Elestio Release Notes

Another busy week across the catalog. Mastodon shipped coordinated security backports across three major versions, Appsmith hit v2.0, and the database side stayed loud with ClickHouse pushing both stable and LTS updates. Here's the full rundown of what landed between May 17 and May 24, 2026.

Security Alerts

Mastodon 4.5.10 / 4.4.17 / 4.3.23 (May 20): Coordinated security release patching four advisories. Two SSRF-protection bypasses (GHSA-crr4-7rm4-8gpw, GHSA-xx55-4rrg-8xg6) and two Linked-Data Signature bypasses (GHSA-53m7-2wrh-q839, GHSA-chgx-jx3p-rf73). If you run a Mastodon instance, upgrade today. The release requires asset recompilation, so don't sleep-walk through the deploy.

Databases

• ClickHouse v26.5.1.882-stable (May 21): New stable cut with the Apache 2 pg_clickhouse Postgres extension officially shipped. The unified OLTP+OLAP story just got real.
• ClickHouse v26.3.12.3-lts (May 22): LTS patch with bug fixes for the long-term support line.
• QuestDB 9.4.0 (May 18): Time-series engine update with query-planner improvements and tighter Parquet integration for cold storage offload.

Development

• Appsmith v2.0 (May 21): Major version bump for the low-code internal-tool builder. Two years since 1.0, this one is the big rewrite of the workflow engine and the auth model.
• Authentik 2026.5.0 (May 22): Monthly cadence release. Flow editor improvements, new OAuth source providers, and group-claim handling fixes that several users requested.
• Keycloak 26.6.2 (May 19): Patch release on the 26.x line. Bug fixes across the admin console and OIDC client handling.
• n8n 2.21.7 stable (May 21): Stable channel update. Bug fixes for queue-mode worker handoff and the Microsoft Graph trigger node.
• Strapi v5.46.1 (May 20): Patch release on Strapi 5. Content-type schema fixes and admin UI polish.
• Gitea v1.26.2 (May 20): Patch on the 1.26 line. Fixes for the Actions runner reconnection logic that was biting self-hosters.
• ToolJet v3.20.164-lts (May 22): LTS patch with workspace permission fixes and new data-source connectors.
• PocketBase v0.38.2 (May 22): Latest on the 0.38 line with PocketBase JS SDK 0.30 compatibility fixes.

Hosting & Infrastructure

• Portainer 2.42.0 STS (May 20): Short-term-support cut. New Kubernetes RBAC enforcement modes and Docker Swarm rolling-restart improvements.
• RabbitMQ 4.3.1 (May 20): Patch on the 4.3 line. Stream consumer rebalancing fixes and federation plugin improvements.
• RabbitMQ 4.2.7 (May 19): Maintenance release on the 4.2 line for teams not yet on 4.3.
• OpenTelemetry Collector v0.152.1 (May 19): Bi-weekly release. New processors and exporters, plus the usual upstream protobuf bumps.
• SigNoz v0.125.1 (May 20): Hot patch on top of 0.125.0. APM trace-sampling improvements and ClickHouse storage tuning.

Applications

• Ghost v6.41.0 (May 21): Twice-monthly cadence delivered. New newsletter analytics, member-stats dashboard polish, and editor performance improvements.
• Mattermost v11.6.3 (May 21): Bug-fix patch on the 11.6 ESR line. Channel-mention render fixes and integration framework patches.
• Mattermost v11.5.6 (May 21): Backport patch for teams still on 11.5 LTS.
• Jellyfin 10.11.9 (May 21): Stable patch. Subtitle handling fixes and transcoding improvements for newer hardware accelerators.
• Metabase 0.61.2 (May 19): Lead release on the 61.x line. Improved Mongo connector and dashboard load-time optimizations. Patch releases for 0.60.7, 0.59.12, and 0.58.15 also shipped for older lines.
• Chatwoot v4.14.0 (May 18): Feature release with WhatsApp Business API improvements and new automation triggers.
• BookStack v26.03.5 (May 21): Maintenance patch on the 26.03 line. Page revision UI fixes and OIDC provider improvements.
• Jitsi Meet 2.0.10978 (May 20): Stable channel cut. Mobile participant-list improvements and lobby-mode polish.
• Firefly III v6.6.3 (May 21): Personal finance manager. Currency-conversion fixes and budget-report performance improvements.

What stood out this week

A few releases worth your weekend attention:

Appsmith v2.0 is a real 2.0.

Two years of work landing in one cut, including the workflow-engine rewrite and a new auth model. If you've been on 1.x, read the migration guide before you click upgrade. There are breaking changes in the data-source config format.

ClickHouse + pg_clickhouse going Apache 2 matters more than the version bump.

The extension lets you run analytics queries against ClickHouse from inside Postgres. The "do we need a separate data warehouse?" conversation just got an easy answer for teams under 100 GB of analytical data.

Mastodon's coordinated backport is the kind of release ops teams love.

Patches landed simultaneously on 4.5, 4.4, and 4.3 with clear advisory IDs. No "you must upgrade two majors to get the fix" tax. More projects should ship this way.

Authentik's monthly cadence still produces.

Every monthly cut adds something concrete (group-claim handling this time). Steady release rhythm matters when the alternative (Keycloak) ships major versions on a 6-month schedule.

What we're watching next week

• Nextcloud Hub 34 is in RC. The stable cut should land in the next two weeks, bringing the new collaborative-Office mode and the unified search rewrite.
• Prometheus 3.12 RC is out. The histogram changes will affect anyone running long-term storage exporters.
• Percona Live (May 27-29) kicks off and usually triggers a wave of Postgres, MySQL, MariaDB, and Valkey announcements timed to the conference.

Browse the full catalog

Every service mentioned above runs on Elestio with managed updates, automated backups, TLS, and 24/7 monitoring out of the box.

Browse the full catalog: 400+ open-source services, one-click deployment.

Thanks for reading ❤️

See you next Sunday 👋

Original source

If your code lives on a self-hosted GitLab instance, deploying it to a managed platform usually means writing your own pipeline scripts, juggling SSH keys, or running a custom runner somewhere. Plenty of you have told us you don't want to mirror private repos to GitHub or GitLab.com just to get auto-deploy on Elestio. As of today, that workaround is dead.

Elestio's CI/CD now supports self-hosted GitLab as a first-class Git source. Connect your private GitLab instance once with a Personal Access Token, and every push triggers a deploy on Elestio. Same flow you already get with GitHub or GitLab.com repos, just pointed at your own server.

Why this matters

If you run GitLab on your own infrastructure, you usually have a reason: compliance, data residency, network isolation, or simply the cost of a paid GitLab.com plan at scale. None of those reasons should force you off a managed deployment platform.

Until now, the workaround options were painful: mirror your private repos to a public Git host (defeating the point), or build your own deployment scripts on a self-managed runner. The new integration handles the boring parts for you: webhook setup, SSH key provisioning, repository scoping at the group or subgroup level, and branch tracking with auto-deploy triggers.

How it works

Elestio's CI/CD treats your self-hosted GitLab like any other Git provider. You give us two things:

1. Your GitLab instance URL (e.g. https://gitlab.yourcompany.internal , no trailing slash)
2. A Personal Access Token with the api scope

We use that PAT to list the repositories you have access to (respecting your GitLab permissions), register a webhook on each project you connect, and pull the latest code on each push. The PAT is encrypted at rest. Webhooks send a signed payload, and we verify the signature before kicking off a deploy.

The api scope is the only scope we need, and the only scope that works. Narrower scopes like read_api or read_repository cannot create webhooks or manage deploy keys, so connecting with them will fail. Requires GitLab 13.5 or newer (October 2020), which covers basically every active instance.

Step-by-step setup

Prerequisites

• A self-hosted GitLab instance reachable from Elestio
• A Personal Access Token from your GitLab account
• An Elestio service to deploy to, or a new one you're about to create

Step 1: Create the PAT on your GitLab instance

In your GitLab UI, go to your avatar menu (top right) → Preferences → Access Tokens → Add new token. Or jump straight to /-/profile/personal_access_tokens.

• Token name: elestio-cicd (or whatever you'll recognize later)
• Expiration: pick a date that fits your security policy
• Scopes: tick api , and only api

Hit "Create personal access token" and copy the value immediately. GitLab will not show it again. The token starts with glpat-.

Step 2: Pick GitLab in Elestio

When creating a new service, or editing an existing one's CI/CD source, pick GitLab as the Git provider. Then flip the Hosting Type toggle from Cloud to Self-Hosted.

Heads up: switching between Cloud and Self-Hosted resets any repositories and settings you'd already picked, so do this toggle first.

Step 3: Connect your instance

Click to add a new Git account. A modal appears asking for two fields:

• GitLab Instance URL: full URL with https:// and no trailing slash (e.g. https://gitlab.yourcompany.internal )
• Personal Access Token: paste the token you just generated

Hit Connect. On success you'll see Connected as [username] on [instance URL] , and the repository list loads below.

Step 4: Import the repo

Use the Git Scope dropdown to filter by group, subgroup, or user. Search for the repo you want to deploy. Click Import.

That's it. Elestio registers the webhook on your GitLab project, pulls the code, and starts the first deploy. From now on, every push to the tracked branch ships a new version to your service.

You can connect more than one self-hosted instance, by the way. Open the Git Account dropdown and pick "Add Git Account" to wire up another one with its own PAT.

For the full reference, see the Elestio docs on deploying a CI/CD pipeline via GitLab self-hosted.

Common gotchas

A few things that trip people up:

The GitLab instance must be reachable from Elestio. If your GitLab sits behind a firewall or VPN, you'll need to allow inbound HTTPS from Elestio's IP range.

Use a token from a service account, not your personal login. When the user who created the PAT leaves the company or rotates their token, every connected repo breaks. A service account avoids that whole class of problem.

The URL format is strict. Include the protocol, drop the trailing slash. https://gitlab.acme.com works; gitlab.acme.com/ or https://gitlab.acme.com/ does not.

If you use the "Clone Template" flow instead of "Import Git Repository," your GitLab admin needs to enable Admin Area → Settings → General → Import and export settings → Allow imports from external URLs. Without it, template-based project creation fails with 404 or insufficient_scope even when the token is fine.

Subgroups appear flat in the dropdown. GitLab nests groups infinitely, but the Elestio UI shows them as a flat list with the full path. If you have mycompany/backend/api , you'll see it as mycompany/backend/api in Git Scope, not nested.

Troubleshooting

ERROR | LIKELY CAUSE | FIX

AUTH_FAILED at connection | Invalid token, expired token, or wrong instance URL | Verify the URL responds to curl -I from a public host and includes https:// with no trailing slash. Regenerate the PAT if needed
INSUFFICIENT_SCOPES at connection | PAT missing the api scope | Edit the token (or create a new one) and tick api. Narrower scopes will not work
insufficient_scope during template import | External URL imports disabled at the instance level | Ask your GitLab admin to enable Allow imports from external URLs under Admin Area → Settings → General
Push doesn't trigger deploy | Webhook missing or signature mismatch | Re-import the repo, or check GitLab's webhook delivery logs under Project → Settings → Webhooks
Branch not found | Empty repo, or the tracked branch name does not exist | Push at least one commit on the branch you configured in the pipeline

What's next

Self-hosted GitLab is the second self-hosted Git source we support, after a long stretch of GitHub-only and GitLab.com-only. Gitea, Forgejo, and Bitbucket self-hosted are on the roadmap. If one of those is blocking you, reply to this post and tell us which.

Until then: connect your GitLab instance on Elestio, push some code, and stop maintaining your own deployment glue.

Thanks for reading ❤️

See you in the next one 👋

Original source

The Elestio dashboard you logged into this week looks different. Same platform underneath, but the path from "I need a Postgres cluster" to "here's a connection string" got shorter, and a few things we used to bury behind menus now sit on the page where you'd actually expect them.

Here's what changed and what to look for.

A Cleaner Sidebar (and Fewer Round Trips)

The left rail is now split into two groups: the things you build (Services, Clusters, CI/CD, Volumes, Load Balancer, Domains) and the things you manage (Members, Billing, Project Setting, Audit Trail, Account, Support Tickets, Monitoring, Documentation).

Counts now appear inline as small badges next to the relevant items, so you can see at a glance that a project has 14 services, 35 CI/CD pipelines, or 1 volume without clicking through. Audit Trail and Monitoring used to live one level deeper. They're top-level now because that's where most teams open them in the first place.

A 4-Step Service Creation Flow

Spinning up a new service is now an explicit four-step wizard:

1. Select service: the catalog grid, filterable by category (Databases, Applications, Development, Hosting & Infra, Full Stack, AI/GPU, CI/CD, Git).
2. Select provider, region & service plan: pick your cloud (AWS, Hetzner, Netcup, Linode, DigitalOcean, Scaleway, Vultr, OVH, Lightsail) and VM size.
3. Provide service name & cluster config: auto-generated names you can override, plus a clear toggle between Single Node and Primary/Replica.
4. Select support & advanced settings: three support tiers (Basic / Pro / Business) priced by the hour, plus optional advanced config.

The progress bar at the top of every step tells you where you are. The right sidebar always shows the running summary: software, version, plan, provider, region, specs, IPv4, and an Estimated Monthly Cost that updates as you change selections. No more clicking "Create" only to find out it costs more than you thought.

A small but welcome detail: every config page has a Copy Terraform Config button next to the Create CTA, so the same setup you just clicked your way through can be checked into a repo as code.

Service Detail Page: Credentials Where You Expect Them

Open any running service and the Overview tab now leads with two things you actually need: Termination protection (a single toggle) and Connect to your service (your credentials, inline).

The credentials card shows HOST, PORT, USER, PASSWORD, and the ready-to-paste CLI command, each with its own copy button. There's a Hide credentials toggle for screen-sharing. The Admin software (pgAdmin, phpMyAdmin, the ClickHouse UI, whatever ships with your service) opens with one click below.

The right rail keeps the Quick Info card pinned: plan, provider, region, full specs, IPv4, service ID, project ID, who created it, and creation date. The fields that matter for support tickets are now copy-able directly from this card.

Your Existing Tools, Now in One Tab

VS Code, the File Explorer, the in-browser Terminal, SSH/SFTP details, and the Reset Password flow were already there. They were just scattered across different pages and modals depending on the service. The new Tools tab puts all five in the same place on every service:

• VS Code: browser-based editor running on your VM, one click.
• File Explorer: upload, download, navigate without dropping into a terminal.
• Terminal: direct console access in your browser.
• SSH/SFTP: connection details on demand, no key-hunting through your password manager.
• Reset Password: for SSH/SFTP, separated from the database credentials so you don't fat-finger the wrong reset.

Nothing new under the hood. What's new is that the layout is identical whether you're poking at a Postgres cluster, an n8n install, or a CI runner. Once you know where the Terminal lives, you know where it lives on every service in your fleet.

The Tabs Are Standard Across Every Service

Every service detail page now shares the same tab strip: Overview, Tools, Backups, Metrics, Monitoring, Logs, Audit, Security, Alerts. That consistency matters more than it sounds. If you're managing a fleet (one ClickHouse, two Postgres replicas, an n8n, a Mautic, a few CI runners), you don't have to relearn the layout for each one. Audit lives in the same place on every service. So does Alerts.

Live Cost Preview, Side by Side With the Config

Two visible changes here:

• The plan summary on the right side of the create flow now shows the hourly rate and the monthly estimate side by side. If you're sensitive to burst hourly billing (CI agents, ephemeral environments), the hourly number is what you want.
• Support tiers (Basic free, Pro at $0.0685/hour, Business at $0.2740/hour) are now their own selection step with clear inclusions. No buried checkbox.

This is the kind of thing that looks small in a screenshot but saves a support ticket a month from now.

What This Doesn't Change

The underlying platform is the same: same providers, same one-click catalog, same automated backups, same managed updates. The redesign is about reducing the number of clicks between intent and outcome, not changing what's underneath.

If you're already running services, log in and look around. The new sidebar grouping and the Tools tab are where most users will notice the difference first. If you're evaluating Elestio, the new create flow is the cleanest demo of what the platform does: pick a service from 400+, pick a region, get a running cluster with credentials, monitoring, backups, and a terminal in your browser.

Try it: elest.io. Feedback welcome.

Thanks for reading ❤️ See you in the next one 👋

Original source

There's a moment when you're running self-hosted infrastructure where you realize you spend more time tabbing between the chat with your AI and the dashboard of your provider than actually building. You ask Claude how to set up WordPress in Frankfurt, it gives you a plan, you copy commands, you switch tabs, you fill forms, you wait. Multiply that by every project, every region, every redeploy.

We just shipped something that removes that loop entirely. Elestio MCP is now live at mcp.elest.io and lets you deploy and manage your entire Elestio account directly from Claude, ChatGPT, or any AI agent that speaks the Model Context Protocol. No more switching tabs. You describe what you want, the AI calls the API, the server boots.

This guide walks you through connecting it to Claude.ai in under two minutes and shipping your first deployment by simply asking for it.

What Elestio MCP actually unlocks

MCP (Model Context Protocol) is the open standard Anthropic released to let AI assistants talk to external services through structured tool calls. Once Claude is connected to Elestio MCP, it can do everything you would normally do in the Elestio dashboard, but through natural language.

Concretely, that means:

CAPABILITY | WHAT YOU CAN ASK
Deploy from the catalog | "Deploy a Postgres 16 cluster in Singapore on Hetzner"
Deploy your own code | "Deploy this GitHub repo with CI/CD on a 4-CPU node"
Manage existing services | "Trigger a backup, then resize my n8n instance"
Multi-region orchestration | "Spin up read replicas in 3 European regions"

You get access to the full Elestio surface area: 9 cloud providers, 40 countries, 100 regions, the catalog of 400+ open-source applications, and your own frontend, backend, or agent code deployed via CI/CD. All from a chat window.

Step 1: Open the Connectors panel in Claude.ai

Inside Claude.ai, open Settings and pick the Connectors tab in the left sidebar. You'll already see a few built-in connectors (GitHub, Gmail, Google Calendar, Google Drive). We're going to add a custom one.

Scroll down and click Add custom connector.

Step 2: Add the Elestio MCP server

A small dialog appears. Fill it in like this:

• Name: elestio
• MCP server URL: https://mcp.elest.io

Leave the advanced settings alone. Click Add.

Claude will warn you that custom connectors come from third-party developers. That's correct, the connector is hosted by Elestio at the URL above, and you control which account it can touch.

Step 3: Authorize with your Elestio API token

Click Connect next to the new elestio entry. A browser tab opens on the Elestio authorization page asking for two things:

• Elestio email: the email you use on elest.io
• Elestio API token: copy it from your account security settings

Click Authorize. The page redirects back to Claude.ai and the connector now shows a green status. You can revoke access anytime from your account security settings.

That's the entire setup. Claude can now call Elestio.

Step 4: Deploy something by asking for it

Open a new conversation in Claude and type the kind of sentence you'd say to a colleague:

Can you deploy a WordPress on Elestio in Europe?

Claude reads your request, plans the work, and runs tool calls in parallel. In our test it did the following on its own:

• Loaded the WordPress template ID from the Elestio catalog
• Listed your existing projects to either reuse one or set up a new one
• Looked up European regions across the supported providers
• Picked a sensible VM size, confirmed the cost, and asked for go-ahead

Once you approve, the deployment fires and Claude streams progress back to you in plain English. A minute or two later, you have a running WordPress with HTTPS, automated backups, and a public URL. No dashboard tab opened.

Step 5: Pull credentials without leaving the chat

Once the service is up, the next thing you usually want is the URL, the admin login, and the password. Instead of opening the dashboard, ask Claude:

Can you give me my credentials please?

The connector pulls the secrets for the freshly deployed service and returns them inline: the public URL, the admin username, and the generated password. Click the URL, paste the credentials, you're in. The same prompt works for any service in the catalog, from databases to dashboards to internal tools.

This is the rhythm Elestio MCP unlocks. You don't break flow to look something up, you just keep talking.

Beyond WordPress: deploy your own code

The same flow works for code you wrote yourself. Point Claude at a GitHub repo and ask it to deploy with CI/CD. Elestio MCP wires up the build pipeline, sets the right environment variables, exposes the right ports, and gives you a redeploy hook on every push. Frontend, backend, AI agents: all the same flow.

It's not just Claude

Elestio MCP is provider-agnostic. The same https://mcp.elest.io endpoint works in:

• Claude.ai (Connectors, shown above)
• Claude Code and other Anthropic SDKs
• ChatGPT with custom MCP support
• Cursor, Continue, Zed, and any IDE that ships an MCP client
• Your own AI agent built on LangChain, LlamaIndex, or the official MCP SDKs

If your tool speaks MCP, it can drive Elestio.

Troubleshooting

"Authorize" loops back without connecting.

Your API token is wrong or revoked. Generate a fresh one in account security and retry.

Claude says it can't find a region.

Make sure the country you mentioned is one of the 40 supported. Try "Europe" or "Frankfurt" instead of a less common location.

Tool calls time out.

Long deployments (databases, big VMs) can take a couple of minutes. Claude will keep polling. If it gives up, ask it to "check the status of the latest deployment" and it will resume reporting.

You want to revoke access.

Visit your account security settings, find the Claude entry, click revoke. The connector in Claude will go red on the next call.

Try it

Spin it up in two minutes:

1. Add https://mcp.elest.io as a custom connector in Claude.ai
2. Authorize with your Elestio email and API token
3. Ask Claude to deploy something

If you don't have an Elestio account yet, start a free trial. The MCP connector is included on every plan, no extra setup.

This is the version of self-hosted infrastructure we wanted to use ourselves: less clicking, more describing.

Thanks for reading ❤️

See you in the next one 👋

Original source

A busy week across the catalog. Forgejo shipped patches across three release lines, Portainer landed a major STS with GitOps for Helm, Ollama wired Claude Desktop into its launch flow, and Nextcloud previewed version 34 alongside two stable maintenance drops. Eight notable updates below, with a security note up top.

Security Alerts

Paperless-ngx 2.20.15 (April 27) addresses a security issue around mail account enumeration on auth endpoints, plus four bug fixes covering custom field operators and API note validation. Patch immediately if you self-host Paperless behind a public URL.

No new catalog-service CVEs were disclosed this week beyond the cPanel CVE-2026-41940 storyline (already covered in last Friday's Self-Hosted Weekly). The Jellyfin advisories from April 14 (CVE-2026-35031, CVE-2026-35034) still warrant patching to 10.11.7 or later if you missed them.

Databases

• ClickHouse 25.10.7.6-stable and 25.12.11.4-stable (April 30) ship simultaneous patches across both supported branches. The 25.12 line is where the 26.3-track work continues, while 25.10 LTS users get the long-tail fixes.

AI / GPU

• Ollama 0.22.0, 0.22.1, 0.23.0 (April 28 to May 3). Three releases in one week. The headline: 0.23.0 lands Claude Desktop integration. Launching ollama from the desktop app now wires up to both Claude Cowork and Claude Code. 0.22.x added NVIDIA Nemotron 3 Omni and Poolside's Laguna XS.2 coding model, plus performance work on Gemma 4's reasoning and tool-use paths. Server-driven model recommendations now update independently of the Ollama version, which is a small but useful decoupling.

Development

• n8n 2.18.5 (April 28, latest stable) and 1.123.38 (April 29, LTS branch). The stable line gets automatic cleanup of AI-created workflows that didn't get saved, dynamic OpenAI model selection for image-editing nodes, and Connect-table rows that now jump to related executions on click. The LTS branch picked up --include and --exclude flags for import:credentials and a fix for code-node hangs during idle-timer overlaps.

• Strapi 5.44.0 (April 29) ships a "Deploy to cloud" homepage widget, an AGENTS.md guide for AI coding agents, fixes for Firefox keyboard shortcuts and self-referential relations, and the 5.0.0-02-created-document-id migration is now idempotent. 18 contributors on this one.

• Forgejo 15.0.1, 14.0.5, and 11.0.13 (April 29) all dropped on the same day. The v15.0 LTS launched April 16 with token scoping and a web-UI runner registration flow; this is its first patch. v14 stable and v11 LTS got maintenance drops with full test-suite passes across SQLite, MySQL, and PostgreSQL.

Hosting & Infrastructure

• Portainer 2.41.0 STS (April 29) is the headline release of the week. Helm chart edge stacks now deploy from Helm or Git repos, Kubernetes Manifest GitOps stacks are editable post-deploy, and there's a new GitOps Workflows page with RBAC awareness across environments. Web-console terminals now handle TUI applications. Under the hood: Go bumped to 1.26.2 (which closes multiple crypto/x509 and crypto/tls CVEs) and the Docker binary is now v29.4.1. One breaking change: CSRF protection now requires full URLs, including the scheme, for trusted origins. Bare hostnames are rejected. A legacy-csrf feature flag is available in 2.41 only as a migration window, after which it goes away.

Applications

• Nextcloud 33.0.3 (April 30) is the latest stable.
• 32.0.9 (April 30) ships maintenance for the older branch.
• 34.0.0 beta1 and beta2 (April 28 / 30) preview the next major. If you're running 33.x in production, 33.0.3 is the no-brainer upgrade. Beta watchers can start kicking the tires on 34.

What Stood Out This Week

Portainer 2.41.0 is the most significant release. GitOps for Helm stacks closes a real gap, and the manifest-editing UX change ("you can change a deployed manifest without re-creating the stack") is the kind of quality-of-life fix that saves a few minutes every day across a team. The CSRF breaking change matters: read it before you upgrade, especially if your Portainer instance is behind a reverse proxy that rewrites Host headers.

Ollama 0.23.0's Claude Desktop integration is the small detail that signals where local-first AI is going. Six months ago, "use Claude Code with a local model" required a stack of glue. Now it's a launch-flow flag. If you're running a homelab inference box, this is the week to update.

Forgejo's three-line patch day is procedural news that matters more than it sounds. Maintaining v15, v14, and v11 LTS in parallel on the same day is what enterprises look for before they migrate. Expect to see Forgejo show up in more "we left GitHub" stories over the next quarter.

n8n 2.18.5's automatic cleanup of unsaved AI-created workflows is small but surprisingly impactful. The previous flow let abandoned AI drafts pile up in the workspace, which made workflow lists noisy. This one fixes a real annoyance.

Deploy any of these on Elestio

All eight services above are available on the Elestio catalog with one-click deploys, automated backups, SSL, and update windows you control. Skip the upgrade-Friday math and let the platform handle the patch dance for you.

Thanks for reading ❤️

See you next Sunday 👋

Original source

We've been working on making Elestio's CI/CD pipeline smoother, faster, and more reliable. Whether you're running a single service or managing multiple pipelines across projects, these updates make every deployment safer and more predictable. Here's what's new and what it means for you.

Zero-Downtime Deployments

The biggest upgrade: your app now stays online during the entire build process. The pipeline builds the new image first while your existing container keeps serving traffic, then swaps in the new version in seconds. Your users experience no interruption, even on longer builds.

This also means failed builds are completely safe. If something goes wrong during the build step, the currently running container keeps serving traffic as if nothing happened. Nothing changes until the new version is confirmed ready. You get a failure email with the full build log so you can diagnose and fix it on your own schedule.

Smarter Git Sync

Git sync is now more resilient. The pipeline uses a hard reset strategy instead of a simple pull, which means temporary files or build artifacts in the working directory won't block your deployments. Every sync starts clean.

SSH Deploy Keys

Pipelines now use automatically generated SSH deploy keys instead of relying on Personal Access Tokens in the remote URL. Each pipeline gets its own key, registered with GitHub or GitLab via their API. The key is used at deploy time then cleaned up, so there are no long-lived credentials sitting in your git config.

This means you don't need to worry about token expiration silently stopping your deployments. And if deploy key setup isn't possible for your repository (e.g., limited API scope), the system falls back to token-based auth gracefully. Either way, your pipeline keeps running.

Container Health Checks

After bringing up the new container, the pipeline now actively monitors its health status rather than assuming everything is fine. It polls every 5 seconds for up to 120 seconds, waiting for all containers to report healthy. If something doesn't come up properly, the deployment is marked as failed and you're notified immediately with the full logs. This catches issues like misconfigured environment variables or missing dependencies that would otherwise go unnoticed until a user reports a problem.

Deployed Commit Tracking

You can now see exactly which commit is running in production, right from the dashboard. The deployed commit SHA is captured during each build and stored alongside your pipeline data. This is especially useful when multiple team members push changes throughout the day and you need to know precisely which version is serving your users.

Failure Notifications

When a deployment fails, the project owner (and the user who triggered it, if different) automatically receives an email with the full build log attached. You'll know something needs attention before your users do. The log includes enough detail to diagnose most issues directly from your inbox, so you can push a fix and let the pipeline handle the rest.

CI/CD Disable Toggle

You can now pause CI/CD pipelines directly from the dashboard. This is useful during maintenance windows, database migrations, or any time you want to temporarily stop automated deployments without removing the pipeline itself.

Cleaner Container Management

The pipeline now handles container cleanup automatically between deployments. Orphaned containers from previous runs are removed before the new version comes up, so you never run into naming conflicts or leftover processes consuming resources. Every deployment starts from a clean, predictable state.

Troubleshooting

Container reports unhealthy after deploy:

Check your Docker health check configuration. The pipeline waits up to 120 seconds for containers to become healthy. If your app needs more startup time, increase the

healthcheck.start_period

in your

docker-compose.yml

.

Authentication errors during git sync:

Verify your deploy key is correctly registered on GitHub/GitLab. You can check this in your repository's deploy key settings. The pipeline will fall back to token auth if needed, so also confirm your token is still valid.

Ship with Confidence

All of these improvements are live now. If you're already using Elestio's CI/CD, you don't need to change anything on your end. Everything works automatically with your existing pipeline configuration.

If you haven't tried it yet, check out

Elestio

and set it up in minutes from your

dashboard

. Connect your GitHub or GitLab repo, and every push triggers an automated deployment with all these safeguards built in. Zero-downtime deploys, health checks, SSH keys, commit tracking, and failure alerts, all out of the box.

Thanks for reading. See you in the next one.

Original source

This week brought a significant Keycloak release with zero-downtime updates going GA, Forgejo hitting its 100th release with LTS designation, and Jellyfin patching critical security issues. Here's everything that shipped across Elestio's catalog from April 12-18, 2026.

Security Alerts

Jellyfin 10.11.8 addresses security vulnerabilities that were fixed in 10.11.7. The Jellyfin team strongly recommends upgrading ASAP, as CVE disclosures for the issues fixed in 10.11.7 are expected within days. If you're running anything older than 10.11.7, treat this as urgent.

Development

Keycloak 26.6.0 (April 2026) - This is a big one. Zero-downtime patch releases are now GA and enabled by default, meaning you can do rolling updates within the same major.minor stream without service interruption. JWT Authorization Grant moves from preview to supported. Federated client authentication is now fully supported, letting clients leverage existing credentials from external issuers (including Kubernetes Service Accounts) without managing individual secrets. The new workflows feature brings Identity Governance and Administration (IGA) capabilities, with realm tasks defined in YAML and executed on events, conditions, or schedules. Also adds OpenJDK 25 support.

Keycloak 26.6.1 (April 2026) - Quick follow-up patch release with bug fixes.

Forgejo 15.0 (April 16) - The 100th release of Forgejo, and it's an LTS (supported through July 2027). Highlights: repository-specific access tokens for tighter security, OpenID Connect support for Forgejo Actions, reusable workflows that expand into individual jobs for better log visibility, and a new web-based runner registration flow (no more CLI registration). Breaking change: default cookie names have changed, so users will need to sign in again after upgrading.

N8N 1.91 (April 9) - Maintenance release with bug fixes, including improvements to the AI builder, safer webhooks, and performance improvements across core and editor components.

Hosting & Infrastructure

Grafana 12.x (April 14) - Minor update to the 12.x series with new audit log settings for data source queries and a copy-paste styles feature for dashboard panels. Note: Grafana 13 is expected to be announced at GrafanaCON later this month.

Mattermost v11.6 (April 16) - New active release cycle begins. This replaces v11.5 as the current stable release. Mattermost v10.11 ESR continues to receive security patches through August 2026.

Applications

Jellyfin 10.11.8 (April 2026) - Bug fix release addressing regressions from 10.11.7. Fixes subtitle saving, media language filtering, and folder handling for libraries. Upgrade strongly recommended due to upcoming CVE disclosures for issues patched in 10.11.7.

Immich v2.7.5 (April 13) - Latest patch in the v2.7 series. The v2.7.0 release (April 7) brought asset viewer enhancements, security improvements, and duplicate API changes. This may be the last release before v3.0.0, which will include breaking changes mainly for third-party developers.

What Stood Out This Week

Keycloak 26.6.0 is a milestone release. Zero-downtime updates going GA is the kind of feature that makes self-hosted Keycloak viable for production environments that can't afford maintenance windows. The workflows engine adds IGA capabilities that previously required separate commercial tools. If you're running Keycloak on Elestio, this upgrade is worth prioritizing.

Forgejo 15.0 LTS is a statement. Reaching 100 releases and committing to LTS support through mid-2027 signals that Forgejo is here to stay. The repository-specific access tokens feature alone makes this a compelling upgrade for teams concerned about least-privilege access.

Jellyfin's security urgency is real. With CVE disclosures imminent, running an unpatched Jellyfin instance is a ticking clock. The 10.11.8 fixes are minimal and low-risk to apply, so there's no reason to wait.

All of these services are available as one-click deployments on Elestio's catalog. If you're running any of them self-managed, now's a good time to check your versions.

Thanks for reading. See you next week.

Original source