pocketbase

v0.39.4 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 14d API Development
✓ No known CVEs patched

Topics

authentication backend go realtime

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 14d

The required validator for redirectURL has been removed from the authWithOAuth2Code() API endpoint.

Why it matters: Applications that relied on the endpoint's mandatory redirectURL validation are affected, starting with v0.39.4, where the validator is removed.

Summary

AI summary

Removed redirectURL validator from authWithOAuth2Code() code‑token exchange endpoint.

Changes in this release

Breaking High

Removes required validator for redirectURL in authWithOAuth2Code endpoint

Source: llm_adapter@2026-06-14

Confidence: high

Feature Medium

Enables sorting by the first implicit presentable relation field

Source: llm_adapter@2026-06-14

Confidence: high

Dependency Low

Updates goja and related golang.org/x/* dependencies for regex improvements

Source: llm_adapter@2026-06-14

Confidence: high

Bugfix Low

Fixes minor UI issues: tooltip clear on hovered element removal, optional before element sortable fix

Source: llm_adapter@2026-06-14

Confidence: high

Full changelog

To update the prebuilt executable you can run ./pocketbase update.

  • Removed redirectURL required validator from the code->token exchange endpoint (aka. authWithOAuth2Code()) (#7734).
    Note that OAuth2 providers have their own validations and whether it is allowed to be empty or not could depend on the configured OAuth2 app (in most cases it is required and the redirect address must match with the initial value submitted with the authorization request).

  • Enabled sorting by the first implicit presentable relation field (#7735).

  • Other minor UI fixes (tooltip clear on hovered element removal, optional before element sortable fix, etc.).

  • Updated goja and the related golang.org/x/* dependencies (regex support improvements).

Breaking Changes

  • Removed `redirectURL` required validator from the authWithOAuth2Code() endpoint.

About pocketbase

Open Source realtime backend in 1 file
