chore(deps): update dependency binwiederhier/ntfy to v2.26.0 #90

Open
jaskaran wants to merge 1 commit from renovate/binwiederhier-ntfy-2.x into main
Owner

This PR contains the following updates:

Package Update Change
binwiederhier/ntfy minor v2.23.0v2.26.0

Release Notes

binwiederhier/ntfy (binwiederhier/ntfy)

v2.26.0

Compare Source

This release hardens message templates, which are now executed with a hard-capped execution timeout. This closes
a denial-of-service hole.

On the web app side, it adds configurable date and time formats, a smoother loading and page-transition experience,
and a fix that strips unsafe URL protocols from rendered Markdown.

Security:

  • Prevent a CPU denial of service via message templates (Template: yes), #​1826, thanks to @​alanturing881 for reporting)

Features:

  • Web app: Add "Date format" and "Time format" settings (Settings -> Appearance), with ISO 8601, day/month/year (slash or dot) and month/day/year date options and a 12-/24-hour clock option, and base the default format on your browser/system locale rather than the selected display language. When logged in, both settings sync across devices via your account (#​1647, thanks to @​wsw70 for reporting)

Bug fixes + maintenance:

  • Web app: Smooth transitions and loading animation, remove flickering
  • Web app: GET /account now reads from the primary database instead of a read replica, so the account view no longer shows stale data right after a change when replicas lag behind
  • Docs: Document the third-party HelmForge Helm chart as a Kubernetes installation option (#​1727, thanks to @​mberlofa)
  • Web app: Strip unsafe URL protocols (javascript:, data:, ...) from links and images in Markdown-rendered messages, so they no longer trigger an uncaught "React has blocked a javascript: URL" error (thanks to @​jvoisin for reporting)

v2.25.0

Compare Source

This release adds password reset via email, and reworks email verification to use durable, link-based magic links (replacing the old in-memory 6-digit codes). Email stays optional at signup; a user can reset their password only once they have a verified "primary" (recovery)email.

All of this work is probably not useful for self-hosters, but it hopefully will be useful for me, since I do have to reset accounts on a regular basis.

Security issues:

  • Generate access tokens, IDs, and magic-link tokens with a cryptographically secure RNG (crypto/rand) instead of a clock-seeded PRNG

Features:

  • Add password reset via emailed magic link, with a "Forgot password" link on the login page and a ntfy user reset-pass CLI command for admins
  • Rework email verification to use durable, single-use, expiring magic links instead of in-memory 6-digit codes, and add a "primary" email (used for account recovery and as the X-Email: yes target) with verified/unverified state in the account UI
  • You can now clear/read messages and delete messages with a GET request (#​1771, thanks to @​lemmi for reporting and to @​wunter8 for implementing)
  • Add a reload button to the web app's action bar when running as an installed PWA, which clears the service worker caches and hard-refreshes the app
  • Add a "Back to app" link to the web app's login, signup, and password-reset pages (alongside the existing links), which previously had no way back to the app

Bug fixes + maintenance:

  • X-Email: yes (also true/1) now sends to your primary verified email regardless of the smtp-sender-verify setting (previously it was rejected unless verification was enabled); it requires being logged in with a verified address
  • Grant users full access to their own sync topic (st_...) so cross-device subscription sync works under auth-default-access: deny-all (#​733, #​1795, thanks to @​lmorchard for the contribution)
  • Support HTTP (non-TLS) S3-compatible endpoints by preserving the endpoint scheme, e.g. for a local MinIO instance (#​1794, #​1734, thanks to @​sskender for the contribution, and @​Kernald for reporting)
  • Stop silently stripping spaces from passwords while typing in the web app's login, signup, and password-reset forms (#​1246, thanks to @​aldem for reporting)
  • Update web app dependencies, including major-version upgrades to Vite (6 -> 8, now Rolldown-based), Material UI (5 -> 9), and Dexie (3 -> 4) (#​1800, #​1764, #​1767, #​1762, #​1766, #​1765, thanks Dependabot)
  • Play notification sounds in the web app even when the Notification API is unavailable, e.g. over plain HTTP or in browsers without notification support (#​1772, thanks to @​mitya12342 for the contribution)
  • Stop escaping <, >, and & as \u003c/\u003e/\u0026 in JSON responses (#​1511, #​1512, thanks to @​wunter8 for the contribution)
  • Fix the web app navbar not reflecting a topic reservation (lock icon, and "Reserve topic" -> "Change reservation"/"Remove reservation" menu) until a page reload, by persisting reservation and display-name changes onto already-subscribed topics during account sync
  • Reduce the web app's initial bundle size by ~300 KB (~50 KB gzipped) by lazy-loading the emoji picker dataset and the Markdown renderer, and by importing Material UI icons individually

v2.24.0

Compare Source

The main feature for this release is an in-memory ACL cache (auth-access-cache) that can help bring down the read load on the production database. The topic authorization queries are consistently the highest ranking queries on the database, so this will help quite a bit. The current database load is quite low, but I'm expecting it to increase as more users join and use ntfy.

Security issues:

  • Fix case-insensitive ACL topic matching on SQLite: an access control rule for secret no longer also matches a request for SECRET. SQLite's LIKE is case-insensitive for ASCII by default. PostgreSQL was unaffected. It's honestly incredible that this issue remained undetected for so long, especially while ntfy.sh was running on SQLite (it now runs on PostgreSQL).

Features:

  • Add opt-in in-memory ACL cache (auth-access-cache) that serves topic authorization without a database round-trip; off by default, intended for high-volume servers
  • Add ntfy --version flag to the CLI (#​1722, #​1748, thanks to @​sskender for the contribution, and @​Saucy9607 for reporting)

Bug fixes + maintenance:


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [binwiederhier/ntfy](https://github.com/binwiederhier/ntfy) | minor | `v2.23.0` → `v2.26.0` | --- ### Release Notes <details> <summary>binwiederhier/ntfy (binwiederhier/ntfy)</summary> ### [`v2.26.0`](https://github.com/binwiederhier/ntfy/releases/tag/v2.26.0) [Compare Source](https://github.com/binwiederhier/ntfy/compare/v2.25.0...v2.26.0) This release hardens **message templates**, which are now executed with a hard-capped execution timeout. This closes a denial-of-service hole. On the web app side, it adds configurable **date and time formats**, a smoother loading and page-transition experience, and a fix that strips unsafe URL protocols from rendered Markdown. **Security:** - Prevent a CPU denial of service via message templates (`Template: yes`), [#&#8203;1826](https://github.com/binwiederhier/ntfy/pull/1826), thanks to [@&#8203;alanturing881](https://github.com/alanturing881) for reporting) **Features:** - Web app: Add "Date format" and "Time format" settings (Settings -> Appearance), with ISO 8601, day/month/year (slash or dot) and month/day/year date options and a 12-/24-hour clock option, and base the default format on your browser/system locale rather than the selected display language. When logged in, both settings sync across devices via your account ([#&#8203;1647](https://github.com/binwiederhier/ntfy/issues/1647), thanks to [@&#8203;wsw70](https://github.com/wsw70) for reporting) **Bug fixes + maintenance:** - Web app: Smooth transitions and loading animation, remove flickering - Web app: `GET /account` now reads from the primary database instead of a read replica, so the account view no longer shows stale data right after a change when replicas lag behind - Docs: Document the third-party HelmForge Helm chart as a Kubernetes installation option ([#&#8203;1727](https://github.com/binwiederhier/ntfy/issues/1727), thanks to [@&#8203;mberlofa](https://github.com/mberlofa)) - Web app: Strip unsafe URL protocols (`javascript:`, `data:`, ...) from links and images in Markdown-rendered messages, so they no longer trigger an uncaught "React has blocked a javascript: URL" error (thanks to [@&#8203;jvoisin](https://github.com/jvoisin) for reporting) ### [`v2.25.0`](https://github.com/binwiederhier/ntfy/releases/tag/v2.25.0) [Compare Source](https://github.com/binwiederhier/ntfy/compare/v2.24.0...v2.25.0) This release adds **password reset** via email, and reworks email verification to use durable, link-based magic links (replacing the old in-memory 6-digit codes). Email stays optional at signup; a user can reset their password only once they have a verified "primary" (recovery)email. All of this work is probably not useful for self-hosters, but it hopefully will be useful for me, since I do have to reset accounts on a regular basis. **Security issues:** - Generate access tokens, IDs, and magic-link tokens with a cryptographically secure RNG (`crypto/rand`) instead of a clock-seeded PRNG **Features:** - Add password reset via emailed magic link, with a "Forgot password" link on the login page and a `ntfy user reset-pass` CLI command for admins - Rework email verification to use durable, single-use, expiring magic links instead of in-memory 6-digit codes, and add a "primary" email (used for account recovery and as the `X-Email: yes` target) with verified/unverified state in the account UI - You can now clear/read messages and delete messages with a GET request ([#&#8203;1771](https://github.com/binwiederhier/ntfy/issues/1771), thanks to [@&#8203;lemmi](https://github.com/lemmi) for reporting and to [@&#8203;wunter8](https://github.com/wunter8) for implementing) - Add a reload button to the web app's action bar when running as an installed PWA, which clears the service worker caches and hard-refreshes the app - Add a "Back to app" link to the web app's login, signup, and password-reset pages (alongside the existing links), which previously had no way back to the app **Bug fixes + maintenance:** - `X-Email: yes` (also `true`/`1`) now sends to your primary verified email regardless of the `smtp-sender-verify` setting (previously it was rejected unless verification was enabled); it requires being logged in with a verified address - Grant users full access to their own sync topic (`st_...`) so cross-device subscription sync works under `auth-default-access: deny-all` ([#&#8203;733](https://github.com/binwiederhier/ntfy/issues/733), [#&#8203;1795](https://github.com/binwiederhier/ntfy/pull/1795), thanks to [@&#8203;lmorchard](https://github.com/lmorchard) for the contribution) - Support HTTP (non-TLS) S3-compatible endpoints by preserving the endpoint scheme, e.g. for a local MinIO instance ([#&#8203;1794](https://github.com/binwiederhier/ntfy/pull/1794), [#&#8203;1734](https://github.com/binwiederhier/ntfy/issues/1734), thanks to [@&#8203;sskender](https://github.com/sskender) for the contribution, and [@&#8203;Kernald](https://github.com/Kernald) for reporting) - Stop silently stripping spaces from passwords while typing in the web app's login, signup, and password-reset forms ([#&#8203;1246](https://github.com/binwiederhier/ntfy/issues/1246), thanks to [@&#8203;aldem](https://github.com/aldem) for reporting) - Update web app dependencies, including major-version upgrades to Vite (6 -> 8, now Rolldown-based), Material UI (5 -> 9), and Dexie (3 -> 4) ([#&#8203;1800](https://github.com/binwiederhier/ntfy/pull/1800), [#&#8203;1764](https://github.com/binwiederhier/ntfy/pull/1764), [#&#8203;1767](https://github.com/binwiederhier/ntfy/pull/1767), [#&#8203;1762](https://github.com/binwiederhier/ntfy/pull/1762), [#&#8203;1766](https://github.com/binwiederhier/ntfy/pull/1766), [#&#8203;1765](https://github.com/binwiederhier/ntfy/pull/1765), thanks Dependabot) - Play notification sounds in the web app even when the Notification API is unavailable, e.g. over plain HTTP or in browsers without notification support ([#&#8203;1772](https://github.com/binwiederhier/ntfy/pull/1772), thanks to [@&#8203;mitya12342](https://github.com/mitya12342) for the contribution) - Stop escaping `<`, `>`, and `&` as `\u003c`/`\u003e`/`\u0026` in JSON responses ([#&#8203;1511](https://github.com/binwiederhier/ntfy/issues/1511), [#&#8203;1512](https://github.com/binwiederhier/ntfy/pull/1512), thanks to [@&#8203;wunter8](https://github.com/wunter8) for the contribution) - Fix the web app navbar not reflecting a topic reservation (lock icon, and "Reserve topic" -> "Change reservation"/"Remove reservation" menu) until a page reload, by persisting reservation and display-name changes onto already-subscribed topics during account sync - Reduce the web app's initial bundle size by \~300 KB (\~50 KB gzipped) by lazy-loading the emoji picker dataset and the Markdown renderer, and by importing Material UI icons individually ### [`v2.24.0`](https://github.com/binwiederhier/ntfy/releases/tag/v2.24.0) [Compare Source](https://github.com/binwiederhier/ntfy/compare/v2.23.0...v2.24.0) The main feature for this release is an in-memory ACL cache (`auth-access-cache`) that can help bring down the read load on the production database. The topic authorization queries are consistently the highest ranking queries on the database, so this will help quite a bit. The current database load is quite low, but I'm expecting it to increase as more users join and use ntfy. **Security issues:** - Fix case-insensitive ACL topic matching on SQLite: an access control rule for `secret` no longer also matches a request for `SECRET`. SQLite's `LIKE` is case-insensitive for ASCII by default. PostgreSQL was unaffected. It's honestly incredible that this issue remained undetected for so long, especially while ntfy.sh was running on SQLite (it now runs on PostgreSQL). **Features:** - Add opt-in in-memory ACL cache (`auth-access-cache`) that serves topic authorization without a database round-trip; off by default, intended for high-volume servers - Add `ntfy --version` flag to the CLI ([#&#8203;1722](https://github.com/binwiederhier/ntfy/issues/1722), [#&#8203;1748](https://github.com/binwiederhier/ntfy/pull/1748), thanks to [@&#8203;sskender](https://github.com/sskender) for the contribution, and [@&#8203;Saucy9607](https://github.com/Saucy9607) for reporting) **Bug fixes + maintenance:** - Extend account token automatically from the PWA service worker, so installed PWAs don't get logged out ([#&#8203;1669](https://github.com/binwiederhier/ntfy/pull/1669), [#&#8203;1203](https://github.com/binwiederhier/ntfy/issues/1203), [#&#8203;1533](https://github.com/binwiederhier/ntfy/issues/1533), thanks to [@&#8203;nihalgonsalves](https://github.com/nihalgonsalves) for the contribution) - Fix `rel` attribute on auto-linked notification URLs so `noreferrer`/`noopener` are actually applied ([#&#8203;1720](https://github.com/binwiederhier/ntfy/pull/1720), thanks to [@&#8203;dmitrylyzo](https://github.com/dmitrylyzo) for the contribution) - Add systemd sandboxing/hardening to the `ntfy.service` unit ([#&#8203;1467](https://github.com/binwiederhier/ntfy/pull/1467), thanks to [@&#8203;Velocifyer](https://github.com/Velocifyer) for the contribution) - Fix `cmd` package build on macOS (darwin) so the server compiles from source ([#&#8203;1631](https://github.com/binwiederhier/ntfy/issues/1631), [#&#8203;1696](https://github.com/binwiederhier/ntfy/pull/1696), thanks to [@&#8203;ShipItAndPray](https://github.com/ShipItAndPray) for the contribution, and [@&#8203;XYenon](https://github.com/XYenon) for reporting) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTcuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5Ny4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJyZW5vdmF0ZSJdfQ==-->
jaskaran force-pushed renovate/binwiederhier-ntfy-2.x from 05e55a2ee0 to 37516337c1 2026-06-25 00:01:07 +00:00 Compare
jaskaran changed title from chore(deps): update dependency binwiederhier/ntfy to v2.24.0 to chore(deps): update dependency binwiederhier/ntfy to v2.25.0 2026-06-25 00:01:09 +00:00
jaskaran force-pushed renovate/binwiederhier-ntfy-2.x from 37516337c1 to 5a8451620f 2026-07-10 00:01:07 +00:00 Compare
jaskaran changed title from chore(deps): update dependency binwiederhier/ntfy to v2.25.0 to chore(deps): update dependency binwiederhier/ntfy to v2.26.0 2026-07-10 00:01:08 +00:00
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/binwiederhier-ntfy-2.x:renovate/binwiederhier-ntfy-2.x
git switch renovate/binwiederhier-ntfy-2.x

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main
git merge --no-ff renovate/binwiederhier-ntfy-2.x
git switch renovate/binwiederhier-ntfy-2.x
git rebase main
git switch main
git merge --ff-only renovate/binwiederhier-ntfy-2.x
git switch renovate/binwiederhier-ntfy-2.x
git rebase main
git switch main
git merge --no-ff renovate/binwiederhier-ntfy-2.x
git switch main
git merge --squash renovate/binwiederhier-ntfy-2.x
git switch main
git merge --ff-only renovate/binwiederhier-ntfy-2.x
git switch main
git merge renovate/binwiederhier-ntfy-2.x
git push origin main
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
jaskaran/homelab!90
No description provided.