Merge branch 'dev' into clients-multi-pop

.github/workflows/linting.yml

@@ -23,7 +23,7 @@ jobs:
             - name: Set up Node.js
               uses: actions/setup-node@v4
               with:
-                node-version: '20'
+                node-version: '22'
 
             - name: Install dependencies
               run: |

.github/workflows/test.yml

@@ -15,7 +15,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
 
       - name: Copy config file
         run: cp config/config.example.yml config/config.yml

.nvmrc

@@ -1 +1 @@
-20
+22

Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM node:20-alpine
+FROM node:22-alpine
 
 WORKDIR /app
 

Dockerfile.pg

@@ -1,4 +1,4 @@
-FROM node:20-alpine AS builder
+FROM node:22-alpine AS builder
 
 WORKDIR /app
 
@@ -15,7 +15,7 @@ RUN npx drizzle-kit generate --dialect postgresql --schema ./server/db/pg/schema
 RUN npm run build:pg
 RUN npm run build:cli
 
-FROM node:20-alpine AS runner
+FROM node:22-alpine AS runner
 
 WORKDIR /app
 

Dockerfile.sqlite

@@ -1,4 +1,4 @@
-FROM node:20-alpine AS builder
+FROM node:22-alpine AS builder
 
 WORKDIR /app
 
@@ -15,7 +15,7 @@ RUN npx drizzle-kit generate --dialect sqlite --schema ./server/db/sqlite/schema
 RUN npm run build:sqlite
 RUN npm run build:cli
 
-FROM node:20-alpine AS runner
+FROM node:22-alpine AS runner
 
 WORKDIR /app
 

README.md

@@ -139,7 +139,7 @@ Pangolin is dual licensed under the AGPL-3 and the Fossorial Commercial license.
 
 ## Contributions
 
-Looking for something to contribute? Take a look at issues marked with [help wanted](https://github.com/fosrl/pangolin/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22help%20wanted%22).
+Looking for something to contribute? Take a look at issues marked with [help wanted](https://github.com/fosrl/pangolin/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22help%20wanted%22). Also take a look through the freature requests in Discussions - any are available and some are marked as a good first issue.
 
 Please see [CONTRIBUTING](./CONTRIBUTING.md) in the repository for guidelines and best practices.
 

cli/commands/resetUserSecurityKeys.ts

@@ -0,0 +1,67 @@
+import { CommandModule } from "yargs";
+import { db, users, securityKeys } from "@server/db";
+import { eq } from "drizzle-orm";
+
+type ResetUserSecurityKeysArgs = {
+    email: string;
+};
+
+export const resetUserSecurityKeys: CommandModule<{}, ResetUserSecurityKeysArgs> = {
+    command: "reset-user-security-keys",
+    describe: "Reset a user's security keys (passkeys) by deleting all their webauthn credentials",
+    builder: (yargs) => {
+        return yargs
+            .option("email", {
+                type: "string",
+                demandOption: true,
+                describe: "User email address"
+            });
+    },
+    handler: async (argv: { email: string }) => {
+        try {
+            const { email } = argv;
+
+            console.log(`Looking for user with email: ${email}`);
+
+            // Find the user by email
+            const [user] = await db
+                .select()
+                .from(users)
+                .where(eq(users.email, email))
+                .limit(1);
+
+            if (!user) {
+                console.error(`User with email '${email}' not found`);
+                process.exit(1);
+            }
+
+            console.log(`Found user: ${user.email} (ID: ${user.userId})`);
+
+            // Check if user has any security keys
+            const userSecurityKeys = await db
+                .select()
+                .from(securityKeys)
+                .where(eq(securityKeys.userId, user.userId));
+
+            if (userSecurityKeys.length === 0) {
+                console.log(`User '${email}' has no security keys to reset`);
+                process.exit(0);
+            }
+
+            console.log(`Found ${userSecurityKeys.length} security key(s) for user '${email}'`);
+
+            // Delete all security keys for the user
+            await db
+                .delete(securityKeys)
+                .where(eq(securityKeys.userId, user.userId));
+
+            console.log(`Successfully reset security keys for user '${email}'`);
+            console.log(`Deleted ${userSecurityKeys.length} security key(s)`);
+
+            process.exit(0);
+        } catch (error) {
+            console.error("Error:", error);
+            process.exit(1);
+        }
+    }
+}; 

cli/index.ts

@@ -3,9 +3,11 @@
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 import { setAdminCredentials } from "@cli/commands/setAdminCredentials";
+import { resetUserSecurityKeys } from "@cli/commands/resetUserSecurityKeys";
 
 yargs(hideBin(process.argv))
     .scriptName("pangctl")
     .command(setAdminCredentials)
+    .command(resetUserSecurityKeys)
     .demandCommand()
     .help().argv;

esbuild.mjs

@@ -64,7 +64,7 @@ esbuild
             }),
         ],
         sourcemap: true,
-        target: "node20",
+        target: "node22",
     })
     .then(() => {
         console.log("Build completed successfully");

install/config/docker-compose.yml

@@ -60,4 +60,4 @@ networks:
   default:
     driver: bridge
     name: pangolin
-    enable_ipv6: true
+{{if .EnableIPv6}}    enable_ipv6: true{{end}}

install/input.txt

@@ -1,6 +1,7 @@
 docker
 example.com
 pangolin.example.com
+yes
 admin@example.com
 yes
 admin@example.com

install/main.go

@@ -18,6 +18,7 @@ import (
 	"syscall"
 	"text/template"
 	"time"
+    "net"
 
 	"golang.org/x/term"
 )
@@ -39,6 +40,7 @@ type Config struct {
 	BadgerVersion             string
 	BaseDomain                string
 	DashboardDomain           string
+	EnableIPv6                bool
 	LetsEncryptEmail          string
 	EnableEmail               bool
 	EmailSMTPHost             string
@@ -75,6 +77,17 @@ func main() {
 	fmt.Println("Lets get started!")
 	fmt.Println("")
 
+
+    for _, p := range []int{80, 443} {
+        if err := checkPortsAvailable(p); err != nil {
+            fmt.Fprintln(os.Stderr, err)
+
+            fmt.Printf("Please close any services on ports 80/443 in order to run the installation smoothly")
+            os.Exit(1)
+        }
+    }
+
+
 	reader := bufio.NewReader(os.Stdin)
 	inputContainer := readString(reader, "Would you like to run Pangolin as Docker or Podman containers?", "docker")
 
@@ -303,6 +316,7 @@ func collectUserInput(reader *bufio.Reader) Config {
 	fmt.Println("\n=== Basic Configuration ===")
 	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
 	config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", "pangolin."+config.BaseDomain)
+	config.EnableIPv6 = readBool(reader, "Is your server IPv6 capable?", true)
 	config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
 	config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunneled connections", true)
 
@@ -776,3 +790,21 @@ func run(name string, args ...string) error {
 	cmd.Stderr = os.Stderr
 	return cmd.Run()
 }
+
+func checkPortsAvailable(port int) error {
+    addr := fmt.Sprintf(":%d", port)
+    ln, err := net.Listen("tcp", addr)
+    if err != nil {
+        return fmt.Errorf(
+            "ERROR: port %d is occupied or cannot be bound: %w\n\n",
+            port, err,
+        )
+    }
+    if closeErr := ln.Close(); closeErr != nil {
+        fmt.Fprintf(os.Stderr,
+            "WARNING: failed to close test listener on port %d: %v\n",
+            port, closeErr,
+        )
+    }
+    return nil
+}

messages/bg-BG.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "An error occurred while fetching the latest Olm release.",
     "remoteSubnets": "Remote Subnets",
     "enterCidrRange": "Enter CIDR range",
-    "remoteSubnetsDescription": "Add CIDR ranges that can access this site remotely. Use format like 10.0.0.0/24 or 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Enable Public Proxy",
     "resourceEnableProxyDescription": "Enable public proxying to this resource. This allows access to the resource from outside the network through the cloud on an open port. Requires Traefik config.",
     "externalProxyEnabled": "External Proxy Enabled"

messages/cs-CZ.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "An error occurred while fetching the latest Olm release.",
     "remoteSubnets": "Remote Subnets",
     "enterCidrRange": "Enter CIDR range",
-    "remoteSubnetsDescription": "Add CIDR ranges that can access this site remotely. Use format like 10.0.0.0/24 or 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Enable Public Proxy",
     "resourceEnableProxyDescription": "Enable public proxying to this resource. This allows access to the resource from outside the network through the cloud on an open port. Requires Traefik config.",
     "externalProxyEnabled": "External Proxy Enabled"

messages/de-DE.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "Beim Abrufen der neuesten Olm-Veröffentlichung ist ein Fehler aufgetreten.",
     "remoteSubnets": "Remote-Subnetze",
     "enterCidrRange": "Geben Sie den CIDR-Bereich ein",
-    "remoteSubnetsDescription": "Fügen Sie CIDR-Bereiche hinzu, die aus der Ferne auf diesen Standort zugreifen können. Verwenden Sie das Format wie 10.0.0.0/24 oder 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Öffentlichen Proxy aktivieren",
     "resourceEnableProxyDescription": "Ermöglichen Sie öffentliches Proxieren zu dieser Ressource. Dies ermöglicht den Zugriff auf die Ressource von außerhalb des Netzwerks durch die Cloud über einen offenen Port. Erfordert Traefik-Config.",
     "externalProxyEnabled": "Externer Proxy aktiviert"

messages/en-US.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "An error occurred while fetching the latest Olm release.",
     "remoteSubnets": "Remote Subnets",
     "enterCidrRange": "Enter CIDR range",
-    "remoteSubnetsDescription": "Add CIDR ranges that can access this site remotely. Use format like 10.0.0.0/24 or 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Enable Public Proxy",
     "resourceEnableProxyDescription": "Enable public proxying to this resource. This allows access to the resource from outside the network through the cloud on an open port. Requires Traefik config.",
     "externalProxyEnabled": "External Proxy Enabled"

messages/es-ES.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "Se ha producido un error al recuperar la última versión de Olm.",
     "remoteSubnets": "Subredes remotas",
     "enterCidrRange": "Ingresa el rango CIDR",
-    "remoteSubnetsDescription": "Agregue rangos CIDR que puedan acceder a este sitio de forma remota. Use un formato como 10.0.0.0/24 o 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Habilitar proxy público",
     "resourceEnableProxyDescription": "Habilite el proxy público para este recurso. Esto permite el acceso al recurso desde fuera de la red a través de la nube en un puerto abierto. Requiere configuración de Traefik.",
     "externalProxyEnabled": "Proxy externo habilitado"

messages/fr-FR.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "Une erreur s'est produite lors de la récupération de la dernière version d'Olm.",
     "remoteSubnets": "Sous-réseaux distants",
     "enterCidrRange": "Entrez la plage CIDR",
-    "remoteSubnetsDescription": "Ajoutez des plages CIDR pouvant accéder à ce site à distance. Utilisez le format comme 10.0.0.0/24 ou 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Activer le proxy public",
     "resourceEnableProxyDescription": "Activez le proxy public vers cette ressource. Cela permet d'accéder à la ressource depuis l'extérieur du réseau via le cloud sur un port ouvert. Nécessite la configuration de Traefik.",
     "externalProxyEnabled": "Proxy externe activé"

messages/it-IT.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "Si è verificato un errore durante il recupero dell'ultima versione di Olm.",
     "remoteSubnets": "Sottoreti Remote",
     "enterCidrRange": "Inserisci l'intervallo CIDR",
-    "remoteSubnetsDescription": "Aggiungi intervalli CIDR che possono accedere a questo sito da remoto. Usa il formato come 10.0.0.0/24 o 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Abilita Proxy Pubblico",
     "resourceEnableProxyDescription": "Abilita il proxy pubblico a questa risorsa. Consente l'accesso alla risorsa dall'esterno della rete tramite il cloud su una porta aperta. Richiede la configurazione di Traefik.",
     "externalProxyEnabled": "Proxy Esterno Abilitato"

messages/ko-KR.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "An error occurred while fetching the latest Olm release.",
     "remoteSubnets": "Remote Subnets",
     "enterCidrRange": "Enter CIDR range",
-    "remoteSubnetsDescription": "Add CIDR ranges that can access this site remotely. Use format like 10.0.0.0/24 or 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Enable Public Proxy",
     "resourceEnableProxyDescription": "Enable public proxying to this resource. This allows access to the resource from outside the network through the cloud on an open port. Requires Traefik config.",
     "externalProxyEnabled": "External Proxy Enabled"

messages/nl-NL.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "Er is een fout opgetreden bij het ophalen van de nieuwste Olm release.",
     "remoteSubnets": "Externe Subnets",
     "enterCidrRange": "Voer CIDR-bereik in",
-    "remoteSubnetsDescription": "Voeg CIDR-bereiken toe die deze site op afstand kunnen openen. Gebruik een format zoals 10.0.0.0/24 of 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Openbare proxy inschakelen",
     "resourceEnableProxyDescription": "Schakel publieke proxy in voor deze resource. Dit maakt toegang tot de resource mogelijk vanuit het netwerk via de cloud met een open poort. Vereist Traefik-configuratie.",
     "externalProxyEnabled": "Externe Proxy Ingeschakeld"

messages/pl-PL.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "Wystąpił błąd podczas pobierania najnowszego wydania Olm.",
     "remoteSubnets": "Zdalne Podsieci",
     "enterCidrRange": "Wprowadź zakres CIDR",
-    "remoteSubnetsDescription": "Dodaj zakresy CIDR, które mogą uzyskać zdalny dostęp do tej witryny. Użyj formatu takiego jak 10.0.0.0/24 lub 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Włącz publiczny proxy",
     "resourceEnableProxyDescription": "Włącz publiczne proxy dla tego zasobu. To umożliwia dostęp do zasobu spoza sieci przez chmurę na otwartym porcie. Wymaga konfiguracji Traefik.",
     "externalProxyEnabled": "Zewnętrzny Proxy Włączony"

messages/pt-PT.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "Ocorreu um erro ao buscar o lançamento mais recente do Olm.",
     "remoteSubnets": "Sub-redes Remotas",
     "enterCidrRange": "Insira o intervalo CIDR",
-    "remoteSubnetsDescription": "Adicione intervalos CIDR que podem acessar este site remotamente. Use o formato como 10.0.0.0/24 ou 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Ativar Proxy Público",
     "resourceEnableProxyDescription": "Permite proxy público para este recurso. Isso permite o acesso ao recurso de fora da rede através da nuvem em uma porta aberta. Requer configuração do Traefik.",
     "externalProxyEnabled": "Proxy Externo Habilitado"

messages/ru-RU.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "An error occurred while fetching the latest Olm release.",
     "remoteSubnets": "Remote Subnets",
     "enterCidrRange": "Enter CIDR range",
-    "remoteSubnetsDescription": "Add CIDR ranges that can access this site remotely. Use format like 10.0.0.0/24 or 192.168.1.0/24.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Enable Public Proxy",
     "resourceEnableProxyDescription": "Enable public proxying to this resource. This allows access to the resource from outside the network through the cloud on an open port. Requires Traefik config.",
     "externalProxyEnabled": "External Proxy Enabled"

messages/tr-TR.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "En son Olm yayını alınırken bir hata oluştu.",
     "remoteSubnets": "Uzak Alt Ağlar",
     "enterCidrRange": "CIDR aralığını girin",
-    "remoteSubnetsDescription": "Bu siteye uzaktan erişebilecek CIDR aralıklarını ekleyin. 10.0.0.0/24 veya 192.168.1.0/24 gibi formatlar kullanın.",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "Genel Proxy'i Etkinleştir",
     "resourceEnableProxyDescription": "Bu kaynağa genel proxy erişimini etkinleştirin. Bu sayede ağ dışından açık bir port üzerinden kaynağa bulut aracılığıyla erişim sağlanır. Traefik yapılandırması gereklidir.",
     "externalProxyEnabled": "Dış Proxy Etkinleştirildi"

messages/zh-CN.json

@@ -1320,7 +1320,7 @@
     "olmErrorFetchLatest": "获取最新 Olm 发布版本时出错。",
     "remoteSubnets": "远程子网",
     "enterCidrRange": "输入 CIDR 范围",
-    "remoteSubnetsDescription": "添加能远程访问此站点的 CIDR 范围。使用格式如 10.0.0.0/24 或 192.168.1.0/24。",
+    "remoteSubnetsDescription": "Add CIDR ranges that can be accessed from this site remotely using clients. Use format like 10.0.0.0/24. This ONLY applies to VPN client connectivity.",
     "resourceEnableProxy": "启用公共代理",
     "resourceEnableProxyDescription": "启用到此资源的公共代理。这允许外部网络通过开放端口访问资源。需要 Traefik 配置。",
     "externalProxyEnabled": "外部代理已启用"

package.json

@@ -50,15 +50,15 @@
         "@radix-ui/react-tabs": "1.1.12",
         "@radix-ui/react-toast": "1.2.14",
         "@radix-ui/react-tooltip": "^1.2.7",
-        "@react-email/components": "0.3.1",
-        "@react-email/render": "^1.1.2",
+        "@react-email/components": "0.5.0",
+        "@react-email/render": "^1.2.0",
         "@simplewebauthn/browser": "^13.1.0",
         "@simplewebauthn/server": "^9.0.3",
-        "@react-email/tailwind": "1.2.1",
+        "@react-email/tailwind": "1.2.2",
         "@tailwindcss/forms": "^0.5.10",
         "@tanstack/react-table": "8.21.3",
         "arctic": "^3.7.0",
-        "axios": "1.10.0",
+        "axios": "1.11.0",
         "better-sqlite3": "11.7.0",
         "canvas-confetti": "1.9.3",
         "class-variance-authority": "^0.7.1",
@@ -69,9 +69,9 @@
         "cookies": "^0.9.1",
         "cors": "2.8.5",
         "crypto-js": "^4.2.0",
-        "drizzle-orm": "0.44.2",
-        "eslint": "9.31.0",
-        "eslint-config-next": "15.3.5",
+        "drizzle-orm": "0.44.4",
+        "eslint": "9.32.0",
+        "eslint-config-next": "15.4.6",
         "express": "4.21.2",
         "express-rate-limit": "7.5.1",
         "glob": "11.0.3",
@@ -82,28 +82,28 @@
         "jmespath": "^0.16.0",
         "js-yaml": "4.1.0",
         "jsonwebtoken": "^9.0.2",
-        "lucide-react": "0.525.0",
+        "lucide-react": "0.536.0",
         "moment": "2.30.1",
-        "next": "15.3.5",
+        "next": "15.4.6",
         "next-intl": "^4.3.4",
         "next-themes": "0.4.6",
         "node-cache": "5.1.2",
         "node-fetch": "3.3.2",
         "nodemailer": "7.0.5",
-        "npm": "^11.4.2",
+        "npm": "^11.5.2",
         "oslo": "1.2.1",
         "pg": "^8.16.2",
         "qrcode.react": "4.2.0",
-        "react": "19.1.0",
-        "react-dom": "19.1.0",
+        "react": "19.1.1",
+        "react-dom": "19.1.1",
         "react-easy-sort": "^1.6.0",
-        "react-hook-form": "7.60.0",
+        "react-hook-form": "7.62.0",
         "react-icons": "^5.5.0",
         "rebuild": "0.1.2",
         "semver": "^7.7.2",
         "swagger-ui-express": "^5.0.1",
         "tailwind-merge": "3.3.1",
-        "tw-animate-css": "^1.3.5",
+        "tw-animate-css": "^1.3.6",
         "uuid": "^11.1.0",
         "vaul": "1.1.2",
         "winston": "3.17.0",
@@ -114,7 +114,7 @@
         "yargs": "18.0.0"
     },
     "devDependencies": {
-        "@dotenvx/dotenvx": "1.47.6",
+        "@dotenvx/dotenvx": "1.48.4",
         "@esbuild-plugins/tsconfig-paths": "0.1.2",
         "@tailwindcss/postcss": "^4.1.10",
         "@types/better-sqlite3": "7.6.12",
@@ -129,8 +129,8 @@
         "@types/node": "^24",
         "@types/nodemailer": "6.4.17",
         "@types/pg": "8.15.4",
-        "@types/react": "19.1.8",
-        "@types/react-dom": "19.1.6",
+        "@types/react": "19.1.9",
+        "@types/react-dom": "19.1.7",
         "@types/semver": "^7.7.0",
         "@types/swagger-ui-express": "^4.1.8",
         "@types/ws": "8.18.1",
@@ -139,12 +139,12 @@
         "esbuild": "0.25.6",
         "esbuild-node-externals": "1.18.0",
         "postcss": "^8",
-        "react-email": "4.1.0",
+        "react-email": "4.2.8",
         "tailwindcss": "^4.1.4",
         "tsc-alias": "1.8.16",
         "tsx": "4.20.3",
         "typescript": "^5",
-        "typescript-eslint": "^8.36.0"
+        "typescript-eslint": "^8.39.0"
     },
     "overrides": {
         "emblor": {

server/lib/ip.ts

@@ -271,7 +271,7 @@ export async function getNextAvailableClientSubnet(
         )
     ].filter((address) => address !== null) as string[];
 
-    let subnet = findNextAvailableCidr(addresses, 32, org.subnet); // pick the sites address in the org
+    const subnet = findNextAvailableCidr(addresses, 32, org.subnet); // pick the sites address in the org
     if (!subnet) {
         throw new Error("No available subnets remaining in space");
     }
@@ -289,7 +289,7 @@ export async function getNextAvailableOrgSubnet(): Promise<string> {
 
     const addresses = existingAddresses.map((org) => org.subnet!);
 
-    let subnet = findNextAvailableCidr(
+    const subnet = findNextAvailableCidr(
         addresses,
         config.getRawConfig().orgs.block_size,
         config.getRawConfig().orgs.subnet_group

server/lib/rateLimitStore.ts

@@ -1,6 +1,6 @@
 import { MemoryStore, Store } from "express-rate-limit";
 
 export function createStore(): Store {
-    let rateLimitStore: Store = new MemoryStore();
+    const rateLimitStore: Store = new MemoryStore();
     return rateLimitStore;
 }

server/routers/accessToken/listAccessTokens.ts

@@ -222,7 +222,7 @@ export async function listAccessTokens(
             (resource) => resource.resourceId
         );
 
-        let countQuery: any = db
+        const countQuery: any = db
             .select({ count: count() })
             .from(resources)
             .where(inArray(resources.resourceId, accessibleResourceIds));

server/routers/gerbil/getAllRelays.ts

@@ -48,7 +48,7 @@ export async function getAllRelays(
         }
 
         // Fetch exit node
-        let [exitNode] = await db.select().from(exitNodes).where(eq(exitNodes.publicKey, publicKey));
+        const [exitNode] = await db.select().from(exitNodes).where(eq(exitNodes.publicKey, publicKey));
         if (!exitNode) {
             return next(createHttpError(HttpCode.NOT_FOUND, "Exit node not found"));
         }
@@ -63,7 +63,7 @@ export async function getAllRelays(
         }
         
         // Initialize mappings object for multi-peer support
-        let mappings: { [key: string]: ProxyMapping } = {};
+        const mappings: { [key: string]: ProxyMapping } = {};
 
         // Process each site
         for (const site of sitesRes) {

server/routers/gerbil/getConfig.ts

@@ -112,7 +112,7 @@ export async function getConfig(
                 )
             );
 
-        let peers = await Promise.all(
+        const peers = await Promise.all(
             sitesRes.map(async (site) => {
                 if (site.type === "wireguard") {
                     return {

server/routers/idp/createOidcIdp.ts

@@ -68,7 +68,7 @@ export async function createOidcIdp(
             );
         }
 
-        let {
+        const {
             clientId,
             clientSecret,
             authUrl,

server/routers/idp/updateOidcIdp.ts

@@ -85,7 +85,7 @@ export async function updateOidcIdp(
         }
 
         const { idpId } = parsedParams.data;
-        let {
+        const {
             clientId,
             clientSecret,
             authUrl,

server/routers/idp/validateOidcCallback.ts

@@ -238,7 +238,7 @@ export async function validateOidcCallback(
             const defaultRoleMapping = existingIdp.idp.defaultRoleMapping;
             const defaultOrgMapping = existingIdp.idp.defaultOrgMapping;
 
-            let userOrgInfo: { orgId: string; roleId: number }[] = [];
+            const userOrgInfo: { orgId: string; roleId: number }[] = [];
             for (const org of allOrgs) {
                 const [idpOrgRes] = await db
                     .select()
@@ -314,7 +314,7 @@ export async function validateOidcCallback(
 
             let existingUserId = existingUser?.userId;
 
-            let orgUserCounts: { orgId: string; userCount: number }[] = [];
+            const orgUserCounts: { orgId: string; userCount: number }[] = [];
 
             // sync the user with the orgs and roles
             await db.transaction(async (trx) => {

server/routers/newt/handleNewtPingRequestMessage.ts

@@ -55,7 +55,7 @@ export const handleNewtPingRequestMessage: MessageHandler = async (context) => {
                     );
 
                     if (currentConnections.count >= maxConnections) {
-                        return null
+                        return null;
                     }
 
                 weight =

server/routers/olm/handleOlmPingMessage.ts

@@ -37,7 +37,7 @@ export const startOfflineChecker = (): void => {
     }, OFFLINE_CHECK_INTERVAL);
 
     logger.info("Started offline checker interval");
-}
+};
 
 /**
  * Stops the background interval that checks for offline clients
@@ -48,7 +48,7 @@ export const stopOfflineChecker = (): void => {
         offlineCheckerInterval = null;
         logger.info("Stopped offline checker interval");
     }
-}
+};
 
 /**
  * Handles ping messages from clients and responds with pong

server/routers/resource/listResourceRules.ts

@@ -35,7 +35,7 @@ const listResourceRulesSchema = z.object({
 });
 
 function queryResourceRules(resourceId: number) {
-    let baseQuery = db
+    const baseQuery = db
         .select({
             ruleId: resourceRules.ruleId,
             resourceId: resourceRules.resourceId,
@@ -117,7 +117,7 @@ export async function listResourceRules(
 
         const baseQuery = queryResourceRules(resourceId);
 
-        let countQuery = db
+        const countQuery = db
             .select({ count: sql<number>`cast(count(*) as integer)` })
             .from(resourceRules)
             .where(eq(resourceRules.resourceId, resourceId));

server/routers/resource/listResources.ts

@@ -231,7 +231,7 @@ export async function listResources(
             (resource) => resource.resourceId
         );
 
-        let countQuery: any = db
+        const countQuery: any = db
             .select({ count: count() })
             .from(resources)
             .where(inArray(resources.resourceId, accessibleResourceIds));

server/routers/role/listRoles.ts

@@ -100,7 +100,7 @@ export async function listRoles(
 
         const { orgId } = parsedParams.data;
 
-        let countQuery: any = db
+        const countQuery: any = db
             .select({ count: sql<number>`cast(count(*) as integer)` })
             .from(roles)
             .where(eq(roles.orgId, orgId));

server/routers/site/listSites.ts

@@ -176,7 +176,7 @@ export async function listSites(
         const accessibleSiteIds = accessibleSites.map((site) => site.siteId);
         const baseQuery = querySites(orgId, accessibleSiteIds);
 
-        let countQuery = db
+        const countQuery = db
             .select({ count: count() })
             .from(sites)
             .where(

server/routers/site/pickSiteDefaults.ts

@@ -86,7 +86,7 @@ export async function pickSiteDefaults(
             .where(eq(sites.exitNodeId, exitNode.exitNodeId));
 
         // TODO: we need to lock this subnet for some time so someone else does not take it
-        let subnets = sitesQuery.map((site) => site.subnet).filter((subnet) => subnet !== null);
+        const subnets = sitesQuery.map((site) => site.subnet).filter((subnet) => subnet !== null);
         // exclude the exit node address by replacing after the / with a site block size
         subnets.push(
             exitNode.address.replace(

server/routers/target/helpers.ts

@@ -2,7 +2,7 @@ import { db } from "@server/db";
 import { resources, targets } from "@server/db";
 import { eq } from "drizzle-orm";
 
-let currentBannedPorts: number[] = [];
+const currentBannedPorts: number[] = [];
 
 export async function pickPort(siteId: number): Promise<{
     internalPort: number;
@@ -15,8 +15,8 @@ export async function pickPort(siteId: number): Promise<{
 
     // TODO: is this all inefficient?
     // Fetch targets for all resources of this site
-    let targetIps: string[] = [];
-    let targetInternalPorts: number[] = [];
+    const targetIps: string[] = [];
+    const targetInternalPorts: number[] = [];
     await Promise.all(
         resourcesRes.map(async (resource) => {
             const targetsRes = await db

server/routers/target/listTargets.ts

@@ -35,7 +35,7 @@ const listTargetsSchema = z.object({
 });
 
 function queryTargets(resourceId: number) {
-    let baseQuery = db
+    const baseQuery = db
         .select({
             targetId: targets.targetId,
             ip: targets.ip,
@@ -99,7 +99,7 @@ export async function listTargets(
 
         const baseQuery = queryTargets(resourceId);
 
-        let countQuery = db
+        const countQuery = db
             .select({ count: sql<number>`cast(count(*) as integer)` })
             .from(targets)
             .where(eq(targets.resourceId, resourceId));

server/routers/ws/ws.ts

@@ -62,7 +62,7 @@ const wss: WebSocketServer = new WebSocketServer({ noServer: true });
 const NODE_ID = uuidv4();
 
 // Client tracking map (local to this node)
-let connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
+const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
 // Helper to get map key
 const getClientMapKey = (clientId: string) => clientId;
 

server/setup/scriptsPg/1.6.0.ts

@@ -36,8 +36,8 @@ export default async function migration() {
         }
 
         // Read and parse the YAML file
-        let rawConfig: any;
         const fileContents = fs.readFileSync(filePath, "utf8");
+        let rawConfig: any;
         rawConfig = yaml.load(fileContents);
 
         if (rawConfig.server?.trust_proxy) {

server/setup/scriptsSqlite/1.0.0-beta10.ts

@@ -23,8 +23,8 @@ export default async function migration() {
         }
 
         // Read and parse the YAML file
-        let rawConfig: any;
         const fileContents = fs.readFileSync(filePath, "utf8");
+        let rawConfig: any;
         rawConfig = yaml.load(fileContents);
 
         delete rawConfig.server.secure_cookies;

server/setup/scriptsSqlite/1.0.0-beta12.ts

@@ -25,8 +25,8 @@ export default async function migration() {
         }
 
         // Read and parse the YAML file
-        let rawConfig: any;
         const fileContents = fs.readFileSync(filePath, "utf8");
+        let rawConfig: any;
         rawConfig = yaml.load(fileContents);
 
         if (!rawConfig.flags) {

server/setup/scriptsSqlite/1.0.0-beta15.ts

@@ -30,8 +30,8 @@ export default async function migration() {
         }
 
         // Read and parse the YAML file
-        let rawConfig: any;
         const fileContents = fs.readFileSync(filePath, "utf8");
+        let rawConfig: any;
         rawConfig = yaml.load(fileContents);
 
         const baseDomain = rawConfig.app.base_domain;

server/setup/scriptsSqlite/1.0.0-beta2.ts

@@ -22,8 +22,8 @@ export default async function migration() {
     }
 
     // Read and parse the YAML file
-    let rawConfig: any;
     const fileContents = fs.readFileSync(filePath, "utf8");
+    let rawConfig: any;
     rawConfig = yaml.load(fileContents);
 
     // Validate the structure

server/setup/scriptsSqlite/1.0.0-beta3.ts

@@ -22,8 +22,8 @@ export default async function migration() {
     }
 
     // Read and parse the YAML file
-    let rawConfig: any;
     const fileContents = fs.readFileSync(filePath, "utf8");
+    let rawConfig: any;
     rawConfig = yaml.load(fileContents);
 
     // Validate the structure

server/setup/scriptsSqlite/1.0.0-beta5.ts

@@ -25,8 +25,8 @@ export default async function migration() {
     }
 
     // Read and parse the YAML file
-    let rawConfig: any;
     const fileContents = fs.readFileSync(filePath, "utf8");
+    let rawConfig: any;
     rawConfig = yaml.load(fileContents);
 
     // Validate the structure

server/setup/scriptsSqlite/1.0.0-beta6.ts

@@ -23,8 +23,8 @@ export default async function migration() {
         }
 
         // Read and parse the YAML file
-        let rawConfig: any;
         const fileContents = fs.readFileSync(filePath, "utf8");
+        let rawConfig: any;
         rawConfig = yaml.load(fileContents);
 
         // Validate the structure

server/setup/scriptsSqlite/1.0.0-beta9.ts

@@ -58,8 +58,8 @@ export default async function migration() {
             }
 
             // Read and parse the YAML file
-            let rawConfig: any;
             const fileContents = fs.readFileSync(filePath, "utf8");
+            let rawConfig: any;
             rawConfig = yaml.load(fileContents);
 
             rawConfig.server.resource_session_request_param =
@@ -122,7 +122,7 @@ export default async function migration() {
             const traefikFileContents = fs.readFileSync(traefikPath, "utf8");
             const traefikConfig = yaml.load(traefikFileContents) as any;
 
-            let parsedConfig: any = schema.safeParse(traefikConfig);
+            const parsedConfig: any = schema.safeParse(traefikConfig);
 
             if (parsedConfig.success) {
                 // Ensure websecure entrypoint exists
@@ -179,7 +179,7 @@ export default async function migration() {
             const traefikFileContents = fs.readFileSync(traefikPath, "utf8");
             const traefikConfig = yaml.load(traefikFileContents) as any;
 
-            let parsedConfig: any = schema.safeParse(traefikConfig);
+            const parsedConfig: any = schema.safeParse(traefikConfig);
 
             if (parsedConfig.success) {
                 // delete permanent from redirect-to-https middleware

server/setup/scriptsSqlite/1.2.0.ts

@@ -43,8 +43,8 @@ export default async function migration() {
         }
 
         // Read and parse the YAML file
-        let rawConfig: any;
         const fileContents = fs.readFileSync(filePath, "utf8");
+        let rawConfig: any;
         rawConfig = yaml.load(fileContents);
 
         if (!rawConfig.flags) {

server/setup/scriptsSqlite/1.3.0.ts

@@ -177,7 +177,8 @@ export default async function migration() {
         }
 
         const fileContents = fs.readFileSync(filePath, "utf8");
-        let rawConfig: any = yaml.load(fileContents);
+        let rawConfig: any;
+        rawConfig = yaml.load(fileContents);
 
         if (!rawConfig.server.secret) {
             rawConfig.server.secret = generateIdFromEntropySize(32);

server/setup/scriptsSqlite/1.5.0.ts

@@ -44,8 +44,8 @@ export default async function migration() {
         }
 
         // Read and parse the YAML file
-        let rawConfig: any;
         const fileContents = fs.readFileSync(filePath, "utf8");
+        let rawConfig: any;
         rawConfig = yaml.load(fileContents);
 
         if (rawConfig.cors?.headers) {

server/setup/scriptsSqlite/1.6.0.ts

@@ -45,8 +45,8 @@ export default async function migration() {
         }
 
         // Read and parse the YAML file
-        let rawConfig: any;
         const fileContents = fs.readFileSync(filePath, "utf8");
+        let rawConfig: any;
         rawConfig = yaml.load(fileContents);
 
         if (rawConfig.server?.trust_proxy) {

src/app/[orgId]/settings/api-keys/create/page.tsx

@@ -108,7 +108,7 @@ export default function Page() {
     async function onSubmit(data: CreateFormValues) {
         setCreateLoading(true);
 
-        let payload: CreateOrgApiKeyBody = {
+        const payload: CreateOrgApiKeyBody = {
             name: data.name
         };
 

src/app/[orgId]/settings/clients/ClientsTable.tsx

@@ -290,7 +290,7 @@ export default function ClientsTable({ clients, orgId }: ClientTableProps) {
                 columns={columns}
                 data={rows}
                 addClient={() => {
-                    router.push(`/${orgId}/settings/clients/create`)
+                    router.push(`/${orgId}/settings/clients/create`);
                 }}
             />
         </>

src/app/[orgId]/settings/clients/create/page.tsx

@@ -280,7 +280,7 @@ export default function Page() {
             return;
         }
 
-        let payload: CreateClientBody = {
+        const payload: CreateClientBody = {
             name: data.name,
             type: data.method as "olm",
             siteIds: data.siteIds.map((site) => parseInt(site.id)),

src/app/[orgId]/settings/resources/[resourceId]/ResourceInfoBox.tsx

@@ -29,7 +29,7 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
     const { isEnabled, isAvailable } = useDockerSocket(site!);
     const t = useTranslations();
 
-    let fullUrl = `${resource.ssl ? "https" : "http"}://${resource.fullDomain}`;
+    const fullUrl = `${resource.ssl ? "https" : "http"}://${resource.fullDomain}`;
 
     return (
         <Alert>

src/app/[orgId]/settings/resources/[resourceId]/proxy/page.tsx

@@ -327,7 +327,7 @@ export default function ReverseProxyTargets(props: {
             setProxySettingsLoading(true);
 
             // Save targets
-            for (let target of targets) {
+            for (const target of targets) {
                 const data = {
                     ip: target.ip,
                     port: target.port,

src/app/[orgId]/settings/resources/[resourceId]/rules/page.tsx

@@ -271,7 +271,7 @@ export default function ResourceRules(props: {
             }
 
             // Save rules
-            for (let rule of rules) {
+            for (const rule of rules) {
                 const data = {
                     action: rule.action,
                     match: rule.match,
@@ -348,7 +348,7 @@ export default function ResourceRules(props: {
 
                 setRules([
                     ...rules.map((r) => {
-                        let res = {
+                        const res = {
                             ...r,
                             new: false,
                             updated: false

src/app/[orgId]/settings/sites/create/page.tsx

@@ -291,10 +291,10 @@ WantedBy=default.target`
             },
             nixos: {
                 x86_64: [
-                    `nix run 'nixpkgs#fosrl-newt' --id ${id} --secret ${secret} --endpoint ${endpoint}`
+                    `nix run 'nixpkgs#fosrl-newt' -- --id ${id} --secret ${secret} --endpoint ${endpoint}`
                 ],
                 aarch64: [
-                    `nix run 'nixpkgs#fosrl-newt' --id ${id} --secret ${secret} --endpoint ${endpoint}`
+                    `nix run 'nixpkgs#fosrl-newt' -- --id ${id} --secret ${secret} --endpoint ${endpoint}`
                 ]
             }
         };

src/app/admin/api-keys/create/page.tsx

@@ -106,7 +106,7 @@ export default function Page() {
     async function onSubmit(data: CreateFormValues) {
         setCreateLoading(true);
 
-        let payload: CreateOrgApiKeyBody = {
+        const payload: CreateOrgApiKeyBody = {
             name: data.name
         };
 

src/app/layout.tsx

@@ -34,7 +34,7 @@ export default async function RootLayout({
     const env = pullEnv();
     const locale = await getLocale();
 
-    let supporterData = {
+    const supporterData = {
         visible: true
     } as any;
 

src/components/LocaleSwitcher.tsx

@@ -52,6 +52,10 @@ export default function LocaleSwitcher() {
                 {
                     value: "ko-KR",
                     label: "한국어"
+                },
+                {
+                    value: "nb-NO",
+                    label: "Norsk (Bokmål)"
                 }
             ]}
         />

src/i18n/config.ts

@@ -1,4 +1,4 @@
 export type Locale = (typeof locales)[number];
 
-export const locales = ['en-US', 'es-ES', 'fr-FR', 'de-DE', 'nl-NL', 'it-IT', 'pl-PL', 'pt-PT', 'tr-TR', 'zh-CN', 'ko-KR', 'bg-BG', 'cs-CZ', 'ru-RU'] as const;
+export const locales = ['en-US', 'es-ES', 'fr-FR', 'de-DE', 'nl-NL', 'it-IT', 'pl-PL', 'pt-PT', 'tr-TR', 'zh-CN', 'ko-KR', 'bg-BG', 'cs-CZ', 'ru-RU', 'nb-NO'] as const;
 export const defaultLocale: Locale = 'en-US';

tsconfig.json

@@ -25,7 +25,7 @@
                 "name": "next"
             }
         ],
-        "target": "ES2017"
+        "target": "ES2022"
     },
     "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
     "exclude": ["node_modules"]