maintenance window" section with the parsed window summary, the next opening, and a "deferred until <iso>" subtitle on the scheduled panel when the timer has been snapped forward. Closes #7607 (#7753). Updater real SMTP via nodemailer (new top-level mail.* block). Replaces the "(would send email)" stub. New settings: mail.host, mail.port, mail.secure, mail.from, mail.auth.{user,pass}. mail.host=null keeps the legacy log-only behaviour. The nodemailer dependency is lazy-imported on first send so installs that don't configure mail pay no runtime cost; the transport is cached on the full SMTP options tuple so a reloadSettings() change to host/port/credentials invalidates the cache. settings.json.docker reads MAIL_HOST / MAIL_FROM / MAIL_PORT / MAIL_SECURE from env. Send errors are logged warn and swallowed so a transient SMTP failure can never poison the updater state machine.

[1.7.0] Update v2 to 2.3.0 Full Changelog Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login. Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. They are intended for post-password MFA flows, which Miniflux does not currently support. Add support for exporting and importing Miniflux-specific feed settings in OPML files, allowing full feed configuration backups and restores. Add enclosure links rewrite rule to expose podcast/video enclosure URLs inside entry content for external RSS clients. Prevent archived/deleted entries from reappearing as unread by using a tombstone table and removing the removed entry status. Detect Cloudflare bot challenge pages during feed refresh and return a dedicated error message. Cap the maximum entry limit to 1000 across the UI, API, and storage layer. Fix incorrect read/starred toggling in Google Reader API. Fix handling of slow HTTP headers. Fix "open in new tab" behavior for redirected external entry links.

[1.22.0] Update Wallos to 4.9.0 Full Changelog allow multiple filters on the settings page (0fef959) filter by notification status (0fef959) lifetime subscriptions (0fef959) rework icons (0fef959) sort graphs on the statistics page by usage (0fef959) don't use mbstring (0fef959) migrations using double quotes (0fef959) ntfy notifications with strange chars (0fef959) null array on empty subscription list (0fef959) open 3 dot menu abone for the subscriptions at the bottom (0fef959)

[4.170.0] Update ghost to 6.39.0 Full Changelog Changed comments to be enabled by default (#27913) - Hannah Wolfe Added a built-in theme code editor (#27656) - John O'Nolan Migrated redirects download to YAML - Fabien O'Carroll Fixed {{#social_accounts}} emitting "twitter" as the type for X (#27871) - Hannah Wolfe

[1.79.0] Update verdaccio to 6.7.1 Full Changelog feat: update Node.js to 24 Bumps the project's Node.js baseline to 24 across runtime and container, and adds a startup warning for users still on an older (but supported) Node. Node 24 bump: .nvmrc 22 24; Dockerfile base image node:22.22.1-alpine node:24.15.0-alpine (builder + runtime). Soft-deprecation warning: new RECOMMENDED_NODE_VERSION = '22' and isVersionRecommended() in src/lib/cli/utils.ts; the init command logs a warn at startup when Node is below the recommendation. MIN_NODE_VERSION stays at '18' no hard break. Tests: unit tests for isVersionRecommended and the init warning path. Compatibility: minimum supported Node remains 18 (warning only); recommended is 22+; Docker images ship Node 24.

[3.12.0] Update metabase to 0.61.1.4 Full Changelog

[1.16.11] Update freescout to 1.8.220 Full Changelog After installing this releases replies sent by agents to the previously received email notifications will not be sent to customers. Only replies to the newly received email notifications will be sent. This is a breaking change. Add configurable threshold to suppress transient fetch errors in Logs Monitoring (#5399) Clear JS and CSS builds when clearing cache. Check hash in replies to user email notifications (Security: GHSA-6r38-6mcf-2ww3) Fixed checking trusted hosts during installation. Activate the module right after activating the license.

[1.12.6] Update dawarich to 1.7.8 Full Changelog Self-hosters running OIDC-only sign-in: the ALLOW_EMAIL_PASSWORD_REGISTRATION env var no longer doubles as a login gate. Email/password sign-in is now controlled by the new ALLOW_EMAIL_PASSWORD_LOGIN env var (defaults to true). To preserve OIDC-only sign-in after upgrade, set ALLOW_EMAIL_PASSWORD_LOGIN=false. Visit detection now uses PostGIS spatial clustering for faster, more accurate stops; the iteration-based detector is removed. Places are now strictly per-user. Suggestion, photo-geotagging, and reverse-geocoding all use your own place catalogue exclusively; no places are shared across users. Existing shared places have been backfilled to their most-active owner. Self-hosted single-user instances see no behaviour change. "Re-run detection on full history" button under Settings Visits. Confirmed visits and named places are preserved. Account lockout after 10 failed 2FA attempts (30-minute auto-unlock or password reset). Applies to both the mobile API (POST /api/v1/auth/otp_challenge) and the web sign-in flow. Backup codes still work during a lockout so users with one stored can recover immediately. A notification email is sent to the account owner when a lockout is triggered. #2575 Fix support of FIT files from Garmin Connect. #2686 Email/password login is now shown alongside the OIDC button on self-hosted instances by default, instead of being hidden whenever OIDC is configured. Operators who want to enforce OIDC-only sign-in can set ALLOW_EMAIL_PASSWORD_LOGIN=false. See the upgrade note above. #2495 GPX import now streams the file rather than loading the entire XML into memory, so multi-hundred-MB GPX files (e.g. long-running activity exports) no longer OOM the Sidekiq worker. #2296 Tracks recorded by multiple devices on the same account (phone + watch + GPS unit) no longer get merged into one zigzagging track on the map. Each device's points are kept on their own track, and Map v2 draws routes per-device. #337, #1726 Importing a Google Records.json export with positions from more than one device no longer "teleports" between devices and inflates distance travelled; points are scoped per-device using Google's deviceTag. #337