chore(deps): update listmonk/listmonk docker tag to v6

[renovate]

This PR contains the following updates:

Package	Update	Change
listmonk/listmonk	major	v5.0.3 → v6.0.0

---

Release Notes

knadh/listmonk (listmonk/listmonk)

v6.0.0

Compare Source

v6.0.0 is a major release with a significant number of improvements and fixes.

As always, take a backup of your Postgres database before upgrading.

What's new?

• TOTP two-factor authentication.
• E-mail based Forgot password reset flow.
• Ability to archive lists.
• Subscriber activity in the Subscriber profile UI.
• Ability to send transactional mails to non-subscribers via the /api/tx API.
• Campaign-level JSON JSON {} attributes just like subscriber attributes.
• Granular override on subscriptions / subscriber profile in bulk import.
• In-built Postgres VACUUM cron in Maintenance settings for large databases.

In addition, there are several other bug fixes and improvements.

Security

This version addresses the issue of arbitrary <script>s in a campaign created by a non-admin user with the campaign management permission executing when a super admin previews that campaign, allowing API calls on the super admin user's account to execute on their session.

How to upgrade

As always, take a backup of your database before upgrading.

Binary

Download the latest binary. Stop and replace the old binary. Run ./listmonk --upgrade. Start the app again.

Docker

# cd /directory/with/docker-compose.yml

docker-compose down
docker-compose pull && docker-compose run --rm app ./listmonk --upgrade
docker-compose up -d app db

Changelog

• 00f303c Add v6.0.0 migration file.
• 5673e61 Add attribs to campaign docs.
• 2d560fa Upgrade altcha JS to latest version.
• d7a41f7 Auto-translate new i18n language strings.
• 556cb37 Fix Cypres tests.
• e20ed06 Rename v5.2.0 migration to v6.0.0.
• 9552865 Apply minor style fixes to admin.
• f1dd8a4 Add support for campaign-level JSON attributes.
• e49c8d0 Refresh i18n language files.
• a65608c Split 'overwrite' on import UI into 2 separate options (userinfo and subscription status). Closes #​2496
• 77fb9dd Fix invalid syntax in bundled visual template.
• 576309d Add viewport meta tag to visual builder default template. Closes #​2751.
• c6bc9a6 Show duration in seconds also on campaigns page. Closes #​2796.
• 5f93543 Fix user menu not showing in responsive view on the UI. Closes #​2793.
• 74dc5a0 Add sandboxing to campaign preview iframe.
• d802793 Bump qs from 6.13.1 to 6.14.1 in /frontend (#​2844)
• 373682a Fix and imporve bulk deletion in campaigns and queries.
• 3f5bc8d Improve zh-TW (Traditional Chinese) translation (#​2840)
• 183d0ea Bump github.com/altcha-org/altcha-lib-go from 0.2.2 to 1.0.0 (#​2819)
• 787c758 Fix #​2778 'Track Link' status is lost when re-saving an existing link in the Rich Text Editor (#​2829)
• 1a68363 Add missing i18n German translations (#​2830)
• e215e1e Added Cloudron install button in doc (#​2826)
• e8fb9d5 Fix incorrect --new-config file write error message. Closes #​2818.
• c651117 fix confusing formatting issue in dev setup docs (#​2813)
• 55540a2 Remove confusing field validation behaviour on S3 settings UI. Closes #​2806.
• e703c37 Add env var support for static-dir and i18n-dir flags (#​2807)
• 9feb59f Update it.json (#​2803)
• a998c91 Correct status field reference in documentation (#​2808)
• 1c36164 Translate English phrases to Slovak in sk.json (#​2810)
• 045f0eb Fix broken language string on CAPTCHA settings on UI. Closes #​2781.
• 570bb46 Add cron-based VACUUM ANALYZE support for DB maintenance.
• 67ad4d5 Add external recipient support to /api/tx endpoint.
• 583f92a Add bulk deletion (by id or query) to lists and campaigns.
• 2b60907 Add list permission check to campaign creation.
• b46e0d6 Fix list update query returning incorrect state on lists with no campaigns.
• c108a61 Change LISTMONK_db__host from 'listmonk_db' to 'db' (#​2787)
• c888b7f Update default sample visual template with tracked link examples (#​2788)
• 06e6b67 Add Cloudzy logo to providers list on the homepage (#​2777)
• e526a5f Fix list name not being updated in campaign_lists on list update. Closes #​2734.
• 2074604 Add archival support to lists.
• 6417f30 Stop recording to send count on campaign creation.
• 12b8069 Remove incorrect settings dependency on Media UI.
• 581aad4 Add SMTP status check and basic heuristics to classify hard/soft bounce in POP3 scan.
• 3bf8bdb Split queries.sql into multiple files for better readability and maintainability. Closes #​2738. (#​2776)
• 8170489 Split models file to domain specific files (#​2775)
• 750ce91 Fix incorrect doc for query param in /api/campaign. Closes #​2772.
• 60f7ac9 Bump js-yaml from 4.1.0 to 4.1.1 in /frontend/email-builder (#​2767)
• 296245a Add 2FA TOTP support for authentication.
• 4c3b58c Bump golang.org/x/crypto from 0.40.0 to 0.45.0 (#​2766)
• 75998ca Add Forgot password reset flow to the admin. Closes #​2753.
• ea1eb3f Add warning to users:manage permission in docs. Closes #​2752.
• a2bfc0b feat: add subscriber activity tracking UI in admin panel (#​2756)
• b3f60a9 Bump js-yaml from 4.1.0 to 4.1.1 in /frontend (#​2761)
• 425c0d7 Update 3rd party instructions re Fly.io install (#​2757)
• e469296 Fix duplicate operationId in OpenAPI spec (#​2758)
• 22bcd70 feat: add Northflank deploy button (#​2736)
• 60c069d Fix per_page=all not working on GET bounces API. Closes #​2678.
• b7e8b1e Fix tx handler incorrectly sanitizing subscriber_emails[]. Closes #​2726.
• cdf0a5c Add CORS configuration to security settings.
• 827a208 Bump vite from 5.4.20 to 5.4.21 in /frontend (#​2722)
• e8156e0 Update Czech translation (#​2694)
• c666c4f Bump vite from 5.4.19 to 5.4.20 in /frontend (#​2691)
• 39658c4 Add minor security enhancements (#​2682)
• 2085abe Handle Postmark spam complaints. (#​2679)
• fb60455 Bump vite from 5.4.18 to 5.4.20 in /frontend/email-builder (#​2660)
• 27f58ef Bump axios from 1.8.2 to 1.12.0 in /frontend (#​2666)
• 06275f1 Update Czech translations (#​2688)
• 2c5dc61 Update it.json (#​2667)
• d661fa8 Fix typo in docs (#​2664)
• a76099e incorrect ALTCHA Form challengeurl (#​2654)
• 943a961 Update release details on the static homepage.

v5.1.0

Compare Source

v5.1.0 contains an important security update (CSRF prevention - CVE-2025-58430) along with other minor bug fixes and improvements.

What's new?

• ALTCHA (self-contained proof-of-work CAPTCHA alternative) in addition to hCaptcha (deprecated)
• Refactored media gallery with a new UI and improved UX.
• Bulk subscriber blocklisting directly from the bounces UI.
• Auto-creation of OIDC users with default user and list roles.

Breakings change to subscription-form.html

If you are loading a custom subscription-form.html static template with --static-dir, you have to update your template with the breaking changes (CAPTCHA logic) from the new subscription-form.html

How to upgrade

As always, take a backup of your database before upgrading.

Binary

Download the latest binary. Stop and replace the old binary. Run ./listmonk --upgrade. Start the app again.

Docker

# cd /directory/with/docker-compose.yml

docker-compose down
docker-compose pull && docker-compose run --rm app ./listmonk --upgrade
docker-compose up -d app db

Changelog

• 30846f8 Ignore altcha.umd.js from frontend build so that goreleaser ignores it.
• e27a390 Expand the warning on subscribers:sql_query permission on arbitrary SQL functions.
• 6d99316 Auto-translate new i18n language strings.
• d4007d5 Fix Go tpl expressions breaking in Visual editor HTML.
• deb41f8 Add i18n translation helper script.
• 81d05e4 Suppress optin e-mail send errors on subscriber insert/edit APIs.
• fcbebc2 Update Cypress trests on the campaign file attach UI.
• e8b0eaf Bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 (#​2634)
• 301c13a Add optional subject param to tx API. Closes #​2333.
• ad66878 Fix list action icons not showing on the UI based on permissions. Closes #​2640.
• fbe4c5c Make session cookie samesite to prevent CSRF requests.
• ea88b94 Add link for n8n node (#​2649)
• 7d38890 Change OIDC init to lazy-load instead of loading once on boot. Fixes #​2626.
• 9611164 Refresh i18n language files.
• 09d291e Add support for built-in ALTCHA CAPTCHA implementation.
• 38387d0 Fix List-Unsubscribe header incorrectly sent on opt-in confirmation. Closes #​2619.
• eef0021 Add support for loading secrets from *_FILE env vars in Docker environment.
• 4a93184 Bump tmp from 0.2.3 to 0.2.4 in /frontend (#​2617)
• ad67fc6 Refactor landing page on the website.
• 4d74cf4 Tweak log viewer to optionally hide filename from log lines (on the import UI).
• 26c61f8 Bump form-data from 4.0.1 to 4.0.4 in /frontend (#​2587)
• fb39d61 Refactor media gallery UI.
• ba24c64 Add subsriber blocklisting on the bounces UI (#​2409)
• c9c678c Add support for OIDC user auto-creation (#​2578)
• 66d7413 Update OpenAPI specification (#​2581)
• ae84fa3 Add listmonk-mcp to SDKs documentation (#​2573)
• 6b7e423 Update OIDC doc with latest KeyCloak realm URL (#​2568)
• 89b2704 Update deps and remove obsolete replace in go.mod. Closes #​2567.
• 98d2ad6 Add Korean i18n translation (#​2565)
• 38c784f Update release details on the static homepage.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.