v4.0.2

Roadmap Website

The roadmap website has been updated to show estimated release windows for new features and future versions. It can be accessed through the same link: https://zipline.diced.sh/roadmap

What's Changed

• fixed security vuln with Math.random
• fixed s3 max sockets issue
• fixed v3 imports requiring a .stats property
• fixed v3 imports limiting at 1 mb per request
• fixed upload route not redirecting to /view for text/ files
• fixed syntax highlighting
• fixed empty lines being filtered out of code renderer
• fixed s3 erroring on 204 status codes
• updated next.js 15.2.4 (vuln that doesn't effect zipline, but to be safe!)
• added new midnight blue and orange themes
• added files per page selector for gallery view

Pulls Merged

• Midnight Theme, Files Page Improvements & Bug Fixes by @curet-dev in #753
• Improved Pagination - Files per Page Selector by @curet-dev in #757

New Contributors

• @curet-dev made their first contribution in #753

Full Changelog: v4.0.1...v4.0.2

v4.0.1

What's Changed

• fixed many import bugs
• fixed ziplinectl not running
• fixed oauth redirect uri not being used when provided
• fixed view page on firefox (smh)
• fixed sessions being overwritten in many different cases
• fixed external links area not scrolling
• fixed passkey appearing even when disabled
• fixed oauth saving (a restart shouldn't be needed now)
• fixed titles overflowing out of the page or container
• fixed gps metadata not clearing
• fixed api errors not erroring properly to the user
• fixed url passwords only working when logged in
• fixed hex parsing for discord webhook embed color
• fixed unsupported headers in s3
• fixed combobox being hidden when in a small container
• add default state to oidc oauth (fixes authentik)
• add warning when enabling embeds to enable view routes
• add ishare support
• add x-zipline-domain random domain selection (comma separated list of domains)
• add cross-env to support environment variables on windows (smh)
• add ranged requests to non view-routes (i'm sorry 😭 i forgot)
• add anonymous folder uploads: send a link to your friends to which they can upload files to without having an account!

Pulls Merged

• feat: add github issue template by @TacticalTechJay in #696
• Randomized Domain Selection support for Files and URL Shortener by @nobodys-tools in #713
• Updated package.json, pnpm-lock.yaml and register.tsx by @loefey in #727
• Update ExternalAuthButton.tsx by @Madelyyn in #737

New Contributors

• @nobodys-tools made their first contribution in #713
• @loefey made their first contribution in #727
• @Madelyyn made their first contribution in #737

Full Changelog: v4.0.0...v4.0.1

v4.0.0

🎊 Thanks for waiting for the next big release for Zipline! This has been in the works for over 2 years now, and it's finally gotten to a point where it's ready to be released. 🎉

New documentation website

The docs website has been updated to reflect new v4 features + has a new coat of paint. Visit it here: zipline.diced.sh. If you wish to visit the old v3 docs, they are available at v3.zipline.diced.sh.

Migrating from v3 to v4 ⬆️

Please use the migration docs to assist you.

Important! ⚠️

If you have something that auto-updates Zipline whenever a new tag is released, we highly recommend that you turn this off before updating to v4.

State of v3 🔒

v3 will still be developed for a little while. We are only going to be focusing on large bugs or security vulnerabilities.

If you wish to continue using v3, you can use the following docker images:

• ghcr.io/diced/zipline:v3-trunk - this image updates every time a new commit is out on the v3 branch
• ghcr.io/diced/zipline:v3 - this image updates every time a new v3.*.* release comes out (most likely never...)
  • currently, this image will be the same as using the :v3.7.13 tag

v4 docker images 🆕

v4 will be taking over the trunk branch, and with that it will also be taking over the latest and trunk tag.

• ghcr.io/diced/zipline (ghcr.io/diced/zipline:latest) - v4 builds from now on
• ghcr.io/diced/zipline:v4 - continues serving v4 builds (for those who were using v4 while beta testing)
• ghcr.io/diced/zipline:trunk - only updates whenever there are new commits to the trunk branch.

What's changed

• Revamp API
• Revamp offloaded tasks, like thumbnail generation and partial uploads
• Revamp invites system
• Revamped expiring/deletesAt files
• Revamped all dashboard pages
• Everything revamped tbh
• More variables + conditional variables
• Import v3 database
• --skip-next skips loading next.js
• edit stuff
  • url properties, file properties
• urls can have passwords
• support OIDC providers like authentik, authelia, etc.
• quotas per user
• allow configuring of a terms of service link
• utility scripts moved to dashboard
• new zipline-ctl cli utility
• /api/healthcheck that can be used as a healthcheck in docker compose
• upload options on the dashboard are persisted (localStorage)
• Files, URLs, Invites, Users, Folders pages have a table and card view selector
  • Tables can be filtered, sorted
• File tags (can be created on the files page)
• x-zipline-folder header to auto add to a folder
• warnings when deleting stuff like files, urls, etc. (can be disabled)
• bulk transactions for files (delete, favorite, add to folder)
• script/sharex generation is better with the new options
• passkey login
• login page redesign
• tons of environment variables are now moved to the settings page
• partial uploads when using s3 use multipart uploads
• removed ability to view exif data
• removed zero-width space urls
• honestly there's a lot more, you can figure out yourself 😂

Pulls merged

• fix: incorrect password autocompletes by @Vetlix in #557
• Add Catppuccin Themes (v4) by @cswimr in #562
• add support for DATASOURCE_S3_FORCE_PATH_STYLE by @Creationsss in #658
• add support for TZ by @Arlind-dev in #660
• Add checks variable modifiers by @Stef-00012 in #662
• fix: sharex url shortening config by @dilllxd in #664
• Add exists conditional modifier to date, fix parser regex by @Stef-00012 in #666
• Hopefully last pr for conditional modifiers by @Stef-00012 in #667

New Contributors

• @Creationsss made their first contribution in #658
• @Arlind-dev made their first contribution in #660
• @Stef-00012 made their first contribution in #662
• @dilllxd made their first contribution in #664

v3.7.13

What's Changed

• s3 file requests are fixed now
• ranged file requests actually work as intended
• reserved routes check uses regex so you can use stuff like /rrrrr now works
• fixed #673
• fixed #659 (how has this issue existed for 2 years?)
• fixed #670
• fixed #685
• fixed #657 (possibly?)
• no longer support files that aren't in the db
• no longer support supabase datasource, use their s3 endpoint now
• new: on view routes, click anywhere on the page to zoom into the image
• new: on the home page, an alert (dismissible by clicking the x) will tell you about v4, and to consider turning off auto updaters that update zipline every time a new release is out

Pulls merged

• Woah, I think this is a lot. by @TacticalTechJay in #683
• A super cool zoom machine by @TacticalTechJay in #686
• Fixing my way downtown. by @TacticalTechJay in #692

Full Changelog: v3.7.12...v3.7.13

v3.7.12

What's Changed

• fixed xss vuln given /auth/login?url=javascript:<code> will execute said code.
• fixed s3 ranged requests

Full Changelog: v3.7.11...v3.7.12

v3.7.11

⚠️ Important ⚠️

• Vulnerability within oauth
  • Versions affected: anything past v3.6.0
  • Providers affected: Google
  • The vulnerability is caused due to a backwards compatibility fallback method of trying to find a oauth user, this fallback method would not rely on the provider's ID but instead just the username + provider name. This meant that as long as the determined username was the same, two google accounts with the same username will point to the same user if linked.
  • This doesn't effect discord or github, since they have unique usernames.
• If you don't use oauth, you are totally fine to continue using previous versions at your own risk.

What's Changed

• feat(ci): push to docker hub by @wdhdev in #613
• fix: code scroll overflow handling by @quantum5 in #620
• Update README.md by @Rovoska in #627
• fix(repo): update devcontainer defaults to use bundled postgres by @Hegi in #585
• feat: proper range request handling by @ari-party in #635
• fix: Check if route was set to /r, as it's reserved. by @TacticalTechJay in #643

New Contributors

• @quantum5 made their first contribution in #620
• @Rovoska made their first contribution in #627
• @Hegi made their first contribution in #585

Full Changelog: v3.7.10...v3.7.11

v3.7.10

What's Changed

• fixed path traversal (update if you are v3.4 and above)
  • this is only exploitable if the user is logged in
• Add Catppuccin themes by @cswimr in #560
• fix: audio & video scrubbing by @ari-party in #576
• fix: hyprland is no longer wlroots-based by @polymo1 in #581
• file ordering for viewing other user files
• thumbnails for videos show up on folder file viewing
• fixed ratelimit bypass on uploading
• views are incremented on view/code routes
• files are deleted when they reach maxViews on view routes

(sorry for double release - forgot to change the version)

New Contributors

• @MateiSR made their first contribution in #575
• @ari-party made their first contribution in #576
• @polymo1 made their first contribution in #581

Full Changelog: v3.7.9...v3.7.10

v3.7.9

What's changed

• ampm modifier for dates
• x-zipline-folder header (the value should be a folder id)
  • this automatically adds the file you are uploading to the folder

Bugs fixed

• fixed {file.size::bytes} not working on some conditions #532
• fixed image resizing in view route #527

Full Changelog: v3.7.8...v3.7.9

v3.7.8

What's changed

• new year new zipline update
• better alignment for thumbnails
• folder viewing fixed
• thumbnails show up in folder views
• max width and height on videos/images on view route
• new locale and tz options for date variables: {file.createdAt::locale::en-US,America/Los_Angeles}

Pulls Merged

• Fixed Discord Mobile Video Embeded Res Bug by @L7NEG in #509
• fix(shorten): typo by @wdhdev in #513
• Add autohotkey file extension (.ahk) to mimes.json by @SeaswimmerTheFsh in #511
• fix: Merge create endpoint into register and prevent non admins from … by @TacticalTechJay in #517
• Improve error handling for file expiry by @Wingysam in #519
• fix: prisma deletion errors by @Vetlix in #522

New Contributors

• @L7NEG made their first contribution in #509
• @wdhdev made their first contribution in #513
• @SeaswimmerTheFsh made their first contribution in #511
• @Wingysam made their first contribution in #519

Full Changelog: v3.7.7...v3.7.8

v3.7.7

What's changed

• Prisma version mismatch hotfix ([email protected] now), sorry about the issues yesterday!
• Better styling in view file card and upload file dropzone
• Password protected non-media files can be viewed now
  • /r route supports ?password={password} query now!

Pulls merged

• Enhance view file and file upload view by @TheZoker in #494

New Contributors

• @TheZoker made their first contribution in #494

Full Changelog: v3.7.6...v3.7.7