chore(deps): update binwiederhier/ntfy docker tag to v2.25.0 #65

Open
renovate[bot] wants to merge 1 commit into main from renovate/binwiederhier-ntfy-2.x
@renovate renovate Bot commented May 18, 2026

Contributor

This PR contains the following updates:

Package | Update | Change
binwiederhier/ntfy (source) | minor | v2.22.0 -> v2.25.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

binwiederhier/ntfy (binwiederhier/ntfy)

v2.25.0

Compare Source

This release adds password reset via email, and reworks email verification to use durable, link-based magic links (replacing the old in-memory 6-digit codes). Email stays optional at signup; a user can reset their password only once they have a verified "primary" (recovery) email.

All of this work is probably not useful for self-hosters, but it hopefully will be useful for me, since I do have to reset accounts on a regular basis.

Security issues:

  • Generate access tokens, IDs, and magic-link tokens with a cryptographically secure RNG (crypto/rand) instead of a clock-seeded PRNG

Features:

  • Add password reset via emailed magic link, with a "Forgot password" link on the login page and a ntfy user reset-pass CLI command for admins
  • Rework email verification to use durable, single-use, expiring magic links instead of in-memory 6-digit codes, and add a "primary" email (used for account recovery and as the X-Email: yes target) with verified/unverified state in the account UI
  • You can now clear/read messages and delete messages with a GET request (#​1771, thanks to @​lemmi for reporting and to @​wunter8 for implementing)
  • Add a reload button to the web app's action bar when running as an installed PWA, which clears the service worker caches and hard-refreshes the app
  • Add a "Back to app" link to the web app's login, signup, and password-reset pages (alongside the existing links), which previously had no way back to the app

Bug fixes + maintenance:

  • X-Email: yes (also true/1) now sends to your primary verified email regardless of the smtp-sender-verify setting (previously it was rejected unless verification was enabled); it requires being logged in with a verified address
  • Grant users full access to their own sync topic (st_...) so cross-device subscription sync works under auth-default-access: deny-all (#​733, #​1795, thanks to @​lmorchard for the contribution)
  • Support HTTP (non-TLS) S3-compatible endpoints by preserving the endpoint scheme, e.g. for a local MinIO instance (#​1794, #​1734, thanks to @​sskender for the contribution, and @​Kernald for reporting)
  • Stop silently stripping spaces from passwords while typing in the web app's login, signup, and password-reset forms (#​1246, thanks to @​aldem for reporting)
  • Update web app dependencies, including major-version upgrades to Vite (6 -> 8, now Rolldown-based), Material UI (5 -> 9), and Dexie (3 -> 4) (#​1800, #​1764, #​1767, #​1762, #​1766, #​1765, thanks Dependabot)
  • Play notification sounds in the web app even when the Notification API is unavailable, e.g. over plain HTTP or in browsers without notification support (#​1772, thanks to @​mitya12342 for the contribution)
  • Stop escaping <, >, and & as \u003c/\u003e/\u0026 in JSON responses (#​1511, #​1512, thanks to @​wunter8 for the contribution)
  • Fix the web app navbar not reflecting a topic reservation (lock icon, and "Reserve topic" -> "Change reservation"/"Remove reservation" menu) until a page reload, by persisting reservation and display-name changes onto already-subscribed topics during account sync
  • Reduce the web app's initial bundle size by ~300 KB (~50 KB gzipped) by lazy-loading the emoji picker dataset and the Markdown renderer, and by importing Material UI icons individually

v2.24.0

Compare Source

The main feature for this release is an in-memory ACL cache (auth-access-cache) that can help bring down the read load on the production database. The topic authorization queries are consistently the highest ranking queries on the database, so this will help quite a bit. The current database load is quite low, but I'm expecting it to increase as more users join and use ntfy.

Security issues:

  • Fix case-insensitive ACL topic matching on SQLite: an access control rule for secret no longer also matches a request for SECRET. SQLite's LIKE is case-insensitive for ASCII by default. PostgreSQL was unaffected. It's honestly incredible that this issue remained undetected for so long, especially while ntfy.sh was running on SQLite (it now runs on PostgreSQL).

Features:

  • Add opt-in in-memory ACL cache (auth-access-cache) that serves topic authorization without a database round-trip; off by default, intended for high-volume servers
  • Add ntfy --version flag to the CLI (#​1722, #​1748, thanks to @​sskender for the contribution, and @​Saucy9607 for reporting)

Bug fixes + maintenance:

v2.23.0

Compare Source

Features:

  • Add per-visitor rate limit on new topic creations (visitor-topic-creation-limit-burst / visitor-topic-creation-limit-replenish, defaults 100 burst / 1m replenish) to mitigate topic-enumeration / squatting attacks that inflate the in-memory topic map

Bug fixes + maintenance:

  • Remove stacktrace-js, stacktrace-gps, humanize-duration, and js-base64 from the web app to reduce dependency and security footprint
  • Restrict the publish dialog's local file preview to safe image types (png/jpg/gif/webp) to prevent same-origin script execution from blob URLs when previewing a crafted SVG (GHSA-j8hr-p342-xrmh, thanks to @​Venukamatchi for reporting)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
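
The v2.24.0 security note above states that SQLite's LIKE is case-insensitive for ASCII by default. The following is an added example, not ntfy's code: the table layout, the rule rows and the GLOB-based comparison are assumptions chosen to show how a LIKE-based topic match over-authorizes and how to audit for it.

```python
import sqlite3

# Constructed rules (user, topic pattern with '*' wildcard, permission).
# The table layout is an assumption for this example, not ntfy's schema.
RULES = [
    ("alice", "secret", "read-write"),
    ("alice", "alerts_*", "read-only"),
]

# LIKE-based match: '_' is escaped, '*' becomes '%'. Case-insensitive for ASCII.
LIKE_SQL = (
    "SELECT perm FROM acl WHERE user = ? AND "
    "? LIKE REPLACE(REPLACE(topic, '_', '\\_'), '*', '%') ESCAPE '\\'"
)
# GLOB-based match: same '*' wildcard, but always case-sensitive in SQLite.
GLOB_SQL = "SELECT perm FROM acl WHERE user = ? AND ? GLOB topic"


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acl (user TEXT, topic TEXT, perm TEXT)")
    db.executemany("INSERT INTO acl VALUES (?, ?, ?)", RULES)
    return db


def lookup(db, sql, user, topic):
    """Return the permission of the first matching rule, or None."""
    row = db.execute(sql, (user, topic)).fetchone()
    return row[0] if row else None


def audit(db, user, topics):
    """Return topics that LIKE authorizes but the case-sensitive match does not."""
    return [t for t in topics
            if lookup(db, LIKE_SQL, user, t) and not lookup(db, GLOB_SQL, user, t)]


if __name__ == "__main__":
    db = open_db()
    # Constructed request topics, mixing exact, case-shifted and non-matching names.
    requests = ["secret", "SECRET", "Secret", "alerts_db", "ALERTS_DB", "alertsXdb"]
    for t in requests:
        like, glob = lookup(db, LIKE_SQL, "alice", t), lookup(db, GLOB_SQL, "alice", t)
        print(f"{t:10} LIKE={like!s:11} GLOB={glob}")
    print("over-matched by LIKE:", audit(db, "alice", requests))
```
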

InputObject2 force-pushed the main branch 11 times, most recently from bce835b to 01bc70b (May 23, 2026 03:21)
renovate Bot changed the title from "chore(deps): update binwiederhier/ntfy docker tag to v2.23.0" to "chore(deps): update binwiederhier/ntfy docker tag to v2.24.0" (Jun 4, 2026)
renovate Bot force-pushed the renovate/binwiederhier-ntfy-2.x branch from 9e7456a to 1b2dace (June 4, 2026 20:46)
renovate Bot changed the title from "chore(deps): update binwiederhier/ntfy docker tag to v2.24.0" to "chore(deps): update binwiederhier/ntfy docker tag to v2.25.0" (Jun 25, 2026)
renovate Bot force-pushed the renovate/binwiederhier-ntfy-2.x branch from 1b2dace to 81a212c (June 25, 2026 01:52)