0.14.1

Added

• Support comparing tags in addition to branches. #6141
• Show file name in browser tab title when viewing files. #5896
• Support using TLS for Redis session provider using [session] PROVIDER_CONFIG = ...,tls=true. #7860
• Support expanading values in app.ini from environment variables, e.g. [database] PASSWORD = ${DATABASE_PASSWORD}. #8057
• Support custom logout URL that users get redirected to after sign out using [auth] CUSTOM_LOGOUT_URL. #8089
• Start publishing next-generation, security-focused Docker image via gogs/gogs:next-latest, which will become the default image distribution (gogs/gogs:latest) starting 0.16.0. While not all container options support have been added in the next-generation image, the use of current legacy Docker image is deprecated, it will be published as gogs/gogs:legacy-latest starting 0.16.0, and be completely removed no earlier than 0.17.0. #8061

Changed

• The required Go version to compile source code changed to 1.25.
• The build tag cert has been removed, and the gogs cert subcommand is now always available. #7883
• Switched to pure-Go SQLite driver, CGO is no longer required to compile Gogs. #7882
• Updated Mermaid JS to 11.9.0. #8009
• Halt the repository creation and leave the directory untouched if the repository root already exists. #8091

Fixed

• Security: Unauthenticated file upload. #8128 - GHSA-fc3h-92p8-h36f
• Security: Protected branch bypass in web UI. #8124 - GHSA-2c6v-8r3v-gh6p
• Security: Authorization bypass allows cross-repository label modification. #8123 - GHSA-cv22-72px-f4gh
• Security: Cross-repository comment deletion. #8119 - GHSA-jj5m-h57j-5gv7
• 500 error on repository watchers and stargazers pages when using MSSQL. #5482
• Submodules using ssh:// protocol and a port number are not rendered correctly. #4941
• Missing link to user profile on the first commit in commits history page. #7404
• Unable to delete or display files with special characters in their names. #7596
• Docker healthcheck fails when HTTP_PROXY or HTTPS_PROXY environment variables are set. #7529

0.13.3

Fixed

• Security: Stored XSS in PDF renderer. GHSA-xh32-cx6c-cp4v
• Security: Path Traversal in file editing UI. GHSA-wj44-9vcg-wjq7
• Randomly timeout on repository file uploads. #7890
• Unable to override email templates in custom directory. #7905

0.13.2

Fixed

• Security: Path Traversal in file editing UI. GHSA-r7j8-5h9c-f6fx
• Security: Path Traversal in file update API. GHSA-qf5v-rp47-55gg
• Security: Argument Injection in the built-in SSH server. GHSA-vm62-9jw3-c8w3
• Security: Deletion of internal files. GHSA-ccqv-43vm-4f3w
• Security: Argument Injection during changes preview. GHSA-9pp6-wq8c-3w2c
• Security: Argument Injection when tagging new releases. GHSA-m27m-h5gj-wwmg
• Use the non-deprecated section name [email] during installation for email settings. #7704
• Use the non-deprecated section name [email] PASSWORD during installation for email password. #7807
• Make purple template label color to actually use the hexcode of purple. #7722

0.13.0

Added

• Support using personal access token in the password field. #3866
• An unlisted option is added when create or migrate a repository. Unlisted repositories are public but not being listed for users without direct access in the UI. #5733
• New API endpoint PUT /repos/:owner/:repo/contents/:path for creating and update repository contents. #5967
• New configuration option [git.timeout] DIFF for customizing operation timeout of git diff. #6315
• New configuration option [server] SSH_SERVER_MACS for setting list of accepted MACs for connections to builtin SSH server. #6434
• New configuration option [repository] DEFAULT_BRANCH for setting default branch name for new repositories. #7291
• New configuration option [server] SSH_SERVER_ALGORITHMS for specifying the list of accepted key exchange algorithms for connections to builtin SSH server. #7345
• Support specifying custom schema for PostgreSQL. #6695
• Support rendering Mermaid diagrams in Markdown. #6776
• Docker: Allow passing extra arguments to the backup command. #7060
• New languages support: Mongolian, Romanian. #6510 #7082

Changed

• The default branch has been changed to main. #6285
• MSSQL as database backend is deprecated, installation page no longer shows it as an option. Existing installations and manually craft configuration file continue to work. #6295
• Use Task as the build tool. #6297
• The required Go version to compile source code changed to 1.18.
• Access tokens are now stored using their SHA256 hashes instead of raw values. #7008

Fixed

• Unable to use LDAP authentication on ARM machines. #6761
• Unable to choose "Lookup Avatar by mail" in user settings without deleting custom avatar. #7267
• Mistakenly include the "data" directory under the custom directory in the Docker setup. #7343
• Unable to start after data recovery with an outdated migration version. #7125

Removed

• ⚠️ Migrations before 0.12 are removed, installations not on 0.12 should upgrade to it to run the migrations and then upgrade to 0.13.
• Configuration section [mailer] is no longer used, please use [email].
• Configuration section [service] is no longer used, please use [auth].
• Configuration option APP_NAME is no longer used, please use BRAND_NAME.
• Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is no longer used, please use [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
• Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is no longer used, please use [auth] ACTIVATE_CODE_LIVES.
• Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is no longer used, please use [auth] RESET_PASSWORD_CODE_LIVES.
• Configuration option [auth] ENABLE_CAPTCHA is no longer used, please use [auth] ENABLE_REGISTRATION_CAPTCHA.
• Configuration option [auth] ENABLE_NOTIFY_MAIL is no longer used, please use [user] ENABLE_EMAIL_NOTIFICATION.
• Configuration option [auth] REGISTER_EMAIL_CONFIRM is no longer used, please use [auth] REQUIRE_EMAIL_CONFIRMATION.
• Configuration option [session] GC_INTERVAL_TIME is no longer used, please use [session] GC_INTERVAL.
• Configuration option [session] SESSION_LIFE_TIME is no longer used, please use [session] MAX_LIFE_TIME.
• Configuration option [server] ROOT_URL is no longer used, please use [server] EXTERNAL_URL.
• Configuration option [server] LANDING_PAGE is no longer used, please use [server] LANDING_URL.
• Configuration option [database] DB_TYPE is no longer used, please use [database] TYPE.
• Configuration option [database] PASSWD is no longer used, please use [database] PASSWORD.
• Remove option to use Makefile as the build tool. #6980