[29.0] - 2026-04-04
Breaking Changes
- Rename: "SMTP Relay" renamed to "SMTP Bridge" throughout the application
- Environment variables:
SMTP_RELAY_*renamed toSMTP_BRIDGE_*(old names still accepted for backward compatibility) - Database settings keys migrated automatically via V29 migration
- JSON API:
smtp_relay_*fields renamed tosmtp_bridge_*in setup endpoints - Frontend routes:
/settings/smtp-relaychanged to/settings/smtp-bridge - UI labels: "SMTP Relay" changed to "SMTP Bridge"
- Environment variables:
- Workspace: Enforce team member limits via
MAX_USERSenv var (0 = unlimited), with checks on invite, accept invitation, and direct add — API key users are excluded from the count - Security: Fixed SSRF vulnerability in
/api/detect-faviconendpoint by adding a safe HTTP client with private IP blocking, DNS rebinding protection, scheme validation, and response size limits - Security: Upgraded happy-dom to 20.8.9 in notification center and picomatch to 4.0.4 in console
- Improvement: SMTP EHLO hostname now defaults to the from-email domain instead of the SMTP host, improving compatibility with strict providers (#301)
- Security: Updated lodash/lodash-es to 4.18.x, brace-expansion to 5.0.5, and yaml to 2.8.3 to fix prototype pollution, code injection, ReDoS, and stack overflow vulnerabilities