v0.18.3 Release

To update the prebuilt executable you can run ./pocketbase update.

• Exposed a global JSVM readerToString(reader) helper function to allow reading Go io.Reader values (#3273).
  This was added mainly because some payment providers may require the entire raw body in order to verify a webhook event.

• Bumped the GitHub action to use min Go 1.21.1 for the prebuilt executable since it contains some minor html/template and net/http security fixes.

v0.18.2 Release

To update the prebuilt executable you can run ./pocketbase update.

• Prevent breaking the record form in the Admin UI in case the browser's localStorage quota has been exceeded when uploading or storing large editor field values (#3265).

• Updated docs and missing JSVM typings.

• Exposed additional crypto primitives under the $security.* JSVM namespace (#3273):

  // HMAC with SHA256
  $security.hs256("hello", "secret")
  
  // HMAC with SHA512
  $security.hs512("hello", "secret")
  
  // compare 2 strings with a constant time
  $security.equal(hash1, hash2)

v0.18.1 Release

To update the prebuilt executable you can run ./pocketbase update.

• Excluded the local temp dir introduced with v0.17.3 from the backups (#3261).

v0.18.0 Release

To update the prebuilt executable you can run ./pocketbase update.

• Simplified the serve command to accept domain name(s) as argument to reduce any additional manual hosts setup that sometimes previously was needed when deploying on production (#3190).

  ./pocketbase serve yourdomain.com

• Added fields wildcard (*) support.

• Added option to upload a backup file from the Admin UI (#2599).

• Registered a custom Deflate compressor to speedup (nearly 2-3x) the backups generation for the sake of a small zip size increase.
  Based on several local tests, pb_data of ~500MB (from which ~350MB+ are several hundred small files) results in a ~280MB zip generated for ~11s (previously it resulted in ~250MB zip but for ~35s).

• Added the application name as part of the autogenerated backup name for easier identification (#3066).

• Added new SmtpConfig.LocalName option to specify a custom domain name (or IP address) for the initial EHLO/HELO exchange (#3097).
  This is usually required for verification purposes only by some SMTP providers, such as on-premise Gmail SMTP-relay.

• Added NoDecimal number field option.

• editor field improvements:

  • Added new "Strip urls domain" option to allow controlling the default TinyMCE urls behavior (default to false for new content).
  • Normalized pasted text while still preserving links, lists, tables, etc. formatting (#3257).

• Added option to auto generate admin and auth record passwords from the Admin UI.

• Added JSON validation and syntax highlight for the json field in the Admin UI (#3191).

• Added datetime filter macros:

  // all macros are UTC based
  @second     - @now second number (0-59)
  @minute     - @now minute number (0-59)
  @hour       - @now hour number (0-23)
  @weekday    - @now weekday number (0-6)
  @day        - @now day number
  @month      - @now month number
  @year       - @now year number
  @todayStart - beginning of the current day as datetime string
  @todayEnd   - end of the current day as datetime string
  @monthStart - beginning of the current month as datetime string
  @monthEnd   - end of the current month as datetime string
  @yearStart  - beginning of the current year as datetime string
  @yearEnd    - end of the current year as datetime string
  

• Added cron expression macros (#3132):

  @yearly   - "0 0 1 1 *"
  @annually - "0 0 1 1 *"
  @monthly  - "0 0 1 * *"
  @weekly   - "0 0 * * 0"
  @daily    - "0 0 * * *"
  @midnight - "0 0 * * *"
  @hourly   - "0 * * * *"
  

• ⚠️ Added offset argument Dao.FindRecordsByFilter(collection, filter, sort, limit, offset, [params...]).
  If you don't need an offset, you can set it to 0.

• To minimize the footguns with Dao.FindFirstRecordByFilter() and Dao.FindRecordsByFilter(), the functions now supports an optional placeholder params argument that is safe to be populated with untrusted user input.
  The placeholders are in the same format as when binding regular SQL parameters.

  // unsanitized and untrusted filter variables
  status := "..."
  author := "..."
  
  app.Dao().FindFirstRecordByFilter("articles", "status={:status} && author={:author}", dbx.Params{
    "status": status,
    "author": author,
  })
  
  app.Dao().FindRecordsByFilter("articles", "status={:status} && author={:author}", "-created", 10, 0, dbx.Params{
    "status": status,
    "author": author,
  })

• Added JSVM $mails.* binds for the corresponding Go mails package functions.

• Added JSVM helper crypto primitives under the $security.* namespace:

  $security.md5(text)
  $security.sha256(text)
  $security.sha512(text)

• ⚠️ Fill the LastVerificationSentAt and LastResetSentAt fields only after a successfull email send (#3121).

• ⚠️ Skip API fields json transformations for non 20x responses (#3176).

• ⚠️ Changes to tests.ApiScenario struct:

  • The ApiScenario.AfterTestFunc now receive as 3rd argument *http.Response pointer instead of *echo.Echo as the latter is not really useful in this context.

    // old
    AfterTestFunc: func(t *testing.T, app *tests.TestApp, e *echo.Echo)
    
    // new
    AfterTestFunc: func(t *testing.T, app *tests.TestApp, res *http.Response)

  • The ApiScenario.TestAppFactory now accept the test instance as argument and no longer expect an error as return result (#3025).

    // old
    TestAppFactory: func() (*tests.TestApp, error)
    
    // new
    TestAppFactory: func(t *testing.T) *tests.TestApp

    Returning a nil app instance from the factory results in test failure. You can enforce a custom test failure by calling t.Fatal(err) inside the factory.

• Bumped the min required TLS version to 1.2 in order to improve the cert reputation score.

• Reduced the default JSVM prewarmed pool size to 25 to reduce the initial memory consumptions (you can manually adjust the pool size with --hooksPool=50 if you need to, but the default should suffice for most cases).

• Update gocloud.dev dependency to v0.34 and explicitly set the new NoTempDir fileblob option to prevent the cross-device link error introduced with v0.33.

• Other minor Admin UI and docs improvements.

v0.17.7 Release

To update the prebuilt executable you can run ./pocketbase update.

• Fixed the autogenerated down migrations to properly revert the old collection rules in case a change was made in up (#3192; thanks @impact-merlinmarek).
  Existing down migrations can't be fixed but that should be ok as usually the down migrations are rarely used against prod environments since they can cause data loss and, while not ideal, the previous old behavior of always setting the rules to null/nil is safer than not updating the rules at all.

• Updated some Go deps.

v0.17.6 Release

To update the prebuilt executable you can run ./pocketbase update.

• Fixed JSVM require() file path error when using Windows-style path delimiters (#3163).

v0.17.5 Release

To update the prebuilt executable you can run ./pocketbase update.

• Small fix to add quotes around the wrapped view query columns introduced in v0.17.4.

v0.17.4 Release

To update the prebuilt executable you can run ./pocketbase update.

• Fixed Views record retrieval when numeric id is used (#3110).
  With this fix we also now properly recognize CAST(... as TEXT) and CAST(... as BOOLEAN) as text and bool fields.

• Fixed relation "Cascade delete" tooltip message (#3098).

• Fixed jsvm error message prefix on failed migrations (#3103; thanks @nzhenev).

• Disabled the initial Admin UI admins counter cache when there are no initial admins to allow detecting externally created accounts (eg. with the admin command) (#3106).

• Downgraded google/go-cloud dependency to v0.32.0 until v0.34.0 is released to prevent the os.TempDir cross-device link error since too many users complained about it.

v0.17.3 Release

To update the prebuilt executable you can run ./pocketbase update.

• Fixed Docker cross-device link error when creating pb_data backups on a local mounted volume (#3089).
  It could still fail if the OS temp directory is on a different mount. As a workaround for this case you can try to explicitly set TMPDIR env variable. With the next release of google/go-cloud dependency we'll explicitly set the temp files to be created in the same dir as the uploaded/renamed files.

• Fixed the error messages for relation to views (#3090).

• Always reserve space for the scrollbar to reduce the layout shifts in the Admin UI records listing due to the deprecated overflow:overlay.

• Enabled lazy loading for the Admin UI thumb images.

v0.17.2 Release

To update the prebuilt executable you can run ./pocketbase update.

• Soft-deprecated $http.send({ data: object, ... }) in favour of $http.send({ body: rawString, ... })
  to allow sending non-JSON body with the request (#3058).
  The existing data prop will still work, but it is recommended to use body instead (to send JSON you can use JSON.stringify(...) as body value).

• Added core.RealtimeConnectEvent.IdleTimeout field to allow specifying a different realtime idle timeout duration per client basis (#3054).

• Fixed apis.RequestData deprecation log note (#3068; thanks @gungjodi).