v6.0.0

v6.0.0 is a major release with a significant number of improvements and fixes.

As always, take a backup of your Postgres database before upgrading.

What's new?

• TOTP two-factor authentication.
• E-mail-based Forgot password reset flow.
• Ability to archive lists.
• Subscriber activity in the Subscriber profile UI.
• Ability to send transactional mails to non-subscribers via the /api/tx API.
• Campaign-level JSON {} attributes just like subscriber attributes.
• Granular override on subscriptions / subscriber profile in bulk import.
• In-built Postgres VACUUM cron in Maintenance settings for large databases.
• CORS origin configuration in Security settings

In addition, there are several other bug fixes and improvements.

Security

This version addresses the issue of arbitrary <script>s in a campaign created by a non-admin user with the campaign management permission executing when a super admin previews that campaign, allowing API calls on the super admin user's account to execute on their session.

How to upgrade

As always, take a backup of your database before upgrading.

Binary

Download the latest binary. Stop and replace the old binary. Run ./listmonk --upgrade. Start the app again.

Docker

# cd /directory/with/docker-compose.yml

docker-compose down
docker-compose pull && docker-compose run --rm app ./listmonk --upgrade
docker-compose up -d app db

Changelog

• 00f303c Add v6.0.0 migration file.
• 5673e61 Add attribs to campaign docs.
• 2d560fa Upgrade altcha JS to latest version.
• d7a41f7 Auto-translate new i18n language strings.
• 556cb37 Fix Cypres tests.
• e20ed06 Rename v5.2.0 migration to v6.0.0.
• 9552865 Apply minor style fixes to admin.
• f1dd8a4 Add support for campaign-level JSON attributes.
• e49c8d0 Refresh i18n language files.
• a65608c Split 'overwrite' on import UI into 2 separate options (userinfo and subscription status). Closes #2496
• 77fb9dd Fix invalid syntax in bundled visual template.
• 576309d Add viewport meta tag to visual builder default template. Closes #2751.
• c6bc9a6 Show duration in seconds also on campaigns page. Closes #2796.
• 5f93543 Fix user menu not showing in responsive view on the UI. Closes #2793.
• 74dc5a0 Add sandboxing to campaign preview iframe.
• d802793 Bump qs from 6.13.1 to 6.14.1 in /frontend (#2844)
• 373682a Fix and imporve bulk deletion in campaigns and queries.
• 3f5bc8d Improve zh-TW (Traditional Chinese) translation (#2840)
• 183d0ea Bump github.com/altcha-org/altcha-lib-go from 0.2.2 to 1.0.0 (#2819)
• 787c758 Fix #2778 'Track Link' status is lost when re-saving an existing link in the Rich Text Editor (#2829)
• 1a68363 Add missing i18n German translations (#2830)
• e215e1e Added Cloudron install button in doc (#2826)
• e8fb9d5 Fix incorrect --new-config file write error message. Closes #2818.
• c651117 fix confusing formatting issue in dev setup docs (#2813)
• 55540a2 Remove confusing field validation behaviour on S3 settings UI. Closes #2806.
• e703c37 Add env var support for static-dir and i18n-dir flags (#2807)
• 9feb59f Update it.json (#2803)
• a998c91 Correct status field reference in documentation (#2808)
• 1c36164 Translate English phrases to Slovak in sk.json (#2810)
• 045f0eb Fix broken language string on CAPTCHA settings on UI. Closes #2781.
• 570bb46 Add cron-based VACUUM ANALYZE support for DB maintenance.
• 67ad4d5 Add external recipient support to /api/tx endpoint.
• 583f92a Add bulk deletion (by id or query) to lists and campaigns.
• 2b60907 Add list permission check to campaign creation.
• b46e0d6 Fix list update query returning incorrect state on lists with no campaigns.
• c108a61 Change LISTMONK_db__host from 'listmonk_db' to 'db' (#2787)
• c888b7f Update default sample visual template with tracked link examples (#2788)
• 06e6b67 Add Cloudzy logo to providers list on the homepage (#2777)
• e526a5f Fix list name not being updated in campaign_lists on list update. Closes #2734.
• 2074604 Add archival support to lists.
• 6417f30 Stop recording to send count on campaign creation.
• 12b8069 Remove incorrect settings dependency on Media UI.
• 581aad4 Add SMTP status check and basic heuristics to classify hard/soft bounce in POP3 scan.
• 3bf8bdb Split queries.sql into multiple files for better readability and maintainability. Closes #2738. (#2776)
• 8170489 Split models file to domain specific files (#2775)
• 750ce91 Fix incorrect doc for query param in /api/campaign. Closes #2772.
• 60f7ac9 Bump js-yaml from 4.1.0 to 4.1.1 in /frontend/email-builder (#2767)
• 296245a Add 2FA TOTP support for authentication.
• 4c3b58c Bump golang.org/x/crypto from 0.40.0 to 0.45.0 (#2766)
• 75998ca Add Forgot password reset flow to the admin. Closes #2753.
• ea1eb3f Add warning to users:manage permission in docs. Closes #2752.
• a2bfc0b feat: add subscriber activity tracking UI in admin panel (#2756)
• b3f60a9 Bump js-yaml from 4.1.0 to 4.1.1 in /frontend (#2761)
• 425c0d7 Update 3rd party instructions re Fly.io install (#2757)
• e469296 Fix duplicate operationId in OpenAPI spec (#2758)
• 22bcd70 feat: add Northflank deploy button (#2736)
• 60c069d Fix per_page=all not working on GET bounces API. Closes #2678.
• b7e8b1e Fix tx handler incorrectly sanitizing subscriber_emails[]. Closes #2726.
• cdf0a5c Add CORS configuration to security settings.
• 827a208 Bump vite from 5.4.20 to 5.4.21 in /frontend (#2722)
• e8156e0 Update Czech translation (#2694)
• c666c4f Bump vite from 5.4.19 to 5.4.20 in /frontend (#2691)
• 39658c4 Add minor security enhancements (#2682)
• 2085abe Handle Postmark spam complaints. (#2679)
• fb60455 Bump vite from 5.4.18 to 5.4.20 in /frontend/email-builder (#2660)
• 27f58ef Bump axios from 1.8.2 to 1.12.0 in /frontend (#2666)
• 06275f1 Update Czech translations (#2688)
• 2c5dc61 Update it.json (#2667)
• d661fa8 Fix typo in docs (#2664)
• a76099e incorrect ALTCHA Form challengeurl (#2654)
• 943a961 Update release details on the static homepage.

v5.1.0

v5.1.0 contains an important security update (CSRF prevention - CVE-2025-58430) along with other minor bug fixes and improvements.

What's new?

• ALTCHA (self-contained proof-of-work CAPTCHA alternative) in addition to hCaptcha (deprecated)
• Refactored media gallery with a new UI and improved UX.
• Bulk subscriber blocklisting directly from the bounces UI.
• Auto-creation of OIDC users with default user and list roles.

Breakings change to subscription-form.html

If you are loading a custom subscription-form.html static template with --static-dir, you have to update your template with the breaking changes (CAPTCHA logic) from the new subscription-form.html

How to upgrade

As always, take a backup of your database before upgrading.

Binary

Download the latest binary. Stop and replace the old binary. Run ./listmonk --upgrade. Start the app again.

Docker

# cd /directory/with/docker-compose.yml

docker-compose down
docker-compose pull && docker-compose run --rm app ./listmonk --upgrade
docker-compose up -d app db

Changelog

• 30846f8 Ignore altcha.umd.js from frontend build so that goreleaser ignores it.
• e27a390 Expand the warning on subscribers:sql_query permission on arbitrary SQL functions.
• 6d99316 Auto-translate new i18n language strings.
• d4007d5 Fix Go tpl expressions breaking in Visual editor HTML.
• deb41f8 Add i18n translation helper script.
• 81d05e4 Suppress optin e-mail send errors on subscriber insert/edit APIs.
• fcbebc2 Update Cypress trests on the campaign file attach UI.
• e8b0eaf Bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 (#2634)
• 301c13a Add optional subject param to tx API. Closes #2333.
• ad66878 Fix list action icons not showing on the UI based on permissions. Closes #2640.
• fbe4c5c Make session cookie samesite to prevent CSRF requests.
• ea88b94 Add link for n8n node (#2649)
• 7d38890 Change OIDC init to lazy-load instead of loading once on boot. Fixes #2626.
• 9611164 Refresh i18n language files.
• 09d291e Add support for built-in ALTCHA CAPTCHA implementation.
• 38387d0 Fix List-Unsubscribe header incorrectly sent on opt-in confirmation. Closes #2619.
• eef0021 Add support for loading secrets from *_FILE env vars in Docker environment.
• 4a93184 Bump tmp from 0.2.3 to 0.2.4 in /frontend (#2617)
• ad67fc6 Refactor landing page on the website.
• 4d74cf4 Tweak log viewer to optionally hide filename from log lines (on the import UI).
• 26c61f8 Bump form-data from 4.0.1 to 4.0.4 in /frontend (#2587)
• fb39d61 Refactor media gallery UI.
• ba24c64 Add subsriber blocklisting on the bounces UI (#2409)
• c9c678c Add support for OIDC user auto-creation (#2578)
• 66d7413 Update OpenAPI specification (#2581)
• ae84fa3 Add listmonk-mcp to SDKs documentation (#2573)
• 6b7e423 Update OIDC doc with latest KeyCloak realm URL (#2568)
• 89b2704 Update deps and remove obsolete replace in go.mod. Closes #2567.
• 98d2ad6 Add Korean i18n translation (#2565)
• 38c784f Update release details on the static homepage.

v5.0.3

v5.0.3 contains fixes for some minor, but annoying bugs, primarily SMTP errors not being captured and displayed while sending test mails.

How to upgrade

As always, take a backup of your database before upgrading.

Binary

Download the latest binary. Stop and replace the old binary. Run ./listmonk --upgrade. Start the app again.

Docker

# cd /directory/with/docker-compose.yml

docker-compose down
docker-compose pull && docker-compose run --rm app ./listmonk --upgrade
docker-compose up -d app db

Changelog

• 48643aa Disallow POST /api/subscription on disabling public subscription in settings. Closes #2530.
• a424f01 Print full line with error in the importer log. Close #2549.
• 4f6880d Fix opt-in send errors silently ignored on signup form. Closes #2535.
• b71d80e Upgrade smtppool lib with error-return bugfix. Ref: #2503
• 419f88a Fix incorrect line counts due to empty lines in CSV importer (#2542)
• aa864fd Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#2543)
• d7e4ecf Fix typo in configuration.md (#2540)
• a9d3591 Add heading in template functions doc (#2527)
• 78f3db7 Add permanent warning to docs about Sprig functions.
• 2081048 Update release info on homepage.

v5.0.2

v5.0.2 contains an important security update which disables the env and expandenv Sprig template functions preventing accessing of env variables from templates. This affects v4.0.0 - v5.0.1 installations that have unprivileged users in a multi-user setup.

How to upgrade

As always, take a backup of your database before upgrading.

Binary

Download the latest binary. Stop and replace the old binary. Run ./listmonk --upgrade. Start the app again.

Docker

# cd /directory/with/docker-compose.yml

docker-compose down
docker-compose pull && docker-compose run --rm app ./listmonk --upgrade
docker-compose up -d app db

Changelog

• d27d2c3 Remove dangerous tpl funcs in Sprig that's enabled by default.
• 6fc6c1e Fix Vietnamese translation issues (#2487)
• d6f5292 Fix subscribers unsubscription status being reset to confirmed on save (#2517)
• 8b8358e Add Nodion Deployment Option (#2518)
• 3f39508 updates simples3 to latest version (#2520)
• d027cb5 Add kloudbean hosting link to static website (#2508)
• bf502ba Update release details on the static homepage.

v5.0.1

v5.0.1 is a bug-fix release on top of the major v5.0.0 release. It features the addition of long pending features such as the visual drag-and-drop e-mail builder, per-campaign SMTP selection, and numerous other fixes and improvements.

What's new?

• Visual editor and templates
  • The much requested and awaited visual e-mail builder and template editor is now integrated, with one-click conversion between formats. Thanks to @vividvilla for the big PR integrating @usewaypoint/email-builder-js
• Campaigns:
  • Replace CodeFlask with the more mature and robust CodeMirror for a much better code-editing experience (HTML, CSS, Javascript, Markdown) on campaigns, forms, templates,and settings UI.
  • Ability to preview campaign archive view.
  • Make paused campaigns editable and allow unscheduling with new Unschedule button.
  • UX improvement that automatically switches scheduled campaigns to draft when send_at is removed.
  • Add format/content type selection to the first screen on campaign creation.
  • Ctrl+S short for saving campaigns while working on them
• Security:
  • Campaign viewing and management are now filtered by a user's list permissions and now use the new new campaigns:get_all and campaigns:manage_all permissions. Important: This is a behavioural change from v4.1.0.
  • Disallow private list UUIDs on public subscriber endpoints.
  • Make OIDC provider name on the login button configurable.
  • Add get list permission check to bulk subscriber list management.
  • Proper enforcement of the subscribers:sql_query permission with SQL query analysis and table allow-listing. Addresses #2412.
• SMTP & e-mail:
  • Name SMTP servers and select an SMTP-server per campaign.
  • Add List-Unsubscribe header to opt-in confirmation emails.
• General UI
  • One-click Copy button on subscribers and campaigns tables for copying names and e-mails to clickboard.
  • Checkered bg on media thumbnails to visualize transparency.
• APIs:
  • Add new search param to paginated API responses.
  • Introduce LISTMONK_ADMIN_API_USER for installation.
• Others
  • Major cleanup and restructuring of the codebase for better maintainability.
  • Upgrade of various dependencies .
  • Many other small fixes and improvements.

How to upgrade

As always, take a backup of your database before upgrading.

Binary

Download the latest binary. Stop and replace the old binary. Run ./listmonk --upgrade. Start the app again.

Docker

# cd /directory/with/docker-compose.yml

docker-compose down
docker-compose pull && docker-compose run --rm app ./listmonk --upgrade
docker-compose up -d app db

Changelog

• dc466fc Fix quotes issue in TrackLink regexp.
• 70fe7cb Bump vite from 5.4.18 to 5.4.19 in /frontend (#2497)
• b0ecd74 Add OIDC SSO tutorials to docs for Keycloak and authentic.
• e49253b Fix name conflict in frontend JS util lib.
• 29b2766 Add missing requirements.txt to docs. Closes #2494.
• 71ae2bb Fix scheduled campaigns not finishing. Closes #2480.
• 86f808b Allow @ in usernames. Closes #2478.
• 4da91a0 Fix broken TrackLink regexp. Closes #2448.
• 03285ab Display detailed d:h:m duration schedule on campaigns page. Closes #2460.
• 3895fbd Fix race in selected template reverting to default on the campaign page. Closes #2461.
• 9540d49 Fix subscription status filter param not being picked up on subscribers page. Closes #2447.
• b04fe6b Fix bounces not being sorted by type field. Closes #2444.
• 2e56322 Fix incorrect query check in bulk subscriber actions. Closes #2491.
• 00a7eff Enforce lowercasing of email in user creation. Closes #2482.
• 4a132e0 Fix broken template funcs in visual campaign update.
• f687ac8 Fix incorrect order of translated day names in Hungarian locale (#2485)
• ae55e64 Update Dutch i18n (#2449)
• 85ead71 docs: add listmonk and forward email for secure newsletter delivery guide (#2440)
• 6336ec4 Update release details on the static homepage.

v5.0.0

Skip this release and upgrade to v5.0.2 instead for multiple fixes (UX bugs and a security fix)

Changelog

• 3b8a8c2 Add email-builder/dist to .gitignore.
• 8902320 Update screenshot on README.
• a7085cb Update homepage.
• 11f52ee Switch migration version to v5
• 47e8f81 Default body_source to null instead of empty string in non-visual campaigns.
• 925cdf2 Add visual template and new permissions to docs.
• 1599957 Add and auto-translate missing i18n strings in all language packs.
• db81dc1 Remove default dummy admin notification email settings.
• 9de19ea Fix Codemirror Cypress tests in templates and form pages.
• 92fc646 Update sdks.md: add client for java/kotlin (#2426)
• 81b62a4 Fix race condition in immediate campaign pause-start actions.
• d3c8eca Upgrade Go deps.
• 0dc29b7 Fix CSV example on the subscriber import UI.
• 953deef Hide 'New' and 'Save' buttons on the templates UI if there's no manage permission.
• 7791327 Make Must config variables non-Must so that the app doesn't panic on their absence.
• 8fc3d27 Merge pull request #2423 from knadh/dependabot/npm_and_yarn/frontend/email-builder/vite-5.4.18
• 3dfdf48 Merge pull request #2424 from knadh/dependabot/npm_and_yarn/frontend/email-builder/babel/runtime-7.27.0
• 12bc798 Make OIDC provider name display on login button configurable. Closes #2211
• 8885437 Bump @babel/runtime from 7.26.0 to 7.27.0 in /frontend/email-builder
• 6707b63 Bump vite from 5.4.10 to 5.4.18 in /frontend/email-builder
• 5477c16 Merge pull request #2373 from knadh/feat-visual-editor
• ed700d7 Add a Preview option to the campaign archive tab. Closes #2245.
• b67fc5e Replace CodeFlask code editor with CodeMirror on the UI.
• 53d7929 Prepare first RC.
• ffbda01 Add sample visual campaign template on install and upgrade.
• 445d7e5 Fix clone campaign by fetching campaign body on clone.
• 1559c55 Add visual editor Cypress tests.
• ded0fcf Fix broken visual template cloning on the templates UI.
• dcdef8e Add format/content type selection to campaign creation UI.
• d3da0be Fix `test campaign' sending wrong template for visual campaigns.
• 5207dff Fix visual editor change event/init/import sequences.
• 968b366 Stop fetching bodies for all campaigns and explicitly fetch for visual campaign import.
• 20e4b10 Fix DB state issues in visual campaign cloning.
• f4c0e66 Refactor 'media upload' integration in campaign visual editor.
• 3aba2b0 Fix frontend/email-builder Makefile build steps.
• 343d405 Add Ctrl+S campaign save shortcut and add Ctrl+S and F9 to richtext editor.
• e4e735e Update tsx formatting in email-builder.
• 503e985 Add support for converting all types to visual editor blocks.
• f1fbadf Fix incorrect template states in DB in campaign creation and broken preview.
• cee2589 Move email-builder src from / to /frontend.
• 110345d Refactor and simplify state management in campaign editor.
• fca5ec5 Change visual editor UI language.
• 7786b18 Add DB migrations for visual editor.
• c1f81cf Fix compatibility issues with master.
• 82e2b70 fix: Move visual-editor to iframe so that CSS styles are isolated.
• 4a524c9 feat: Integrate media selector to visual editor and add minor fixes.
• e6f08a0 feat: Inject email-builder instead of loading it as ES module
• ae98280 feat: Integrate email-builder on campaign/template editor UI and backend.
• 5a0980e Add on-hover one-click Copy button to subscribers and campaigns tables UI.
• a85e467 Add missing charset for numbers in TrackLink regex. (#2404)
• fb52700 Remove GET /api/settings dependency on the Lists -> Forms UI.
• b44ea0c Merge branch 'fix-sql-search'
• 75aad8e Add new search param to paginated API response structure.
• 29591c1 Add get list permission check to bulk subscriber list management.
• fca8d6d Bump vite from 5.4.17 to 5.4.18 in /frontend (#2416)
• 4b805f8 Fix broken subscribers:sql_query permission.
• 375e385 Bump golang.org/x/net from 0.36.0 to 0.38.0 (#2413)
• 4d8c8cd Update installation.md (#2405)
• 5971bc4 Fix Raw CSV example on import UI (#2392)
• 562e52c Introduce LISTMONK_ADMIN_API_USER to --install. Closes #2314, #2322.
• b3e6b09 Bump vite from 5.4.15 to 5.4.17 in /frontend (#2391)
• 0826f40 Remove repetitive URL param :id validation and simplify handlers.
• e6d3aad Add ability to wait and healthcheck for backend app in Cypress settings tests.
• 78366ab Clean up main initialization to remove app interdepencies in init.
• 8848922 Remove superfluous consts dep in init functions by separating URL consts.
• e2f24a1 Turn notifs into a special stateful global singleton package, removing clunky deps.
• e327ebb Move all HTTP handlers directly to App and remove the redundant in-between layer.
• b3d46a8 Refactor system notification callbacks into a new notifs package.
• 00c858f Refactor all HTTP handlers and attach them to a single struct.
• 007f4de Fix a number of cosmetic inconsistenies across handlers and functions.
• fcf2449 Replace awkward auth user object access in handlers with an explicit func.
• 17998fb Refactor user auth models and permission checks.
• 5c78506 Refactor superfluous list perm check middleware into standalone function.
• a271bf5 Introduce per-campaign filter permissions. Closes #2325.
• a5f8b28 Fix inconsistent behaviour in campaign scheduling on the UI.
• fbc27ae Refactor UI time diff display function to prefix '-' on past dates.
• 92e5d63 Fix various static-check/idiom warnings.
• b18c7ad Fix incorrect loading spinner on the Lists UI. Closes #1822.
• d1c964d Bump vite from 5.4.12 to 5.4.15 in /frontend (#2379)
• b8f50ea Add support for domain allowlists in addition to blocklists. Closes #2230.
• 6efb6e7 Upgrade smtppool to v2 and add support for concrete SSL options.
• e4a18da Remove forcing unique filename on all media uploads.
• ef8f319 Remove obsolete language key and refresh i18n files.
• 9224e34 Update i18n refresh script to remove deleted base keys from all other files.
• 5f1b676 Remove ASCII-only restriction on media filenames. Closes #2277.
• 0be7a79 Fix broken log rendering on importer UI.
• 1b43e1a Add minor i18n Hungarian language pack fixes (#2375)
• 06c2f3b Add Nuxt.js module to Supported Libraries Lists (#2371)
• 473f942 Add i18n Hungarian language pack fixes (#2370)
• 7d3e6e6 Fix too greedy TrackLink regex replacement. (#2355)
• 79f8b60 Updating documentation to reflect AWS Console changes (#2365)
• 625f616 Change the docker-compose example to bind Postgres locally. Closes #2357.
• de9a8ea Add Bulgarian i18n translation (#2349)
• f310131 Update Go version to v1.24.1
• d43ac10 Tidy go.mod
• f34551d Bump golang.org/x/net from 0.33.0 to 0.36.0 (#2348)
• 2005e7a Bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 (#2346)
• bc5b817 Bump axios from 1.7.9 to 1.8.2 in /frontend (#2347)
• a986961 Disallow private list UUIDs on public sub endpoints. Closes #2296.
• 8dc5bc2 Bump prismjs from 1.29.0 to 1.30.0 in /frontend (#2345)
• f8d07ad Fix DELETE list documentation. (#2335)
• 06768ba Fix ru i18n lang (#2330)
• e649cf6 docs: improve clarity and consistency of user-related translations (#2324)
• d3a417d Fix typo in function name.
• 2defef3 Refactor SMTP name to always have email- prefix for consistency.
• 24af0bc Update ca.json (#2303)
• d055cc5 Add support for selecting SMTP per campaign (#2290)
• 756e391 Fix typos in subscribers.md (#2302)
• 61d7a9d Update cs-cz.json (#2293)
• 2f5ab4c Display filename and milliseconds in timestamp on the logs admin UI (#2280)
• ad162c2 Bump vite from 5.4.11 to 5.4.12 in /frontend (#2268)
• 86f9ad0 Add Norwegian Bokmål (no.json) i18n language pack (#2289)
• d0321ba fix: typo in callout under the settings page (#2283)
• c3069e5 Update Finnish translation (#2270)
• 672d8ff Merge pull request #2269 from s-en-o/patch-1
• 1446fbb fix(static): no matching closing anchor tag
• 7153777 Merge pull request #2266 from vinitparekh17/patch-1
• 7c952e7 docs: removed duplicate line
• afa717f Upgrade smtp-pool lib fixing non-FQDN hostnames. Closes #2146.
• ff19a34 Fix bounce meta JSON overflowing in the table on admin UI. Closes #1797.
• 0e49a4b Merge pull request #2264 from knadh/edit-campaign
• 3d383cd Make paused campaigns editable.
• 5ba0adc Automatically switch scheduled campaigns to draft when send_at date it removed.
• 61c6b7e Add explicit Unschedule button on campaign UI.
• fd31ac6 Remove redundant send_later param in campaign POST/PUT.
• e8fd12b Add List-Unsubscribe header to opt-in confirmation mails. Closes #2224.
• 2e8a5ac Add user roles/perms documentation. Closes #2242.
• 0930a22 Add VACUUM to maintenance section in docs.
• e2aa9c5 Make media image background checkered to show transparency. Closes #2080.
• c877156 Bump golang.org/x/net from 0.23.0 to 0.33.0 (#2253)
• a5e56c3 fix: forwardemail bounce processing invalid signature issue (#2250)
• 0878f3e Add Laravel SDK to Supported Libraries Lists (#2240)
• 50b296d Remove GitHub from OIDC shortcuts as it doesn't support OIDC. Closes #2235.
• b75de39 Fix elest.io image in docs (#2239)
• cb9b798 Fix typo in de i118 (#2236)
• 62c996b Fix typo (#2233)
• 2abc0a8 Apply minor Go code fixes (#2219)
• 98934e6 Fix outdated docker local dev suite (#2200)
• 97fde64 Make CSV (import) header fields agnostic of surrounding spaces. Closes #2189.
• 6371228 Fix schema and add migration for incorrect subscriber count (null) in materialized view.
• 5c0de6e Fix broken sorting lists by subscriber_count. Closes #2151.
• 7bfbd6a Add all to subscriber deletion by query which broke with query validation. Ref: #2122.
• a129111 Replace broken indent JS lib with js-beautify. Closes #2182.
• 1c33d32 Remove redundant event from boun...

v4.1.0

v4.1.0 is a major release with a significant number of improvements and fixes.

⚠️ Important: Upgrading from v3.x.x

As always, take a backup of your Postgres database before upgrading.

v4.1.0 is a major upgrade that introduces multi-user management and authentication features, fundamentally changing how login and authentication works. It no longer relies on the browser-based BasicAuth prompt and ships with a built-in login system. The upgrade automatically creates a new Super Admin user based on the admin_username and admin_password fields from the TOML configuration file, after which, the credentials in the TOML file are no longer needed. Read more.

What's new?

• Multi-user support with granular permissions, user, role, per-list permissions and API token management.
• Support for OIDC (OpenID Connect) authentication.
• First-time Super Admin setup UI for fresh installations.
• Significant performance improvements to SQL queries underlying concurrent campaign processing. Performance gains of several orders of magnitude on large installations.
• Styling improvements to UI for better UX including new tabs UI in subscriber modal popup.
• Markdown syntax highlighting.
• Static email template subjects are now scriptable with template syntax.
• Support for CC and BCC in custom email headers.
• Syntax highlighting in HTML form generator.
• Many quality-of-life improvements, fixes, and dependency upgrades.

How to upgrade

As always, take a backup of your database before upgrading.

Binary

Download the latest binary. Stop and replace the old binary. Run ./listmonk --upgrade. Start the app again.

Docker

# cd /directory/with/docker-compose.yml

docker-compose down
docker-compose pull && docker-compose run --rm app ./listmonk --upgrade
docker-compose up -d app db

Changelog

• 0a27de1 Replace type field in user creation UI with radio-button for better usability.
• 894d284 Fix GET subscribers not filtering by list permissions. Closes #2129.
• 8b213f0 adds property description to List and NewList, updates docs (#2150)
• 18edc65 Add v4.1.0 migrations.
• abe09d6 Refactor OIDC redirect state to have nonce validation. Closes #2138.
• b995cce Switch login form URLs to relative URIs.
• cb8b54f Add ForwardEmail (provider) bounce integration (#2016)
• 0392582 Add % on campaign analytics pie chart hover (#2124)
• c35ed68 Fix quotes in JSON API req example in docs.
• e182fb5 Fix the delete/blocklist by SQL query example in docs.
• 1ac9ccb Reject blocklist-by-query API requests with no query.
• ac5e101 Reject query-by-delete API requests with no query. Ref #2122.
• d8a394d Update it.json (#2134)
• 68df637 Update curl example to remove username/api_username confusion. Closes #2136.
• 2c02e01 #2114 - Fix issue of wrong platform used during docker build (#2123)
• 599147c fix: favicon markup (#2115)
• be9fe9c Update hu.json (#2102)
• 5abf004 fix dummy detection for OIDC client secret (#2116)
• cf7d664 Fix broken individual list GET API. Closes #2117.
• ca73e4f Change wording to 'one-way mailing list' on the static homepage.
• 998b6e3 Remove version info from docker-compose docs to avoid confusion.
• f6ed13a Add explicit instructions for older docker-compose files.
• 319053d Update release link on static site homepage.
• f5dfb0c Remove root URL from login setup form to prevent bad redirect on first install. Closes #2103.
• 136d9d1 Don't fail on chown in Docker entry script. Closes #2104.
• 8ef71aa Fix docker-compose curl command examples.
• 120d275 Update release link on static site homepage.
• 3894571 Remove obsolete demo file reference from Docker build commands.
• 0f2c679 Remove deprecated goreleaser flag from GitHub action workflow.
• 11cb3ce Update gorelease Go build version to latest.
• 79f94d3 Update gorelease command and remove deprecated flags.
• afd5db9 Fix incorrect image tag in docker-compose.
• fd04fc1 Refresh i18n language files and add (GPT 3.5) auto-translations for new strings.
• 4eefd42 Remove redundant campaign manager config validations (#2095)
• 9bad699 Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 (#2083)
• d35dbb0 Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 (#2084)
• b8ae4f6 Change v4.0.0 migration script to not auto-generate credentials.
• 7fcc6f7 Simplify and refactor docker-compose.yml and remove install scripts.
• 24bab75 Add first time login setup template
• 178fa94 Update user login time on password login.
• 5b3d6e2 Add first-time Super Admin setup UI on fresh install.
• 1e4b3a2 Separate get individual user and get all users queries.
• 87db0d5 Fix Cypress admin form test to support rendered HTML.
• 25cdb7b Pull e-mail from userinfo endpoint if OIDC token endpoint doesn't return it.
• a37d414 Add missing GH token to Swagger docs workflow.
• 9760d19 Fix button focus/active styles on the UI.
• 69de02a Restyle and simplify subscriber form UI with tabs.
• b5382b8 Add user UI frontend tests.
• b2866b1 Apply minor style changes and improvements to modals.
• 74e77bd Add names to user form fields for testing.
• 3fdf6fe Add individual list permission checks on admin UI.
• 887d582 Fix get-users query to return all users when no ID param is given.
• 1075485 Merge branch 'fix-user-query'
• e7109da Fix missing email validation in OIDC exchange.
• 7847167 Fix incorrect id logic in user selection.
• 13222b5 Fix random timing related Cypress test failures (huh).
• 29aa977 Expand search input width on subscribers UI for smaller screens.
• 354fb30 Replace hardcoded perm literal with const.
• 6258fd5 Increase settings UI poll interval to reduce broken requests.
• 30be235 Add microseconds to log lines.
• 0f785b7 Fix Cypress tests to work with new auth and other UI changes.
• 8c07a2a Fix broken status in subscriber export query.
• 71f9e86 Show OIDC URL warning only when enabled on the UI.
• 03744e0 Fix broken settings references on forms page
• d02a9d6 Update it.json (#2085)
• 6fe47b2 Merge pull request #2082 from knadh/multiuser
• 39463d7 Refresh i18n langauge strings.
• cc71899 Add non-prod ODIC URL warning on admin settings UI.
• af06d2e Upgrade prismjs.
• f226aca Add missing auth permissions file.
• cea65c0 Fix and refactor subscriber batch fetching in campaign processing.
• ee119b0 Fix import not 'unsubscribing' list subs for already blacklisted subscribers. Ref #1931.
• a268341 Refactor subscriber APIs list permission filtering.
• d9b4bae Rename migration to v4.0.0
• 0331e3c Sory users by created_at always.
• eb47e80 Fix list auth by adding an explicit 'getAll' flag to query.
• 3671a52 Update profile UI with new user data structures.
• ae2a386 Add support for "list roles".
• 12a6451 Add list permission check to subscriber calls.
• d74e067 Add per-list permission to list management.
• 982e8d8 Fix post v4.x.x upgrade warning on admin UI.
• f8e6eaa Add docs for v4.x.x multi-user upgrade changes.
• 26c6db0 Remove admin user/password from ...

v4.0.1

Skip this version and upgrade to v4.1.0 instead.

v4.0.0

Skip this version and upgrade to v4.1.0 instead.

v3.0.0

v3.0.0 is a major release with a significant number of improvements and fixes.

What's new?

• The concurrent core or the "engine" is completely re-written. Campaign pausing and cancellations are now near-instant and lossless. Concurrent campaign sending performance has improved significantly. The sent count now accounts for every single message rather than an approximation.
• Major performance improvements for large databases with the new Settings -> Performance -> Cache slow queries option. On installations with millions of subscribers, enabling this speeds up database queries (retrieving lists, subscribers etc.) by several orders of magnitude. On a production database with ~14 million subscribers, the speed up on the lists page was 2000x, from ~20s to ~10ms.
• New frontend dependency and build system refactor, speeding the admin pages (and the development build process).
• Addressed the root cause of mysterious SMTP sending errors that triggered only in certain SMTP environments.
• New fields for filtering lists, campaigns, subscribers in query APIs.
• Campaign archives now support “slugs” (clean permalinks) for public URLs instead of UUIDs.
• Major refactor and cleanup of documentation.
• F9 shortcut key for campaign and template previews.
• Many quality-of-life improvements, fixes, and dependency upgrades.

How to upgrade

As always, take a backup of your database before upgrading.

Binary

Download the latest binary. Stop and replace the old binary. Run ./listmonk --upgrade. Start the app again.

Docker

# cd /directory/with/docker-compose.yml

docker-compose down
docker-compose pull && docker-compose run --rm app ./listmonk --upgrade
docker-compose up -d app db

Changelog

• f9120d9 Auto-translate one missing i18n key..
• 36e39e5 Auto-translate missing i18n scripts.
• 8939d27 Reformat sl i18n language file.
• 82894e5 Simplify default e-mail template.
• dc43e9c Configure Markdown parser to not escape double quotes. Closes #1698.
• 3103bbc feat: Add Slovenian localization (#1704)
• d70236c Fix incorrect error message in tx template preview.
• 2841586 Fix sorting in camapaign analytics view counts.
• 6cb9982 Add .IndividualTracking to public templates. Closes #1663.
• 74ef6f5 Add a 'view' link on the lists page. Closes #1674.
• 7c44eb0 Replace Go easyjson lib.
• f14df89 Update Go deps.
• f0a3cbd Remove redundant SMTP test error toast on the admin UI.
• 45f4ae1 Add performance/query caching docs.
• 9adc5e7 Refactor navigation and styling in docs.
• bb1492b Merge branch 'query-performance'
• 5a3664a Add support for caching slow queries on large databases.
• a5b06a8 fixed railway icon and spelling bug (#1696)
• 9e96649 Update schema.sql - change default bounce settings (#1669)
• 67bc2ce Improve SES bounce processing docs (#1676)
• 98fa3e0 Update templating.md with command to fetch templates from repo (#1677)
• e42ab9c Bump vite from 5.0.10 to 5.0.12 in /frontend (#1680)
• 0935e9c Bump follow-redirects from 1.15.3 to 1.15.4 in /frontend (#1664)
• 4c5df16 Add deploy template for RepoCloud.io (#1662)
• 2f487de Log subscriber id/uuid on failed opt-in message push. Closes #1333.
• 908173c Style the 'fix code' buttn on campaign archive tab.
• d8ca26e Add a 'template reference' docs link next to campaign editor. Closes #1405.
• 9109097 Remove incorrect API def from docs. Closes #1658.
• 7067f05 Update listmonk-simple.service - add optional log file (#1640)
• 8677151 Merge branch 'slug'
• 0d319ad Add 'slug' (permalink) support for campaign archives. Closes #1394.
• 78caa35 fix: add copying campaign object before sending test message (#1659)
• 3335171 Fix (accidentally) broken migration scripts.
• 3711bed Fix clipboard copy prop on template form.
• bd2990f Add F9 shortcut key for toggling campaign and template previews.
• 234fd11 Fix incorrect label on maintenance UI. Closes #1652.
• a93031d Make Makefile accept custom build versions from env for dev builds.
• fa2c840 Rename v2.6.0 migration to v3.0.0, the next major release.
• a6d55d6 Upgrade smtp-pool lib fixing bad conn state issues.
• 8add9d6 Merge branch 'fix-campaign-sent'
• 9a96134 Update installation.md +tut & minor changes (#1647)
• 772476c Add accurate sent count, last sent subscriber tracking on campaigns.
• 414c5c0 Refactor the core concurrent campaign manager logic.
• 0c9dc07 Add a ?v=hash cache breaker (that changes on restart) to static assets.
• a2629c2 Make all ID/UUID labels on the UI onclick -> clipboard copy.
• b946c33 Fix broken chart components.
• 2feb1b0 Make the name part in from e-mails optional. Closes #1602.
• b2a5e37 Fix incorrect form messages on public re-subscription to double opt-in lists. Closes #1638.
• bce6758 Fix preconfirm option not working on bulk 'select all' subscriber list management. Closes #1646.
• 0d74619 Make providing name in subscriber creation optional and assign internally. Closes #1630.
• a9a7156 Scroll TinyMCE richtext editor back to caret on dialog close. Closes #1635.
• db17fa1 Restore tab selection on campaign page on reload.
• 49bbf92 Merge branch 'upgrade-frontend'
• ef77a7e Replace c3js with chart.js for major dep size reduction.
• f4b2446 Update configuration.md +logs section (#1641)
• 9bd7511 Update italian translation (#1644)
• af8b420 Refactor and upgrade the frontend vue code to work with vite instead of webpack.
• 51af75c Add subscription status filter to subscriber list query and admin UI.
• 8f12c03 Fix newly created lists not showing up on other pages automatically. Closes #1589.
• 01acd38 Add tag/type/optin filter options to lists and campaigns APIs. Closes #1631.
• c468e7a Upgrade Cypress to latest version.
• 5d63574 Skip non-existent dirs in --static-dir mode to use default stuffed dirs. Closes #1599.
• aba7111 Fix default non-stuffed frontend dir path.
• dd87a10 Addte listmonk-simple.service (#1622)
• 6a26580 Update general-question.md
• 9a30067 Create da.json (Danish translation) (#1628)
• 80b2537 Bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#1632)
• be62c50 feat: Add from_email to postback struct for sending tx postbacks (#1623)
• e869f7b Translate to Ukrainian (#1606)
• b6922b0 Suppress 'no campaign' errors on pixel view registration. Closes #1588.
• 95dabe5 Update upgrade.md +binary info (#1613)
• e06d379 Update installation.md +tutorials (#1611)
• 7c99167 Update installation.md +changing port (#1607)
• fa50664 Add i18n Greek translation (#1605)
• 53eb71a Add 404 HTTP handlers to prevent those requests going to BasicAuth endpoints.
• 2ce2a11 feat: docker compose use alpine for postgres (#1603)
• 52ee79b chore: noreferrer for listmonk url in footer (#1601)
• 524be27 Bump tinymce from 5.10.8 to 5.10.9 in /frontend (#1592)
• 75befe5 📝🐛 — Fix /api/subscribers/lists doc (#1594)
• 4577868 chore: remove refs to deprecated io/ioutil (#1593)
• c59825f Fix broken sorting (lists -> subcount, subscribers -> status) in queries. Closes #1076.
• 06b4494 Fix incorrect sanitisation of search queries on list/campaign frontend.
• 82c74cd Bump golang.org/x/image from 0.6.0 to 0.10.0 (#1580)
• 4c8c19e Update configuration.md - update path due to recent install path change (#1581)
• d439ecf Bump axios from 0.27.2 to 1.6.0 in /frontend (#1587)
• ef08495 Make the unsub form on opt-in confirmation e-mail open 'manage' by default. Closes #1515.
• 44d3462 Fix 'confirmed' subscriptions becoming 'unconfirmed' on public form re-signup. Closes #1441.
• 62be5e2 Fix mysteriously broken frontend build by switching eslint parser dep.
• 49ec11c Merge branch 'refactor-docs'
• e8ecdf8 Fix mkdocs links in docs.
• ff135ec Add 'copy code' button to code snippets in docs.
• be4be72 Refactor and clean up API Markdown docs.
• f8a55f8 Fix mkdocs navbar shadow
• 9e3af91 Update fr.json (#1586)
• f720e88 Refactor hr style in mkdocs template.
• b29f565 Fix broken table in campaign doc. Closes #1585.
• 3641f74 Add missing header field in campaign creation docs. Closes #1561.
• ccceaa6 Bump @babel/traverse from 7.21.3 to 7.23.2 in /frontend (#1563)
• c7882bb Bump tinymce from 5.10.7 to 5.10.8 in /frontend (#1564)
• fd05a6d Update installation.md - add cd listmonk (#1576)
• 06332d5 Update de.json (#1572)
• 1ebd80c Add Hebrew translation. Closes #1517.
• 491fab3 Update i18n language files.
• 764a052 Bump golang.org/x/net from 0.8.0 to 0.17.0 (#1555)
• c911aeb Fix attachments being omitted from postback (#1557)
• 954ed45 Fix incorrect Slovak language code. Closes #1533.
• a61a9d8 Fix preference management logic to avoid unnecessary DB calls.
• 99c71a2 fix: update inlang settings (#1529)
• 82c3c68 Clean root URL of trailing slashes when updating settings.
• 04e571d Fix file fetch in attachments failing for signed URLs. Closes #1499.
• 8f2a08b Fix invalid suffix 'd' in timestring string in s3 expiry config.
• 11f90b2 Fix typo in i18n S3 expiry description.
• 5af6252 Fix make not picking up semver from git archive builds. Fixes #1380.
• 717a636 Add Sprig and other tpl functions to static templates as well. Closes #1527.
• 7019f26 Fix docs for public subscription api (#1522)
• 9423c74 Docker Multi Arch (esp. ARM) builds: Improving Build File (#1451)
• 2b95c88 Add Postmark bounce webhook support (refactor #1385) (#1485)
• e5ac111 Update installation.md - fly.io instructions not working (#1487)
• 34d86fc Update installation.md (#1494)
• 5664e5c fix: replace docker-compose with docker compose (#1490)
• 83c88d7 Escape search query in list search. Closes #1471.
• 16eeb94 added "tutorials" section and other minor edits (#1444)
• e317f2c Modify sed flag based on OS. Closes #1474.
• 25513b8 go: bump to 1.20 (#1479)
• eefcbc3 Fix hardcoded DB name in 'about' SQL query. Closes #1477.
• 52a7298 Update bounces...