github knadh/listmonk v6.1.0

8 hours ago

v6.1.0 has important security fixes in addition to several improvements and general bug fixes.

As always, take a backup of your Postgres database before upgrading.

Security

This version has fixes for multiple campaign/list permission validation issues in multi-user environments.

What's new

  • New global Privacy setting to disable view and click tracking.
  • Ability to proxy S3 media files through listmonk instead of linking to S3 directly.
  • Lettermint bounce webhook provider.
  • New global data refresh button on admin nav that works across all pages.
  • A new 'Duplicate' button to visual e-mail builder block UI options.
  • PATCH /api/subscribers/:id endpoint for partial subscriber updates.
  • New granular campaigns:send permission, separate from campaigns:manage for finer access control.
  • New altbody param to /api/tx for sending multipart plaintext bodies in transactional mails.

How to upgrade

As always, take a backup of your database before upgrading.

Binary

Download the latest binary. Stop and replace the old binary. Run ./listmonk --upgrade. Start the app again.

Docker

# cd /directory/with/docker-compose.yml

docker-compose down
docker-compose pull && docker-compose run --rm app ./listmonk --upgrade
docker-compose up -d app db

Changelog

  • 1b5e8d3 Bump picomatch from 2.3.1 to 2.3.2 in /frontend/email-builder (#2973)
  • 86c94c8 Fix users without certain list permissions being able to see list names on subs.
  • 50564c6 Remove unpredictable/useless 'back' button from public forms. Closes #1834.
  • e9c1da1 Add new campaigns:send permission and separate it from campaigns:manage.
  • 00bae68 Update go-pop3 with BOM fix. Closes #2959.
  • 24817d5 Add PATCH /api/subscribers/:id to partially modify subscribers. Closes #1681.
  • 1d57248 Add a 'Duplicate' button to visual e-mail builder block UI options. Closes #2852.
  • deeb3fb Fix minor UI issues on analytics page. Closes #2446.
  • 4e5e713 Exclude non-http hrefs on the UI when adding @TrackLink. Closes #2859.
  • 010655f Don't make 'tracklink' checkbox on the UI on by default and remember last preference. Closes #2858. Closes #2862.
  • 678d4ed Cleanup and optimize images on the static homepage.
  • 501f305 Exclude roles API queries from Settings UI for users who don't have that perm. Closes #2965.
  • 1525852 feat: add Lettermint as bounce webhook provider (#2935)
  • cfd865b Bump yaml from 1.10.2 to 1.10.3 in /frontend/email-builder (#2968)
  • 8702932 Bump picomatch from 2.3.1 to 2.3.2 in /frontend (#2969)
  • 0ee89f9 Fix deleted lists breaking campaign query. Closes #2908.
  • e908cc3 Refactor and improve Cypress test scaffolding.
  • 678c36d Fix incorrect permission check in CSV import blocklisting.
  • db82035 Wipe user sessions from DB on password reset/change.
  • 347f597 Fix several missing permission checks across multiple handlers.
  • 171a597 Bump flatted from 3.3.1 to 3.4.2 in /frontend/email-builder (#2960)
  • d3e8c4c Bump flatted from 3.3.2 to 3.4.2 in /frontend (#2962)
  • c60ea79 Fix % encoded URLs breaking with TrackLink. Closes #2947.
  • e35bf87 Fix incorrect timestamps in dashboard analytics materialized views. (#2952)
  • 5f4f360 Fix attachments incorrectly accruing for every recipient in test mails. Closes #2949.
  • 1e3d311 Add expiry+TTL to Altcha CAPTCHA tokens. Closes #2684.
  • 915ee04 Skip windows/arm-32 bit builds in goreleaser (which was breaking) that was removed in go 1.26
  • be7b60a Add new 'altbody' param to /api/tx to send multipart plaintext bodies in transactional mails. Closes #2486
  • 1d33d95 Bump Hodor to 0.3.4 (adds python3, shellcheck, file, diffstat) (#2943)
  • bf24c3f build: bump Go version to 1.26.1 to fix stdlib CVEs (#2941)
  • 00180b6 Hodor: require hodor-review label to run, re-run on subsequent pushes (#2940)
  • 3adacba Fix Hodor: use docker run directly (0.3.2 entrypoint changed) (#2939)
  • ece5a63 Fix pipe batch hanging and corrupting campaign runtime state if NextSubscribers() throws an error.
  • 97b72e9 Fix pre-existing non-permitted lists on a subscriber being wiped incorrectly on update. Closes #2902.
  • ee7bccc Throw an error if there isn't a single permitted list in subscriber create/update. Closes #2905.
  • b628510 Fix potential hanging campaign pipes if the pipe queue ever becomes full.
  • 16d5e54 Fix incorrect subscriber checkpoint in campaign stats update.
  • 0f32991 Apply improvements to Danish i18n (#2928)
  • 0808015 feat: add Lettermint SMTP preset (#2932)
  • 458bca1 Bump immutable from 5.0.3 to 5.1.5 in /frontend (#2936)
  • 19b53d8 Add Hodor AI code review workflow (#2937)
  • c8b1f6f Standardize spelling of "opt-in" in docs. (#2931)
  • 8b63364 Update security-reports.md (#2929)
  • 62778d7 Bump rollup from 4.30.1 to 4.59.0 in /frontend (#2926)
  • 7396276 Bump rollup from 4.24.4 to 4.59.0 in /frontend/email-builder (#2925)
  • 2e9f0e0 Updated Danish translation (#2927)
  • fdd7dbb Incorporate SOURCE_DATE_EPOCH in build. Closes #2802.
  • 7fd5ed0 Add Hodor AI code review workflow (#2923)
  • 756c5aa Fix nightly docker push workflow.
  • c6bf543 Add a link to security reporting docs to SECURITY.md
  • d0fb8d6 Add a global data refresh button on top nav that works on all pages (#2861)
  • c381e4c Add global setting to disable view and click tracking (#2920)
  • 07078eb Bump systeminformation from 5.28.5 to 5.31.1 in /frontend (#2910)
  • 97de0b1 Add docker-compose.override.yml to .gitignore (#2917)
  • 7b64b8b Add a page on security reporting listing down recurring non-issue reports.
  • 6d5787b Skip non-available email- messenger during campaign creation and default to 'email'. Closes #2901.
  • c417df6 Fix untranslated 'Delete' string on lists page. Closes #2904.
  • 68c8614 Change docker manifest to docker buildx imagetools in nightly job to fix manifest error.
  • 5436d08 Add --amend to nightly Docker build (after it stopped working randomly).
  • cc14bcb Bump qs from 6.14.1 to 6.14.2 in /frontend (#2906)
  • 8cf9a7f Bump axios from 1.12.0 to 1.13.5 in /frontend (#2899)
  • 5a8ecfb Add support for proxying S3 media files through a custom path (#2863)
  • 0d9e66a Increase campaign/template preview modal height. Closes #2857.
  • f5bec86 Display campaign name + subject in subscriber activity tab on the UI. Closes #2874.
  • e7b09fd Fix incorrect skipping of +1 count in sliding window check. Closes #2894.
  • 8d1b9fd Add substring matching to list search like campaign search. Closes #2896.
  • dce582a Fix bounce POP scanner incorrectly returning errors while scanning. Closes #2884.
  • c5631eb Update de language (#2895)
  • 2adee6a fix: Update dev Dockerfile to use Go 1.24.1 to match go.mod (#2879)
  • 3c73267 Bump lodash from 4.17.21 to 4.17.23 in /frontend (#2881)
  • 881bcd6 Add automated nightly releases.
  • 577036a Increase GitHub issue auto-close interval to 5 months.
  • fff3c7f update listmonk TypeScript SDK scope from @solytude to @maloma (#2875)
  • 6006048 fix: convert forwardemail webhook truthsource property to string (#2869)
  • 29c406f Add left/right float options to TinyMCE image popup. Closes #2865.
  • cd1bb1b Docs update to OIDC - adds Google Workspace / Google Cloud (#2866)
  • 267263a Update release details on the static homepage.
  • 504a142 Upgrade smtppool lib to handle 421 rate limit errors.
  • 480fe5f Improve i18n Taiwan Chinese translation quality (#2856)
  • 2d99952 Add warning icon to subscribers:sql_query permission and link to docs on the Roles UI.
  • 83bdad3 Add detailed docs on the risks of the subscribers:sql_query permission and Postgres privileges.
  • 4e50088 docs: add @solytude/listmonk TypeScript SDK to community SDKs (#2849)
