v1.9.2

Warning

This release introduces breaking changes.
Review carefully the upgrading notes

Important

This release introduces security fixes.

🐳 New Docker images

Update available upon the following tags : 1.9, 1.9.2 and latest.
Recommended tag :

• API : ghcr.io/seaweedbraincy/zero-totp-api:1.9
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.9

Exact tag :

• API : ghcr.io/seaweedbraincy/zero-totp-api:1.9.2
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.9.2

Latest tag:

• API : ghcr.io/seaweedbraincy/zero-totp-api:latest
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:latest

What's Changed

• Angular bumped to angular v20
• Bump idna from 3.7 to 3.10
• Bump exceptiongroup from 1.1.3 to 1.3.0
• Bump opentelemetry-api from 1.22.0 to 1.34.1
• Bump google-auth-oauthlib from 1.1.0 to 1.2.2
• Bump google-api-python-client from 2.171.0 to 2.175.0
• Add a trivy scan after every images deployment to spot known vulnerabilities
• The latest tag is only pushed, when all tests (including e2e-tests) passed

What's fixed

• Downgrade to connexion 3.1 due to spec-first/connexion#2029
• Due to permissions issue with the frontend docker container, the frontend now follows the same scheme as the API : It starts as root, set up all files and permissions and then drops permission to use a non-root user.
• fix CVE-2025-30360 CVE-2025-30359 CVE-2025-46565 CVE-2025-32997 CVE-2025-32996 CVE-2025-32395 CVE-2025-31486

Breaking changes

🚨 This version introduces breaking change. Kindly check the how to below BEFORE upgrading

TL;DR :

docker-compose.yml :

  frontend:
    container_name: frontend
    image: ghcr.io/seaweedbraincy/zero-totp-frontend:latest
-   user: 101:101
+   environment:
+      USER_UID: 101
+      USER_GID: 101
    ports:
      - 4200:80
    volumes:
      - ./frontend/log:/var/log/nginx
    restart: always

Description :

• The frontend needs to setup files and permission at startup that require root privileges. Once, setup the entrypoint will drop root privileges and use a non-root user to execute nginx that will serve the frontend. The default non-root user is 101:101, but you can use any user id and group id with the env variables listed below.
• Dockerfile and docker compose must not contain any non-root user, otherwise the frontend entrypoint will not be able to configure files and permissions properly. No matter what, the entrypoint will completely drop the root privileges. This doesn't change the default behavior, the frontend will still run as non-root user.

v1.8.0

Important

This release introduce breaking changes.
Review carefully the upgrading notes

🐳 New Docker images

Update available upon the following tags : 1.8, 1.8.0 and latest.
Recommended tag :

• API : ghcr.io/seaweedbraincy/zero-totp-api:1.8
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.8

Exact tag :

• API : ghcr.io/seaweedbraincy/zero-totp-api:1.8.1
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.8.1

Latest tag:

• API : ghcr.io/seaweedbraincy/zero-totp-api:latest
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:latest

What's Changed

• Zero-TOTP status in no longer present in the footer of self-hosted Zero-TOTP tenants.
• Add a FAQ section dedicated to Google Drive backups
• Google drive storage option can now be disabled at a tenant level for self hosted version
• Signup can now be disabled at a tenant level for self hosted version

What's fixed

• When a user de-associated their google drive account not from Zero-TOTP, Zero-TOTP wasn't correctly unapproved in google drive, therefore creating issues when the user tried to re-associate the account. Now the API catch this kind of issue, and the frontend display to the user a way to fix this.
• Update some deprecated code

Breaking changes

🚨 This version introduces breaking change. Kindly check the how to below BEFORE upgrading

TL;DR :

config.yml :

api:

[...]

-    oauth: 
-           client_secret_file_path: ".secret/client_secret.json"

[...]

features:

[...]

+    ## Optional
+    ## Google Drive automatic backup
+    ## Allow the users to link their Google Drive account to the API and automatically backup their vaults.
+    ## Follow the documentation to set up the Google Drive OAuth credentials.
+    # google_drive_backup:
+        ## Enable or disable the Google Drive automatic backup feature.
+        ## Default: false
+        # enabled: false

+        ## The path to the client secret file used to authenticate with Google Drive.
+        ## This file must be in JSON format and contain the OAuth credentials.
+        ## See https://developers.google.com/identity/protocols/oauth2 for more information.
+        # client_secret_file_path: ".secret/client_secret.json"

Description :

• The client_secret_file_path key, that was defined in api.oauth section of the config.yml file is not located in the feature section, under :

features:
     google_drive_backup:
        enabled: true
        client_secret_file_path: ".secret/client_secret.json

Note that google drive backups option needs to be globally enable to be available for users.

How to upgrade

• Remove the oauth section api
• If you wish to enable google drive backup options for your users, add

     google_drive_backup:
        enabled: true
        client_secret_file_path: ".secret/client_secret.json

in the features section

v1.7.1

Important

This release introduce security fixes.
Upgrade to this version as soon as possible

🐳 New Docker images

Update available upon the following tags : 1.7, 1.7.1 and latest.
Recommended tag :

• API : ghcr.io/seaweedbraincy/zero-totp-api:1.7
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.7

Exact tag :

• API : ghcr.io/seaweedbraincy/zero-totp-api:1.7.1
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.7.1

Latest tag:

• API : ghcr.io/seaweedbraincy/zero-totp-api:latest
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:latest

What's Changed

• Users can now add a TOTP code by simply tapping of a little + button at the bottom right hand corner of the vault page
• Users are no longer logged out when refreshing the app. Instead, they can still interact with all their accounts settings and must re-type their password to unlock their vault. This is closer to what really happen and is easier for users.
• Transition betweens page are now smooths
• Following dependencies have been updated:
  * Bump ruamel-yaml-clib from 0.2.8 to 0.2.12
  * Bump bcrypt from 4.0.1 to 4.3.0
  * Bump alembic from 1.13.1 to 1.16.2
  * Bump identify from 2.6.9 to 2.6.12
  * Bump urllib3 from 2.2.2 to 2.5.0

What's fixed

• Assets cleanup
• The following vulnerabilities impacting Zero-TOTP dependencies have been fixed:
  • CVE-2025-50182
  • CVE-2025-50181
  • CVE-2025-4565

v1.6.4

Important

This release introduce security fixes.
Upgrade to this version as soon as possible

🐳 New Docker images

Update available upon the following tags : 1.6, 1.6.4 and latest.
Recommended tag :

• API : ghcr.io/seaweedbraincy/zero-totp-api:1.6
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.6

Exact tag :

• API : ghcr.io/seaweedbraincy/zero-totp-api:1.6.4
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.6.4

Latest tag:

• API : ghcr.io/seaweedbraincy/zero-totp-api:latest
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:latest

What's Changed

• Frontend docker container has now a buit-in healthcheck script
• Bump google-api-core from 2.14.0 to 2.24.2
• Bump python-dotenv from 1.0.0 to 1.1.0
• Bump google-api-python-client from 2.108.0 to 2.171.0
• Bump ruamel-yaml from 0.18.5 to 0.18.14
• Bump requests from 2.32.3 to 2.32.4
• bump google-auth-httplib2 to 0.2.0
• Legacy code cleaning (mostly code related to JWTs that were used in the past as session token)
• Bump google-api-core from 2.14.0 to 2.24.2

What's fixed

• The following vulnerabilities impacting Zero-TOTP dependencies have been fixed:
  • CVE-2024-47081
  • CVE-2025-5889
  • CVE-2025-5889

v1.6.3

Important

This release introduce breaking changes.
Review the upgrade notice before updating.

What's Changed

• You can now use your own privacy policy for self hosted instances.
  • Current Zero-TOTP privacy policy is now available at https://github.com/SeaweedbrainCY/zero-totp/tree/main/api/assets/privacy_policy
  • To use your own privacy policy, simply create one of the following files : privacy_policy_en.md or privacy_policy_fr.md in your mounted folder ./config/assets/privacy_policy. This will override the default privacy policy.
• In signup and login pages, the currently used instance is now displayed. Especially for self-hosted version, the current instance is flagged as such and displayed to the user. A warning message has also been added to make the user aware of the difference between the official version (zero-totp.com) and the self hosted version.
• Zero-TOTP has always ran as a non-root user. Thus, to ensure the API is correctly set up, the container now requires to run as root, and is then switching to a non-root user by it-self when starting the API. This is crucial to handle how the API is setup, and ensure it will start. By default 1001:1001 is used, but it can be customized with USER_UID and USER_GUID env varibles. See below the upgrade notice for more information.

Warning

If you are using a different user than 1001:1001, make sure to specify it is env variables to ensure not breaking file access by the API

• API logs have been moved from /var/log/api/ to /api/logs/

What's fixed

• The signup process doesn't require anymore the user to re-type the phrase 'My passphrase is strong and I won't forger it'. Instead a more user-friendly pop-up is displayed to ensure the user understands the importance of the passphrase and that it is strong enough.

Upgrade notice

• 🔧 This upgrade introduces breaking changes

Breaking changes and how to update

• TL;DR :
  - Remove user:1001:1001 from api conf in docker-compose.yml
  - Change /api/log:/var/log/api to /api/log/:/api/logs/ in api mounted volumes
• The API needs to be root to start. It will then drop those rights and launch gunicorn as non-root user once the API is correctly set up.
  • Therefore, the docker-compose file, for the API must NOT contain a user: parameter.
  • By default, the API will be ran as 1001:1001, if you want to change this value, you can set up the following optional env variables in the docker file : USER_UID and USER_GUID.
• Logs are not located in /api/logs in the container. Make sure to update the mounter volume to continue keeping API logs.

Breaking changes overview in docker-compose.yml:

[...]
  api:
    container_name: api
    image: ghcr.io/seaweedbraincy/zero-totp-api:1.6.3
-   user: '1001:1001'
    ports:
      - 8080:8080
+   environment:
+      USER_UID: 1001 #Optional 
+      USER_GID: 1001 #Optional 
    volumes:
      - ./api/secret:/api/secret
-     - ./api/log:/var/log/api
+     - ./api/log/:/api/logs
      - ./api/config:/api/config
    restart: always

[...]

🐳 Docker image

• API : ghcr.io/seaweedbraincy/zero-totp-api:1.6.3
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.6.3

v1.4.1

What's changed

• Bump tomli from 2.0.1 to 2.2.1 in /api
• Bump attrs from 23.1.0 to 25.3.0 in /api
• Bump typescript from 5.5.4 to 5.8.3 in /frontend
• Bump @ngx-translate/http-loader from 8.0.0 to 16.0.1 in /frontend
• Bump node from 20-slim to 24-slim in /frontend

Upgrade notice

• No breaking change introduced in this upgrade

🐳 Latest stable docker image

• API : ghcr.io/seaweedbraincy/zero-totp-api:1.4.1
• Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.4.1

v1.3.2

Important

This release introduce breaking changes.
Review the upgrade notice before updating.

What's Changed

• Zero-TOTP is now using ghcr as main docker container repository. Dockerhub will only be a mirror.
• Introducing a new end-to-end test to test every release before deploying it into production. Tests are currently implemented to cover the most classical user flow

What's fixed

• A bug linked to database deletion was causing the account deletion to be impossible. This is fixed.
• CSP are now only focused on 'self' instead of related zero-totp instance, to prepare the self host possibility

Upgrade notice

• 🔧 This upgrade introduces breaking changes

Breaking changes and how to update

• Since Dockerhub will only act as a mirror and ghcr as the main docker registry, it is highly recommended to switch to GHCR package.
• Update your docker compose :
  • seaweedbrain/zero-totp-frontend:latest -> ghcr.io/seaweedbraincy/zero-totp-frontend:latest
  • seaweedbrain/zero-totp-api:latest -> ghcr.io/seaweedbraincy/zero-totp-api:latest

v1.2.1

What's Changed

• When verifying the authenticity of a vault, the frontend now fetches the public key from the API
• This feature has been implemented to allow self hosted version of Zero-TOTP to be able to verify their own exported vault
• As backup, if the API is now available, a official zero-totp public key is still hardcoded in Zero-TOTP frontend

Upgrade notice

• 🚨 This upgrade patches vulnerabilities
• 🔧 This upgrade introduces breaking changes

v1.1.6

Important

This is a security update
Upgrade to this version as soon as possible

What's fixed

• Upgrade setuptools from 70.0.0 to 78.1.1 to fix
  - CVE-2025-47273

Upgrade notice

• 🚨 This upgrade patches vulnerabilities
• 🔧 This upgrade introduces breaking changes

v1.1.5

Important

This is a security update
Upgrade to this version as soon as possible

What's Changed

• Email verification codes are now encoded into hexadecimal instead of base64 to make the code manual copy easier.
• When uploading a new vault, secret uploading is not queued up instead of batched sent to avoid any rate limiting performed by the API while uploading a high number of elements.
• Bump flask from 3.1.0 to 3.1.1
• Bump uvicorn from 0.24.0.post1 to 0.34.2

What's fixed

• A bug causing the account deletion to be impossible due to a 500 error
• Several UI bugs causing some buttons to be stick together without any space in between
• Upgrade flask-cors from 5.0.1 to 6.0.0 to fix
  - CVE-2024-6844 (moderate)
  - CVE-2024-6866 (moderate)
  - CVE-2024-6839 (moderate)

Upgrade notice

• 🚨 This upgrade patches vulnerabilities
• 🔧 This upgrade introduces breaking changes