v1.9.16
9001 released this 04 Nov 23:34
no vulnerabilities since 2023-07-23
there is a discord server with an @everyone in case of future important updates
v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
all serverlogs reviewed so far (5 public servers) showed no signs of exploitation
breaking changes
two of the prometheus metrics have changed slightly; see the breaking changes readme section
(i'm not familiar with prometheus so i'm not sure if this is a big deal)
new features
#58 versioned docker images! no longer just latest
browser: the mkdir feature now accepts foo/bar/qux and ../foo and /bar
add 14 more prometheus metrics; see readme for details
connections, requests, malicious requests, volume state, file hashing/analyzation queues
catch some more malicious requests in the autoban filters
some malicious requests are now answered with HTTP 422, so that they count against --ban-422
bugfixes
windows: fix symlink-based upload deduplication
MS decided to make symlinks relative to working-directory rather than destination-path...
--stats would produce invalid metrics if a volume was offline
minor improvements to password hashing ux:
properly warn if --ah-cli or --ah-gen is used without --ah-alg
support ^D during --ah-cli
browser-ux / cosmetics:
fix toast/tooltip colors on splashpage
easier to do partial text selection inside links (search results, breadcrumbs, uploads)
more rclone-related hints on the connect-page
other changes
malformed http headers from clients are no longer included in the client error-message
just in case there are deployments with a reverse-proxy inserting interesting stuff on the way in
the serverlog still contains all the necessary info to debug your own clients
updated example nginx config to recover faster from brief server outages
the default value of fail_timeout (10sec) makes nginx cache the outage for longer than necessary