
0.6.1

· 388 words

Excalibur 0.6.1 is a hotfix release fixing a bug with name obfuscation on the app.

App

🐛 Bug Fixes

  • 🐛 Fixed an issue where trying to upgrade existing files to use obfuscated names would prematurely time out if there are a lot of files to process

Server

✨ New Features

  • ✨ Added a new endpoint /api/files/count to count the number of items in the user's file system

0.6.0

· 14938 words

Welcome to Excalibur 0.6.0! This release brings significant security improvements, numerous bug fixes, and performance improvements. Here are some of the highlights:

  • New Authentication Protocol: Excalibur now uses the state-of-the-art Augmented Password-based Authenticated Key Exchange (aPAKE) protocol OPAQUE-3DH as the default authentication protocol instead of the legacy Secure Remote Password (SRP) protocol.
  • Database-Backed Filesystem: Excalibur moved away from relying on operating-system file management to a database-backed filesystem for a more "logical" organization of files and folders.
  • File Name Obfuscation: File and folder names can now be obfuscated to the server and other users for enhanced privacy.
  • More Sorting Options: Added more sorting options for the file explorer page, including file size, file type, and creation time.

The Excalibur documentation website was also updated in this release.

Do note that there are several breaking changes to Excalibur in this version. Please follow the 0.6 upgrade guide to upgrade your Excalibur instance to version 0.6. Do also take note of all the breaking changes made to the server API if you are using it.

Read all about the changes to Excalibur below. Enjoy!

App

🔒️ Security

  • 🔒️ Overrode version minima of dependencies in pnpm-workspace.yaml to address security vulnerabilities:
    • CVE-2026-34601, CVE-2026-41674, CVE-2026-41675, CVE-2026-41672, CVE-2026-41673: @xmldom/xmldom to 0.8.13

✨ New Features

  • ✨ Implemented the OPAQUE-3DH protocol to replace the Secure Remote Password (SRP) protocol for increased security

  • ✨ Implemented obfuscation of file and folder names

    • That is, file and folder names would appear to be obfuscated to the server and to other users
    • Names are obfuscated using a key derived from the vault key
    • New users can toggle this feature while signing up
    • This feature is disabled by default for existing users, but can be enabled in the "server settings" submenu
  • ✨ Added more sorting options for the file explorer page:

    • File size
    • File type
    • Creation time
  • ✨ Added creation times to file and folder listings

  • 💄 Added a new server settings submenu that contains the server vault key

🔄 Changes

  • 🔄 Changed default login protocol from Secure Remote Password (SRP) to OPAQUE-3DH

    • Old accounts can still log in using SRP
    • An option to upgrade to OPAQUE-3DH will be shown when logging in with SRP
  • 🔄 Changed default registration protocol from Secure Remote Password (SRP) to OPAQUE-3DH

  • 🚸 Updated registration flow so that users are automatically logged in after registration

  • 🚸 Made the file change listener attempt to reconnect to the server upon initial disconnect

  • 💄 Split up settings page's contents into multiple subpages for cleaner navigation

  • 💄 Made the scrollbar for the file explorer breadcrumbs look nicer

  • 💄 Updated file explorer interface to display the file listener status (i.e., connected or disconnected)

  • 💄 Added current running Excalibur version to update dialog (to allow comparing with the latest release version)

  • ⚰️ Removed vault key dialog

    • The vault key is now shown in the server settings submenu

๐Ÿ› Bug Fixesโ€‹

  • ๐Ÿ› Fixed an issue where the login page still shows the user being logged in even though they are not

๐Ÿ—‘๏ธ Deprecationsโ€‹

  • ๐Ÿ—‘๏ธ Deprecated Secure Remote Password (SRP) related code
    • Code will be removed in a future update

โ™ป๏ธ Code Refactoringโ€‹

  • ๐Ÿšš Renamed lib/security to lib/auth in the main package

โฌ†๏ธ Dependenciesโ€‹

  • ๐Ÿ”’๏ธ Added minimum age that dependencies need to be released before accepting updates

  • โž• Added mime dependency

  • โž• Added seedrandom dependency (and @types/seedrandom as a development dependency)

  • โž– Removed @vitejs/plugin-legacy dependency

  • โฌ†๏ธ Updated Ionic dependencies:

    • @ionic/core from 8.8.2 to 8.8.6
    • @ionic/react from 8.8.2 to 8.8.6
    • @ionic/react-router from 8.8.2 to 8.8.6
  • โฌ†๏ธ Updated Vite dependencies:

    • vite from 7.3.1 to 8.0.12
    • vite-plugin-node-polyfills from 0.25.0 to 0.26.0
    • vitest from 4.1.2 to 4.1.5
    • @vitejs/plugin-react from 5.1.4 to 6.0.1
  • โฌ†๏ธ Updated Capacitor dependencies:

    • @capacitor/android from 8.2.0 to 8.3.3
    • @capacitor/app from 8.0.1 to 8.1.0
    • @capacitor/core from 8.2.0 to 8.3.3
    • @capacitor/cli from 8.2.0 to 8.3.3
    • @capacitor/keyboard from 8.0.2 to 8.0.3
  • โฌ†๏ธ Updated Electron dependencies:

    • electron from 39.2.7 to 41.5.1
    • electron-vite from 5.0.0 to 6.0.0-beta.1
  • โฌ†๏ธ Updated TailwindCSS dependencies:

    • tailwindcss from 4.2.1 to 4.3.0
    • @tailwindcss/vite from 4.2.1 to 4.3.0
  • โฌ†๏ธ Updated React dependencies:

    • react from 19.2.4 to 19.2.5
    • react-dom from 19.2.4 to 19.2.5
  • โฌ†๏ธ Updated immer from 11.1.4 to 11.1.8

  • โฌ†๏ธ Updated baseline-browser-mapping from 2.10.7 to 2.10.29

  • ๐Ÿ“Œ Pinned typescript development dependency version to 5.x.x (currently 5.9.3)

  • โฌ†๏ธ Updated ESLint development dependencies:

    • eslint from 9.39.3 to 9.39.4
    • @eslint/js from 9.39.2 to 9.39.4
    • eslint-plugin-chai-friendly from 1.1.0 to 1.2.0
    • eslint-plugin-cypress from 6.1.0 to 6.4.1
    • eslint-plugin-react-hooks from 7.0.1 to 7.1.1
    • typescript-eslint from 8.56.1 to 8.59.2
  • โฌ†๏ธ Updated Prettier development dependencies:

    • prettier from 3.8.1 to 3.8.3
    • prettier-plugin-tailwindcss from 0.7.2 to 0.8.0
  • โฌ†๏ธ Updated globals development dependency from 17.4.0 to 17.6.0

  • โฌ†๏ธ Updated lint-staged development dependency from 16.3.3 to 16.4.0

  • โฌ†๏ธ Updated start-server-and-test development dependency from 2.1.5 to 3.0.4

  • โฌ†๏ธ Updated cypress development dependency from 15.11.0 to 15.14.2

  • โฌ†๏ธ Updated @types/node development dependency from 25.5.0 to 25.6.2

๐Ÿงน Miscellaneousโ€‹

  • ๐Ÿ”จ Added a new update_deps.py script to automate the generation of dependency updates' news fragments
  • ๐Ÿงน Moved MIME type determination into client (instead of being on the server)
  • ๐Ÿงน Configured some E2E tests to not run other tests in the suite if any one of the tests fails
  • ๐Ÿงน Added more Cypress end-to-end tests:
    • Item renaming
    • Item deletion
  • ๐Ÿงน Split the tests that were originally in crud.cy.ts into multiple files for more modular testing
  • ๐Ÿงน Migrated the android FolderOpenerPlugin to Kotlin
  • ๐Ÿงน Updated .browserslistrc to Ionic v8 versions
  • ๐Ÿงน Updated GitHub action android-actions/setup-android to v4
  • ๐Ÿงน Updated GitHub action pnpm/action-setup to v5

Server

💥 Breaking Changes

  • 💥 Changed CLI options for the start command:

    • Renamed --enable-cors/--disable-cors to --enable-cors-validation/--no-cors-validation (since --disable-cors was misleading)
  • 💥 Added a new option --auth-protocol to the excalibur user add command

    • It defaults to the new OPAQUE authentication mechanism (OPAQUE-3DH)
    • For SRP compatibility, use --auth-protocol=SRP
  • 💥 The File type no longer returns a mimetype value; it is up to the client to derive the MIME type of the file. This affects the following endpoints:

    • /api/files/search (which returns a list of file-score pairs)
    • /api/files/list/{path} (which returns a list of files or directories)
  • 💥 Certain endpoints' response content has been removed, as their response codes sufficiently indicate the success or failure of the operation. In particular, these endpoints no longer return any content for the 200 OK status code:

    • /api/files/move (previously returned Item Moved)
    • /api/files/mkdir/{path} (previously returned Directory created)
    • /api/files/rename/{path} (previously returned Item renamed)
    • /api/files/upload/{path} (previously returned File uploaded)
  • 💥 We will now use uv's 0.10.x series to build and install the server package, updating the minimum version from 0.9.30 in pyproject.toml and GitHub actions to 0.10.9

✨ New Features

  • ✨ Implemented the OPAQUE-3DH protocol to replace the Secure Remote Password (SRP) protocol

    • Added a new registration endpoint (/api/auth/opaque/register) to handle OPAQUE registration flows
      • This endpoint also allows existing users using SRP to upgrade to OPAQUE
    • Added a new login endpoint (/api/auth/opaque) to handle OPAQUE login flows
  • ✨ Implemented a new database-backed file management system, moving away from relying on operating-system file management

    • Folders are now "logical" and not tied to actual directories on the filesystem
    • Files' names are now stored in the database instead of on the filesystem
    • Files are now stored in a single directory on the filesystem, with their database ID as the filename
  • ✨ Added new endpoints to get and edit additional user info (/api/users/info/{username} and /api/users/edit-info/{username} respectively)

    • This additional user info is used solely by the client; the server does not use it
  • ✨ Added a new endpoint (/api/files/all) to get all files and folders in the user's file system

  • ✨ Added a new backup command to the CLI (excalibur backup)

  • ✨ Made responses return X-Content-Type-Options and X-Frame-Options headers

    • The values are X-Content-Type-Options: nosniff and X-Frame-Options: DENY
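
A dependency-free sketch of setting the two headers above on every HTTP response, written as ASGI middleware (the interface FastAPI applications expose). This is an added example, not Excalibur's own code; the class name, helper names, and the sample handler are assumptions.

```python
import asyncio

# Header values are the ones stated in the release note; all names are illustrative.
SECURITY_HEADERS = [
    (b"x-content-type-options", b"nosniff"),
    (b"x-frame-options", b"DENY"),
]
_NAMES = {name for name, _ in SECURITY_HEADERS}


class SecurityHeadersMiddleware:
    """Pure-ASGI middleware: sets both headers on every HTTP response,
    replacing any value a handler set itself."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # leave WebSocket and lifespan traffic untouched
            await self.app(scope, receive, send)
            return

        async def send_with_headers(message):
            if message["type"] == "http.response.start":
                # Drop handler-supplied copies so exactly one value per header is sent.
                kept = [(k, v) for k, v in message.get("headers", [])
                        if k.lower() not in _NAMES]
                message = {**message, "headers": kept + SECURITY_HEADERS}
            await send(message)

        await self.app(scope, receive, send_with_headers)


async def sample_app(scope, receive, send):
    """Constructed handler that sets a weaker framing policy on its own."""
    await send({
        "type": "http.response.start",
        "status": 200,
        "headers": [(b"content-type", b"text/plain"),
                    (b"X-Frame-Options", b"SAMEORIGIN")],
    })
    await send({"type": "http.response.body", "body": b"ok"})


def response_headers(app, path="/"):
    """Drive one GET request through `app` and return its response headers."""
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": "GET", "path": path, "headers": []}
    asyncio.run(app(scope, receive, send))
    start = next(m for m in sent if m["type"] == "http.response.start")
    return {k.lower().decode(): v.decode() for k, v in start["headers"]}


if __name__ == "__main__":
    print(response_headers(SecurityHeadersMiddleware(sample_app)))
```

Running `response_headers` against a deployed handler set in a test suite gives a regression check that no route ships without the two headers.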

🔄 Changes

  • 🗃️ Modified the Excalibur database:

    • Modified the User table:
      • Added auth_protocol, additional_info, and registration_record fields
      • Made srp_group, srp_salt, and srp_verifier fields optional (since they are not used for the OPAQUE-3DH protocol)
    • Added the FSItem table
  • ๐Ÿ—ƒ๏ธ Added authentication protocol information (auth_protocol) to be returned by the security details endpoint (/api/users/security/{username})

  • ๐Ÿ—ƒ๏ธ The File and Directory types now return a creation_time field representing the creation timestamp of the item. This affects the following endpoints:

    • /api/files/search (which returns a list of file-score pairs)
    • /api/files/list/{path} (which returns a list of files or directories)
  • ๐Ÿ—‘๏ธ The following endpoints no longer return the corresponding response codes:

    • /api/files/download/{path}: Removed 406 Not Acceptable, corresponding to an "Illegal or invalid path"
    • /api/files/upload/{path}: Removed
      • 406 Not Acceptable, corresponding to an "Illegal or invalid path"
      • 414 URI Too Long, corresponding to a file path that is too long
    • /api/files/mkdir/{path}: Removed
      • 406 Not Acceptable, corresponding to an "Illegal or invalid path"
      • 414 URI Too Long, corresponding to a directory path that is too long
    • /api/files/list/{path}: Removed 406 Not Acceptable, corresponding to an "Illegal or invalid path"
    • /api/files/check/path/{path}: Removed
      • 406 Not Acceptable, corresponding to an "Illegal or invalid path"
      • 414 URI Too Long, corresponding to a directory path that is too long
    • /api/files/check/dir/{path}: Removed 406 Not Acceptable, corresponding to an "Illegal or invalid path"
    • /api/files/delete/{path}: Removed 406 Not Acceptable, corresponding to an "Illegal or invalid path"
    • /api/files/move/{path}: Removed
      • 406 Not Acceptable, corresponding to an "Illegal or invalid path"
      • 414 URI Too Long, corresponding to a path that is too long
    • /api/files/rename/{path}: Removed
      • 406 Not Acceptable, corresponding to an "Illegal or invalid path", replacing it with 400 Bad Request corresponding to an "Illegal or invalid name"
      • 414 URI Too Long, corresponding to a path that is too long

    The documentation has been updated to reflect these changes.

  • 🧹 Subdirectories returned by /api/files/list/{path} will no longer have items returned

    • Previously, any subdirectories' items field would be set to null. Now the field is omitted entirely

๐Ÿ› Bug Fixesโ€‹

  • ๐Ÿ› Fixed a bug where unbounded timestamps in the future were allowed as timestamps during the Proof-of-Possession (PoP) validation process

    • Now only timestamps within the configured tolerance are allowed
  • ๐Ÿ› Fixed wrong exception being returned if the WebSocket credentials are incorrect

  • ๐Ÿ› Fixed certain CLI commands (i.e., excalibur db ui and excalibur test) returning incorrect error codes

  • ๐Ÿ› Fixed an issue where multiple file listener connections with the same communications UUID from the authentication token would override each other, causing all non-latest connections to not receive any updates from the server

  • ๐Ÿ› Fixed a bug where returning nothing in some endpoints gives "Response content shorter than Content-Length" internal server errors

  • โœ๏ธ Fixed typo in the add user endpoint documentation.

๐Ÿ—‘๏ธ Deprecationsโ€‹

  • ๐Ÿ”ฅ Removed old operating-system file management code

    • Please migrate to the new system using the excalibur db migrate-files command
  • ๐Ÿ—‘๏ธ Deprecated Secure Remote Password (SRP) related code

    • Users can still register and log in with SRP, but it is recommended to use OPAQUE-3DH instead
    • Endpoints and code relating to SRP will be removed in a future update

โฌ†๏ธ Dependenciesโ€‹

  • ๐Ÿ”’๏ธ Added minimum age that dependencies need to be released before accepting updates

  • โž– Removed watchdog dependency

  • โฌ†๏ธ Updated fastapi from 0.135.2 to 0.136.1

  • โฌ†๏ธ Updated gitpython from 3.1.46 to 3.1.50

  • โฌ†๏ธ Updated packaging from 26.0 to 26.2

  • โฌ†๏ธ Updated pydantic from 2.12.5 to 2.13.4

  • โฌ†๏ธ Updated pydantic-settings from 2.13.1 to 2.14.1

  • โฌ†๏ธ Updated tomlkit from 0.14.0 to 0.15.0

  • โฌ†๏ธ Updated typer from 0.24.1 to 0.25.1

  • โฌ†๏ธ Updated uvicorn from 0.41.0 to 0.46.0

  • โฌ†๏ธ Updated ipython development dependency from 9.10.0 to 9.10.1

  • โฌ†๏ธ Updated pytest development dependency from 9.0.2 to 9.0.3

  • โฌ†๏ธ Updated rapidfuzz dependency from 3.14.3 to 3.14.5

  • โฌ†๏ธ Updated ruff development dependency from 0.15.6 to 0.15.12

  • โฌ†๏ธ Updated sqlmodel dependency from 0.0.37 to 0.0.38

๐Ÿงน Miscellaneousโ€‹

  • ๐Ÿงน Changed the scheme name of the HTTPBearer instance from "SRP-Identity" to "Auth-Identity".
  • ๐Ÿง‘โ€๐Ÿ’ป Added an option to return the ACK as a string for the debug /api/auth/ack endpoint (as_string=true)
  • ๐Ÿ”จ Added a new update_deps.py script to automate the generation of dependency updates' news fragments
  • ๐Ÿงน Fixed bug in the internal _add_new_field() function present in the excalibur config update command

0.5.1

· 1340 words

Excalibur 0.5.1 includes minor changes to the app to improve the overall experience for users.

App

✨ New Features

  • 💄 Added directory item count to the file explorer page

🔄 Changes

  • 💄 Made the breadcrumbs on the top of the file explorer scrollable

🐛 Bug Fixes

  • 🐛 Fixed scrollbar appearing on the search dialog if the main window size is too small

⬆️ Dependencies

  • ⬆️ Updated Capacitor dependencies:

    • @capacitor/keyboard from 8.0.1 to 8.0.2
  • โฌ†๏ธ Updated Ionic dependencies:

    • @ionic/core from 8.8.1 to 8.8.2
    • @ionic/react from 8.8.1 to 8.8.2
    • @ionic/react-router from 8.8.1 to 8.8.2
  • โฌ†๏ธ Updated TailwindCSS dependencies:

    • tailwindcss from 4.2.1 to 4.2.2
    • @tailwindcss/vite from 4.2.1 to 4.2.2
  • โฌ†๏ธ Updated baseline-browser-mapping dependency from 2.10.7 to 2.10.11

  • โฌ†๏ธ Updated vitest development dependency from 4.1.0 to 4.1.2

Serverโ€‹

โฌ†๏ธ Dependenciesโ€‹

  • โฌ‡๏ธ Downgraded sqlalchemy from 2.0.48 to 2.0.44
  • โฌ†๏ธ Updated fastapi from 0.135.1 to 0.135.2
  • โฌ†๏ธ Updated ruff development dependency from 0.15.6 to 0.15.8

๐Ÿงน Miscellaneousโ€‹

  • ๐Ÿ› Fixed an internal issue where running the alembic database revision creation command would fail
    • This is related to the downgrade of the SQLAlchemy version

0.5.0

· 9682 words

Excalibur 0.5 includes many new features and improvements to the project. Here are some of the highlights:

  • Refreshed Interface: We've updated the user interface of the Excalibur app to follow Material Design 3 and to use TailwindCSS's colours.
  • File Upload Progress: Previously the upload progress of files was left as indeterminate. Now it shows the actual progress of the upload!
  • New Move Dialog: The old move dialog was a bit clunky and unpolished. In this update, we've replaced it with a new, more user-friendly dialog.
  • File Searching: You can now search for files in the Excalibur app. You can also just download the files directly from the search results!

The Excalibur documentation website was also updated in this release.

Do note that there are some breaking changes to the Excalibur server in this release. Please follow the 0.5 upgrade guide to upgrade your Excalibur instance to version 0.5.

Read all about the changes to Excalibur below. Enjoy!

App

🔒️ Security

  • 🔒️ Amended some POST requests to have their bodies encrypted
    • Specifically, the /api/files/mkdir, /api/files/move, and /api/files/rename endpoints used to send their POST bodies in the clear. Now they are encrypted using the shared end-to-end encryption key
  • 🔒️ Path parameters will now be encrypted by default
  • 🔒️ Overrode version minima of several dependencies in pnpm-workspace.yaml to address security vulnerabilities:
    • CVE-2026-25547: @isaacs/brace-expansion to 5.0.1
    • CVE-2025-69873: ajv to 6.14.0
    • CVE-2026-25639: axios to 1.13.5
    • CVE-2026-2739: bn.js@<4.12.3 to 5.2.3 and bn.js@>=5.0.0 <5.2.3 to 5.2.3
    • CVE-2026-32141: flatted to 3.4.0
    • CVE-2026-26996, CVE-2026-27903, and CVE-2026-27904: minimatch@<3.1.4 to 3.1.4, minimatch@>=5.0.0 <5.1.8 to 5.1.8, minimatch@>=9.0.0 <9.0.7 to 9.0.7, and minimatch@>=10.0.0 <10.2.3 to 10.2.3
    • CVE-2026-2391: qs to 6.14.2
    • CVE-2026-27606: rollup to 4.59.0
    • CVE-2026-26960, CVE-2026-29786, and CVE-2026-31802: tar to 7.5.11
    • CVE-2026-31988: yauzl to 3.2.1

✨ New Features

  • 💄 Refreshed the look of the app
    • Updated colour palette for light and dark modes
    • Changed look of some components to match Material Design 3
  • 🚸 Added file upload progress to all upload jobs
  • ✨ Created a new move dialog
  • ✨ Added ability to search for files
  • ✨ Added a crypto key strength option in the settings
    • The default key strength is 128 bits; you can change it to 192 or 256 bits as needed
  • ✨ Added caps lock indicator to login page

🔄 Changes

  • 🚸 Changed the way toasts are displayed to allow new toasts to replace old ones
  • 🚸 Modified the server compatibility message to include the version of Excalibur that is incompatible with the server
  • ✏️ Changed "Operations" to "Crypto" in the settings

🐛 Bug Fixes

  • 🐛 Fixed an issue where the toast popup on the file explorer will block the floating action button's actions

♻️ Code Refactoring

  • ♻️ Allowed ExEF strength to be configured independently of the given encryption key
  • ⚰️ Removed heartbeat check
    • Heartbeat check is no longer necessary as the client can simply observe the responses to the requests made to the server
  • ♻️ Changed Cypress.env() calls to Cypress.expose() in tests, following the advice of this migration guide
  • ♻️ Replaced references to process.env.NODE_ENV === "development" and the like with a reference to the new IS_DEV constant
  • 🔧 Configured Android project to use Daemon JVM Toolchains

⬆️ Dependencies

  • ⬆️ Updated Capacitor dependencies:

    • @capacitor/android from 8.0.0 to 8.2.0
    • @capacitor/app from 8.0.0 to 8.0.1
    • @capacitor/cli from 8.0.0 to 8.2.0
    • @capacitor/core from 8.0.0 to 8.2.0
    • @capacitor/filesystem from 8.0.0 to 8.1.2
    • @capacitor/keyboard from 8.0.0 to 8.0.1
    • @capacitor/preferences from 8.0.0 to 8.0.1
    • @capacitor/privacy-screen from 2.0.0 to 2.0.1
    • @capawesome/capacitor-file-picker from 8.0.0 to 8.0.2
    • capacitor-blob-writer from 1.1.19 to 1.1.20
  • โฌ†๏ธ Updated ESLint development dependencies:

    • eslint from 9.39.2 to 9.39.3
    • eslint-plugin-cypress from 5.2.1 to 6.1.0
    • eslint-plugin-react-refresh from 0.4.26 to 0.5.2
    • typescript-eslint from 8.52.0 to 8.56.1
  • โฌ†๏ธ Updated Electron dependencies:

    • dmg-builder from 26.4.0 to 26.8.1
    • electron-builder from 26.4.0 to 26.8.1
    • electron-builder-squirrel-windows from 26.4.0 to 26.8.1
    • electron-updater from 6.7.3 to 6.8.3
  • โฌ†๏ธ Updated Ionic dependencies:

    • @ionic/core from 8.7.16 to 8.8.1
    • @ionic/react from 8.7.16 to 8.8.1
    • @ionic/react-router from 8.7.16 to 8.8.1
  • โฌ†๏ธ Updated React dependencies:

    • react from 19.2.3 to 19.2.4
    • react-dom from 19.2.3 to 19.2.4
  • โฌ†๏ธ Updated TailwindCSS dependencies:

    • tailwindcss from 4.1.18 to 4.2.1
    • @tailwindcss/vite from 4.1.18 to 4.2.1
  • โฌ†๏ธ Updated Vite dependencies:

    • vite-plugin-node-polyfills from 0.24.0 to 0.25.0
    • vitest from 4.0.16 to 4.1.0
    • @vitejs/plugin-react from 5.1.2 to 5.1.4
  • โฌ†๏ธ Updated immer from 11.1.3 to 11.1.4

  • โฌ†๏ธ Updated cypress development dependency from 15.8.2 to 15.11.0

  • โฌ†๏ธ Updated globals development dependency from 17.0.0 to 17.4.0

  • โฌ†๏ธ Updated lint-staged development dependency from 16.2.7 to 16.3.3

  • โฌ†๏ธ Updated prettier development dependency from 3.7.4 to 3.8.1

  • โฌ†๏ธ Updated type dependencies:

    • @types/node from 25.0.6 to 25.5.0
    • @types/react from 19.2.8 to 19.2.14

🧹 Miscellaneous

  • 🧑‍💻 Added some internal test pages for development purposes:
    • TestPage (/dev/test): Basic test page for development
    • ExEFPage (/dev/exef): Test page for ExEF encryption/decryption

Server

🔒️ Security

  • 🔒️ Path parameters can now be specified as encrypted by adding the X-Encrypted: true header
    • The encrypted value must use the ExEF and be URL-safe base64 encoded
  • 🔒️ Overrode version minima of pyjwt in pyproject.toml to 2.12.0 to address CVE-2026-32597 (#15)

💥 Breaking Changes

  • 💥 Changed CLI options for the start command:
    • --host can now be specified with -h
    • --port can now be specified with -p
    • --encrypt-responses/--no-encrypt-responses no longer has the short forms of -e/-E
    • --delay no longer has the short form of -d
    • --enable-cors/--disable-cors no longer has the short forms of -c/-C
    • --clean-up-logs/--no-clean-up-logs can now be specified with -c/-C
  • 💥 Removed heartbeat endpoint (/api/well-known/heartbeat)
    • We removed this endpoint as its use is no longer necessary. We assume that the client will be able to discern whether they are still connected to the server by observing the responses to the requests made to the server
    • Accordingly, the default template value of the logging.no_log_endpoints configuration option was updated to remove this endpoint
  • 💥 Changed the path in upload file endpoint (/api/files/upload/{path:path}) to be the file path instead of the file's containing directory; also removed the name query parameter
  • 💥 Renamed /api/files/list/{path}'s with_exef_header query parameter to include_exef_size

✨ New Features

  • ✨ Added new file searching endpoint at /api/files/search
  • 🔧 Added a crypto key strength configuration field
    • The default key strength is 128 bits; you can change it to 192 or 256 bits as needed
  • ✨ Added a new CLI option to the start command to enable or disable Proof of Possession (PoP) checking
    • It is recommended to only disable PoP checking when debugging

🔄 Changes

  • 🔧 Added the /api/docs endpoint as a default endpoint that is ignored in the logging.no_log_endpoints field
  • 🗃️ Updated DuckDB from 1.3 Ossivalis to 1.4 Andium (LTS)

♻️ Code Refactoring

  • ♻️ Replaced references to os.getenv and os.environ with calls to functions in env.py for easier management and less repeated code
  • ♻️ Renamed internal use of EXCALIBUR_SERVER_POP_ENABLED to EXCALIBUR_SERVER_ENABLE_POP
  • ♻️ Modified style of cryptography middleware logging to make it show up on the logs again
  • 🚚 Renamed listings.py in excalibur_server/src/files to utils.py

⬆️ Dependencies

  • ⬆️ Updated minimum uv version from 0.9.3 in pyproject.toml and 0.9.18 in GitHub actions to 0.9.30
    • We will be updating the uv version to the 0.10.x series in the future
  • โฌ†๏ธ Updated alembic from 1.18.0 to 1.18.4
  • โฌ†๏ธ Updated duckdb from 1.3.2 to 1.4.4
  • โฌ†๏ธ Updated fastapi from 0.128.0 to 0.135.1
  • โฌ†๏ธ Updated pydantic-settings from 2.12.0 to 2.13.1
  • โฌ†๏ธ Updated pyjwt from 2.10.1 to 2.12.1
  • โฌ†๏ธ Updated sqlalchemy from 2.0.45 to 2.0.48
  • โฌ†๏ธ Updated sqlmodel from 0.0.31 to 0.0.37
  • โฌ†๏ธ Updated tomlkit from 0.13.3 to 0.14.0
  • โฌ†๏ธ Updated typer from 0.21.1 to 0.24.1
  • โฌ†๏ธ Updated uvicorn from 0.40.0 to 0.41.0
  • โฌ†๏ธ Updated ipython development dependency from 9.9.0 to 9.10.0
  • โฌ†๏ธ Updated ruff development dependency from 0.14.11 to 0.15.6

0.4.4

· 732 words

This is a security release overriding some dependencies' versions' minima.

note

Version 0.4.3 was skipped due to a misconfigured dependency version preventing the release action from completing successfully. Its changes were combined with 0.4.4's changes below.

App

🔒 Security

  • Override diff version minima to ^5.2.2 in pnpm-workspace.yaml to address CVE-2026-24001
  • Override lodash and lodash-es version minima to ^4.17.23 in pnpm-workspace.yaml to address CVE-2025-13465
  • Override tar version minima to ^7.5.7 in pnpm-workspace.yaml to address CVE-2026-24842 and CVE-2026-23950

📦 Dependencies

  • Updated @capacitor/cli from 8.0.0 to 8.0.2

Server

No significant changes.