listmonk Files

v6.1.0 has important security fixes in addition to several improvements and general bug fixes.

As always, take a backup of your Postgres database before upgrading.

Security

This version has fixes for multiple campaign/list permission validation issues in multi-user environments.

What's new

• New global Privacy setting to disable view and click tracking.
• Ability to proxy S3 media files through listmonk instead of linking to S3 directly.
• Lettermint bounce webhook provider.
• New global data refresh button on admin nav that works across all pages.
• A new 'Duplicate' button to visual e-mail builder block UI options.
• PATCH /api/subscribers/:id endpoint for partial subscriber updates.
• New granular campaigns:send permission, separate from campaigns:manage for finer access control.
• New altbody param to /api/tx for sending multipart plaintext bodies in transactional mails.

How to upgrade

As always, take a backup of your database before upgrading.

Binary

Download the latest binary. Stop and replace the old binary. Run ./listmonk --upgrade. Start the app again.

Docker

:::shell
# cd /directory/with/docker-compose.yml

docker-compose down
docker-compose pull && docker-compose run --rm app ./listmonk --upgrade
docker-compose up -d app db

Changelog

• [1b5e8d] Bump picomatch from 2.3.1 to 2.3.2 in /frontend/email-builder (#2973)
• [86c94c] Fix users without certain list permissions being able to see list names on subs.
• [50564c] Remove unpredictable/useless 'back' button from public forms. Closes [#1834].
• [e9c1da] Add new campaigns:send permission and separate it from campaigns:manage.
• [00bae6] Update go-pop3 with BOM fix. Closes [#2959].
• [24817d] Add PATCH /api/subscribers/:id to partially modify subscribers. Closes [#1681].
• [1d5724] Add a 'Duplicate' button to visual e-mail builder block UI options. Closes [#2852].
• [deeb3f] Fix minor UI issues on analytics page. Closes [#2446].
• [4e5e71] Exclude non-http hrefs on the UI when adding @TrackLink. Closes [#2859].
• [010655] Don't make 'tracklink' checkbox on the UI on by default and remember last preference. Closes [#2858]. Closes [#2862].
• [678d4e] Cleanup and optimize images on the static homepage.
• [501f30] Exclude roles API queries from Settings UI for users who don't have that perm. Closes [#2965].
• [152585] feat: add Lettermint as bounce webhook provider (#2935)
• [cfd865] Bump yaml from 1.10.2 to 1.10.3 in /frontend/email-builder (#2968)
• [870293] Bump picomatch from 2.3.1 to 2.3.2 in /frontend (#2969)
• [0ee89f] Fix deleted lists breaking campaign query. Closes [#2908].
• [e908cc] Refactor and improve Cypress test scaffolding.
• [678c36] Fix incorrect permission check in CSV import blocklisting.
• [db8203] Wipe user sessions from DB on password reset/change.
• [347f59] Fix serveral missing permission checks across multiple handlers.
• [171a59] Bump flatted from 3.3.1 to 3.4.2 in /frontend/email-builder (#2960)
• [d3e8c4] Bump flatted from 3.3.2 to 3.4.2 in /frontend (#2962)
• [c60ea7] Fix % encoded URLs breaking with TrackLink. Closes [#2947].
• [e35bf8] Fix incorrect timestamps in dashboard analytics materialized views. (#2952)
• [5f4f36] Fix attachments incorrectly accuring for every recipient in test mails. Closes [#2949].
• [1e3d31] Add expiry+TTL to Altcha CAPTCHA tokens. Closes [#2684].
• [915ee0] Skip windows/arm-32 bit builds in goreleaser (which was breaking) that was removed in go 1.26
• [be7b60] Add new 'altbody' param to /api/tx to send multipart plaintext bodies in transactional mails. Closes [#2486]
• [1d33d9] Bump Hodor to 0.3.4 (adds python3, shellcheck, file, diffstat) (#2943)
• [bf24c3] build: bump Go version to 1.26.1 to fix stdlib CVEs (#2941)
• [00180b] Hodor: require hodor-review label to run, re-run on subsequent pushes (#2940)
• [3adacb] Fix Hodor: use docker run directly (0.3.2 entrypoint changed) (#2939)
• [ece5a6] Fix pipe batch hanging and corrupting campaign runtime state if NextSubscribers() throws an error.
• [97b72e] Fix pre-existing non-permitted lists on a subscriber being wiped incorrectly on update. Closes [#2902].
• [ee7bcc] Throw an error if there isn't a single permitted list in subscriber create/update. Closes [#2905].
• [b62851] Fix potential hanging campaign pipes if the pipe queue ever becomes full.
• [16d5e5] Fix incorrect subscriber checkpoint in campaign stats update.
• [0f3299] Apply improvements to Danish i18n (#2928)
• [080801] feat: add Lettermint SMTP preset (#2932)
• [458bca] Bump immutable from 5.0.3 to 5.1.5 in /frontend (#2936)
• [19b53d] Add Hodor AI code review workflow (#2937)
• [c8b1f6] Standardize spelling of "opt-in" in docs. (#2931)
• [8b6336] Update security-reports.md (#2929)
• [62778d] Bump rollup from 4.30.1 to 4.59.0 in /frontend (#2926)
• [739627] Bump rollup from 4.24.4 to 4.59.0 in /frontend/email-builder (#2925)
• [2e9f0e] Updated Danish translation (#2927)
• [fdd7db] Incorporate SOURCE_DATE_EPOCH in build. Closes [#2802].
• [7fd5ed] Add Hodor AI code review workflow (#2923)
• [756c5a] Fix nightly docker push workflow.
• [c6bf54] Add a link to security reporting docs to SECURITY.md
• [d0fb8d] Add a global data refresh button on top nav that works on all pages (#2861)
• [c381e4] Add global setting to disable view and click tracking (#2920)
• [07078e] Bump systeminformation from 5.28.5 to 5.31.1 in /frontend (#2910)
• [97de0b] Add docker-compose.override.yml to .gitignore (#2917)
• [7b64b8] Add a page on security reporting listing down recurring non-issue reports.
• [6d5787] Skip non-available email- messenger during campaign creation and default to 'email'. Closes [#2901].
• [c417df] Fix untranslated 'Delete' string on lists page. Closes [#2904].
• [68c861] Change docker manifest to docker buildx imagetools in nightly job to fix manifest error.
• [5436d0] Add --amend to nightly Docker build (after it stopped working randomly).
• [cc14bc] Bump qs from 6.14.1 to 6.14.2 in /frontend (#2906)
• [8cf9a7] Bump axios from 1.12.0 to 1.13.5 in /frontend (#2899)
• [5a8ecf] Add support for proxying S3 media files through a custom path (#2863)
• [0d9e66] Increase campaign/template preview modal height. Closes [#2857].
• [f5bec8] Display campaign name + subject in subscriber activity tab on the UI. Closes [#2874].
• [e7b09f] Fix incorrect skipping of +1 count in sliding window check. Closes [#2894].
• [8d1b9f] Add substring matching to list search like campaign search. Closes [#2896].
• [dce582] Fix bounce POP scanner incorrectly returning errors while scanning. Closes [#2884].
• [c5631e] Update de language (#2895)
• [2adee6] fix: Update dev Dockerfile to use Go 1.24.1 to match go.mod (#2879)
• [3c7326] Bump lodash from 4.17.21 to 4.17.23 in /frontend (#2881)
• [881bcd] Add automated nightly releases.
• [577036] Increase GitHub issue auto-close interval to 5 months.
• [fff3c7] update listmonk TypeScript SDK scope from @solytude to @maloma (#2875)
• [600604] fix: convert forwardemail webhook truthsource property to string (#2869)
• [29c406] Add left/right float options to TinyMCE image popup. Closes [#2865].
• [cd1bb1] Docs update to OIDC - adds Google Workspace / Google Cloud (#2866)
• [267263] Update release details on the static homepage.
• [504a14] Upgrade smtppool lib to handle 421 rate limit errors.
• [480fe5] Improve i18n Taiwan Chinese translation quality (#2856)
• [2d9995] Add warning icon to subscribers:sql_query permission and link to docs on the Roles UI.
• [83bdad] Add detailed docs on the risks of the subscribers:sql_query permission and Postgres privileges.
• [4e5008] docs: add @solytude/listmonk TypeScript SDK to community SDKs (#2849)