Skip to main content

0.3.0

ยท 11795 words
Downloads for 0.3.0

Excalibur 0.3 brings about huge changes to the project. Here are some of the highlights:

  • Desktop Support: Excalibur now runs as a standalone desktop application on Windows, macOS, and Ubuntu!
  • Multiple Concurrent Jobs: Support for multiple current uploads/downloads is here! Folder uploads are now also possible.
  • Auto Token Refreshing: There's no more token expiry countdown! The authentication token now refreshes automatically.
  • Item Moving: You can now move items between folders.
    • The user interface for moving items is a bit clunky. This will be worked on in the next update.

The Excalibur documentation website was also updated in this release.

Unfortunately, this release does bring about some breaking changes. Please follow the 0.3 upgrade guide to upgrade your Excalibur instance to version 0.3.

Read all about the changes to Excalibur below. Enjoy!

Appโ€‹

๐Ÿ”’ Securityโ€‹

  • Updated the Excalibur Encryption Format (ExEF) to version 3, which includes the following changes:
    • Reduced size of the Version field from 2 bytes to 1 byte
    • Replaced Key Size field with Cipher ID field for greater flexibility of choice of encryption algorithm, and reduced its size from 2 bytes to 1 byte
    • Added Header MAC field for quick verification of the decryption key (solving the issue of 'decrypting' the entire file before seeing that the AES-GCM tag does not match)
  • Use proof-of-possession token along any heartbeat request that asks for authentication validity

โœจ Additionsโ€‹

  • Added auto token refreshing, eliminating the need for a countdown before logout
  • Added support for multiple in-progress upload/download tasks
  • Added ability to cancel in-progress upload/download tasks
  • Added support for full-folder uploads
  • Added ability for the app to listen for any folder changes from the server
  • Added support for Electron desktop builds
  • Added ability to move items between folders
    • The current UI for moving items is a bit clunky; this will be improved upon in a future release
  • Added support for drag-and-drop uploads for non-mobile builds
  • Created a new user sign up page
    • New users will now need to provide the Account Creation Key (ACK) mnemonic to create an account
    • In particular, we now use BIP39 to generate a mnemonic from ACK
  • Added a "parent directory" option to subfolders to allow you to navigate back to the parent directory
  • Made right-clicking bring up the context menu
  • Added a new setting to allow users to change files'/folders' icon types:
    • Default: files' icons are outlined, folders' icons are solid
    • Reversed: files' icons are solid, folders' icons are outlined
    • All Outlined: all icons are outlined
    • All Solid: all icons are solid
  • Added automatic checking for updates

โœ๏ธ Changesโ€‹

  • Changed vault key dialog to show a mnemonic of the vault key instead of the raw hex
    • The mnemonic is generated using BIP39
  • Changed the default crypto chunk size from 512 KiB to 256 KiB

๐Ÿš„ Performance Improvementsโ€‹

  • Moved most encryption/decryption operations to crypto workers
  • Refactored code that handles encryption/decryption of requests. This should improve the speed and responsiveness of the cryptographic operations in the file explorer
  • Use chunked file reads on native systems to improve the efficiency of the app
  • Included local font files in the app to make loading faster
  • Made the server URL check in the server choice page run in parallel, reducing the total time needed to check all possible API URLs

๐Ÿ”ง Fixesโ€‹

  • Fixed an issue where scrolling the file list does not keep the breadcrumbs and file header at the top of the page
  • Fixed an issue where the server version does not refresh even after the server gets updated
  • Fixed a bug where kicking back to the login screen did not log out the user, still displaying the username on the side menu on the login page
  • Fixed several dark/light mode inconsistencies

โš ๏ธ Deprecationsโ€‹

  • Deprecated ExEF version 2 in favour of ExEF version 3

๐Ÿ—‘๏ธ Removalsโ€‹

  • Removed credits from app; moved credits to the website instead
  • Removed support for PWA-on-server builds

๐Ÿ“ฆ Dependenciesโ€‹

  • Switched to pnpm for dependency management
  • Updated js-yaml transitive dependency version from 4.1.0 to 4.1.1 to address CVE-2025-64718
  • Updated glob transitive dependency version from 11.0.3 to 11.1.0 to address CVE-2025-64756
  • Updated Capacitor to Version 8. This required updates to a few dependencies:
    • @capacitor/android from 7.4.3 to 8.0.0
    • @capacitor/app from 7.1.0 to 8.0.0
    • @capacitor/core from 7.4.3 to 8.0.0
    • @capacitor/cli from 7.4.3 to 8.0.0
    • @capacitor/filesystem from 7.1.4 to 8.0.0
    • @capacitor/keyboard from 7.0.3 to 8.0.0
    • @capacitor/preferences from 7.0.2 to 8.0.0
    • @capacitor/privacy-screen from 1.1.1 to 2.0.0
    • @capacitor/screen-orientation from 7.0.2 to 8.0.0
    • @capawesome/capacitor-file-picker from 7.2.0 to 8.0.0
  • Updated android dependencies:
    • AGP from 8.13.0 to 8.13.2
    • AndroidX activity from 1.9.2 to 1.11.0
    • AndroidX core from 1.15.0 to 1.17.0
    • AndroidX Espresso Core from 3.6.1 to 3.7.0
    • AndroidX fragment from 1.8.4 to 1.8.9
    • AndroidX JUnit from 1.2.1 to 1.3.0
    • AndroidX WebKit from 1.12.1 to 1.14.0
    • Core splash screen from 1.0.1 to 1.2.0
    • Cordova Android from 10.1.1 to 14.0.1
  • Updated Cypress from 15.3.0 to 15.8.1
  • Updated ESLint dependencies:
    • eslint from 9.37.0 to 9.39.2
    • @eslint/js from 9.37.0 to 9.39.2
    • eslint-plugin-react-hooks from 7.0.0 to 7.0.1
    • eslint-plugin-react-refresh from 0.4.23 to 0.4.26
    • typescript-eslint from 8.46.1 to 8.50.1
  • Updated Ionic dependencies:
    • @ionic/core from 8.7.5 to 8.7.15
    • @ionic/react from 8.7.5 to 8.7.15
    • @ionic/react-router from 8.7.5 to 8.7.15
  • Updated Prettier dependencies:
    • prettier from 3.6.2 to 3.7.4
    • prettier-plugin-tailwindcss from 0.6.14 to 0.7.2
    • @trivago/prettier-plugin-sort-imports from 5.2.2 to 6.0.0
  • Updated React dependencies:
    • react from 19.2.0 to 19.2.3
    • react-dom from 19.2.0 to 19.2.3
  • Updated TailwindCSS dependencies:
    • tailwindcss from 4.1.14 to 4.1.18
    • @tailwindcss/vite from 4.1.14 to 4.1.18
  • Updated Vite dependencies:
    • vite from 7.1.11 to 7.3.0
    • @vitejs/plugin-react from 5.0.4 to 5.1.2
  • Updated globals from 16.4.0 to 16.5.0
  • Updated jsonwebtoken from 9.0.3 to 9.0.4
  • Updated lint-staged from 16.2.3 to 16.2.4
  • Updated lint-staged from 16.2.4 to 16.2.6
  • Updated vitest from 3.2.4 to 4.0.16
  • Updated various type dependencies:
    • @types/node from 24.10.1 to 25.0.3
    • @types/react from 19.2.0 to 19.2.7
    • @types/react-dom from 19.2.0 to 19.2.3

โš™๏ธ Internalโ€‹

  • Made end-to-end Cypress tests more reliable
  • Added more Cypress end-to-end tests
  • Added tests for invalid ExEF file handling
  • Bump GitHub actions' actions versions
    • actions/checkout from v5 to v6
    • actions/setup-node from v5 to v6
    • actions/setup-python from v5 to v6
    • actions/upload-artifact from v5 to v6
    • astral-sh/setup-uv from v6.5.0 to v7 (with corresponding uv version bumped from 0.8.17 to 0.9.18)
  • Fixed incorrect attestation path for the PWA in the release-builds.yml workflow
  • Refactored the structure of the FileExplorer page to be less complex and more maintainable
  • Slightly modified TailwindCSS class specification to be aligned to the "canonical form" and also reduce spurious styling

Serverโ€‹

๐Ÿ”’ Securityโ€‹

  • Updated the Excalibur Encryption Format (ExEF) to version 3, which includes the following changes:
    • Reduced size of the Version field from 2 bytes to 1 byte
    • Replaced Key Size field with Cipher ID field for greater flexibility of choice of encryption algorithm, and reduced its size from 2 bytes to 1 byte
    • Added Header MAC field for quick verification of the decryption key (solving the issue of 'decrypting' the entire file before seeing that the AES-GCM tag does not match)
  • Added a requirement for a proof-of-possession (PoP) token to be sent along any heartbeat request that asks for authentication validity

โœจ Additionsโ€‹

  • Added SRP proof-of-possession checking for some WebSocket endpoints
  • Added config subcommands to the CLI:
    • config validate: Validates the config file
    • config update: Updates the config file to the latest version
  • Added a WebSocket endpoint (/api/files/listen) that allows clients to listen for directory changes
  • Added an endpoint for token refreshing
  • Added an endpoint that allows moving of items
  • Added an option (--log/--no-log or -l/-L) that enables/disables logging to console
  • Added a new configuration field to automatically delete old logs

โœ๏ธ Changesโ€‹

  • Changed account creation key to be a 32-byte random key
    • Using excalibur user ack will now print the mnemonic for the key instead of the key itself
  • Changed delay parameter in the CLI to accept both an incoming and outgoing delay (both in milliseconds)
  • Changed option that enables/disables logging to file from --logging/--no-logging (-l/-L) to --log-to-file/--no-log-to-file (-f/-F)
  • Changed the WebSocket ping interval from the Uvicorn default 20 seconds to 30 seconds
  • Disabled WebSocket logs
  • Edited some API endpoints' descriptions to be more descriptive
  • Tags that are not relevant to the current running of the server (e.g., non-debug mode, non-PWA) are now hidden

๐Ÿ”ง Fixesโ€‹

  • Fixed issue with server not correctly handling delay for WebSockets' requests

โš ๏ธ Deprecationsโ€‹

  • Deprecated ExEF version 2 in favour of ExEF version 3

๐Ÿ—‘๏ธ Removalsโ€‹

  • Removed support for PWA server builds

๐Ÿ“ฆ Dependenciesโ€‹

  • Updated aiofiles from 24.1.0 to 25.1.0
  • Updated alembic from 1.16.5 to 1.17.2
  • Updated cachetools from 6.2.0 to 6.2.4
  • Updated fastapi from 0.118.0 to 0.127.0
  • Updated Pydantic dependencies:
    • pydantic from 2.11.9 to 2.12.5
    • pydantic-core from 2.33.2 to 2.41.5
    • pydantic-settings from 2.11.0 to 2.12.0
  • Updated sqlalchemy from 2.0.43 to 2.0.45
  • Updated sqlmodel from 0.0.25 to 0.0.29
  • Updated typer from 0.19.2 to 0.20.1
  • Updated uvicorn from 0.37.0 to 0.40.0
  • Updated ipython development dependency from 9.6.0 to 9.8.0
  • Updated pytest development dependency from 8.4.2 to 9.0.2
  • Updated ruff development dependency from 0.13.3 to 0.14.10

โš™๏ธ Internalโ€‹

  • Updated minimum supported uv package manager version from 0.8.17 to 0.9.3
  • Added an internal debugging endpoint that generates a PoP header
  • Changed internal PoP check flag from EXCALIBUR_SERVER_HMAC_ENABLED to EXCALIBUR_SERVER_POP_ENABLED
  • Changed references to RFC7231 status codes to the latest RFC9110 names (see Starlette #2939):
    • HTTP_413_REQUEST_ENTITY_TOO_LARGE to HTTP_413_CONTENT_TOO_LARGE
    • HTTP_414_REQUEST_URI_TOO_LONG to HTTP_414_URI_TOO_LONG
    • HTTP_416_REQUESTED_RANGE_NOT_SATISFIABLE to HTTP_416_RANGE_NOT_SATISFIABLE
    • HTTP_422_UNPROCESSABLE_ENTITY to HTTP_422_UNPROCESSABLE_CONTENT
  • Edited the excalibur test command to allow running specific tests
  • Refactored the code in the files subdirectory of the API
  • Removed reference to license-files in pyproject.toml