Update updates-patch-minor

[truenasbot]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
cloudflare/cloudflared	patch	2026.6.0 → 2026.6.1
databasus/databasus	minor	v3.44.0 → v3.45.0
fnsys/dockhand	patch	v1.0.34 → v1.0.35
ghcr.io/amruthpillai/reactive-resume	patch	v5.1.8 → v5.1.9
ghcr.io/cleanuparr/cleanuparr	patch	2.9.13 → 2.9.14
ghcr.io/esphome/esphome (source)	patch	2026.6.0 → 2026.6.1
ghcr.io/getarcaneapp/manager	minor	v2.0.3 → v2.1.0
ghcr.io/gtsteffaniak/filebrowser	minor	1.3.3-stable → 1.4.0-stable
ghcr.io/home-operations/jackett (source)	patch	0.24.2079 → 0.24.2080
ghcr.io/juanfont/headscale	patch	v0.29.0 → v0.29.1
ghcr.io/n8n-io/n8n (source)	patch	2.27.2 → 2.27.3
ghcr.io/n8n-io/runners (source)	patch	2.27.2 → 2.27.3
ghcr.io/neptunehub/audiomuse-ai	minor	2.2.0-nvidia → 2.3.0-nvidia
ghcr.io/neptunehub/audiomuse-ai	minor	2.2.0-noavx2 → 2.3.0-noavx2
ghcr.io/neptunehub/audiomuse-ai	minor	2.2.0 → 2.3.0
ghcr.io/netbirdio/netbird	minor	0.72.4-rootless → v0.73.0-rootless
ghcr.io/netbirdio/netbird	minor	0.72.4 → v0.73.0
ghcr.io/shlinkio/shlink	patch	5.1.3 → 5.1.4
ghcr.io/slskd/slskd (source)	minor	0.24.5 → 0.25.1
ghcr.io/stalwartlabs/stalwart	minor	v0.15.5 → v0.16.9
ghcr.io/stirling-tools/stirling-pdf	minor	2.12.0 → 2.13.0
ghcr.io/ulsklyc/oikos	patch	0.74.4 → 0.74.6
ghcr.io/ulsklyc/yuvomi	patch	0.74.4 → 0.74.6
ghcr.io/windmill-labs/windmill	minor	1.729.0 → 1.732.0
ixsystems/cron	patch	1.0.6 → 1.0.7
jgraph/drawio (source)	minor	30.0.4 → 30.2.4
netbirdio/netbird-server	minor	0.72.4 → 0.73.0
searxng/searxng (source)	patch	2026.6.18-bd73cc09e → 2026.6.19-fe1848673

---

Release Notes

cloudflare/cloudflared (cloudflare/cloudflared)

v2026.6.1

Compare Source

SHA256 Checksums:

cloudflared-amd64.pkg: 1c939cee0a953b30c91854fba114dc3a46f79570110fc5168703cd62afb65d82
cloudflared-arm64.pkg: acfcd577408f504254b4a207fbe6883d4c45fc1f9ae3b883bb3a493f412a1f8d
cloudflared-darwin-amd64.tgz: 3f74d697045ecf56dd2fbeb42f59767ecdf4067c409d55f080563923e8a1bb32
cloudflared-darwin-arm64.tgz: ae6ee90188ae5833c687ce937c3693e28403677607c06c65a2ff2b6a022f50e4
cloudflared-fips-linux-amd64: a22276b23500f75763604fd9bff7ece607f705ad62469344606bd662dbd3793d
cloudflared-fips-linux-amd64.deb: 4d8eb632229cec4df97d9cb03c23517f4bdada7189be3fd76a604233526b9b86
cloudflared-fips-linux-x86_64.rpm: dedcba9c1fed53fded13114c0ed968fbfa93eccc8d14b1ed147e5fdbebdee21e
cloudflared-linux-386: a9ded87fef4bbe2da6d44c8159f6e97df5811c24e4cf082d5426cefc1eb9a5aa
cloudflared-linux-386.deb: 7ef10a9544a5cba8025ac0f8ddf3c368e9c98f0160354017f62b4ad21237449c
cloudflared-linux-386.rpm: 27d5c887bee8071bf70c33955427adf40c6aed16074950f36988a269a392c1fe
cloudflared-linux-aarch64.rpm: 3291e4f9a7b65f97f318b0ac5d542148a3eb2a0b59a98a74d88e7777ef75f3ff
cloudflared-linux-amd64: 5861a10a438fe8ddcfebb3b830f83966cbf193edafce0fe2eeb198fbae1f7a22
cloudflared-linux-amd64.deb: ccd02ec216c62bfa573395d8f72cb2e91e95cbdf8726a8acc06b3e2d9aa31526
cloudflared-linux-arm: c07674eb6e13172d031e3ddc55c8817ed2a36ce00b0d42693e178c4317f9c1b8
cloudflared-linux-arm.deb: b10df091a66704198932a1563e2403cd71edf2bb0278d517bf5a8263b0732912
cloudflared-linux-arm.rpm: 934a2c6819056047dcd7475ffc3e8fcd64917f2977c418d39bc00532a7be61e6
cloudflared-linux-arm64: 59816ce9b16db71f5bc2a86d59b3632a96c8c3ee934bde2bc8641ee83a6070eb
cloudflared-linux-arm64.deb: bd03edd14de32ff38230ec9356e7fad0f32455558b2052d693bf51b7814f3ad4
cloudflared-linux-armhf: c742494eb1f90f6d43bbb07ef660e565e0baae15e49e4041626ac4d413d39072
cloudflared-linux-armhf.deb: a5242ccd0ee70d247eb70a161f6dd6fe5ddff0c6a5e4ea537202b7e9432755c8
cloudflared-linux-armhf.rpm: ff25adfd0aedb32ad5aa5a2efc343caf21b5137d6a5a8761d5f379df4238f853
cloudflared-linux-x86_64.rpm: 9690d870856b4396c8071ee7082acfc340b701013bc498635522e50889e49aa4
cloudflared-windows-386.exe: 52f63fb7055e5797e79585b0e1dbfb397046b1ed5edee29901d433dc16b94042
cloudflared-windows-386.msi: 4d3ff388a19c85bfe6de2f04b037963f7aee9dca6223ebb37b885d4d50762ecd
cloudflared-windows-amd64.exe: 5253e66f1f493c4e13539749f1aa86fd0c61e3072900fec29a44ba046a6d97e2
cloudflared-windows-amd64.msi: f20f932b6c0ddab4db18f7fa596d0a76cbd77bf3fa4572ade0b99d42c85f8a84

databasus/databasus (databasus/databasus)

v3.45.0

Compare Source

Changelog

[3.45.0] - 2026-06-18

✨ Features

• helm: Add ServiceAccount and extraVolumes support for Pod Security Standards (issue #​614) (899a4a4)

🐛 Bug Fixes

• verification: Decode renamed postgresqlLogical field in agent assignment (14845f8)
• verification: Align agent DTO field with backend postgresqlLogical key (ba2bc06)
• security: Harden runtime Docker image (issue #​613) (cbfbe76)

🐳 Docker

• Image: databasus/databasus:v3.45.0
• Platforms: linux/amd64, linux/arm64

amruthpillai/reactive-resume (ghcr.io/amruthpillai/reactive-resume)

v5.1.9

Compare Source

Highlights

• Better multilingual PDF rendering. PDF generation now uses script-aware Noto fallback stacks for Korean, Japanese, Traditional and Simplified Chinese, Arabic, Hebrew, and Thai, so non-Latin resumes render more reliably in the live preview and exported PDFs. #​3158
• Hide Link Underline setting. Resume page settings now include a dedicated Hide Link Underline option that is saved with the resume and respected by PDF templates. 5fb4976ec, #​3134
• Sponsor placements. The landing page and docs now include optional sponsor placements for Atlas Cloud, controlled by a new feature flag so deployments can opt in when appropriate. f14d8ce69

Resume Builder & Rendering

• Added the Hide Link Underline page option to the builder, resume schema, default resume data, import path, and shared PDF link rendering. 5fb4976ec, 90a9bb9cf, #​3134
• Fixed mixed CJK and Latin word wrapping so CJK text can still break per character without splitting Latin words letter by letter. #​3136
• Added locale and content-aware PDF fallback fonts for Korean, Japanese, Chinese, Arabic, Hebrew, and Thai, while keeping CJK-specific line breaking limited to CJK scripts. #​3158
• Fixed redacted resume access checks so placeholder resume data uses a non-empty name. #​3138

AI, MCP & Self-Hosting

• Fixed AI resume analysis when model responses wrap JSON in Markdown code fences. #​3142
• Added FLAG_DISABLE_API_RATE_LIMIT for trusted self-hosted deployments that need to disable authentication API rate limiting, and documented it in the Docker self-hosting guide. #​3149
• Added FLAG_SHOW_SPONSORS, sponsor assets, landing-page placement, docs navigation, and README sponsor information for Atlas Cloud. f14d8ce69
• Fixed the MCP PDF download test mock to match the current tool behavior. #​3144

Localization & Maintenance

• Synced translation catalogs from Crowdin across the app. #​3132, #​3135, #​3148, #​3162
• Updated workspace dependencies and refreshed linting/tooling configuration. 042d076ef, 37faf592b, ef5ff30b

Full Changelog: v5.1.8...v5.1.9

esphome/esphome (ghcr.io/esphome/esphome)

v2026.6.1

Compare Source

• [core] Honor transferred address cache in has_resolvable_address esphome#17025 by @​bdraco
• [build] Skip target-platform deps when populating host unit-test config esphome#17039 by @​swoboda1337
• [uptime] Revert timestamp sensor device_class to timestamp esphome#17037 by @​swoboda1337
• [esp32] Support esphome idedata with the native ESP-IDF toolchain esphome#17040 by @​swoboda1337
• [esp32] Don't overwrite PlatformIO's factory.bin esphome#17042 by @​swoboda1337
• [logger] Hold recursion guard while draining the task log buffer esphome#17044 by @​bdraco
• Bump bundled esphome-device-builder to 1.0.10 esphome#17051 by @​esphome[bot]

getarcaneapp/arcane (ghcr.io/getarcaneapp/manager)

v2.1.0

Compare Source

New features

• add project file tree management (#​2893 by @​NeurekaSoftware)
• upgrade all environments button (#​2941 by @​kmendell)
• add support for riscv64 (#​2949 by @​kmendell)

CLI - New features

• add registries create command (#​2874 by @​manawenuz)

Bug fixes

• fix tables rows not flex redering to use the full table width (#​2928 by @​kmendell)
• add missing healthcheck cli command (#​2929 by @​kmendell)
• allow setting the data directroy for non docker installs (#​2931 by @​kmendell)
• fix dind path mappings for projects and swarm (#​2939 by @​kmendell)
• projects disapearing after fs sync (#​2940 by @​kmendell)
• compose edits lost when view is resized (#​2946 by @​kmendell)
• activity status only showing on first browser tab (#​2951 by @​kmendell)
• properly contstrain rbac endpoints (#​2950 by @​kmendell)
• send notifications on a context detached from the completed activity (#​2980 by @​kmendell)

CLI - Bug fixes

• fix completion command from being duplicated(df721a1 by @​kmendell)

Dependencies

• bump @​codemirror/merge from 6.12.1 to 6.12.2 (#​2975 by @​dependabot[bot])
• bump github.com/getarcaneapp/arcane/types/v2 from 2.0.1 to 2.0.3 in /cli (#​2952 by @​dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/config from 1.32.24 to 1.32.25 in /backend (#​2963 by @​dependabot[bot])
• bump prettier from 3.8.3 to 3.8.4 (#​2971 by @​dependabot[bot])
• bump golang.org/x/net from 0.55.0 to 0.56.0 in /backend (#​2959 by @​dependabot[bot])
• bump prettier-plugin-svelte from 4.1.0 to 4.1.1 (#​2969 by @​dependabot[bot])
• bump react-email from 6.5.0 to 6.6.0 (#​2960 by @​dependabot[bot])
• bump charm.land/lipgloss/v2 from 2.0.3 to 2.0.4 in /cli (#​2954 by @​dependabot[bot])
• bump github.com/nicholas-fedor/shoutrrr from 0.16.0 to 0.16.1 in /backend (#​2965 by @​dependabot[bot])
• bump github.com/labstack/echo/v4 from 4.15.2 to 4.15.4 in /backend (#​2966 by @​dependabot[bot])
• bump @​sveltejs/kit from 3.0.0-next.2 to 3.0.0-next.4 (#​2967 by @​dependabot[bot])
• bump @​tanstack/virtual-core from 3.17.0 to 3.17.1 (#​2972 by @​dependabot[bot])
• bump tanstack/table to beta 12(37ac71f by @​kmendell)
• bump react-email from 6.6.0 to 6.6.3 (#​2983 by @​dependabot[bot])
• bump actions/checkout from 6 to 6.0.3 (#​2981 by @​dependabot[bot])
• bump pnpm to v11.8.0(fdb7ec3 by @​kmendell)

Other

• upload apk artfacts to alpine nexus repo(c31d9b9 by @​kmendell)
• consolidate duplicated logic in project and notification services (#​2934 by @​kmendell)
• redesign update all environments view (#​2943 by @​kmendell)

Full Changelog: getarcaneapp/arcane@v2.0.3...v2.1.0

Jackett/Jackett (ghcr.io/home-operations/jackett)

v0.24.2080

Compare Source

Changes:

• ea383a6 magnetcat: bump domains

This list of changes was auto generated.

shlinkio/shlink (ghcr.io/shlinkio/shlink)

v5.1.4

Compare Source

Added

• Nothing

Changed

• Nothing

Deprecated

• Nothing

Removed

• Nothing

Fixed

• #​2625 Fix MySQL connections failing with [3159] Connections using insecure transport are prohibited when DB_USE_ENCRYPTION=true against a server requiring TLS.

slskd/slskd (ghcr.io/slskd/slskd)

v0.25.1

Compare Source

What's Changed

• Add case for legacy docker behavior (running as root) by @​jpdillingham in #​1708
• Fix bug preventing configuration changes from being applied by @​jpdillingham in #​1711

Full Changelog: slskd/slskd@0.25.0...0.25.1

v0.25.0

Compare Source

🎉 Big Release!

This release contains a number of mostly unrelated changes.

Licensing

I have added 'Additional Terms' to the AGPLv3 that clarify the conditions under which folks can distribute and modify slskd, which Section 7 of the AGPLv3 allows. These terms include preservation of notices and licenses (already required by the AGPLv3, the terms spell the requirements out explicitly), mandatory identification of modifications (again, already required), mandatory rebranding (renaming forks to something that won't be confused with slskd), and the mandatory modification of the client version supplied to the server at login.

The full text of these Additional Terms can be found at the bottom of the LICENSE in the root of the repository. I've also added a NOTICE in the hopes that folks will be drawn to it and see that the LICENSE includes Additional Terms, and I've added a FORKING.md that explains the new terms in plain English.

To explain why I've done this, I'll share an excerpt from FORKING.md:

The requirements exist for two reasons, and both are about the people who use the software.

The first is to make sure users always know they are using software licensed under the AGPL. That matters because the AGPL gives users meaningful rights: the right to know that the source code exists, the right to access it, and the right to understand what they are running. Those rights only mean something if users are actually informed of them. Requiring that the full LICENSE be included with every distribution, and that license notices be preserved everywhere they appear, ensures that no user ever ends up with a copy of this software that hides or obscures the terms under which it was released.

The second is to make sure users understand who made the software they are using. They should be able to tell where it came from, who maintains it, what has been changed and by whom, and whether it is the original project or a fork. A user who installs a fork deserves to know it is a fork. The requirements around naming, branding, source file headers, and identification notices all serve this goal. They are not intended to discourage forking, they are intended to make sure that anyone who uses a fork has an accurate picture of what they have.

With AI becoming mainstream it is now incredibly easy to fork a project and manipulate it in ways that are harmful to users and/or the server(s) the software connects to. This behavior, unfortunately, is permissible under the AGPLv3. All I can do is ensure that users aren't deceived into using these untrusted and potentially harmful forks.

Docker User/Permissions

The slskd Docker container now supports both Docker's built in --user/user: and the Linuxserver/*arr style PUID/PGID methods for running the container as a specific user. The built-in method is objectively superior, but I noticed that people frequently got hung up on permissions because they were using PUID/PGID without understanding that it wasn't supported.

These methods are mutually exclusive; users must choose one or the other. Users should also be aware that when using the PUID/PGID method, the container will chown the mounted /app directory on startup. This may be unexpected, but it is the intended behavior. The chown isn't recursive; users will need to do that themselves if needed.

Examples in the README and Docker docs have been updated to reflect these changes. I welcome any feedback about the approach in the Dockerfile or contents of the docs.

Configuration May Be Broken

Users who have configured things under the global, groups, or integration keys in the configuration file will find that the app will log an error and exit early until they apply the necessary changes. This is unfortunate, but the alternative was to not do that and allow people to continue using the app without their configuration being respected.

Pull request #​1704 outlines the changes and provides an example of what needs to be done by correcting the configuration docs. tl;dr:

1. Rename the global key to transfers
2. Move all limits keys so that they appear nested under the upload key of the associated group
3. Rename the integration key to integrations

These changes were made to make room for upcoming features (stay tuned!). The rename of the integration key was admittedly not necessary for that, but I figured I would sneak it in.

What's Changed

• BREAKING: Move all transfer options under a 'transfers' key by @​jpdillingham in #​1672
• Add errors for deprecated keys by @​jpdillingham in #​1698
• Update docs to reflect config changes by @​jpdillingham in #​1704
• Append Additional Terms to the AGPLv3 license by @​jpdillingham in #​1675
• Adjust NOTICE indent, add license info to startup banner by @​jpdillingham in #​1690
• Fix "Search Again" by @​rfletcher in #​1666
• Fix bug causing an error when updating the config file while the app is running by @​jpdillingham in #​1682
• fix favicon.ico relative path by @​deepsweet in #​1696
• Add BatchId and Attempts to Transfers database, change migration naming scheme by @​jpdillingham in #​1670
• Add the ability to specify base delay for exponential backoff, add onRetry delegate for Retry.Do by @​jpdillingham in #​1671
• Interlock updates of shared scanner vars by @​jpdillingham in #​1687
• Add support for PUID/PGID to Docker by @​jpdillingham in #​1695
• Bump Soulseek.NET to 9.0.0, set minor version to 760 by @​jpdillingham in #​1674
• Bump picomatch from 2.3.1 to 2.3.2 in /src/web by @​dependabot[bot] in #​1684
• Bump flatted from 3.2.7 to 3.4.2 in /src/web by @​dependabot[bot] in #​1676
• Bump yaml in /src/web by @​dependabot[bot] in #​1680
• Bump Soulseek.NET to 10.0.0 by @​jpdillingham in #​1691
• Bump lodash from 4.17.23 to 4.18.1 in /src/web by @​dependabot[bot] in #​1692
• Bump lodash-es from 4.17.23 to 4.18.1 in /src/web by @​dependabot[bot] in #​1689
• Upgrade to .NET 10 by @​jpdillingham in #​1693
• Bump axios from 1.13.5 to 1.15.0 in /src/web by @​dependabot[bot] in #​1694

New Contributors

• @​rfletcher made their first contribution in #​1666
• @​deepsweet made their first contribution in #​1696

Full Changelog: slskd/slskd@0.24.5...0.25.0

stalwartlabs/stalwart (ghcr.io/stalwartlabs/stalwart)

v0.16.9

Compare Source

[0.16.9] - 2026-06-15

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• ACME: Allow specifying a preferred certificate chain.

Changed

Fixed

• JMAP: */changes methods leak ids of non-shared objects (reported by @​5ud0er).
• Sieve: Do not allow invalid certs in http_header function.
• FoundationDB: Fix read version cache expiration logic.
• MTA: Re-scheduling or editing a queued message reports success but persists nothing for recipients in a non-default virtual queue.
• CardDAV: Version requests included in address-data are ignored.
• ACME: Add freshness check when renewing certificates.
• Autodiscover v2: Read email address from query parameters.
• Sieve: Do not keep copies of redirected messages when keep is not specified.
• Registry: Object ids are parsed as numbers.

---

Check binary attestation here

v0.16.8

Compare Source

[0.16.8] - 2026-06-06

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

• OAuth: Rework access tokens to an AES-256-GCM-SIV AEAD format that carries the account name for proxy routing.
• Added more internal TLDs to the domain validation.

Fixed

• MTA:
  • Sub-addressing with external directories returns 550 Mailbox not found.
  • Disabled aliases continue receiving messages.
• JMAP for File Storage: FileNode/get returns a stale state string.
• Make SieveSystemInterpreter.defaultReturnPath and MtaQueueQuota.match optional expressions.
• Rate limiter panics when periods under 1 second are used.
• CalDAV/CardDAV: Calendar events, contacts, calendars and address books deleted via JMAP do not write a vanished tombstone.
• DNS updater: bump to dns-update-v0.5.1.

---

Check binary attestation here

v0.16.7

Compare Source

[0.16.7] - 2026-05-28

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• RateLimit header fields for HTTP (draft-ietf-httpapi-ratelimit-headers-10)
• MTA: Implement spamtest in trusted Sieve scripts.

Changed

Fixed

• Log rejected messages to tracing store.
• MTA:
  • Always update next DSN notify times.
  • Expand lists and resolve catch-all addresses when building autogenerated messages.
• Sharing: Includes resource that themselves carry a direct ACL grant and are leaves.
• Tasks cannot be deleted in OSS builds.
• Directory: Per-domain external directory resolution fails.
• DNS updater: Keep external TXT records when updating RRSet.
• HTTP: Reject requests from blocked IPs when Keep-Alive is enabled.

---

Check binary attestation here

v0.16.6

Compare Source

[0.16.6] - 2026-05-20

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• Added 58 new DNS provider integrations (see dns-update crate for details).
• DNS updater: Log DNS record types and values.
• Sieve: Allow User Sieve scripts to access orcpt.
• MTA: Log when messages are rejected or discarded by the spam classifier.

Changed

• Bump JMAP File Storage to draft-ietf-jmap-filenode-14.
• Accept password hashes with $ or { prefixes as secure secrets.

Fixed

• DAV: acl-principal-prop-set REPORT enforced the wrong privilege.
• JMAP: Thread/get did not filter by per-mailbox ACLs on shared accounts.
• IMAP: UID FETCH N:* could miss messages moved into a SELECTed mailbox by another connection.
• DNS updater:
  • Skip v=spf1 a -all records for apex domains.
  • RFC2136 TSIG: regression related to multiplexer.
  • Route53: Chunk TXT records when they exceed 255 characters.
• ACME:
  • Update defaultCertificateId when renewing a certificate that is currently set as default.
  • Perform DNS-01 authorizations sequentially to avoid race conditions in some DNS providers.
• Allow internal TLDs and special characters in e-mail addresses.
• Websocket: Perform case insensitive matching during upgrade.
• LDAP: Synchronize accounts when expanding mailing list recipients.
• Sieve: replace action adds an extra From header.
• ACL: Orphaned ACL entries for deleted accounts cause JMAP session errors.

---

Check binary attestation here

v0.16.5

Compare Source

[0.16.5] - 2026-05-11

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• is_ip_in_cidr expression function for CIDR matching.

Changed

• Bump mail-auth to 0.9 (which bumps hickory-resolver to 0.26).
• Deprecated RFC2136 SIG(0) support as it is no longer supported by hickory.

Fixed

• JMAP:
  • Patching ids containing digits in JSON Pointers fails.
  • Patching nested objects with null values fails.
• External directories:
  • SQL: Return Failed instead of Error when the query returns no results.
  • LDAP: Impersonation fails when the user has not logged in before.
• Network: Attempt binding to IPv4 when binding to IPv6 fails with EAFNOSUPPORT error.
• Bootstrap: Timeout after 30 seconds when probing the data store.
• HTTP: Use permissive CORS headers for .well-known endpoints.
• ACME:
  • Include apex domains when requesting certificates for subdomains.
  • Use the public suffix list to determine the zone name when no origin is provided.
• MTA:
  • Allow rescheduling recipients with permanent failures.
  • Process reports using original RCPT before rewriting.
• Autodiscover v2 endpoint unreachable.
• DNS update (via dns-update crate):
  • OVH + Google Cloud DNS: Fix FQDN handling for MX and SRV records.
  • Route53: Fix changeset error resolution.
  • deSEC: Use empty subname for apex records instead of @, which the API rejects.
  • Cloudflare: Wrap TXT record content in double quotes (RFC 1035) to suppress dashboard warnings.
• iCalendar/JSCalendar (via calcard crate):
  • Support STATUS:CANCELLED mapping from VTODO to JSCalendar.
  • Fixed duration parsing for zero duration PT0S.

---

Check binary attestation here

v0.16.4

Compare Source

[0.16.4] - 2026-05-05

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

Fixed

• Live tracing in community and OSS versions.
• Timezone changes from the AccountSettings object return invalidProperties.
• mail-parser panic with certain messages containing corrupted attachments.
• Pagination by anchor for queued messages, tasks and metrics.
• Spam filter: Use original instead of rewritten RCPT on checks.
• JMAP:
  • References in nested objects not resolved.
  • AddressBook/query fetches wrong resources.
• Import tool fails to restore registry entries.
• FDB: Allow multiple FoundationDB instances in the same process.
• Autoconfig: Return %EMAILADDRESS% when no email address is provided.
• Quota: Include Sieve scripts in quota recalculations.

---

Check binary attestation here

v0.16.3

Compare Source

[0.16.3] - 2026-04-30

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

• Replaced STALWART_HTTPS_PORT with STALWART_PUBLIC_URL.
• App Passwords now begin with app_ instead of app to avoid issues with some clients that do not support spaces in passwords.

Fixed

• Directory:
  • Invalidate caches when group memberships change on an external directory.
  • OIDC: errors instead of "failed to decode token".
  • OIDC: Recovery admin access.
  • User impersonation.
• Tasks:
  • Delete locked tasks.
  • Queue pagination by anchor.
• Log viewer: All events show as INFO.
• Registry: Allow changing object variants.
• Node id renewal.
• DNS Updater: Fix Route53 serialization format.

---

Check binary attestation here

v0.16.2

Compare Source

[0.16.2] - 2026-04-28

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• OIDC: Fallback to userinfo endpoint when JWT token does not contain an email claim.
• S3: verifyAfterWrite option to verify that objects have persisted after writing.

Changed

• Allow HTTP to be used for configuring the server.

Fixed

• LDAP: Generate valid credentialId when there are password changes.
• TLS: Disable cipher suited option disables wrong ciphers.
• DNS Updater:
  • BunnyDNS: Use subdomain as name of record instead of FQDN.
  • RFC2136: Chunk TXT records.
• Skip invalid entries in log files.

---

Check binary attestation here

v0.16.1

Compare Source

[0.16.1] - 2026-04-25

This version includes multiple breaking changes. If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• OIDC: Extract username from JWT token.
• system('node_hostname') and system('node_role') expression variables to retrieve the local node hostname and cluster role respectively.

Changed

Fixed

• JMAP:
  • Invalid receivedAt headers after importing (#​2939).
  • Sorting order issues when emails lack receivedAt headers.
• IMAP: Fix BINARY fetch responses (#​2940).
• WebDAV: Fix ACL validation for target folders.
• ACME: Allow requesting apex domain certificates.
• Hostname issues:
  • Accept RFC 6761 reserved TLDs during bootstrap.
  • Allow hostnames without TLDs in remote server settings.
• Reverse proxy issues.
• OSS builds.
• DNS Updater:
  • RFC2136: TSIG secret not base64 decoded.
  • Google DNS: Chunk TXT records when they exceed 255 characters.
  • Cloudflare:
    • Fix CAA record updates.
    • Check zone subdomains when finding zones

---

Check binary attestation here

v0.16.0

Compare Source

[0.16.0] - 2026-04-20

This version includes multiple breaking changes. If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• Web UI rewritten from the ground up using the JMAP management API, featuring a refreshed design and addressing 76 enhancement requests and bug fixes.
• CLI rewritten from the ground up to use the JMAP management API.
• Security enhancements:
  • Password strength enforcement using the zxcvbn algorithm
  • Password expiration, rotation policies and IP address restrictions for user accounts
  • App Passwords with limited access (#​1609), labels (#​2255), IP address restrictions and expiration dates
  • API keys with limited access, labels, IP address restrictions and expiration dates
  • Auto-ban comments and details about the triggering event (#​1321)
  • Auto-ban expiration after a configurable time period (#​964)
• DNS Management:
  • Automatic DNS management of MX, TXT, CNAME, SRV, CAA and TLSA records (#​463 #​1017 #​1419 #​2438 #​1370 #​1406 #​1371)
  • Automatic update of TLSA records when ACME certificates change (#​1664)
  • RFC2136 SIG(0) support (#​856)
  • Route53 provider support (contributed by @​jimmystewpot)
  • Google Cloud DNS provider support (contributed by @​jimmystewpot)
  • Bunny provider support (contributed by @​angeloanan)
  • Porkbun provider support (contributed by @​jeffesquivels)
  • DNSimple provider support (contributed by @​NelsonVides)
  • Spaceship provider support (contributed by @​matserix)
• DKIM:
  • Automatic DKIM key generation, rotation and DNS management (#​368 #​961)
  • Store DKIM keys in the database (#​1264)
  • Ignore insecure signatures when verifying DKIM (#​1068 #​467)
• ACME/TLS:
  • DNS-PERSIST-01 ACME challenge support (#​2837)
  • Renew certificates on demand, view certificate details (#​675 #​1162 #​2566)
  • CAA record support (#​468) with accounturi parameter (#​1933)
  • TLSA records publishing restricted to 3 1 1 and 2 1 1 (#​2193)
• OIDC and OAuth:
  • JWT token validation without requesting userinfo from the OIDC provider.
  • Audience (aud) claim (#​2603) and scope validation support.
  • Groups support (#​1448)
  • RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients
• LDAP:
  • Separate filter for groups (#​1841)
  • Improve support for OpenLDAP schemas (#​760)
  • Improve and simplify LDAP settings (#​2194 #​2174)
• Directory:
  • Masked email addresses for enhanced privacy (Enterprise)
  • Domain aliases (#​583)
  • E-mail alias descriptions and option to disable aliases (#​506)
  • Account archiving and un-deletion (#​2767) (Enterprise)
  • Per-domain directory backends (Enterprise)
• Account configuration and discovery:
  • Automatic Configuration of Email, Calendar, and Contact Server Settings (draft-mailmaint-uaautoconf-04) (#​2201)
  • MS Autodiscover V2 support (#​679)
• Sieve: Allow deactivating scripts without deleting them (#​1251).
• Tracing: Enable events only mode (#​2276)
• Clustering:
  • Automatic cluster node ID generation and management.
  • Unified cluster management (#​960)
  • Outbound MTA role (#​1692)

Changed

• Replaced REST API with JMAP API (#​2262 #​959 #​1480)
• Removed support for Authenticated Received Chain (ARC) sealing (learn more).
• Directory: Removed smtp, imap and memory directory backends.
• Use aws-lc for cryptographic operations instead of ring.
• Use rustls-platform-verifier for TLS certificate verification instead of webpki (#​247).

Fixed

• Directory:
  • Cannot remove built-in "admin" role from user once it was assigned (#​1467)
  • Delete associated records (#​963)
  • Updated Role permissions not applied (#​2038)
  • Recreated account cannot log in until server is restarted (#​1469)
  • Subaddressing does not work for groups (#​475)
  • New LDAP aliases are rejected (#​1318).
  • Validate account and group names (#​2209)
• MTA:
  • RCPT TO stage settings improvements (#​2217 #​394)
  • Relay to IP addresses (#​838)
  • Duplicate delivery inverted check
  • SASL challenge responses include invalid Go ahead text
• JMAP:
  • Fix inMailboxOtherThan query logic.
  • Fix hasAttachment search field (#​2778)
• IMAP:
  • Increment argument max length to 8000 bytes
  • ACL: Add RIGHTS capability (#​2762)
  • ACL: Fix ACL SET permission override.
• WebDAV:
  • Return 304 NOT_MODIFIED on If-None-Match
  • Use RFC 2616 instead of RFC 1123 for date formatting
  • Fix ACL container/item mismatch in reports.
  • CalDAV: Allow organized properties to be present in PUT requests if they are equal to the existing ones.
  • CalDAV: Enforce cumulative iCalendar instances cap in CalDAV free-busy REPORT handler
• Configuration: Prefix parsing issues (#​2495)
• OIDC: JWKS Exposes Symmetric Signing Key
• SQLite: Fix thread pool exhaustion.
• PostgreSQL: Use clean recycling method on connection pool
• Meilisearch: Make id sorteable.
• ACME: Fix wrong origin for subdomain updates (#​2360)
• Spam filter: Skip invalid messages during training.
• Calendar: Include minutes in localized invite templates (#​2828)
• HTTP: Fix 204 CORS preflight responses

---

Check binary attestation here

Stirling-Tools/Stirling-PDF (ghcr.io/stirling-tools/stirling-pdf)

v2.13.0: 2.13.0 MCP, files UI tweaks and bug fixes

Compare Source

This release contains some cool updates but mostly backend enabler work for features to come as well as enabling us to redeploy our online https://stirling.com/app back to a familiar UI.

This release also contains:

• MCP page (WIP)
• Support for ctrl A selection in PDF viewer
• New US language (now default)
• Improved my files UI and file deletion menus
• Open Graph previews (web links)

And bug fixes for:

• Bug fix for text selection on laptops/touchscreen devices
• Bug fix for ultra-lite docker not merging

What's Changed

Bug Fixes (please note most of these are related to SaaS not OSS product, we will be making the separation in notes clearer in next release)

• Fix Teams and MCP settings pages by @​jbrunton96 in #​6605
• MCP OAuth discovery fix + Supabase consent page by [@​Frooodle](https://r

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.