Skip to content

v0.104.0

Latest

Choose a tag to compare

@eliandoran eliandoran released this 18 Jul 11:45
97860e2

Note

If you enjoyed this release, consider showing a token of appreciation by:

This release is the largest in Trilium's history, built around two big themes: security and interoperability. The attack surface has been dramatically reduced across the desktop app, the server, and shared notes — with 16 dedicated security fixes and a few deliberate breaking changes (backend scripting and the SQL console are now disabled by default), so please review the Breaking changes section before upgrading.

Getting notes in and out of Trilium is also much easier: new importers for OneNote, Notion, Google Keep, Anytype and Obsidian join a faster, more memory-efficient import/export pipeline and Spreadsheet now has XLSX and CSV import & export.

On top of that come a redesigned setup and login experience, better AI integration (including being able to use your Claude Code subscription), richer text editing (multi-state TODO lists, collapsible blocks, link previews), dashboard collections, and a huge wave of polish — roughly 86 bugfixes and 68 smaller improvements touching nearly every corner of the app. The sections below have the full details.

💡 Key highlights

  1. Setup was redesigned from scratch to be more modern (see details below).
  2. The LLM integration can now use your Claude Code subscription, without the need of an API key or additional cost.
  3. Text notes: Customizable multi-state TODO lists by @adoriandoran
  4. Collapsible blocks by @adoriandoran
  5. Link previews by @stexz01, @eliandoran and @adoriandoran
  6. Toggle List (aka Accordion) by @adoriandoran
  7. Text notes: Collapsible bullets
  8. Spreadsheet gains XLSX and CSV import & export
  9. A new experimental Dashboard collection.
  10. Auto theme switching for code blocks and code notes
  11. Autocompletion (e.g. Intellisense) for Frontend & Backend code notes
  12. Significant hardening of the desktop and server app by @perfectra1n and @eliandoran.
  13. A new import mechanism allows importing from multiple applications: OneNote notebooks using the cloud API, Notion, Google Keep, Anytype, Obsidian
  14. Significant improvements to the import/export process
    1. Use a better buffering system so that the memory consumption never increases proportionally to the number of notes exported.
    2. Display the progress of import/export.
    3. Use a native mechanism on desktop so that the files being imported are not copied in memory.
    4. Server now uses the disk to store imported files, reducing memory pressure.
    5. Improved compression time by skipping already compressed files.
    6. Improved import performance.
  15. Significant improvements to the LLM UI by @adoriandoran: Quote content, save AI responses as subnote, regenerate responses, delete & rename chats, printing, note-tooltip, scroll-to-bottom & performance tweaks.

🚨 Breaking changes

  1. Backend scripting is now disabled by default.
    1. If you make use of these scripts, see the documentation (config.ini change for server or desktop settings).
    2. The goal of this change is to strengthen Trilium's security posture since backend scripts have dangerously powerful levels of access (e.g. full FS access). Front-end scripts are unaffected.
  2. SQL console access is disabled by default.
    1. Similar to backend scripting, it can be reactivated from config.ini.
  3. The desktop application (based on Electron) has been hardened against potential RCE attacks. You might have to adapt your scripts if you have front-end scripts that depend on Electron remote or the Node.js integration.
  4. The desktop application now no longer opens its port on the local network by default.
    1. This can generally affect you only if you are using ETAPI or desktop-to-desktop sync with your desktop client (servers are unaffected).
    2. This option can be changed in Options → Security.
  5. OPML v1 export was dropped from this release, v2 which preserves basic formatting has been kept instead. The v1 is still supported for import.

🐞 Bugfixes

This release lands roughly 86 bugfixes, with a strong focus on data integrity: several issues that could overwrite note content, corrupt the database during ZIP import, or leave sync in an inconsistent state have been resolved. The remainder is steady polish across the text editor, spreadsheets, Markdown import/export, canvas notes, sharing, authentication and mobile.

All 86 bugfixes
  1. Backend log doesn't respect the code color theme.
  2. Search: Wrong escape of highlighted tokens
  3. Desktop layout doesn't respect the bottom safe area.
  4. When refreshing the page, the sidebar shows up animated.
  5. “Upload attachment” not working on mobile.
  6. Text notes: Moving lines using keyboard shortcut sometimes not working
  7. Flickering note save indicator on desktop.
  8. Revisions: “Diff isn't available” when viewing revisions of an empty note.
  9. Code block tries to link/create note when typing @, and suggests slash-commands when typing /
  10. Recovered notes appear after interrupting a sync from a device that was long offline
  11. Relation map:
    1. Partially typed name being used as relation by @Renatonet0
    2. Fix Chinese IME input by @Dinis-Ou
  12. share* labels are not filtered out during safe import.
  13. Geomap rendering raw HTML
  14. Text Notes can not add lists that are not numbered (i.e. letters) by @adoriandoran
  15. ETAPI YAML endpoint not accessible.
  16. Status bar: Code language switcher not showing the language if it was not enabled in settings.
  17. Spreadsheet:
    1. Ctrl+R copies to the right, intercepting page refresh / Unnecessary save on refresh
    2. Can't edit the same note in a split.
    3. Save is sometimes done before recalculation, causing potential incorrect values.
    4. Unnecessary save when first showing some spreadsheets.
    5. Exporting as a single file results in a .undefined file with zero content.
  18. Calendar collection not occupying 100% height.
  19. Formatting toolbar not showing after temporarily editing a note in the old layout.
  20. New layout: Note map not visible on text notes
  21. Not all notes in a split loading after a refresh.
  22. Background effects interfere with shadow on Linux.
  23. AI: Extended thinking not working in some models
  24. Markdown: colspans and rowspans are not preserved during editing
  25. Read-only Mermaid diagrams not always rendering
  26. Notes being overwritten with another note
  27. Changes to AI providers not refreshing the sidebar.
  28. Markdown: wrong escape of dollar signs
  29. TOTP: Entering a wrong password uses up the recovery code
  30. OIDC credentials are not checked for
  31. Current OpenID Connect Implementation is not compatible with Authelia
  32. New checkbox rows are already prechecked when previous row was checked
  33. Spreadsheet not localized
  34. Move line up/down doesn't always work
  35. Scroll position is lost when the editor reinitializes.
  36. Periodic hidden subtree checks causes the text editor to refresh. 
  37. Missing blurred background for the icon switcher for the inline title.
  38. Geomaps breaking with GPX (entire navigation breaks)
  39. Tree position resets to top when switching between tabs with different workspaces/hoisted notes.
  40. Formatting toolbar remains visible after changing note type by @SiriusXT
  41. Markdown import: preserve heading hierarchy instead of flattening to H2
  42. Exports: filename length is capped to 30 characters
  43. Markdown rending issues when using multiple "$" in Code Block inside Blockquote
  44. Tables not rendering properly in read-only after a Markdown import
  45. The delete attachment confirmation dialog does not auto-select "OK"
  46. Misleading "Copy link to clipboard" for attachments
  47. Backend crash on abrupt WS disconnect
  48. Allow creating notes from relation auto-complete
  49. Can't confirm inline note creation via keyboard
  50. Time offset in Log - 24 hours (timestamps today are showing as yesterday)
  51. Enabling showLoginInShareTheme does not enable login from base domain
  52. Docker deployment, when accessing the webpage, the following prompt appears: Share root not found. Please set up a note with #shareRoot label first.
  53. Video/audio players' seek forward button has incorrect text
  54. Converting an attachment to a note breaks links
  55. Built-in LaTeX editor generates \differentialD, which is not supported by the renderer
  56. Share: Table of contents scrolls to the wrong position for duplicate headings.
  57. Importing a ZIP archive that contained a root note with content would corrupt the database.
  58. ignore IME composition Enter when editing card and column titles by @greymoth-jp
  59. Zooming shortcut Ctrl+ doesn't work on German Keyboard
  60. Shared note with a large code note freeze the server
  61. The checkbox and cursor in the to-do list are too close
  62. Table: boolean column sorting not always working & row number appear shuffled when sorting
  63. Include note would render recursively for nested includes, causing performance concerns
  64. Old layout: removed collection properties in the ribbon since they are duplicated with the collection bar.
  65. Search does not find protected notes while being in protected session
  66. Markdown import/export
    1. Some equations containing HTML-like characters are broken
    2. A table with no heading row but with heading columns will end up having an empty row when reimported.
  67. Tree can crash in some rare circumstances while updating itself
  68. “Blob not found” when deleting the active note.
  69. Table of contents becoming stale when switching between two notes with many headings.
  70. CTRL-Z with two Canvas notes will delete previous drawing
  71. Canvas notes sometimes fail to render
  72. New layout: Note map not shown in empty note type switcher
  73. Some protected notes and notes titles are still displayed after inactivity delay
  74. JavaScript error while OCR processing existing image files
  75. Day notes title pattern replacements not working
  76. Template collision for Code note
  77. Fix calendar events that cross midnight not showing up by @Glitch752
  78. Mermaid images not visible in HTML or share export
  79. Electron can sometimes crash due to a connection error
  80. Mindmap freezes on save on medium or larger notes
  81. Add link dialog fails to link if you press enter twice too quickly by @mvanhorn & @eliandoran
  82. PDF
    1. PDF download: name not preserved by @Excubitorum & @eliandoran
    2. Annotations are not saved immediately, only after closing the annotation tool.
    3. Unnecessary confirmation screen when navigating a way after the annotations have already been saved.
  83. When pasting an image, srcset bypasses Trilium's downloaded image.
  84. Canvas notes zooms out to 10% when using flowchart keyboard shortcuts.
  85. PDF viewer not showing properly in attachments
  86. Calendar events spanning day boundaries without an end date by @Glitch752

✨ Improvements

Beyond the headline features, 68 smaller improvements round off nearly every corner of the app. Several are worth calling out: pinned tabs and a reworked tab bar, a right sidebar toggle handle with peek mode, and options that now open in a modal by default instead of a new tab — changes you'll notice within minutes of upgrading. Media notes get a proper treatment too, with a new gallery-style image viewer (zoom, keyboard navigation) and an overhauled media player (previous/next, play modes, Media Session API integration), while Include note now renders collections, web views and saved searches interactively, and canvas notes can embed other notes and store images as attachments.

Markdown continues to become a first-class citizen: you can now convert text notes to Markdown and back, with snippets, code-block language autocompletion and cleaner "Copy as Markdown" output. The settings screens follow the setup redesign — the keyboard shortcuts section was rebuilt around a key recorder with conflict detection, and multi-factor authentication moved into Password & auth with QR generation and TOTP validation. The rest is steady polish: the LLM assistant became noticeably smarter and smoother; spreadsheets, the backend log and the import/export dialogs all received meaningful upgrades; and the desktop app gained conveniences like tray hiding and start-on-login.

All 68 improvements
  1. Setup redesign
    1. Language selection screen.
    2. Clarified the desktop to desktop sync.
    3. Demo content can be optionally skipped if creating a new document.
    4. Improve mobile support.
    5. Background effects for Windows 11 and macOS.
    6. Redesigned the login and set password screens as well.
  2. Markdown: Minor improvements to slash commands.
  3. Import: Ignore macOS metadata when importing a ZIP
  4. Back-end log
    1. Customizable word wrap
    2. Integrate with search
    3. Add a dedicated download button.
    4. Get rid of Slow 200 GET /api/backend-log with 19200316 bytes took 75ms.
  5. Text notes: Increase blockquote padding by @bigbangcmbr
  6. Improved the display of revisions in case a diff is not available or the revision is identical to the current note content.
  7. Text editor: configurable multi-state todo list checkboxes by @adoriandoran
  8. LLM
    1. Add an option to display history of chat notes
    2. Backlink support, based on reference links used by the assistant and tool calls.
    3. In-progress tool calls are also displayed.
    4. Reference links can be inserted by the user using @-mention
    5. Handle Gemini not supporting both note tools and note search
    6. Improve skill loading and render note for some models
    7. Smoother streaming effect
    8. Improved the backend and frontend skills for the LLM.
    9. Added a tool to search for icons.
    10. Add Claude Sonnet 5 & Fable.
    11. Improved UX by @adoriandoran
    12. Table of contents, text highlight support by @adoriandoran
    13. Improved the “Add provider” screen.
    14. Improved the model selector and fixed legacy models not showing in the sidebar.
  9. Markdown
    1. Interpret Markdown in table of contents.
    2. Improve table design and margins.
  10. Toasts are now selectable
  11. Various UI improvements by @adoriandoran
  12. Add separate language code for plain JavaScript
    Text notes no longer have frontend and backend-specific versions of JavaScript
  13. Spreadsheet
    1. Trim the saved data slightly.
    2. Improved rendering in the share and printing (borders, colors, number and date formatting).
    3. Added support for images
    4. Added support for mobile, making interaction much easier such as drag to pan instead of selection.
  14. Snippet support for code notes and Markdown notes by @adoriandoran
  15. New image viewer by @adoriandoran with gallery-style navigation, zoom and keyboard navigation.
  16. Media Player improvements by @adoriandoran
    1. Add previous/next navigation for audio and video
    2. Media Session API integration
    3. Play mode options
    4. Compact media player UI
  17. Improve fit and layout of the print preview dialog.
  18. Print: improved the layout and design of footnotes
  19. Quick edit: Reference links now open in the same popup instead in the background
  20. Options
    1. Seamless transition when switching themes, fonts or editor layout
    2. Improved the layout and appearance of backups and anonymized databases.
    3. Options now open by default in a modal instead of in a new tab.
  21. Show an indicator when loading a blob takes too much.
  22. Dedicated content badge for custom request handler
  23. Open tabs nearby instead of at the end
  24. Allow viewing source of SVG files
  25. Include note now renders some note types interactively such as collections, webviews or saved searches.
  26. Canvas notes:
    1. Notes can now be embedded in a similar way to Include note in text notes.
    2. Images for canvas notes are now saved as attachments which should reduce the performance hit when modifying canvases with large images.
  27. Improved the design of included notes.
  28. Launch bar configuration now opens in a modal.
  29. Improved revision dialog layout on mobile.
  30. Added linters:
    1. Mermaid: reporting parsing errors & improved error display.
    2. JSON
  31. Improved error tolerance for rendering math equations.
  32. Redesigned the keyboard shortcuts section with a key recorder instead of manual entry and conflict detection.
  33. Redesigned the multi-factor authentication section (including QR code generation and validation of TOTP) and integrated it directly in Password & auth.
  34. Improved OAuth connection flow, including display of the OAuth provider info (URL, name, icon).
  35. Improved detection of the OAuth provider icon, instead of falling back to Google's.
  36. Removed the default key binding for “Switch to Last Tab" since it overlaps with “Reset zoom” (Ctrl+0).
  37. Script API (both front-end and back-end) now have bidirectional Markdown / HTML conversion (htmlToMarkdown, markdownToHtml) by @misch334 & @eliandoran
  38. Notes can be toggled full-width from the note contextual menu (new layout only).
  39. Adjustments to the safe import for text notes: preserve underline text, list types, transparent table borders.
  40. Added a progress bar to the import notification.
  41. Option to disable tree scroll-follows-navigation by @kleutzinger
  42. Markdown:
    1. Added snippets for page-break and table.
    2. Added auto-completion for code block language tags.
    3. When exporting, format HTML-based tables with proper indentation & newlines.
  43. Spreadsheet: prevent jumping to the beginning/end when navigating at the edge
  44. The import dialog has been restructured to take into consideration support for new app-based imports (OneNote, Notion, AnyType).
  45. The export dialog has been simplified.
  46. Pressing enter in the note title will now focus the content and insert a new paragraph/line for text & code notes.
  47. Calendar: add a button to pin the current date
  48. Tree: Prevent accidentally importing above/below the hoisted note.
  49. Turned a few info dialogs into toasts.
  50. Mermaid updated with three new diagram types: Cynefin, Swimlane & Railroad
  51. Improve backend log with features such as syntax highlighting by @adoriandoran
  52. Various UI improvements by @adoriandoran
  53. Calendar: Add slotDuration and slotLabelInterval, Add Day View by @BeatLink
  54. Desktop installer: improved the installation animation on Windows and background on macOS
  55. Keyboard shortcuts now display localized names and macOS-specific glyphs.
  56. HTML & Markdown export: remove redundant data-list-id from list items.
  57. Code notes: add Nim language support by @dirtboll
  58. Evernote was enhanced with TODO list support, internal link detection and extended formatting such as admonitions.
  59. The desktop app gains two more features:
    1. Hiding to system tray when the last window is closed.
    2. Automatically starting up on login.
  60. Pinned tabs & various tab bar improvements by @adoriandoran
  61. Right sidebar toggle handle & peek mode by @adoriandoran
  62. Improvements to deleted notes dialog by @adoriandoran
  63. Icon pack preview by @adoriandoran
  64. Markdown: Convert text notes to Markdown and vice-versa by @adoriandoran
  65. Text notes:
    1. Undo & Redo buttons for the fixed toolbar by @adoriandoran.
    2. “Copy as Markdown” now renders more cleanly (fewer HTML attributes).
  66. Contextual shortcut hints by @adoriandoran
  67. Improved error management for render notes and backend scripts.
  68. PDF: added support for drawn signatures
  69. New launch bar buttons by @adoriandoran
    1. Color scheme switcher
    2. Deleted notes

🌍 Internationalization

  • Reach 100% coverage for Romanian.
  • Added Indonesian.

📖 Documentation

🛠️ Technical updates

  1. Remove unnecessary boxicon assets.
  2. Cleaned up a few dependencies.
  3. Complete architectural change to allow for a new deployment mechanism: standalone mode.
  4. Many dependency updates.
  5. Opt-in to disable automatic DB migration by @contributor
  6. Disable background effects while dev tools is attached to the same window
  7. Improved the loading time of the client by lazy loading libraries and dialogs
  8. Improved the loading time of the desktop slightly by loading the server at the same time as Electron starts.

🔒️ Security fixes

Security is a central theme of this release: 16 fixes systematically shrink Trilium's attack surface. Content is now sanitized on every path (HTML, SVG, collections, shared notes), injection vectors (SQL, path traversal, SSRF) have been hardened, sessions and cookies tightened, and the Electron desktop app locked down with strict permission, navigation and session-isolation policies. These fixes go hand in hand with the deliberate breaking changes above — together they make the default configuration significantly safer.

All 16 security fixes
  1. require() in backend scripts is now allow/block-listed
  2. Title templates & bulk-rename no longer use eval()
  3. Note content is now HTML-sanitized on non-editor paths
  4. Table of Contents & Highlights list strip block elements
  5. Improved SVG sanitization.
  6. Shared/published notes: CSP, and escaping
    • Custom #shareTemplate is ignored when backend scripting is disabled (EJS can run JS) — shared pages fall back to the default theme.
    • #shareRaw is now flagged isDangerous in attribute UI; raw HTML shares are still intentionally served unrestricted (opt-in).
  7. Session & cookie hardening
  8. API keys for LLM agents are no now write-only through the options API.
  9. Backup name sanitization
  10. SSRF / local file disclosure via image download
  11. Path-traversal hardening on file-upload endpoints
  12. SQL injection hardening
  13. Sanitize content of Collections and Mind Maps.
  14. Hardened the optional MCP server against DNS rebinding attacks.
  15. Hardening of the Electron app
    • <webview> attach vetting
    • Dedicated guest session partition: Web View notes now load in persist:webview instead of sharing the renderer session, so embedded sites can never see Trilium cookies or resolve the trilium-app:// scheme.
    • Deny-by-default permission policy. App session allows clipboard-sanitized-write, fullscreen, notifications (user scripts use new Notification()); guests get fullscreen only.
    • Scheme allowlist for external opens: window.open/target=_blank URLs are validated before shell.openExternal
    • Global window-open & navigation policy
    • Origin gate on trilium-app:// dispatch
  16. Shared notes:
    • Prevent accessing (encrypted, not plain text) protected attachments.
    • Improved filtering of some attributes.