commit b22fe9811c672e4d226ae2c054d7c965d8783805 Author: Nick Craig-Wood Date: Fri May 22 17:11:48 2026 +0100 Version v1.74.2 commit ce64f4edb8b1d99156bb917a93ac303676ab7118 Author: Nick Craig-Wood Date: Fri May 22 16:30:02 2026 +0100 gui: update embedded release to 1.1.8 commit f3986e2bb72788c84b94686c6acaf37e631a44d6 Author: Nick Craig-Wood Date: Fri May 22 12:08:35 2026 +0100 lib/http: replace deprecated h2c.NewHandler with http.Server.Protocols The golang.org/x/net/http2/h2c package was deprecated in v0.54.0 in favour of setting the http.Server Protocols field to enable unencrypted HTTP/2. This replaces the h2c.NewHandler wrapping added in e863f751f with http.Server.Protocols, which is supported by the standard library since Go 1.24. Note that the stdlib only supports HTTP/2 prior-knowledge on cleartext connections, not HTTP/1.1 Upgrade: h2c negotiation. In practice clients use prior-knowledge or require TLS, so this should not affect users. commit f0961f4a8dd354caf79c20f8d5eaf76476e01cc2 Author: Nick Craig-Wood Date: Fri May 22 11:54:29 2026 +0100 build: update golang.org/x dependencies to address multiple CVEs Upgrade to v0.55.0 of golang.org/x/net in order to address: - CVE-2026-42506: html: incorrect handling of namespaced elements in foreign content - CVE-2026-39821: idna: failure to reject ASCII-only Punycode-encoded labels - CVE-2026-42502: html: incorrect handling of HTML elements in foreign content - CVE-2026-25680: html: denial of service when parsing arbitrary HTML - CVE-2026-25681: html: incorrect handling of character references in DOCTYPE nodes - CVE-2026-27136: html: duplicate attributes can cause XSS Upgrade to version v0.52.0 of golang.org/x/crypto to address: - CVE-2026-46598: ssh/agent: pathological inputs can lead to client panic - CVE-2026-46597: ssh: byte arithmetic causes underflow and panic - CVE-2026-39828: ssh: bypass of certificate restrictions - CVE-2026-39835: ssh: server panic during CheckHostKey/Authenticate - CVE-2026-39833: ssh/agent: key constraints not enforced - CVE-2026-39832: ssh/agent: agent constraints dropped when forwarding keys - CVE-2026-39827: ssh: memory leak when rejecting channels can lead to DoS - CVE-2026-39830: ssh: client can cause server deadlock on unexpected responses - CVE-2026-39829: ssh: pathological RSA/DSA parameters may cause DoS - CVE-2026-39831: ssh: bypass of FIDO/U2F security keys physical interaction - CVE-2026-39834: ssh: infinite loop on large channel writes - CVE-2026-42508: ssh/knownhosts: auth bypass via unenforced @revoked status - CVE-2026-46595: ssh: VerifiedPublicKeyCallback permissions skip enforcement Upgrade to version v0.41.0 of golang.org/x/image to address: - CVE-2026-42500: bmp: panic when reading out of bound palette index - CVE-2026-33809: tiff: excessive resource consumption in PackBits decompression Upgrade to version v0.45.0 of golang.org/x/sys to address: - CVE-2026-39824: windows: integer overflow in NewNTUnicodeString commit 139ccc7ffd6fb9bb71f39b2e7ee5f0bdd5961824 Author: Iizuki <36295229+Iizuki@users.noreply.github.com> Date: Thu May 21 12:09:25 2026 +0300 docs: s3: update doc link for force_path_style commit b3ddec50c679fc06f24a1d0a9b9af0f473fd4e10 Author: Nick Craig-Wood Date: Wed May 20 12:08:05 2026 +0100 s3: add new MEGA S4 endpoints on megas4.com including Asia-Pacific region MEGA S4 has launched a new dedicated domain megas4.com with three new endpoints, including their first Asia-Pacific location in Tokyo, plus new endpoints in Paris and Barcelona. The existing Amsterdam, Luxembourg, Montreal and Vancouver locations have been renamed onto the new domain. All current s4.mega.io endpoints continue to be supported and are retained as legacy options. New accounts use the megas4.com endpoints. commit 3cd224e03fead317638602d46a64f83d7d10561d Author: Nick Craig-Wood Date: Wed May 20 11:52:10 2026 +0100 docs: fix heading levels so sections appear in the table of contents The "Import/Export of google documents" section in drive.md and the "--b2-versions" examples section in b2.md were both at H4 instead of H3, which excluded them from the ToC even though they are top-level topics in their respective sections. commit 52af9caa14ca0f53895f8e9a74540fc1440994bd Author: William Tange Date: Tue May 19 10:18:58 2026 +0000 protondrive: fix corrupted on transfer: sha1 hashes differ Some SHA1 hashes of protondrive files are uppercase, so always converting to lowercase before comparing seems to be the solution. Fixes #7345 commit b2cb7f89c18dc129de991f2e590b110883295eac Author: Lucky945H <1355363613@qq.com> Date: Sun May 17 00:52:59 2026 +0800 vfs/vfscache: fix silent write failure when mounting with remote:. When mounting with 'remote:.' (dot notation for current directory), the '.' is passed through toOSPath() which encodes it to full-width '.' (U+FF0E) via EncodeDot. This caused the VFS cache data/meta root to be written to a full-width-dot directory while the local cache backend pointed to the canonicalized path, resulting in writes being cached but never uploaded. Fix by calling clean() on the relativeDirPath before toOSPath(), so path.Clean() strips the trailing '/.' removing the dot before encoding. commit 2292ba0cd45af97428ac7e051ce6af2567740198 Author: Leon Brocard Date: Fri May 15 19:12:47 2026 +0100 docs: fix misspellings Fix several misspellings in documentation and config comments detected by `misspell`. commit 07c87327ae821a7e64b00d3ca6b1d89c20e32978 Author: Sai Asish Y Date: Wed May 13 00:15:50 2026 -0700 webdav: honour auth_redirect on listAll PROPFIND - fixes #9159 commit 6cc0d1a0b0c2dcc997cb5f2f2fcf59a51b093d55 Author: Tore Anderson Date: Thu May 14 01:15:04 2026 +0200 jottacloud: support whitelabel service Phonero Sky Phonero is a Norwegian mobile provider focusing on the enterprise market. They provide rebranded Jottacloud service through their «Phonero Sky» (Norwegian for «Phonero Cloud»). The Client ID `desktop` used by most of the other whitelabel services does not work for Phonero Sky. Both `desktop-win` and `desktop-mac` work, though. Authentication does not work when the `jotta-default` scope is present, so drop it. This results in a Client ID and scope setup that is identical with that of Let's Go Cloud (Germany). commit 7a5e01b01501cab96002f8876bdc1f07a7357659 Author: FTCHD <144691102+FTCHD@users.noreply.github.com> Date: Thu May 14 00:04:19 2026 +0300 docs: add note about using config/update to reconnect an oauth remote commit bf111df84af6565930c6f102d78e1936d6d500c9 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed May 13 19:56:17 2026 +0100 build: bump github.com/go-git/go-billy/v5 to 5.9.0 to fix CVE-2026-44740 (again) The previous commit had no content due to copilot deleting it as I was merging it! Bumps [github.com/go-git/go-billy/v5](https://github.com/go-git/go-billy) from 5.8.0 to 5.9.0. - [Release notes](https://github.com/go-git/go-billy/releases) - [Commits](https://github.com/go-git/go-billy/compare/v5.8.0...v5.9.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-billy/v5 dependency-version: 5.9.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> commit 0b73e2b8587a8f90dc6ec8edc9dd6b2e253b9d1d Author: Nick Craig-Wood Date: Tue May 12 12:04:50 2026 +0100 docs: upgrade protondrive to tier 4 tests pass and community maintains commit e0f210cdc48f0060029cbfd914ad3929346adee1 Author: Alvinwylim <31592545+Alvinwylim@users.noreply.github.com> Date: Wed May 13 16:55:06 2026 +0800 drime: fix 500 errors when listing shared folders When using the drime backend to access a folder shared from another Drime account (via root_folder_id config option), listing the folder's children fails with HTTP 500. This makes cross-account read-only mounts non-functional. This fixes the problem by changing listAll to use `folderId` instead of `parentIds[]` Fixes #9420 commit 1c06bb92723c1eb225b7e65011f30c786f194c88 Author: nielash Date: Sun May 10 23:49:03 2026 -0400 bisync: fix --conflict-loser pathname with --conflict-resolve newer Before this change, --conflict-loser pathname assumed --conflict-resolve none, following the legacy behavior prior to v1.66. This produced unexpected behavior when used with a different --conflict-resolve option. This change fixes the issue by ensuring that --conflict-loser pathname looks for the correct name on the side not being renamed, when only one side should be renamed. https://forum.rclone.org/t/bisync-does-not-copy-the-winner-file-to-the-loser-site/53768 commit b2e1aa65dc8cc69ff9453221b2c5db2c458cdbe7 Author: Nick Craig-Wood Date: Mon May 11 11:51:29 2026 +0100 rc: remove duplicate metrics_addr option registration The metrics_addr option was registered twice: once explicitly and once implicitly via AddPrefix(libhttp.ConfigInfo, "metrics", ...). Both pointed at the same MetricsHTTP.ListenAddr field, so options/info returned a duplicate entry. Drop the explicit entry and use SetDefault to keep the empty default (so the metrics server stays off unless configured), matching the pattern already used for rc_addr. Fixes #9419 commit 3a414d8262f54e743eecad6c45f19060587d2833 Author: John Volk Date: Mon May 11 08:04:49 2026 -0400 drime: fix file doesn't exists error when trying to delete When using rcat to upload a new version of a file that already existed, the file upload would succeed. The subsequent deletion of the old file is attempted after the upload. Drime appears to handle the deletion of the old file automatically and returns HTTP status code 422, stating the "The selected entry ids is invalid." The deletion and the rcat would fail before this change. This is with file history enabled on my Drime account. This change detects the error and ignores it since the file has already been deleted. commit 24054305ce01c26be1e7808bb23528eafac9f81c Author: Nick Craig-Wood Date: Fri May 8 17:14:19 2026 +0100 Start v1.74.2-DEV development