v4.3.2

What's changed

• fixed invites redirecting for no reason
• fixed invites error handling ui
• fixed urls not being URL encoded and handled properly
• fixed title not updating on web dashboard
• fixed aws sdks breaking functionality with other providers (downgraded)
• added "trust proxies" option that will trust proxies zipline is behind (forwarding certain proxied headers)
• added support for reading env vars from a file:
  • simply append _FILE to the end of a normal environment var, and set its value to a file path that zipline has access to read
  • zipline will read that file and set the correct value in the config
  • this was added for use in docker secrets
  • along with this new vars were added for defining the database: DATABASE_USERNAME, DATABASE_PASSWORD, DATABASE_HOST, DATABASE_PORT, DATABASE_NAME (all of them must be present, OR, just DATABASE_URL.)
• added file name to the file upload response
• added the ability to reorder and disable certain fields in the file table on the dashboard

Full Changelog: v4.3.1...v4.3.2

v4.3.1

What's Changed

• fixed db migrations
• fixed bypass local login for oauth
• fixed invites redirecting even though they are valid
• fixed legacy /r/<id> redirect
• fixed not being able to view other user's files from the admin page

thanks for bearing with the shaky 4.3 release lol

Full Changelog: v4.3.0...v4.3.1

v4.3.0

What's Changed

• new: removed next.js in favor for a more traditional SPA built with Vite and React-Router
  • there should be little to no difference for users, most of the changes are under the hood!
  • the docker image is ~500mb smaller now
  • builds are quicker than ever, 10 seconds (on M4 Pro) compared to up to 20-30 seconds
    • skipping typechecking makes it even faster.
• new: extraCss property in themes
• new: asciinema .cast files are now rendered in the dashboard
• new: PDFs are rendered in the dashboard (browsers with built-in PDF viewers are only supported, most modern browsers like Chrome, Firefox, and Safari all support this)
• new: image compression formats - no longer only supports jpegs. configure to your liking with webp, jpg, png, and jxl (if supported)
• new: thumbnail output format - no longer only outputs jpegs. configure to webp, jpg, or png.
• new: build scripts (cleans up package.json)
• new: better max-views handling
  • this fixed an issue where on max-views = 1, the file would not be viewable
  • the new method counts views on a per-ip and per-file basis, for every 5 seconds
• fixed ishare icon
• fixed dropzone loading z-index
• fixed partials not rejected on normal upload
• fixed date normalization on SSR routes
• fixed metrics being shown even when admin only is enabled
• fixed deselecting items in selects
• fixed passwords being reset when editing urls
• fixed the user object not being included on the variable parser on text file viewing

Pulls Merged

• remove next.js in favor of client-side only by @diced in #857

What's Next

stuff that will most likely be included in the v4.4 release, but won't be available on trunk while being developed

• currently working on #875 (migrating from Prisma to drizzle-orm)

Full Changelog: v4.2.3...v4.3.0

v4.2.3

What's Changed

• hotfix for uploads not uploading correctly
• fixed some environment variables incorrectly defined #858

Pulls Merged

• Fix environment variable mismatch when comparing to docs & change data type of RATELIMIT_WINDOW by @snipcola in #858

New Contributors

• @snipcola made their first contribution in #858

Full Changelog: v4.2.2...v4.2.3

v4.2.2

Warning

Security Vulnerability: All v4 versions affected, /api/user/files/transaction has a vulnerability in which any authenticated user is allowed to modify/delete files owned by other users. This is only possible if the attacker knows the file ID's and is making authenticated requests. All users are strongly advised to update immediately. If there are no other users you don't really need to worry ig.

What's changed

• fixed multiple db connections on offloaded threads
• ⚠️ fixed any user file modification/deletion on transactional api
• mostly under the hood changes
  • refactor upload logic
  • refactor thumbnail logic
  • updated packages
  • nix flake uses devenv now for easier postgres/minio setup

Full Changelog: v4.2.1...v4.2.2

v4.2.1

What's Changed

• fixed typos regarding random words separator
• fixed visual bugs and enhanced the web ui
• fixed discord oauth not working (this was due to a faulty implementation of a allow/deny list)
• fixed handling custom components in custom themes
• fixed favoriting files in the transactional api
• fixed errors when uploading a file with the same prefix as another file
• added nix dev shell for my own use (and others if you want), just run nix develop!

Pulls Merged

• Predefined Domains (Dropdown) by @curet-dev in #822

Full Changelog: v4.2.0...v4.2.1

v4.2.0

What's Changed

• fixed split errors for username and password on login
• fixed default expiration not being overridable
• fixed broken link when uploading partial files
• fixed long code blocks being unreadable
• fixed flameshot script for mac (uses absolute path from flameshot.app)
• added new gps metadata remover (subject to bugs but shouldn't bug as it's been tested thoroughly)
• added download button on file table view
• added discord oauth allowlist/denylist
• added the option to use environment variable to configure zipline (not documented but will be soon)
  • if an environment variable is set, the corresponding setting input in the server settings page will be disabled and will have no effect on zipline since environment variables will always take priority over the database set settings.
  • there is a helper script to convert settings into environment variables
• added better caching for version api
• using up-to-date aws sdk as blackblaze fixed their shortcomings
• cookie age is 2 weeks
• new "midnight pink" theme

Pulls Merged

• Optimize view for long code blocks by @curet-dev in #823
• chore: update ESLint config by @lajczi in #826

Full Changelog: v4.1.2...v4.2.0

v4.1.2

Hotfix

This update fixes a bug introduced by updating a dependency in v4.1.1.
If you had issue uploading files while having the remove gps metadata setting turned on, this update now fixes that

Full Changelog: v4.1.1...v4.1.2

v4.1.1

What's Changed

• fixed being able to scroll when zoomed in on image on view route
• fixed passkeys not deletable
• fixed passwords being sent in query string
• fixed video/ogg (and other audio files that can have video streams) mimetype breaking thumbnail gen
• added small (1-5 seconds, mostly 1) ratelimits for a bunch of POST/PATCH/DELETE methods on the API which should stop users that spam buttons (for some reason) from doing too much stuff
• updated dependencies

Pulls Merged

• Add the service_healthy requirement to Zipline's depends_on: by @Joshfindit in #811

New Contributors

• @Joshfindit made their first contribution in #811

Full Changelog: v4.1.0...v4.1.1

v4.1.0

What's Changed

• the "default" theme set in settings is now exposed on the view routes

• better partial upload file checking, now handled by the server without trusting the client

• version checking, new version checking api: https://github.com/diced/zipline-version
  

  • you can host your own version checking api (view the repo above!) if you do not want to send requests to my cloudflare worker (a docker image is coming soon, so you can just add it to your docker-compose)
  • you can disable version checking in the settings
  • shows up at the bottom of the sidebar, above external links. clicking the version will open a modal with a lot of information about the current/latest versions

• new options to show on view-routes
  

  • show folder option: shows a link if the folder is public, if it isn't it shows the name
  • show tags option: shows a list of tags next to the name
  • show mimetype option (has been existing since v4): shows the file mimetype

• DATASOURCE_S3_SUBDIRECTORY introduced to limit zipline uploads to a "subdirectory"

• overhauled querystring system, reloading on pages with options will persist

• fixed s3 multipart uploads

• fixed import-dir script

• fixed oauth route, you will be able to unlink/link providers without errors

• fixed no mimetypes on s3 uploads

• fixed upload button showing up on disabled upload folders

• fixed overwritten sessions when logging in with webauthn keys

• fixed s3 access testing, no longer requires list-buckets permissions

• fixed removed avatar fetching every 30 seconds, now only updates on page loads

• fixed more debug logs when oauth fails

• fixed DEBUG logs, better handling now

• fixed better image width/height sizing

Pulls Merged

• Add: Discord auto continue on OAuth screen by @bigbenster702 in #795
• fix filenames with special characters like spaces + fix mime type uploads for bash uploader by @rlko in #786
• ci: node.js 23 -> 24 by @lajczi in #809

New Contributors

• @bigbenster702 made their first contribution in #795
• @rlko made their first contribution in #786
• @lajczi made their first contribution in #809

Full Changelog: v4.0.2...v4.1.0