
Releases: MansiVisuals/ViTransfer

v0.9.10

28 Mar 00:10


Security

  • Downgraded @tus/server to 2.0.0 to eliminate a moderate middleware auth-bypass vulnerability (GHSA-p36q-q72m-gchr) introduced via srvx in 2.1.0+.

Dependencies

  • Upgraded bcryptjs to v3 (ESM). Updated lazy-loader in encryption.ts to use await import() instead of require(). Removed @types/bcryptjs (types now bundled).
  • Upgraded nodemailer to v8. Added @types/nodemailer v6 for compatibility.
  • Upgraded isomorphic-dompurify to v3.
  • Upgraded file-type to v22.

v0.9.9

26 Mar 14:10


What's changed

Fixed

  • Video downloads now preserve the original file format (e.g. .mov files no longer get served as .mp4)
  • Correct Content-Type headers for all video formats on both the share page and project page

Changed

  • Increased maximum upload size limit from 100 GB to 1000 GB
  • Improved Docker entrypoint to avoid unnecessary operations during user setup

Documentation

  • Added system requirements to the Installation wiki (CPU, RAM, disk, SSD recommendation)
  • Added CPU thread allocation reference to the Configuration wiki

Dependencies

  • Updated Next.js, BullMQ, ioredis, SimpleWebAuthn, and other packages to latest minor versions

Full Changelog: v0.9.8...v0.9.9

v0.9.8

22 Mar 21:22


Security

  • Upgraded Alpine packages (zlib, expat) to patch critical and medium CVEs.
  • Upgraded bundled npm to latest to fix 6 HIGH CVEs in minimatch and tar.

Dependencies

  • Updated wheel to 0.46.3.
  • Updated apprise to 1.9.9.
  • Updated filelock to ≥3.25.2.
  • Updated virtualenv to ≥21.2.0.

v0.9.7

20 Mar 23:54


What's New

Added

  • German (Deutsch) language support — contributed by @realjustinde.
  • Customizable watermark position, opacity, and font size — configurable per-project and as global defaults (#47).
  • Skip transcoding option — serve the original file directly without watermark, resolution change, or codec conversion. Available in global defaults and per-project settings (#48).

Security

  • Nonce-based Content Security Policy — replaced unsafe-inline in script-src with per-request cryptographic nonces via proxy.ts.
  • Moved CSP and all security headers from static next.config.js to dynamic proxy.ts for per-request nonce generation.
  • Removed https: wildcards from style-src and font-src CSP directives.
  • Added https://static.cloudflareinsights.com to script-src and https://cloudflareinsights.com to connect-src for Cloudflare analytics.
  • Stripped all comments and console.log statements from sw.js to prevent information leakage (CWE-615).
  • Replaced private IP 192.168.1.1 with RFC 5737 documentation IP 198.51.100.1 in locale placeholder strings to prevent private IP disclosure in responses.
  • Added robots.txt disallowing /admin/ and /api/ paths.
  • Removed comment edit (PATCH) endpoint — comments are now write-once (post only, admin can delete).
  • Replaced regex-based SVG sanitization with DOMPurify strict allowlist for logo uploads.
  • Store explicit isAdmin flag in video access tokens instead of relying on session ID prefix convention.
  • Randomized session IDs for projects with no authentication (previously embedded client IP).
  • Added Zod schema validation to user creation endpoint.
  • Atomic password reset token consumption via Redis SETNX (prevents race condition on concurrent requests).
  • Updated common password blocklist to NordPass Top 200 (2025).
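The race the SETNX change closes, shown as an added example that is not ViTransfer's code. FakeRedis is a constructed in-memory stand-in for an ioredis client (set(key, value, 'EX', ttl, 'NX') returning 'OK' or null); each command yields to the event loop, so two concurrent reset requests interleave the way two app instances sharing one Redis would.

```javascript
// Added example, not ViTransfer's own code. FakeRedis is a constructed stand-in for an
// ioredis client: every command yields before touching the store, so concurrent
// callers interleave like separate processes talking to one Redis.
const tick = () => new Promise((resolve) => setImmediate(resolve));

class FakeRedis {
  constructor() { this.kv = new Map(); }
  async get(key) { await tick(); return this.kv.get(key) ?? null; }
  async del(key) { await tick(); return this.kv.delete(key) ? 1 : 0; }
  // set(key, value, 'EX', seconds, 'NX') mirrors ioredis: 'OK', or null when NX loses.
  async set(key, value, ...args) {
    await tick();
    if (args.includes('NX') && this.kv.has(key)) return null;
    this.kv.set(key, value);
    return 'OK';
  }
}

// Vulnerable: the existence check and the delete are two round trips, so two requests
// carrying the same token can both pass the check before either delete lands.
async function consumeUnsafe(redis, token) {
  const userId = await redis.get(`reset:${token}`);
  if (userId === null) return null;
  await redis.del(`reset:${token}`);
  return userId; // both concurrent callers reach this line
}

// Hardened: claim a one-shot marker with SET ... NX first. Redis evaluates NX atomically,
// so exactly one request sees 'OK'; the rest are rejected before touching the token.
async function consumeAtomic(redis, token) {
  const claimed = await redis.set(`reset:${token}:consumed`, '1', 'EX', 900, 'NX');
  if (claimed !== 'OK') return null;
  const userId = await redis.get(`reset:${token}`);
  if (userId === null) return null;
  await redis.del(`reset:${token}`);
  return userId;
}

// Seeds a fresh store with one constructed token and fires two concurrent requests for it.
async function raceTwoRequests(consume, token = 'tok-constructed', userId = 'user-1') {
  const redis = new FakeRedis();
  await redis.set(`reset:${token}`, userId, 'EX', 900);
  return Promise.all([consume(redis, token), consume(redis, token)]);
}

raceTwoRequests(consumeUnsafe).then((r) => console.log('check-then-delete:', r)); // ['user-1', 'user-1']
raceTwoRequests(consumeAtomic).then((r) => console.log('SET NX claim:', r));      // one 'user-1', one null
```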

Fixed

  • Fixed process.stderr.write crash in browser — logging functions now detect the runtime and use server-only output.
  • Resolved multiple CodeQL alerts across logging, auth guards, and client-asset routes.
  • Fixed uploads stuck at 1% — exclude API routes from proxy matcher to avoid breaking TUS chunked uploads.
  • Always store OTP email in access log as audit data regardless of analytics setting.
  • Fixed missing analytics.password locale key in project activity.
  • GDPR compliance: consent-gated analytics, cascade deletion, cleanup fixes.

Full Changelog: https://github.com/MansiVisuals/ViTransfer/blob/main/CHANGELOG.md

v0.9.6

14 Mar 11:48


Added

  • GDPR-compliant privacy disclosure banner for client share pages. Configurable toggle and custom text in Branding & Appearance settings.
  • Page size selector (10/25/50/100) on the security events dashboard.
  • New customizable email template types: OTP verification, client activity summary, and admin activity summary.
  • Localized default content for new email templates in English and Dutch.
  • Stronger server-side validation for global settings.

Changed

  • Tutorial video reel highlights individual navigation controls instead of the entire bar.
  • Refactored summary and OTP email generation to use centralized customizable templates.
  • Improved upload/download consistency with adaptive transfer tuning.
  • Simplified email template management in Settings.
  • Replaced remaining console logging with centralized logging helpers.
  • Hardened security-settings handling with cache invalidation and stricter validation.

Fixed

  • Share session rate limiting no longer triggers 429 on video range requests (scrubbing/seeking).
  • Standardized placeholder sanitization for email rendering.
  • Fixed email template preview rendering for placeholders, attachments, and unsubscribe sections.
  • Fixed client asset cleanup flow by binding assets to sessions and verifying ownership.
  • Hardened notification retry behavior and auth-related logging paths.

Security

  • Prevented passkey user-enumeration paths and sanitized credential names.
  • Applied broader API safety hardening in auth/session and notification flows.

Dependencies

  • Updated file-type to 21.3.2, flatted to 3.4.1.

v0.9.5

11 Mar 16:47


Added

  • Due dates with calendar view, Gantt chart, and iCal feed for project deadline management.
  • Due date reminder notifications via email, push, and external providers (Apprise). Configurable reminder intervals in project settings.
  • Video version comparison mode with side-by-side and slider overlay. Synced playback controls, frame stepping, speed adjustment, and keyboard shortcuts.
  • Interactive client tutorial with Driver.js. Auto-starts on first visit, guiding clients through the review interface. Configurable per project in share settings.
  • Internationalization support (English and Dutch) with next-intl. Language toggle available on share pages. See Translations to contribute or improve translations.
  • Z-A reverse alphabetical sorting option for the projects list.
  • Created date column in the project table view.
  • Apprise updated to 1.9.7.

Fixed

  • Large video processing crash caused by database connection pool exhaustion.
  • BullMQ notification repeat job history accumulating indefinitely in Redis (~1,440 keys/day with no TTL).
  • XSS vulnerability in dompurify (upgraded to 3.3.2, GHSA-v2wj-7wpq-c8vv).
  • 3 moderate Dependabot vulnerabilities.
  • Volume slider not rendering vertically on Firefox.

Security

  • Client and contact name sanitization to prevent stored XSS.
  • Input validation and SMTP credential masking improvements.

Upgrade Notes

  • Redis cleanup (optional): If your Redis instance has been running since before this update, you may have accumulated stale bull:notification-processing:repeat:* keys. To reclaim memory, run:
    docker exec -it <redis-container> sh -c "redis-cli -a '<password>' --no-auth-warning --scan --pattern 'bull:notification-processing:repeat:*' | xargs -n 100 redis-cli -a '<password>' --no-auth-warning DEL"

v0.9.4

27 Feb 14:44


Fixed

  • Improved temp file handling with secure creation methods.
  • Hardened service worker origin validation.
  • Resolved static analysis findings.

Changed

  • Optimized Docker image build for improved security posture.
  • Added timeouts to Python dependency installation for more reliable builds.
  • General security hardening and stability improvements.

Documentation

  • Updated wiki to v0.9.4 (annotations, comment attachments, PWA, browser push notifications, client directory, email templates, branding, appearance settings, IP/domain blocking).
  • Expanded admin settings and per-project configuration documentation.

v0.9.3

25 Feb 20:03


Fixed

  • Improved input validation and error handling across all API routes.
  • Improved request body parsing with consistent error responses for malformed input.
  • Improved file upload validation for comment attachments.
  • Improved redirect and URL handling in middleware.

Changed

  • "Change Password" in the admin panel is now only available for your own account. Passkey management remains available for all users.
  • Centralized IP address resolution with Cloudflare CF-Connecting-IP support for better accuracy behind proxies.
  • Device code endpoint returns 503 (instead of 500) when the application domain is not configured.
  • General security hardening and stability improvements.

v0.9.2

23 Feb 08:03


Added

  • Freehand annotation drawing for video comments. Draw directly on the video with adjustable color, stroke width, and opacity. Annotations attach to comments with timecode ranges and display as overlays during playback with letterbox-aware coordinate mapping.
  • Hide/minimize toggle for the annotation toolbar so it doesn't obstruct drawing, especially on mobile.
  • Pending annotation preview: drawings remain visible on the video between clicking "Done" and submitting the comment, and immediately after submission without needing a page reload.
  • Remove button for pending annotations: click the X on the "Drawing attached" indicator to discard a drawing before submitting.

Removed

  • Removed the Integrations tab and page from the admin panel. Premiere Pro and DaVinci Resolve integrations are no longer planned for v1.0. Development has been paused due to time constraints and technical difficulties with Premiere Pro. We can no longer adhere to the previously planned timeline.
    All pre-orders have been refunded.

Fixed

  • Fixed timecode round-trip precision for non-drop-frame (NDF) timecodes at non-integer frame rates (23.976fps, etc.). The NDF conversion now uses frame-count-based math consistent with the drop-frame path, preventing 1-frame offset on seek.
  • Fixed drop-frame (DF) timecode reconstruction at minute boundaries (e.g., 00:01:00;02 at 29.97fps). Replaced the adjustment algorithm with the standard SMPTE algorithm that correctly distinguishes actual frame counts from display frame numbers.
  • Fixed comment timestamp seek landing 1 frame early due to browser currentTime imprecision. Seeking now targets the center of the frame with a half-frame offset.
  • Fixed annotations at the same timecode sometimes not displaying due to a tight single-frame visibility window. Added half-frame tolerance to account for floating-point drift in timecode round-trips.
  • Fixed daily and weekly notification summaries being silently dropped due to Redis TTL expiring before the scheduled send time. Cancellation logic is now inverted: a comment_cancelled key is set on deletion instead of requiring a presence key that expired after 1 hour.
  • Fixed notification routing only notifying "the other side" (admin comment notified clients only, client comment notified admins only). Comments now route through both admin and client notification schedules independently, so other admins and other clients are also notified.
  • Fixed immediate email notifications being sent to the comment author. The author is now skipped by email match on immediate sends.
  • Fixed hourly notification summaries only firing if the worker check landed within the first 2 minutes of the hour. Removed the minute restriction; the lastSent comparison already prevents double-sends.
  • Fixed weekly notification summaries being skipped entirely if the worker missed the configured day. The worker now calculates the most recent occurrence of the configured day and catches up.
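The frame-count-based drop-frame math and half-frame seek offset from the timecode fixes above, as an added example that is not ViTransfer's code: SMPTE drop-frame conversion in both directions at 29.97 fps, generalized to 59.94 fps through the nominalFps/dropFrames parameters, with a round-trip check that covers the minute boundary (00:01:00;02) the release mentions.

```javascript
// Added example, not ViTransfer's code. SMPTE drop-frame (DF) timecode at 29.97 fps counts
// frames at a nominal 30 fps but skips display numbers 00 and 01 at the start of every minute
// except minutes 00, 10, 20, ...; 59.94 fps uses nominal 60 and skips 4 (pass 60, 4).
function dfTimecodeToFrames(tc, nominalFps = 30, dropFrames = 2) {
  const m = /^(\d{2}):(\d{2}):(\d{2})[;,](\d{2})$/.exec(tc);
  if (!m) throw new Error(`not a drop-frame timecode: ${tc}`);
  const [hh, mm, ss, ff] = m.slice(1).map(Number);
  if (mm % 10 !== 0 && ss === 0 && ff < dropFrames) {
    throw new Error(`${tc} names a dropped frame number`); // 00:01:00;00 does not exist
  }
  const totalMinutes = hh * 60 + mm;
  const nominal = ((hh * 60 + mm) * 60 + ss) * nominalFps + ff;
  // Every minute drops `dropFrames` numbers except each 10th minute, which drops none.
  return nominal - dropFrames * (totalMinutes - Math.floor(totalMinutes / 10));
}

function framesToDfTimecode(frameCount, nominalFps = 30, dropFrames = 2) {
  const framesPerMinute = nominalFps * 60 - dropFrames;          // 1798 at 29.97
  const framesPer10Minutes = framesPerMinute * 10 + dropFrames;  // 17982 at 29.97
  const tenMinuteBlocks = Math.floor(frameCount / framesPer10Minutes);
  const rest = frameCount % framesPer10Minutes;
  // Add back the skipped display numbers: 9 drops per full 10-minute block, then one per
  // further whole minute inside the block (the first minute of a block drops nothing).
  let display = frameCount + dropFrames * 9 * tenMinuteBlocks;
  if (rest >= dropFrames) display += dropFrames * Math.floor((rest - dropFrames) / framesPerMinute);
  const ff = display % nominalFps;
  const ss = Math.floor(display / nominalFps) % 60;
  const mm = Math.floor(display / (nominalFps * 60)) % 60;
  const hh = Math.floor(display / (nominalFps * 3600));
  const p = (n) => String(n).padStart(2, '0');
  return `${p(hh)}:${p(mm)}:${p(ss)};${p(ff)}`;
}
// Seek target for a frame: its centre, so browser currentTime imprecision cannot land a frame early.
function frameToSeekTime(frame, fps) {
  return (frame + 0.5) / fps;
}
// Round-trips every frame count below `maxFrames`; returns the first mismatch or null.
function firstRoundTripMismatch(maxFrames, nominalFps = 30, dropFrames = 2) {
  for (let n = 0; n < maxFrames; n++) {
    const tc = framesToDfTimecode(n, nominalFps, dropFrames);
    const back = dfTimecodeToFrames(tc, nominalFps, dropFrames);
    if (back !== n) return { frame: n, timecode: tc, back };
  }
  return null;
}

console.log(framesToDfTimecode(1800));            // 00:01:00;02 (the minute-boundary case)
console.log(dfTimecodeToFrames('00:01:00;02'));   // 1800
console.log(firstRoundTripMismatch(2 * 108000));  // null: two hours of 29.97 round-trip cleanly
```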

v0.9.1

18 Feb 18:39


Added

  • Configurable maximum upload size in Global Settings (default: 1 GB).
  • Configurable maximum comment attachments per batch in Global Settings → Advanced Security Settings → Upload Security (1-50, default: 10). Server-side enforcement ensures the limit is respected regardless of client configuration.
  • Comment attachments now use TUS resumable uploads for reliable file transfers. Large files show real progress bars, and interrupted uploads can resume from where they left off instead of restarting.
  • Multiple file attachments can now be selected at once when adding comment attachments via a dedicated upload modal with drag & drop support, file list preview, per-file progress tracking, and a hard cap of 10 files per batch.
  • Comment attachment filenames are now included in all notification channels: email notifications (immediate and summary), Apprise, and browser push notifications. A new {{ATTACHMENTS}} placeholder is available in comment email templates.
  • Upload modal validates file types before uploading and shows accepted formats.
  • Attachment-only comments are now supported with auto-generated message text.

Changed

  • Increased maximum attachments per comment from 5 to 10.
  • Updated Advanced Security Settings layout for clearer organization.
  • Improved download/session security behavior.
  • Tightened default security headers.

Fixed

  • Fixed admin password change failing with 404 by correcting API endpoint and payload key mismatch (#36) - thanks @Talla
  • Improved upload and download reliability.
  • Improved upload error messages shown in the UI.
  • Reduced exposure of internal server error details.

Security

  • Enforced share-token permission scopes for privileged routes (comment, download, approve) and blocked guest tokens from restricted actions.
  • Added strict comment ownership validation to ensure videoId belongs to the provided projectId before comment creation.
  • Hardened password reset link generation to use configured appDomain instead of request Host headers (prevents host-header poisoning).