Changelog

Release notes, security updates, and feature milestones.

  • Post not found regression -- Restored two-step post lookup: prefers id field (URL convention), falls back to numericId. The 5.3.3 commit incorrectly removed these, causing posts to not be found when navigating via URL. Adjacent post navigation uses id for deterministic ordering.
  • ThemeProvider crash on settings page -- Removed the if (!mounted) return <>{children}</> guard from ThemeContext that rendered children outside the provider during SSR/initial render, causing useTheme() to throw. The provider now always wraps children with the default "dark" theme until client hydration.
  • Post navigation bug -- Fixed ambiguous query in getAdjacentPosts() that matched across both id and numericId fields (which can diverge). Now performs a two-step lookup (prefer id, fallback to numericId) and sorts exclusively by id for deterministic post resolution. Pressing A/D keys no longer jumps to unrelated posts.
  • Tags not displaying -- Added tags: 1 to the post listing API .select() projection and added tag rendering to the PostGrid component. Tags saved during upload now appear as purple pills on post cards (up to 3, with "+N" overflow indicator).
  • Comment formatting broken -- Implemented parseCommentFormatting() utility that converts markdown syntax (**bold**, *italic*, __underline__, ~~strikethrough~~) to React elements. Added Underline and Strikethrough buttons to both Comment.tsx and CommentList.tsx formatting toolbars. Updated DOMPurify allowed tags to include <u> and <s>. Fixed CommentList preview to render formatted text instead of raw string.
  • Sitemap not updating -- Added missing revalidatePath() calls to moderation post deletion (/sitemap_uploads.xml), tag deletion (/sitemap_tags.xml), comment deletion by author/mod (/sitemap_comments.xml), and ban/unban actions (/sitemap_users.xml). Reduced sitemap cache headers from 3600s to 300s. Removed /moderation/public from sitemap index (it's a page, not a sub-sitemap).
  • Meta tags duplication -- Fixed title duplication (f0ck.org | f0ck.org) by using { absolute: title } in generateMetadata() and all page-level metadata exports. The layout template "%s | f0ck.org" now only applies to pages without explicit metadata.
  • robots.txt blocking public pages -- Consolidated robots.txt into Next.js robots.ts Metadata API. /moderation/public is now allowed for crawling; only private routes (/api/, /account/, /admin/, /settings/, auth routes, /upload) are blocked. Removed static public/robots.txt which was ignored by Next.js App Router.
  • Footer links -- Added "Free ShareX & Flameshot host" (https://sx.f0ck.org) and "f0ck TeamSpeak" (teamspeak://ts.f0ck.org) to the site footer.
  • Ko-fi / Support Us links -- Removed all Ko-fi donation links from Footer, Help page, and Terms page. Crypto donation addresses on Help page preserved.

  • Post detail "Post not found" error -- Fixed undefined variable id in src/app/api/posts/[id]/route.ts:92 -- changed to rawId. Posts without tags previously caused a ReferenceError resulting in a 500 response, displayed as "Post not found" in the client.
  • Comment links pointing to wrong posts -- Fixed numericId/id drift in comments API normalization. The canonicalId pattern (p.numericId || p.id) was overwriting p.id with numericId when they differed, causing comment links to go to wrong posts. Now only sets numericId from id if missing -- original id is preserved.
  • Comment link ID priority -- Changed all post link construction across Comment.tsx, CommentList.tsx, notificationService.ts, UserProfile.tsx, and RecentActivity.tsx to prefer id over numericId, matching the user-facing URL convention.

  • Comment link Object Object -- Fixed ObjectId-to-string conversion in notificationService, reported-comments API, Comment.tsx post links, and CommentList.tsx comment ID mapping. Comment fragment links now correctly resolve to the intended comment instead of showing [object Object].
  • Comment POST response ID -- Added explicit id = _id.toString() in the comments POST handler to ensure consistent string IDs in API responses.
  • Upload tag assignment -- Tag inputs are now disabled during upload to prevent stale tag state. Replaced shared currentTag state with per-item state to avoid cross-item input pollution.
  • Video upload temp file cleanup -- Fixed potential temp file leak in getVideoMetadata() by adding a settled flag and proper cleanup in both resolve and reject paths.
  • Video upload MIME type whitelist -- Added video/x-mov to the upload route whitelist for consistency with the upload library.
  • Dependabot security -- Updated nodemailer from 8.0.11 to 9.0.1 to fix GHSA-p6gq-j5cr-w38f (arbitrary file read / SSRF via raw option). All 23 open Dependabot alerts addressed -- 0 vulnerabilities remaining.
  • Version -- Bumped to 5.3.1 in package.json.
  • npm dependencies -- nodemailer 9.0.1 (security fix).

  • Admin user management -- New /api/admin/users endpoint for administrators to list, search, and modify user roles (user, premium, moderator, admin, banned) and grant/revoke premium status.
  • Footer link -- Added "ZNC bouncer" link to https://znc.f0ck.org in the site footer.
  • Comment post linking -- Fixed ObjectId query in /api/posts/[id] to prevent NaN branches when resolving ObjectId URLs (kilo-code-bot review).
  • Comment fragment preview -- Consolidated try-block in checkForCommentFragment, added status filter to only load approved comments for SEO metadata.
  • Adjacent post navigation -- Query now includes { id: numericId } for legacy numeric route compatibility.
  • Sitemap safety -- Both comment sitemap and main sitemap now filter out unsafe-rated posts when indexing comment URLs.
  • npm dependencies -- Updated packages to latest stable versions.
  • Version -- Bumped to 5.3.0 in package.json and README.
  • CHANGELOG -- Fixed typo "Keep a Keep a Changelog" to "Keep a Changelog".

  • Comment post linking -- Fixed critical bug where comments linked to wrong post IDs (e.g. comment on post/300 linked to post/25). Root cause was id vs numericId field divergence in Post model. All comment API routes now consistently resolve and return numericId as canonical post identifier.
  • Comment API post lookup -- GET and POST /api/comments now search by { $or: [{ numericId }, { id }] } instead of only { id }, ensuring correct post resolution regardless of which field matches.
  • Comment POST response -- Fixed postObjectId?.id (which returned ObjectId hex string) to use the actual numeric post ID.
  • CommentList data mapping -- Post ID mapping now prioritizes numericId over _id for consistent URL generation.
  • Tag upload limit -- Increased max tags from 15 to 30 across all upload paths (normalizeInputTags, validateUploadParams, client-side validation in FileList, BatchTagging, upload page).
  • Sitemap comment URLs -- Comments sitemap now resolves numeric post IDs via batch lookup instead of using raw ObjectId strings in URLs.
  • Sitemap post filtering -- Unsafe-rated posts excluded from sitemap for better SEO quality.
  • User profile Recent Activity overflow -- Added min-w-0, break-words, truncate classes to prevent long titles/content from breaking layout.
  • Post page adjacent post navigation -- Fixed to use numericId for navigation and _id for fallback lookup.
  • Post page metadata -- Removed noindex for unsafe content -- all posts are now indexable.
  • Root layout title -- Changed from "Free ShareX Host" to "f0ck.org - Anonymous Imageboard".
  • Site metadata name -- Changed from "Free ShareX Host" to "f0ck.org" across all pages.
  • Moderation public page -- Redesigned from card-based list to structured table layout with consistent columns (Action, Time, Details, Reason).
  • Filter hover effects -- Removed hover:-translate-y lift animations from filter containers and buttons on /posts/, /tags/, and /users/ pages for a cleaner, more static appearance.
  • Tags page -- Added missing <Footer /> component to /tags/ page.

  • Dynamic version display on homepage pulled from package.json environment variable.
  • Public moderation log page at /moderation/public with read-only activity wall.
  • API endpoint /api/moderation/public-activity for anonymous access to moderation actions.
  • video/x-mov MIME type support for .mov video uploads.
  • Footer: Removed sx.f0ck.org link, Teamspeak entry moved to Ko-fi Support link (already in place).
  • Rules page: Removed Discord integration section, added "Reporting Content" guidelines.
  • Navigation: Desktop "Home" link now uses gradient styling matching footer.
  • Tag validation: Now allows underscores in tag names for better compatibility.
  • Validation error messages: Improved specificity for unsupported file types.
  • Upload rejects fewer-than-3 tags and normalizes/dedupes/lowercases tag input before persistence.
  • Post tag editor now creates tags via /api/tags and persists additions with PUT /api/posts/[id]/tags; spacebar no longer triggers tag creation.
  • Post page tag enrichment uses one $in query instead of N+1 findOne calls and matches case-insensitively.
  • Moderation delete path decrements author uploads for posts and invokes comment stats cleanup for comment deletions.
  • Sitemap revalidation added for /api/user profile updates and pool membership changes.
  • Comment timestamps now link to the matching comments view for the post instead of fragment-only anchors.
  • Post page exposes a Mod Log shortcut for moderators/admins.
  • Account statistics tiles for likes, favorites and tags are now clickable filters.
  • Updated dependency versions to address Dependabot advisories.

[Unreleased]

  • Comment formatting toolbar with Bold, Italic, Link, and Preview actions in comment forms.
  • Anonymous-user hint in comment forms indicating no account is required.
  • Post thumbnails in comment listings next to "Comment on:" references.
  • Changelog page now uses collapsible version sections with search/filter and section item counts.
  • Settings page redesigned with SettingRow/SectionHeader layout and animated Switch component.
  • Privacy settings moved to the bottom of the account page and now auto-save via PUT /api/user.
  • EmojiPicker renders through a React Portal to prevent z-index stacking issues.
  • Account bio enforces a 250-character limit with visual feedback at thresholds.
  • Post navigation (getAdjacentPosts) now respects content rating filter from query parameter when navigating between posts.
  • Posts page pagination crash from circular URL/state sync when infinite scroll is disabled.
  • Tag filter removal now uses index-based deletion to avoid stale-closure failures.
  • Comment and report modal layering corrected with portal rendering and elevated z-index values.
  • PostFilter "More" button now uses flex-shrink-0 to avoid compression on small screens.
  • Comment timestamp links now correctly point to /post/{id}#comment-{id} instead of /comments?postId=..., restoring the expected navigation behavior.
  • Comment "Comment on:" section now shows a clickable thumbnail of the linked post, enabling quick navigation and visual context.
  • User profile stats aggregation (/api/users/[username]) -- Fixed duplicate $lookup for pools (was counting pools twice) and added missing $lookup for posts (reported 0 uploads for all users). Stats are now computed correctly in a single aggregation pipeline.
  • Banned users can no longer log in -- Added explicit role === "banned" check in auth.ts credentials flow and refresh-session callback, blocking both new sessions and existing JWT renewal.
  • Changelog page now shows a more informative error with searched file paths when CHANGELOG.md cannot be read from the filesystem.
  • Footer now includes a "Mod View" link to /moderation/public for transparent moderation access by all users and visitors.
  • Explicit empty catch blocks replaced with console.warn() logging for improved debuggability.
  • Previously banned users with valid sessions could still refresh their JWT; the refresh callback now invalidates the token and forces logout.

  • PNG upload error -- Resolved a.pipeThrough is not a function crash by aligning processUpload to the existing Readable.toWeb(Readable.from(...)) pattern already used in /api/upload and assemble-chunks routes, restoring PNG/Web Stream compatibility with file-type v22.
  • Chunked image upload rejection -- The assemble-chunks route no longer rejects all non-video uploads; PNG, JPEG, and other image formats are now accepted after chunk reassembly.
  • Chunk metadata safety -- Malformed or undefined chunk meta.json values (tags, contentRating) no longer crash chunk assembly; tags are validated as arrays and content ratings are coerced to the supported set before being persisted.
  • Legacy PNG MIME support -- image/x-png is now whitelisted across upload entry points, preventing false rejections on older browser-reported PNG types.
  • Client paste path validation -- Clipboard-paste uploads in the dropzone now apply the same type/size filter as drag-and-drop, removing a bypass for oversized or unsupported pasted PNGs.

  • Comment formatting toolbar -- Bold, Italic, Link, and Preview buttons in comment creation/reply/edit forms.
  • Comment anonymous hint -- Shows "No account needed" text for unauthenticated users in comment form.
  • Comment post thumbnails -- Comment listings now show post thumbnails next to "Comment on:" links.
  • Blog system -- /f0ck/blog/ listing and detail pages with RSS feed at /api/blog/rss.
  • Dynamic sitemap -- Sitemap now includes public user profiles and individual comment pages alongside posts, tags, and pools.
  • Changelog page redesign -- Collapsible version sections, search/filter, collapsible subsections with item counts, back-to-top button, compact summary badges per version.
  • Settings page redesign -- Polished animated Switch component with checkmark/X icons, improved setting row layout with descriptions, better section grouping.
  • Comment mobile responsiveness -- Action buttons wrap on mobile, responsive mention dropdown, scrollable formatting toolbar.
  • EmojiPicker portal rendering -- Now renders via React Portal to document.body to prevent z-index stacking issues.
  • Privacy settings placement -- Moved to bottom of account page, after security integrations section.
  • Post navigation skipping unsafe/sketchy posts -- getAdjacentPosts no longer filters by content rating -- navigation always finds the truly adjacent post regardless of rating.
  • Posts page pagination crash -- Fixed circular dependency between URL sync and page state that caused infinite offset loop when infinite scroll was disabled.
  • Tag filter double-click -- Changed from value-based to index-based tag removal using ref to avoid stale closure.
  • Comment z-index layering -- Emoji picker and report modal now properly layer above comments via portal rendering and z-index fixes.
  • PostFilter "More" button overflow -- Added flex-shrink-0 to prevent button compression on smaller screens.
  • Comment report modal z-index -- Bumped to z-[10000] to render above emoji picker.
  • Account bio character limit -- Enforced 250 character limit with visual feedback (yellow at 200+, red at 250).
  • Privacy settings not saving -- Privacy toggles now auto-save to backend via PUT /api/user with 500ms debounce and status feedback.

API -- /api/user

  • MongoDB password projection error corrected -- GET /api/user now returns 500 because the aggregation pipeline mixed inclusion (password: 1) with exclusion (password: 0) in the same $project stage. Fixed by removing the inclusion; only password: 0 is used, preventing MongoServerError: Invalid $project. Ref: src/app/api/user/route.ts.

EmojiPicker & GifSelector -- runtime crash

  • onClose is not a function crash fixed in both EmojiPicker (src/components/EmojiPicker.tsx) and GifSelector (src/components/GifSelector.tsx): onClose is now an optional prop with a default no-op, so components render safely even when the prop is omitted.
  • CommentList comment creation form (src/app/comments/components/CommentList.tsx): EmojiPicker and GifSelector instances in the comment creation box now receive the correct onClose callback and no longer depend on a non-existent wrapper onClick handler.
  • PostDetails comment composition box (src/app/posts/components/PostDetails.tsx): EmojiPicker and GifSelector both receive onClose callbacks, matching the implementation already present in the inline Comment reply box.

Navigation labels swapped

  • Posts list pagination (src/app/posts/components/PostsPage.tsx): Left arrow button was labelled "Next" but navigated to the previous page; right arrow button was labelled "Previous" but navigated forward. Both labels swapped to read Previous / Next, matching the Math.max(1, p-1) and Math.min(totalPages, p+1) action handlers.

Post-level navigation labels swapped

  • Single-post post navigator (src/app/posts/components/PostNavigation.tsx): Previous button was wired to nextPostId (higher-ID / newer post, not the older one) and Next button was wired to previousPostId. JSX conditionals swapped so that Previous is shown only when previousPostId exists and navigates to the older post, while Next is shown only when nextPostId exists and navigates to the newer post.

Footer

  • Discord server link removed from footer (src/components/Footer.tsx); TeamSpeak 3 ts3server://ts.f0ck.org link retained as the sole external chat link.

Next.js Image config

  • images.qualities: [75, 95] added to next.config.mjs so that quality={95} used in PostDetails.tsx is an allowed value and the Next.js build/DevTools warning disappears.

Account page -- session fallback for avatar

  • AccountCard initial avatarUrl state (src/app/account/components/AccountCard.tsx) falls back to session?.user?.avatar (the value already known to NextAuth at login), preventing a flash of the default avatar before the /api/user profile API completes.

Google indexing / SEO

  • Added src/app/sitemap.ts so that Google and other search-engines can discover /posts, /comments, /account, /moderation, /f0ck/changelog, /rules, /terms, and /help -- previously only the homepage was listed in any indexable source.
  • Changelog page file-access path candidates expanded (src/app/f0ck/changelog/page.tsx) to include an absolute project-root fallback, so CHANGELOG.md reliably loads even in standalone Docker/prod contexts where process.cwd() points to the server working directory rather than the source tree root.

  • Phase 0-1-1: Critical SSRF hardened with env var fallback + DNS resolution checks; production data-leak (console.log) removed from PostDetails.tsx; ModActionsPanel action whitelist via TypeScript as const.
  • Phase 0-1-2: ESLint reduced 56 to 26 warnings (0 errors); let to const x8; 4 HTML-entity escapes; 4 require() to ESM imports; 11 react-hooks/exhaustive-deps fixes.
  • Phase 0-1-3: ErrorBoundary class component with getDerivedStateFromError + Try-Again reset; ThemeContext SSR hydration fixed; module-level side-effects removed from layout.tsx.
  • Phase 0-1-4: Tag validation fixed (max 15 tags, per-tag length/regex check inside loop); normalizeInputTags helper added; tag persistence fallback (new Tag().save() when findOrCreate fails); chunk upload tags forwarded via meta.json side-channel; N+1 tag query batched to $in; Tag model regex accepts hyphens.
  • Phase 0-1-5: LiveWall component with AbortController polling; QuickActions onTabChange wired; PostModerator 8 dead typeof toast !== 'undefined' guards removed; ModLog action types fixed (feature/unfeature to MARK_AS_AD/REMOVE_AD).
  • Phase 0-1-6: Comment creation form UI added to unified CommentList; stale closure fixed in handleLoadMore; 3 replace() to replaceAll() fixes in GIF/content rendering; /post/[id] page renders inline CommentList; 1,798 lines of dead code removed across 6 old comment files.
  • Phase 0-1-7: PostNavigation label direction corrected; content-rating filter reads ?rating= from URL; keyboard navigation fixed (A = older, D = newer); PostNavigation wrapped in Suspense boundary; getImageUrlWithCacheBuster regex fixed with g flag.
  • Phase 0-1-8: CommentsPage ingestion path quarantined (no longer imported into posts detail routes); CommentModeration uses unified component; CommentFilter and CommentList refactored to shared component shape.
  • Phase 0-1-9: Manifest page with layout/content/PDF route; Values page (8 hacker values); Community page with guidelines; History page with milestones; API documentation page; Blog system with data/listing/detail pages/API/RSS.
  • Phase 0-1-10: Vitest config with setupFiles; test env vars/hooks; 18 navigation filter tests; 30 tag E2E tests; 48 new tests all passing.
  • Phase 0-1-11: AddToPoolModal enhanced (search, loading, error); Pool API permission checks with moderator override; contributor tracking on pool actions; Pools field added to User model; Pool stats on user profiles.
  • Phase 0-1-12: Full build, lint, test pass; CHANGELOG and README updated; 66 tests (65 passing, 1 pre-existing TS check unrelated).
  • Tag model type enum now includes 'meta' alongside general/character/copyright/artist.
  • User model privacySettings now has showPools field with isProfilePrivate defaulting to false.
  • Account page: _maxAge: '0' added to profile-fetch requests to ensure uncached data.
  • Tag edit/count facade backed by service abstractions; view-layer tags delegate to orchestrator.
  • Upload edge validated; pool-edit guarded; narrative system refactored with unambiguous results.
  • Help system migrated to dynamic sub-page layout.
  • Session-update token-hardening prevents privileged-field overwrite from client-triggered updates; identity-field refresh avoids stale session during auth transitions.
  • Changelog blank-line rendering preserves intentional empty lines from Markdown; list-typo and indentation preserved.
  • Tag edit endpoint infinite-loop corrected; stale user-state after anonymous upload countered.
  • comments/filter-users route pruning; error-format contract explicitly checked.
  • Post count updated via ModLog pipeline; creative writing filter response corrected.
  • User-list deduplication.
  • Pool bug categorisation: in-place tag/pool editor page loading.
  • Watermark placement corrected on CMD+Shift+2; embed page layout removed; test-administration contract hardened.

  • file-type upgraded from v21 to v22 with migration to new stream-based API (fileTypeFromStream).
  • eslint upgraded from v9 to v10 with full Flat Config migration (languageOptions, globals, js.configs.recommended).
  • typescript upgraded from 5.9 to 6.0.3.
  • @types/react upgraded to 19.2.18, @types/react-dom to 19.2.6, @types/node to 25.7.0.
  • Dependency Stack Refresh -- All production dependencies updated to latest stable versions:
    • eslint: 9.39.2 to 10.3.0
    • file-type: 21.3.0 to 22.0.1 (breaking: stream-based API)
    • typescript: 5.9.3 to 6.0.3
    • next: 16.2.6 (unchanged, latest stable)
    • react/react-dom: 19.2.6 (unchanged, latest stable)
    • tailwindcss/@tailwindcss/postcss/@tailwindcss/forms: 4.3.0 (unchanged, latest stable)
    • @types/react: 19.2.14 to 19.2.18
    • @types/react-dom: 19.2.3 to 19.2.6
    • @types/node: 25.6.2 to 25.7.0
    • eslint-config-next: 16.2.6 (unchanged)
  • ESLint 10 Flat Config Migration (eslint.config.mjs):
    • Added js.configs.recommended as base config.
    • Consolidated env, globals, parserOptions into unified languageOptions block.
    • Imported globals from globals npm package (globals.browser, globals.node, globals.es2021).
    • Removed deprecated @eslint/eslintrc import pattern.
    • All react-hooks rules retained at warn level for backward compatibility.
  • file-type v22 Migration:
    • fileTypeFromBuffer() replaced with fileTypeFromStream(Readable.from(buffer)) in:
      • src/lib/upload.ts
      • src/app/api/upload/route.ts
      • src/app/api/upload/assemble-chunks/route.ts
      • src/app/api/user/avatar/route.ts
    • Added import { Readable } from 'stream' where needed.
  • Security Overrides Expanded in package.override:
    • Added transitive dependency pins: glob-parent, send, mime, qs, path-parse, debug, ms, lodash.merge.
    • Ensures all transitive dependencies locked to known-safe versions.
  • 7 Dependabot advisories addressed via transitive dependency overrides:
    • glob-parent >= 6.0.2 (path traversal)
    • send >= 1.2.0 (DoS)
    • mime >= 4.0.0 (content-type sniffing)
    • qs >= 6.14.0 (prototype pollution)
    • path-parse >= 1.0.7 (ReDoS)
    • debug >= 4.4.3 (ReDoS)
    • ms >= 2.1.3 (ReDoS)
    • lodash.merge >= 4.6.2 (prototype pollution)
  • npm audit passes with 0 vulnerabilities.
  • Broken fileTypeFromBuffer calls now use v22-compatible fileTypeFromStream with Readable wrapper.
  • ESLint build passes cleanly on v10 with updated Flat Config.
  • TypeScript compilation compatible with v6 strict mode.
  • Next.js 16.2.6, React 19.2.6, and TailwindCSS 4.3.0 remain the stable foundation -- no breaking changes in these packages since last release.
  • This release is fully backward-compatible for end users; all changes are internal dependency upgrades and security hardening.

  • Secure FFmpeg-based media processing pipeline for uploaded videos with H.264/AAC normalization.
  • Image optimization pipeline with automatic WebP output for storage and bandwidth efficiency.
  • Extended pools domain capabilities:
    • create/edit/delete pool lifecycle
    • visibility and content rating controls
    • moderation-safe pool management operations
  • Universal report flow for posts and comments with actionable moderation reasons.
  • Expanded moderation action center:
    • bulk target support
    • reason preset support
    • report-clearing operations
  • Dedicated in-app project namespace:
    • /f0ck as a new project-native landing route
    • /f0ck/changelog as in-app release notes
  • /changelog redirect route for consistent external entry points.
  • Dedicated metadata coverage for:
    • /changelog
    • /f0ck/changelog
    • /f0ck
  • Runtime logo-discovery API at /api/logos for dynamic .png logo selection.
  • Privacy persistence and enforcement flow across account, profile, and feed entry points.
  • Tag activity live-stat aggregation for newPostsToday and newPostsThisWeek.
  • Changelog rendering is now sourced directly from Markdown and displayed in structured release cards.
  • Changelog page visual system has been reworked:
    • wider content canvas
    • more readable vertical rhythm
    • mono-styled release title treatment
    • section badges for release categories
  • Release version headers are anchor-linkable from both sidebar and in-card title.
  • Changelog renderer normalizes display text by stripping emoji glyphs.
  • Changelog markdown typography now applies explicit spacing and list indentation rules for long-form readability.
  • Random logo selection no longer uses hardcoded paths and now discovers available logos from public/logos.
  • Moderation dashboard width and density were tuned for large-screen operational workflows.
  • Post and tag filter behavior is aligned for consistent intersection logic.
  • Notifications and tags pagination contracts are aligned between backend response and frontend consumption.
  • Legacy password route now delegates to a central password policy flow with compatibility headers.
  • Changelog blank-line rendering now preserves intentional empty lines from Markdown.
  • Changelog list rendering now keeps correct list indentation and spacing.
  • Mention autocomplete reliability and dropdown lifecycle handling in post comments.
  • GIF handling in post comments now supports independent selection/removal without clearing typed text.
  • Favorite API compatibility by returning both favoriteCount and favoritesCount.
  • Tag filter deduplication and duplicate key issues in active tag rendering flow.
  • User stats navigation query consistency for:
    • liked_by
    • favorited_by
    • disliked_by
  • Compile regression in users/[username]/activity caused by duplicate imports.
  • Notifications pagination behavior (page, limit, hasMore) and load-more UI state drift.
  • Comments and tag-detail page restoration to full component rendering paths.
  • Dependabot alert #74 resolved by upgrading nodemailer to 8.0.5 (GHSA-vvjj-xcjg-gr5g).
  • Session update hardening prevents privileged token field overwrite from client-triggered updates.
  • Identity field refresh during token/session update avoids stale user identity state.
  • Upload route hardening:
    • strict chunk metadata validation
    • safer chunk assembly filename handling
  • URL import temporary file ownership model enforced per user scope.
  • Expanded SSRF defenses:
    • protocol restrictions
    • redirect-hop validation
    • private/internal target blocking
    • payload size limits
  • Additional rate limits on sensitive upload and user-search paths.
  • Atomic report-write safeguards against duplicate report race conditions.
  • Unified path sanitization and base containment checks in image/thumbnail/file routes.
  • Regex escaping for username-query APIs to prevent pattern abuse and false-positive matches.
  • Moderator/admin authorization enforcement for tag mutation endpoints.
  • Post-release security patches (2026-04-10):
    • Fixed path traversal vulnerability in moderation thumbnail regeneration.
    • Fixed password hash exposure in user API aggregation.
    • (Reverted: anonymous uploads remain allowed with ownership validation)
    • Fixed tempFilePath ownership bypass -- now validates for both authenticated and anonymous users.
    • Added pagination to reported posts endpoint to prevent memory exhaustion.
    • Added input validation (length limits, whitelists) to moderation actions.
    • Added pagination bounds to posts API (max 100, min 1).
    • Fixed unhandled promise in user API lastSeen update.
    • Added ObjectId validation in reports API.
  • Live tag activity counters are computed from current DB state on request.
  • Privacy settings are persisted in user documents and enforced in profile, activity, and feed APIs.
  • User list responses are privacy-aware and redact hidden profile fields where required.
  • This is still part of the larger 5.0.0-beta rollout and remains under active stabilization.
  • This entry intentionally serves as the main comprehensive reference for the current beta milestone.

  • More deterministic account-registration error semantics for duplicate username/email handling.
  • Improved fallback handling paths for media previews and selector overlays.
  • Discord OAuth username handling now preserves actual provider identity instead of synthetic fallback naming.
  • Discord OAuth email ingestion now maps cleanly to account profile fields.
  • Registration race condition around duplicate username/email writes.
  • GIF/emoji selector layering and z-index issues in comment composition UI.
  • Video thumbnail fallback behavior for comments containing video posts.
  • Pool navigation assumptions around non-numeric IDs (ObjectId-safe behavior).
  • Error-message quality for registration collisions (clear username/email conflict reporting).
  • Platform-facing UI copy moved to consistent English output.
  • HTML language attribute switched to en for semantic correctness and crawler/accessibility consistency.
  • Authentication and registration messaging normalized for cleaner frontend handling.
  • 4.7.1-beta focused on high-impact correctness fixes ahead of the larger 5.0.0-beta stabilization cycle.

  • Upload progress UI improvements for multi-file flows with retry-friendly feedback.
  • Timezone utility layer for consistent day/week windows in statistics.
  • Scheduled tag-stat maintenance endpoint for periodic counter resets.
  • Additional database indexes for high-frequency query paths.
  • XSS vulnerability in the comment edit endpoint.
  • Video thumbnail behavior in comment-list rendering.
  • Mobile GIF picker positioning and viewport overlap handling.
  • Tag stats daily/weekly counter logic with timezone-aware boundaries.
  • Pool sorting behavior for most_items and related query edge cases.
  • Stats update drift in tag-removal flows.
  • Avatar caching behavior improved to reduce unnecessary reloads.
  • Discord and tag query performance improved through targeted index coverage.
  • Upload and media pipelines aligned for better operational stability during heavy usage.
  • 4.7.0-beta was the foundation release that stabilized media, stats, and moderation-adjacent workflows before 4.7.1-beta and 5.0.0-beta.

Showing 14 of 14 versions