v4.2.0

What's Changed

• fixed split errors for username and password on login
• fixed default expiration not being overridable
• fixed broken link when uploading partial files
• fixed long code blocks being unreadable
• fixed flameshot script for mac (uses absolute path from flameshot.app)
• added new gps metadata remover (subject to bugs but shouldn't bug as it's been tested thoroughly)
• added download button on file table view
• added discord oauth allowlist/denylist
• added the option to use environment variable to configure zipline (not documented but will be soon)
  • if an environment variable is set, the corresponding setting input in the server settings page will be disabled and will have no effect on zipline since environment variables will always take priority over the database set settings.
  • there is a helper script to convert settings into environment variables
• added better caching for version api
• using up-to-date aws sdk as blackblaze fixed their shortcomings
• cookie age is 2 weeks
• new "midnight pink" theme

Pulls Merged

• Optimize view for long code blocks by @curet-dev in #823
• chore: update ESLint config by @lajczi in #826

Full Changelog: v4.1.2...v4.2.0

v4.1.2

Hotfix

This update fixes a bug introduced by updating a dependency in v4.1.1.
If you had issue uploading files while having the remove gps metadata setting turned on, this update now fixes that

Full Changelog: v4.1.1...v4.1.2

v4.1.1

What's Changed

• fixed being able to scroll when zoomed in on image on view route
• fixed passkeys not deletable
• fixed passwords being sent in query string
• fixed video/ogg (and other audio files that can have video streams) mimetype breaking thumbnail gen
• added small (1-5 seconds, mostly 1) ratelimits for a bunch of POST/PATCH/DELETE methods on the API which should stop users that spam buttons (for some reason) from doing too much stuff
• updated dependencies

Pulls Merged

• Add the service_healthy requirement to Zipline's depends_on: by @Joshfindit in #811

New Contributors

• @Joshfindit made their first contribution in #811

Full Changelog: v4.1.0...v4.1.1

v4.1.0

What's Changed

• the "default" theme set in settings is now exposed on the view routes

• better partial upload file checking, now handled by the server without trusting the client

• version checking, new version checking api: https://github.com/diced/zipline-version
  

  • you can host your own version checking api (view the repo above!) if you do not want to send requests to my cloudflare worker (a docker image is coming soon, so you can just add it to your docker-compose)
  • you can disable version checking in the settings
  • shows up at the bottom of the sidebar, above external links. clicking the version will open a modal with a lot of information about the current/latest versions

• new options to show on view-routes
  

  • show folder option: shows a link if the folder is public, if it isn't it shows the name
  • show tags option: shows a list of tags next to the name
  • show mimetype option (has been existing since v4): shows the file mimetype

• DATASOURCE_S3_SUBDIRECTORY introduced to limit zipline uploads to a "subdirectory"

• overhauled querystring system, reloading on pages with options will persist

• fixed s3 multipart uploads

• fixed import-dir script

• fixed oauth route, you will be able to unlink/link providers without errors

• fixed no mimetypes on s3 uploads

• fixed upload button showing up on disabled upload folders

• fixed overwritten sessions when logging in with webauthn keys

• fixed s3 access testing, no longer requires list-buckets permissions

• fixed removed avatar fetching every 30 seconds, now only updates on page loads

• fixed more debug logs when oauth fails

• fixed DEBUG logs, better handling now

• fixed better image width/height sizing

Pulls Merged

• Add: Discord auto continue on OAuth screen by @bigbenster702 in #795
• fix filenames with special characters like spaces + fix mime type uploads for bash uploader by @rlko in #786
• ci: node.js 23 -> 24 by @lajczi in #809

New Contributors

• @bigbenster702 made their first contribution in #795
• @rlko made their first contribution in #786
• @lajczi made their first contribution in #809

Full Changelog: v4.0.2...v4.1.0

v4.0.2

Roadmap Website

The roadmap website has been updated to show estimated release windows for new features and future versions. It can be accessed through the same link: https://zipline.diced.sh/roadmap

What's Changed

• fixed security vuln with Math.random
• fixed s3 max sockets issue
• fixed v3 imports requiring a .stats property
• fixed v3 imports limiting at 1 mb per request
• fixed upload route not redirecting to /view for text/ files
• fixed syntax highlighting
• fixed empty lines being filtered out of code renderer
• fixed s3 erroring on 204 status codes
• updated next.js 15.2.4 (vuln that doesn't effect zipline, but to be safe!)
• added new midnight blue and orange themes
• added files per page selector for gallery view

Pulls Merged

• Midnight Theme, Files Page Improvements & Bug Fixes by @curet-dev in #753
• Improved Pagination - Files per Page Selector by @curet-dev in #757

New Contributors

• @curet-dev made their first contribution in #753

Full Changelog: v4.0.1...v4.0.2

v4.0.1

What's Changed

• fixed many import bugs
• fixed ziplinectl not running
• fixed oauth redirect uri not being used when provided
• fixed view page on firefox (smh)
• fixed sessions being overwritten in many different cases
• fixed external links area not scrolling
• fixed passkey appearing even when disabled
• fixed oauth saving (a restart shouldn't be needed now)
• fixed titles overflowing out of the page or container
• fixed gps metadata not clearing
• fixed api errors not erroring properly to the user
• fixed url passwords only working when logged in
• fixed hex parsing for discord webhook embed color
• fixed unsupported headers in s3
• fixed combobox being hidden when in a small container
• add default state to oidc oauth (fixes authentik)
• add warning when enabling embeds to enable view routes
• add ishare support
• add x-zipline-domain random domain selection (comma separated list of domains)
• add cross-env to support environment variables on windows (smh)
• add ranged requests to non view-routes (i'm sorry 😭 i forgot)
• add anonymous folder uploads: send a link to your friends to which they can upload files to without having an account!

Pulls Merged

• feat: add github issue template by @TacticalTechJay in #696
• Randomized Domain Selection support for Files and URL Shortener by @nobodys-tools in #713
• Updated package.json, pnpm-lock.yaml and register.tsx by @loefey in #727
• Update ExternalAuthButton.tsx by @Madelyyn in #737

New Contributors

• @nobodys-tools made their first contribution in #713
• @loefey made their first contribution in #727
• @Madelyyn made their first contribution in #737

Full Changelog: v4.0.0...v4.0.1

v4.0.0

🎊 Thanks for waiting for the next big release for Zipline! This has been in the works for over 2 years now, and it's finally gotten to a point where it's ready to be released. 🎉

New documentation website

The docs website has been updated to reflect new v4 features + has a new coat of paint. Visit it here: zipline.diced.sh. If you wish to visit the old v3 docs, they are available at v3.zipline.diced.sh.

Migrating from v3 to v4 ⬆️

Please use the migration docs to assist you.

Important! ⚠️

If you have something that auto-updates Zipline whenever a new tag is released, we highly recommend that you turn this off before updating to v4.

State of v3 🔒

v3 will still be developed for a little while. We are only going to be focusing on large bugs or security vulnerabilities.

If you wish to continue using v3, you can use the following docker images:

• ghcr.io/diced/zipline:v3-trunk - this image updates every time a new commit is out on the v3 branch
• ghcr.io/diced/zipline:v3 - this image updates every time a new v3.*.* release comes out (most likely never...)
  • currently, this image will be the same as using the :v3.7.13 tag

v4 docker images 🆕

v4 will be taking over the trunk branch, and with that it will also be taking over the latest and trunk tag.

• ghcr.io/diced/zipline (ghcr.io/diced/zipline:latest) - v4 builds from now on
• ghcr.io/diced/zipline:v4 - continues serving v4 builds (for those who were using v4 while beta testing)
• ghcr.io/diced/zipline:trunk - only updates whenever there are new commits to the trunk branch.

What's changed

• Revamp API
• Revamp offloaded tasks, like thumbnail generation and partial uploads
• Revamp invites system
• Revamped expiring/deletesAt files
• Revamped all dashboard pages
• Everything revamped tbh
• More variables + conditional variables
• Import v3 database
• --skip-next skips loading next.js
• edit stuff
  • url properties, file properties
• urls can have passwords
• support OIDC providers like authentik, authelia, etc.
• quotas per user
• allow configuring of a terms of service link
• utility scripts moved to dashboard
• new zipline-ctl cli utility
• /api/healthcheck that can be used as a healthcheck in docker compose
• upload options on the dashboard are persisted (localStorage)
• Files, URLs, Invites, Users, Folders pages have a table and card view selector
  • Tables can be filtered, sorted
• File tags (can be created on the files page)
• x-zipline-folder header to auto add to a folder
• warnings when deleting stuff like files, urls, etc. (can be disabled)
• bulk transactions for files (delete, favorite, add to folder)
• script/sharex generation is better with the new options
• passkey login
• login page redesign
• tons of environment variables are now moved to the settings page
• partial uploads when using s3 use multipart uploads
• removed ability to view exif data
• removed zero-width space urls
• honestly there's a lot more, you can figure out yourself 😂

Pulls merged

• fix: incorrect password autocompletes by @Vetlix in #557
• Add Catppuccin Themes (v4) by @cswimr in #562
• add support for DATASOURCE_S3_FORCE_PATH_STYLE by @Creationsss in #658
• add support for TZ by @Arlind-dev in #660
• Add checks variable modifiers by @Stef-00012 in #662
• fix: sharex url shortening config by @dilllxd in #664
• Add exists conditional modifier to date, fix parser regex by @Stef-00012 in #666
• Hopefully last pr for conditional modifiers by @Stef-00012 in #667

New Contributors

• @Creationsss made their first contribution in #658
• @Arlind-dev made their first contribution in #660
• @Stef-00012 made their first contribution in #662
• @dilllxd made their first contribution in #664

v3.7.13

What's Changed

• s3 file requests are fixed now
• ranged file requests actually work as intended
• reserved routes check uses regex so you can use stuff like /rrrrr now works
• fixed #673
• fixed #659 (how has this issue existed for 2 years?)
• fixed #670
• fixed #685
• fixed #657 (possibly?)
• no longer support files that aren't in the db
• no longer support supabase datasource, use their s3 endpoint now
• new: on view routes, click anywhere on the page to zoom into the image
• new: on the home page, an alert (dismissible by clicking the x) will tell you about v4, and to consider turning off auto updaters that update zipline every time a new release is out

Pulls merged

• Woah, I think this is a lot. by @TacticalTechJay in #683
• A super cool zoom machine by @TacticalTechJay in #686
• Fixing my way downtown. by @TacticalTechJay in #692

Full Changelog: v3.7.12...v3.7.13

v3.7.12

What's Changed

• fixed xss vuln given /auth/login?url=javascript:<code> will execute said code.
• fixed s3 ranged requests

Full Changelog: v3.7.11...v3.7.12

v3.7.11

⚠️ Important ⚠️

• Vulnerability within oauth
  • Versions affected: anything past v3.6.0
  • Providers affected: Google
  • The vulnerability is caused due to a backwards compatibility fallback method of trying to find a oauth user, this fallback method would not rely on the provider's ID but instead just the username + provider name. This meant that as long as the determined username was the same, two google accounts with the same username will point to the same user if linked.
  • This doesn't effect discord or github, since they have unique usernames.
• If you don't use oauth, you are totally fine to continue using previous versions at your own risk.

What's Changed

• feat(ci): push to docker hub by @wdhdev in #613
• fix: code scroll overflow handling by @quantum5 in #620
• Update README.md by @Rovoska in #627
• fix(repo): update devcontainer defaults to use bundled postgres by @Hegi in #585
• feat: proper range request handling by @ari-party in #635
• fix: Check if route was set to /r, as it's reserved. by @TacticalTechJay in #643

New Contributors

• @quantum5 made their first contribution in #620
• @Rovoska made their first contribution in #627
• @Hegi made their first contribution in #585

Full Changelog: v3.7.10...v3.7.11