Release history

Plik releases

Scalable and friendly temporary file upload system.

1.4.2 Breaking risk
⚠ Upgrade required
  • EnhancedWebSecurity config is deprecated; use AssumeHTTPS instead (still accepted but logs deprecation warning)
  • X-XSS-Protection header removed as it is deprecated by browsers
Security fixes
  • Exclude SVG from inline file viewer to prevent XSS via crafted SVG uploads (#725)
Notable features
  • Internationalization (i18n) — fully translated webapp with language picker supporting English, French, German, Spanish, Italian, Dutch, Polish, Portuguese, Russian, Swedish, Hindi, Chinese; hot-reload locales, fallback to English, per‑user persistence
  • GitHub OAuth2 authentication provider added
  • Default admin provisioning via DefaultAdminLogin / DefaultAdminPassword (or env vars PLIKD_DEFAULT_ADMIN_LOGIN / PLIKD_DEFAULT_ADMIN_PASSWORD) creates a local admin on first startup if missing
Full changelog

Plik 1.4.2

Hi, today we're releasing Plik 1.4.2 !

Here is the changelog:

New:

  • Internationalization (i18n) — the webapp is now fully translated with a language picker.
    12 languages supported: English (en), French (fr), German (de), Spanish (es), Italian (it),
    Dutch (nl), Polish (pl), Portuguese (pt), Russian (ru), Swedish (sv), Hindi (hi), Chinese (zh).
    Locales are hot-reloaded, fallback to English, and the language preference is persisted per user.
  • GitHub OAuth2 authentication provider
  • Default admin provisioning: set DefaultAdminLogin / DefaultAdminPassword (or env vars
    PLIKD_DEFAULT_ADMIN_LOGIN / PLIKD_DEFAULT_ADMIN_PASSWORD) to automatically create a local
    admin user on first startup — idempotent, skipped if the user already exists
  • API token feature flag (FeatureApiTokens) to globally disable token creation and CLI auth
  • CLI multi-profile support in .plikrc (profile composition with -P work,zip)
  • CLI --update-plikrc to rewrite config in canonical format
  • Prefixed opaque API tokens (plik_ prefix + Base62 + CRC32 checksum)
  • S3 BucketLookup option for path-style addressing (Cloudflare R2, MinIO)
  • S3 buffer-then-decide upload strategy with parallel multipart support
  • AssumeHTTPS config option (replaces deprecated EnhancedWebSecurity): controls HSTS header and
    Secure cookie flag; auto-enabled when SslEnabled=true or PlikDomain starts with https://.
    EnhancedWebSecurity is still accepted but logs a deprecation warning at startup.
  • Configurable archive compression (EnableArchiveCompression) to reduce CPU load
  • Mermaid diagram rendering in Markdown preview (@bodji)
  • MCP server profile-aware uploads and list_profiles tool
  • Improved CLI --help with grouped sections (auto-injected into docs)

Fix:

  • Fix file row layout on mobile to improve filename display (#726)
  • Fix download URL construction for DownloadDomain + Path (#723): fixes broken links in
    subpath deployments; DownloadURL field now included in API Configuration and Upload responses
  • Exclude SVG from inline file viewer to prevent XSS via crafted SVG uploads (#725)
  • Fix extra separator in mobile navigation menu when authentication is disabled (#720)
  • Fix light theme surface palette (#720)
  • Fix subpath asset loading when deployed behind a reverse proxy (#714)
  • Fix S3 signed integer types for PartSize and PartUploadConcurrency
  • Fix syntax highlighting for all file extensions
  • Fix navbar overflow on medium viewports

Misc:

  • Download security headers (X-Content-Type-Options, X-Frame-Options, CSP) are now set
    unconditionally on all file/archive downloads — no config required
  • Removed X-XSS-Protection header (deprecated by browsers, potentially harmful)
  • /version endpoint now always strips build metadata (GoVersion, git revision, build host/user)
    from public responses; still available for authenticated admins
  • Limit body size middleware extracted for cleaner request handling

Dependency upgrades:

  • Bump golang.org/x/net to v0.52.0 (fixes GO-2026-4559 HTTP/2 server panic)
  • Bump golang.org/x/crypto to v0.49.0
  • Bump cloud.google.com/go/storage to v1.61.3
  • Bump google.golang.org/api to v0.273.0
  • Bump Vite to v8.0.3 (Rolldown bundler, improved build performance)
  • Bump Vue to 3.5.31, vue-router to 5.0.4, Tailwind CSS to 4.2.2
  • Bump GitHub Actions: checkout v6, setup-go v6, upload-artifact v7, github-script v8, setup-helm v5

Binaries will be built with Go 1.26.1

Faithfully,
The Plik team

1.4.1 Breaking risk
Notable features
  • Inline video and audio playback in file viewer
  • URL deep‑linking for file viewer with media timestamps
  • Runtime settings, branding, themes (10 built‑in dark/light/auto modes) and custom footer
Full changelog

Plik 1.4.1

Hi, today we're releasing Plik 1.4.1 !

Here is the changelog :

New :

  • Inline video and audio playback in file viewer (@bodji)
  • URL deep-linking for file viewer and media timestamps (@bodji)
  • Runtime settings and webapp customization (branding, themes, custom footer)
  • 10 built-in themes with dark/light/auto mode and user preference persistence
  • Improvements in Home and Admin views (error handling, filtering, bulk token uploads deletion, ...)
  • Show removed/deleted files in download view and Home/Admin views
  • Configurable streaming timeout, cancellation, and retry

Fix :

  • Reject E2EE uploads with empty passphrase
  • Fix file deletion on versioned S3 buckets (#673)
  • Restore backward compat when only DownloadDomain is set (#676)
  • Improve mimetype detection with gabriel-vasile/mimetype (#678)
  • Prevent text editor auto-detection from overwriting user-edited filename (#677)
  • Close file viewer when viewed file is deleted (#675)
  • Unify error display with reusable components (#679)

Misc :

  • Bump Alpine base image to 3.23
  • Bump Go to 1.26.1 (fixes 5 stdlib vulnerabilities)
  • Bump minio-go to v7.0.99
  • Bump MCP go-sdk to v1.4.0
  • Bump golang.org/x/oauth2 to v0.36.0
  • Bump google.golang.org/api to v0.269.0

Binaries will be built with Go 1.26.1

Faithfully,
The Plik team

1.4.0 New feature
Notable features
  • Complete rewrite of the Webapp using Vue 3, Vite, and Tailwind CSS (replaces AngularJS/Bootstrap)
  • End‑to‑End Encryption via Age interoperable CLI/Webapp
  • New OIDC authentication provider support (generic OIDC + Keycloak)
Full changelog

Plik 1.4.0

Hi, today we're releasing Plik 1.4.0 !

Here is the changelog :

Webapp:

  • Complete rewrite using Vue 3 + Vite + Tailwind CSS (replacing AngularJS/Bootstrap)
  • End-to-End Encryption (E2EE) via Age interoperable CLI <=> Webapp
  • Text editor (w/ syntax highlighting + Markdown support) for text file uploads (@bodji)
  • Text (w/ syntax highlighting + Markdown support) and image preview in download view
  • Filter uploads by properties and sort-by-size in upload listings (home/admin views)
  • Filter users with search bar, and sort controls (admin view)
  • Help tooltips on upload settings
  • User profile pictures from OAuth providers
  • Playwright E2E and Vitest unit test suites

Server:

  • OIDC authentication provider support (generic OIDC + Keycloak) (@babs)
  • HTTP range request support for all storage backends (@duckie)
  • FeatureLocalLogin and FeatureDeleteAccount feature flags
  • bcrypt(sha256) for upload password hashing
  • Download domain restriction with PlikDomain config and CORS
  • Comprehensive security hardening (thanks @bewiwi for the audit)
  • Prometheus metrics improvements

CLI:

  • CLI device authorization flow for browser-based login (--login)
  • JSON output mode (--json)
  • Non-interactive mode (--yes)
  • Test suite rewritten from Bash to Golang
  • Bash client overhaul: URL encoding, missing features, test suite

CI/CD:

  • New Helm chart for Kubernetes deployment (@bodji)
  • Debian packages hosted in a GitHub Pages API repository (@bodji)
  • Docker tags for latest vs preview releases
  • Build/deploy PR images from pull request comments (@bodji)
  • Rewrite context code generator from Perl to Go
  • 3x faster GitHub CI builds
  • Client binaries uploaded to the release artifacts
  • New Makefile targets to check vulns
  • Upgraded all dependencies and builders

Documentation:

  • VitePress documentation web site (https://root-gg.github.io/plik/)
  • Guides (Installation, Configuration, Docker, Kubernetes, Security)
  • Features (CLI, Web UI, Authentication, Encryption, Streaming, MCP)
  • Backends (Data, Metadata)
  • References (HTTP API, Go SDK, Metrics)
  • Architecture (all ARCHITECTURE.md files)
  • Operations (Reverse Proxy, Server CLI, Metadata Import/Export, Cross Compilation)
  • Helm chart README with helm-docs annotations

AI:

  • MCP server for AI assistant integration
  • Agent-friendly codebase with AGENTS.md and ARCHITECTURE.md
  • Reusable agentic workflows (code reviews, create commits/PRs, cut releases)

Binaries will be built with Go 1.26.0

Faithfully,
The Plik team
