v4.0.0

🎊 Thanks for waiting for the next big release for Zipline! This has been in the works for over 2 years now, and it's finally gotten to a point where it's ready to be released. 🎉

New documentation website

The docs website has been updated to reflect new v4 features + has a new coat of paint. Visit it here: zipline.diced.sh. If you wish to visit the old v3 docs, they are available at v3.zipline.diced.sh.

Migrating from v3 to v4 ⬆️

Please use the migration docs to assist you.

Important! ⚠️

If you have something that auto-updates Zipline whenever a new tag is released, we highly recommend that you turn this off before updating to v4.

State of v3 🔒

v3 will still be developed for a little while. We are only going to be focusing on large bugs or security vulnerabilities.

If you wish to continue using v3, you can use the following docker images:

• ghcr.io/diced/zipline:v3-trunk - this image updates every time a new commit is out on the v3 branch
• ghcr.io/diced/zipline:v3 - this image updates every time a new v3.*.* release comes out (most likely never...)
  • currently, this image will be the same as using the :v3.7.13 tag

v4 docker images 🆕

v4 will be taking over the trunk branch, and with that it will also be taking over the latest and trunk tag.

• ghcr.io/diced/zipline (ghcr.io/diced/zipline:latest) - v4 builds from now on
• ghcr.io/diced/zipline:v4 - continues serving v4 builds (for those who were using v4 while beta testing)
• ghcr.io/diced/zipline:trunk - only updates whenever there are new commits to the trunk branch.

What's changed

• Revamp API
• Revamp offloaded tasks, like thumbnail generation and partial uploads
• Revamp invites system
• Revamped expiring/deletesAt files
• Revamped all dashboard pages
• Everything revamped tbh
• More variables + conditional variables
• Import v3 database
• --skip-next skips loading next.js
• edit stuff
  • url properties, file properties
• urls can have passwords
• support OIDC providers like authentik, authelia, etc.
• quotas per user
• allow configuring of a terms of service link
• utility scripts moved to dashboard
• new zipline-ctl cli utility
• /api/healthcheck that can be used as a healthcheck in docker compose
• upload options on the dashboard are persisted (localStorage)
• Files, URLs, Invites, Users, Folders pages have a table and card view selector
  • Tables can be filtered, sorted
• File tags (can be created on the files page)
• x-zipline-folder header to auto add to a folder
• warnings when deleting stuff like files, urls, etc. (can be disabled)
• bulk transactions for files (delete, favorite, add to folder)
• script/sharex generation is better with the new options
• passkey login
• login page redesign
• tons of environment variables are now moved to the settings page
• partial uploads when using s3 use multipart uploads
• removed ability to view exif data
• removed zero-width space urls
• honestly there's a lot more, you can figure out yourself 😂

Pulls merged

• fix: incorrect password autocompletes by @Vetlix in #557
• Add Catppuccin Themes (v4) by @cswimr in #562
• add support for DATASOURCE_S3_FORCE_PATH_STYLE by @Creationsss in #658
• add support for TZ by @Arlind-dev in #660
• Add checks variable modifiers by @Stef-00012 in #662
• fix: sharex url shortening config by @dilllxd in #664
• Add exists conditional modifier to date, fix parser regex by @Stef-00012 in #666
• Hopefully last pr for conditional modifiers by @Stef-00012 in #667

New Contributors

• @Creationsss made their first contribution in #658
• @Arlind-dev made their first contribution in #660
• @Stef-00012 made their first contribution in #662
• @dilllxd made their first contribution in #664

v3.7.13

What's Changed

• s3 file requests are fixed now
• ranged file requests actually work as intended
• reserved routes check uses regex so you can use stuff like /rrrrr now works
• fixed #673
• fixed #659 (how has this issue existed for 2 years?)
• fixed #670
• fixed #685
• fixed #657 (possibly?)
• no longer support files that aren't in the db
• no longer support supabase datasource, use their s3 endpoint now
• new: on view routes, click anywhere on the page to zoom into the image
• new: on the home page, an alert (dismissible by clicking the x) will tell you about v4, and to consider turning off auto updaters that update zipline every time a new release is out

Pulls merged

• Woah, I think this is a lot. by @TacticalTechJay in #683
• A super cool zoom machine by @TacticalTechJay in #686
• Fixing my way downtown. by @TacticalTechJay in #692

Full Changelog: v3.7.12...v3.7.13

v3.7.12

What's Changed

• fixed xss vuln given /auth/login?url=javascript:<code> will execute said code.
• fixed s3 ranged requests

Full Changelog: v3.7.11...v3.7.12

v3.7.11

⚠️ Important ⚠️

• Vulnerability within oauth
  • Versions affected: anything past v3.6.0
  • Providers affected: Google
  • The vulnerability is caused due to a backwards compatibility fallback method of trying to find a oauth user, this fallback method would not rely on the provider's ID but instead just the username + provider name. This meant that as long as the determined username was the same, two google accounts with the same username will point to the same user if linked.
  • This doesn't effect discord or github, since they have unique usernames.
• If you don't use oauth, you are totally fine to continue using previous versions at your own risk.

What's Changed

• feat(ci): push to docker hub by @wdhdev in #613
• fix: code scroll overflow handling by @quantum5 in #620
• Update README.md by @Rovoska in #627
• fix(repo): update devcontainer defaults to use bundled postgres by @Hegi in #585
• feat: proper range request handling by @ari-party in #635
• fix: Check if route was set to /r, as it's reserved. by @TacticalTechJay in #643

New Contributors

• @quantum5 made their first contribution in #620
• @Rovoska made their first contribution in #627
• @Hegi made their first contribution in #585

Full Changelog: v3.7.10...v3.7.11

v3.7.10

What's Changed

• fixed path traversal (update if you are v3.4 and above)
  • this is only exploitable if the user is logged in
• Add Catppuccin themes by @cswimr in #560
• fix: audio & video scrubbing by @ari-party in #576
• fix: hyprland is no longer wlroots-based by @polymo1 in #581
• file ordering for viewing other user files
• thumbnails for videos show up on folder file viewing
• fixed ratelimit bypass on uploading
• views are incremented on view/code routes
• files are deleted when they reach maxViews on view routes

(sorry for double release - forgot to change the version)

New Contributors

• @MateiSR made their first contribution in #575
• @ari-party made their first contribution in #576
• @polymo1 made their first contribution in #581

Full Changelog: v3.7.9...v3.7.10

v3.7.9

What's changed

• ampm modifier for dates
• x-zipline-folder header (the value should be a folder id)
  • this automatically adds the file you are uploading to the folder

Bugs fixed

• fixed {file.size::bytes} not working on some conditions #532
• fixed image resizing in view route #527

Full Changelog: v3.7.8...v3.7.9

v3.7.8

What's changed

• new year new zipline update
• better alignment for thumbnails
• folder viewing fixed
• thumbnails show up in folder views
• max width and height on videos/images on view route
• new locale and tz options for date variables: {file.createdAt::locale::en-US,America/Los_Angeles}

Pulls Merged

• Fixed Discord Mobile Video Embeded Res Bug by @L7NEG in #509
• fix(shorten): typo by @wdhdev in #513
• Add autohotkey file extension (.ahk) to mimes.json by @SeaswimmerTheFsh in #511
• fix: Merge create endpoint into register and prevent non admins from … by @TacticalTechJay in #517
• Improve error handling for file expiry by @Wingysam in #519
• fix: prisma deletion errors by @Vetlix in #522

New Contributors

• @L7NEG made their first contribution in #509
• @wdhdev made their first contribution in #513
• @SeaswimmerTheFsh made their first contribution in #511
• @Wingysam made their first contribution in #519

Full Changelog: v3.7.7...v3.7.8

v3.7.7

What's changed

• Prisma version mismatch hotfix ([email protected] now), sorry about the issues yesterday!
• Better styling in view file card and upload file dropzone
• Password protected non-media files can be viewed now
  • /r route supports ?password={password} query now!

Pulls merged

• Enhance view file and file upload view by @TheZoker in #494

New Contributors

• @TheZoker made their first contribution in #494

Full Changelog: v3.7.6...v3.7.7

v3.7.6

What's changed

• dupe fixed fixed fr
• updated packages
• files above int limit (2gb) now work

Pulls merged

• Update Flameshot.tsx by @neomoth in #490
• Allow uploads of files bigger than 2GiB by @kashalls in #484

New Contributors

• @neomoth made their first contribution in #490

Full Changelog: v3.7.5...v3.7.6

v3.7.5

What's changed

• og:video type
• fixed oauth notnull
• fixed no file size on folders page
• new UPLOADER+RANDOM_WORDS_SEPERATOR for gfycat format
• fixed non english characters encoding (cyrillic, japanese, chinese, korean, and hindi were tested but anything should work)
• fixed import file script to include size of file
• warning shown when theres no public/adjectives or public/animals files for gfycat format
• fixed overwriting existing files when using NAME format
• custom redirect_uri for discord/google oauth
• new whitelisted user ids for discord oauth

Pulls merged

• fix: missing og video type by @thereis in #462
• Fix util method to check if variable is not null by @kashalls in #458
• fix: Lack of size...??? by @TacticalTechJay in #465
• Allow Redirect URI Configuration by @Digital39999 in #469

New Contributors

• @thereis made their first contribution in #462
• @kashalls made their first contribution in #458
• @Digital39999 made their first contribution in #469

Full Changelog: v3.7.4...v3.7.5