github axpdev-lab/aeroftp v3.1.8
AeroFTP v3.1.8

[3.1.8] - 2026-03-29

Desktop Security Hardening

Security

  • Sigstore updater verification: In-app updates now verify .sigstore.json bundles against GitHub OIDC workflow identity before installing. Artifacts that fail verification are deleted automatically
  • Linux update helper hardening: The privileged helper now receives SHA-256 from the backend and re-verifies integrity before executing dpkg/rpm, closing the TOCTOU gap
  • AI backend approval system: All mutative AI tools require a cryptographic grant issued by the Rust backend and confirmed via native OS dialog. Grants are single-use (or session-scoped for non-destructive tools), expire after 2 min / 8 hours, and are bound to tool + session
  • Plugin tools under approval: Plugin tools called by the AI now go through the same backend grant flow as built-in tools
  • Vault keyring default: The vault passphrase is now stored in the OS credential manager (GNOME Keyring, macOS Keychain, Windows Credential Manager) instead of cleartext on disk. Legacy vaults are migrated automatically on first launch
  • Keyring fallback: When the system keyring is unavailable on first launch, AeroFTP bootstraps into master password mode instead of failing
  • Plugin registry disabled: Remote plugin fetch and install are disabled until the registry supports cryptographic authentication. Local plugins continue to work
  • server_exec in NEVER_AUTO_APPROVE: Credential-backed server execution tool now always requires explicit approval, even in Extreme mode
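
The Linux update helper item above describes re-verifying a backend-supplied SHA-256 before dpkg/rpm runs. The sketch below is an added example, not AeroFTP's helper code: the function name stage_verified, its return codes and the staging layout are assumptions, chosen to show one way to make the hashed bytes and the installed bytes the same file.

```shell
#!/bin/sh
# Added example (hypothetical helper logic, not taken from AeroFTP).
#
# stage_verified PKG EXPECTED_SHA256
#   Copies PKG into a fresh private directory, hashes the copy, and prints
#   the staged path only when the digest matches. The caller installs the
#   staged copy, never the original path, so a later swap of PKG by an
#   unprivileged process cannot change what gets installed.
#   Return codes (assumed): 0 ok, 1 digest mismatch, 2 bad input, 3 I/O error.
stage_verified() {
    pkg=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # The expected digest must be exactly 64 hex characters.
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$pkg" ] || return 2

    # mktemp -d creates a mode-0700 directory owned by the helper's user,
    # so the staged file is out of reach of the user who supplied PKG.
    stage=$(mktemp -d) || return 3
    staged=$stage/package
    cp -- "$pkg" "$staged" || { rm -rf -- "$stage"; return 3; }

    # Hash the private copy, not the caller-controlled path.
    actual=$(sha256sum -- "$staged" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        rm -rf -- "$stage"   # discard artifacts that fail verification
        return 1
    fi
    printf '%s\n' "$staged"
}

# Intended use inside a privileged helper (not executed here):
#   staged=$(stage_verified "$1" "$2") && dpkg -i "$staged"
```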

Changed

  • SECURITY.md restructured: Concise policy document with deep links to docs.aeroftp.app/security for full technical details
  • Security documentation: 6 new pages on docs.aeroftp.app covering overview, AI security, supply chain, privacy, audits, and vulnerability disclosure

Fixed

  • keyring crate mock backend: Fixed missing platform features in Cargo.toml that caused the keyring crate to compile with an in-memory mock backend on all platforms, which would have caused irrecoverable vault passphrase loss on app restart
  • Nextcloud trash button: Restricted to Nextcloud/FeliCloud WebDAV providers only
  • LargeIconsGrid performance: Virtualized with react-virtuoso for large directories
  • DOMPurify CVE: Overridden to 3.3.3 (CVE mutation-XSS via monaco-editor)
  • Clippy lint fixes: Resolved Cow<str>.as_ref() ambiguity in sync.rs and aeroftp_cli.rs triggered by sigstore dependency

Downloads:

  • Windows: .msi installer, .exe, or .zip portable (no installation required)
  • macOS: .dmg disk image
  • Linux: .deb, .rpm, .snap, or .AppImage
