pocketbase releases

To update the prebuilt executable you can run ./pocketbase update.

• Fixed UI logs pagination when no custom range is specified.

• Fixed default CSP not allowing audio/video previews (#7677).

• Serve fixed Content-Type for .xlsx, .docx and .pptx files to allow previews on iOS (#7467).

• Changed settings app URL input to type="text" for compatibility with earlier versions (#7681).

• Added an internal watcher to sync various runtime states between multiple PocketBase processes (e.g. memory store) using the same pb_data.
  This is helpful in case for example a separate PocketBase console command change the collections or application settings while the server is still running.
  The watcher is debounced and implemented by watching the special pb_data/.notify dir as a workaround to avoid depending on OS and SQLite driver specific APIs.

• Added new Superuser IPs/CIDR subnets whitelist setting.
  The optional setting can be changed from the UI under Dasboard > Settings > Application > Superuser IPs.
  To avoid lockout in case your superuser IP change, the ips whitelist can be updated also via the superuser ips console command:

  # note: --dir is optional and defaults to pb_data next to the executable
  
  # clear whitelisted IPs
  ./pocketbase superuser ips --dir=/custom/path/to/pb_data
  
  # OR change the whitelisted IPs to 127.0.0.1 and 10.0.0.0 (replace with your real IP(s))
  ./pocketbase superuser ips 127.0.0.1 10.0.0.0 --dir=/custom/path/to/pb_data
  

• Added rate limit option to exclude IPs/CIDR subnets (#6410).

• Bumped min Go GitHub action version to 1.26.3 because it comes with some minor bug and security fixes.

• (Backported from v0.38.0) Bumped min Go GitHub action version to 1.26.3 because it comes with some minor bug and security fixes.

To update the prebuilt executable you can run ./pocketbase update.

• Fixed password fields not being detected as changed (#7670).

• Added the local time zone name next to the date field label.

• Reload trusted proxy info UI after settings save.

• Other minor improvements (skips the duplicated record ids from the IN expand list, reordered confirm-email-change error checks to minimize enumeration attacks, etc.).

• (Backported from v0.37.4) Adjusted Bitbucket, GitHub, GitLab and Gitea/Forgejo OAuth2 providers to better reflect recent API updates and doc references.
  In case the userinfo data is not sufficient, some of the providers now send a separate list emails request in order to minimize eventual linking security issues caused by custom onpremise setups (e.g. Gitea/Forgejo allows skipping the email verification if an ENV variable is configured).

• (Backported from v0.37.4) ⚠️ Fixed a pre-hijacking OAuth2 linking vulnerability (#7662).

To update the prebuilt executable you can run ./pocketbase update.

[!IMPORTANT]
This release include a security fix related to #7662.

• Added backups list scroll container (#7655).

• Optimized record upsert and preview modals data loading to minimize layout jumps.

• Fixed SMTP IPv6 network address format (#7659).

• Fixed autocomplete selection not properly updating the underlying input value (#7664).

• Added ghupdate.BaseURL config option (#7665).

• Added dummy bcrypt password check for the failure auth path to minimize enumeration timing attacks when registrations are disabled.

• Adjusted Bitbucket, GitHub, GitLab and Gitea/Forgejo OAuth2 providers to better reflect recent API updates and doc references.
  In case the userinfo data is not sufficient, some of the providers now send a separate list emails request in order to minimize eventual linking security issues caused by custom onpremise setups (e.g. Gitea/Forgejo allows skipping the email verification if an ENV variable is configured).

• ⚠️ Fixed a pre-hijacking OAuth2 linking vulnerability (#7662; thanks @Alardiians for reporting it privately).

• Bumped Go and npm dependencies.

To update the prebuilt executable you can run ./pocketbase update.

• Fixed total count load on page back/forward navigation.

• Fixed editor floating dialogs position when scrolling (#7653).

• Enabled text wrapping for the API rule fields.

• Added view query sample loading indicator.

• Other minor light UI contrast and styles improvements.

To update the prebuilt executable you can run ./pocketbase update.

• Fixed autoexpandable input in Firefox (#7648).

• Slightly adjusted the dark theme colors for better readability (#7648).

• Removed unnecessary tags stripping from the displayed log attributes (#7649).

• Workarounded Safari freeze caused by a buggy CSS popover property (#7650).

To update the prebuilt executable you can run ./pocketbase update.

• Minor UI bugfixes:
  • Fixed number field input values normalization (#7646).
  • Allow opening collections in new tab with middle click.
  • Show collection name in the page title on initial load.

To update the prebuilt executable you can run ./pocketbase update.

• New UI rewritten from scratch and with support for external customization in mind.

  Note that as explained in #7612 the new UI kit and extensions APIs will intentionally remain undocumented until "Stage 2" completion (there no ETAs).

  The new UI also introduced several other small improvements:

  • ~2MB smaller bundle size.
  • Dark mode and theming support.
  • Basic responsive/mobile support (it is far from perfect but certainly more usable than before).
  • Help text option for the collection fields.
  • Lifted the max nested level restriction of presentable relations (children are lazy loaded).
  • Lighter rules autocomplete.
  • Live view query preview.
  • Insert of an audio/video embed tag in the richtext editor from a collection file.
  • Option to bulk export records as JSON.
  • Local search history for all searchbars.
  • API rules overview across all collections.
  • Very basic ERD-like visualization for the collections structure and relations.
  • New stepped logs chart visualization with panning support.
  • listAuthMethods() (aka. /api/collection/{col}/auth-methods) now returns the OAuth2 provider logo for each provider as inlined SVG string in its response data.
    ⚠️ Note that if your app for whatever reason rely on the dashboard OAuth2 logos available under /_/images/oauth2/* they are still available for now but will be removed in future versions and it is recommended to use the new inline SVGs!

• Added optional no_ui build tag to exclude the UI from bundling with the executable (#7548).

  go build -tags no_ui
  

• Exported the internal JSVM bind functions (#7600).

  jsvm.BindCore(vm)
  jsvm.BindDbx(vm)
  jsvm.BindSecurity(vm)
  jsvm.BindOS(vm)
  jsvm.BindFilepath(vm)
  jsvm.BindHTTP(vm)
  jsvm.BindFilesystem(vm)
  jsvm.BindForms(vm)
  jsvm.BindMails(vm)
  jsvm.BindApis(vm)
  

• Updated modernc.org/sqlite to v1.49.1 (SQLite 3.53.0).