tag:github.com,2008:https://github.com/logto-io/logto/releases

Release notes from logto

2026-06-03T07:03:30Z tag:github.com,2008:Repository/378310716/@logto/connector-smtp2go-email@1.0.0 2026-06-03T07:03:30Z

@logto/connector-smtp2go-email@1.0.0

<p>@logto/connector-smtp2go-email@1.0.0</p> silverhand-bot tag:github.com,2008:Repository/378310716/v1.40.1 2026-05-29T11:07:39Z

v1.40.1

<h3>Patch Changes</h3> <p>This is a patch release to correct a missed version bump for <code>@logto/core-kit</code>, again...</p> <p>In v1.40.0, new <code>@logto/core-kit</code> exports were introduced for Custom UI CSP utilities and protected app additional scopes, but the changeset did not make it into the release. As a result, <code>@logto/core-kit</code> stayed at <code>2.9.0</code> while downstream packages were already expecting the new exports. JavaScript package graphs are forgiving about many things; missing exports are not one of them.</p> <p>v1.40.1 publishes <code>@logto/core-kit@2.10.0</code> so the released packages are back in sync.</p> <h4>@logto/core-kit@2.10.0</h4> <ul> <li>Add custom CSP utility methods</li> </ul> silverhand-bot tag:github.com,2008:Repository/378310716/v1.40.0 2026-05-29T07:49:40Z

v1.40.0

<a target="_blank" rel="noopener noreferrer" href="https://private-user-images.githubusercontent.com/10806653/599940290-417b6b55-1ddf-455d-a800-d6a1a4fe0489.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3ODA1ODU3NTYsIm5iZiI6MTc4MDU4NTQ1NiwicGF0aCI6Ii8xMDgwNjY1My81OTk5NDAyOTAtNDE3YjZiNTUtMWRkZi00NTVkLWE4MDAtZDZhMWE0ZmUwNDg5LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNjA2MDQlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjYwNjA0VDE1MDQxNlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTg4NGU5NGQ2MjZkMDBhNmEzYjZlNzg1ZGQ0NjI4ZjQyMDZlYTk3NTZhYTU3YzhiOWQwZWIxZmI5MzhmNWU4M2ImWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JnJlc3BvbnNlLWNvbnRlbnQtdHlwZT1pbWFnZSUyRnBuZyJ9.0GISMhtrHlJZ5lOkokoHFeYIi2VmaJ9vqfwHiadtfTk"><img width="2000" height="1125" alt="logto-changelog-2026-05" src="https://private-user-images.githubusercontent.com/10806653/599940290-417b6b55-1ddf-455d-a800-d6a1a4fe0489.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3ODA1ODU3NTYsIm5iZiI6MTc4MDU4NTQ1NiwicGF0aCI6Ii8xMDgwNjY1My81OTk5NDAyOTAtNDE3YjZiNTUtMWRkZi00NTVkLWE4MDAtZDZhMWE0ZmUwNDg5LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNjA2MDQlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjYwNjA0VDE1MDQxNlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTg4NGU5NGQ2MjZkMDBhNmEzYjZlNzg1ZGQ0NjI4ZjQyMDZlYTk3NTZhYTU3YzhiOWQwZWIxZmI5MzhmNWU4M2ImWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JnJlc3BvbnNlLWNvbnRlbnQtdHlwZT1pbWFnZSUyRnBuZyJ9.0GISMhtrHlJZ5lOkokoHFeYIi2VmaJ9vqfwHiadtfTk" content-type-secured-asset="image/png" style="max-width: 100%; height: auto; max-height: 1125px;"></a> <h2>Highlights</h2> <ul> <li><strong>Audit logs time-range picker</strong>: Scope the audit log to a bounded time window (preset windows plus a custom range), backed by a server-side count cap that keeps large-volume tenants responsive.</li> <li><strong>Organization membership webhook deltas</strong>: <code>Organization.Membership.Updated</code> now reports exactly which users and applications were added or removed.</li> <li><strong>Faster organizations at scale</strong>: New secondary indexes and query rewrites speed up membership listing and per-user role lookups on large tenants.</li> <li><strong>Air-gapped & self-hosted friendliness</strong>: A new <code>--dapc</code> install/seed flag and DB-direct admin signing keys remove outbound-network and DNS friction for OSS deployments.</li> <li><strong>New connectors</strong>: MailJunky email, SMSBao SMS, and the Aliyun SMS authentication service connector, plus Aliyun Direct Mail regions and richer WeCom profiles.</li> </ul> <h2>New features & enhancements</h2> <h3>Audit logs time-range picker</h3> <ul> <li>The Console audit logs page now ships a time-range picker with a default window of the last 7 days. Presets cover <code>Last 1 hour</code> / <code>Last 24 hours</code> / <code>Last 7 days</code> / <code>Last 30 days</code>, plus a custom date range.</li> <li>The API gains <code>start_time</code> and <code>end_time</code> query parameters on <code>GET /api/logs</code> and <code>GET /api/hooks/{id}/recent-logs</code> (exclusive bounds, unix milliseconds). On <code>GET /api/hooks/{id}/recent-logs</code>, supplying either bound replaces the default 24-hour lower bound.</li> <li>A new <code>enableCap=true</code> query parameter on <code>GET /api/logs</code> and <code>GET /api/hooks/{id}/recent-logs</code> short-circuits the count query at ~10,000 rows to reduce <code>statement_timeout</code> risk on very large log volumes. Capped responses return a <code>Total-Number-Is-Capped: true</code> header, and the Console renders a Prev/Next layout in that case. Default behavior (without the param) is unchanged.</li> </ul> <h3>Organization membership webhook deltas</h3> <ul> <li>The <code>Organization.Membership.Updated</code> webhook payload is enriched with explicit delta fields: <code>addedUserIds</code> / <code>removedUserIds</code> and <code>addedApplicationIds</code> / <code>removedApplicationIds</code> across the user and application membership endpoints, plus <code>addedUserIds</code> on invitation accept and just-in-time provisioning (email-domain JIT and enterprise SSO JIT).</li> <li>Empty deltas are omitted; each delta array is capped at 5000 entries (reconcile bulk changes via <code>GET /organizations/:id/users</code> or <code>.../applications</code>). This is an additive, non-breaking change — see the <a href="https://docs.logto.io/developers/webhooks/webhooks-request#organizationmembershipupdated-payload" rel="nofollow">webhook reference</a>.</li> </ul> <h3>Account API: sessions <code>isCurrent</code></h3> <ul> <li><code>GET /api/my-account/sessions</code> now returns <code>isCurrent: boolean</code> on every entry, so session-management UIs can mark the "This device" entry and avoid revoking the caller's own session. The admin user-sessions endpoints are unchanged.</li> </ul> <h3>Performance for large organizations</h3> <ul> <li><code>GET /organizations/:id/users</code> is rewritten to aggregate roles via a <code>LATERAL</code> subquery, so <code>LIMIT</code> prunes the user set before role lookups instead of materializing the full <code>members × roles</code> join on every page.</li> <li>New secondary indexes speed up reverse lookups: <code>organization_user_relations (tenant_id, user_id)</code> (hit on every sign-in and the membership middleware) and <code>organization_role_user_relations (tenant_id, organization_id, user_id)</code> (hit by <code>getUserScopes</code> and per-user role joins).</li> <li><code>PUT /organizations/:id/users</code> now uses a new delta-based <code>replaceWithDelta()</code> query that writes only the rows that actually changed, preserving role assignments for members whose membership survives the update.</li> </ul> <h3>OpenAPI: accurate arbitrary-object types</h3> <ul> <li>Arbitrary JSON object schemas now declare <code>additionalProperties: true</code> in the OpenAPI document, so generated TypeScript clients (e.g. <code>@logto/api</code>) type fields such as <code>customData</code> as <code>{ [key: string]: unknown }</code> instead of <code>Record<string, never></code>.</li> </ul> <h2>Bug fixes & stability</h2> <h3>Experience</h3> <ul> <li><strong>Terms agreement on sign-in-to-registration</strong>: When the agreement policy is <code>ManualRegistrationOnly</code>, signing in with an unregistered email or phone and then confirming "create a new account" now prompts the terms agreement before the account is created, matching the dedicated registration and social/SSO flows.</li> </ul> <h3>Account Center</h3> <ul> <li><strong>Initial password setup</strong>: Users with no password, no primary email, and no primary phone can now set their initial password without a verification record through the Account API.</li> <li><strong>Silent re-authentication</strong>: On a user-info error (e.g. a stale access token after switching users in the same browser), Account Center re-authenticates with <code>prompt=none</code> instead of forcing the login screen, falling back to <code>prompt=login</code> only when no valid session exists.</li> <li><strong>Expired sessions</strong>: Expired Account Center sessions now redirect cleanly without flashing the manual sign-in error.</li> <li><strong>Social linking callback</strong>: The social linking callback is rendered through React Router so <code>connectorId</code> is read correctly, fixing a spurious "social sign-in method is not enabled" error.</li> <li><strong>2-step verification label</strong>: Clarified the Account Center 2-step verification toggle label.</li> </ul> <h3>Internationalization</h3> <ul> <li>Corrected the Chinese translation of "Passkey" in the MFA experience phrases.</li> </ul> <h2>Self-hosting & OSS notes</h2> <ul> <li><strong>Air-gapped admin setup (<code>--dapc</code>)</strong>: The <code>install</code> and <code>db seed</code> commands accept a new <code>--dapc</code> flag (alias <code>--disable-admin-pwned-password-check</code>). It seeds the admin password policy with the Have I Been Pwned breach check disabled, so the first admin sign-up no longer hangs when <code>api.pwnedpasswords.com</code> is unreachable.</li> <li><strong>Admin signing keys read from the database</strong>: OSS deployments now read the admin tenant signing keys directly from the database, removing the extra host/DNS mappings that previously let the container fetch its own admin tenant OIDC configuration through the external endpoint.</li> <li><strong>Database migration required</strong>: This release ships schema alterations (the new organization-relation indexes and additional internal columns). After upgrading, run the database alteration command (<code>npm run alteration deploy</code> in the <code>@logto/cli</code>/core image, or <code>logto db alteration deploy</code>) before starting the new version. See the <a href="https://docs.logto.io/logto-oss/upgrading-oss-version" rel="nofollow">upgrade guide</a>.</li> </ul> <h2>Connectors</h2> <ul> <li><strong>New — MailJunky email connector</strong>: Send transactional auth emails via the MailJunky send API.</li> <li><strong>New — SMSBao SMS connector</strong>: Domestic SMS verification flows via SMSBao.</li> <li><strong>New — Aliyun SMS authentication service connector</strong>: Adds the Aliyun SMS authentication (MAS) service.</li> <li><strong>Aliyun Direct Mail regions</strong>: The Aliyun DM connector now supports configuring the Direct Mail region.</li> <li><strong>WeCom</strong>: Fetches richer user profile details via additional API calls.</li> <li><strong>SMTP</strong>: The <code>auth</code> config may now omit <code>user</code> and <code>pass</code>, so relays that authorize by source (e.g. IP/VLAN) can be configured without forging credentials.</li> <li><strong>Connector Kit</strong>: Tightened email branding URL detection to avoid false positives on dotted abbreviations.</li> </ul> <h2>Contributors</h2> <p>Huge thanks to the community members whose work shipped in this release:</p> <ul> <li><a href="https://github.com/devadarshh">@devadarshh</a> — MailJunky email connector (<a href="https://github.com/logto-io/logto/pull/8638" data-hovercard-type="pull_request" data-hovercard-url="/logto-io/logto/pull/8638/hovercard">#8638</a>)</li> <li><a href="https://github.com/wintbiit">@wintbiit</a> — SMSBao SMS connector (<a href="https://github.com/logto-io/logto/pull/8871" data-hovercard-type="pull_request" data-hovercard-url="/logto-io/logto/pull/8871/hovercard">#8871</a>)</li> <li><a href="https://github.com/CertStone">@CertStone</a> — Aliyun SMS authentication service connector (<a href="https://github.com/logto-io/logto/pull/8385" data-hovercard-type="pull_request" data-hovercard-url="/logto-io/logto/pull/8385/hovercard">#8385</a>)</li> <li><a href="https://github.com/liyujun-dev">@liyujun-dev</a> — WeCom profile enrichment (<a href="https://github.com/logto-io/logto/pull/8191" data-hovercard-type="pull_request" data-hovercard-url="/logto-io/logto/pull/8191/hovercard">#8191</a>)</li> <li><a href="https://github.com/aayushbaluni">@aayushbaluni</a> — email URL detection fix (<a href="https://github.com/logto-io/logto/pull/8747" data-hovercard-type="pull_request" data-hovercard-url="/logto-io/logto/pull/8747/hovercard">#8747</a>)</li> <li><a href="https://github.com/rotempasharel1">@rotempasharel1</a> — Chinese Passkey translation fix (<a href="https://github.com/logto-io/logto/pull/8870" data-hovercard-type="pull_request" data-hovercard-url="/logto-io/logto/pull/8870/hovercard">#8870</a>)</li> <li><a href="https://github.com/taka-guevara">@taka-guevara</a> — Account Center silent re-authentication (<a href="https://github.com/logto-io/logto/pull/8785" data-hovercard-type="pull_request" data-hovercard-url="/logto-io/logto/pull/8785/hovercard">#8785</a>)</li> <li><a href="https://github.com/darcyYe">@darcyYe</a> — <code>--dapc</code> air-gapped admin seed flag (<a href="https://github.com/logto-io/logto/pull/8859" data-hovercard-type="pull_request" data-hovercard-url="/logto-io/logto/pull/8859/hovercard">#8859</a>)</li> <li><a href="https://github.com/chiche84">@chiche84</a> — original organization membership webhook delta proposal (<a href="https://github.com/logto-io/logto/pull/8752" data-hovercard-type="pull_request" data-hovercard-url="/logto-io/logto/pull/8752/hovercard">#8752</a>)</li> </ul> <p>For the complete list of changes, see the <a href="https://github.com/logto-io/logto/blob/master/packages/core/CHANGELOG.md">full changelog</a>.</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/tunnel@0.3.8 2026-05-29T10:11:56Z

@logto/tunnel@0.3.8

<p>@logto/tunnel@0.3.8</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/translate@0.2.14 2026-05-29T10:11:55Z

@logto/translate@0.2.14

<p>@logto/translate@0.2.14</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/translate@0.2.13 2026-05-29T04:06:17Z

@logto/translate@0.2.13

<p>@logto/translate@0.2.13</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/phrases-experience@1.13.3 2026-05-29T10:11:55Z

@logto/phrases-experience@1.13.3

<p>@logto/phrases-experience@1.13.3</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/phrases-experience@1.13.2 2026-05-29T04:06:17Z

@logto/phrases-experience@1.13.2

<p>@logto/phrases-experience@1.13.2</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/experience@1.19.2 2026-05-29T04:06:16Z

@logto/experience@1.19.2

<p>@logto/experience@1.19.2</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/core-kit@2.10.0 2026-05-29T10:11:55Z

@logto/core-kit@2.10.0

<p>@logto/core-kit@2.10.0</p> silverhand-bot