coollabsio/coolify v4.0.0-beta.436

on GitHub

This release brings essential fixes and improvements that build on the foundation laid in v4.0.0-beta.435, focusing on security patches, Livewire modernization, API enhancements, and service template additions.

🚀 Major Features

Complete Livewire Legacy Model Binding Migration (#6862)

Modernized 25+ Livewire components from legacy binding to explicit properties, enabling future-proof architecture.

Migration Scope:

• ✅ 25+ components migrated
• ✅ 150+ explicit properties added
• ✅ 0 legacy bindings remaining
• ✅ legacy_model_binding flag disabled

Major Components:

• Application/General.php (53 fields) - Largest migration
• Security/PrivateKey/Show.php (4 fields)
• Storage/Form.php (8 fields)
• Source/Github/Change.php (16 fields)
• Project/Shared/* (ResourceLimits, HealthChecks, Storages)
• Service/* (StackForm, EditDomain, EditCompose, Database)
• All Database General components (8 database types)

Critical Fixes:

• 🐛 Collection/string confusion in EditDomain
• 🐛 Parent component sync after save
• 🐛 Empty FQDN field on load
• 🐛 Lifecycle hooks not firing
• 🐛 Duplicate HTML IDs with auto-generated unique IDs
• 🐛 Fixed Monaco editor @entangle errors

Statistics: 1,715 additions, 532 deletions, 46 files changed

Authentication Pages Redesign (#6906)

Aligned all auth pages with new onboarding design for consistent user experience.

Pages Updated:

• login, register, forgot-password, reset-password
• two-factor-challenge, confirm-password

Design Changes:

• Removed white/gray card backgrounds
• Consistent centered layout with large Coolify heading
• Color-coded alerts with icons
• Segmented auto-advancing 2FA input
• Paste-compatible 2FA code entry
• Updated email error messages for security (prevents enumeration)
• Applied border styling to match onboarding

Admin User Deletion Command (#6907)

New comprehensive command for deleting users with full resource cleanup.

Features:

• Full resource cleanup (applications, databases, services)
• Team ownership transfers and management
• Server deletion for user-owned teams
• Stripe integration (cloud instances)
• Safety features: dry-run mode, phase confirmations, state tracking
• Instance agnostic (works on self-hosted and cloud)

Replaces:

• admin:remove-user (deleted)
• cloud:delete-user (now deprecated alias)

Bug Fixes:

• Correct resource filtering by team ownership
• Fixed relationship access (using method calls)
• Proper lock management with Ctrl+C handling
• Stripe cancellation after DB commit
• Self-hosted support (skips Stripe operations)

✨ Core Features

API Enhancements (#6899)

Added three new API endpoints with comprehensive documentation.

Cancel Deployment API

• POST /api/v1/deployments/{uuid}/cancel
• Cancel queued/in_progress deployments
• Docker container cleanup with docker rm -f
• Process termination by PID
• Detailed cancellation logging

Database Backup Creation API

• POST /api/v1/databases/{uuid}/backups
• Cron expressions and predefined frequencies
• S3 storage integration with validation
• Retention policy configuration (local and S3)
• Optional immediate backup trigger
• Authorization via manageBackups gate

List GitHub Apps API

• GET /api/v1/github-apps
• Team-owned and system-wide apps
• Sensitive data filtering (client_secret, webhook_secret)
• Team isolation enforced

Test Coverage: 30+ tests across 3 comprehensive suites

Service Templates

New Templates:

• SigNoz (#5386) - Observability platform with:

  • Telemetry configuration
  • SMTP and Alert Manager setup
  • OTEL collector with healthcheck
  • Latest tags for all services
  • JWT secret auto-generation

• Cap (#6011) - Open-source Loom alternative

  • S3 storage support (local/remote)
  • Environment variable documentation
  • Co-authored by @ShadowArcanist

Template Updates:

• Ente Photos (#6883) - Added SMTP configuration
• n8n (#6835) - Updated to v1.114.4 with deprecation env vars
• Plausible (#6475) - Fixed swapped clickhouse configs
• Shlink (#6475) - Fixed double https:// issue

🔒 Critical Security Fixes

Session Management (#6893)

CRITICAL: Fixed password changes not invalidating user sessions.

• Changed isDirty() to wasChanged() in updated() hooks
• Sessions now properly invalidated on password change
• Prevents session hijacking after password reset
• Fixed in 3 locations:
  • DeletesUserSessions trait (password changes)
  • InstanceSettings (helper_version changes)
  • ServerSetting (sentinel service restart)

Test Coverage: 15 tests across 3 suites

Privilege Escalation (#6884)

Fixed critical privilege escalation vulnerability in team invitation system.

Command Injection Prevention (#6887)

Secured git ls-remote operations against command injection attacks.

TrustHosts Middleware (#6889)

Implemented middleware to handle FQDN and IP address trust logic for improved security.

🐛 Bug Fixes

Deployment & Build

• Null Environment Variables (#6886)

  • Handle null values in bash escaping functions
  • Prevents deployment failures
  • 29 tests passing

• Docker Compose Parsing (#6891, #6895)

  • Fixed array labels in preg_match
  • Added type checks before processing labels
  • Handles array label values by converting to strings
  • Unit tests added

UI/UX

• Service Textarea Focus (#6897)

  • Removed wire:model.blur causing form dirty state reset
  • Fixed jarring UI flicker on domains input
  • Changed to deferred synchronization

• Input Focus Styling (#6900)

  • Updated to border-left focus instead of ring-based
  • Consistent styling with input-sticky utility

• Hetzner Cloud Rendering (#6902)

  • Fixed onboarding back button navigation
  • Proper state restoration with $currentState

• Ports Exposes Null (#6901)

  • Added default value for Docker Compose Example
  • Fixes NOT NULL constraint violation

📝 Documentation & Infrastructure

GHCR Cleanup Workflow (#6903)

Automated cleanup of untagged container images from GitHub Container Registry.

Features:

• Deletes only untagged versions (keeps all tagged images)
• Runs every 6 hours + manual trigger
• Up to 100 versions per run
• Testing phase on coolify-testing-host image

Expected Impact:

• Current: 16,000+ untagged versions
• Reduces storage bloat
• Faster registry operations

Service Updates

• Preview Deployment Updates (#6876)

  • Added service name in update job for better tracking

• API Enabled in Dev (#6890)

  • API enabled by default in development mode
  • Production remains secure (disabled by default)

📊 Statistics

• 25 merged PRs since v4.0.0-beta.435
• ~3,000+ lines added
• ~700+ lines removed
• 80+ files changed
• 60+ new tests
• 2 new service templates
• 3 major template updates
• 4 critical security fixes

🙏 Credits

Thank you to all contributors since v435:

@andrasbacsai, @GauthierPLM, @titouv, @ariqpradipa, @xwxfox, @yipfram, @stylefieber, @ShadowArcanist, @thereis

And thanks to everyone who reported issues and helped test!

Generated by Andras & Jean-Claude, hand-in-hand.

What's Changed

• fix: prevent command injection in git ls-remote operations by @andrasbacsai in #6887
• fix: handle null environment variable values in bash escaping by @andrasbacsai in #6886
• fix: critical privilege escalation in team invitation system by @andrasbacsai in #6884
• Enable API by default in development mode by @andrasbacsai in #6890
• feat: implement TrustHosts middleware to handle FQDN and IP address trust logic by @andrasbacsai in #6889
• Fix preg_match error with array labels by @andrasbacsai in #6895
• Fix: Domains input dirty state reset on blur by @andrasbacsai in #6897
• fix: docker compose parsing by @andrasbacsai in #6891
• fix: use wasChanged() instead of isDirty() in updated hooks by @andrasbacsai in #6893
• feat: include service name in preview deployment updates by @thereis in #6876
• Update input focus styling to border-left by @andrasbacsai in #6900
• Seed Docker Compose Example with ports_exposes by @andrasbacsai in #6901
• Add Cancel Deployment API endpoint by @andrasbacsai in #6899
• Fix Hetzner Cloud rendering in onboarding by @andrasbacsai in #6902
• Add GHCR untagged image cleanup workflow by @andrasbacsai in #6903
• Update auth pages to match onboarding design by @andrasbacsai in #6906
• Update Coolify text size on auth pages by @andrasbacsai in #6908
• Admin command for deleting users by @andrasbacsai in #6907
• Complete Livewire legacy model binding migration (25+ components) by @andrasbacsai in #6862
• feat(service): add signoz template by @GauthierPLM in #5386
• Update plausible.yaml and shlink.yaml - clickhouse config contents were swapped; fixing double https:// issue in shlink web app by @stylefieber in #6475
• feat(service): add cap service by @titouv in #6011
• Update n8n template by @yipfram in #6835
• Add proxyscotch service compose file by @xwxfox in #6853
• feat(templates): add SMTP configuration to ente-photos compose templates by @ariqpradipa in #6883
• v4.0.0-beta.436 by @andrasbacsai in #6898

New Contributors

• @stylefieber made their first contribution in #6475
• @titouv made their first contribution in #6011
• @xwxfox made their first contribution in #6853
• @ariqpradipa made their first contribution in #6883

Full Changelog: v4.0.0-beta.435...v4.0.0-beta.436