v1.0.1

Fixed

• Multipart upload fails on Cloudflare R2 with "Missing or invalid field: uploadId" due to R2's upload IDs exceeding the 256-character validation limit. Raised to 1024 characters to support R2 and other S3-compatible providers (closes #59).

Documentation

• Clarified S3 CORS requirements: bucket policy needs both GET and PUT methods (not just PUT).
• Added note that S3 environment variables are shared via .env to both app and worker services automatically.

v1.0.0

ViTransfer is production-ready and near feature-complete.

Thank you to everyone who has contributed to getting ViTransfer to v1.0 — whether you contributed code, joined a discussion, helped debug an issue, opened a bug report, or submitted a feature request. Every bit of involvement has helped shape this project.

A special thanks to @thinkvp (Simon), who has been part of the journey since the very first 0.1.0 release. The countless conversations and feedback in those early months helped shape ViTransfer massively. Simon has since created his own hard fork in which he has built a full CRM package around ViTransfer's core.

IMPORTANT FOR DOCKER USERS: Starting with v1.0.0, the ViTransfer Docker image moved from crypt010/vitransfer to mansivisuals/vitransfer. If you are upgrading an existing install, update your Docker Compose, Quadlet, and manual docker pull or podman pull commands to use the new repository.

Added

• S3-compatible object storage. Set STORAGE_PROVIDER=s3 to use any S3-compatible store. Uploads use browser-direct multipart presigned URLs; individual downloads redirect via presigned GET URLs; ZIP downloads stream through the server. Tested with MinIO AIStor (self-hosted Docker). Other providers (AWS S3, Cloudflare R2, Backblaze B2, etc.) should work but are untested — open an issue if you run into problems. Local storage remains the default. Local and S3 cannot be mixed; switching backends does not migrate files.
• Preview LUT support — a 3D LUT (previewlut.cube) is applied during transcoding for color-calibrated previews. Toggleable per-project and as a global default in settings. LUT crafted and provided for ViTransfer by colorist Fred (@fredflx — yechandocolor.com).
• "Download All" button in the download modal — downloads the video and all assets together as a single ZIP file.
• "Download All Videos" button on the share page grid view — downloads all approved videos as a single ZIP file (closes #56).
• Reverse share — projects can now accept client file uploads via the share page. Enable per-project in settings. Uploaded files appear in a dedicated "Client Uploads" block on the admin project page (closes #55).
• Bulk select on the admin project page — video assets and client uploads now support multi-select with a bulk action bar for downloading or deleting multiple files at once.

Changed

• Redesigned admin settings pages with sidebar navigation on desktop and collapsible cards on mobile. Global settings split from 4 into 8 focused sections (Appearance, Branding, Privacy, Notifications, Video Processing, Project Defaults, Security, Blocklist). Project settings follow the same pattern with 5 sidebar sections.
• Replaced the admin header email display and standalone sign out button with a compact icon-only user button with dropdown menu showing name, email, role, and sign out option.
• "Copy to Version" is now accessible via the bulk action bar after selecting assets — the standalone header button is removed. The target version picker is now scoped to other versions of the same video only, not all videos in the project.
• Share page and admin share page grid view: replaced floating absolute-positioned buttons with a full-width sticky toolbar (menubar). Left side: Download All / Submit Files (share page) or Back to Project (admin). Right side: language, theme, and tutorial toggles.
• Asset bulk action bar (Download, Copy to Version, Delete) shows icon-only on mobile to prevent overflow.
• "Client Upload" badge in the asset list is hidden on mobile to reduce clutter.

Fixed

• Version count label in the video group header now renders with correct spacing.
• Toggling "Skip Transcoding" now correctly disables watermarks and preview LUT instead of leaving them enabled in the background.
• Share page playback status now shows "Original Quality" when transcoding is skipped, instead of incorrectly displaying "Downscaled Preview with Watermark".
• Uploading multiple videos or assets at once no longer fails with "Authentication failed". TUS uploads now automatically refresh expired tokens and retry.
• Fixed Docker entrypoint not setting ownership of top-level app files (e.g. package.json) when remapping PUID/PGID, causing startup permission errors.
• Keyboard shortcuts button in the comment panel no longer disappears after approving a video.
• Redis lazy connect race condition causing 500 on first request.

v0.9.10

Security

• Downgraded @tus/server to 2.0.0 to eliminate a moderate middleware auth-bypass vulnerability (GHSA-p36q-q72m-gchr) introduced via srvx in 2.1.0+.

Dependencies

• Upgraded bcryptjs to v3 (ESM). Updated lazy-loader in encryption.ts to use await import() instead of require(). Removed @types/bcryptjs (types now bundled).
• Upgraded nodemailer to v8. Added @types/nodemailer v6 for compatibility.
• Upgraded isomorphic-dompurify to v3.
• Upgraded file-type to v22.

v0.9.9

What's changed

Fixed

• Video downloads now preserve the original file format (e.g. .mov files no longer get served as .mp4)
• Correct Content-Type headers for all video formats on both the share page and project page

Changed

• Increased maximum upload size limit from 100 GB to 1000 GB
• Improved Docker entrypoint to avoid unnecessary operations during user setup

Documentation

• Added system requirements to the Installation wiki (CPU, RAM, disk, SSD recommendation)
• Added CPU thread allocation reference to the Configuration wiki

Dependencies

• Updated Next.js, BullMQ, ioredis, SimpleWebAuthn, and other packages to latest minor versions

Full Changelog: v0.9.8...v0.9.9

v0.9.8

Security

• Upgraded Alpine packages (zlib, expat) to patch critical and medium CVEs.
• Upgraded bundled npm to latest to fix 6 HIGH CVEs in minimatch and tar.

Dependencies

• Updated wheel to 0.46.3.
• Updated apprise to 1.9.9.
• Updated filelock to ≥3.25.2.
• Updated virtualenv to ≥21.2.0.

v0.9.7

What's New

Added

• German (Deutsch) language support — contributed by @realjustinde.
• Customizable watermark position, opacity, and font size — configurable per-project and as global defaults (#47).
• Skip transcoding option — serve the original file directly without watermark, resolution change, or codec conversion. Available in global defaults and per-project settings (#48).

Security

• Nonce-based Content Security Policy — replaced unsafe-inline in script-src with per-request cryptographic nonces via proxy.ts.
• Moved CSP and all security headers from static next.config.js to dynamic proxy.ts for per-request nonce generation.
• Removed https: wildcards from style-src and font-src CSP directives.
• Added https://static.cloudflareinsights.com to script-src and https://cloudflareinsights.com to connect-src for Cloudflare analytics.
• Stripped all comments and console.log statements from sw.js to prevent information leakage (CWE-615).
• Replaced private IP 192.168.1.1 with RFC 5737 documentation IP 198.51.100.1 in locale placeholder strings to prevent private IP disclosure in responses.
• Added robots.txt disallowing /admin/ and /api/ paths.
• Removed comment edit (PATCH) endpoint — comments are now write-once (post only, admin can delete).
• Replaced regex-based SVG sanitization with DOMPurify strict allowlist for logo uploads.
• Store explicit isAdmin flag in video access tokens instead of relying on session ID prefix convention.
• Randomized session IDs for projects with no authentication (previously embedded client IP).
• Added Zod schema validation to user creation endpoint.
• Atomic password reset token consumption via Redis SETNX (prevents race condition on concurrent requests).
• Updated common password blocklist to NordPass Top 200 (2025).

Fixed

• Fixed process.stderr.write crash in browser — logging functions now detect the runtime and use server-only output.
• Resolved multiple CodeQL alerts across logging, auth guards, and client-asset routes.
• Fixed uploads stuck at 1% — exclude API routes from proxy matcher to avoid breaking TUS chunked uploads.
• Always store OTP email in access log as audit data regardless of analytics setting.
• Fix missing analytics.password locale key in project activity.
• GDPR compliance: consent-gated analytics, cascade deletion, cleanup fixes.

Full Changelog: https://github.com/MansiVisuals/ViTransfer/blob/main/CHANGELOG.md

v0.9.6

Added

• GDPR-compliant privacy disclosure banner for client share pages. Configurable toggle and custom text in Branding & Appearance settings.
• Page size selector (10/25/50/100) on the security events dashboard.
• New customizable email template types: OTP verification, client activity summary, and admin activity summary.
• Localized default content for new email templates in English and Dutch.
• Stronger server-side validation for global settings.

Changed

• Tutorial video reel highlights individual navigation controls instead of the entire bar.
• Refactored summary and OTP email generation to use centralized customizable templates.
• Improved upload/download consistency with adaptive transfer tuning.
• Simplified email template management in Settings.
• Replaced remaining console logging with centralized logging helpers.
• Hardened security-settings handling with cache invalidation and stricter validation.

Fixed

• Share session rate limiting no longer triggers 429 on video range requests (scrubbing/seeking).
• Standardized placeholder sanitization for email rendering.
• Fixed email template preview rendering for placeholders, attachments, and unsubscribe sections.
• Fixed client asset cleanup flow by binding assets to sessions and verifying ownership.
• Hardened notification retry behavior and auth-related logging paths.

Security

• Prevented passkey user-enumeration paths and sanitized credential names.
• Applied broader API safety hardening in auth/session and notification flows.

Dependencies

• Updated file-type to 21.3.2, flatted to 3.4.1.

v0.9.5

Added

• Due dates with calendar view, Gantt chart, and iCal feed for project deadline management.
• Due date reminder notifications via email, push, and external providers (Apprise). Configurable reminder intervals in project settings.
• Video version comparison mode with side-by-side and slider overlay. Synced playback controls, frame stepping, speed adjustment, and keyboard shortcuts.
• Interactive client tutorial with Driver.js. Auto-starts on first visit, guiding clients through the review interface. Configurable per project in share settings.
• Internationalization support (English and Dutch) with next-intl. Language toggle available on share pages. See Translations to contribute or improve translations.
• Z-A reverse alphabetical sorting option for the projects list.
• Created date column in the project table view.
• Apprise updated to 1.9.7.

Fixed

• Large video processing crash caused by database connection pool exhaustion.
• BullMQ notification repeat job history accumulating indefinitely in Redis (~1,440 keys/day with no TTL).
• XSS vulnerability in dompurify (upgraded to 3.3.2, GHSA-v2wj-7wpq-c8vv).
• 3 moderate Dependabot vulnerabilities.
• Volume slider not rendering vertically on Firefox.

Security

• Client and contact name sanitization to prevent stored XSS.
• Input validation and SMTP credential masking improvements.

Upgrade Notes

• Redis cleanup (optional): If your Redis instance has been running since before this update, you may have accumulated stale bull:notification-processing:repeat:* keys. To reclaim memory, run:

  docker exec -it <redis-container> sh -c "redis-cli -a '<password>' --no-auth-warning --scan --pattern 'bull:notification-processing:repeat:*' | xargs -n 100 redis-cli -a '<password>' --no-auth-warning DEL"
  

v0.9.4

Fixed

• Improved temp file handling with secure creation methods.
• Hardened service worker origin validation.
• Resolved static analysis findings.

Changed

• Optimized Docker image build for improved security posture.
• Added timeouts to Python dependency installation for more reliable builds.
• General security hardening and stability improvements.

Documentation

• Updated wiki to v0.9.4 (annotations, comment attachments, PWA, browser push notifications, client directory, email templates, branding, appearance settings, IP/domain blocking).
• Expanded admin settings and per-project configuration documentation.

v0.9.3

Fixed

• Improved input validation and error handling across all API routes.
• Improved request body parsing with consistent error responses for malformed input.
• Improved file upload validation for comment attachments.
• Improved redirect and URL handling in middleware.

Changed

• "Change Password" in the admin panel is now only available for your own account. Passkey management remains available for all users.
• Centralized IP address resolution with Cloudflare CF-Connecting-IP support for better accuracy behind proxies.
• Device code endpoint returns 503 (instead of 500) when the application domain is not configured.
• General security hardening and stability improvements.