🚀 Release v0.29.9#4734
Merged
Merged
Conversation
The empty-records branch of `main()` returned without calling `process.exit(0)`, leaving the Drizzle Postgres connection pool holding the event loop open. The `migrate-auth-secret` process then hangs indefinitely after printing "No 2FA records found, nothing to migrate." causing the upstream `0.29.3.sh` security migration script (which calls this via `docker exec`) to never reach its final `docker service update` step that mounts the new Docker Secret. Operators end up with the new secret created but the dokploy service still configured with the hardcoded `BETTER_AUTH_SECRET`, while believing the migration completed. Match the success branch a few lines below which already does `process.exit(0)`, and the pattern used in sibling scripts `reset-password.ts` and `reset-2fa.ts`. Closes #4392
…t-on-empty fix(migrate-auth-secret): exit cleanly when there are no 2FA records
Adds an "Import" option to the Create Service dropdown that lets users paste a base64-encoded compose export, preview the template (compose YAML, domains, envs, mounts) before confirming, and create the service only on confirm. Adds a `previewTemplate` tRPC procedure that processes the base64 without touching the DB, with server access validation via session.
feat(compose): add import from base64 in create service dropdown
- Updated the GitHub Actions workflow to sync versioning across MCP, CLI, and SDK repositories. - Added steps to bump the version in the SDK repository and regenerate tools from the latest OpenAPI spec. - Improved commit message formatting to include source and release information for all repositories. - Ensured successful synchronization messages for each repository after the version update.
- Introduced a new `readLogs` procedure that allows users to retrieve logs for a specific deployment by providing the deployment ID and an optional tail parameter. - Implemented permission checks to ensure users have access to the requested logs. - Enhanced log retrieval for both cloud and non-cloud environments, utilizing appropriate commands based on the server context. Resolve Dokploy/mcp#14
- Implemented server access validation in deployment procedures to ensure users can only access deployments associated with their active organization. - Added checks to throw an UNAUTHORIZED error if a user attempts to access a deployment linked to a server outside their organization. This enhancement improves security and access control within the deployment management system.
- Added validation to prevent users from being invited with the owner role in the organization and user routers. - Implemented TRPCError responses to ensure proper error handling when attempting to assign the owner role. This change enhances role management and security within the organization structure. https://github.com/Dokploy/dokploy/security/advisories/GHSA-fm9p-wmpw-gxjh
- Added functionality to delete old sessions when a user updates their password, ensuring that only the current session remains active. - This change enhances security by preventing unauthorized access from previous sessions after a password change. Close here https://github.com/Dokploy/dokploy/security/advisories/GHSA-rr9m-w87g-46f3
* fix: copy Dokploy server IP when clicking server badge When a service runs on the local Dokploy server (no remote server), clicking the server badge did nothing because `data.server` is null. Now falls back to the server IP from settings so the badge always copies an IP address. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat(copy-ip): implement IP address copying functionality across database service components - Added the ability to copy the server IP address to the clipboard when clicking the server badge in various database service components (Libsql, MariaDB, MongoDB, MySQL, PostgreSQL, Redis). - Integrated the `copy-to-clipboard` library and `sonner` for user feedback upon successful copy action. - Ensured fallback to the server IP from settings when the service data is not available, enhancing user experience and functionality. --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Mauricio Siu <siumauricio@icloud.com>
Signed-off-by: Nahidujjaman Hridoy <hridoyboss12@gmail.com>
…of register, and build for extra. (#4382)
… routes (#4468) * fix: allow square brackets in zip drop path validation for Next.js dynamic routes ZIP uploads containing Next.js dynamic route files (e.g. app/api/[id]/route.ts, pages/[slug].tsx) were rejected by readValidDirectory because the path regex did not include square bracket characters. * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
…es (#4470) shouldDeploy passed undefined/null entries from commit.modified straight into micromatch, which throws "Expected input to be a string" and fails every webhook deployment when watch paths are configured. Filter out non-string values before matching.
…t accidental submission (#4422) Co-authored-by: Maks Pikov <mixelburg@users.noreply.github.com>
Upgraded next dependency in apps/dokploy to 16.2.6 exactly. Verified typescript typecheck passes successfully.
…nforce-sso) (#4511) * feat: add self-hosted enterprise restrictions (remote-servers-only, enforce-sso) - Add `remoteServersOnly` field to webServerSettings: prevents creating services on the local Dokploy VM, forcing all deployments to remote servers. Validated in all 8 service routers (application, compose, postgres, mysql, mongo, redis, mariadb, libsql). - Add `enforceSSO` field to webServerSettings: hides the email/password login form and shows only the SSO button on the login page. - Both settings are enterprise-only (enterpriseProcedure) and self-hosted-only (blocked at the API level when IS_CLOUD=true). - UI toggles added to the SSO settings page under a new "Self-hosted Restrictions" card (hidden in cloud). Login page reads enforceSSO from getServerSideProps to avoid client-side flash. - Migrations: 0167_fresh_goliath.sql, 0168_long_justice.sql * fix: add missing final newlines to migration files * refactor: improve code formatting for better readability in multiple components - Adjusted formatting in `add-application.tsx`, `add-compose.tsx`, and `add-database.tsx` to enhance readability by adding line breaks and consistent indentation. - Updated `toggle-enforce-sso.tsx` to simplify the Switch component's props. - Reformatted imports in `index.tsx` and `sso.tsx` for consistency. - Cleaned up conditional statements in various router files for improved clarity. * fix: add enforceSSO to test mock
…eys is enabled for members (#4512)
On settings/servers, a long server name in the card title (h3) did not wrap and overflowed its container, overlapping nearby content and squeezing the three-dots actions menu until it disappeared. Allow the title block to shrink and wrap (min-w-0 + break-words), keep the server icon and the actions trigger from being crushed (shrink-0), and add gap between the title and the actions button.
… docker config (#4485) The compose/stack deploy command runs under `env -i PATH="$PATH"`, which clears the environment except for PATH. That strips HOME, so when the generated command is `docker stack deploy --prune --with-registry-auth` the docker CLI cannot resolve `~/.docker/config.json` (e.g. `/root/.docker/config.json`) and ships no registry credentials to the swarm. Private-registry images then fail to pull on the nodes: image registry.example.com/... could not be accessed on a registry to record its digest. Each node will access ... independently while the deploy still logs "Docker Compose Deployed: ✅". Keep PATH isolation but preserve HOME so docker can read its config for both `stack deploy --with-registry-auth` and `compose up -d --build`. Add a regression test asserting the generated command preserves `HOME="$HOME"` for both stack and docker-compose deploys. Fixes #4401 Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…4526) * fix: scope dokploy-server schedules to organization instead of user Replaces userId with organizationId on the schedule table so that global (dokploy-server) schedules are shared across all owners and admins of the same organization, while remaining isolated between different organizations. Includes a data migration that backfills organizationId from the owner membership record for any existing dokploy-server schedules. Closes #4300 * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
- Added a new `forward_auth_settings` table to manage authentication domains and their configurations. - Introduced UI components for handling forward authentication, including enabling/disabling SSO for domains and selecting SSO providers. - Updated existing tests to include validation for the new `forwardAuthProviderId` field in domain configurations. - Enhanced the dashboard to integrate forward authentication management, allowing users to configure SSO settings directly from the application interface. This update improves the flexibility and security of application authentication by allowing integration with various identity providers.
#4683) Auth forms (login, register, 2FA, backup-code, reset-password) had no method attribute, defaulting to GET. react-hook-form's handleSubmit preventDefault()s only after hydration; submitting in the pre-hydration or no-JS window triggers a native GET to the current URL, leaking email/password into the URL, history, access logs and Referer header. Setting method="post" makes the native fallback a POST so credentials go in the request body instead. Normal JS submit path is unchanged. Verified in a browser: GET (?email&password) -> POST (clean URL). Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* feat: update dependencies and enhance UI components in Dokploy - Updated various package versions in pnpm-lock.yaml to improve compatibility and performance, including React and Tailwind CSS. - Modified components.json to change the styling to "radix-nova" and added new properties for icon library and menu color. - Refactored multiple components to use updated class names for better styling consistency and responsiveness. - Removed unused Radix UI components from package.json to streamline dependencies. - Adjusted layout and styling in several dashboard components for improved user experience and visual appeal. - Enhanced tooltip and form item components for better accessibility and usability. * refactor: enhance UI components in HandleCertificate and SidebarLogo - Updated the HandleCertificate component to improve dialog content height and textarea styling for better usability. - Adjusted the SidebarLogo component layout to enhance alignment and spacing, ensuring a more consistent appearance across the sidebar. - Implemented responsive design adjustments to textarea elements, preventing overflow and improving user experience. * refactor: improve UI consistency and styling across dashboard components - Updated Card components in ShowDeployments, ShowSchedules, and ShowVolumeBackups to remove unnecessary border styles for a cleaner look. - Enhanced TabsList components in ShowProviderForm and ShowProviderFormCompose by adding a variant for improved visual distinction. - Adjusted spacing in AdvancedEnvironmentSelector for better layout and readability. - Removed redundant border classes in Service component for a more streamlined design. * [autofix.ci] apply automated fixes * chore: update package dependencies and refactor email rendering - Upgraded React and React DOM to version 19.2.7 across multiple packages for improved performance and compatibility. - Updated TSX to version 4.22.4 in various package.json files. - Refactored email rendering from `renderAsync` to `render` in notification utilities and email templates for consistency. - Adjusted Tailwind configuration usage in email templates to utilize a centralized configuration file. These changes enhance the overall stability and maintainability of the codebase. * refactor: update badge variants across dashboard components - Changed badge variant from "outline-solid" to "outline" in multiple components including columns, show-domains, and various deployment tables for consistency in styling. - Updated button variants in billing and project templates to align with the new badge styling. - Enhanced input components to support password generation and error messaging, improving user experience. These changes streamline the UI and ensure a cohesive design across the application. * refactor: clean up calendar component imports and structure - Removed redundant imports of icons from lucide-react and streamlined the import statements for better readability. - Adjusted the placement of type imports to enhance code organization. These changes improve the maintainability and clarity of the calendar component. * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
) - Introduced a new mapping schema to handle user claims for OIDC providers, allowing for customizable mapping of claims to user fields. - Implemented default mapping logic for Azure and generic providers, ensuring appropriate claim handling based on the issuer. - Enhanced the registration dialog UI to include fields for claim mapping, improving user experience and configurability. - Updated parsing logic to accommodate claim mapping in OIDC configuration. This update enhances the flexibility of OIDC integration by allowing users to define how claims from identity providers map to application user fields.
… their own (#4713) The canAccessToGitProviders legacy override only granted read access, so members with the Git Providers toggle enabled could not add providers — the create/delete endpoints require gitProviders.create / gitProviders.delete. This mirrors how the SSH Keys toggle already grants read/create/delete. The git-provider remove endpoint now restricts non owner/admin roles to deleting only their own providers (matching the ownership model used for visibility and sharing), while owner/admin can still delete any provider in the organization. Closes #4695
* prevent social icons from overlapping in onboarding layout * fixed the alignment social icon forms * revert * fix: adjust spacing in social sign-in section of registration page Updated the layout of the social sign-in options by adding a gap between the elements to improve visual clarity and user experience. --------- Co-authored-by: Mauricio Siu <siumauricio@icloud.com>
cloneGitRepository runs `ssh-keyscan <host> >> known_hosts` as one step of a `set -e` script. Hosts whose SSH endpoint waits for the client's identification string first — Hugging Face's hf.co among them — never complete the keyscan handshake, so it exits 1 and `set -e` aborts the deploy before `git clone` ever runs. Make ssh-keyscan non-fatal and let the real ssh client record the host key on first connect (StrictHostKeyChecking=accept-new), which reaches hosts ssh-keyscan can't scan. Same TOFU trust model, so no regression; GitHub/GitLab/Gitea still pre-seed and verify known_hosts as before.
Branch names containing '#' (e.g. feat#123) were rejected by VALID_BRANCH_REGEX when saving a git provider configuration, even though '#' is a legal git ref character. Add '#' to the allowed character set. The change propagates to the backend zod schemas and all provider UI forms, since they share this constant. '#' is not a shell injection vector: the regex still rejects every character needed to terminate a command (; | & $ ( ) ` newline space quotes), and '#' only starts a shell comment at the beginning of a word, never mid-argument as in 'git clone --branch feat#123'. Fixes #4585
The RequestPath in the request log table was truncated to 82 characters with an ellipsis when it exceeded 100 characters, hiding part of the route. Show the full path and let it wrap with flex-wrap and break-all. Fixes #4642
The nightly access-log-cleanup job hardcoded "dokploy-traefik" as the container name when sending SIGUSR1. In Docker Swarm mode Traefik runs as a service task named "dokploy-traefik.1.<task-id>", so `docker exec dokploy-traefik` fails every night with "No such container". The log file is rotated (inode changes) but Traefik never reopens it, leaving the on-disk access.log frozen while real logs go to a deleted file handle. Resolve the running container id dynamically with `docker ps --filter`, matching the pattern already used elsewhere in the codebase, so it works for both standalone and swarm deployments. Skip gracefully if no running container is found. Closes #4620
* fix: use github owner login for webhook deploy matching * fix: prefer github owner name for webhook matching Что: - Инвертирован порядок fallback для GitHub webhook owner: сначала repository.owner.name, затем repository.owner.login. - Обновлен focused regression test для приоритета owner.name и fallback на owner.login. Зачем: - Выполнить maintainer review request в PR #4674 и сохранить совместимость deploy matching для payload без owner.name. Риски: - Не выявлены для push/tag matching; preview pull_request путь использует тот же helper, но отдельным PR-event тестом не покрыт. Проверки: - Команды и результаты: git diff --check -- apps/dokploy/pages/api/deploy/github.ts apps/dokploy/__test__/deploy/github-webhook-handler.test.ts - passed; CI=true corepack pnpm --dir apps/dokploy exec vitest --config __test__/vitest.config.ts run __test__/deploy/github-webhook-handler.test.ts --reporter=verbose - passed, 1 file / 4 tests; CI=true corepack pnpm exec biome check apps/dokploy/pages/api/deploy/github.ts apps/dokploy/__test__/deploy/github-webhook-handler.test.ts - exit 0, reported existing Number.parseInt radix info at github.ts:464; mandatory QA subagent Boyle - pass. - Ограничения: repo-wide format-and-lint, typecheck, build, and test не запускались для этого точечного review fix. What: - Inverted the GitHub webhook owner fallback order to prefer repository.owner.name before repository.owner.login. - Updated the focused regression test for owner.name precedence and owner.login fallback. Why: - Address the maintainer review request in PR #4674 while preserving deploy matching for payloads without owner.name. Risks: - None identified for push/tag matching; the preview pull_request path uses the same helper but is not covered by a dedicated PR-event test. Checks: - Commands and results: git diff --check -- apps/dokploy/pages/api/deploy/github.ts apps/dokploy/__test__/deploy/github-webhook-handler.test.ts - passed; CI=true corepack pnpm --dir apps/dokploy exec vitest --config __test__/vitest.config.ts run __test__/deploy/github-webhook-handler.test.ts --reporter=verbose - passed, 1 file / 4 tests; CI=true corepack pnpm exec biome check apps/dokploy/pages/api/deploy/github.ts apps/dokploy/__test__/deploy/github-webhook-handler.test.ts - exit 0, reported existing Number.parseInt radix info at github.ts:464; mandatory QA subagent Boyle - pass. - Limitations: repo-wide format-and-lint, typecheck, build, and test were not run for this targeted review fix.
Replaced existing color definitions in the whitelabeling settings with the oklch color format for improved color management and consistency. This change enhances the customization capabilities of the theme while maintaining compatibility with Tailwind CSS v4. No functional changes were made to the application behavior.
…4729) * fix(domain): validate hostname format to reject invalid characters Underscores and other invalid characters were accepted in domain inputs with no validation, causing Let's Encrypt to silently fail certificate issuance while Dokploy fell back to a self-signed cert. Fixes #4716 * fix(create-server): update SSH key label for clarity in server creation form
…#4730) apiKeys and nested user were returned without column projection, shipping secrets (key, permissions, metadata) and unused fields to every page that prefetches user.get, causing the /dashboard/home SSR payload to exceed Next.js's 128kB warning threshold.
…eck in allByType (#4733) Members with access to a schedule's application/compose got a 401 on deployment.allByType because it passed the scheduleId straight into checkServicePermissionAndAccess, which expects a service id.
Update Redis default image from redis:7 to redis:8 in: - packages/server/src/setup/redis-setup.ts (internal Redis setup) - packages/server/src/services/ai.ts (AI service template examples) - apps/dokploy/components/dashboard/project/add-database.tsx (UI default) Redis 8 provides better performance according to benchmarks while maintaining stability. Closes #4172.
) * feat(databases): add copy button to User and Database Name fields Adds an enableCopyButton prop to the Input component and uses it on the User, Database Name, and Internal Host fields across Postgres, MySQL, MariaDB, MongoDB, Redis, and Libsql credential views. Closes #4495 * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* fix(backup): redact S3 credentials from logs and error output (#4621) S3 backup credentials (access key + secret) were logged in plaintext to Dokploy service stdout via logger.info in getBackupCommand() and console.error in keepLatestNBackups(). Any operator with access to service logs could recover S3 credentials. Added redactRcloneCredentials() pure function that masks --s3-access-key-id and --s3-secret-access-key values with [REDACTED]. Applied to both the structured logger call and the error handler. Closes #4621 * fix(backups): redact sensitive information in error logs during web server backup process Updated error handling in the web server backup function to redact Rclone credentials from error messages before logging and notification. This change enhances security by preventing sensitive data exposure in logs. --------- Co-authored-by: Mauricio Siu <siumauricio@icloud.com>
The Ollama detection matched any URL containing "ollama", which hides the API Key field for Ollama Cloud (ollama.com) and drops the key from the createOllama() client, so cloud requests go out unauthenticated. Narrow the rule to localhost-only Ollama and forward the API key as a Bearer header when provided. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR promotes changes from
canarytomainfor version v0.29.9.🔍 Changes Include:
✅ Pre-merge Checklist: