Merge branch 'dev' into clients-multi-pop

2025-08-22 18:29:19 +02:00 · 2025-08-12 15:01:00 -07:00 · 2025-08-12 15:01:00 -07:00 · ae52fcc757
commit ae52fcc757
parent d557832509 fd605d9c81
73 changed files with 1857 additions and 2589 deletions
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@ -23,7 +23,7 @@ jobs:
            - name: Set up Node.js
              uses: actions/setup-node@v4
              with:
-                node-version: '20'
+                node-version: '22'
            - name: Install dependencies
              run: |
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -15,7 +15,7 @@ jobs:
      - uses: actions/setup-node@v4
        with:
-          node-version: '20'
+          node-version: '22'
      - name: Copy config file
        run: cp config/config.example.yml config/config.yml
--- a/.nvmrc
+++ b/.nvmrc
@ -1 +1 @@
-20
+22
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@ -1,4 +1,4 @@
-FROM node:20-alpine
+FROM node:22-alpine
 WORKDIR /app
--- a/Dockerfile.pg
+++ b/Dockerfile.pg
@ -1,4 +1,4 @@
-FROM node:20-alpine AS builder
+FROM node:22-alpine AS builder
 WORKDIR /app
@ -15,7 +15,7 @@ RUN npx drizzle-kit generate --dialect postgresql --schema ./server/db/pg/schema
 RUN npm run build:pg
 RUN npm run build:cli
-FROM node:20-alpine AS runner
+FROM node:22-alpine AS runner
 WORKDIR /app
--- a/Dockerfile.sqlite
+++ b/Dockerfile.sqlite
@ -1,4 +1,4 @@
-FROM node:20-alpine AS builder
+FROM node:22-alpine AS builder
 WORKDIR /app
@ -15,7 +15,7 @@ RUN npx drizzle-kit generate --dialect sqlite --schema ./server/db/sqlite/schema
 RUN npm run build:sqlite
 RUN npm run build:cli
-FROM node:20-alpine AS runner
+FROM node:22-alpine AS runner
 WORKDIR /app
--- a/README.md
+++ b/README.md
@ -139,7 +139,7 @@ Pangolin is dual licensed under the AGPL-3 and the Fossorial Commercial license.
 ## Contributions
-Looking for something to contribute? Take a look at issues marked with [help wanted](https://github.com/fosrl/pangolin/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22help%20wanted%22).
+Looking for something to contribute? Take a look at issues marked with [help wanted](https://github.com/fosrl/pangolin/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22help%20wanted%22). Also take a look through the freature requests in Discussions - any are available and some are marked as a good first issue.
 Please see [CONTRIBUTING](./CONTRIBUTING.md) in the repository for guidelines and best practices.
--- a/cli/commands/resetUserSecurityKeys.ts
+++ b/cli/commands/resetUserSecurityKeys.ts
@ -0,0 +1,67 @@
 import { CommandModule } from "yargs";
 import { db, users, securityKeys } from "@server/db";
 import { eq } from "drizzle-orm";
 type ResetUserSecurityKeysArgs = {
    email: string;
 };
 export const resetUserSecurityKeys: CommandModule<{}, ResetUserSecurityKeysArgs> = {
    command: "reset-user-security-keys",
    describe: "Reset a user's security keys (passkeys) by deleting all their webauthn credentials",
    builder: (yargs) => {
        return yargs
            .option("email", {
                type: "string",
                demandOption: true,
                describe: "User email address"
            });
    },
    handler: async (argv: { email: string }) => {
        try {
            const { email } = argv;
            console.log(`Looking for user with email: ${email}`);
            // Find the user by email
            const [user] = await db
                .select()
                .from(users)
                .where(eq(users.email, email))
                .limit(1);
            if (!user) {
                console.error(`User with email '${email}' not found`);
                process.exit(1);
            }
            console.log(`Found user: ${user.email} (ID: ${user.userId})`);
            // Check if user has any security keys
            const userSecurityKeys = await db
                .select()
                .from(securityKeys)
                .where(eq(securityKeys.userId, user.userId));
            if (userSecurityKeys.length === 0) {
                console.log(`User '${email}' has no security keys to reset`);
                process.exit(0);
            }
            console.log(`Found ${userSecurityKeys.length} security key(s) for user '${email}'`);
            // Delete all security keys for the user
            await db
                .delete(securityKeys)
                .where(eq(securityKeys.userId, user.userId));
            console.log(`Successfully reset security keys for user '${email}'`);
            console.log(`Deleted ${userSecurityKeys.length} security key(s)`);
            process.exit(0);
        } catch (error) {
            console.error("Error:", error);
            process.exit(1);
        }
    }
 }; 
--- a/cli/index.ts
+++ b/cli/index.ts
@ -3,9 +3,11 @@
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 import { setAdminCredentials } from "@cli/commands/setAdminCredentials";
 import { resetUserSecurityKeys } from "@cli/commands/resetUserSecurityKeys";
 yargs(hideBin(process.argv))
    .scriptName("pangctl")
    .command(setAdminCredentials)
    .command(resetUserSecurityKeys)
    .demandCommand()
    .help().argv;
--- a/esbuild.mjs
+++ b/esbuild.mjs
@ -64,7 +64,7 @@ esbuild
            }),
        ],
        sourcemap: true,
-        target: "node20",
+        target: "node22",
    })
    .then(() => {
        console.log("Build completed successfully");
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@ -60,4 +60,4 @@ networks:
  default:
    driver: bridge
    name: pangolin
-    enable_ipv6: true
+{{if .EnableIPv6}}    enable_ipv6: true{{end}}
--- a/install/input.txt
+++ b/install/input.txt
@ -1,6 +1,7 @@
 docker
 example.com
 pangolin.example.com
 yes
 admin@example.com
 yes
 admin@example.com
--- a/install/main.go
+++ b/install/main.go
@ -18,6 +18,7 @@ import (
 	"syscall"
 	"text/template"
 	"time"
    "net"
 	"golang.org/x/term"
 )
@ -39,6 +40,7 @@ type Config struct {
 	BadgerVersion             string
 	BaseDomain                string
 	DashboardDomain           string
 	EnableIPv6                bool
 	LetsEncryptEmail          string
 	EnableEmail               bool
 	EmailSMTPHost             string
@ -75,6 +77,17 @@ func main() {
 	fmt.Println("Lets get started!")
 	fmt.Println("")
    for _, p := range []int{80, 443} {
        if err := checkPortsAvailable(p); err != nil {
            fmt.Fprintln(os.Stderr, err)
            fmt.Printf("Please close any services on ports 80/443 in order to run the installation smoothly")
            os.Exit(1)
        }
    }
 	reader := bufio.NewReader(os.Stdin)
 	inputContainer := readString(reader, "Would you like to run Pangolin as Docker or Podman containers?", "docker")
@ -303,6 +316,7 @@ func collectUserInput(reader *bufio.Reader) Config {
 	fmt.Println("\n=== Basic Configuration ===")
 	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
 	config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", "pangolin."+config.BaseDomain)
 	config.EnableIPv6 = readBool(reader, "Is your server IPv6 capable?", true)
 	config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
 	config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunneled connections", true)
@ -776,3 +790,21 @@ func run(name string, args ...string) error {
 	cmd.Stderr = os.Stderr
 	return cmd.Run()
 }
 func checkPortsAvailable(port int) error {
    addr := fmt.Sprintf(":%d", port)
    ln, err := net.Listen("tcp", addr)
    if err != nil {
        return fmt.Errorf(
            "ERROR: port %d is occupied or cannot be bound: %w\n\n",
            port, err,
        )
    }
    if closeErr := ln.Close(); closeErr != nil {
        fmt.Fprintf(os.Stderr,
            "WARNING: failed to close test listener on port %d: %v\n",
            port, closeErr,
        )
    }
    return nil
 }
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "An error occurred while fetching the latest Olm release.",
    "remoteSubnets": "Remote Subnets",
    "enterCidrRange": "Enter CIDR range",
-    "remoteSubnetsDescription": "Add CIDR ranges that can access this site remotely. Use format like 10.0.0.0/24 or 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Enable Public Proxy",
    "resourceEnableProxyDescription": "Enable public proxying to this resource. This allows access to the resource from outside the network through the cloud on an open port. Requires Traefik config.",
    "externalProxyEnabled": "External Proxy Enabled"
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "An error occurred while fetching the latest Olm release.",
    "remoteSubnets": "Remote Subnets",
    "enterCidrRange": "Enter CIDR range",
-    "remoteSubnetsDescription": "Add CIDR ranges that can access this site remotely. Use format like 10.0.0.0/24 or 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Enable Public Proxy",
    "resourceEnableProxyDescription": "Enable public proxying to this resource. This allows access to the resource from outside the network through the cloud on an open port. Requires Traefik config.",
    "externalProxyEnabled": "External Proxy Enabled"
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "Beim Abrufen der neuesten Olm-Veröffentlichung ist ein Fehler aufgetreten.",
    "remoteSubnets": "Remote-Subnetze",
    "enterCidrRange": "Geben Sie den CIDR-Bereich ein",
-    "remoteSubnetsDescription": "Fügen Sie CIDR-Bereiche hinzu, die aus der Ferne auf diesen Standort zugreifen können. Verwenden Sie das Format wie 10.0.0.0/24 oder 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Öffentlichen Proxy aktivieren",
    "resourceEnableProxyDescription": "Ermöglichen Sie öffentliches Proxieren zu dieser Ressource. Dies ermöglicht den Zugriff auf die Ressource von außerhalb des Netzwerks durch die Cloud über einen offenen Port. Erfordert Traefik-Config.",
    "externalProxyEnabled": "Externer Proxy aktiviert"
--- a/messages/en-US.json
+++ b/messages/en-US.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "An error occurred while fetching the latest Olm release.",
    "remoteSubnets": "Remote Subnets",
    "enterCidrRange": "Enter CIDR range",
-    "remoteSubnetsDescription": "Add CIDR ranges that can access this site remotely. Use format like 10.0.0.0/24 or 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Enable Public Proxy",
    "resourceEnableProxyDescription": "Enable public proxying to this resource. This allows access to the resource from outside the network through the cloud on an open port. Requires Traefik config.",
    "externalProxyEnabled": "External Proxy Enabled"
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "Se ha producido un error al recuperar la última versión de Olm.",
    "remoteSubnets": "Subredes remotas",
    "enterCidrRange": "Ingresa el rango CIDR",
-    "remoteSubnetsDescription": "Agregue rangos CIDR que puedan acceder a este sitio de forma remota. Use un formato como 10.0.0.0/24 o 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Habilitar proxy público",
    "resourceEnableProxyDescription": "Habilite el proxy público para este recurso. Esto permite el acceso al recurso desde fuera de la red a través de la nube en un puerto abierto. Requiere configuración de Traefik.",
    "externalProxyEnabled": "Proxy externo habilitado"
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "Une erreur s'est produite lors de la récupération de la dernière version d'Olm.",
    "remoteSubnets": "Sous-réseaux distants",
    "enterCidrRange": "Entrez la plage CIDR",
-    "remoteSubnetsDescription": "Ajoutez des plages CIDR pouvant accéder à ce site à distance. Utilisez le format comme 10.0.0.0/24 ou 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Activer le proxy public",
    "resourceEnableProxyDescription": "Activez le proxy public vers cette ressource. Cela permet d'accéder à la ressource depuis l'extérieur du réseau via le cloud sur un port ouvert. Nécessite la configuration de Traefik.",
    "externalProxyEnabled": "Proxy externe activé"
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "Si è verificato un errore durante il recupero dell'ultima versione di Olm.",
    "remoteSubnets": "Sottoreti Remote",
    "enterCidrRange": "Inserisci l'intervallo CIDR",
-    "remoteSubnetsDescription": "Aggiungi intervalli CIDR che possono accedere a questo sito da remoto. Usa il formato come 10.0.0.0/24 o 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Abilita Proxy Pubblico",
    "resourceEnableProxyDescription": "Abilita il proxy pubblico a questa risorsa. Consente l'accesso alla risorsa dall'esterno della rete tramite il cloud su una porta aperta. Richiede la configurazione di Traefik.",
    "externalProxyEnabled": "Proxy Esterno Abilitato"
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "An error occurred while fetching the latest Olm release.",
    "remoteSubnets": "Remote Subnets",
    "enterCidrRange": "Enter CIDR range",
-    "remoteSubnetsDescription": "Add CIDR ranges that can access this site remotely. Use format like 10.0.0.0/24 or 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Enable Public Proxy",
    "resourceEnableProxyDescription": "Enable public proxying to this resource. This allows access to the resource from outside the network through the cloud on an open port. Requires Traefik config.",
    "externalProxyEnabled": "External Proxy Enabled"
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "Er is een fout opgetreden bij het ophalen van de nieuwste Olm release.",
    "remoteSubnets": "Externe Subnets",
    "enterCidrRange": "Voer CIDR-bereik in",
-    "remoteSubnetsDescription": "Voeg CIDR-bereiken toe die deze site op afstand kunnen openen. Gebruik een format zoals 10.0.0.0/24 of 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Openbare proxy inschakelen",
    "resourceEnableProxyDescription": "Schakel publieke proxy in voor deze resource. Dit maakt toegang tot de resource mogelijk vanuit het netwerk via de cloud met een open poort. Vereist Traefik-configuratie.",
    "externalProxyEnabled": "Externe Proxy Ingeschakeld"
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "Wystąpił błąd podczas pobierania najnowszego wydania Olm.",
    "remoteSubnets": "Zdalne Podsieci",
    "enterCidrRange": "Wprowadź zakres CIDR",
-    "remoteSubnetsDescription": "Dodaj zakresy CIDR, które mogą uzyskać zdalny dostęp do tej witryny. Użyj formatu takiego jak 10.0.0.0/24 lub 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Włącz publiczny proxy",
    "resourceEnableProxyDescription": "Włącz publiczne proxy dla tego zasobu. To umożliwia dostęp do zasobu spoza sieci przez chmurę na otwartym porcie. Wymaga konfiguracji Traefik.",
    "externalProxyEnabled": "Zewnętrzny Proxy Włączony"
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "Ocorreu um erro ao buscar o lançamento mais recente do Olm.",
    "remoteSubnets": "Sub-redes Remotas",
    "enterCidrRange": "Insira o intervalo CIDR",
-    "remoteSubnetsDescription": "Adicione intervalos CIDR que podem acessar este site remotamente. Use o formato como 10.0.0.0/24 ou 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Ativar Proxy Público",
    "resourceEnableProxyDescription": "Permite proxy público para este recurso. Isso permite o acesso ao recurso de fora da rede através da nuvem em uma porta aberta. Requer configuração do Traefik.",
    "externalProxyEnabled": "Proxy Externo Habilitado"
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "An error occurred while fetching the latest Olm release.",
    "remoteSubnets": "Remote Subnets",
    "enterCidrRange": "Enter CIDR range",
-    "remoteSubnetsDescription": "Add CIDR ranges that can access this site remotely. Use format like 10.0.0.0/24 or 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Enable Public Proxy",
    "resourceEnableProxyDescription": "Enable public proxying to this resource. This allows access to the resource from outside the network through the cloud on an open port. Requires Traefik config.",
    "externalProxyEnabled": "External Proxy Enabled"
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "En son Olm yayını alınırken bir hata oluştu.",
    "remoteSubnets": "Uzak Alt Ağlar",
    "enterCidrRange": "CIDR aralığını girin",
-    "remoteSubnetsDescription": "Bu siteye uzaktan erişebilecek CIDR aralıklarını ekleyin. 10.0.0.0/24 veya 192.168.1.0/24 gibi formatlar kullanın.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "Genel Proxy'i Etkinleştir",
    "resourceEnableProxyDescription": "Bu kaynağa genel proxy erişimini etkinleştirin. Bu sayede ağ dışından açık bir port üzerinden kaynağa bulut aracılığıyla erişim sağlanır. Traefik yapılandırması gereklidir.",
    "externalProxyEnabled": "Dış Proxy Etkinleştirildi"
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@ -1320,7 +1320,7 @@
    "olmErrorFetchLatest": "获取最新 Olm 发布版本时出错。",
    "remoteSubnets": "远程子网",
    "enterCidrRange": "输入 CIDR 范围",
-    "remoteSubnetsDescription": "添加能远程访问此站点的 CIDR 范围。使用格式如 10.0.0.0/24 或 192.168.1.0/24。",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
    "resourceEnableProxy": "启用公共代理",
    "resourceEnableProxyDescription": "启用到此资源的公共代理。这允许外部网络通过开放端口访问资源。需要 Traefik 配置。",
    "externalProxyEnabled": "外部代理已启用"
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -50,15 +50,15 @@
        "@radix-ui/react-tabs": "1.1.12",
        "@radix-ui/react-toast": "1.2.14",
        "@radix-ui/react-tooltip": "^1.2.7",
-        "@react-email/components": "0.3.1",
+        "@react-email/components": "0.5.0",
-        "@react-email/render": "^1.1.2",
+        "@react-email/render": "^1.2.0",
        "@simplewebauthn/browser": "^13.1.0",
        "@simplewebauthn/server": "^9.0.3",
-        "@react-email/tailwind": "1.2.1",
+        "@react-email/tailwind": "1.2.2",
        "@tailwindcss/forms": "^0.5.10",
        "@tanstack/react-table": "8.21.3",
        "arctic": "^3.7.0",
-        "axios": "1.10.0",
+        "axios": "1.11.0",
        "better-sqlite3": "11.7.0",
        "canvas-confetti": "1.9.3",
        "class-variance-authority": "^0.7.1",
@ -69,9 +69,9 @@
        "cookies": "^0.9.1",
        "cors": "2.8.5",
        "crypto-js": "^4.2.0",
-        "drizzle-orm": "0.44.2",
+        "drizzle-orm": "0.44.4",
-        "eslint": "9.31.0",
+        "eslint": "9.32.0",
-        "eslint-config-next": "15.3.5",
+        "eslint-config-next": "15.4.6",
        "express": "4.21.2",
        "express-rate-limit": "7.5.1",
        "glob": "11.0.3",
@ -82,28 +82,28 @@
        "jmespath": "^0.16.0",
        "js-yaml": "4.1.0",
        "jsonwebtoken": "^9.0.2",
-        "lucide-react": "0.525.0",
+        "lucide-react": "0.536.0",
        "moment": "2.30.1",
-        "next": "15.3.5",
+        "next": "15.4.6",
        "next-intl": "^4.3.4",
        "next-themes": "0.4.6",
        "node-cache": "5.1.2",
        "node-fetch": "3.3.2",
        "nodemailer": "7.0.5",
-        "npm": "^11.4.2",
+        "npm": "^11.5.2",
        "oslo": "1.2.1",
        "pg": "^8.16.2",
        "qrcode.react": "4.2.0",
-        "react": "19.1.0",
+        "react": "19.1.1",
-        "react-dom": "19.1.0",
+        "react-dom": "19.1.1",
        "react-easy-sort": "^1.6.0",
-        "react-hook-form": "7.60.0",
+        "react-hook-form": "7.62.0",
        "react-icons": "^5.5.0",
        "rebuild": "0.1.2",
        "semver": "^7.7.2",
        "swagger-ui-express": "^5.0.1",
        "tailwind-merge": "3.3.1",
-        "tw-animate-css": "^1.3.5",
+        "tw-animate-css": "^1.3.6",
        "uuid": "^11.1.0",
        "vaul": "1.1.2",
        "winston": "3.17.0",
@ -114,7 +114,7 @@
        "yargs": "18.0.0"
    },
    "devDependencies": {
-        "@dotenvx/dotenvx": "1.47.6",
+        "@dotenvx/dotenvx": "1.48.4",
        "@esbuild-plugins/tsconfig-paths": "0.1.2",
        "@tailwindcss/postcss": "^4.1.10",
        "@types/better-sqlite3": "7.6.12",
@ -129,8 +129,8 @@
        "@types/node": "^24",
        "@types/nodemailer": "6.4.17",
        "@types/pg": "8.15.4",
-        "@types/react": "19.1.8",
+        "@types/react": "19.1.9",
-        "@types/react-dom": "19.1.6",
+        "@types/react-dom": "19.1.7",
        "@types/semver": "^7.7.0",
        "@types/swagger-ui-express": "^4.1.8",
        "@types/ws": "8.18.1",
@ -139,12 +139,12 @@
        "esbuild": "0.25.6",
        "esbuild-node-externals": "1.18.0",
        "postcss": "^8",
-        "react-email": "4.1.0",
+        "react-email": "4.2.8",
        "tailwindcss": "^4.1.4",
        "tsc-alias": "1.8.16",
        "tsx": "4.20.3",
        "typescript": "^5",
-        "typescript-eslint": "^8.36.0"
+        "typescript-eslint": "^8.39.0"
    },
    "overrides": {
        "emblor": {
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@ -271,7 +271,7 @@ export async function getNextAvailableClientSubnet(
        )
    ].filter((address) => address !== null) as string[];
-    let subnet = findNextAvailableCidr(addresses, 32, org.subnet); // pick the sites address in the org
+    const subnet = findNextAvailableCidr(addresses, 32, org.subnet); // pick the sites address in the org
    if (!subnet) {
        throw new Error("No available subnets remaining in space");
    }
@ -289,7 +289,7 @@ export async function getNextAvailableOrgSubnet(): Promise<string> {
    const addresses = existingAddresses.map((org) => org.subnet!);
-    let subnet = findNextAvailableCidr(
+    const subnet = findNextAvailableCidr(
        addresses,
        config.getRawConfig().orgs.block_size,
        config.getRawConfig().orgs.subnet_group
--- a/server/lib/rateLimitStore.ts
+++ b/server/lib/rateLimitStore.ts
@ -1,6 +1,6 @@
 import { MemoryStore, Store } from "express-rate-limit";
 export function createStore(): Store {
-    let rateLimitStore: Store = new MemoryStore();
+    const rateLimitStore: Store = new MemoryStore();
    return rateLimitStore;
 }
--- a/server/routers/accessToken/listAccessTokens.ts
+++ b/server/routers/accessToken/listAccessTokens.ts
@ -222,7 +222,7 @@ export async function listAccessTokens(
            (resource) => resource.resourceId
        );
-        let countQuery: any = db
+        const countQuery: any = db
            .select({ count: count() })
            .from(resources)
            .where(inArray(resources.resourceId, accessibleResourceIds));
--- a/server/routers/gerbil/getAllRelays.ts
+++ b/server/routers/gerbil/getAllRelays.ts
@ -48,7 +48,7 @@ export async function getAllRelays(
        }
        // Fetch exit node
-        let [exitNode] = await db.select().from(exitNodes).where(eq(exitNodes.publicKey, publicKey));
+        const [exitNode] = await db.select().from(exitNodes).where(eq(exitNodes.publicKey, publicKey));
        if (!exitNode) {
            return next(createHttpError(HttpCode.NOT_FOUND, "Exit node not found"));
        }
@ -63,7 +63,7 @@ export async function getAllRelays(
        }
        // Initialize mappings object for multi-peer support
-        let mappings: { [key: string]: ProxyMapping } = {};
+        const mappings: { [key: string]: ProxyMapping } = {};
        // Process each site
        for (const site of sitesRes) {
--- a/server/routers/gerbil/getConfig.ts
+++ b/server/routers/gerbil/getConfig.ts
@ -112,7 +112,7 @@ export async function getConfig(
                )
            );
-        let peers = await Promise.all(
+        const peers = await Promise.all(
            sitesRes.map(async (site) => {
                if (site.type === "wireguard") {
                    return {
--- a/server/routers/idp/createOidcIdp.ts
+++ b/server/routers/idp/createOidcIdp.ts
@ -68,7 +68,7 @@ export async function createOidcIdp(
            );
        }
-        let {
+        const {
            clientId,
            clientSecret,
            authUrl,
--- a/server/routers/idp/updateOidcIdp.ts
+++ b/server/routers/idp/updateOidcIdp.ts
@ -85,7 +85,7 @@ export async function updateOidcIdp(
        }
        const { idpId } = parsedParams.data;
-        let {
+        const {
            clientId,
            clientSecret,
            authUrl,
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@ -238,7 +238,7 @@ export async function validateOidcCallback(
            const defaultRoleMapping = existingIdp.idp.defaultRoleMapping;
            const defaultOrgMapping = existingIdp.idp.defaultOrgMapping;
-            let userOrgInfo: { orgId: string; roleId: number }[] = [];
+            const userOrgInfo: { orgId: string; roleId: number }[] = [];
            for (const org of allOrgs) {
                const [idpOrgRes] = await db
                    .select()
@ -314,7 +314,7 @@ export async function validateOidcCallback(
            let existingUserId = existingUser?.userId;
-            let orgUserCounts: { orgId: string; userCount: number }[] = [];
+            const orgUserCounts: { orgId: string; userCount: number }[] = [];
            // sync the user with the orgs and roles
            await db.transaction(async (trx) => {
--- a/server/routers/newt/handleNewtPingRequestMessage.ts
+++ b/server/routers/newt/handleNewtPingRequestMessage.ts
@ -55,7 +55,7 @@ export const handleNewtPingRequestMessage: MessageHandler = async (context) => {
                    );
                    if (currentConnections.count >= maxConnections) {
-                        return null
+                        return null;
                    }
                weight =
--- a/server/routers/olm/handleOlmPingMessage.ts
+++ b/server/routers/olm/handleOlmPingMessage.ts
@ -37,7 +37,7 @@ export const startOfflineChecker = (): void => {
    }, OFFLINE_CHECK_INTERVAL);
    logger.info("Started offline checker interval");
-}
+};
 /**
 * Stops the background interval that checks for offline clients
@ -48,7 +48,7 @@ export const stopOfflineChecker = (): void => {
        offlineCheckerInterval = null;
        logger.info("Stopped offline checker interval");
    }
-}
+};
 /**
 * Handles ping messages from clients and responds with pong
--- a/server/routers/resource/listResourceRules.ts
+++ b/server/routers/resource/listResourceRules.ts
@ -35,7 +35,7 @@ const listResourceRulesSchema = z.object({
 });
 function queryResourceRules(resourceId: number) {
-    let baseQuery = db
+    const baseQuery = db
        .select({
            ruleId: resourceRules.ruleId,
            resourceId: resourceRules.resourceId,
@ -117,7 +117,7 @@ export async function listResourceRules(
        const baseQuery = queryResourceRules(resourceId);
-        let countQuery = db
+        const countQuery = db
            .select({ count: sql<number>`cast(count(*) as integer)` })
            .from(resourceRules)
            .where(eq(resourceRules.resourceId, resourceId));
--- a/server/routers/resource/listResources.ts
+++ b/server/routers/resource/listResources.ts
@ -231,7 +231,7 @@ export async function listResources(
            (resource) => resource.resourceId
        );
-        let countQuery: any = db
+        const countQuery: any = db
            .select({ count: count() })
            .from(resources)
            .where(inArray(resources.resourceId, accessibleResourceIds));
--- a/server/routers/role/listRoles.ts
+++ b/server/routers/role/listRoles.ts
@ -100,7 +100,7 @@ export async function listRoles(
        const { orgId } = parsedParams.data;
-        let countQuery: any = db
+        const countQuery: any = db
            .select({ count: sql<number>`cast(count(*) as integer)` })
            .from(roles)
            .where(eq(roles.orgId, orgId));
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@ -176,7 +176,7 @@ export async function listSites(
        const accessibleSiteIds = accessibleSites.map((site) => site.siteId);
        const baseQuery = querySites(orgId, accessibleSiteIds);
-        let countQuery = db
+        const countQuery = db
            .select({ count: count() })
            .from(sites)
            .where(
--- a/server/routers/site/pickSiteDefaults.ts
+++ b/server/routers/site/pickSiteDefaults.ts
@ -86,7 +86,7 @@ export async function pickSiteDefaults(
            .where(eq(sites.exitNodeId, exitNode.exitNodeId));
        // TODO: we need to lock this subnet for some time so someone else does not take it
-        let subnets = sitesQuery.map((site) => site.subnet).filter((subnet) => subnet !== null);
+        const subnets = sitesQuery.map((site) => site.subnet).filter((subnet) => subnet !== null);
        // exclude the exit node address by replacing after the / with a site block size
        subnets.push(
            exitNode.address.replace(
--- a/server/routers/target/helpers.ts
+++ b/server/routers/target/helpers.ts
@ -2,7 +2,7 @@ import { db } from "@server/db";
 import { resources, targets } from "@server/db";
 import { eq } from "drizzle-orm";
-let currentBannedPorts: number[] = [];
+const currentBannedPorts: number[] = [];
 export async function pickPort(siteId: number): Promise<{
    internalPort: number;
@ -15,8 +15,8 @@ export async function pickPort(siteId: number): Promise<{
    // TODO: is this all inefficient?
    // Fetch targets for all resources of this site
-    let targetIps: string[] = [];
+    const targetIps: string[] = [];
-    let targetInternalPorts: number[] = [];
+    const targetInternalPorts: number[] = [];
    await Promise.all(
        resourcesRes.map(async (resource) => {
            const targetsRes = await db
--- a/server/routers/target/listTargets.ts
+++ b/server/routers/target/listTargets.ts
@ -35,7 +35,7 @@ const listTargetsSchema = z.object({
 });
 function queryTargets(resourceId: number) {
-    let baseQuery = db
+    const baseQuery = db
        .select({
            targetId: targets.targetId,
            ip: targets.ip,
@ -99,7 +99,7 @@ export async function listTargets(
        const baseQuery = queryTargets(resourceId);
-        let countQuery = db
+        const countQuery = db
            .select({ count: sql<number>`cast(count(*) as integer)` })
            .from(targets)
            .where(eq(targets.resourceId, resourceId));
--- a/server/routers/ws/ws.ts
+++ b/server/routers/ws/ws.ts
@ -62,7 +62,7 @@ const wss: WebSocketServer = new WebSocketServer({ noServer: true });
 const NODE_ID = uuidv4();
 // Client tracking map (local to this node)
-let connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
+const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
 // Helper to get map key
 const getClientMapKey = (clientId: string) => clientId;
--- a/server/setup/scriptsPg/1.6.0.ts
+++ b/server/setup/scriptsPg/1.6.0.ts
@ -36,8 +36,8 @@ export default async function migration() {
        }
        // Read and parse the YAML file
        let rawConfig: any;
        const fileContents = fs.readFileSync(filePath, "utf8");
        let rawConfig: any;
        rawConfig = yaml.load(fileContents);
        if (rawConfig.server?.trust_proxy) {
--- a/server/setup/scriptsSqlite/1.0.0-beta10.ts
+++ b/server/setup/scriptsSqlite/1.0.0-beta10.ts
@ -23,8 +23,8 @@ export default async function migration() {
        }
        // Read and parse the YAML file
        let rawConfig: any;
        const fileContents = fs.readFileSync(filePath, "utf8");
        let rawConfig: any;
        rawConfig = yaml.load(fileContents);
        delete rawConfig.server.secure_cookies;
--- a/server/setup/scriptsSqlite/1.0.0-beta12.ts
+++ b/server/setup/scriptsSqlite/1.0.0-beta12.ts
@ -25,8 +25,8 @@ export default async function migration() {
        }
        // Read and parse the YAML file
        let rawConfig: any;
        const fileContents = fs.readFileSync(filePath, "utf8");
        let rawConfig: any;
        rawConfig = yaml.load(fileContents);
        if (!rawConfig.flags) {
--- a/server/setup/scriptsSqlite/1.0.0-beta15.ts
+++ b/server/setup/scriptsSqlite/1.0.0-beta15.ts
@ -30,8 +30,8 @@ export default async function migration() {
        }
        // Read and parse the YAML file
        let rawConfig: any;
        const fileContents = fs.readFileSync(filePath, "utf8");
        let rawConfig: any;
        rawConfig = yaml.load(fileContents);
        const baseDomain = rawConfig.app.base_domain;
--- a/server/setup/scriptsSqlite/1.0.0-beta2.ts
+++ b/server/setup/scriptsSqlite/1.0.0-beta2.ts
@ -22,8 +22,8 @@ export default async function migration() {
    }
    // Read and parse the YAML file
    let rawConfig: any;
    const fileContents = fs.readFileSync(filePath, "utf8");
    let rawConfig: any;
    rawConfig = yaml.load(fileContents);
    // Validate the structure
--- a/server/setup/scriptsSqlite/1.0.0-beta3.ts
+++ b/server/setup/scriptsSqlite/1.0.0-beta3.ts
@ -22,8 +22,8 @@ export default async function migration() {
    }
    // Read and parse the YAML file
    let rawConfig: any;
    const fileContents = fs.readFileSync(filePath, "utf8");
    let rawConfig: any;
    rawConfig = yaml.load(fileContents);
    // Validate the structure
--- a/server/setup/scriptsSqlite/1.0.0-beta5.ts
+++ b/server/setup/scriptsSqlite/1.0.0-beta5.ts
@ -25,8 +25,8 @@ export default async function migration() {
    }
    // Read and parse the YAML file
    let rawConfig: any;
    const fileContents = fs.readFileSync(filePath, "utf8");
    let rawConfig: any;
    rawConfig = yaml.load(fileContents);
    // Validate the structure
--- a/server/setup/scriptsSqlite/1.0.0-beta6.ts
+++ b/server/setup/scriptsSqlite/1.0.0-beta6.ts
@ -23,8 +23,8 @@ export default async function migration() {
        }
        // Read and parse the YAML file
        let rawConfig: any;
        const fileContents = fs.readFileSync(filePath, "utf8");
        let rawConfig: any;
        rawConfig = yaml.load(fileContents);
        // Validate the structure
--- a/server/setup/scriptsSqlite/1.0.0-beta9.ts
+++ b/server/setup/scriptsSqlite/1.0.0-beta9.ts
@ -58,8 +58,8 @@ export default async function migration() {
            }
            // Read and parse the YAML file
            let rawConfig: any;
            const fileContents = fs.readFileSync(filePath, "utf8");
            let rawConfig: any;
            rawConfig = yaml.load(fileContents);
            rawConfig.server.resource_session_request_param =
@ -122,7 +122,7 @@ export default async function migration() {
            const traefikFileContents = fs.readFileSync(traefikPath, "utf8");
            const traefikConfig = yaml.load(traefikFileContents) as any;
-            let parsedConfig: any = schema.safeParse(traefikConfig);
+            const parsedConfig: any = schema.safeParse(traefikConfig);
            if (parsedConfig.success) {
                // Ensure websecure entrypoint exists
@ -179,7 +179,7 @@ export default async function migration() {
            const traefikFileContents = fs.readFileSync(traefikPath, "utf8");
            const traefikConfig = yaml.load(traefikFileContents) as any;
-            let parsedConfig: any = schema.safeParse(traefikConfig);
+            const parsedConfig: any = schema.safeParse(traefikConfig);
            if (parsedConfig.success) {
                // delete permanent from redirect-to-https middleware
--- a/server/setup/scriptsSqlite/1.2.0.ts
+++ b/server/setup/scriptsSqlite/1.2.0.ts
@ -43,8 +43,8 @@ export default async function migration() {
        }
        // Read and parse the YAML file
        let rawConfig: any;
        const fileContents = fs.readFileSync(filePath, "utf8");
        let rawConfig: any;
        rawConfig = yaml.load(fileContents);
        if (!rawConfig.flags) {
--- a/server/setup/scriptsSqlite/1.3.0.ts
+++ b/server/setup/scriptsSqlite/1.3.0.ts
@ -177,7 +177,8 @@ export default async function migration() {
        }
        const fileContents = fs.readFileSync(filePath, "utf8");
-        let rawConfig: any = yaml.load(fileContents);
+        let rawConfig: any;
        rawConfig = yaml.load(fileContents);
        if (!rawConfig.server.secret) {
            rawConfig.server.secret = generateIdFromEntropySize(32);
--- a/server/setup/scriptsSqlite/1.5.0.ts
+++ b/server/setup/scriptsSqlite/1.5.0.ts
@ -44,8 +44,8 @@ export default async function migration() {
        }
        // Read and parse the YAML file
        let rawConfig: any;
        const fileContents = fs.readFileSync(filePath, "utf8");
        let rawConfig: any;
        rawConfig = yaml.load(fileContents);
        if (rawConfig.cors?.headers) {
--- a/server/setup/scriptsSqlite/1.6.0.ts
+++ b/server/setup/scriptsSqlite/1.6.0.ts
@ -45,8 +45,8 @@ export default async function migration() {
        }
        // Read and parse the YAML file
        let rawConfig: any;
        const fileContents = fs.readFileSync(filePath, "utf8");
        let rawConfig: any;
        rawConfig = yaml.load(fileContents);
        if (rawConfig.server?.trust_proxy) {
--- a/src/app/[orgId]/settings/api-keys/create/page.tsx
+++ b/src/app/[orgId]/settings/api-keys/create/page.tsx
@ -108,7 +108,7 @@ export default function Page() {
    async function onSubmit(data: CreateFormValues) {
        setCreateLoading(true);
-        let payload: CreateOrgApiKeyBody = {
+        const payload: CreateOrgApiKeyBody = {
            name: data.name
        };
--- a/src/app/[orgId]/settings/clients/ClientsTable.tsx
+++ b/src/app/[orgId]/settings/clients/ClientsTable.tsx
@ -290,7 +290,7 @@ export default function ClientsTable({ clients, orgId }: ClientTableProps) {
                columns={columns}
                data={rows}
                addClient={() => {
-                    router.push(`/${orgId}/settings/clients/create`)
+                    router.push(`/${orgId}/settings/clients/create`);
                }}
            />
        </>
--- a/src/app/[orgId]/settings/clients/create/page.tsx
+++ b/src/app/[orgId]/settings/clients/create/page.tsx
@ -280,7 +280,7 @@ export default function Page() {
            return;
        }
-        let payload: CreateClientBody = {
+        const payload: CreateClientBody = {
            name: data.name,
            type: data.method as "olm",
            siteIds: data.siteIds.map((site) => parseInt(site.id)),
--- a/src/app/[orgId]/settings/resources/[resourceId]/ResourceInfoBox.tsx
+++ b/src/app/[orgId]/settings/resources/[resourceId]/ResourceInfoBox.tsx
@ -29,7 +29,7 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
    const { isEnabled, isAvailable } = useDockerSocket(site!);
    const t = useTranslations();
-    let fullUrl = `${resource.ssl ? "https" : "http"}://${resource.fullDomain}`;
+    const fullUrl = `${resource.ssl ? "https" : "http"}://${resource.fullDomain}`;
    return (
        <Alert>
--- a/src/app/[orgId]/settings/resources/[resourceId]/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/[resourceId]/proxy/page.tsx
@ -327,7 +327,7 @@ export default function ReverseProxyTargets(props: {
            setProxySettingsLoading(true);
            // Save targets
-            for (let target of targets) {
+            for (const target of targets) {
                const data = {
                    ip: target.ip,
                    port: target.port,
--- a/src/app/[orgId]/settings/resources/[resourceId]/rules/page.tsx
+++ b/src/app/[orgId]/settings/resources/[resourceId]/rules/page.tsx
@ -271,7 +271,7 @@ export default function ResourceRules(props: {
            }
            // Save rules
-            for (let rule of rules) {
+            for (const rule of rules) {
                const data = {
                    action: rule.action,
                    match: rule.match,
@ -348,7 +348,7 @@ export default function ResourceRules(props: {
                setRules([
                    ...rules.map((r) => {
-                        let res = {
+                        const res = {
                            ...r,
                            new: false,
                            updated: false
--- a/src/app/[orgId]/settings/sites/create/page.tsx
+++ b/src/app/[orgId]/settings/sites/create/page.tsx
@ -291,10 +291,10 @@ WantedBy=default.target`
            },
            nixos: {
                x86_64: [
-                    `nix run 'nixpkgs#fosrl-newt' --id ${id} --secret ${secret} --endpoint ${endpoint}`
+                    `nix run 'nixpkgs#fosrl-newt' -- --id ${id} --secret ${secret} --endpoint ${endpoint}`
                ],
                aarch64: [
-                    `nix run 'nixpkgs#fosrl-newt' --id ${id} --secret ${secret} --endpoint ${endpoint}`
+                    `nix run 'nixpkgs#fosrl-newt' -- --id ${id} --secret ${secret} --endpoint ${endpoint}`
                ]
            }
        };
--- a/src/app/admin/api-keys/create/page.tsx
+++ b/src/app/admin/api-keys/create/page.tsx
@ -106,7 +106,7 @@ export default function Page() {
    async function onSubmit(data: CreateFormValues) {
        setCreateLoading(true);
-        let payload: CreateOrgApiKeyBody = {
+        const payload: CreateOrgApiKeyBody = {
            name: data.name
        };
--- a/src/app/layout.tsx
+++ b/src/app/layout.tsx
@ -34,7 +34,7 @@ export default async function RootLayout({
    const env = pullEnv();
    const locale = await getLocale();
-    let supporterData = {
+    const supporterData = {
        visible: true
    } as any;
--- a/src/components/LocaleSwitcher.tsx
+++ b/src/components/LocaleSwitcher.tsx
@ -52,6 +52,10 @@ export default function LocaleSwitcher() {
                {
                    value: "ko-KR",
                    label: "한국어"
                },
                {
                    value: "nb-NO",
                    label: "Norsk (Bokmål)"
                }
            ]}
        />
--- a/src/i18n/config.ts
+++ b/src/i18n/config.ts
@ -1,4 +1,4 @@
 export type Locale = (typeof locales)[number];
-export const locales = ['en-US', 'es-ES', 'fr-FR', 'de-DE', 'nl-NL', 'it-IT', 'pl-PL', 'pt-PT', 'tr-TR', 'zh-CN', 'ko-KR', 'bg-BG', 'cs-CZ', 'ru-RU'] as const;
+export const locales = ['en-US', 'es-ES', 'fr-FR', 'de-DE', 'nl-NL', 'it-IT', 'pl-PL', 'pt-PT', 'tr-TR', 'zh-CN', 'ko-KR', 'bg-BG', 'cs-CZ', 'ru-RU', 'nb-NO'] as const;
 export const defaultLocale: Locale = 'en-US';
--- a/tsconfig.json
+++ b/tsconfig.json
@ -25,7 +25,7 @@
                "name": "next"
            }
        ],
-        "target": "ES2017"
+        "target": "ES2022"
    },
    "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
    "exclude": ["node_modules"]
`@ -1,4 +1,4 @@`
	`FROM node:20-alpine`	`FROM node:22-alpine`

	`WORKDIR /app`	`WORKDIR /app`