Fourteen Releases, CLI Overhaul, Helm Charts & More

It's been about five weeks since the April newsletter and the release pace hasn't slowed down. Fourteen OSS releases, a major CLI rewrite, official Kubernetes Helm charts, new comparison pages, and a few blog posts. A lot to cover, so let's get to it.

Security Fix Reminder

If you missed the security notice on April 15th, a method to bypass authentication for anonymous file upload pushes was discovered and patched in v2.4.2 (with a backport to v1.69.4 LTS). Thank you to @pyuysig for the responsible disclosure. If you're self-hosting and haven't updated yet, please do.

Password Pusher Pro on pwpush.com

The hosted platform got a batch of updates since April. Here's what's new:

• New Workspace Dashboard — Your workspace now shows usage statistics at a glance — pushes, active members, and more. A proper overview instead of jumping straight into lists.
• Manager & Billing Roles — We've added two new account roles. Admins are unchanged. Existing non-admin members were automatically moved to Manager to preserve push/request visibility. Billing access is now limited to Admin and Billing roles only.
• Workspace Switcher — If you belong to multiple workspaces, a new switcher makes it easy to jump between them.
• 2FA Enforcement — Workspace admins can now require two-factor authentication for all workspace members. Available in your workspace security settings today.
• Improved Brand Editors — The brand editor has been rebuilt with dark mode support and improved image uploads for custom domains.
• Status Page — We now have a public status page at status.pwpush.com so you can check service health and subscribe to incident updates anytime.

You can always check recent product updates at What's New.

Open Source: v2.3.0 through v2.6.6

Since April we've shipped fourteen releases. Here are the highlights:

API v2 Feature Detection — v2.5.4 adds a features hash to the /api/v2/version endpoint. Clients can now detect what your instance supports at runtime — which edition, which features are enabled. This is the foundation for smarter integrations moving forward.

Custom CSS in the Admin Center — v2.6.0 moves custom CSS management into the admin UI. No more mounting Docker volumes with a custom.css file — edit your branding directly in the browser.

Auto Re-Blur — v2.4.3 adds automatic re-blur: revealed secrets blur again after 20 seconds of inactivity. One less thing to worry about with shoulder-surfing and unlocked workstations.

Browser-Native Timezones — v2.6.4 deprecates the PWP__TIMEZONE environment variable entirely. Timestamps are now driven by the viewer's browser — more accurate, fully localized, zero configuration.

MFA Enforcement — v2.4.0 adds a PWP__REQUIRE_MFA=true setting to force all users to have two-factor authentication enabled before they can log in. Community contribution by @Churfala.

Copyable Share Message — Fresh in v2.6.6: the push preview page now includes a pre-formatted, copyable message you can send alongside the link. Small addition, real time-saver.

Also in this cycle: hardened Content Security Policy with strict-dynamic (v2.5.0), theme auto-compilation so PWP_PRECOMPILE is no longer needed (v2.6.1), and the Show/Hide button for advanced push options (v2.2.2) by @ozovalihasan.

If you just want to try OSS v2 immediately: oss.pwpush.com

CLI Overhaul

The CLI tool went through a major upgrade cycle (v0.14.0 through v0.16.1):

• First-run configuration wizard — new users get guided setup
• Security hardening — config files locked to owner-only permissions, auth tokens masked in debug output
• Multi-account support — manage multiple Password Pusher instances from one CLI
• Requests API support — Pro users can create and manage Requests from the command line
• Piped input & JSON output — echo "secret" | pwpush push works now, and every command supports JSON for scripting
• New flags — --name to label pushes, --notify to trigger email notifications (Pro)

Helm Charts for Kubernetes

Official Helm charts for Self-Hosted Pro are now public. Three chart editions matching the Self-Hosted Pro tiers — Starter, Advanced, and Enterprise — with support for Argo CD and Kustomize. If you're deploying on Kubernetes, this is the recommended path now.

New on the Blog & Website

Three new blog posts since last time:

• A Text Input, Some Encryption, and a Submit Button — The Password Pusher origin story. Built in a weekend in 2011, organic growth for 14+ years, and where we are today.
• Looking for Bitwarden Send Alternatives? — An honest look at what actually matters when choosing a sharing tool, written in response to Bitwarden's recent price increase.
• Password Pusher for MSPs — Announcing the dedicated /msp landing page and the Partner Program.

We've also added dedicated comparison pages for Bitwarden Send, 1Password, and OneTimeSecret — honest feature-by-feature breakdowns including where the other tools do things better.

3,000 Stars on GitHub

We crossed 3,000 stars this month. Thank you to everyone who starred, forked, and shared the project. Every bit of visibility helps.

Community Contributors

A huge thank you to everyone who contributed this cycle:

• @pyuysig — responsible disclosure of the file upload auth bypass
• @Churfala — MFA enforcement setting
• @sfaxluke — API v2 error reporting, GitHub issue form templates
• @Hellowlol — CLI safety improvements

Your contributions make Password Pusher better for everyone.

What's Next

• OSS: Auto-dispatch — auto-email push links directly to recipients
• Self-Hosted Pro: More Helm chart updates and deployment tooling

Thank You

Thanks for making it to the end! If you can, please star the GitHub repository and share the project with anyone who might find it useful.

This newsletter is still the extent of our marketing. We've never run an ad. Organic growth and word-of-mouth has brought us this far. Every share, every star, and every recommendation matters.

Thank you to everyone running Password Pusher in production, supporting through subscriptions, filing issues, and sharing feedback.

Peter Giacomo Lombardo & the Apnotic Team

Stay Connected

• Hosted Pro: pwpush.com
• Self-Hosted Pro: Self-Hosted Pricing
• Open Source: github.com/pglombardo/PasswordPusher
• Docker Images: pglombardo/pwpush
• Blog: docs.pwpush.com/blog