ntfy - Package Updates

Package Updates

[1.21.0]

• Update ntfy to 2.18.0
• Full Changelog
• Add experimental PostgreSQL support as an alternative database backend (message cache, user manager, web push subscriptions) via database-url config option (#​1114/#​1619, thanks to @​brettinternet for reporting)
• Preserve <br> line breaks in HTML-only emails received via SMTP (#​690, #​1620, thanks to @​uzkikh for the fix and to @​teastrainer for reporting)

Package Updates

[1.22.0]

• Update ntfy to 2.19.0
• Full Changelog
• 888850d Add blurp

Package Updates

[1.22.1]

• Update ntfy to 2.19.1
• Full Changelog
• This is a bugfix release to avoid PostgreSQL insert failures due to invalid UTF-8 messages. It also fixes database-url validation incorrectly rejecting postgresql:// connection strings.
• Fix invalid UTF-8 in HTTP headers (e.g. Latin-1 encoded text) causing PostgreSQL insert failures and dropping entire message batches
• Fix database-url validation rejecting postgresql:// connection strings (#​1657/#​1658)

Package Updates

[1.22.2]

• Update ntfy to 2.19.2
• Full Changelog
• This is another small bugfix release for PostgreSQL, avoiding races between primary and read replica, as well as to further reduce primary load.
• Bug fixes + maintenance:
• Fix race condition in web push subscription causing FK constraint violation when concurrent requests hit the same endpoint
• Route authorization query to read-only database replica to reduce primary database load

Package Updates

[1.23.0]

• Update ntfy to 2.20.0
• Full Changelog
• Add S3-compatible object storage as an alternative attachment store via attachment-cache-dir config option (#​1656/#​1672)
• Reject invalid e-mail addresses (e.g. multiple comma-separated recipients) with HTTP 400
• Add OpenRC init service file (#​1650, thanks to @​ageru for the contribution)
• Important note: With this release, ntfy will take full control over the attachment directory or S3 bucket. Files/objects in the configured attachment-cache-dir that match the message ID format (12 chars, matching ^[A-Za-z0-9]{12}$), and have no entries in the message database will be deleted. Do not use a directory or S3 bucket as attachment-cache-dir that is also used for something else.

Package Updates

[1.24.0]

• Update ntfy to 2.21.0
• Full Changelog
• This release adds the ability to verify email addresses using the smtp-sender-verify flag. This is a change that is required because ntfy.sh was used to send unsolicited emails and the AWS SES account was suspended. Going forward, ntfy.sh won't be able to send emails unless the email address was verified ahead of time.
• Add verified email recipients feature with smtp-sender-verify config flag, allowing server admins to require email
• address verification before sending email notifications (#​1681)

Package Updates

[1.25.0]

• Update ntfy to 2.22.0
• Full Changelog
• Tighten web push endpoint allow-list regex to prevent SSRF via unanchored pattern matching (GHSA-w9hq-5jg7-q4j7, thanks to @MightyNawaf for reporting)
• Fix web app not allowing access tokens to be changed to never expire (#1693/#1694, thanks to @lastsamurai26 for reporting and to @ShipItAndPray for fixing)
• Fix web app crashing on account page for tokens without a last access time (#1651, #1684, thanks to @Pulsar7 and @rzhli for reporting)

Package Updates

[1.25.1]

• fix: update doc links from /apps/ to /packages/

Package Updates

[1.26.0]

• Update ntfy to 2.23.0
• Full Changelog
• Add per-visitor rate limit on new topic creations (visitor-topic-creation-limit-burst / visitor-topic-creation-limit-replenish, defaults 100 burst / 1m replenish) to mitigate topic-enumeration / squatting attacks that inflate the in-memory topic map
• Remove stacktrace-js, stacktrace-gps, humanize-duration, and js-base64 from the web app to reduce dependency and security footprint
• Restrict the publish dialog's local file preview to safe image types (png/jpg/gif/webp) to prevent same-origin script execution from blob URLs when previewing a crafted SVG (GHSA-j8hr-p342-xrmh, thanks to @Venukamatchi for reporting)

Package Updates

[1.27.0]

• Update ntfy to 2.24.0
• Full Changelog
• Fix case-insensitive ACL topic matching on SQLite: an access control rule for secret no longer also matches a request for SECRET. SQLite's LIKE is case-insensitive for ASCII by default. PostgreSQL was unaffected. It's honestly incredible that this issue remained undetected for so long, especially while ntfy.sh was running on SQLite (it now runs on PostgreSQL).
• Add opt-in in-memory ACL cache (auth-access-cache) that serves topic authorization without a database round-trip; off by default, intended for high-volume servers
• Add ntfy --version flag to the CLI (#1722, #1748, thanks to @sskender for the contribution, and @Saucy9607 for reporting)
• Extend account token automatically from the PWA service worker, so installed PWAs don't get logged out (#1669, #1203, #1533, thanks to @nihalgonsalves for the contribution)
• Fix rel attribute on auto-linked notification URLs so noreferrer/noopener are actually applied (#1720, thanks to @dmitrylyzo for the contribution)
• Add systemd sandboxing/hardening to the ntfy.service unit (#1467, thanks to @Velocifyer for the contribution)
• Fix cmd package build on macOS (darwin) so the server compiles from source (#1631, #1696, thanks to @ShipItAndPray for the contribution, and @XYenon for reporting)