Plik 1.4.2

Plik 1.4.2

Hi, today we're releasing Plik 1.4.2 !

Here is the changelog:

New:

• Internationalization (i18n) — the webapp is now fully translated with a language picker.
  12 languages supported: English (en), French (fr), German (de), Spanish (es), Italian (it),
  Dutch (nl), Polish (pl), Portuguese (pt), Russian (ru), Swedish (sv), Hindi (hi), Chinese (zh).
  Locales are hot-reloaded, fallback to English, and the language preference is persisted per user.
• GitHub OAuth2 authentication provider
• Default admin provisioning: set DefaultAdminLogin / DefaultAdminPassword (or env vars
  PLIKD_DEFAULT_ADMIN_LOGIN / PLIKD_DEFAULT_ADMIN_PASSWORD) to automatically create a local
  admin user on first startup — idempotent, skipped if the user already exists
• API token feature flag (FeatureApiTokens) to globally disable token creation and CLI auth
• CLI multi-profile support in .plikrc (profile composition with -P work,zip)
• CLI --update-plikrc to rewrite config in canonical format
• Prefixed opaque API tokens (plik_ prefix + Base62 + CRC32 checksum)
• S3 BucketLookup option for path-style addressing (Cloudflare R2, MinIO)
• S3 buffer-then-decide upload strategy with parallel multipart support
• AssumeHTTPS config option (replaces deprecated EnhancedWebSecurity): controls HSTS header and
  Secure cookie flag; auto-enabled when SslEnabled=true or PlikDomain starts with https://.
  EnhancedWebSecurity is still accepted but logs a deprecation warning at startup.
• Configurable archive compression (EnableArchiveCompression) to reduce CPU load
• Mermaid diagram rendering in Markdown preview (@bodji)
• MCP server profile-aware uploads and list_profiles tool
• Improved CLI --help with grouped sections (auto-injected into docs)

Fix:

• Fix file row layout on mobile to improve filename display (#726)
• Fix download URL construction for DownloadDomain + Path (#723): fixes broken links in
  subpath deployments; DownloadURL field now included in API Configuration and Upload responses
• Exclude SVG from inline file viewer to prevent XSS via crafted SVG uploads (#725)
• Fix extra separator in mobile navigation menu when authentication is disabled (#720)
• Fix light theme surface palette (#720)
• Fix subpath asset loading when deployed behind a reverse proxy (#714)
• Fix S3 signed integer types for PartSize and PartUploadConcurrency
• Fix syntax highlighting for all file extensions
• Fix navbar overflow on medium viewports

Misc:

• Download security headers (X-Content-Type-Options, X-Frame-Options, CSP) are now set
  unconditionally on all file/archive downloads — no config required
• Removed X-XSS-Protection header (deprecated by browsers, potentially harmful)
• /version endpoint now always strips build metadata (GoVersion, git revision, build host/user)
  from public responses; still available for authenticated admins
• Limit body size middleware extracted for cleaner request handling

Dependency upgrades:

• Bump golang.org/x/net to v0.52.0 (fixes GO-2026-4559 HTTP/2 server panic)
• Bump golang.org/x/crypto to v0.49.0
• Bump cloud.google.com/go/storage to v1.61.3
• Bump google.golang.org/api to v0.273.0
• Bump Vite to v8.0.3 (Rolldown bundler, improved build performance)
• Bump Vue to 3.5.31, vue-router to 5.0.4, Tailwind CSS to 4.2.2
• Bump GitHub Actions: checkout v6, setup-go v6, upload-artifact v7, github-script v8, setup-helm v5

Binaries will be built with Go 1.26.1

Faithfully,
The Plik team

Plik 1.4.1

Plik 1.4.1

Hi, today we're releasing Plik 1.4.1 !

Here is the changelog :

New :

• Inline video and audio playback in file viewer (@bodji)
• URL deep-linking for file viewer and media timestamps (@bodji)
• Runtime settings and webapp customization (branding, themes, custom footer)
• 10 built-in themes with dark/light/auto mode and user preference persistence
• Improvemets in Home and Admin view (error handling, filtering, bulk token uploads deletion,...)
• Show removed/deleted files in download view and Home/Admin views
• Configurable streaming timeout, cancellation, and retry

Fix :

• Reject E2EE uploads with empty passphrase
• Fix file deletion on versioned S3 buckets (#673)
• Restore backward compat when only DownloadDomain is set (#676)
• Improve mimetype detection with gabriel-vasile/mimetype (#678)
• Prevent text editor auto-detection from overwriting user-edited filename (#677)
• Close file viewer when viewed file is deleted (#675)
• Unify error display with reusable components (#679)

Misc :

• Bump Alpine base image to 3.23
• Bump Go to 1.26.1 (fixes 5 stdlib vulnerabilities)
• Bump minio-go to v7.0.99
• Bump MCP go-sdk to v1.4.0
• Bump golang.org/x/oauth2 to v0.36.0
• Bump google.golang.org/api to v0.269.0

Binaries will be built with Go 1.26.1

Faithfully,
The Plik team

Plik 1.4.0

Plik 1.4.0

Hi, today we're releasing Plik 1.4.0 !

Here is the changelog :

Webapp:

• Complete rewrite using Vue 3 + Vite + Tailwind CSS (replacing AngularJS/Bootstrap)
• End-to-End Encryption (E2EE) via Age interoperable CLI <=> Webapp
• Text editor (w/ syntax highlighting + Markdown support) for text file uploads (@bodji)
• Text (w/ syntax highlighting + Markdown support) and image preview in download view
• Filter uploads by properties and sort-by-size in upload listings (home/admin views)
• Filter users with search bar, and sort controls (admin view)
• Help tooltips on upload settings
• User profile pictures from OAuth providers
• Playwright E2E and Vitest unit test suites

Server:

• OIDC authentication provider support (generic OIDC + Keycloak) (@babs)
• HTTP range request support for all storage backends (@duckie)
• FeatureLocalLogin and FeatureDeleteAccount feature flags
• bcrypt(sha256) for upload password hashing
• Download domain restriction with PlikDomain config and CORS
• Comprehensive security hardening (thanks @bewiwi for the audit)
• Prometheus metrics improvements

CLI:

• CLI device authorization flow for browser-based login (--login)
• Json output mode (--json)
• Non-interactive mode (--yes)
• Test suite rewritten from Bash to Golang
• Bash client overhaul: URL encoding, missing features, tests suite

CI/CD:

• New Helm chart for Kubernetes deployment (@bodji)
• Debian packages hosted in a GitHub Pages API repository (@bodji)
• Docker tags for latest vs preview releases
• Build/deploy PR images from pull request comments (@bodji)
• Rewrite context code generator from Perl to Go
• 3x faster Github CI builds
• Client binaries uploaded to the release artifacts
• New makefile tagets to check vulns
• Upgraded all dependencies and builders

Documentation:

• VitePress documentation web site (https://root-gg.github.io/plik/)
• Guides (Installation, Configuration, Docker, Kubernetes, Security)
• Features (CLI, Web UI, Authentication, Encryption, Streaming, MCP)
• Backends (Data, Metadata)
• References (HTTP API, Go SDK, Metrics)
• Architechture (all ARCHITECTURE.md files)
• Operations (Reverse Proxy, Server CLI, Metadata Import/Export, Cross Compilation)
• Helm chart README with helm-docs annotations

AI:

• MCP server for AI assistant integration
• Agents friendly codebase with AGENTS.md ARCHITECTURE.md
• Reusable agentic workflows (code reviews, create commits/PRs, cut releases)

Binaries will be built with Go 1.26.0

Faithfully,
The Plik team

Plik 1.4-RC5

Plik 1.4-RC5

Hi, today we're releasing the fifth release candidate of the next plik major version 1.4 !

Here is the changelog :

New :

• Default to Age encryption, deprecate OpenSSL/PGP backends
• Global --yes CLI flag for non-interactive mode
• Admin user management with search, filters, and sort controls (#636)
• CLI fakedb command to generate test databases
• Debian packages with APT repository on GitHub Pages
• Playwright E2E and Vitest unit test suites for webapp and CLI

Fix :

• Comprehensive security hardening across all layers (#620-#629)
• E2EE passphrase modal hardening
• Hide Edit Account button for OAuth providers
• Fix admin quota inputs and modal overlay dismiss
• CLI: filter RC releases from stable builds and fix double login on first run (#642)
• Docker: fix PR build version string (#639, #640)

Documentation :

• Add plikd server CLI documentation
• Helm chart README with helm-docs annotations (#641)

Binaries will be built with Go 1.26.0

Faithfully,
The plik team

1.4-RC4

Plik 1.4-RC4

Hi, today we're releasing the fourth release candidate of the next plik major version 1.4 !

Here is the changelog :

New :

• End-to-End Encryption (E2EE) via Age (@camathieu)
• MCP server for AI assistant integration (@camathieu)
• Display user profile pictures from OAuth providers (@bodji)
• CLI --json output flag and redirect all prints to stderr (@camathieu)
• Concurrent uploads with local status updates for improved UX (@camathieu)
• Upload progress count and remaining file count in webapp (@camathieu)
• Add icons to upload sidebar settings (@bodji)
• Enforce non-empty comments when feature is forced (@camathieu)
• New Helm chart for plik (@bodji)

Fix :

• Harden authentication providers and session handling
• Improve E2EE passphrase editing UX
• Upload error handling with per-file retry
• Add darwin/arm64 to client build targets
• Block messaging app link preview bots from downloading one-shot/streaming files
• S3 Content-MD5 compatibility mode for strict providers (@Yamiyorunoshura)

Helm :

• Improve Helm chart after review
• Add dbPersistence PVC for SQLite database (v0.3.0) (@bodji)
• Improve secrets management (v0.3.1) (@bodji)
• Unify Helm chart release with app release pipeline

Documentation :

• Reorder user documentation sections
• Add MCP upload example screenshot
• Add agentic dev workflows and contributing docs

Binaries will be built with Go 1.26.0

Faithfully,
The plik team

1.4-RC3

Plik 1.4-RC3

Hi, today we're releasing the third release candidate of the next plik major version 1.4 !

Here is the changelog :

New :

• CLI device authorization flow for browser-based login (#567)
• FeatureLocalLogin and FeatureDeleteAccount feature flags (#524)
• OIDC: parse id_token claims, enforce email_verified, harden sub validation (@babs)
• OIDC: synthesize display name from given_name + family_name
• Webapp: auto-display inline viewer for single text file uploads (@bodji)
• Docker: add :preview tag for all releases (stable and pre-release)
• CI: allow deploying PR images from pull request comments (@bodji)

Fix :

• Prevent incorrect Docker tagging in PR builds (@bodji)
• Resolve pre-existing lint warnings
• Validate auth method is configured when authentication is enabled

Documentation :

• Document metadata import/export (#583)
• Add Windows "Send to Plik" guide (#565)
• Document Docker user permissions and persistent storage (#585)

Binaries will be built with Go 1.26.0

Faithfully,
The plik team

1.4-RC2

Plik 1.4-RC2

Hi, today we're releasing the second release candidate of the next Plik major version 1.4 !

You can preview it with the binaries or rootgg/plik:1.4-RC2
We are still adding new feature and hunting bugs for a stable 1.4.0 release

Here is the changelog :
New :

• Webapp: WYSIWYG with code syntax highlighting for text file uploads
• Webapp: immediate navigation to download view during upload (#570)
• Webapp: filename validation (1024 char limit) and inline upload error banner
• Webapp: JSON validate & prettify buttons in code editor
• Webapp: code editor — fix highlighting, slim deps, lazy-load
• Webapp: add Documentation link to top bar
• Webapp: add 'Never expires' TTL option to upload sidebar
• Allow CLI client page access without authentication (#569)
• Allow building a Docker image on a pull request comment (@bodji)
• Optimize: extract client builds and publish as release assets

Fix :

• Fix redirect for authenticated users away from login page
• Fix docs search bar overflow on mobile and add scrollable menu
• Fix flaky CI tests (dynamic port allocation + metrics timestamp)
• Fix Keycloak redirect URI handling (preserve ListenPort from config)
• Prevent pre-release (-RC) from overwriting Docker :latest tag
• Fix file cancel delay for server cleanup before refresh
• Fix docs deploy build pipeline

Infrastructure :

• CI: parallelize test jobs and add make test-backend target
• Docs: add VitePress documentation site
• Docs: document available Prometheus metrics
• Bump markdown-it 14.1.0 → 14.1.1 (security)

Binaries will be built with Go 1.26.0

Faithfully,
The Plik team

1.4-RC1

Plik 1.4-RC1

Hi, today we're releasing the first release candidate of the next plik major version 1.4 !

You can preview it with the binaries or rootgg/plik:1.4-RC1
We are still adding new feature and hunting bugs for a stable 1.4.0 release

Here is the changelog :

New :

• Complete webapp rewrite using Vue 3 + Vite (replacing AngularJS)
• OIDC authentication provider support (generic OIDC + Keycloak) (@babs)
• Webapp customization: custom js/css support
• User preference: disable authentication button (#486)
• Prometheus metrics improvements

Fix :

• MacOS server build flags
• Basic auth password hashing
• File descriptor leak
• S3 minimum part size
• Format string warnings
• Various typo fixes
• E2E test improvements and OIDC test coverage

Dependency Updates :

• Upgraded to Go 1.26.0
• golang.org/x/crypto 0.45.0 (CVE fixes)
• Various dependency security updates

Binaries will be built with Go 1.26.0

Faithfully,
The plik team

1.3.8

Plik 1.3.8

Hi, today we're releasing Plik 1.3.8 !
Here is the changelog :

New :

• Add user max upload size
• Add uploads list in admin panel
• Prometheus metrics
• Add feature flag to upload text (#485)
• Adding TLS option, to choose TLS version (@ludovic Houdayer)

Fix :

• Fix create user password parameter (#489)
• Fix commas break the format in curl attachments (@NeumoNeumo)
• Set cleaning interval to 5-10 minutes instead of 2-3 hours

Binaries have been built with Go 1.21.1

Faithfully,
The plik team

1.3.7

Plik 1.3.7

Hi, today we're releasing Plik 1.3.7 !
Here is the changelog :

New :

• Create/Edit users settings from web UI
• Add Text button to open the copy paste dialog
• Add maxFileSize and maxTTL default values to admin view
• Add /health endpoint

Fix :

• Fix create empty upload with authentication forced
• Automatically strip server URL trailing slash in Plik client
• Fix content-type detection for files smaller than 1KB
• Remove empty parent directories in file data backend
• Fix the use of deprecated key derivation
• Make SourceIP middleware remove zone from ip addreses

Binaries have been built with Go 1.20.5

Faithfully,
The plik team