0.5.1

Excalibur 0.5.1 includes minor changes to the app to improve the overall experience for users.

App

✨ New Features

  • 💄 Added directory item count to the file explorer page

🔄 Changes

  • 💄 Made the breadcrumbs on the top of the file explorer scrollable

🐛 Bug Fixes

  • 🐛 Fixed scrollbar appearing on the search dialog if the main window size is too small

⬆️ Dependencies

  • ⬆️ Updated Capacitor dependencies:

    • @capacitor/keyboard from 8.0.1 to 8.0.2
  • ⬆️ Updated Ionic dependencies:

    • @ionic/core from 8.8.1 to 8.8.2
    • @ionic/react from 8.8.1 to 8.8.2
    • @ionic/react-router from 8.8.1 to 8.8.2
  • ⬆️ Updated TailwindCSS dependencies:

    • tailwindcss from 4.2.1 to 4.2.2
    • @tailwindcss/vite from 4.2.1 to 4.2.2
  • ⬆️ Updated baseline-browser-mapping dependency from 2.10.7 to 2.10.11

  • ⬆️ Updated vitest development dependency from 4.1.0 to 4.1.2

Server

⬆️ Dependencies

  • ⬇️ Downgraded sqlalchemy from 2.0.48 to 2.0.44
  • ⬆️ Updated fastapi from 0.135.1 to 0.135.2
  • ⬆️ Updated ruff development dependency from 0.15.6 to 0.15.8

🧹 Miscellaneous

  • 🐛 Fixed an internal issue where running the alembic database revision creation command would fail
    • This is related to the downgrade of the SQLAlchemy version

0.5.0

Excalibur 0.5 includes many new features and improvements to the project. Here are some of the highlights:

  • Refreshed Interface: We've updated the user interface of the Excalibur app to follow Material Design 3 and to use TailwindCSS's colours.
  • File Upload Progress: Previously the upload progress of files was left as indeterminate. Now it shows the actual progress of the upload!
  • New Move Dialog: The old move dialog was a bit clunky and unpolished. In this update, we've replaced it with a new, more user-friendly dialog.
  • File Searching: You can now search for files in the Excalibur app. You can also just download the files directly from the search results!

The Excalibur documentation website was also updated in this release.

Do note that there are some breaking changes to the Excalibur server in this release. Please follow the 0.5 upgrade guide to upgrade your Excalibur instance to version 0.5.

Read all about the changes to Excalibur below. Enjoy!

App

🔒️ Security

  • 🔒️ Amended some POST requests to have their bodies encrypted
    • Specifically, the /api/files/mkdir, /api/files/move, and /api/files/rename endpoints used to send their POST bodies in the clear. Now they are encrypted using the shared end-to-end encryption key
  • 🔒️ Path parameters will now be encrypted by default
  • 🔒️ Overrode the version minima of several dependencies in pnpm-workspace.yaml to address security vulnerabilities:
    • CVE-2026-25547: @isaacs/brace-expansion to 5.0.1
    • CVE-2025-69873: ajv to 6.14.0
    • CVE-2026-25639: axios to 1.13.5
    • CVE-2026-2739: bn.js@<4.12.3 to 5.2.3 and bn.js@>=5.0.0 <5.2.3 to 5.2.3
    • CVE-2026-32141: flatted to 3.4.0
    • CVE-2026-26996, CVE-2026-27903, and CVE-2026-27904: minimatch@<3.1.4 to 3.1.4, minimatch@>=5.0.0 <5.1.8 to 5.1.8, minimatch@>=9.0.0 <9.0.7 to 9.0.7, and minimatch@>=10.0.0 <10.2.3 to 10.2.3
    • CVE-2026-2391: qs to 6.14.2
    • CVE-2026-27606: rollup to 4.59.0
    • CVE-2026-26960, CVE-2026-29786, and CVE-2026-31802: tar to 7.5.11
    • CVE-2026-31988: yauzl to 3.2.1

✨ New Features

  • 💄 Refreshed the look of the app
    • Updated colour palette for light and dark modes
    • Changed look of some components to match Material Design 3
  • 🚸 Added file upload progress to all upload jobs
  • ✨ Created a new move dialog
  • ✨ Added ability to search for files
  • ✨ Added a crypto key strength option in the settings
    • The default key strength is 128 bits; you can change it to 192 or 256 bits as needed
  • ✨ Added caps lock indicator to login page

🔄 Changes

  • 🚸 Changed the way toasts are displayed to allow new toasts to replace old ones
  • 🚸 Modified the server compatibility message to include the version of Excalibur that is incompatible with the server
  • ✏️ Changed "Operations" to "Crypto" in the settings

🐛 Bug Fixes

  • 🐛 Fixed an issue where the toast popup on the file explorer would block the floating action button's actions

♻️ Code Refactoring

  • ♻️ Allowed ExEF strength to be configured independently of the given encryption key
  • ⚰️ Removed heartbeat check
    • Heartbeat check is no longer necessary as the client can simply observe the responses to the requests made to the server
  • ♻️ Changed Cypress.env() calls to Cypress.expose() in tests, following the advice of this migration guide
  • ♻️ Replaced references to process.env.NODE_ENV === "development" and the like with a reference to the new IS_DEV constant
  • 🔧 Configured Android project to use Daemon JVM Toolchains

⬆️ Dependencies

  • ⬆️ Updated Capacitor dependencies:

    • @capacitor/android from 8.0.0 to 8.2.0
    • @capacitor/app from 8.0.0 to 8.0.1
    • @capacitor/cli from 8.0.0 to 8.2.0
    • @capacitor/core from 8.0.0 to 8.2.0
    • @capacitor/filesystem from 8.0.0 to 8.1.2
    • @capacitor/keyboard from 8.0.0 to 8.0.1
    • @capacitor/preferences from 8.0.0 to 8.0.1
    • @capacitor/privacy-screen from 2.0.0 to 2.0.1
    • @capawesome/capacitor-file-picker from 8.0.0 to 8.0.2
    • capacitor-blob-writer from 1.1.19 to 1.1.20
  • ⬆️ Updated ESLint development dependencies:

    • eslint from 9.39.2 to 9.39.3
    • eslint-plugin-cypress from 5.2.1 to 6.1.0
    • eslint-plugin-react-refresh from 0.4.26 to 0.5.2
    • typescript-eslint from 8.52.0 to 8.56.1
  • ⬆️ Updated Electron dependencies:

    • dmg-builder from 26.4.0 to 26.8.1
    • electron-builder from 26.4.0 to 26.8.1
    • electron-builder-squirrel-windows from 26.4.0 to 26.8.1
    • electron-updater from 6.7.3 to 6.8.3
  • ⬆️ Updated Ionic dependencies:

    • @ionic/core from 8.7.16 to 8.8.1
    • @ionic/react from 8.7.16 to 8.8.1
    • @ionic/react-router from 8.7.16 to 8.8.1
  • ⬆️ Updated React dependencies:

    • react from 19.2.3 to 19.2.4
    • react-dom from 19.2.3 to 19.2.4
  • ⬆️ Updated TailwindCSS dependencies:

    • tailwindcss from 4.1.18 to 4.2.1
    • @tailwindcss/vite from 4.1.18 to 4.2.1
  • ⬆️ Updated Vite dependencies:

    • vite-plugin-node-polyfills from 0.24.0 to 0.25.0
    • vitest from 4.0.16 to 4.1.0
    • @vitejs/plugin-react from 5.1.2 to 5.1.4
  • ⬆️ Updated immer from 11.1.3 to 11.1.4

  • ⬆️ Updated cypress development dependency from 15.8.2 to 15.11.0

  • ⬆️ Updated globals development dependency from 17.0.0 to 17.4.0

  • ⬆️ Updated lint-staged development dependency from 16.2.7 to 16.3.3

  • ⬆️ Updated prettier development dependency from 3.7.4 to 3.8.1

  • ⬆️ Updated type dependencies:

    • @types/node from 25.0.6 to 25.5.0
    • @types/react from 19.2.8 to 19.2.14

🧹 Miscellaneous

  • 🧑‍💻 Added some internal test pages for development purposes:
    • TestPage (/dev/test): Basic test page for development
    • ExEFPage (/dev/exef): Test page for ExEF encryption/decryption

Server

🔒️ Security

  • 🔒️ Path parameters can now be specified as encrypted by adding the X-Encrypted: true header
    • The encrypted value must use the ExEF and be URL-safe base64 encoded
  • 🔒️ Overrode the version minimum of pyjwt in pyproject.toml to 2.12.0 to address CVE-2026-32597 (#15)

💥 Breaking Changes

  • 💥 Changed CLI options for the start command:
    • --host can now be specified with -h
    • --port can now be specified with -p
    • --encrypt-responses/--no-encrypt-responses no longer has the short forms of -e/-E
    • --delay no longer has the short form of -d
    • --enable-cors/--disable-cors no longer has the short forms of -c/-C
    • --clean-up-logs/--no-clean-up-logs can now be specified with -c/-C
  • 💥 Removed heartbeat endpoint (/api/well-known/heartbeat)
    • We removed this endpoint as its use is no longer necessary. We assume that the client will be able to discern whether they are still connected to the server by observing the responses to the requests made to the server
    • Accordingly, the default template value of the logging.no_log_endpoints configuration option was updated to remove this endpoint
  • 💥 Changed the path in the upload file endpoint (/api/files/upload/{path:path}) to be the file path instead of the file's containing directory; also removed the name query parameter
  • 💥 Renamed /api/files/list/{path}'s with_exef_header query parameter to include_exef_size

✨ New Features

  • ✨ Added new file searching endpoint at /api/files/search
  • 🔧 Added a crypto key strength configuration field
    • The default key strength is 128 bits; you can change it to 192 or 256 bits as needed
  • ✨ Added a new CLI option to the start command to enable or disable Proof of Possession (PoP) checking
    • It is recommended to only disable PoP checking when debugging

🔄 Changes

  • 🔧 Added the /api/docs endpoint as a default endpoint that is ignored in the logging.no_log_endpoints field
  • 🗃️ Updated DuckDB from 1.3 Ossivalis to 1.4 Andium (LTS)

♻️ Code Refactoring

  • ♻️ Replaced references to os.getenv and os.environ with calls to functions in env.py for easier management and less repeated code
  • ♻️ Renamed internal use of EXCALIBUR_SERVER_POP_ENABLED to EXCALIBUR_SERVER_ENABLE_POP
  • ♻️ Modified style of cryptography middleware logging to make it show up on the logs again
  • 🚚 Renamed listings.py in excalibur_server/src/files to utils.py

⬆️ Dependencies

  • ⬆️ Updated minimum uv version from 0.9.3 in pyproject.toml and 0.9.18 in GitHub Actions to 0.9.30
    • We will be updating the uv version to the 0.10.x series in the future
  • ⬆️ Updated alembic from 1.18.0 to 1.18.4
  • ⬆️ Updated duckdb from 1.3.2 to 1.4.4
  • ⬆️ Updated fastapi from 0.128.0 to 0.135.1
  • ⬆️ Updated pydantic-settings from 2.12.0 to 2.13.1
  • ⬆️ Updated pyjwt from 2.10.1 to 2.12.1
  • ⬆️ Updated sqlalchemy from 2.0.45 to 2.0.48
  • ⬆️ Updated sqlmodel from 0.0.31 to 0.0.37
  • ⬆️ Updated tomlkit from 0.13.3 to 0.14.0
  • ⬆️ Updated typer from 0.21.1 to 0.24.1
  • ⬆️ Updated uvicorn from 0.40.0 to 0.41.0
  • ⬆️ Updated ipython development dependency from 9.9.0 to 9.10.0
  • ⬆️ Updated ruff development dependency from 0.14.11 to 0.15.6

0.4.4

This is a security release that overrides the version minima of some dependencies.

Note: Version 0.4.3 was skipped due to a misconfigured dependency version preventing the release action from completing successfully. Its changes were combined with 0.4.4's changes below.

App

🔒 Security

  • Overrode the diff version minimum to ^5.2.2 in pnpm-workspace.yaml to address CVE-2026-24001
  • Overrode the lodash and lodash-es version minima to ^4.17.23 in pnpm-workspace.yaml to address CVE-2025-13465
  • Overrode the tar version minimum to ^7.5.7 in pnpm-workspace.yaml to address CVE-2026-24842 and CVE-2026-23950

📦 Dependencies

  • Updated @capacitor/cli from 8.0.0 to 8.0.2

Server

No significant changes.

0.4.2

Excalibur 0.4.2 removes heartbeat checking on the client to fix an annoying (but technically intended) bug.

Note that the server still has the heartbeat endpoint, but it is now unused. The removal of this endpoint will come in Excalibur 0.5.

App

🔧 Fixes

  • Fixed an issue on mobile where navigating to file selection and taking too long would kick the user back to the login screen
    • Related to heartbeat checking

🗑️ Removals

  • Removed heartbeat checking

Server

No significant changes.

0.4.1

Excalibur 0.4.1 is a hotfix release fixing two big issues with the app.

App

🔧 Fixes

  • Fixed issue where opening list of active jobs would trigger a refresh of the file list
  • Fixed issue where a token refresh would not prompt the client to reconnect to the file listener

Server

✏️ Changes

  • Made /api/auth/token also disconnect the user from the update manager

🔧 Fixes

  • Fixed minor issue where attempting to send messages to disconnected sockets would cause the entire file listener to fail