You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Trusted proxy handling now ignores forwarded host and prefix headers, preventing reverse-proxy host header poisoning from influencing generated application URLs. Password reset links are now generated from APP_URL instead of request host headers.
Upgrade Notes
No database migrations or new environment variables are required.
Confirm APP_URL is set to the public base URL for the installation, because password reset links now use it as their canonical origin.
Rebuild and restart the VolumeVault container after upgrading.
Verification
Local verification before release included docker run --rm --user "$(id -u):$(id -g)" -v "/home/darkdragon/VolumeVault:/app" -w /app volumevault:local php artisan changelog:validate v1.16.1 --release --no-interaction.
Local verification before release included docker run --rm --user "$(id -u):$(id -g)" -v "/home/darkdragon/VolumeVault:/app" -w /app volumevault:local php artisan test --compact.
Local verification before release included npm run build.
Local verification before release included docker run --rm --user "$(id -u):$(id -g)" -v "/home/darkdragon/VolumeVault:/app" -w /app volumevault:local php ./vendor/bin/pint --dirty --format agent.
