Releases: MansiVisuals/ViTransfer

v0.9.8

22 Mar 21:22

Security

  • Upgraded Alpine packages (zlib, expat) to patch critical and medium CVEs.
  • Upgraded bundled npm to latest to fix 6 HIGH CVEs in minimatch and tar.

Dependencies

  • Updated wheel to 0.46.3.
  • Updated apprise to 1.9.9.
  • Updated filelock to ≥3.25.2.
  • Updated virtualenv to ≥21.2.0.

v0.9.7

20 Mar 23:54

What's New

Added

  • German (Deutsch) language support — contributed by @realjustinde.
  • Customizable watermark position, opacity, and font size — configurable per-project and as global defaults (#47).
  • Skip transcoding option — serve the original file directly without watermark, resolution change, or codec conversion. Available in global defaults and per-project settings (#48).

Security

  • Nonce-based Content Security Policy — replaced unsafe-inline in script-src with per-request cryptographic nonces via proxy.ts.
  • Moved CSP and all security headers from static next.config.js to dynamic proxy.ts for per-request nonce generation.
  • Removed https: wildcards from style-src and font-src CSP directives.
  • Added https://static.cloudflareinsights.com to script-src and https://cloudflareinsights.com to connect-src for Cloudflare analytics.
  • Stripped all comments and console.log statements from sw.js to prevent information leakage (CWE-615).
  • Replaced private IP 192.168.1.1 with RFC 5737 documentation IP 198.51.100.1 in locale placeholder strings to prevent private IP disclosure in responses.
  • Added robots.txt disallowing /admin/ and /api/ paths.
  • Removed comment edit (PATCH) endpoint — comments are now write-once (post only, admin can delete).
  • Replaced regex-based SVG sanitization with DOMPurify strict allowlist for logo uploads.
  • Store explicit isAdmin flag in video access tokens instead of relying on session ID prefix convention.
  • Randomized session IDs for projects with no authentication (previously embedded client IP).
  • Added Zod schema validation to user creation endpoint.
  • Atomic password reset token consumption via Redis SETNX (prevents race condition on concurrent requests).
  • Updated common password blocklist to NordPass Top 200 (2025).
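
The nonce-based CSP entries above, sketched as an added example (not ViTransfer's proxy.ts): a per-request nonce, a policy that follows the listed changes, and a small audit that flags the settings this release removed. The function names, the directives the changelog does not mention, and the "before" policy are assumptions constructed for illustration.

```javascript
// Added example, not ViTransfer's proxy.ts. Unlisted directives are assumptions.
// Web Crypto is global in current Node and edge runtimes; fall back on older Node.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Fresh 128-bit nonce per response; it must never be cached or reused.
function newNonce() {
  return Buffer.from(webcrypto.getRandomValues(new Uint8Array(16))).toString("base64");
}

// Hardened policy following the changelog entries above.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' https://static.cloudflareinsights.com`,
    "style-src 'self'",
    "font-src 'self'",
    "connect-src 'self' https://cloudflareinsights.com",
    "object-src 'none'",
  ].join("; ");
}

// Parse a header value into Map(directive -> sources); first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Report the weaknesses this release removed.
function auditCsp(header) {
  const policy = parseCsp(header);
  const sourcesOf = (d) => policy.get(d) ?? policy.get("default-src") ?? [];
  const findings = [];
  const scripts = sourcesOf("script-src");
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const strict = scripts.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (scripts.includes("'unsafe-inline'") && !strict) {
    findings.push("script-src allows 'unsafe-inline'");
  }
  for (const d of ["style-src", "font-src"]) {
    const wild = sourcesOf(d).find((s) => s === "https:" || s === "*");
    if (wild) findings.push(`${d} allows wildcard source ${wild}`);
  }
  return findings;
}

// Constructed "before" policy for comparison; not the project's real old header.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' https:; font-src 'self' https:";

console.log(auditCsp(WEAK_CSP)); // three findings
console.log(auditCsp(buildCsp(newNonce()))); // none
```

The same nonce value has to be placed on every inline script tag of that response, which is why the header can no longer live in a static config file.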
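
The race that the atomic password reset token entry above closes, as an added example (not ViTransfer's code): a check-then-act consumer next to one that claims the token with SET NX. `FakeRedis`, the key names and the one-hour marker TTL are assumptions; the stand-in mirrors node-redis v4's `set()` return values so the example runs offline.

```javascript
// Added example, not ViTransfer's code. FakeRedis is a constructed in-memory
// stand-in so the race can be run offline; key names and TTL are assumptions.
const tick = () => new Promise((resolve) => setImmediate(resolve)); // network round trip

class FakeRedis {
  constructor() { this.data = new Map(); }
  async get(key) { await tick(); return this.data.get(key) ?? null; }
  async del(key) { await tick(); return this.data.delete(key) ? 1 : 0; }
  // Mirrors node-redis v4 set(): with { NX: true } it returns "OK" only when the
  // key did not exist, otherwise null. EX (expiry) is accepted but not modelled.
  async set(key, value, opts = {}) {
    await tick();
    if (opts.NX && this.data.has(key)) return null;
    this.data.set(key, value);
    return "OK";
  }
}

// Check-then-act: every concurrent request passes the GET before any DEL lands.
async function consumeNaive(redis, token) {
  const userId = await redis.get(`reset:${token}`);
  if (userId === null) return null;
  await redis.del(`reset:${token}`);
  return userId;
}

// Atomic claim: SET ... NX (the SETNX primitive) succeeds for exactly one caller.
async function consumeAtomic(redis, token) {
  const userId = await redis.get(`reset:${token}`);
  if (userId === null) return null;
  const claimed = await redis.set(`reset-used:${token}`, "1", { NX: true, EX: 3600 });
  if (claimed !== "OK") return null; // another request already consumed the token
  await redis.del(`reset:${token}`);
  return userId;
}

// Fire `requests` concurrent resets with one token; count how many are accepted.
async function race(consume, requests = 5) {
  const redis = new FakeRedis();
  await redis.set("reset:tok-constructed", "user-42");
  const results = await Promise.all(
    Array.from({ length: requests }, () => consume(redis, "tok-constructed")),
  );
  return results.filter((r) => r !== null).length;
}

race(consumeNaive).then((n) => console.log("naive accepted:", n)); // 5
race(consumeAtomic).then((n) => console.log("atomic accepted:", n)); // 1
```

The claim marker must live at least as long as the token itself, otherwise a replay after the marker expires could succeed again.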

Fixed

  • Fixed process.stderr.write crash in browser — logging functions now detect the runtime and use server-only output.
  • Resolved multiple CodeQL alerts across logging, auth guards, and client-asset routes.
  • Fixed uploads stuck at 1% — exclude API routes from proxy matcher to avoid breaking TUS chunked uploads.
  • Always store OTP email in access log as audit data regardless of analytics setting.
  • Fixed missing analytics.password locale key in project activity.
  • GDPR compliance: consent-gated analytics, cascade deletion, cleanup fixes.

Full Changelog: https://github.com/MansiVisuals/ViTransfer/blob/main/CHANGELOG.md

v0.9.6

14 Mar 11:48

Added

  • GDPR-compliant privacy disclosure banner for client share pages. Configurable toggle and custom text in Branding & Appearance settings.
  • Page size selector (10/25/50/100) on the security events dashboard.
  • New customizable email template types: OTP verification, client activity summary, and admin activity summary.
  • Localized default content for new email templates in English and Dutch.
  • Stronger server-side validation for global settings.

Changed

  • Tutorial video reel highlights individual navigation controls instead of the entire bar.
  • Refactored summary and OTP email generation to use centralized customizable templates.
  • Improved upload/download consistency with adaptive transfer tuning.
  • Simplified email template management in Settings.
  • Replaced remaining console logging with centralized logging helpers.
  • Hardened security-settings handling with cache invalidation and stricter validation.

Fixed

  • Share session rate limiting no longer triggers 429 on video range requests (scrubbing/seeking).
  • Standardized placeholder sanitization for email rendering.
  • Fixed email template preview rendering for placeholders, attachments, and unsubscribe sections.
  • Fixed client asset cleanup flow by binding assets to sessions and verifying ownership.
  • Hardened notification retry behavior and auth-related logging paths.

Security

  • Prevented passkey user-enumeration paths and sanitized credential names.
  • Applied broader API safety hardening in auth/session and notification flows.

Dependencies

  • Updated file-type to 21.3.2, flatted to 3.4.1.

v0.9.5

11 Mar 16:47

Added

  • Due dates with calendar view, Gantt chart, and iCal feed for project deadline management.
  • Due date reminder notifications via email, push, and external providers (Apprise). Configurable reminder intervals in project settings.
  • Video version comparison mode with side-by-side and slider overlay. Synced playback controls, frame stepping, speed adjustment, and keyboard shortcuts.
  • Interactive client tutorial with Driver.js. Auto-starts on first visit, guiding clients through the review interface. Configurable per project in share settings.
  • Internationalization support (English and Dutch) with next-intl. Language toggle available on share pages. See Translations to contribute or improve translations.
  • Z-A reverse alphabetical sorting option for the projects list.
  • Created date column in the project table view.
  • Apprise updated to 1.9.7.

Fixed

  • Large video processing crash caused by database connection pool exhaustion.
  • BullMQ notification repeat job history accumulating indefinitely in Redis (~1,440 keys/day with no TTL).
  • XSS vulnerability in dompurify (upgraded to 3.3.2, GHSA-v2wj-7wpq-c8vv).
  • 3 moderate Dependabot vulnerabilities.
  • Volume slider not rendering vertically on Firefox.

Security

  • Client and contact name sanitization to prevent stored XSS.
  • Input validation and SMTP credential masking improvements.

Upgrade Notes

  • Redis cleanup (optional): If your Redis instance has been running since before this update, you may have accumulated stale bull:notification-processing:repeat:* keys. To reclaim memory, run:
    docker exec -it <redis-container> sh -c "redis-cli -a '<password>' --no-auth-warning --scan --pattern 'bull:notification-processing:repeat:*' | xargs -n 100 redis-cli -a '<password>' --no-auth-warning DEL"
    

v0.9.4

27 Feb 14:44

Fixed

  • Improved temp file handling with secure creation methods.
  • Hardened service worker origin validation.
  • Resolved static analysis findings.

Changed

  • Optimized Docker image build for improved security posture.
  • Added timeouts to Python dependency installation for more reliable builds.
  • General security hardening and stability improvements.

Documentation

  • Updated wiki to v0.9.4 (annotations, comment attachments, PWA, browser push notifications, client directory, email templates, branding, appearance settings, IP/domain blocking).
  • Expanded admin settings and per-project configuration documentation.

v0.9.3

25 Feb 20:03

Fixed

  • Improved input validation and error handling across all API routes.
  • Improved request body parsing with consistent error responses for malformed input.
  • Improved file upload validation for comment attachments.
  • Improved redirect and URL handling in middleware.

Changed

  • "Change Password" in the admin panel is now only available for your own account. Passkey management remains available for all users.
  • Centralized IP address resolution with Cloudflare CF-Connecting-IP support for better accuracy behind proxies.
  • Device code endpoint returns 503 (instead of 500) when the application domain is not configured.
  • General security hardening and stability improvements.

v0.9.2

23 Feb 08:03

Added

  • Freehand annotation drawing for video comments. Draw directly on the video with adjustable color, stroke width, and opacity. Annotations attach to comments with timecode ranges and display as overlays during playback with letterbox-aware coordinate mapping.
  • Hide/minimize toggle for the annotation toolbar so it doesn't obstruct drawing, especially on mobile.
  • Pending annotation preview: drawings remain visible on the video between clicking "Done" and submitting the comment, and immediately after submission without needing a page reload.
  • Remove button for pending annotations: click the X on the "Drawing attached" indicator to discard a drawing before submitting.

Removed

  • Removed the Integrations tab and page from the admin panel. Premiere Pro and DaVinci Resolve integrations are no longer planned for v1.0. Development has been paused due to time constraints and technical difficulties with Premiere Pro. We can no longer adhere to the previously planned timeline.
    All pre-orders have been refunded.

Fixed

  • Fixed timecode round-trip precision for non-drop-frame (NDF) timecodes at non-integer frame rates (23.976fps, etc.). The NDF conversion now uses frame-count-based math consistent with the drop-frame path, preventing 1-frame offset on seek.
  • Fixed drop-frame (DF) timecode reconstruction at minute boundaries (e.g., 00:01:00;02 at 29.97fps). Replaced the adjustment algorithm with the standard SMPTE algorithm that correctly distinguishes actual frame counts from display frame numbers.
  • Fixed comment timestamp seek landing 1 frame early due to browser currentTime imprecision. Seeking now targets the center of the frame with a half-frame offset.
  • Fixed annotations at the same timecode sometimes not displaying due to a tight single-frame visibility window. Added half-frame tolerance to account for floating-point drift in timecode round-trips.
  • Fixed daily and weekly notification summaries being silently dropped due to Redis TTL expiring before the scheduled send time. Cancellation logic is now inverted: a comment_cancelled key is set on deletion instead of requiring a presence key that expired after 1 hour.
  • Fixed notification routing only notifying "the other side" (admin comment notified clients only, client comment notified admins only). Comments now route through both admin and client notification schedules independently, so other admins and other clients are also notified.
  • Fixed immediate email notifications being sent to the comment author. The author is now skipped by email match on immediate sends.
  • Fixed hourly notification summaries only firing if the worker check landed within the first 2 minutes of the hour. Removed the minute restriction; the lastSent comparison already prevents double-sends.
  • Fixed weekly notification summaries being skipped entirely if the worker missed the configured day. The worker now calculates the most recent occurrence of the configured day and catches up.

v0.9.1

18 Feb 18:39

Added

  • Configurable maximum upload size in Global Settings (default: 1 GB).
  • Configurable maximum comment attachments per batch in Global Settings → Advanced Security Settings → Upload Security (1-50, default: 10). Server-side enforcement ensures the limit is respected regardless of client configuration.
  • Comment attachments now use TUS resumable uploads for reliable file transfers. Large files show real progress bars, and interrupted uploads can resume from where they left off instead of restarting.
  • Multiple file attachments can now be selected at once when adding comment attachments via a dedicated upload modal with drag & drop support, file list preview, per-file progress tracking, and a hard cap of 10 files per batch.
  • Comment attachment filenames are now included in all notification channels: email notifications (immediate and summary), Apprise, and browser push notifications. A new {{ATTACHMENTS}} placeholder is available in comment email templates.
  • Upload modal validates file types before uploading and shows accepted formats.
  • Attachment-only comments are now supported with auto-generated message text.

Changed

  • Increased maximum attachments per comment from 5 to 10.
  • Updated Advanced Security Settings layout for clearer organization.
  • Improved download/session security behavior.
  • Tightened default security headers.

Fixed

  • Fixed admin password change failing with 404 by correcting API endpoint and payload key mismatch (#36) - thanks @Talla
  • Improved upload and download reliability.
  • Improved upload error messages shown in the UI.
  • Reduced exposure of internal server error details.

Security

  • Enforced share-token permission scopes for privileged routes (comment, download, approve) and blocked guest tokens from restricted actions.
  • Added strict comment ownership validation to ensure videoId belongs to the provided projectId before comment creation.
  • Hardened password reset link generation to use configured appDomain instead of request Host headers (prevents host-header poisoning).

v0.9.0

07 Feb 16:19

Added

  • Progressive Web App (PWA): ViTransfer can now be installed as an app on desktop and mobile devices
    • Add to home screen support for iOS and Android
    • Full-screen app experience without browser UI
  • Browser Push Notifications: Real-time push notifications for admin users
    • Unified event types shared with Apprise: Share Access, Admin Access, Client Comment, Video Approval, Security Alert
    • Multi-device support with per-device preferences
    • Test notification to verify setup
    • Zero configuration required
  • Client Directory: Centralized management of client companies and contacts
    • New "Clients" section in admin navigation
    • Searchable company and contact autocomplete when creating projects or adding recipients
    • Automatic sync: new recipients and company names are added to the directory automatically
    • "Sync Existing" button for bulk import from existing projects
  • Customizable Email Templates: Full email template customization in Settings
    • 8 template types covering all notification emails
    • Placeholder system with template-specific variables
    • Logo placeholder for inline logo placement
    • Live email preview with sample data
    • Button syntax support and CSS class shortcuts for styling
    • Reset to default with one click
  • Email Header Style Options: Choose between "Logo + Company Name", "Logo Only", "Name Only", or "None"
  • Custom Branding Logo: Upload your own logo in Branding & Appearance, shown across all pages and emails
  • Clickable Timecode Pills in Emails: Comment notification emails now include timecode badges that link directly to the exact moment in the video
  • Project Description in Emails: Project descriptions are now included in email notifications

Changed

  • New ViTransfer Logo: Redesigned logo and branding, dynamically colored with your chosen accent color
  • "Videos" renamed to "Deliverables": Updated terminology across the share page and emails
  • Admin UI Overhaul: Standardized all admin page headers, modals, and buttons for a consistent experience
    • User management and project creation now open as modals instead of separate pages
    • Mobile-optimized modals with proper viewport handling
  • Notification Schedule Flush: Changing a notification schedule now immediately sends all pending queued notifications so nothing is lost

Fixed

  • Guest thumbnails now display correctly on public share pages
  • Approval emails now show the correct video name
  • Email timecodes now match the exact frame position shown on the share page
  • Rate limit clearing now properly unblocks users

Roadmap to v1.0.0

  • Client file/attachment upload support in the comment section of the share page

Release 0.8.9

01 Feb 15:10

What's New

Added

  • Centralized CPU allocation for video processing
    • Coordinates worker concurrency and FFmpeg threads to prevent CPU overload
    • Conservative allocation targeting 30-50% thread utilization
    • Leaves headroom for system and host processes
    • Optional CPU_THREADS environment variable for Docker resource limit overrides
  • Appearance settings in Global Settings
    • Default theme selection (Auto/Light/Dark)
    • 10 accent color presets (Blue, Purple, Green, Orange, Red, Pink, Teal, Amber, Stone, Gold)
  • Dynamic email branding - email templates now use admin-configured accent color
  • Improved approval emails - now shows only the specific video approved instead of listing all approved videos

Fixed

  • Video player now correctly displays all aspect ratios (1:1, 4:3, 4:5, 9:16) without stretching
  • Preview transcoding preserves original aspect ratio instead of forcing 16:9
  • Rounded corners display consistently across all screen sizes
  • Project info positioned correctly below video player
  • Thumbnail reel hint now shows as tooltip overlay without resizing the reel bar
  • File name truncation in upload modal prevents layout issues
  • Video processing no longer maxes out CPU - fixed thread allocation that was causing 100% CPU usage

Changed

  • Video player uses letterbox approach with theme-aware blurred background
  • Responsive breakpoint changed to xl (1280px) for better vertical video support
  • Thumbnail reel hint only shows once per session
  • FFmpeg thread allocation now coordinated with worker concurrency
  • Worker logs now use correct terminology (threads vs cores)
  • Settings reorganized: Combined "Appearance", "Company Branding", and "Domain Configuration" into single "Branding & Appearance" section

Migration Note

Existing 1:1 and 4:3 preview videos need reprocessing to fix stretched aspect ratios.


Roadmap to v1.0.0

ViTransfer is nearing feature completeness. Here's what's planned for the remaining releases:

0.9.x Releases

  • Comment section enhancements - File uploads in comments on share pages
  • Custom branding - Upload custom logos and headers for pages and emails
  • Email template editor - Customize email templates directly from the settings menu
  • Additional polish and refinements

v1.0.0

  • DaVinci Resolve integration (beta) - Direct upload and feedback workflow from Resolve
  • Premiere Pro integration (beta) - UXP-based panel for project management and uploads

Note: The Premiere Pro integration is being developed on Adobe's UXP platform, which has presented some challenges during development and testing. The aim is to ship both integrations with v1.0.0, but the Premiere Pro panel may require additional time to stabilize. DaVinci Resolve integration is progressing well.


Full changelog: https://github.com/MansiVisuals/ViTransfer/blob/main/CHANGELOG.md