CHANGELOG

  • 2.1.4.686 (Latest): Filter Docker-injected bind mounts from Disks+.

    • Excluded /etc/hosts, /etc/resolv.conf, and /etc/hostname from the disk list when running inside a container. These are internal bind mounts injected by the Docker runtime for network configuration and were incorrectly surfacing as mounted disks in Disks+. The filter should apply identically on Linux, Docker Desktop for macOS, and Docker Desktop for Windows.
  • 2.1.4.684: PostCSS security dependency upgrade.

    • Patched PostCSS CVE-2026-41305 (XSS via Unescaped </style> in CSS Stringify Output opened 4 minutes ago) by upgrading postcss (npm) to 8.5.10+. Pinned via npm overrides so every transitive consumer (Tailwind, Vite, Vue compiler) resolves to the patched version.
  • 2.1.4.682: Disks+, Code editor, Calendar & World Clock, Notepad markdown preview, and type-safe data layer.

    • Introduced Disks+, a new File Explorer location next to Storage, Drop Zone and App Drive. Unlock it with your password to start a timed session and browse every physical disk on the machine: internal SSDs, external USBs, optical drives, you name it. All the usual file operations work here too: list, download, upload (including full folder drops with nested subdirectories), delete, rename, create folder, ZIP multiple items, and recursive search with live results. Plug in a USB and it shows up in the sidebar automatically thanks to real-time hot-plug detection. Turns out you didn’t need to flash an ISO for that.
    • Protected Zones require a second password prompt before entering system-critical paths like /etc, /boot, /sys, /proc, /root, /dev, /var/log, /usr/bin, /System, /Library, C:\Windows, C:\Program Files, and others. Once you authorize a zone it stays open for the rest of the session. Locking or timing out wipes all grants. After 5 wrong attempts your IP gets locked out for 5 minutes.
    • End-to-end password encryption for unlock and zone-auth flows. Passwords never travel in plaintext, using the same RSA-OAEP + AES-GCM hybrid encryption already in place for saved settings and login.
    • Sliding session timer. Every successful Disks+ action resets the countdown back to the configured timeout, so you won't get locked out while actively working. The UI updates immediately without waiting for the server sync.
    • Session health indicators in the sidebar. A circular arc next to the Lock button drains as time passes, shifting colour from blue to yellow to orange to red. A thin bar under the Disks+ header mirrors the same progression. Hover for a full mm:ss countdown.
    • Pinned Disk replaces the old "External Drive" concept in Settings. The dropdown groups disks by Internal and External with media-type icons (NVMe, SSD, HDD, USB, Optical) and human-readable sizes. My Home widget and System Logs chart now show the real disk label instead of a generic "External Storage". The disk where HomeDock OS is installed gets detected automatically and excluded from the list so it never appears twice.
    • Disks+ settings in Settings > Storage. Configurable session timeout (3, 5, 10, or 15 minutes, or disabled with a security warning) and a toggle to require password re-entry for protected system paths.
    • Disks+ is a first-class upload location with its own dedicated tray indicator in the taskbar, progress bubble, queue, and tray badge, just like Storage, Drop Zone and App Drive. The sidebar section is collapsible and follows the same accordion pattern. Expanding it on a locked session prompts the unlock modal automatically. Logging out locks any active Disks+ session.
    • Smart search and listing performance. Search skips hidden directories, symlinks, ungranted danger-zone subtrees, and remote mounts before descending into them. Searching on a disk mounted at / actually reaches /Users or /home instead of burning all the time inside /System and /Library. Directory sizes are not calculated for Disks+ listings (matching Finder and Windows Explorer behaviour), so listing a root with folders like /usr or /var is instant instead of taking 30+ seconds.
    • Boot, EFI, and pseudo-filesystem partitions (/boot, /boot/efi, /boot/firmware, /efi) are excluded from the disk list. No more EFI System Partitions cluttering every Linux VPS.
    • Dead remote mount protection. Unreachable NFS, CIFS, SMB, SSHFS, or WebDAV shares are detected from the kernel mount table without touching them and skipped from listings, search, and ZIP generation. A single dead share doesn't freeze everything for the socket timeout. Works on Windows too... I guess, Windows is kind of special for everything.
    • macOS disk detection correctly identifies internal disks on Apple Silicon and T2 Intel Macs (the old check only recognised /dev/disk0 and /dev/disk1, mislabelling everything else as USB). Volume names are recovered from /Volumes/ symlinks so you see "Macintosh HD" instead of raw disk3s1s1 identifiers.
    • Favorites and Recents support Disks+. Items show under a "Disks+" group with the proper icon, navigate back to the correct disk, and check unlock state and zone authorization before doing anything. Opening a favorite inside a long folder listing auto-scrolls to center the file in view.
    • Notepad and File Properties support Disks+. Files opened from Disks+ keep their disk context through the editor (tab icon, status bar, tooltip, save-back route). Saving to a protected path re-prompts zone authorization. File Properties show Location, Disk label, and Mountpoint.
    • App Drive favorites display as Container/file (or Container:N/file for multiple mounts) instead of just the bare filename.
    • My Home lists every connected disk alongside Cloud Storage with one card per mounted disk showing media type, internal/removable badge, usage bar, and size info. The pinned disk sorts first with a pin icon.
    • New Calendar & World Clock utility. Full-featured calendar app with event management, colour-coded events with dots on the calendar grid, and a sidebar showing events for the selected day. Create, edit, and delete events with date/time pickers and notes. Import and export events in standard ICS format for interoperability with Google Calendar, Apple Calendar, and Outlook. Remove duplicate events with a selectable list dialog. World Clock tab lets you add up to 12 timezone clocks with live times, dates, and UTC offsets. The System Tray clock dropdown now shows event indicators on calendar days and lists events for the selected date with an "Open Calendar" button. Responsive layout stacks vertically when the window is narrow using CSS container queries. Menu bar with File (New Event, Import/Export, Remove Duplicates, Delete All, Exit) and View (Calendar, World Clock) menus.
    • Calendar Groups (macOS-style). Events belong to named calendars with distinct colours. Create, rename, recolour, and delete calendars from the sidebar or from a dedicated management dialog. Deleting a calendar asks for double confirmation with a Switch toggle to keep or permanently delete its events. ICS import prompts which calendar to import into, with an inline option to create a new one on the spot. View menu shows per-calendar visibility toggles so you can hide entire calendars without deleting them. Event colours are inherited from their calendar, not set per-event, keeping everything consistent.
    • Proximity-aware event indicator on the System Tray clock. The dot now pulses and shifts colour as the next event approaches: blue when far away, yellow within 3 hours, orange within 1 hour, red within 15 minutes, and a pulsing red ping when the event is happening right now. Colour transitions are smooth (2 s ease) and the urgency level updates every second.
    • Responsive tab switcher in narrow Calendar sidebar. When the window is below 520 px, the sidebar switches from stacked sections to an Events / Calendars tab bar, showing one panel at a time. Wide mode keeps both panels with a collapsible Calendars section using the same expand-wrapper pattern as File Explorer.
    • Launchpad-style app grid in My Home. System Apps and Utilities are now displayed as an icon grid instead of a plain list, with rounded app icons, truncated labels, and adaptive column count based on window width.
    • New Code editor utility. Programming files (.js, .ts, .py, .vue, .json, .css, .html, .sh, .yml, and many more) now open in a dedicated Code editor with syntax highlighting. Supports multi-tab editing, Save and Save As to Storage, and automatically pops a dialog to save all open tabs when the window closes. Notepad stays focused on plain text and Markdown.
    • Notepad Markdown preview. Markdown files now have three view modes you can switch from the View menu or a floating badge: Edit (plain text), Live Preview (side-by-side with synchronized scrolling), and full Preview (read-only rendered output). Keyboard shortcuts: Ctrl+L for Live Preview, Ctrl+P for Preview. Rendered output is sanitized with DOMPurify and external images are replaced with a themed placeholder showing the URL.
    • Theme-aware Markdown rendering. Code blocks inside Markdown get syntax highlighting with colours that adapt to the current theme (Default, Noir, Aero) through CSS variables.
    • Centralized SSE store. Real-time server-sent events (system stats, disk hot-plug) now go through a single shared store with automatic reconnection and exponential backoff, replacing the old per-component approach.
    • Type-safe data layer. All backend-to-frontend data contracts are now defined as TypeScript interfaces (CommonData, DashboardData, DiskData, SettingsData, ThemeData, PortData, ErrorData). Components use typed injection instead of inline object shapes, and all property names are normalized to snake_case to match the backend.
    • App loading screen icon preload. The app icon next to the title now preloads the full image in memory before revealing it with a slide-in animation, instead of reserving space while the browser is still downloading. No more layout clunk.
    • Port scanning overlay in folders. The infinite-slider animation that shows while a running app is discovering its ports now appears inside Folder windows too, not just on the Desktop grid. Same PortScanningOverlay component and detection logic, it was simply never wired up in AppFolder.vue. Damn son...
    • So at the end of the day we just figured out that we're not building a NAS OS, we're building an actual OS for your NAS. Or... Kind of, lol

  • 2.1.2.114: localStorage-persisted wallpaper hash for zero-reload wallpapers.

    • Wallpaper hash now persists in localStorage. djb2 hash computed once, stored in wallpaperHash, read instantly on page load for a stable URL and browser cache hit. Background verify on each load updates it only if the image actually changed. (You're hired back, just in case).
  • 2.1.2.112: Wallpaper cache bust fix and reactive login screen lines.

    • Replaced timestamp-based wallpaper cache busting (💩) with a djb2 hash (😈). Someone thought Date.now() on every updateTheme call was a good idea, causing the custom wallpaper to re-download on every theme interaction (you're fired). Now uses Daniel J. Bernstein's djb2 hash (h = h*33 ^ byte, unsigned 32-bit) computed directly from the image bytes in AeroPlusWallpaper.vue. Same image produces a stable hash, so the browser caches it naturally. Different image produces a different hash, so cache invalidation is automatic. No backend changes, the component owns its own cache key. Magick!
    • Oscillating lines now react to login state because we designed for 2036, not 2026. Wrong password? Lines flash red for 2 seconds and thicken like they felt the rejection too. Correct login? They gracefully disperse off-screen as if holding the door open for you. Zero new components, zero new animations. The reactive line system from the app loading screen was already there, just waiting for someone to plug it into Login.vue. Three props, one flashLoginError(), done. UX so smooth it should be illegal.
  • 2.1.2.110: Virtual scroll, screenshot window bars, polish, and DropZone encryption upgrade.

    • Upgraded DropZone encryption to dzkey_v3 (HKDF). Replaced PBKDF2 (1.2M iterations) with HKDF for key derivation. Since the base key is already a cryptographically strong os.urandom(32) secret, PBKDF2's slow-by-design iterations added no security value; HKDF is the correct KDF for high-entropy inputs. Instantaneous derivation with identical security, eliminating the need for derived key caching, TTL timers, and any possible out-of-the-box threading. HKDF info field now includes a purpose-scoped context string (dropzone/file-encryption/v3/) to prevent key collisions if multiple derivations share the same base secret. Transparent migration from v2 (PBKDF2/GCM) and v1 (PBKDF2/CBC) on first file access.
    • Atomic file writes in DropZone. Encrypted files are now written to a .tmp file first, then atomically replaced via os.replace(), preventing data loss if the process crashes mid-write.
    • Virtual scroll for the App Store listing. Only visible rows are rendered in the DOM, fixing crashes on iPhone and improving performance across all devices when browsing large app catalogs.
    • Screenshot thumbnails now display a window title bar with traffic light dots matching the style used on our website. Themed for all three visual modes.
    • Default Credentials section now has a visible title header consistent with Ports, Volumes, and other config sections.
    • Category icons in the info bar now match the icons used in the App Store category filters instead of a generic shape.
    • Help tooltips on empty config sections (Ports, Volumes, Environment) explaining why a section may be empty, so users know it's not an error.
    • Smoother category transitions. Switching categories fades the entire list at once instead of animating each card individually, reducing layout thrashing.
    • Redesigned App Loading screen. App name badge with frosted glass pill and container icon, step indicators (Connecting → Verifying → Launching) with animated progression, and a "Try Again" button when connection fails. Oscillating background lines now react to connection state, dispersing on success, turning red and thickening on error, and resetting on retry.
    • App display name from store in the loading screen. Shows the real app name (e.g. "Open WebUI") instead of the container slug.
    • Fixed icon priority in dashboard. Native app icons (docker-icons/) now take precedence over external package icons (user-images/), preventing imported packages from overriding system app icons.
    • Fixed App Store icon swapping on resize. Virtual scroll rows now use app-name-based keys instead of numeric indices, preventing Vue from recycling DOM nodes with stale icons when column count changes.
    • Faster App Store initial load. External apps and container status are now fetched in parallel via Promise.all, and the app list is only rendered once with its final state (new/installed badges), eliminating the visual reordering flash.
    • App icon resolution with fallback. Icons in the loading screen are resolved via HEAD requests trying docker-icons/ first (native apps), then user-images/ (external packages), with .jpg, .jpeg, .png extension probing.
    • Port scanning indicator on desktop icons. Containers that are running but still waiting for port detection now show a subtle animated loading bar overlay on their icon, on both desktop and mobile. Detects scanning state via duplicate ports (raw Docker data) or disabled flag, and excludes hostmode containers.
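
The dzkey_v3 and atomic-write entries of 2.1.2.110 above, sketched as an added example (not HomeDock OS source code): HKDF-SHA256 from the standard library with a purpose-scoped info string, and a write-to-temp-then-os.replace() helper. The second purpose string, the function names, the fsync call and the sample data are assumptions made for the illustration.

```python
# Added illustration; not HomeDock OS source code.
import hashlib
import hmac
import os
import tempfile

HASH_LEN = hashlib.sha256().digest_size

# Context string quoted in the changelog entry.
PURPOSE_FILE = b"dropzone/file-encryption/v3/"
# Constructed second purpose, used only to show domain separation.
PURPOSE_OTHER = b"example/other-purpose/v1/"


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested HKDF output is too long")
    # Extract: an empty salt is replaced by HASH_LEN zero bytes.
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    # Expand: T(n) = HMAC(PRK, T(n-1) | info | n)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def atomic_write(path: str, chunks) -> None:
    """Write chunks to a temp file beside path, then swap it in with os.replace()."""
    directory = os.path.dirname(os.path.abspath(path))
    # Same directory as the target, so the final rename stays on one filesystem.
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as fh:
            for chunk in chunks:
                fh.write(chunk)
            fh.flush()
            os.fsync(fh.fileno())  # assumption: flush to disk before the rename
        os.replace(tmp_path, path)
    except BaseException:
        # The target was never touched; only the temp file needs cleaning up.
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise


def crash_demo():
    """Simulate a failure mid-write; return (target content, directory listing)."""
    def failing_chunks():
        yield b"partial ciphertext"
        raise RuntimeError("simulated crash mid-write")

    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "file.enc")
        atomic_write(target, [b"old ciphertext"])
        try:
            atomic_write(target, failing_chunks())
        except RuntimeError:
            pass
        with open(target, "rb") as fh:
            content = fh.read()
        return content, sorted(os.listdir(workdir))


if __name__ == "__main__":
    base_secret = os.urandom(32)  # high-entropy base key, as in the entry
    file_key = hkdf_sha256(base_secret, PURPOSE_FILE)
    other_key = hkdf_sha256(base_secret, PURPOSE_OTHER)
    print("file key :", file_key.hex())
    print("other key:", other_key.hex())
    print("keys differ:", file_key != other_key)
    print("after failed write:", crash_demo())
```
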

  • 2.1.2.106: App Store and App Installation Window redesign inspired by Apple App Store style.

    • Redesigned App Store listing from a card grid to Apple-style horizontal rows with larger icons, app info, and compact "GET" pill buttons.
    • Redesigned category filters as smooth filled pills with clean horizontal scroll. Active category highlighted in solid blue.
    • Replaced pagination with infinite scroll. Apps load progressively as you scroll down, with automatic pre-loading for a seamless browsing experience.
    • Redesigned Install Config page with a larger app icon, matching "GET" pill button, and a cleaner header with truncated text for smaller screens.
    • Added info bar to the Install Config page showing Category, Type, Image, Version, Security, and Dependencies at a glance. Each cell shows a tooltip on hover explaining what it means. External apps display an amber "Source" indicator.
    • Screenshots are now part of Simple Config mode and animate in/out when switching to advanced mode. Thumbnails are larger with a saturation effect on hover.
    • Configuration sections wrapped in clean cards with softer titles and inline controls. Privileged Mode toggle moved next to its heading.
    • Empty state indicators for Ports, Volumes, and Environment with a help tooltip explaining why a section may be empty, so users don't think something is broken.
    • Polished search dropdown with larger app icons, inline "NEW" badges, and better layout.
    • Extended theme support across all three themes (Default, Noir, Aero) for every new UI element.
  • 2.1.2.34: Hotfix for app installation broken by Docker project name injection.

    • Fixed app installation failure caused by injecting a name field into compose files at install time. Docker Compose v1/v2/v3 format rejects unknown root keys like name, which broke all installations when the compose fallback used a legacy engine. Removed the injection entirely.
  • 2.1.2.32: Third-Party Stores, Packager upgrades, installation error feedback, and security patches.

    • Patched axios CVE-2026-40175 and CVE-2025-62718 (critical) by upgrading axios (npm) to 1.15.0+, fixing a header injection chain that could leak cloud credentials and a NO_PROXY hostname normalization bypass that enabled SSRF against loopback services. Also lifts the version pin introduced in 2.1.0.604.
    • Added Third-Party Stores tab to the Packager. Import entire app stores from Casa-compatible and Zima-compatible store community projects by pasting a GitHub ZIP archive URL. Apps are previewed, selectable, and converted to .hds packages automatically: metadata, icons, volumes, networks, ports, labels, and architecture are all adapted for HomeDock OS, with full credits to the original maintainers.
    • Added Migrate Compose to the Third-Party Stores tab. Drop or browse a single Casa-compatible docker-compose.yml file to convert it into a ready-to-install .hds package.
    • Added 3 predefined third-party stores (BigBearTechWorld, TMC Store, Zima App Store) as one-click import cards. Click any of them to download, preview, and selectively import hundreds of apps.
    • Added suggested_port and suggested_trail fields to the HDS manifest and Package Generator. Apps using network_mode: host can now specify which port HomeDock OS should use for the access button, and apps serving their UI at a subpath (e.g., /admin, /web) can declare it so the dashboard builds the correct URL.
    • Added HDGroup/HDRole labels auto-injection for multi-service composes. When a compose has more than one service, labels are injected so HomeDock OS can uninstall dependencies alongside the main container. Also auto-populates the dependencies list and is_group flag in the manifest.
    • Added Docker project name injection at install time. If a compose file has no name: field, HomeDock OS now injects the app slug as the project name so Docker resources (networks, volumes) are prefixed cleanly instead of using the temporary hash directory name.
    • Added installation error notifications. When an app fails to install (architecture incompatibility, TLS errors, disk space, permissions, etc.), a descriptive notification now appears in the bottom-right corner instead of failing silently. Errors are classified from Docker stderr output.
    • Added selectable import for .hdstore bundles. The import dialog now shows checkboxes with Select All / Deselect All, matching the export dialog UX. Apps that already exist are marked and cannot be selected.
    • Added Support Badges to the badge sharing dialog. Developers can now download "{AppName} works better on HomeDock OS" badges in dark and light variants, generated in runtime with vector graphics. Badges are organized in an accordion with three sections: App Store, Support, and Branding.
    • Branding Badges are now fully inline, generated as SVG with <text> elements and vector logo paths. The static badge SVG files in /images/badges/ are no longer needed.
    • Duplicate prevention in the App Store. When external apps share the same slug as a native app, the native version takes priority and the external duplicate is filtered out.
    • Compose normalization for third-party imports: long-form ports (target/published/protocol dicts), long-form volumes (type/source/target dicts), x-casaos extensions, networks, empty fields (devices: [], cap_add: [], command: []), comments, and [[INSTALL_PATH]] placeholders are all handled correctly through YAML-safe round-tripping.
    • Fixed [[INSTALL_PATH]] YAML corruption. Double brackets were misinterpreted as YAML flow sequences during parsing, causing volume paths to break into nested lists. Fixed by using safe placeholders during the YAML round-trip cycle.
    • Fixed Docker Compose stderr capture for error classification. When python-on-whales raises a DockerException without capturing stderr, the error handler now retries with subprocess to capture the real Docker error message. Maybe we should send a PR.
    • Increased .hdstore package limit from 300 to 999 packages per bundle.
    • Increased third-party store ZIP download limit from 200 MB to 500 MB.
    • Fixed /DATA/* volume mounts from Casa-compatible imports. Paths like /DATA/Media, /DATA/Downloads, etc. are now rewritten to [[INSTALL_PATH]]/{appSlug}/... instead of being left as hardcoded host paths.
    • Added "Open Format" info card to the How it Works section, explaining that .hds and .hdstore files are standard ZIP archives with SHA-256 signatures, not proprietary formats.
    • What's narrative control? What's SEO? We ship, six seven!
  • 2.1.0.608: Update All button, container update fix and security patches following our (not) SLA (the never-ending story).

    • Patched cryptography CVE-2026-39892 (Buffer Overflow via Non-Contiguous Buffers opened 14 hours ago) by upgrading cryptography (pip) to 46.0.7+, fixing a moderate severity vulnerability where passing non-contiguous buffers to APIs accepting Python buffers (e.g. Hash.update()) could lead to buffer overflows reading past the end of the buffer on Python >3.11.
    • Added Update All button to the container updates tray icon. When two or more container updates are available, a button appears at the bottom of the dropdown to trigger all pending updates at once.
    • Fixed container updates when service_name and container_name differed in hd_DockerAPIUpdateContainer.py. Docker Compose services that define a custom container_name would trigger the update correctly but never reappear in the dashboard afterwards, as the container could not be matched back by name post-recreation.
  • 2.1.0.606: Security patches following our (not) SLA (the saga continues).

    • Patched vite CVE-2026-39363 (Arbitrary File Read via Dev Server WebSocket opened 11 hours ago) by upgrading vite (npm) to 7.3.2+, fixing a high severity vulnerability where fetchModule invoked via the HMR WebSocket bypassed server.fs access controls, allowing retrieval of arbitrary files on the server.
    • Patched 2 additional vite vulnerabilities (missing CVEs) (server.fs.deny bypass via query parameters and path traversal in optimized deps .map handling, opened 11 hours ago) by upgrading vite (npm) to 7.3.2+, fixing high and moderate severity vulnerabilities where ?raw/?import&raw query parameters bypassed server.fs.deny rules and ../ segments in .map requests escaped the project root.

      TL;DR: All 3 vulnerabilities target Vite's dev server only (server.fs, WebSocket HMR, .map handling); none of them affect the production build or end users. We patch them anyway because keeping dependencies clean is the right thing to do and we can't know what people are doing with the repo at home.

  • 2.1.0.604: Security patches following our (not) SLA (the trilogy).

    • Patched lodash-es CVE-2026-4800 (Code Injection via _.template imports opened 15 hours ago) by upgrading lodash-es (npm) to 4.18.0+, fixing a high severity vulnerability where untrusted input as options.imports key names could execute arbitrary code at template compilation time. Transitive dependency via ant-design-vue.
    • Patched lodash-es CVE-2026-2950 (Prototype Pollution via _.unset and _.omit opened 15 hours ago) by upgrading lodash-es (npm) to 4.18.0+, fixing a moderate severity vulnerability where array-wrapped path segments could bypass prototype pollution protections, allowing deletion of properties from built-in prototypes. Transitive dependency via ant-design-vue.
    • Pinned axios to 1.13.6 due to an active supply chain attack on axios@1.14.1, which introduces plain-crypto-js@4.2.1, a confirmed malicious package that acts as an obfuscated dropper executing shell commands at install time. Version pinned until the incident is resolved... Props to the homeboy @midudev for the hint, what a time to be alive.
  • 2.1.0.602: Security patches following our (not) SLA (yes, again).

    • Patched node-forge CVE-2026-33891 (DoS via Infinite Loop opened 42 hours ago) by upgrading node-forge (npm) to 1.4.0+, fixing a high severity vulnerability where a zero input to modInverse() caused the process to hang indefinitely.
    • Patched node-forge CVE-2026-33895 (Ed25519 Signature Forgery opened 42 hours ago) by upgrading node-forge (npm) to 1.4.0+, fixing a high severity vulnerability where Ed25519 verification accepted forged non-canonical signatures.
    • Patched node-forge CVE-2026-33894 (RSA-PKCS Signature Forgery opened 42 hours ago) by upgrading node-forge (npm) to 1.4.0+, fixing a high severity vulnerability where RSA signature verification accepted forged signatures for low-exponent keys.
    • Patched node-forge CVE-2026-33896 (Certificate Chain Verification Bypass opened 42 hours ago) by upgrading node-forge (npm) to 1.4.0+, fixing a high severity vulnerability where non-CA certificates could act as intermediate CAs when certain extensions were absent.
    • Patched cryptography CVE-2026-34073 (DNS Name Constraint Bypass opened 42 hours ago) by upgrading cryptography (pip) to 46.0.6+, fixing a low severity vulnerability where DNS name constraints weren't enforced against peer names during validation.
  • 2.1.0.498: Security patches following our (not) SLA.

    • Patched picomatch CVE-2026-33671 (ReDoS via extglob quantifiers opened 3 hours ago) by upgrading picomatch (npm) to 4.0.4+ and 2.3.2+, fixing a high severity vulnerability where certain extglob patterns could cause catastrophic regex backtracking, blocking the event loop. Transitive dependency via Vite and Tailwind CSS.
    • Patched picomatch CVE-2026-33672 (Method Injection in POSIX Character Classes opened 3 hours ago) by upgrading picomatch (npm) to 4.0.4+ and 2.3.2+, fixing a moderate severity vulnerability where crafted POSIX bracket expressions could inject inherited method names into generated regexes, causing incorrect glob matching. Transitive dependency via Vite and Tailwind CSS.
    • Patched requests CVE-2026-25645 (Insecure Temp File Reuse in extract_zipped_paths() opened 3 minutes ago) by upgrading requests (pip) to 2.33.0+, fixing a moderate severity vulnerability where predictable temp filenames could be pre-created by a local attacker to substitute malicious files. Standard Requests usage is not affected, only direct extract_zipped_paths() calls.
    • Fixed Planchette App Store category typo from "Media Server" to "AI Talking Board", because no, a spirit board is not a media server... Or is it? 👻
  • 2.1.0.496: SSE streaming fix and App Store addition.

    • Fixed browser tab freeze after prolonged use: the dashboard stats stream internally accumulated browser resources on each reconnection cycle (~every 5 minutes), eventually causing the tab to become unresponsive after extended sessions. Replaced the streaming mechanism and fixed reconnection error handling.
    • Updated python-on-whales from 0.80.0 to 0.81.0.
    • Added Planchette to the App Store, a local AI Ouija-style spirit board that talks back. Just your machine and whatever's on the other side 👻
  • 2.1.0.494: Security patches for unhead (XSS bypass), dashboard SSE rewrite, and dependency updates.

    • Patched unhead CVE-2026-31873 (Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity opened 44 hours ago) by upgrading @unhead/vue (npm) to 2.1.12+, fixing a low severity vulnerability where link.href sanitization was case-sensitive, allowing JAVASCRIPT: or DATA: URI schemes to bypass the filter since browsers treat them case-insensitively.
    • Patched unhead CVE-2026-31860 (XSS bypass in useHeadSafe via attribute name injection opened 44 hours ago) by upgrading @unhead/vue (npm) to 2.1.12+, fixing a moderate severity vulnerability where data-* attribute keys containing spaces could break out of the HTML attribute and inject event handlers like onload, achieving XSS on SSR-rendered <head> tags.
    • Replaced dashboard polling with Server-Sent Events (SSE): consolidated 11 individual /thread/* polling endpoints into a single /stream/stats SSE stream. The backend now pushes only changed values as JSON patches every 2 seconds, with an initial snapshot on connect, heartbeat keep-alives, and server-initiated reconnect after 5 minutes. This eliminates ~11 concurrent setInterval + axios.get loops per browser tab, reducing HTTP request volume by ~90% and delivering real-time updates with lower latency.
    • Unified backend metrics modules: merged 8 separate service files (hd_LogCPUTemp.py, hd_LogCPUUsage.py, hd_LogRAMUsage.py, hd_LogDiskUsage.py, hd_LogExternalDiskUsage.py, hd_LogNetworkUsage.py, DashboardCPUTemp.ts, DashboardCPUUsage.ts, etc.) and hd_UIDashboardThreads.py into two focused modules: hd_DashboardMetrics.py (cache + collectors + log samplers) and hd_SSEStats.py (SSE stream with singleton StatsCollector, per-session client limits, and delta-only broadcasting).
    • Frontend store rewritten for SSE: useSystemStatsStore now uses a ReadableStream reader with chunked SSE parsing, exponential backoff reconnect with jitter, and AbortController-based teardown, replacing the previous per-metric setInterval + adaptive polling approach.
    • Added ThreadPoolExecutor(max_workers=50) as the default asyncio executor, preventing SSE stream handlers from starving the thread pool under concurrent connections.
    • Updated axios from 1.13.5 to 1.13.6.
    • Updated vue from 3.5.27 to 3.5.30.
  • 2.1.0.492: Rollup CVE-2026-27606 hotfix, reverse proxy support, auto-port routing fix, and various fixes.

    • Patched CVE-2026-27606 (Arbitrary File Write via Path Traversal in Rollup opened 15 hours ago) by overriding rollup (npm) to 4.59.0+, fixing a high severity vulnerability where ../ path traversal sequences could write files outside the output directory. Transitive dependency via Vite.
    • Added Reverse Proxy support (reverse_proxy config option) with a new toggle in Settings > System. When enabled, HomeDock OS wraps the Flask app with Werkzeug's ProxyFix middleware (trusting X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host), sets SESSION_COOKIE_SECURE = True for TLS termination, and prints the reverse proxy status at boot. Requires restart. It should work with most reverse proxies.
    • Added 421 Misdirected Request response in the HTTP redirector when X-Forwarded-Proto: https is detected, preventing reverse proxies from accidentally routing already-secure traffic to the HTTP-to-HTTPS redirect server.
    • Simplified service URL generation in container data API: removed complex urlparse + X-Forwarded-Host hostname resolution in favor of relative paths (/app/{port} instead of protocol-relative //host/app/{port}), eliminating hostname validation edge cases and making the URLs work naturally behind reverse proxies.
    • Fixed auto-port routing for network_mode: host suggested ports: we removed the check_port_availability() gate that prevented suggested ports from being assigned when the container wasn't running yet, which caused apps with suggested ports (e.g., Home Assistant, Plex, Pi-hole) to lose their automatic routing config.
    • Added default credentials for the Disavow Generator application in the App Store; they were missing when we added them all, or at least... when we tried to add them all lol
    • Added "Requires Restart" badge in Settings > System for options that need a HomeDock OS restart to take effect (Local DNS Access, Reverse Proxy). The badge only appears when the value has been changed from its current state, with a smooth fade transition.
    • Improved login error feedback when reverse proxy mode is enabled: accessing HomeDock OS directly via plain HTTP when reverse_proxy is enabled now shows "Login only permitted from a valid HTTPS source" instead of failing silently, since Secure session cookies can't be sent over unencrypted connections.
  • 2.1.0.490: Security patch for port routing configuration injection.

    • Fixed Configuration Injection via Newline in Port Routing container_id (reported by Jupiter Belic) by sanitizing the container_id parameter in hd_UIDashboardPortRouting.py through sanitize_container_name(), which strips any character outside [a-zA-Z0-9_-]. Docker itself already enforces a regex on container names at creation time, but as defense in depth we now also sanitize on our side before the value reaches any internal logic.
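
The allow-list described in this entry, as an added example (not HomeDock OS's own code): the same character filter applied before a container_id is written into a line-oriented config. The config format, `render_route`, `parse_routes` and `sanitize_container_id` are assumptions made for illustration, and the input is constructed.

```python
import re
from typing import List, Tuple

# Allow-list from the changelog entry: strip anything outside [a-zA-Z0-9_-].
_DISALLOWED = re.compile(r"[^a-zA-Z0-9_-]")

# Constructed input: a container_id carrying a newline and a second config line.
CONSTRUCTED_INPUT = "web -> 192.0.2.10:9\nroute x"


def sanitize_container_id(value: str) -> str:
    """Hypothetical re-implementation of the character allow-list."""
    cleaned = _DISALLOWED.sub("", value)
    if not cleaned:
        # Nothing usable is left; refuse instead of writing an empty name.
        raise ValueError("container_id is empty after sanitization")
    return cleaned


def render_route(container_id: str, port: int) -> str:
    """Render one entry of a made-up, line-oriented routing config."""
    return f"route {container_id} -> 127.0.0.1:{port}\n"


def parse_routes(config: str) -> List[Tuple[str, str]]:
    """Read the made-up format back as (container, upstream) pairs."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "route" and parts[2] == "->":
            routes.append((parts[1], parts[3]))
    return routes


def compare(value: str, port: int):
    """Return the parsed config without and with sanitization."""
    before = parse_routes(render_route(value, port))
    after = parse_routes(render_route(sanitize_container_id(value), port))
    return before, after


if __name__ == "__main__":
    before, after = compare(CONSTRUCTED_INPUT, 8080)
    print("unsanitized:", before)  # one request, two config entries
    print("sanitized:  ", after)   # one request, one config entry
```

Stripping keeps the request working but changes the value, so a caller that needs to detect tampering can compare the sanitized string with the original and reject on mismatch.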
  • 2.1.0.489: Security patches for Werkzeug and Flask.

    • Patched Werkzeug CVE-2026-27199 (opened 7 hours ago) by upgrading werkzeug (pip) to 3.1.6+, fixing a moderate severity vulnerability where safe_join failed to filter Windows (🙉) special device names (e.g., NUL) when preceded by other path segments, allowing send_from_directory to open device files and hang indefinitely on Windows.
    • Patched Flask CVE-2026-27205 (opened 7 hours ago) by upgrading flask (pip) to 3.1.3+, fixing a low severity vulnerability where certain forms of session access (e.g., using the in operator) did not trigger the Vary: Cookie response header, potentially allowing caching proxies to serve session-specific responses to other users. Don't ship on Friday... But what about Saturday?
  • 2.1.0.488: Default credentials for apps, UI/UX improvements, Packager UI redesign, and share improvements.

    • Added Default Credentials support: apps that ship with hardcoded login credentials (e.g., admin/admin123) now display them with copy-to-clipboard in the App Store install screen, with a reminder to change them after first sign-in. This works for both built-in App Store apps and .hds packages.
    • Default credentials also appear in the Properties panel of installed apps in the Desktop (Right click > Properties), so you can check them anytime without having to look them up elsewhere.
    • Added Default Credentials toggle in the Package Generator, letting developers and packagers specify the default username and password when creating an .hds package.
    • Added auto-generated password hint in the install screen. Apps that receive a unique random password before installation now show a partially masked preview (first 6 characters + bullet dots) with a copy button. The previous UI confused users into thinking this was their HomeDock OS login password. HomeDock OS never knows your login password, and that's the whole point of generating random per-app passwords. Copy it, change it, or leave it as-is.
    • Added minimum password length validation for apps (e.g., File Browser requires 12 characters, otherwise it doesn't even boot up). A red inline warning appears when the password is too short, and the Install button is disabled until the requirement is met.
    • Install button is now disabled when required credential fields (username or password) are empty, preventing broken installations.
    • Added suggested port and suggested trail fields for apps, improving automatic port routing for containers running in host network mode (e.g., Home Assistant on port 8123, Plex on 32400/web, Pi-hole on /admin and so on).
    • Redesigned the Package Generator UI (yes, again lol) with a responsive 2-column grid layout for metadata fields, more compact horizontal upload areas, and colored icon badges on section headers.
    • Package Manager is now the default tab in Packager (instead of Package Generator), with shortened tab labels.
    • Added empty state in Package Manager that links to the Package Generator when no packages exist yet.
    • Added Discord sharing section in the Share Badge dialog with a direct link to the #package-sharing channel and a "Join Discord" button.
    • Updated the App Store submission section wording, now mentioning support for indie developers.
    • Share badges now download as .png instead of .svg for better compatibility, rendered at 4x resolution via canvas.
    • Duplicati now ships with an auto-generated encryption key and password; the app was broken without them, so we fixed it.
    • qBittorrent now supports custom username and password at install time via PBKDF2 hash generation in the container entrypoint, quite hacky, perfectly working.
    • Added GhostInk to the App Store, technically platform-agnostic, but the app is so full of hidden-in-emojis HomeDock OS shout-outs that adding it elsewhere would feel awkward heh.

      TL;DR: Sphynx, our up-and-coming built-in reverse proxy written entirely in Python + aiohttp, has reached a very (very very lol) advanced stage and will be released as a pip package under the AGPLv3 license. It's what will make Docker apps run seamlessly inside Prism Window Manager, with localStorage isolation via IndexedDB KVs, path rewriting, and no need to open ports anymore, with a ~97% success rate in testing. If you'd like to beta test it, open an issue.

  • 2.1.0.486: Security patch for axios.

    • Patched CVE-2026-25639 (Denial of Service via __proto__ key in axios mergeConfig opened 5 minutes ago) by upgrading axios (npm) to 1.13.5+, fixing a high severity vulnerability where JSON.parse()-derived config objects with __proto__ as own property caused a TypeError crash in mergeConfig, enabling DoS on any backend passing user-controlled JSON to axios.

      TL;DR: A specially crafted JSON payload could crash any app using axios by exploiting a quirk in how JavaScript handles __proto__. Not prototype pollution, just a straight crash... Patched by upgrading axios as usual tho.

  • 2.1.0.484: Security patch for cryptography package.

    • Patched CVE-2026-26007 (Subgroup Attack in cryptography public_key_from_numbers and EllipticCurvePublicNumbers.public_key opened 8 hours ago) by upgrading cryptography (Python package) to 46.0.5+, fixing a high severity vulnerability where SECT curves lacked subgroup validation, allowing private key leakage via ECDH and signature forgery via ECDSA.

      TL;DR: HomeDock OS uses RSA, AES-GCM, and Ed25519, none of which are SECT curves, so this vulnerability didn't affect us in practice. We patched it anyway because staying ahead of CVEs is the best way to keep your data safe, even when the fire isn't in our house.

  • 2.1.0.482: Packager .hdstore Full App Store bundles, share badges for apps, and UI refinements.

    • Added Share Badges to the system app Packager: when you tap "Share", a dialog lets you preview and download custom SVG badges for your app in light and dark themes. Each badge features your app's icon as a blurred background, the icon in full detail, and the "Get {AppName} on the HomeDock OS App Store" call to action, all self-contained in a single SVG file with the icon embedded as base64, ready to drop into a README, website, or docs.
    • Added generic branding badges (light and dark) for the HomeDock OS App Store, similar to Apple's "Download on the App Store" badges, available for download alongside the custom per-app badges.
    • Added Submit to the public App Store section in the share dialog, guiding developers to send their .hds packages to apps@homedock.cloud for review and public listing.
    • Introduced the .hdstore bundle format, a new way to export and import multiple apps at once. You can now select several apps from your library as a bundle, export them as a single .hdstore file, and share or import the whole bundle on another HomeDock OS instance.
    • Added preview before import for .hdstore bundles, letting you inspect the contents of a bundle before committing to the import.
    • Improved app slug generation: spaces are now converted to hyphens instead of being stripped, producing cleaner and more readable identifiers (e.g., "My App" becomes my-app instead of myapp).
    • Replaced tab navigation with segmented controls in Settings and Packager for a more compact, modern look with smooth horizontal scrolling on smaller screens.
    • Added "Add your own apps" button in the App Store header, linking directly to the Packager for a more discoverable publishing flow.
    • Added smooth animated tab transitions in Settings, with height auto-adaptation when switching between sections of different sizes.
  • 2.1.0.236: App Store additions and Packager bugfix.

    • Added Disavow Generator to the App Store, a tool for creating Google disavow files to remove toxic backlinks from your site's link profile. Born as an internal CLI tool to fight a dumb negative SEO attack we faced in January, now it's yours too :)
    • Fixed App Packager category validation where selecting categories like "AI" or "Developer Tools" would fail with an "Invalid category" error because the backend used an outdated category list that was out of sync with the App Store categories.
  • 2.1.0.234: Security patches and dependency updates.

    • Patched CVE-2025-13465 (Prototype Pollution in lodash _.unset and _.omit functions opened 7 hours ago) by adding overrides for lodash and lodash-es to versions 4.17.22+ and 4.17.23+ respectively, fixing a moderate severity vulnerability introduced transitively via ant-design-vue.
    • Updated @unhead/vue from 2.0.19 to 2.1.2.
    • Updated vite from 7.2.7 to 7.3.1.
    • Updated vue from 3.5.25 to 3.5.27.
    • Updated @types/node from 25.0.1 to 25.0.10.
    • Updated @vitejs/plugin-basic-ssl from 2.1.0 to 2.1.4.
  • 2.1.0.232: Unified File Explorer with three storage backends, new utility applications suite, and consolidated file management experience.

    • Introduced Unified File Explorer combining three storage backends into a single, cohesive file management interface: Storage (unencrypted local files), DropZone (AES-256-GCM encrypted files), and AppDrive (Docker container volumes).
    • Native audio & video playback via Media Player: MP4, WebM, OGV, OGG, MP3, WAV, AAC, FLAC, M4A.
    • Native image viewing & annotation via Image Viewer & Brusher: JPG, JPEG, PNG, GIF, WebP, BMP, ICO, TIF, TIFF.
    • Native PDF rendering via PDF Viewer.
    • Native text & code editing via Notepad: TXT, MD, JSON, YML, YAML, XML, CONF, INI, ENV, LOG, JS, TS, JSX, TSX, and more (much more, lol).
    • Removed standalone App Drive and Drop Zone applications in favor of the new unified File Explorer, reducing code duplication and providing a consistent user experience across all storage types.
    • Added Window Snap to Screen feature allowing desktop users to snap windows to left or right half of the screen by dragging to screen edges, with animated pulsating blue preview indicator, automatic size restoration when unsnapping, and respect for window constraints (disabled for non-maximizable windows like Calculator and Properties).
    • Added Audio Indicator to the Taskbar that appears when media is playing in the Media Player, with styled volume controls and active media playback.
    • Added sidebar navigation to File Explorer providing quick access between storage locations, favorites, and recent files.
    • Implemented favorites system allowing users to bookmark up to 50 frequently accessed files or folders across all three storage backends.
    • Implemented recents tracking that automatically records the last 100 accessed items, making it easy to return to recently used files.
    • Created unified upload progress indicator in the system tray consolidating upload tracking for all storage backends into a single component.
    • Added Notepad utility featuring a full-featured text editor with per-user AES-256-GCM encryption for notes, auto-save functionality, and complete note management.
    • Added Calculator utility with standard arithmetic operations and full keyboard support.
    • Added Image Viewer utility supporting common formats (JPG, PNG, GIF, WebP, SVG) with zoom, pan, and rotation controls.
    • Added Media Player utility for audio and video playback with volume controls, fullscreen support, and real-time spectrum analyzer for audio visualization using Web Audio API.
    • Added PDF Viewer utility powered by PDF.js with page navigation, zoom controls, and search functionality.
    • Added Brusher utility for simple image annotation and quick markups.
    • Implemented unencrypted Storage API with full CRUD operations, folder management, multi-file ZIP downloads, and comprehensive path traversal protection.
    • Implemented encrypted Notepad API using existing DropZone encryption infrastructure for secure note storage.
    • Implemented File Explorer metadata API for managing favorites and recents with location-aware storage across all three backends.
    • Added centralized state management for File Explorer including current location, path navigation, view preferences, and selection state.
    • Created unified upload queue management replacing the previous separate upload stores for App Drive and Drop Zone.
    • Added window configuration system for utility applications and auxiliary windows with proper size constraints and default dimensions.
    • Reorganized all file-related API routes with a cleaner RESTful structure under /api/storage/, /api/dropzone/, /api/appdrive/, /api/utils/notepad/, and /api/fileexplorer/.
    • Added search functionality to App Drive with time limits (10 seconds) and result limits (500 files) for DoS protection.
    • Implemented automatic DropZone data migration from the legacy location to the new unified storage structure, ensuring seamless transition for existing users.
    • Relocated all user storage directories under a unified _storage folder for better organization, separating encrypted DropZone files from unencrypted Storage files.
    • Added PDF.js dependency for PDF rendering capabilities in the PDF Viewer utility.
    • Updated python-on-whales dependency for improved Docker API compatibility.
    • Enhanced system integration allowing files to be opened directly in appropriate utility applications from the File Explorer.
    • Updated My Home, Properties, Notifications, Taskbar, and Start Menu with File Explorer integration and utility app launchers.
    • Added File Explorer as default desktop icon alongside My Home, providing quick access to the unified file management interface directly from the desktop.
    • My Home is now removable from the desktop like any other system app. Both My Home and File Explorer can be removed via right-click context menu and re-added from Start Menu > "Add to Desktop".
    • Added dynamic volume icon to Audio Indicator and Media Player that changes based on volume level: muted, zero, low (<50%), and high (≥50%).
    • All new endpoints protected with CSRF validation and login authentication.
    • Maintained comprehensive security controls including path traversal protection, symlink validation, DoS limits (file counts and time limits), and null byte injection prevention across all new modules.

      TL;DR: This update and the previous one put us at the forefront of the Cloud OS technology ecosystem, bringing real multitasking to what used to be a single dashboard panel. The line between a browser Cloud OS and a native OS blurs now. Every release brings us one step closer to our vision, a fully-featured operating system that lives in your browser. Thank you for reshaping the future with us :)
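
The path controls named in the 2.1.0.232 entry (path traversal protection, symlink validation, null byte injection prevention), as an added example rather than HomeDock OS's own code: a resolver that maps a client-supplied relative path into a storage root and rejects anything that resolves outside it. `resolve_in_root`, `PathRejected` and the throwaway directory tree are assumptions.

```python
import os
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """Raised when a client-supplied path fails validation."""


def resolve_in_root(root: Path, user_path: str) -> Path:
    """Return the real path for user_path, or raise if it leaves root."""
    if "\x00" in user_path:
        raise PathRejected("null byte in path")
    candidate = Path(user_path)
    if candidate.is_absolute():
        raise PathRejected("absolute path not allowed")
    root_real = root.resolve(strict=True)
    # resolve() collapses '..' segments and follows symlinks, so the
    # containment check below runs on the location that would really be opened.
    resolved = (root_real / candidate).resolve(strict=False)
    if resolved != root_real and root_real not in resolved.parents:
        raise PathRejected("path escapes storage root")
    return resolved


def check_samples() -> dict:
    """Run constructed sample paths against a throwaway tree; return verdicts."""
    samples = [
        "docs/a.txt",              # plain file inside the root
        "docs/../docs/a.txt",      # '..' that stays inside the root
        "docs/new.txt",            # not created yet, still inside the root
        "../outside/secret.txt",   # '..' that leaves the root
        "link/secret.txt",         # symlink inside the root pointing outside
        "docs/a.txt\x00.png",      # embedded null byte
        "/etc/hostname",           # absolute path
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "storage"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "a.txt").write_text("hello")
        outside = base / "outside"
        outside.mkdir()
        (outside / "secret.txt").write_text("constructed sample")
        os.symlink(outside, root / "link")
        for sample in samples:
            try:
                resolve_in_root(root, sample)
                results[sample] = "ok"
            except PathRejected as exc:
                results[sample] = str(exc)
    return results


if __name__ == "__main__":
    for sample, verdict in check_samples().items():
        print(f"{sample!r:28} {verdict}")
```

The check is only as good as the moment it runs: if another process can swap a directory for a symlink between validation and open, the result no longer holds, so the validated path should be opened immediately and the tree kept writable only by the service.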

  • 2.0.4.228: Added iOS-like window persistence for optimized browser RAM management.

    • Implemented a new composable providing intelligent, transparent memory management for minimized windows, inspired by iOS app lifecycle management.
    • Added 3-tier persistence strategy for minimized windows: (1) immediate cleanup under memory pressure (>75% heap), (2) automatic general cleanup after 5 minutes for independent windows, and (3) graceful cleanup of expired windows (>2min) when over device limits.
    • Implemented device-aware window limits using navigator.deviceMemory API when available, dynamically adjusting maximum minimized windows from 2 (low-end devices) to 8 (high-end devices), with fallback to 4 windows on unsupported browsers.
    • Added real-time memory monitoring using performance.memory API (Chromium) to detect heap pressure and proactively free resources, falling back to time-based cleanup only on Firefox/Safari/Others.
    • Designed for complete user transparency: no notifications, no console logs, no visible indicators. Windows are silently recycled in the background, exactly like iOS manages background apps.
  • 2.0.4.226: Mobile desktop grid fixes and touch scroll improvements.

    • Fixed mobile icon auto-positioning on pages > 0 where icons were placed incorrectly due to using container width instead of inner pages width.
    • Fixed touch scroll blocking on mobile-desktop icons allowing horizontal page swiping when touch gesture starts on an icon (when not in wiggle/edit mode), improving mobile navigation UX.
  • 2.0.4.224: Advanced desktop drag & drop system, folder customization, unified grid positioning, and Python deps CVE hotfix.

    • Patched Werkzeug CVE-2026-21860 (opened 6 hours ago) by upgrading from 3.1.4 to 3.1.5, addressing a security vulnerability in the WSGI utility library.
    • Patched urllib3 CVE-2026-21441 (opened 20 hours ago) by upgrading from 2.6.0 to 2.6.3, fixing a security issue in the HTTP client library.
    • Created useDesktopGrid.ts composable centralizing all desktop icon positioning logic for apps, folders, and system icons, eliminating ~160 lines of duplicated code across components.
    • Unified updateItemPosition() in desktop store replacing three separate functions (updateIconPosition, updateFolderPosition, updateSystemIconPosition) with a single type-safe function.
    • Standardized DesktopItemType to "app" | "folder" | "systemicon" across all composables for future support of new items on Prism Window Manager such as widgets and more.
    • Implemented advanced desktop drag & drop architecture with new composables (useDesktopDragAndDrop.ts, useDesktopDragGhost.ts, useDesktopDragSelection.ts) providing a unified, type-safe foundation for all desktop, folders and any future app interactions.
    • Refactored multi-selection support on desktop with Ctrl+Click for individual items and drag-to-select box selection for batch operations across apps, folders, and system icons simultaneously.
    • Created DragGhost.vue component displaying a visual preview when dragging multiple selected items from folders to desktop, showing app icons stacked with a count badge for better drag feedback.
    • Implemented SelectionBox.vue component for rubber-band selection, allowing users to draw a selection rectangle to select multiple desktop items at once, shared by Drop Zone, App Drive, Desktop and Folders.
    • Added folder drop targets with visual highlighting when dragging apps over folders, making it intuitive to organize apps into folders.
    • Replaced ColorPickerMenu.vue with new FolderCustomizeMenu.vue that allows customizing both folder color and icon in a unified interface.
    • Added 18 predefined folder icons (games, movies, music, code, cloud, heart, star, downloads, settings, images, documents, books, briefcase, school, home, lock, and more) for better visual organization.
    • Added "Add to Desktop" context menu for system apps in Start Menu, allowing users to right-click any system app and add it as a desktop shortcut with automatic icon detection.
    • Extended multi-selection and drag ghost support inside folder windows, bringing the same advanced drag & drop experience to folder contents.
    • Fixed system app icons on mobile ensuring proper display and interaction on touch devices.
    • Integrated mobile touch gestures (tap, double tap, long press) directly into useDesktopDragAndDrop composable with configurable callbacks, avoiding composable fragmentation.
    • Fixed super-edge Android double-action bug where double tap would trigger actions twice due to browser-synthesized click/dblclick events after touch events.
    • Fixed window focus stealing when opening Properties from inside folders on mobile, where the folder window would regain focus after the new window opened.
    • Fixed SelectionBox appearing on mobile when tapping empty space inside folders, caused by synthesized mousedown events triggering box selection logic.
    • Fixed DesktopFolderIcon missing touch events by adding touchmove/touchend emissions, ensuring consistent gesture handling across all desktop item types.
    • Minor updates to StartMenu.vue and Enterprise modules to allow users to add Enterprise Start Menu icons to the desktop too.
  • 2.0.4.222: Dynamic Enterprise slot system for Start Menu modules.

    • Implemented dynamic slot-based rendering for Enterprise modules in Start Menu, eliminating the need to modify core files when adding new Enterprise modules, preparing for open core philosophy.
    • Added getModulesBySlot() function to EnterpriseSRILoader.ts allowing Enterprise modules to self-declare their rendering location via slot and order metadata during registration.
    • Created EnterpriseStartMenuSlots.vue component that dynamically discovers and renders all Enterprise modules registered for the startMenu slot, ordered by their declared priority.
    • Refactored Start Menu to use the new dynamic slot system instead of hardcoded module references, decoupling the open core from specific Enterprise module implementations.
    • Almost new year release kickoff!
  • 2.0.4.220: Migrated Docker base image from Debian to Alpine Linux, reducing image size by ~50%.

    • Migrated base image from python:3.12-slim (Debian) to python:3.12-alpine, reducing image size from 826MB to 441MB (~400MB savings per arch).
    • Reduced CVE count from 42 to 5 by eliminating unnecessary Debian packages (glibc, systemd, etc) that carried 33 LOW and several MEDIUM vulnerabilities.
    • Replaced Debian Docker packages with Alpine equivalents, docker-cli and docker-cli-compose instead of docker-ce-cli and docker-compose-plugin.
    • Added build-time compilation support for Python packages requiring native extensions (psutil + cryptography) on ARM64, with automatic cleanup of build dependencies (gcc, musl-dev, etc) to keep the final image lean.
    • Upgraded pip during build to address CVE-2025-8869 because... Why not? Yes, we upgrade pip.
  • 2.0.4.218: UI refactoring, notification improvements, and backend security hardening.

    • Implemented enterprise module signature verification on the backend using Ed25519 cryptographic signatures, ensuring both the enterprise __init__.py and individual module files are verified against their manifest signatures before loading.
    • Refactored Popover styles from component-scoped CSS to global antd.css for consistent theming across all popovers in the application.
    • Improved notification persistence to preserve update notifications when polling refreshes the notification list, preventing update alerts from disappearing unexpectedly.
    • Added @layer enterprise CSS layer for proper style isolation and ordering of enterprise module stylesheets.
    • Refactored Start Menu app items from scoped CSS to inline Tailwind classes with group-hover effects for better maintainability and consistent styling.
    • Added Docker update reminder notification that appears after 7 days of uptime in Docker deployments, prompting users to check for new versions on Docker Hub.
  • 2.0.4.216: Fixed App Drive file access in Docker-in-Docker deployments.

    • Fixed App Drive in Docker-in-Docker (DinD) mode where browsing container volumes would fail with a "Security violation" error due to our strict path validation preventing what it perceived as an unauthorized access attempt. App Drive now correctly resolves volume paths when HomeDock OS runs as a container.
    • Added automatic path translation in DinD mode: host paths like /home/user/homedock/_DATA/DATA/HomeDock/AppData/... are now correctly mapped to /DATA/HomeDock/AppData/... inside the HomeDock OS container.
    • Improved path normalization for mount sources ensuring consistent security validation across all deployment modes.
  • 2.0.4.214: Unified file viewer experience and mobile stability improvements.

    • Unified view preferences between Drop Zone and App Drive: sorting, view mode (grid/list), and order direction now sync instantly across both file managers. Change to list view in Drop Zone? App Drive updates in real-time, no refresh needed.
    • Created shared preferences store laying the groundwork for the upcoming File Explorer in version 3, which will unify Disk Drives, Drop Zone, and Container Volumes into a single, cohesive file management experience.
    • Fixed mobile flickering in App Drive where container icons would rapidly alternate between 2 and 3 columns, causing constant visual jitter. Icons now render smoothly without layout recalculations.
    • Fixed double-tap behavior on mobile devices in App Drive: tap once to select, tap again to open, consistent with Drop Zone. Previously some actions required awkward double-taps or single taps depending on the context, due to missing touch handlers.
    • Fixed double scrollbar issue where two vertical scrollbars would appear simultaneously when browsing container icons on App Drive.
    • Improved touch responsiveness across all file items with proper gesture handling, eliminating the 300ms delay that made mobile interactions feel sluggish.
  • 2.0.4.212: Added App Drive file manager for Docker container volume management and more.

    • Introduced App Drive (thanks @bitebait for the idea!), a new system application for browsing and managing files directly inside Docker container volumes without terminal access. Notepad for direct editing is still in the works.
    • Implemented container mount browser allowing navigation through all mounted volumes of running containers with automatic detection of read-only mounts.
    • Added file operations including upload, download, create folder, rename, and delete with full multi-selection support maintaining folder hierarchy.
    • Implemented dual view modes as in Drop Zone (grid/list) with sorting by name, size, or date and ascending/descending toggle for flexible file browsing.
    • Created breadcrumb navigation for intuitive path navigation within container filesystems with quick access.
    • Added multi-selection support with Ctrl+Click and drag-to-select for batch file operations.
    • Implemented context menus for files and folders with right-click actions including download, rename, delete, and folder-specific operations.
    • Added "Files" tab in Application Properties window showing all accessible container volumes with quick-launch buttons to open App Drive directly for any mount point.
    • Created upload progress tracking store (useAppDriveUploadingStore.ts) for managing concurrent file uploads with queue system and real-time progress indicators.
    • Fixed Self-DDoS vulnerability in Drop Zone where enumerating thousands of files could overwhelm the server. Implemented calculate_directory_size_ddos_safe() with file count limits (10,000 files) and time limits (2 seconds) to prevent resource exhaustion.
    • Added ZIP download support for Drop Zone: download multiple selected files as a single ZIP archive, or download entire folders as ZIP with visual compression indicator and animated feedback.
    • Implemented server-side ZIP generation with security limits (50,000 files max, 30 seconds timeout) to prevent resource exhaustion during batch downloads.
    • Added "Refresh" button to Drop Zone context menu for quick file list updates without navigating away.
    • Enhanced Drop Zone error responses by removing detailed error messages that could expose internal paths or system information, improving security posture.
    • Added size exceeded indicator showing when directory size calculation hits limits, so users know the displayed size is approximate for very large folders.
    • Improved Enterprise SRI Loader with lazy loading for Ant Design components, reducing initial bundle size and improving load performance for enterprise deployments.
    • Updated open source credits adding Noble Ed25519, Noble Hashes, and PyOTP libraries to the acknowledgments section.
    • Enhanced oscillating background lines with mouse-reactive physics because we got bored and started playing with the login screen. Now they dodge your cursor like mass trying to escape a black hole. Added Catmull-Rom spline interpolation for buttery-smooth curves, because cubic beziers are so 2024 and we're already in 2030.

      TLDR - Is App Drive safe? Yes. App Drive only accesses container volumes mounted within HomeDock's secure paths: /DATA/HomeDock on Linux, ~/HomeDock on macOS, and C:\HomeDock on Windows. It cannot browse arbitrary system directories or escape these sandboxed locations. All file operations are validated against path traversal attacks and symlink escapes consistently, period.
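
The Drop Zone limits from the 2.0.4.212 entry (10,000 files, 2 seconds, plus the "size exceeded" indicator), as an added sketch that is not the project's calculate_directory_size_ddos_safe(): an iterative walk that stops at either budget and reports that its total is only a lower bound. `bounded_directory_size`, `SizeResult`, the injectable `clock` and the sample tree are assumptions.

```python
import itertools
import os
import tempfile
import time
from typing import NamedTuple


class SizeResult(NamedTuple):
    total_bytes: int
    files_counted: int
    exceeded: bool  # True when a limit cut the walk short (size is approximate)


def bounded_directory_size(path, max_files=10_000, max_seconds=2.0,
                           clock=time.monotonic) -> SizeResult:
    """Sum file sizes under path, giving up at a file-count or time budget."""
    deadline = clock() + max_seconds
    total = 0
    counted = 0
    stack = [os.fspath(path)]  # explicit stack: no recursion depth to exhaust
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as entries:
                for entry in entries:
                    if counted >= max_files or clock() > deadline:
                        return SizeResult(total, counted, True)
                    try:
                        if entry.is_symlink():
                            continue  # never follow links (loops, escapes)
                        if entry.is_dir(follow_symlinks=False):
                            stack.append(entry.path)
                        elif entry.is_file(follow_symlinks=False):
                            total += entry.stat(follow_symlinks=False).st_size
                            counted += 1
                    except OSError:
                        continue  # entry vanished or is unreadable
        except OSError:
            continue  # directory vanished or is unreadable
    return SizeResult(total, counted, False)


def sample_run():
    """Build a constructed tree and measure it with and without tight budgets."""
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(5):
            with open(os.path.join(tmp, f"f{i}.bin"), "wb") as fh:
                fh.write(b"\0" * 10)
        os.mkdir(os.path.join(tmp, "sub"))
        with open(os.path.join(tmp, "sub", "g.bin"), "wb") as fh:
            fh.write(b"\0" * 7)
        # Link back to the root: following it would loop forever.
        os.symlink(tmp, os.path.join(tmp, "sub", "loop"))

        full = bounded_directory_size(tmp)
        capped = bounded_directory_size(tmp, max_files=3)
        # Fake clock that advances one "second" per call, to trip the time limit.
        ticks = itertools.count()
        timed = bounded_directory_size(tmp, max_seconds=2,
                                       clock=lambda: next(ticks))
    return full, capped, timed


if __name__ == "__main__":
    for label, result in zip(("full", "capped", "timed"), sample_run()):
        print(label, result)
```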

  • 2.0.4.26: Enhanced Ed25519 signature verification with cross-browser fallback support.

    • Added fallback Ed25519 signature verification using @noble/ed25519 library for browsers that don't support Web Crypto API or are running in non-secure contexts (HTTP).
    • Implemented automatic cryptographic API detection that uses native Web Crypto API when available in secure contexts, falling back to the noble library implementation when crypto.subtle is unavailable.
    • Enhanced cross-browser compatibility ensuring enterprise module signature verification works reliably across all browsers and contexts, including HTTP development environments.
  • 2.0.4.24: Enterprise module loader architecture with SRI validation and Ed25519 cryptographic signing.

    • Implemented Enterprise Module Loader for businesses and organizations running self-hosted, on-premise HomeDock OS instances, enabling dynamic loading of custom enterprise modules with automatic initialization, startup and routing.
    • Added Ed25519 cryptographic signature verification ensuring only our signed modules can be executed, preventing unauthorized code injection.
    • Added Subresource Integrity (SRI) validation using SHA256 hashes as a secondary layer to ensure code integrity before executing any enterprise module, preventing tampering and supply chain attacks.
    • Created EnterpriseSRILoader.ts frontend loader that securely verifies and loads enterprise modules as self-contained Vue components with full access to HomeDock OS theme system and UI framework.
    • Introduced EnterpriseSlotRenderer.vue component enabling enterprise modules to render natively within the HomeDock OS interface at predefined injection points.
    • Added enterprise startup banner displaying Enterprise UUID, license status, and loaded modules list during server initialization.

      TLDR - What are Enterprise modules? When businesses or organizations need custom functionality for their HomeDock OS deployment (CRMs, ERPs, inventory systems, log exports, internal tools, etc.), we develop it as a native Enterprise module for HomeDock OS rather than a standalone app. This means custom-built solutions that integrate seamlessly with HomeDock's UI, theming, authentication, and security layers, extending HomeDock OS beyond the typical homelab into professional and business environments. Think of it as bespoke software development that runs natively inside HomeDock OS. This architecture keeps the same core build for everyone while enterprise modules are loaded on-demand only where and when needed. Some features, like Drop Zone, started as enterprise modules before eventually becoming part of HomeDock OS for all users.

  • 2.0.4.22: Two-Factor Authentication (2FA) and centralized encryption architecture.

    • Added Two-Factor Authentication (2FA) support using TOTP-compatible authenticator apps like Google Authenticator, Authy, Microsoft Authenticator and more with QR code setup directly from Settings.
    • Implemented backup codes system generating 10 single-use recovery codes during 2FA setup, with the ability to regenerate them at any time from Settings.
    • Added "Trust this device" option that remembers verified devices for 30 days, allowing users to skip 2FA on trusted devices.
    • Created centralized encryption module (pymodules/hd_CryptoServer.py + __Utils__/CryptoClient.ts) consolidating all client-server encryption logic into a single, well-tested system, replacing scattered implementations across the codebase.
    • Implemented hybrid RSA + AES-GCM encryption to overcome RSA's ~446 byte payload limit (imposed by OAEP padding on our 4096-bit key). For larger payloads, the client generates a random AES-256 key, encrypts the data with AES-GCM, then RSA-encrypts only the 32-byte AES key. The server reverses this process, combining RSA's security for key exchange with AES's efficiency for bulk data.
    • Added draggable dialogs allowing popup windows to be repositioned by dragging their title bar, as in regular operating systems where dialogs can be moved on their own.
    • Improved login attempt logging with new status types (2FA Failed, 2FA Errored) for better security monitoring and audit trails.
    • Enhanced theme consistency for login buttons with proper styling across Light, Dark, and Aero+ themes.
    • Added pyotp Python dependency for TOTP code generation and verification.
    • Added qrcode npm package for generating QR codes during 2FA setup.
  • 2.0.3.190: Secure in-app installation workflow and centralized directory management.

    • Implemented secure installation verification using SHA256 hash validation to ensure compose file integrity before deploying containers, preventing tampering during the installation process.
    • Added centralized directory initialization that ensures all required system folders (logs, compose-link, dropzone, user packages) are properly created at startup.
    • Simplified Docker Compose deployment by passing compose files directly instead of working directories, making container operations more reliable and straightforward.
    • Streamlined container update process by removing unnecessary temporary file operations during updates.
    • Updated npm dependencies including Vite 7.2.7, Vue Router 4.6.4, node-forge 1.3.3, and @types/node 25.0.1.
    • Minor UI improvements to the server startup banner with website, docs and email links.
    • Fixed HTTP > HTTPS redirector to only start when SSL is running on port 443, avoiding useless redirects on non-standard ports.
    • Added automatic port switching from 80 to 443 when SSL is enabled, preventing invalid SSL-on-HTTP configurations.
    • Updated Dockerfile to expose both ports 80 and 443 for Docker deployments with SSL support.
  • 2.0.3.188: New notification system with external notifications and smart reminders.

    • Added external notifications support allowing us to send important announcements directly to your HomeDock OS instance.
    • Implemented notification persistence so dismissed notifications stay hidden across sessions and systems.
    • Added smart system reminders including security tips, community invites, and helpful suggestions based on uptime.
    • Enhanced notification bell with action buttons and smooth animations for a better user experience.
  • 2.0.3.186: Fixed DNS Open Redirect vulnerability, enhanced application packaging workflow and SSL enabled for Windows and macOS.

    • Fixed DNS Open Redirect vulnerability in HTTP to HTTPS redirector that was inadvertently introduced while mitigating the previous Open Redirect vulnerability patched in v2.0.3.184.
    • Removed unsafe socket.getfqdn() call from hd_HTTPRedirector.py that performed reverse DNS lookups of the server's own IP address for hostname validation. While unlikely, an attacker who controls the PTR (reverse DNS) record (think compromised ISP, shared hosting environments, or malicious datacenter) could manipulate this lookup to return a domain they control, bypassing redirect protections and sending users to malicious sites.
    • Implemented HTTP>HTTPS industry-standard redirect validation following best practices from NGINX and other production web servers, validating both hostname AND resolved IP addresses before redirecting.
    • Enhanced cross-platform SSL support with native certificate path detection for macOS (~/HomeDock/SSLCerts) and Windows (C:/HomeDock/SSLCerts), ensuring SSL-enabled applications work seamlessly across all platforms. See SSL/HTTPS Setup Guide for configuration instructions. This feature will be available straight from HomeDock OS Desktop v0.44.684 for both Windows and macOS, older versions may not work properly.
    • Improved SSL certificate directory resolution in hd_FunctionsNativeSSL.py with platform-specific path handling (get_ssl_cert_directory() for host paths and get_ssl_cert_directory_for_containers() for Docker volume mounts).
    • Enhanced Compose DevHooks in hd_ComposeDevHooks.py to automatically inject the correct SSL certificate paths via [[SSL_CERT_PATH]] placeholder based on the running operating system (Linux, macOS, or Windows).
    • Improved App Packager in AppPackager.vue with enhanced validation and error handling for custom package creation and management.
    • Updated multiple App Store applications (databag.yml and 30+ SSL-enabled apps) to use the [[SSL_CERT_PATH]] devhook and make them instantly inherit the root SSL certificate on Windows and macOS too while installing them.

      TLDR - Why this secondary vulnerability? The DNS Open Redirect is a super edge-case where an attacker with control over reverse DNS (PTR records) could manipulate socket.getfqdn() to return a malicious domain that we'd then trust for redirects. The v2.0.3.184 fix added getfqdn() for hostname validation, which ironically introduced this DNS-based attack vector. Since we're already hardening against Open Redirect attacks, why leave any vector open... Even super-edge ones? Suck that! This update closes that gap by removing DNS resolution from security checks and following NGINX's whitelist-only approach. If we don't explicitly know about it, it gets rejected. Simple and paranoid as that.
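An allowlist-only Host check of the kind this entry describes, written as an added example (it is not the code in hd_HTTPRedirector.py). The allowlist values, the fallback host and all function names are assumptions; no forward or reverse DNS lookup is involved.

```python
import ipaddress
import re

# Assumed deployment values (hypothetical, not taken from HomeDock OS).
ALLOWED_HOSTNAMES = {"homedock.local", "localhost"}
ALLOWED_IPS = {ipaddress.ip_address("192.168.1.50"), ipaddress.ip_address("127.0.0.1")}
FALLBACK_HOST = "homedock.local"

PORT_RE = re.compile(r"[0-9]{1,5}\Z")


def split_host_header(value):
    """Return (host, port) parsed from a Host header, or None if malformed."""
    if not value or len(value) > 255:
        return None
    # Characters that would let the header carry credentials, a path or a
    # second header are rejected outright.
    if any(c in value for c in "/\\@?#%\r\n\t ,"):
        return None
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port = rest[1:]
    else:
        host, _, port = value.partition(":")
    if port and not (PORT_RE.match(port) and 0 < int(port) < 65536):
        return None
    return host.lower().rstrip("."), port


def is_allowed_host(host):
    """Exact-match allowlist: unknown names and addresses are rejected."""
    try:
        return ipaddress.ip_address(host) in ALLOWED_IPS
    except ValueError:
        return host in ALLOWED_HOSTNAMES


def https_redirect_target(host_header, path="/"):
    """Build the Location value for an HTTP request being upgraded to HTTPS."""
    parsed = split_host_header(host_header)
    host = parsed[0] if parsed and is_allowed_host(parsed[0]) else FALLBACK_HOST
    if ":" in host:  # IPv6 literals need brackets inside a URL
        host = f"[{host}]"
    # A single leading slash keeps "//other.example" from becoming a
    # scheme-relative URL in the Location header.
    safe_path = "/" + path.lstrip("/\\")
    return f"https://{host}{safe_path}"


if __name__ == "__main__":
    # Constructed Host header values.
    for header in ("homedock.local", "192.168.1.50:80", "evil.example",
                   "homedock.local@evil.example", "[::1]:8080"):
        print(f"{header!r:32} -> {https_redirect_target(header, '/login')}")
```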

  • 2.0.3.184: Security hardening and simplified Docker-in-Docker networking validation.

    • Fixed Open Redirect vulnerability in HTTP to HTTPS redirector that could allow attackers to redirect users to malicious sites via Host header manipulation.
    • Added comprehensive host validation in hd_HTTPRedirector.py including IP validation, DNS resolution checks, and hostname/FQDN verification before redirecting.
    • Simplified IP validation logic in Docker-in-Docker mode by allowing all RFC1918 private IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) instead of detecting specific subnets.
    • This approach is secure because internal connections use host.docker.internal (constant), not the request hostname, preventing SSRF attacks by design.
    • Removed HOST_SUBNET_PREFIX environment variable detection from entrypoint.sh (no longer needed).
    • Removed iproute2 dependency from Dockerfile (no longer required for subnet detection).
    • Enhanced Docker-in-Docker compatibility by supporting any private network configuration without manual subnet specification.
  • 2.0.3.182: Fixed local network access in Docker deployments.

    • Fixed hostname validation in /app/ endpoint that was preventing access from local network IPs when running in Docker mode.
    • Enhanced security logic to properly detect and allow private subnet access while maintaining strict validation controls.
    • Improved entrypoint script to auto-detect host network configuration for accurate hostname validation.
  • 2.0.3.180: Docker-in-Docker support, security updates and stability fixes.

    • Updated urllib3 from 2.5.0 to 2.6.0 to address two high-severity vulnerabilities (both opened 8 hours ago).
    • Fixed CVE-2025-66471 (High): urllib3 streaming API improperly handles highly compressed data, preventing excessive resource consumption (high CPU usage and massive memory allocation) when processing malicious compressed responses.
    • Fixed CVE-2025-66418 (High): urllib3 allows an unbounded number of links in the decompression chain, preventing DoS attacks via unlimited compression steps that could lead to massive memory allocation and high CPU usage.
    • Added Docker-in-Docker support allowing HomeDock OS to run inside a Docker container for easy testing.
    • Added Dockerfile and docker-compose.yml for containerized deployment with optimized image size.
    • Added hd_FunctionsHostSelector.py module for automatic host detection (localhost vs host.docker.internal).
    • Added HDDockerInDocker label to filter the master container from the container list when running HomeDock OS in Docker mode.
    • Added .is_docker flag detection to disable in-app updates (users update via docker pull instead).
    • Added welcome message in Docker mode encouraging users to install natively for the best experience.
    • Improved off-thread initial port routing in hd_DockerAPIContainerData.py for non-standard ports, making it fully compatible with reverse proxies, Docker-in-Docker, or any custom deployment, designed to run... Everywhere, hehe, haha.
  • 2.0.3.168: Added uninstallation script.

    • Added uninstall.sh script for clean removal of HomeDock OS, including service cleanup and installation directory removal.
  • 2.0.3.166: New applications with SSL support and enhanced security configurations.

    • Added Perplexica to the App Store with SSL support via runtime Node.js HTTPS proxy injection.
    • Added FacturaScripts to the App Store with SSL support, unattended installation, and on-the-fly MariaDB credential injection.
  • 2.0.3.164 (Latest): New applications with SSL support and enhanced security configurations.

    • Added Perplexica to the App Store with SSL support via runtime Node.js HTTPS proxy injection.
    • Added FacturaScripts to the App Store with SSL support, unattended installation, and on-the-fly MariaDB credential injection.
  • 2.0.3.162: Security update and dependency upgrades.

    • Updated Werkzeug from 3.1.3 to 3.1.4 to address CVE-2025-66221. (Opened 14 hours ago).
    • Updated Vite from 7.2.4 to 7.2.6 with latest build improvements.
    • Updated Vue from 3.5.24 to 3.5.25 with framework enhancements.
    • Enhanced auto port routing with retry mechanism for port availability detection. The system now retries up to 3 times with 5-second delays when no active ports are found, improving reliability for containers that take longer to initialize their services.
  • 2.0.3.148: Security update for node-forge dependency fixing 3 critical CVEs.

    • Updated node-forge from 1.3.1 to 1.3.2 (CVEs opened 6 hours ago) to address critical ASN.1 vulnerabilities.
    • Fixed CVE-2025-12816 (High): ASN.1 Validator Desynchronization vulnerability that could bypass cryptographic verifications.
    • Fixed CVE-2025-66031 (High): ASN.1 Unbounded Recursion vulnerability enabling DoS via stack exhaustion.
    • Fixed CVE-2025-66030 (Moderate): ASN.1 OID Integer Truncation vulnerability allowing OID spoofing.
  • 2.0.3.146: Updated Booklore to the latest version with corrected Docker image path.

    • Updated Booklore (both SSL injection support and non-SSL for self-hosted) to the latest version following the official Docker image path change by the developers.
    • Fixed Docker Compose configuration to use the correct image repository after upstream changes.
    • Thanks to @cringe0287 for reporting the issue!
  • 2.0.3.144: Updated npm dependencies to their latest versions for improved security and performance.

    • Updated Vite from 7.2.1 to 7.2.4 for enhanced build performance and bug fixes.
    • Updated Vue from 3.5.23 to 3.5.24 with latest framework improvements.
    • Updated @types/node from 24.10.0 to 24.10.1 for improved TypeScript definitions.
    • Updated Autoprefixer from 10.4.20 to 10.4.22 for better CSS vendor prefix handling.
    • Resolved CVE-2025-64756 (glob) by updating Tailwind CSS to 3.4.18 (opened 12 hours ago), which removed the vulnerable glob package and migrated to fast-glob instead. The project no longer includes the affected dependency.
  • 2.0.3.142: Major improvements to application installation workflow with enhanced configuration UI and streamlined Docker Compose handling.

    • Completely redesigned App Installation interface with an intuitive grid-based layout for configuring ports, volumes, environment variables, network settings, and capabilities before installation.
    • Added port validation system that checks for conflicts before installation, showing which application is using a conflicting port with clear error messages. You will not be able to deploy NGINX on port 80 if HomeDock OS or any other app from the App Store is running on that same port.
    • Implemented network configuration selector allowing users to choose between Host, Bridge, HomeDock OS Network, None, or custom network modes with proper handling of host networking and group-aware configuration for multi-service apps. Default is now HomeDock OS Network; it's like Bridge, but better just because of the name, lol.
    • Introduced environment variable editor and capabilities management enabling users to configure container environment, capabilities (CAP_ADD), and privileged mode directly from the installation dialog.
    • Enhanced notification system replacing Ant Design message components with custom themed notifications that properly integrate with all three themes (Default, Noir, Aero+).
    • Enhanced network cleanup on uninstall to properly remove custom networks while preserving system networks (bridge, host, none, homedock_network).
    • Removed deprecated version field from all Docker Compose application files (209 apps updated), following Docker Compose v2+ best practices for improved compatibility (thanks @Labarta for the hint!).
    • Added SSL certificate inheritance support for Immich, enabling secure HTTPS connections with automatic certificate mounting from /DATA/SSLCerts.
    • Introduced Brave Browser and RetroArch to the App Store with full SSL support configurations.
    • Removed deprecated applications from the App Store that are no longer maintained by LinuxServer: Dillinger, Domoticz, EmbyStat, EmulatorJS, Endlessh, FreeTube, Headphones, Minetest, Netbootxyz, Readarr, SickChill, and Snipe-IT.
    • Improved input validation robustness in container name handling to prevent TypeError exceptions when invalid or missing parameters are provided, ensuring proper 400 Bad Request responses instead of 500 Internal Server Errors.
    • Enhanced regex validation pattern to block trailing newlines in container names using \Z anchor instead of $, improving input sanitization and preventing edge case validation bypasses.
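The two container-name fixes above, shown together as an added example (not the project's code). The `container_name` key, the length cap and the character class (Docker's usual container-name rule) are assumptions; the difference between `$` and `\Z` is standard Python `re` behaviour.

```python
import re

# In Python, "$" matches at the end of the string AND just before a trailing
# newline, so "nginx\n" passes a "$"-anchored pattern. "\Z" matches only at
# the very end of the string.
WEAK_NAME = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9_.-]+$")
STRICT_NAME = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9_.-]+\Z")

MAX_NAME_LENGTH = 128  # assumed cap for this sketch


def validate_container_name(payload, pattern=STRICT_NAME):
    """Return (http_status, name_or_error) for a parsed JSON request body."""
    if not isinstance(payload, dict):
        return 400, "request body must be a JSON object"
    name = payload.get("container_name")  # hypothetical field name
    if not isinstance(name, str):
        # None, numbers or lists would make pattern.match() raise TypeError,
        # which an unguarded handler turns into a 500 response.
        return 400, "container_name must be a string"
    if len(name) > MAX_NAME_LENGTH or not pattern.match(name):
        return 400, "container_name contains invalid characters"
    return 200, name


if __name__ == "__main__":
    # Constructed request bodies.
    samples = [
        {"container_name": "nginx"},
        {"container_name": "nginx\n"},
        {"container_name": "nginx\nextra"},
        {"container_name": None},
        {"container_name": ["nginx"]},
        {},
    ]
    for body in samples:
        weak = validate_container_name(body, WEAK_NAME)[0]
        strict = validate_container_name(body, STRICT_NAME)[0]
        print(f"{body!r:40} weak={weak} strict={strict}")
```

`re.fullmatch` gives the same result as the `\Z` anchor and is harder to get wrong when patterns are edited later.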
  • 2.0.3.110: Redesigned Control Hub with comprehensive system monitoring and enhanced user experience.

    • Completely redesigned Control Hub interface with a modern card-based layout displaying real-time system information at a glance.
    • Added CPU usage monitoring showing current processor utilization with visual percentage indicators.
    • Implemented RAM usage display with total/used memory statistics and percentage-based progress visualization.
    • Added disk usage monitoring displaying storage consumption across system volumes with capacity indicators.
    • Introduced network activity tracking showing real-time upload and download speeds for system monitoring.
    • Added active containers counter displaying the number of running Docker containers for quick system overview.
    • Implemented system uptime display showing how long the system has been running since last restart.
    • Enhanced container management cards with improved visual hierarchy and status indicators for better container oversight.
    • Added quick action buttons for common container operations directly accessible from the main interface.
    • Improved responsive design ensuring Control Hub adapts seamlessly across desktop, tablet, and mobile devices.
    • Enhanced theme integration with proper styling across Default, Noir, and Aero+ themes for consistent visual experience.
    • Refactored component structure to support future additions and extensibility for new system monitoring features.
    • The Control Hub is now ready for new implementations and additional system management capabilities.
    • Added back RobiPet!
  • 2.0.3.108: Enhanced AppPackager security with file type validation preventing malicious file uploads.

    • Added file type validation module verifying uploaded files match their actual content, not just their extension.
    • Implemented whitelist-based validation only allowing HDS files for .hds packages, YAML for docker-compose files, and JPG/PNG for icons.
    • Added dangerous pattern detection blocking files containing potentially harmful code like PHP, scripts, or executable commands.
    • Enhanced frontend validation providing immediate feedback when invalid files are selected before uploading.
    • Enhanced backend validation ensuring all uploaded files are verified server-side, preventing security bypasses.
    • Fixed an internally discovered security issue where malicious files could be smuggled inside imported .hds packages. While the 256-bit .hds_signature should prevent tampering, an attacker could recalculate it, so content validation adds an extra security layer. Overkill? Maybe. Safer? Yessir. We back at it.
    • Increased multifallback (whales > compose > oldpose) Docker Compose timeout from 5 minutes to 30 minutes preventing installation failures for large apps on slower networks.
    • Added RobiPet app by @Anghios.
  • 2.0.3.106: Completely redesigned Drop Zone with folder support, hierarchical navigation, and enhanced user experience.

    • Introduced folder support allowing you to organize encrypted files in custom folder structures with drag-and-drop uploads maintaining directory hierarchy.
    • Implemented hierarchical navigation enabling browsing through folders with breadcrumb path navigation and seamless folder management.
    • Added global search functionality with folder-aware results displaying files grouped by their parent directories for easy location.
    • Implemented fullscreen drag-and-drop overlay with visual feedback showing upload zones and automatically filtering hidden files (.*) during folder uploads.
    • Enhanced file display system with two view modes - grid view with positioned icons in a desktop-like layout and list view with grouped folder sections.
    • Added context menu support for files and folders with right-click actions including download, delete, and folder-specific operations.
    • Implemented multi-selection support allowing selection of multiple files/folders for batch operations using Ctrl+Click and drag-to-select area selection.
    • Enhanced file metadata display showing folder sizes calculated recursively, relative timestamps with "NEW" indicators, and compact size badges.
    • Improved status bubble system using Vue Teleport to properly render notifications and status messages outside component hierarchy, fixing z-index stacking issues.
    • Created dedicated folder creation API with validation, permission checks, and proper error handling for creating nested folder structures.
    • Added folder deletion support with recursive removal of folder contents ensuring clean deletion of entire directory trees.
    • Implemented path validation and security preventing directory traversal attacks with symlink detection and safe path validation on all file operations.
    • Enhanced search API endpoint with recursive folder scanning, filtering hidden files, and returning folder-grouped results for better organization.
    • Improved upload handling supporting target path specification for uploading files directly into specific folders with automatic directory creation.
    • Enhanced file listing API supporting path navigation, directory detection, and recursive size calculation for folders displaying accurate storage usage.
    • Added visual file type indicators with dynamic icons based on file extensions and folder indicators for improved visual hierarchy.
    • Implemented touch-optimized interactions with long-press detection, touch-friendly selection, and mobile-optimized context menus for tablets and phones.
    • Enhanced download progress tracking with visual progress bars overlaid on files during download operations showing real-time transfer status.
    • Improved sorting system supporting name, size, and date sorting with ascending/descending order preserved across view mode changes.
    • Added empty state handling displaying contextual messages when no files exist or search returns no results with helpful user guidance.
    • Enhanced file icons system automatically detecting file types and displaying appropriate icons for documents, images, videos, archives, and code files.
    • Implemented grid view positioning with automatic layout calculation ensuring optimal icon placement and responsive grid adjustments.
    • Improved error handling with detailed error messages, security violation detection, and user-friendly feedback for all operations.
    • Enhanced encryption system integration maintaining AES-256-GCM encryption for all files while supporting folder structures with encrypted paths.
    • Fixed backdrop-blur-xl rendering issue in taskbar widgets by using Vue Teleport to body, ensuring proper backdrop filter effects work correctly across Aero+ theme.
    • Updated all JavaScript dependencies to their latest stable versions including axios 1.13.2, vue 3.5.23, vite 7.2.1, pinia 3.0.4, dayjs 1.11.19, and @types/node 24.10.0.
    • Updated all Python dependencies to their latest stable versions including Flask 3.1.2, Flask-Compress 1.23, python-on-whales 0.79.0, requests 2.32.5, PyYAML 6.0.3, cython 3.2.0, and psutil 7.1.3.
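A path check of the kind the Drop Zone entry above and the App Drive TLDR describe (traversal rejected, symlinks detected), as an added example that is not the project's implementation. The directory layout and every name in it are constructed for the demonstration.

```python
import os
import tempfile


class PathViolation(Exception):
    """Raised when a user-supplied path would leave the base directory."""


def resolve_inside(base_dir, user_path):
    """Return the absolute path for user_path, guaranteed to stay in base_dir."""
    base = os.path.realpath(base_dir)
    if "\x00" in user_path:
        raise PathViolation("NUL byte in path")
    if os.path.isabs(user_path):
        raise PathViolation("absolute paths are not accepted")
    current = base
    # Backslashes are treated as separators too, so a Windows-style path
    # cannot hide a ".." component on a POSIX host.
    for part in user_path.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            raise PathViolation("parent directory reference")
        current = os.path.join(current, part)
        # Symlink detection: refuse any component that is a link, even one
        # that currently points back inside the base directory.
        if os.path.islink(current):
            raise PathViolation("symlink in path: " + part)
    resolved = os.path.realpath(current)
    # Final containment check on the fully resolved path.
    if os.path.commonpath([base, resolved]) != base:
        raise PathViolation("resolved path escapes base directory")
    return resolved


def build_demo_tree():
    """Create a constructed tree: a base dir, an outside dir, and a symlink."""
    root = tempfile.mkdtemp(prefix="pathcheck-demo-")
    base = os.path.join(root, "dropzone")
    outside = os.path.join(root, "outside")
    os.makedirs(os.path.join(base, "docs"))
    os.makedirs(outside)
    open(os.path.join(base, "docs", "a.txt"), "w").close()
    with open(os.path.join(outside, "secret.txt"), "w") as handle:
        handle.write("not for upload users")
    os.symlink(outside, os.path.join(base, "link"))
    return base, outside


if __name__ == "__main__":
    base, _ = build_demo_tree()
    for candidate in ("docs/a.txt", "new/folder/file.bin", "../outside/secret.txt",
                      "docs/..\\..\\outside", "link/secret.txt", "/etc/passwd"):
        try:
            print(f"{candidate!r:28} -> {resolve_inside(base, candidate)}")
        except PathViolation as exc:
            print(f"{candidate!r:28} -> rejected ({exc})")
```

A gap remains between this check and the later file operation whenever something else can create symlinks inside the base directory.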
  • 2.0.2.286: Fixed external drive detection and reactive storage display across Settings, My Home, and System Monitor.

    • Fixed external drive detection that was missing in version 2.0; external USB drives and storage devices now properly appear in the Storage Settings dropdown selector (thanks @ExcuseMe300 for the hint).
    • Implemented cross-platform drive detection using get_valid_external_drives() function that automatically detects external drives on macOS (/Volumes/), Linux (sd* devices), and Windows (non-C:\ drives).
    • Added reactive storage display ensuring external drive selection in Settings immediately reflects in AppHome dashboard and System Monitor without requiring page refresh.
    • Enhanced Settings storage data flow by properly passing valid drives, populating data with all available external drives.
    • Implemented automatic UI synchronization where selecting or deselecting external drives in Storage Settings instantly shows/hides the external storage card in My Home system app dashboard and System Monitor taskbar widget.
    • Enhanced TypeScript interfaces to properly type valid_drives as string array in DashboardData interface ensuring type safety across the application.
    • Improved external drive filtering to exclude invalid values like "disabled" and "null" from the available drives list, ensuring only genuine storage devices appear in the selector.
  • 2.0.2.284: Enhanced port routing system with intelligent port availability detection and improved window loading experience.

    • Implemented smart port sorting in auto port routing thread that automatically detects which ports are actively responding and prioritizes them in the port list display, ensuring the most accessible endpoints appear first.
    • Added real-time port availability checking during container startup using HEAD and GET request validation with SSL fallback support for both HTTP and HTTPS endpoints, the same as in the /app/ endpoint.
    • Introduced port rescan functionality in Application Properties window, allowing users to manually trigger port detection when container services become available, with automatic UI updates.
    • Added a Loading animation with an animated icon displaying during async component loading, providing visual feedback while applications are being initialized.
    • Improved error handling in auto port routing thread with malformed configuration line detection, automatic config rebuilding on corruption, and graceful recovery from file I/O errors.
    • Enhanced configuration file validation ensuring proper parsing of port routing data with defensive checks against IndexError and ValueError exceptions.
    • Added User-Agent spoofing in port availability checks mimicking Chrome/Windows to ensure compatibility with web applications that validate request headers.
    • Implemented SSL verification fallback in port checks attempting secure connections first, then falling back to insecure verification for self-signed certificates.
    • Enhanced container state validation ensuring port routing only processes running containers, skipping stopped or paused instances to reduce unnecessary checks.
    • Enhanced HTTP status code handling in port checks recognizing 401, 301, 302, 308 as valid responses indicating active services, and performing secondary GET requests for 404/405 responses.
    • Implemented request timeout management with 2-second timeouts for port availability checks ensuring responsive UI and preventing long blocking operations.
    • Improved thread safety in port routing configuration updates with proper exception handling and atomic file write operations.
  • 2.0.2.282: Fixed SSL certificate verification for self-signed certificates in application endpoint detection.

    • Fixed issue where self-signed SSL certificates were incorrectly reported as unavailable in the /app/ endpoint despite ports being open and certificates configured correctly.
    • Implemented smart certificate verification that first attempts full validation (secure for Let's Encrypt and CA-signed certificates), then falls back to accepting self-signed certificates if validation fails (standard for development/internal environments).
    • Thanks to @Flippy for reporting this issue and helping make HomeDock OS better! Our community is incredible!

      TLDR - Why this happens: Self-signed certificates can't be verified because they're user-signed, not CA-signed. We always attempt full certificate validation first (ensuring Let's Encrypt and production certificates maintain strict security), and only fall back to accepting self-signed certs when verification fails (standard practice for local/dev environments). This way, legitimate certificates stay fully protected while self-signed ones remain functional.

  • 2.0.2.280: Fixed context menu behavior for system icons on mobile devices.

    • Fixed system icon context menu on mobile: a long press on system icons like "My Home" now correctly shows the system icon menu (Refresh) instead of incorrectly displaying the regular app menu (Properties, System Logs, etc.).
    • Implemented dedicated event handling for system icons in mobile touch interactions by adding systemiconContextmenu event to properly distinguish between apps, folders, and system icons.
    • Enhanced Mobile Desktop component to emit the correct context menu event based on item type, ensuring consistent behavior across all desktop icon types.
  • 2.0.2.268: Redesigned Settings interface with new grouped layout system and improved mobile experience.

    • Introduced new Settings layout components for a cleaner, more modern interface.
    • Implemented grouped settings sections with headers and footer descriptions for better organization and user guidance.
    • Added colored icon indicators for each setting option (blue, green, red, orange, purple, gray, cyan, pink, yellow) making it easier to identify different types of settings at a glance.
    • Enhanced mobile responsiveness with automatic layout stacking on smaller screens, controls move below their labels when space is limited for better usability on phones and tablets.
    • Improved Settings visual hierarchy with better spacing, borders, and hover effects providing clearer visual feedback when interacting with options.
    • Added animated transitions for settings groups with smooth slide-in effects when opening the Settings window.
    • Implemented smart control detection that automatically adjusts layout based on control type. Small controls like switches stay inline while larger inputs stack on mobile.
    • Enhanced form control styling ensuring inputs, selects, and other controls take full width when stacked on mobile devices.
    • Added comprehensive theme support for all new Settings components across Default, Noir, and Aero+ themes with proper colors and backgrounds.
    • Improved Settings readability with better typography, consistent spacing, and clearer descriptions for each configuration option.
    • Fixed inconsistent Context Menu behavior on mobile when interacting with system icons - now properly detects touch events and shows appropriate options.
    • Also updated vite and axios dependencies to latest versions available.
  • 2.0.2.266: Added custom wallpaper support for Aero+ theme and improved Settings reactivity with better state management.

    • Introduced custom wallpaper upload feature allowing users to personalize their Aero+ theme with custom background images.
    • Added new wallpaper upload endpoint (/api/upload_wallpaper) with comprehensive security validation including magic byte verification for JPEG and PNG formats.
    • Enhanced Settings Theme tab with conditional rendering, showing wallpaper options only when Aero+ theme is selected for cleaner interface.
    • Improved Settings form validation ensuring wallpaper uploads complete before saving other settings to maintain data consistency.
    • Enhanced reactivity in Settings app by adding update-settings injection to properly propagate configuration changes across the application.
    • Removed obsolete default custom wallpaper file (back_custom_default.jpg) as custom wallpapers now use dynamic naming with timestamps.
    • Enhanced CSRF token handling in wallpaper upload requests ensuring secure file transfer operations.
    • Updated upload limits configuration adding wallpaper endpoint to size-controlled endpoints for consistent security policy.
    • Improved Settings component communication between parent and child components using refs for better state synchronization.
    • Added fade-slide transitions for wallpaper sections providing smooth visual feedback when switching themes.
    • Enhanced warning notifications in Settings to inform users about wallpaper upload failures with actionable error messages.
    • Refined file delivery system to support serving custom wallpaper files with proper MIME type detection.
    • Updated theme selector to handle dynamic custom wallpaper paths ensuring proper wallpaper loading across sessions.
    • Improved desktop wallpaper rendering in AeroPlusWallpaper component to support both default and custom wallpaper sources.
    • Enhanced mobile desktop wallpaper support ensuring custom wallpapers render correctly on touch devices and smaller screens.
    • Updated SECURITY.md documentation with latest security considerations and best practices.
  • 2.0.2.260: Enhanced App Store experience with screenshot previews, overall experience and more improvements.

    • Added screenshot preview galleries to the App Installation dialog, allowing you to view app screenshots before installing with smooth drag-to-scroll navigation.
    • Implemented fullscreen screenshot viewer with keyboard navigation support (arrow keys and ESC) for better preview experience.
    • Introduced Show Desktop button on the taskbar (vertical line on the bottom right) with right-click context menu for quick desktop access and window management.
    • Added centralized system tray manager preventing multiple tray panels from opening simultaneously for cleaner interface management.
    • Expanded App Store with screenshot support for all available applications, providing visual previews to help you choose the right apps.
    • Improved update system reliability with automatic server restart detection and smart polling to ensure smooth updates without manual intervention.
    • Refined App Installation dialog layout with reorganized screenshot placement and improved visual hierarchy.
  • 2.0.2.148: Major improvements to the application update system for better stability and efficiency.

    • Improved version comparison system to detect updates more accurately and follow only real newer versions instead of just different ones.
    • Fixed critical issue that caused orphaned images during installed application updates, leaving them dangling.
    • Implemented auto-cleanup update flag system with 120-second timeout to prevent locks while updating HomeDock OS.
    • Modified available applications update check interval to 3 hours to reduce system load.
  • 2.0.2.146: Fixed a typo in homedock-ui/vue3/static/js/__Layouts__/App.vue, last-minute catch, we're on VDS 2025 and VC investors really do have eagle vision.

  • 2.0.2.144: Introduced the HDS Package Management System with the new Packager system tool, allowing you to create, import, and share custom application packages directly into the App Store. Added comprehensive update tracking for your apps with automatic detection. Enhanced system monitoring with a brand new Home dashboard displaying real-time storage statistics and system health.

    • Launched the Packager application, your personal package creation studio for building custom app distributions in the new .hds format.
    • Added Package Generator interface where you can bundle Docker Compose files with custom icons, metadata, and configurations into shareable packages.
    • Introduced Package Manager allowing you to import, browse, and manage all your custom application packages in one place.
    • Implemented support for HDS package files (.hds), a specialized format designed to simplify app distribution and installation across all HomeDock OS instances, making them instantly available on the App Store.
    • Created automatic update detection system that monitors your installed applications and alerts you when newer versions are available.
    • Added App Updates Indicator to the taskbar showing at-a-glance how many of your apps have updates ready to install.
    • Implemented background update checker thread that automatically scans for app updates every 6 hours without impacting system performance.
    • Built the new My Home app application serving as your system's dashboard, displaying storage usage, encrypted files, and external drive information at a glance.
    • Added system storage overview on My Home app showing your cloud storage usage with visual progress bars and detailed capacity information.
    • Integrated encrypted storage statistics on My Home app displaying how much space your secure Drop Zone files are using with file count tracking.
    • Implemented external drive detection and monitoring on My Home app, automatically showing external storage capacity and usage when drives are connected.
    • Enhanced system statistics monitoring with new real-time tracking capabilities for container resource usage and performance metrics.
    • Created dedicated resource monitoring thread for tracking CPU, RAM, and network usage of individual Docker containers.
    • Introduced system stats store providing centralized state management for all performance metrics across the interface.
    • Upgraded the Desktop icons grid with improved drag-and-drop behavior, smoother animations, and better multi-selection support.
    • Enhanced folder management with refined context menus, improved color customization, and more intuitive organization features.
    • Refined Start Menu with better app categorization, improved search functionality, and visual polish for custom package apps.
    • Updated Application Properties window to display more comprehensive container information, now including RAM and traffic usage.
    • Added Docker Compose Helper class providing standardized utilities for parsing, validating, and managing compose file operations.
    • Enhanced container data retrieval with improved caching, better error handling, and support for user-created package apps.
    • Implemented devhook placeholder detection on Packager app allowing package creators to include dynamic variables like random strings or generated API keys in their compose files.
    • Added comprehensive .hds validation system for package creation including slug format checking, category validation, and file size limits.
    • Introduced .hds package metadata system supporting display names, descriptions, categories, types, and custom branding for user packages.
    • Created package export functionality allowing you to download your created packages as .hds files for backup or sharing.
    • Implemented package import workflow with drag-and-drop support, validation checks, and automatic installation to your app library.
    • Added user packages directory (_user_packages/) organizing imported packages with dedicated folders for package files, icons, and compose configurations.
    • Enhanced App Store integration to seamlessly display both official HomeDock OS apps and your custom imported packages in a unified interface.
    • Improved desktop icon rendering for custom package apps with proper icon loading, fallback handling, and theme-aware styling.
    • Updated installation workflow to support custom packages with the same reliability and features as official HomeDock OS App Store applications.
    • Refined taskbar indicators with new visual designs for updates, installations, and uploads maintaining consistent styling across themes.
    • Added support for package deletion with proper cleanup of associated files, icons, and compose configurations.
    • Implemented package editing capabilities allowing you to modify existing package metadata, icons, and compose files after creation.
    • Created compose file editor within Packager system app featuring syntax validation, live preview, and formatting assistance.
    • Added icon preview system in the package generator showing real-time previews of uploaded icons with size and format validation.
    • Introduced category selection with predefined options including Media, Development, Security, Networking, and more for better app organization.
    • Enhanced error messaging throughout the packaging system with clear, user-friendly feedback for validation failures and upload issues.
    • Implemented file size limits ensuring packages remain manageable (5MB for packages, 10MB for compose files, 5MB for icons).
    • Added path traversal protection in package handling preventing security issues when extracting or processing package files.
    • Created package versioning support, with .hds format version tracking ensuring compatibility across future HomeDock OS releases.
    • Improved container update logic with smarter image comparison using manifest digests for accurate update detection.
    • Added update filtering to exclude dependency containers (marked with HDRole=dependency) from update notifications.
    • Refined mobile responsiveness for AppPackager with optimized layouts for tablets and smaller screens.
    • Updated window configurations adding proper size constraints, default dimensions, and positioning for the new Home and Packager system apps.
    • Enhanced desktop layout to accommodate the new Home system app as a quick-access system dashboard alongside other core applications.
    • Improved Docker API interactions with better error handling, retry logic, and timeout management for registry checks and container operations.
    • Added cache invalidation for external apps ensuring package changes are immediately reflected throughout the interface.
    • Fixed compose version compatibility in WireGuard and WG-Easy templates ensuring proper deployment across different Docker Compose versions.
    • Refined notification system to handle package installation progress, update availability, and error states with contextual messages.
    • Improved state persistence for package-related data ensuring your custom apps remain available across sessions and restarts.
    • Added sanitization utilities for container names and package slugs preventing conflicts and ensuring filesystem compatibility.
    • Enhanced global functions with new utilities for package path resolution, directory creation, and file operations.
    • Enhanced file delivery system supporting package downloads with proper MIME types and headers for .hds files.
  • 2.0.1.106: Updated JavaScript and Python dependencies to latest versions, migrated head management library and simplified rate limiting architecture.

    • Updated all JavaScript dependencies to their latest stable versions for improved security and performance.
    • Updated all Python dependencies to their latest stable versions ensuring compatibility and security patches.
    • Removed Flask-Limiter dependency, simplifying the rate limiting architecture with custom implementation.
    • Migrated from vue-meta to @unhead/vue for improved head/meta tag management with better Vue 3 compatibility, performance, and modern API.
  • 2.0.1.104: Implemented session expiration detection system with ultra-hardened axios interceptor and fixed CSS theming bugs in AppDropzone.vue and ThemeSelector.ts.

    • Added new SessionExpiredTray.vue component to taskbar that monitors HTTP 401/403 responses to automatically detect expired sessions and CSRF token failures.
    • Implemented ultra-hardened axios interceptor with comprehensive security protections against prototype pollution, getter traps, type coercion, ReDoS, and DoS attacks using native method caching, strict validation, string length limits, and rate limiting.
    • Added visual indicator to taskbar with animated SVG icon (gear with slash) showing session status.
    • Implemented dropdown panel with "Log in again" button for seamless re-authentication experience.
    • Fixed CSS theming bug in AppDropzone where upload list item text (.ant-upload-list-item-name) and loading icons (.ant-upload-text-icon) appeared black in Noir and Aero+ themes due to missing themeClasses.scopeSelector class on the UploadDragger component, preventing CSS rules in antd.css from applying correctly.
    • Fixed missing theme class in ThemeSelector.ts for folder color picker context menu text styling.
  • 2.0.1.102: Fixed RegEx injection issue in AppExplorer search functionality where special regex characters (like (, ), [, ], *, +, etc.) were not being escaped, causing application crashes and potential security issues. Implemented proper input sanitization by escaping all special regex characters before pattern compilation, preventing malformed expressions and protecting against ReDoS attacks.

  • 2.0.1.88: HomeDock OS 2.0 release featuring our brand new Prism Windows Manager, introducing real multitasking and a complete operating system experience.

    • Transformed HomeDock OS from a single-page web application into a full desktop environment with true multitasking, similar to Windows 11 or macOS.
    • Released our fully functional Prism Window Manager with resizable, draggable, maximizable, and minimizable windows. App load from within this desktop manager will be enabled after the integrated reverse proxy gets released.
    • Implemented draggable desktop icons with snap-to-grid positioning, allowing users to organize applications freely on the desktop.
    • Added support for desktop folders, enabling users to group related applications together for better organization (e.g., "Media Apps", "Development Tools").
    • Implemented Start Menu with application search, quick access, and organization of both system and installed Docker applications.
    • Created functional taskbar with active application buttons, system clock, notification area and quick access to Start Menu.
    • Added real-time system statistics widget to the taskbar displaying CPU, RAM, disk usage, and network activity.
    • Implemented context menus for desktop, applications, and folders with right-click support for quick actions and long-press detection for mobile icon dragging/wiggling.
    • Converted all main sections (App Store, Control Hub, Settings, System Logs, Drop Zone) into independent windows that can be opened simultaneously.
    • Implemented proper z-index management ensuring focused windows appear on top of others.
    • Added support for window size constraints (min/max width/height) configurable per application type.
    • Implemented double-click on title bar to maximize/restore windows, matching standard desktop OS behavior.
    • Added resize handles on all eight directions (N, S, E, W, NE, NW, SE, SW) for flexible window resizing.
    • Implemented smooth minimize animations with scaling effects.
    • Implemented window state persistence, remembering position and size across sessions.
    • Added support for multi-selection on Desktop using Ctrl+Click and drag-to-select area selection for batch operations on multiple applications.
    • Implemented persistent icon positions across sessions, maintaining user's desktop layout after logout/login.
    • Created a mobile-optimized desktop experience with horizontal page navigation and touch gestures, mimicking real-life mobile OS home screen behavior.
    • Created mobile-optimized fullscreen mode for windows on touch devices, respecting taskbar height.
    • Added visual page indicators for mobile users to track which page they're currently viewing.
    • Added keyboard shortcuts and accessibility features for window management.
    • Implemented smooth animations and transitions for icon movements, folder operations, and window actions.
    • Created new File Explorer system application for browsing and managing files within the desktop environment.
    • Implemented Folder View system application for viewing folder contents in a dedicated window.
    • Implemented Application Properties window displaying detailed information about Docker containers (status, ports, volumes, multi-service configs, etc).
    • Redesigned the whole App Installation modal using Ant Design Vue for customizing Docker Compose settings before installing applications.
    • Created About window displaying HomeDock OS version, credits, system information, and props for what we understand it's unacceptable now.
    • Massively expanded theme system with support for all new components (windows, desktop, context menus, color pickers, dialogs, etc).
    • Added new CSS variables for window shadows, borders, and backdrop effects ensuring consistent theming.
    • Integrated Ant Design component styling adapted to match HomeDock OS theme palette across all three themes (Default, Noir, AeroPlus).
    • Updated logo and graphics to support dynamic color adaptation based on selected theme using currentColor.
    • Implemented theme-aware animations and transitions for desktop interactions.
    • Implemented modal dialog system for application interactions (confirmations, inputs, alerts).
    • Created color picker menu for folder customization, allowing users to assign custom colors to organize folders visually.
    • Added date/time picker component with calendar view on the taskbar, replacing the top-right one.
    • Implemented info banners for displaying important system messages prominently.
    • Created installation progress indicator showing real-time status of App Store application installations to the system tray.
    • Added upload progress indicator with file-by-file tracking for Drop Zone uploads straight to the system tray.
    • Implemented status bar for windows displaying relevant information per application type and a little help section.
    • Created consistent section headers across all applications for improved visual hierarchy.
    • Added version control component for tracking and displaying HomeDock OS version information.
    • Implemented unified logo icon component used across the entire interface.
    • Refactored App Store with window system integration, allowing installation while browsing other sections.
    • Improved search and filtering capabilities with instant results and category-based organization.
    • Updated Control Hub to function as window with enhanced Docker container management capabilities.
    • Enhanced chart displays with better visual feedback and real-time data updates.
    • Improved login attempt visualization with clearer security indicators.
    • Integrated notification bell with taskbar for quick access to system alerts.
    • Enhanced port routing logic for better Docker service discovery and connection handling.
    • Added new storage management options in settings for external drive configuration.
    • Improved theme selector with live preview and instant switching.
    • Removed obsolete single-page HTML templates consolidating everything into the unified desktop environment.
    • Updated copyright notices and credits throughout the interface.
    • Patched rate-limiting bypass vulnerability (reported by @StringManolo) where attackers could spoof IP addresses via HTTP headers (X-Forwarded-For, X-Real-IP) to circumvent login attempt restrictions and Shield Mode protections. Replaced insecure get_remote_address() with request.remote_addr to enforce TCP socket-based IP validation, making IP spoofing impossible without a trusted reverse proxy. Enhanced is_local_subnetwork_ip() to properly validate all RFC 1918 private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and loopback addresses using ipaddress module, fixing incomplete subnet validation that only checked 192.168.x.x ranges.
    • Mitigated an Authenticated SSRF vulnerability in /api/check-port (reported at Secur0 by @cybernize), which allowed Host header manipulation to probe internal services, implementing strict hostname allowlisting and IP validation against trusted local/internet IPs.
    • Fixed a Path Traversal vulnerability in Drop Zone file operations (reported at Secur0 by @esTse), which allowed unauthorized path manipulation during file handling.
    • Additionally mitigated DoS variant of the Path Traversal vulnerability (reported at Secur0 by @Ismael034) where accessing /dev/random could crash the application.
    • Updated SECURITY.md security documentation with complete vulnerability history and fix versions, acknowledging security researchers.
    • Implemented desktop state persistence on localStorage to remember your icon positions, folder organization, and personal preferences across sessions.
    • Added window state management to remember each window's position, size, and state after closing and reopening.
    • Added support for tracking multiple simultaneous file uploads with real-time progress indicators.
    • Enhanced application management to support running multiple instances of the same app in different windows.
    • Added multi-selection support for performing batch operations on multiple desktop icons simultaneously.
    • Implemented custom dialog system for consistent modal interactions across all applications with full theme support.
    • Implemented intelligent responsive design that automatically adapts the interface based on your device (mobile, tablet, or desktop).
    • Enhanced security token management with automatic token refresh and hot reload ensuring secure API communications throughout the application.
    • Integrated real-time system monitoring for CPU temperature, usage, containers, disk space, network activity, RAM, and uptime with live updates in the system statistics widget.
    • Unified Docker container operations allowing you to manage containers from any window or context seamlessly.
    • Improved component rendering engine for faster and more efficient dynamic window loading.
    • Enhanced navigation system with support for multiple simultaneous windows and intelligent routing (e.g., opening multiple log viewers at once).
    • Added a Vue Router cosmetic client-side navigation guard for better user experience when switching between protected routes (security validation still happens server-side).
    • Simplified application layouts by removing redundant navigation elements now handled by the desktop environment.
    • Created unified desktop layout system as the primary interface for the application.
    • Maintained specialized pages for login, error handling, limited mode, and shield mode with dedicated layouts.
    • Ensured backward compatibility with legacy application routing while supporting the new window-based architecture.
    • Redesigned application initialization to support the new desktop-first architecture with multiple concurrent windows.
    • Implemented lazy loading for window components, significantly improving initial application load performance.
    • Completely refactored backend architecture to support desktop environment with unified routing and data handling.
    • Enhanced Docker service integration with improved dynamic loading, port mapping, and container information retrieval.
    • Integrated file management with the window system for seamless Drop Zone operations within the desktop.
    • Expanded settings management providing comprehensive desktop configuration options and user preferences.
    • Enhanced Docker API to provide extended container information including detailed properties and resource usage (RAM monitoring coming soon).
    • Updated all Docker operations (start, stop, restart, pause, unpause, update, uninstall) to work seamlessly from any window context.
    • Implemented comprehensive type safety across the entire application with strict TypeScript interfaces for better reliability and developer experience.
    • Enhanced file metadata system for improved Drop Zone file management with detailed type information.
    • Updated JavaScript dependencies adding modern libraries for advanced window management, drag-and-drop functionality, and enhanced UI components.
    • Updated Python dependencies ensuring full compatibility with the new architectural patterns and desktop features.
    • Optimized build system with intelligent code splitting for faster page loads and improved performance.
    • Enhanced TypeScript configuration with stricter type checking and better module structure support.
    • Hi there! We're working! :D
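
The rate-limiting fix in the 2.0.1.88 entry above (client IP taken from the TCP socket instead of X-Forwarded-For / X-Real-IP, and private-range validation with the ipaddress module) can be sketched as follows. This is an added example, not HomeDock OS code: `is_local_subnetwork_ip` reuses the name from the entry, but its body, `legacy_is_local`, both resolver functions, `LoginLimiter`, `count_allowed` and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# The private ranges named in the changelog entry (RFC 1918).
PRIVATE_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def legacy_is_local(ip):
    """Assumed shape of the incomplete check: only 192.168.x.x, by string prefix."""
    return isinstance(ip, str) and ip.startswith("192.168.")


def is_local_subnetwork_ip(ip):
    """True for loopback and RFC 1918 addresses; anything unparsable is rejected."""
    if not isinstance(ip, str):
        return False
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_loopback:
        return True
    return addr.version == 4 and any(addr in net for net in PRIVATE_NETWORKS)


def header_first_client_ip(headers, remote_addr):
    """Pre-fix style lookup: the client chooses its own rate-limit key."""
    forwarded = headers.get("X-Forwarded-For") or headers.get("X-Real-IP")
    if forwarded:
        return forwarded.split(",")[0].strip()
    return remote_addr


def socket_client_ip(headers, remote_addr):
    """Post-fix style lookup: only the TCP peer address is used."""
    return remote_addr


class LoginLimiter:
    """Counts failed logins per resolved client IP (hypothetical limiter)."""

    def __init__(self, resolve_ip, max_attempts=5):
        self.resolve_ip = resolve_ip
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def allow_failed_login(self, headers, remote_addr):
        """Return False once the key has used up its attempts."""
        key = self.resolve_ip(headers, remote_addr)
        if self.failures[key] >= self.max_attempts:
            return False
        self.failures[key] += 1
        return True


def count_allowed(resolve_ip, requests, max_attempts=5):
    """How many failed logins get through before the limiter blocks."""
    limiter = LoginLimiter(resolve_ip, max_attempts)
    return sum(1 for h, peer in requests if limiter.allow_failed_login(h, peer))


# Constructed sample: 20 failed logins from one TCP peer (documentation range),
# each carrying a different X-Forwarded-For value.
SAMPLE_REQUESTS = [
    ({"X-Forwarded-For": f"198.51.100.{i}"}, "203.0.113.7") for i in range(1, 21)
]

if __name__ == "__main__":
    print("header-keyed limiter allowed:", count_allowed(header_first_client_ip, SAMPLE_REQUESTS))
    print("socket-keyed limiter allowed:", count_allowed(socket_client_ip, SAMPLE_REQUESTS))
    for ip in ("10.0.0.5", "172.20.1.9", "192.168.evil.example", "8.8.8.8"):
        print(ip, legacy_is_local(ip), is_local_subnetwork_ip(ip))
```

If a trusted reverse proxy sits in front of the application, the socket peer is the proxy itself, so forwarded headers would need to be honoured only when `remote_addr` is that proxy's address.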
  • 1.0.18.126: Dependabot security update patching Axios CVE-2025-58754

  • 1.0.18.124: Dependabot security update patching Vite CVE-2025-58751 and CVE-2025-58752. Minor improvements on the notification system to make it cleaner and more consistent with the rest of the HomeDock OS GUI.

  • 1.0.18.122: Improved /app/ endpoint loader with dynamic app icons and smooth slide-up animations. Added /api/container-by-port/<port> to map ports to container names via Docker API, removing static config dependencies. Icons now show next to the HomeDock OS logo when available, UX at its finest... Updated backend-to-frontend data flow (selected_app_slug) with TypeScript interfaces and secured new endpoints with @login_required and our own CSRF protection module.

  • 1.0.18.120: Added new apps (Jellyseerr, Downtify, Web-Check, IT-Tools, Booklore (SSL too), Morphos, Homebridge, WG-Easy (SSL too), Homebox, Uptime-Kuma, and Compose-Toolbox) to the App Store. Fixed hd_UIAppLoader.py to correctly handle HTTP 308 redirects (which broke on some apps like Pi-hole due to a change in its response behavior). The loader now respects subpaths and makes requests to the exact endpoint configured (e.g., localhost:8080/test instead of just localhost:8080). Minor design tweaks were also applied to App.vue and MenuContent.vue to improve visual consistency. Fixed Nextcloud and also added native SSL support if enabled.

  • 1.0.18.118 [Dependency Clean-up]: Upgraded axios to 1.11.0 to enforce a clean dependency tree after the previous mitigation of CVE-2025-7783. Although version 1.0.18.117 had already resolved the issue by bundling form-data@4.0.4, some security scanners (e.g. Dependabot, Snyk) continued flagging a potential risk due to transitive resolution inconsistencies. This update ensures form-data@4.0.0 is fully removed from the lockfile and guarantees compliance with automated auditing tools. Additionally, most JavaScript dependencies have been updated to their latest versions, with the exception of Tailwind CSS (still on 3.4.16), which requires additional configuration work. No runtime or API changes introduced.

  • 1.0.18.117 [Security Update]: Upgraded npm dependency axios to version 1.10.0 to eliminate a transitive dependency on form-data@4.0.2, which used insecure Math.random() for multipart boundaries (CVE-2025-7783). The new version bundles form-data@4.0.4, fixing the issue without breaking compatibility. This ensures safer outbound HTTP requests and avoids injection risks in multipart payloads. No changes required to existing axios usage across the codebase. Confirmed that form-data is no longer a vulnerable node in the dependency tree.

  • 1.0.18.116: Added cross-platform external drive detection in hd_ExternalDriveManager.py, tested on Windows, macOS and Linux. Fixed container recreation on Windows by replacing os.rename with atomic os.replace. Added [[RND_STR]] devhook to compose preparser for dynamic string generation (a perfect fit for API keys and the like). Replaced Python Requests user-agent in /app/ with realistic Chrome/Windows UA and adjusted retry timing for better app compatibility. Centralized devhook handling in hd_ComposeDevHooks.py and added logic to detect and remove internal volumes on uninstall if configured. Replaced static Welcome to HomeDock OS greeting with dynamic messages from WelcomeMessage.vue and refactored UserGreeting.vue for cohesion. Removed VanillaJS legacy user button from dashboard and fixed mobile CSS issue causing blue links.

  • 1.0.18.112: Replaced the Popconfirm component used for uninstalling apps on the Dashboard with a new custom multi-step confirmation system to address a long-standing bug in Ant Design Vue that caused uninstall actions to fail silently on some Windows builds and specific screen resolutions. The new implementation uses a progressive button interaction with animated feedback (Uninstall → Confirm? → Are you sure?!) to ensure reliability, improve UX, and fully bypass the inconsistent rendering issues of the original component. It largely inherits the file deletion confirmation from Drop Zone files, so it is better for UI/UX too. (Thanks @tracins for the issue report)

  • 1.0.18.110: Removed the Drop Zone delete confirmation modal and replaced it with a double-click deletion system for a faster, cleaner, and more intuitive UX. Improved overall UI flow. Introduced a limit of 3 simultaneous uploads to prevent overhead and ensure better stability during heavy usage.

  • 1.0.18.109: Complete DropZone interface redesign with advanced file management capabilities. Implemented dual view modes (grid/list) with persistent user preferences stored in localStorage under unified dropzoneStatus which will be soon extended to the dashboard for a Desktop feeling. Added intelligent sorting system with name, size, and date options plus ascending/descending toggle. Enhanced file information display with relative timestamps ("5m ago", "1h ago", "Now" for recent uploads) and NEW badges for files uploaded within the last hour. Introduced confirmation modal due to popular demand for file deletions to prevent accidental data loss (sorry if you were affected >_>). Improved responsive design ensuring search bar and controls adapt perfectly across mobile and desktop devices. Added comprehensive theming support with new themeClasses for all interface elements (view toggles, sort controls, modal, badges) ensuring consistent styling across all three themes (Default, Noir, AeroPlus). Progress bars now maintain consistent appearance between grid and list views using absolute positioning to prevent layout shifts.

  • 1.0.18.108: Added CONTRIBUTING.md and improved DropZone file encryption with AES-GCM and PBKDF2-HMAC-SHA256 (1.2M iterations) using per-user keys and 32-byte salts stored in homedock_dropzone.conf (under the dzkey_v2 prefix). Introduced in-memory key caching to avoid redundant derivations, and added associated data (username) to AES-GCM for integrity binding. This kind of mirrors the salt logic from the legacy dzkey system, but serves a distinct purpose. While the username is used in the salt to generate a unique key per user, it's also used as associated data to ensure that encrypted files are tightly bound to their intended user, so both mechanisms now coexist in dzkey_v2. Legacy-encrypted files are automatically migrated on access so transition is seamless. Also removed key derivation from login to prevent slowdown, refined salt handling, cleaned up dead code, and improved error messages. In short, DropZone is now 10–50× more secure and obviously, faster.

  • 1.0.18.106: This quality-of-life update focuses on improving the stability and responsiveness of background services. We've enhanced the homedock.local (mDNS) service to gracefully handle network name conflicts, preventing potential application crashes and providing clearer user feedback. Some core network services have been reworked to be event-driven, allowing settings changes to take effect in real-time without requiring an application restart. Internal improvements and a monthly rotation in the active instance management service to enhance stability and entropy. Also fixed minor typos and some icon theme issues.

  • 1.0.18.104: Applied a temporary workaround to restore Filebrowser functionality after unexpected changes in their image and startup behavior, which broke compatibility with previously working Docker Compose setups. This ensures it remains operational while they clarify their recommended deployment approach.

  • 1.0.18.103: Updated README.md and CHANGELOG.md (we missed this one). Added GitHub icon to social links and integrated Discord with a ticket-based support system.

  • 1.0.18.102: Patched brace-expansion (CVE-2025-5889) and requests/urllib3 vulnerabilities (CVE-2024-47081, CVE-2025-50181, CVE-2025-50182) related to ReDoS, SSRF, and credential leakage. Removed deprecated apps no longer aligned with current standards. Fixed filebrowser.yml for both SSL and non-SSL setups. Added a contextual troubleshooting guide and increased /app/ endpoint retries to 10, as requested by users. Implemented HomeDock OS Desktop detection to disable in-app and HMR updates (updates are handled externally by Electron in Desktop mode). Introduced a lightweight entropy-based signature system for internal lighthouse consistency.

  • 1.0.17.129: Added upload and download progress bars to Drop Zone, as requested by several users. Each theme (Default, Noir/Dark, and Aero+) now features its own tailored progress bar styling for a more cohesive visual experience. Changelog added.

  • 1.0.17.128: Upgraded Flask to 3.1.1 (CVE-2025-47278), Vite to 6.3.4 (CVE-2025-46565), Pinia to 3.0.2, and @iconify/vue to 5.0.0. Refactored HTTP-to-HTTPS redirection to run inside Hypercorn via ASGI middleware, ensuring cleaner and more production-aligned behavior.

  • 1.0.17.104: Added a bunch of SSL-native applications; there's a lot of work to do here since not all apps are compatible, and we may need to add an HDRole=proxy quite soon. Implemented automatic SSL environment detection to retrieve certificates dynamically. Fully revamped /app preload logic for improved performance and reliability. Also addressed Vite CVE-2025-32395 by updating dependencies. Detailed changelog coming soon (it's on 1.0.18.102!).

  • 1.0.17.102: Added native SSL support detection for compatible apps and displayed SSL status in the App Store. Introduced StatusFooter.vue (requires app image and label), improved image handling options, and applied minor UI tweaks to OrbitLoader.vue, App.vue, and Login.vue. Enforced Strict-Transport-Security via hd_CSPMaxed.py to prevent single-domain multiport conflicts, and enabled automatic HTTP-to-HTTPS redirection on SSL-enabled instances.

  • 1.0.16.146: Patched Vite vulnerabilities CVE-2025-31486 (arbitrary file access via crafted .svg paths) and CVE-2025-31125 (unauthorized file exposure via query parameter injection) by upgrading to Vite ≥6.2.5. Added social login icons to the login screen, introduced new icons on the Dashboard, and improved update failover handling for better resilience.

  • 1.0.16.143: Patched Axios (CVE-2025-27152) and Babel (CVE-2025-27789) vulnerabilities. Also fixed environment issues affecting n8n on Unix-based hosts.

  • 1.0.16.142: Added n8n and Jellystat to the App Store with full integration support.

  • 1.0.16.141: Minor tweaks and bug fixes in the Drop Zone module to improve stability and user experience.

  • 1.0.16.129: Addressed CVE-2024-12797 and updated Python dependencies accordingly. Fixed footer rendering behavior, improved uninstall confirmation UX, and increased default time delay for new Atlas instances (just kidding hehe). Resolved internal port routing in host mode and introduced hd_FunctionsActiveInstance.py for centralized active instance management.

  • 1.0.15.055: Fixed a bug in hd_HMRUpdate.py where the configuration was being loaded before it was guaranteed to exist, causing execution failures during certain update flows.

  • 1.0.15.047: Added failover retry polling to the Dashboard App Loader for improved resilience. Fixed a bug in Drop Zone’s active path menu and updated logic to use the configured username instead of the normalized ID. Updated vite-fusion to 0.0.9 for better performance and applied a security patch for Vite@6.0.9 (CVE-2025-24010). Also changed the virtual environment path to /venv for consistency across setups.

  • 1.0.15.046: Added smart application endpoint detection with SSL support check and automatic redirection on HTTPS-enabled instances. Fixed a bug in hd_DockerAPIContainerData.py to ensure the correct HomeDock OS port is used in service URLs. Improved handling of apps that block HEAD requests and corrected a debug typo in SSL status detection.

  • 1.0.15.029: Merged UpdateHMR branch from private internal repository. Finalized HMR integration and resolved multiple stability issues. Also fixed Drop Zone activePath bug and reduced update redirect delay to 2s for a smoother user experience.

  • 1.0.15.028: Removed automatic updates on startup. Updates must now be manually applied by the user through frontend notifications, giving full control over when to update.

  • 1.0.14.124: Introduced support for modifying version.txt during the update process and enforced last_update_hash: never to ensure consistent version syncing behavior.

  • 1.0.14.123: Ensured consistent execution paths across environments. Fixed a bug from the homedock_www refactor where relative paths broke when running via the homedock.py binary. All assets and templates now load correctly regardless of the execution location, and Vite asset paths are resolved properly when launching HomeDock OS from different directories.

  • 1.0.14.122: Ensured consistent execution paths across environments. Fixed a bug introduced during the homedock_www refactor that broke relative paths when running via the homedock.py binary. Assets and templates now load reliably regardless of the working directory, and Vite asset paths are correctly resolved when launching HomeDock OS from alternative locations.

  • 1.0.14.121: Implemented full Hot Module Replacement (HMR) support with granular file-level updates and automatic restarts on changes within /pymodules. Improved versioning logic to prevent overruns and added mechanisms to safely interrupt the auto-update process, ensuring consistent reload behavior across updates.

  • 1.0.14.117: Migrated from WSGI to ASGI using Hypercorn with AsyncioWSGIMiddleware, enforcing 64KB size limits on critical endpoints (/login, /api/pcrypt) for enhanced security. Refactored homedock_www initialization into pymodules/hd_HDOSWebServerInit.py, replaced homedock_www.rootpath with current_directory, improved UI delivery via vite-fusion, and added a partial GitHub auto-update check/download system with pre-HMR sync status validation.

  • 1.0.14.101: Finalized and deployed workaround for Hypercorn's wsgi_max_body_size limitation affecting Drop Zone uploads. Ensures stable large file handling under ASGI constraints.

  • 1.0.14.100: Introduced Drop Zone with AES-256 CBC encryption, using PBKDF2-HMAC-SHA256 based on username for secure upload/download, search, and responsive UI. Replaced Flask's global MAX_CONTENT_LENGTH with endpoint-specific size control via hd_ApplyUploadLimits.py middleware (e.g., 1GB for /api/upload_file). Fixed logic issues and typos in Notifications.vue. Cleaned up app-store by removing test/placeholder composes. Added workaround for Hypercorn's wsgi_max_body_size per-endpoint limitation. Reverted to last_update_hash: never as default.

  • 1.0.12.402v3: Completed Drop Zone backend with full support for encrypted upload, download, and deletion. Implemented client-side file size display and stabilized ciphering logic. Also improved local_dns handling using Zeroconf with better error management for edge cases and unavailable local networks accessible from homedock.local.

  • 1.0.12.401v3: Pre-release with broad improvements across security, UI, and functionality. Replaced legacy HDOS-VanillaJS AppStore endpoints and reintroduced favicons/manifest for SSL. Improved public IP detection and fixed NaN issues in external disk API for TypeScript. Added /routes support in Port Routing from the Dashboard, with error code 606 for invalid ports and port change notifications. Enhanced styling cohesion, added dynamic classes to ThemeSelector.ts, applied security patch for urllib3 1.26.19, and included build precompilation adjustments.

  • 1.0.12.399v3: Initial commit and prelaunch setup for version 12.399v3. Baseline foundation for upcoming features and release structure. The v3 suffix means Vue3; this nomenclature will be discarded when we fully port all features from Vanilla JS and CSS. We already have it working on Svelte and React.
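The 1.0.18.108 entry describes PBKDF2-HMAC-SHA256 key derivation plus AES-GCM with the username as associated data. The sketch below is an added example, not HomeDock OS code, showing why that binding matters: the same key refuses to decrypt a file presented under another username. The `secret` input, the salt-plus-username layout, the 12-byte nonce, the `nonce || ciphertext` blob format and all function names are assumptions, and it relies on the third-party `cryptography` package.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

ITERATIONS = 1_200_000   # PBKDF2 count quoted in the 1.0.18.108 entry
SALT_LEN = 32            # 32-byte per-user salt, as in the entry
NONCE_LEN = 12           # 96-bit GCM nonce (assumption; the entry gives no nonce size)
_key_cache = {}          # in-memory cache so PBKDF2 runs once per (user, salt)


def derive_key(secret: bytes, username: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte AES-256 key; the username is mixed into the salt (assumed layout)."""
    cache_id = (username, salt, iterations)
    if cache_id not in _key_cache:  # a real cache must be cleared when the secret changes
        _key_cache[cache_id] = hashlib.pbkdf2_hmac(
            "sha256", secret, salt + username.encode(), iterations, dklen=32)
    return _key_cache[cache_id]


def encrypt_file(key: bytes, username: str, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with the username as associated data."""
    nonce = os.urandom(NONCE_LEN)  # must never repeat under the same key
    return nonce + AESGCM(key).encrypt(nonce, plaintext, username.encode())


def decrypt_file(key: bytes, username: str, blob: bytes) -> bytes:
    """Raises InvalidTag if the data, the tag or the username binding does not match."""
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], username.encode())


def rejected(key: bytes, username: str, blob: bytes) -> bool:
    try:
        decrypt_file(key, username, blob)
        return False
    except InvalidTag:
        return True


def demo(iterations: int = ITERATIONS) -> dict:
    salt = os.urandom(SALT_LEN)                       # constructed sample values below
    key = derive_key(b"constructed-secret", "alice", salt, iterations)
    blob = encrypt_file(key, "alice", b"constructed file body")
    flipped = blob[:-1] + bytes([blob[-1] ^ 0x01])    # one bit changed in the tag
    return {
        "roundtrip": decrypt_file(key, "alice", blob) == b"constructed file body",
        "other_user_rejected": rejected(key, "bob", blob),   # same key, wrong AAD
        "tamper_rejected": rejected(key, "alice", flipped),
        "cached": derive_key(b"constructed-secret", "alice", salt, iterations) is key,
    }
```

The associated data is authenticated but not stored in the blob, so the caller has to supply the expected username at decryption time.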
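The 1.0.14.117 and 1.0.14.100 entries mention per-endpoint body size limits (64KB on /login and /api/pcrypt, 1GB on /api/upload_file). As an added illustration, not the project's hd_ApplyUploadLimits.py, this generic ASGI middleware enforces such limits both from the declared Content-Length and by counting streamed bytes, since the header can be absent or wrong. The class, the toy downstream app and the `status_for` driver are hypothetical names.

```python
import asyncio

# Limits quoted in the changelog entries.
LIMITS = {"/login": 64 * 1024, "/api/pcrypt": 64 * 1024, "/api/upload_file": 1024 ** 3}

class BodyTooLarge(Exception):
    pass

class BodyLimitMiddleware:
    def __init__(self, app, limits=LIMITS):
        self.app, self.limits = app, limits

    async def __call__(self, scope, receive, send):
        limit = self.limits.get(scope.get("path")) if scope["type"] == "http" else None
        if limit is None:                       # unlisted path or non-HTTP scope
            return await self.app(scope, receive, send)
        declared = dict(scope.get("headers", [])).get(b"content-length", b"")
        if declared.isdigit() and int(declared) > limit:
            return await self._reject(send)     # cheap early exit on an honest header
        seen = 0
        async def counting_receive():           # header may be missing or lie: count bytes
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > limit:
                    raise BodyTooLarge
            return message
        try:
            await self.app(scope, counting_receive, send)
        except BodyTooLarge:                    # assumes the app reads the body before responding
            await self._reject(send)

    async def _reject(self, send):
        await send({"type": "http.response.start", "status": 413, "headers": []})
        await send({"type": "http.response.body", "body": b"payload too large"})

async def drain_app(scope, receive, send):      # toy downstream app (constructed)
    while (await receive()).get("more_body", False):
        pass
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def status_for(path, chunks, content_length=None):
    """Drive one constructed request through the middleware; return the HTTP status."""
    headers = [] if content_length is None else [(b"content-length", str(content_length).encode())]
    queue = [{"type": "http.request", "body": c, "more_body": i < len(chunks) - 1}
             for i, c in enumerate(chunks)]
    sent = []
    async def receive(): return queue.pop(0)
    async def send(message): sent.append(message)
    scope = {"type": "http", "path": path, "headers": headers}
    asyncio.run(BodyLimitMiddleware(drain_app)(scope, receive, send))
    return sent[0]["status"]
```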

This changelog consolidates multiple commits into unified version entries for clarity. Some changes originated from different branches and private repositories, ensuring a cleaner and more traceable development history.