Releases: pocketbase/pocketbase

v0.35.0 Release

21 Dec 07:44
Immutable release. Only release title and notes can be modified.

To update the prebuilt executable you can run ./pocketbase update.

  • Added nullString(), nullInt(), nullFloat(), nullBool(), nullArray(), nullObject() JSVM helpers for scanning nullable columns (#7396).

  • Store the correct image/png as attrs content type when generating a thumb fallback (e.g. for webp).

  • Trimmed custom uploaded file name and extension from leftover . characters after filesystem.File normalization.
    This was done to prevent issues with external files sync programs that may have special handling for "invisible" files.

  • Updated modernc.org/sqlite (v1.41.0 includes prepared statements optimization) and other minor Go deps.

v0.34.2 Release

04 Dec 13:08
Immutable release. Only release title and notes can be modified.

To update the prebuilt executable you can run ./pocketbase update.

  • Bumped JS SDK to v0.26.5 to fix Safari AbortError detection introduced with the previous release (#7369).

v0.34.1 Release

02 Dec 18:43
Immutable release. Only release title and notes can be modified.

To update the prebuilt executable you can run ./pocketbase update.

  • Added missing : char to the autocomplete regex (#7353; thanks @ouvreboite).

  • Added "Copy raw JSON" collection dropdown option (#7357).

  • Updated Go deps and JS SDK.

  • Bumped min Go GitHub action version to 1.25.5 because it comes with some minor security fixes.
    The runner action was also updated to actions/setup-go@v6 since the previous v5 Go source seems no longer accessible.

v0.22.37 Release

02 Dec 18:42
Immutable release. Only release title and notes can be modified.

  • (Backported from v0.34.1) Added missing : char to the autocomplete regex (#7353).

  • (Backported from v0.34.1) Bumped min Go GitHub action version to 1.25.5 because it comes with some minor security fixes.
    The runner action was also updated to actions/setup-go@v6 since the previous v5 Go source seems no longer accessible.

v0.34.0 Release

22 Nov 09:18
Immutable release. Only release title and notes can be modified.

To update the prebuilt executable you can run ./pocketbase update.

  • Added @request.body.someField:changed modifier.
    It could be used when you want to ensure that a body field either wasn't submitted or was submitted with the same value.
    Or in other words, if you want to disallow a field change the below 2 expressions would be equivalent:

    // (old)
    (@request.body.someField:isset = false || @request.body.someField = someField)
    
    // (new)
    @request.body.someField:changed = false

  • Added MailerRecordEvent.Meta["info"] property for the OnMailerRecordAuthAlertSend hook.

  • Updated the backup restore popup with a short info about the performed restore steps.

  • Updated Go deps.

v0.33.0 Release

13 Nov 14:09
Immutable release. Only release title and notes can be modified.

To update the prebuilt executable you can run ./pocketbase update.

  • Added extra id characters validation in addition to the user specified regex pattern (#7312).
    The following special characters are always forbidden: ./\|"'``<>:?*%$\n\r\t\0 . Common reserved Windows file names such as aux, prn, con, nul, com1-9, lpt1-9 are also not allowed.
    The list is not exhaustive but it should help minimize potential filesystem compatibility issues in case of wildcards or other loose regex patterns.

  • Added {ALERT_INFO} placeholder to the auth alert mail template (#7314).
    ⚠️ mails.SendRecordAuthAlert(app, authRecord, info) also now accepts a 3rd info string argument.

  • Updated Go deps.
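
As an added illustration of the extra id validation described in these v0.33.0 notes (not PocketBase's own code), the Go sketch below runs a permissive field pattern first and then the always-forbidden characters and reserved names. `checkID`, `loosePattern` and the sample ids are hypothetical; it assumes the space at the end of the listed set is itself forbidden and that reserved names are matched case-insensitively against the whole id.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Characters the notes list as always forbidden in ids.
// Assumption: the space shown at the end of that list is part of the set.
const forbidden = "./\\|\"'`<>:?*%$\n\r\t\x00 "

// Reserved Windows names from the notes, with com1-9 and lpt1-9 expanded.
// Assumption: compared case-insensitively against the whole id.
var reserved = regexp.MustCompile(`(?i)^(aux|prn|con|nul|com[1-9]|lpt[1-9])$`)

// loosePattern is a constructed example of a permissive user-defined id pattern.
var loosePattern = regexp.MustCompile(`^.{1,40}$`)

// checkID (hypothetical helper) applies the user pattern first, then the
// always-on checks, and reports which rule rejected the id.
func checkID(id string, userPattern *regexp.Regexp) error {
	if !userPattern.MatchString(id) {
		return fmt.Errorf("id %q does not match the field pattern", id)
	}
	if i := strings.IndexAny(id, forbidden); i >= 0 {
		return fmt.Errorf("id %q has forbidden character %q", id, id[i])
	}
	if reserved.MatchString(id) {
		return fmt.Errorf("id %q is a reserved Windows file name", id)
	}
	return nil
}

func main() {
	// Constructed ids that all satisfy loosePattern.
	for _, id := range []string{"order_2024_001", "../../pb_data", "NUL", "a*b", "com10"} {
		fmt.Printf("%-18q -> %v\n", id, checkID(id, loosePattern))
	}
}
```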

v0.32.0 Release

08 Nov 09:36
Immutable release. Only release title and notes can be modified.

To update the prebuilt executable you can run ./pocketbase update.

  • ⚠️ Added extra List/Search API rules checks for the client-side filter/sort relations.

    This is a continuation of the effort to eliminate the risk of information disclosure (and eventually the side-channel attacks that may originate from that).

    So far this was an accepted tradeoff between performance, usability and correctness since the solutions at the time weren't really practical (especially with the back-relations as mentioned in "Security and performance" section in #4417), but with v0.23+ changes we can implement the extra checks without littering the code too much, with very little impact on the performance and at the same time ensuring better out of the box security (especially for the cases where users operate with sensitive fields like "code", "token", "secret", etc.).

    Similar to the previous release, probably for most users with already configured API rules this change won't be breaking, but if you have an intermediate/junction collection that is "locked" (superusers-only) we will no longer allow the client-side relation filter to pass through it and you'll have to set its List/Search API rule to enable the current user to search in it.

    For example, if you have a client-side filter that targets rel1.rel2.token, the client must have not only List/Search API rule access to the main collection BUT also to the collections referenced by "rel1" and "rel2" relation fields.

    Note that this change is only for the client-side filter/sort and doesn't affect the execution of superuser requests, API rules and expand - they continue to work the same as before.

    An optional environment variable to toggle this behavior was considered but for now I think having 2 ways of resolving client-side filters would introduce maintenance burden and can even cause confusion (this change should actually make things more intuitive and clear because we can simply say something like "you can search by a collection X field only if you have List/Search API rule access to it" no matter whether the targeted collection is the request's main collection, the first or last relation from the filter chain, etc.).

    If you stumble on an error or extreme query performance degradation as a result of the extra checks, please open a Q&A discussion with the failing request and export of your collections configuration as JSON (Settings > Export collections) and I'll try to investigate it.

  • Increased the default SQLite PRAGMA cache_size to ~32MB.

  • Fixed deadlock when manually triggering the OnTerminate hook (#7305; thanks @yerTools).

  • Fixed some code comment typos, regenerated the JSVM types and updated npm dependencies.

  • Updated modernc.org/sqlite to 1.40.0.

v0.31.0 Release

24 Oct 04:07

To update the prebuilt executable you can run ./pocketbase update.

  • Display presentable multiple relation fields (#7260).

  • Support Ed25519 in the optional OIDC id_token signature validation (#7252; thanks @shynome).

  • Added ApiScenario.DisableTestAppCleanup optional field to skip the auto test app cleanup and leave it up to the developers to do the cleanup manually (#7267).

  • Added FileDownloadRequestEvent.ThumbError field that is populated in case of a thumb generation failure (e.g. unsupported format, timing out, etc.), allowing developers to reject the thumb fallback and/or supply their own custom thumb generation (#7268).

  • ⚠️ Disallow client-side filtering and sorting of relations where the collection of the last targeted relation field has superusers-only List/Search API rule to further minimize the risk of eventual side-channel attack.
    This should be a non-breaking change for most users, but if you want the old behavior please open a Q&A discussion with details about your use case to evaluate making it configurable.
    Note also that as mentioned in the "Security and performance" section of #4417 and #5863, the easiest and recommended solution to protect security sensitive fields (tokens, codes, passwords, etc.) is to mark them as "Hidden" (aka. make them non-API filterable). A better out of the box handling will be available with the planned fields internals refactoring together with the already started UI rewrite and plugins support.

  • Regenerated JSVM types and updated npm and Go deps.
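
The relation-chain rule from the v0.32.0 notes, and the narrower last-relation check from v0.31.0, can be audited against a collections export before upgrading. This added Go example is not PocketBase code: `lockedInChain` is a hypothetical helper, the export is a constructed sample with an assumed minimal shape, back-relations are not modelled, and only superusers-only (null) List/Search rules are flagged.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type collection struct { // subset of an exported collection (assumed shape)
	ID, Name string
	ListRule *string // null means superusers-only ("locked")
	Fields   []struct{ Name, Type, CollectionID string }
}
const sampleExport = `[
 {"id":"c1","name":"posts","listRule":"","fields":[{"name":"rel1","type":"relation","collectionId":"c2"}]},
 {"id":"c2","name":"members","listRule":null,"fields":[{"name":"rel2","type":"relation","collectionId":"c3"}]},
 {"id":"c3","name":"accounts","listRule":"@request.auth.id != ''","fields":[{"name":"token","type":"text"}]}]` // constructed

// lockedInChain (hypothetical): locked collections a dotted filter path reaches via relations.
func lockedInChain(export, root, path string) (locked []string, err error) {
	var cols []collection
	if err = json.Unmarshal([]byte(export), &cols); err != nil {
		return nil, err
	}
	byKey := map[string]*collection{}
	for i := range cols {
		byKey[cols[i].ID], byKey["name:"+cols[i].Name] = &cols[i], &cols[i]
	}
	cur, ok := byKey["name:"+root]
	if !ok {
		return nil, fmt.Errorf("unknown collection %q", root)
	}
	for _, part := range strings.Split(path, ".") {
		var next *collection
		for _, f := range cur.Fields {
			if f.Name == part && f.Type == "relation" {
				next = byKey[f.CollectionID]
			}
		}
		if cur = next; cur == nil {
			break // plain field (or dangling relation): the chain ends here
		} else if cur.ListRule == nil {
			locked = append(locked, cur.Name)
		}
	}
	return locked, nil
}

func main() { fmt.Println(lockedInChain(sampleExport, "posts", "rel1.rel2.token")) }
```

In the sample, the last relation target (accounts) is searchable, so the v0.31.0 check alone would let `rel1.rel2.token` through; the v0.32.0 check stops it because the junction collection members is locked.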

v0.30.4 Release

17 Oct 08:03

To update the prebuilt executable you can run ./pocketbase update.

  • Fixed json field CSS regression introduced with the overflow workaround in v0.30.3 (#7259).

v0.30.3 Release

15 Oct 18:25

To update the prebuilt executable you can run ./pocketbase update.

  • Fixed legacy identity field priority check when a username is a valid email address (#7256).

  • Workaround autocomplete overflow issue in Firefox 144 (#7223).

  • Updated modernc.org/sqlite to 1.39.1 (SQLite 3.50.4).