Releases: ulsklyc/yuvomi

v0.68.4

09 Jun 21:56

Fixed

  • Documents: PDF previews no longer fail with "This page was blocked by Chrome" in Chromium-based browsers. The preview iframe dropped its sandbox attribute (Chromium refuses to start its internal PDF viewer inside sandboxed frames) and the /documents/:id/preview endpoint now sends a PDF-specific Content-Security-Policy (default-src 'self') instead of the strict default-src 'none' that blocked the native viewer. PDFs are still served same-origin as application/pdf with X-Content-Type-Options: nosniff, so no scripts can execute; non-PDF previews keep the strict policy.

v0.68.3

09 Jun 20:27

Changed

  • Dashboard: assignee avatars in the calendar widget's event rows are now 28px, matching the tasks widget and the app-wide default. They were previously 26px — a slight outlier — so the two side-by-side dashboard widgets now present assignees at a consistent size with better visual presence.

v0.68.2

09 Jun 20:17

Fixed

  • Desktop sidebar: collapsing/expanding the navigation sidebar no longer makes the icons, logo, and toggle button jump horizontally. Elements now keep stable horizontal centers and the toggle button's padding transitions smoothly in sync with the width animation, instead of snapping via instant justify-content changes.

v0.68.1

09 Jun 15:44

Security

  • Documents preview: hardened the new GET /api/v1/documents/:id/preview endpoint with defense-in-depth against stored XSS. It now enforces its own server-side allowlist of previewable MIME types (PDF, PNG, JPEG, WebP, plain text, CSV) and returns 415 for anything else, instead of serving any stored mime_type inline. Responses additionally carry X-Content-Type-Options: nosniff and a restrictive Content-Security-Policy (default-src 'none') so no inline content can execute scripts even if a file were ever misclassified. (Not exploitable in 0.68.0 — uploads already reject HTML/SVG — but this removes the implicit dependency on the upload allowlist.)
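The v0.68.1 and v0.68.4 entries together describe the server-side policy for the preview endpoint: an allowlist enforced independently of the upload path, a 415 for everything else, nosniff on every response, and a Content-Security-Policy that is strict by default but relaxed to default-src 'self' only for PDFs. The following is an added illustration written for these notes, not yuvomi's own code. It assumes the stored mime_type may carry parameters and arbitrary casing (normalised before the lookup) and adds an explicit charset on text types, which the release notes do not mention.

```javascript
// Added example, not the project's code: response policy for a document
// preview endpoint, derived from the stored mime_type alone.
// Assumption: the stored mime_type string may be mixed-case and may carry
// parameters such as "; charset=utf-8"; both are normalised here.

// Server-side allowlist of previewable types (from the v0.68.1 notes).
const PREVIEWABLE = new Set([
  'application/pdf',
  'image/png',
  'image/jpeg',
  'image/webp',
  'text/plain',
  'text/csv',
]);

// "Text/Plain; charset=ISO-8859-1" -> "text/plain"
function normalizeMime(storedMimeType) {
  if (typeof storedMimeType !== 'string') return '';
  return storedMimeType.split(';')[0].trim().toLowerCase();
}

// Decide status and headers for a preview request. The allowlist is checked
// here regardless of what the upload path accepted, so a misclassified or
// later-added type is never served inline.
function previewResponseFor(storedMimeType) {
  const mime = normalizeMime(storedMimeType);
  if (!PREVIEWABLE.has(mime)) {
    return { status: 415, headers: {} };
  }

  // Chromium's built-in PDF viewer needs default-src 'self' (v0.68.4);
  // every other previewable type keeps the strict policy.
  const csp = mime === 'application/pdf'
    ? "default-src 'self'"
    : "default-src 'none'";

  // Assumption beyond the notes: pin a charset on text types so the browser
  // never has to guess one.
  const contentType = mime.startsWith('text/')
    ? `${mime}; charset=utf-8`
    : mime;

  return {
    status: 200,
    headers: {
      'Content-Type': contentType,
      'Content-Disposition': 'inline',
      'X-Content-Type-Options': 'nosniff',
      'Content-Security-Policy': csp,
    },
  };
}

// Run the policy over a constructed set of stored types and return a summary
// (used for a quick self-check; the values are made up for this example).
function demo() {
  const samples = [
    'application/pdf',
    'image/png',
    'Text/Plain; charset=ISO-8859-1',
    'text/html',          // rejected: would be an XSS vector if served inline
    'image/svg+xml',      // rejected: SVG can carry script
    undefined,            // rejected: missing classification
  ];
  return samples.map((s) => {
    const r = previewResponseFor(s);
    return `${String(s)} -> ${r.status}${r.status === 200 ? ' ' + r.headers['Content-Security-Policy'] : ''}`;
  });
}

console.log(demo().join('\n'));
```

The decision is a pure function of the stored type, which makes the policy easy to unit-test and keeps the two CSP variants in one place; if the allowlist ever grows, the strict policy remains the default and only PDF opts into 'self'.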

v0.68.0

09 Jun 15:40

Added

  • Documents: in-browser document viewer. Uploaded files can now be previewed directly in an extra-large (xl) modal without downloading — images (PNG/JPEG/WebP) render inline, PDFs open in a sandboxed same-origin iframe, and text/CSV files are fetched and shown in a monospaced block. Office files (Word/Excel) and other non-previewable types fall back to a download prompt. A new eye-icon action button appears on viewable files, and clicking a card or row opens the viewer. Backed by a new GET /api/v1/documents/:id/preview endpoint serving files with Content-Disposition: inline.

Changed

  • Documents: grid cards redesigned — the category icon and date now share a header row, with action buttons centered below a divider.

Security

  • The Content-Security-Policy frame-src directive was relaxed from 'none' to 'self' to allow same-origin PDF embedding in the document viewer. The PDF iframe is additionally sandboxed (allow-same-origin only, no scripts) as defense-in-depth.

v0.67.6

09 Jun 13:59

Fixed

  • Docker/Podman: BACKUP_DIR in docker-compose.yml and podman-compose.yml is now hardcoded to /backups in the container's environment: section. Previously, setting BACKUP_DIR=./backups in .env to control the host-side volume mount source would also inject that host path into the container, where it does not exist — causing backups to fail silently. The container-side mount target is always /backups (fixed in volumes:), so the env var is now set unconditionally to that value.

v0.67.5

09 Jun 12:32

Security

  • Added Content-Security-Policy and Referrer-Policy meta tags to all landing-site pages (index.html, install.html, impressum.html, datenschutz.html). The CSP restricts resources to same-origin plus the inline styles/scripts the pages actually use; the referrer policy is strict-origin-when-cross-origin. (Clickjacking headers such as X-Frame-Options/frame-ancestors only take effect as real HTTP headers and cannot be enforced on plain GitHub Pages.)

v0.67.4

09 Jun 12:23

Added

  • Privacy guide for self-hosters (docs/PRIVACY-FOR-SELFHOSTERS.md): per-service third-country assessments for every external integration (Open-Meteo/OpenWeatherMap weather, CalDAV/CardDAV sync, OIDC single sign-on, WebDAV backup), data-processing-agreement notes, GDPR log-retention guidance, a household-exemption explainer, and a records-of-processing template. Linked from the README, the installation guide, and .env.example.

v0.67.3

09 Jun 11:49

Added

  • Imprint (impressum.html) and privacy policy (datenschutz.html) pages for the yuvomi.cloud landing site, linked from the footer of every public page.

Changed

  • The landing page now embeds the GitHub star count at build time (scripts/update-gh-stars.mjs, refreshed by a weekly workflow) instead of fetching the GitHub API from the visitor's browser — so opening the page no longer transmits any visitor data to a third party.
  • Clarified the AES-256/SQLCipher database encryption as optional (enabled in the recommended Docker setup) across the README, landing page, and SECURITY.md, to match the actual default install.
  • Corrected the session/CSRF cookie description in SECURITY.md from SameSite=Strict to SameSite=Lax to match the implementation, with a note on the Safari ITP rationale and Double-Submit-Cookie CSRF protection.

v0.67.2

09 Jun 09:50

Changed

  • Redesigned the GitHub social preview and Open Graph image (docs/social-preview.png, docs/og-image.png) with a more modern, professional editorial layout: brand logo mark and wordmark, a kicker pill, a gradient headline, feature chips with real icons, and the dashboard shown inside a macOS-style window frame with an ambient glow. The internal generator (scripts/generate-social-preview.mjs) was rewritten to embed the Plus Jakarta Sans brand font for crisp, on-brand typography. Image paths are unchanged, so existing Open Graph references keep working.