v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)
π§ͺ new features
#1351 add .hidden support (thx @NecRaul!) beb634dc 134e378e
cosmetic filter to exclude specific files from directory listings by adding their filenames to a textfile named .hidden similar to many linux desktop file managers
the files are still easily available from various APIs; this is not a security feature, just a way to keep things neat and tidy
#1381 thumbnail pregeneration 7d6b037d
usually/generally not a good idea; readme explains it
#1372 #1333 no thumbnails if the server OS was too old to have JXL support and the webbrowser was asking for JXL 1afe48b8
#1363 new-version alert would only appear if the visitor had the Admin permission in the webroot specifically; now A in any volume is sufficient 6eb4f0ad
66f1ef63 should have blocked mkdir too and now it does (thx @restriction!) ac60a1da
setting the nohtml or noscript volflags on the webroot would break the web-UI eb028c92
shares: the -ed global-option did not make dotfiles visible in shares 66f9c950
the dots volflag still doesn't, but that one is intentional
π§ other changes
tried to stop libvips from gobbling up obscene amounts of ram while creating jxl thumbnails abdbd69a
libvips is now default-disabled unless the libc is musl and the allocator is mallocng, which means alpine linux, which means the docker image with mimalloc disabled
all other deployments will now have slightly slower jxl thumbnail generation by using ffmpeg instead (it's fine really)
new global-option --th-vips-jxl lets you force-enable it if you dare
volflags nohtml and noscript now available as global-options --no-html and --no-script 5f3b76c8
and the -ss paranoia option now also enables --no-html --no-readme --no-logues
--flo 2 now removes colors from logfiles even if -q is not set 8c6d8a3c
update dompurify to 3.3.3 6a9e6da8
docs:
#1360 versus.md: more readable headers (thx @eugenesvk!) e71e1900
#1367 mention --shr-who in the readme (thx @TWhiteShadow!) 4688410f
