coollabsio/coolify v4.0.0-beta.471

on GitHub

What's Changed

Security & Fixes

• Harden model mass assignment protection across all models (#9282)
• Scope server and project queries to current team (#9230)
• Harden GetLogs component with locked properties and input validation (#9229)
• Add validation and escaping for Docker network names (#9228)
• Add URL validation for notification webhook fields (#9224)
• Use server-side config for password reset URL generation (#9193)
• Add input validation for install/build/start command fields (#9227)
• Add input validation for resource limit fields (#9238)
• Add IP validation for custom DNS servers input (#9239)
• Add URL validation for proxy redirect input (#9241)
• Add input validation for server advanced settings page (#9242)
• Add input validation for sentinel configuration (#9243)
• Add input validation for database backup timeout (#9245)
• Add input validation for emails configuration (#9259)
• Add input validation for database public port and proxy timeout
• Add validation to block unsafe webhook URLs
• Use random_int() for email change verification codes (#9226)
• Move admin route into middleware group (#9225)
• Enforce team-scoped project/env lookups in onboarding
• Add input validation for port exposes and port mappings fields

New Services & Templates

• Added ElectricSQL template (#8190)

Fixes

• Fix intermittent pre-deployment command failures (#9165, fixes #9076)
• Fix Grafana GF_SERVER_DOMAIN using FQDN instead of URL (#9080, fixes #5307)
• Fix listmonk db config env typo (#9250)
• Fix Langfuse by pinning ClickHouse version to avoid init errors
• Fix cloning persistent volumes with missing uuid (#9290, fixes #9270)
• Fix redirect value not persisting in setRedirect (#9279)
• Fix cloud subscription notification links (#9296)
• Fix slash branches in public repo URLs
• Fix shared env vars resolving on wrong server
• Fix database SSL/status state and clone writes
• Fix auto-generate missing CA cert on SSL regeneration
• Fix backup notification failures affecting backup status (fixes #9088)
• Fix backup retention enforcement and stale execution cleanup
• Fix password visibility toggle using Alpine state
• Fix GitHub branch state when refreshing repositories

Improvements

• Shared server environment variables (#7764)
• Refresh repos on private GitHub app (#8621)
• Support Docker image tags for preview deployments
• Add preserve repository option to deployment API (#8371)
• Implement exponential backoff for unreachable servers (#9184)
• Improve scheduled task single view UX (#9266)
• Add two-step confirmation to enable self-registration (#9277)
• Add public port timeout configuration for databases
• Make textarea monospace opt-in and improve multiline toggle

What's Changed (Github)

• fix(backup): prevent notification failures from affecting backup status by @andrasbacsai in #9162
• fix(preview-env): ensure auto-created preview env vars inherit runtime/buildtime flags by @andrasbacsai in #9164
• fix(api): validate server ownership in domains endpoint and scope activity lookups by @andrasbacsai in #9166
• fix(backup): validate MongoDB collection names in backup input by @andrasbacsai in #9168
• fix(terminal): apply authorization middleware to terminal bootstrap routes by @andrasbacsai in #9169
• fix(livewire): add Locked attributes and consolidate container name validation by @andrasbacsai in #9171
• fix(livewire): add input validation to unmanaged container operations by @andrasbacsai in #9172
• feat(deployment): add command_hidden flag to hide command text in logs by @andrasbacsai in #9167
• fix(deployment): normalize whitespace in pre/post deployment commands by @andrasbacsai in #9173
• fix(storage): consistent path validation and escaping for file volumes by @andrasbacsai in #9176
• fix(backup): use escapeshellarg for credentials in backup commands by @andrasbacsai in #9175
• fix(storage): use escapeshellarg for volume names in shell commands by @andrasbacsai in #9185
• refactor: simplify remote process chain and harden ActivityMonitor by @andrasbacsai in #9189
• Add URL validation for GitHub source fields by @andrasbacsai in #9190
• refactor: split invitation endpoint into GET/POST flow by @andrasbacsai in #9192
• fix: sanitize error output in server validation logs by @andrasbacsai in #9197
• fix: use server-side config for password reset URL generation by @andrasbacsai in #9193
• refactor: move admin route into middleware group by @andrasbacsai in #9225
• Add URL validation for notification webhook fields by @andrasbacsai in #9224
• refactor: use random_int() for email change verification codes by @andrasbacsai in #9226
• fix: add input validation for install/build/start command fields by @andrasbacsai in #9227
• refactor: scope server and project queries to current team by @andrasbacsai in #9230
• fix: add validation and escaping for Docker network names by @andrasbacsai in #9228
• fix(application): persist redirect value in setRedirect by @andrasbacsai in #9279
• fix: harden GetLogs Livewire component properties by @andrasbacsai in #9229
• feat(api): Add support for Preserve Repository During Deployment in API by @ahmadw13 in #8371
• fix(clone): exclude uuid when replicating persistent volumes by @andrasbacsai in #9290
• fix(notification): updated cloud subscription links to valid url by @ShadowArcanist in #9296
• feat(ui): add two step confirmation to enable self registration by @ShadowArcanist in #9277
• fix(service): listmonk db config env typo by @mxswd in #9250
• fix(service): pin clickhouse version on Langfuse service to avoid error during clickhouse init by @GauthierPLM in #9236
• fix(service): use FQDN instead of URL for Grafana GF_SERVER_DOMAIN by @xidik12 in #9080
• feat(service): Add ElectricSQL by @matfire in #8190
• refactor: define explicit fillable attributes on all Eloquent models by @andrasbacsai in #9282
• fix(validation): add input validation for database public port and proxy timeout by @ShadowArcanist in #9272
• feat(ui): improve schedule task single view for better UX by @ShadowArcanist in #9266
• fix(validation): add input validation for emails configuration by @ShadowArcanist in #9259
• fix(validation): add input validation for database backup timeout by @ShadowArcanist in #9245
• fix(validation): add input validation for sentinel configuration by @ShadowArcanist in #9243
• fix(validation): add input validation for server advanced settings page by @ShadowArcanist in #9242
• fix(validation): add URL validation for proxy redirect input by @ShadowArcanist in #9241
• fix(validation): add input validation for port exposes and port mappings fields by @ShadowArcanist in #9240
• fix(validation): add IP validation for custom DNS servers input by @ShadowArcanist in #9239
• fix(validation): add input validation for resource limit fields by @ShadowArcanist in #9238
• feat: refresh repos on private github app by @adiologydev in #8621
• feat: Shared server environment variables by @ShadowArcanist in #7764
• chore(deps): bump aws/aws-sdk-php from 3.371.3 to 3.374.2 by @dependabot[bot] in #9222
• chore(deps): bump picomatch by @dependabot[bot] in #9178
• build(deps): bump league/commonmark from 2.8.1 to 2.8.2 by @dependabot[bot] in #9047
• build(deps): bump phpseclib/phpseclib from 3.0.49 to 3.0.50 by @dependabot[bot] in #9044
• feat(jobs): implement exponential backoff for unreachable servers by @andrasbacsai in #9184
• fix(deployment): resolve intermittent pre-deployment command failures by @andrasbacsai in #9165
• v4.0.0-beta.471 by @andrasbacsai in #9206

New Contributors

• @mxswd made their first contribution in #9250
• @xidik12 made their first contribution in #9080
• @matfire made their first contribution in #8190

Full Changelog: v4.0.0-beta.470...v4.0.0-beta.471