Releases: rwinkhart/libmutton
v0.5.0
libmutton v0.5.0
February 17, 2026
This release adds password age-tracking support and features large refactors that improve the robustness of core functionality. Many breaking changes are present. Highlights are listed below.
Breaking (for users+developers)
- USERS: These changes require updating your copy of
libmuttonserver; additionally, you must re-generate your config file however your client allows (e.g.mutn init) - (50d51f9) Password age tracking support
- libmutton now tracks when passwords were last updated
- Clients can use this information to warn users when passwords should be changed
- Random (within the last year) age data can be added to existing password entries
- This allows easing into this feature, rather than having all your passwords expire on the same day
- Developers: see the new
agepackage
- (e355c81) (f16078f) (4e6c18d) (2ab777f) (941a2dc) (35db3bf) (5e5a7c5) (07571a6) (d0e8640) (3b4e75b) Massive sync refactor
- Sync info is now passed from the server to the client using rigidly defined JSON types
- This greatly improves code maintainability and reduces potential for bugs
- Sync now supports password age tracking data
- Sync info is now passed from the server to the client using rigidly defined JSON types
- (b591e2e) (571bc0a) New config file format
libmutton.iniis nowlibmuttoncfg.json- This format change was made since the JSON package was being adopted for the sync refactor (the
gopkg.in/ini.v1dependency can now be dropped)
- This format change was made since the JSON package was being adopted for the sync refactor (the
- Developers: see the new
configpackage, replacing the oldcfgpackage
- (6d3e3cd) Dropped built-in Termux support to simplify builds (clients can still implement this on their own)
Breaking (for developers)
- (bf1399c) (9703790) (a0f21b3) (80cf657) (8d1dd48) (c63dff4) (336dc5c) (04e1b0d) (d2a6ed5) (fdce036) (6004a94) Massive clipboard refactor
- Added new
clippackage - Non-continuous TOTP copy must use
core.GenTOTPdirectly- The typical copy workflow now only supports continuous copy
- Dropped mobile clipboard support
- This can/should be handled by the GUI toolkit
- Added new
- (2828678) (a18c3ea) (5e5a7c5) (4467a8c)
core.LibmuttonInitoverhaul- Now supports non-destructive append
- Now supports custom device ID prefixes
New (non-breaking)
Fixes
- (2054f5b) Reduced clipboard latency on Windows
- (f82b35b) Fixed background processes dying w/terminal on Windows
Dependencies (direct/replaced)
- Dropped
- golang.design/x/clipboard
- gopkg.in/ini.v1
- Bumped
- Go: v1.25.4 => v1.26.0
- github.com/rwinkhart/go-boilerplate: v0.1.0 => v0.3.1
- github.com/rwinkhart/rcw: v0.2.4 => v0.3.0
- golang.org/x/crypto: v0.45.0 => v0.48.0
- github.com/rwinkhart/sys: v0.38.0 => v0.41.0
v0.4.4
libmutton v0.4.4
November 23, 2025
This release fixes a minor bug and dependency-derived security issues.
Fixes
- (711515f) Fix subprocesses being killed prematurely when the main process is force quit
- Fixes issues with master password caching and clipboard clearing
Dependencies
- Bumped (direct/replaced)
- golang.org/x/crypto: v0.43.0 => v0.45.0
- Addresses CVE-2025-58181 and CVE-2025-47914
- github.com/rwinkhart/rcw: v0.2.3 => v0.2.4
- golang.org/x/crypto: v0.43.0 => v0.45.0
v0.4.2
libmutton v0.4.2
November 09, 2025
This is purely a dependency bump release.
Dependencies
- Bumped (direct/replaced)
- Go: v1.25.3 => v1.25.4
- github.com/rwinkhart/rcw: v0.2.2 => v0.2.3
- github.com/rwinkhart/peercred-mini: v0.1.1 => v0.1.2
- github.com/rwinkhart/sys: v0.37.0 => v0.38.0
- github.com/rwinkhart/go-winio-easy-pipe-handles: switched to tagged v0.1.0 of
github.com/rwinkhart/go-winio
v0.4.1
libmutton v0.4.1
October 26, 2025
This is a dependency bump release with only minor changes for developers.
Breaking (for developers)
- (b9175d7) Standardized on "password" rather than a mix of "passphrase"/"password"
- Some function names changed as a result
- (aa10016) Developers using
LibmuttonInitcan now force clients into offline mode programmatically- This means
LibmuttonInitnow requires an extra parameter
- This means
Dependencies
- Bumped (direct/replaced)
- Go: v1.24.6 => v1.25.3
- github.com/pkg/sftp: v1.13.9 => v1.13.10
- golang.org/x/crypto: v0.41.0 => v0.43.0
- github.com/rwinkhart/sys: v0.35.0 => v0.37.0
v0.4.0
libmutton v0.4.0
August 17, 2025
This is the largest update to libmutton yet, and as such, these patch notes are non-exhaustive.
Many minor changes and fixes to features mentioned in these patch notes have been made.
Please see the commit history for a more complete list of changes.
Breaking (for users)
- GPG has been entirely replaced with RCW
- All entries created in previous versions must be converted using this conversion program
- Steam TOTP keys now must be in base32 format
- (3c5db78) Release binaries of
libmuttonservernow target x86_64_v2 and arm64v8.7 - (3dd07e7) Offline mode is now manually specified in libmutton.ini
Breaking (for developers)
- libmutton has been further modularized
- The
corepackage has been split intocore,global,crypt, andcfg - The
syncpackage has been split intosyncclient,syncserver,synccommon, andsynccycles - This decreases the size of the server binary and allows for more modular clients
- The
- (40f0f35) Errors are now returned, rather than printed
Features
- (111324c) Deletions (server-side) now follow the client through device ID changes
- (ca277ba) Added the
EntryRefresh()function for re-encrypting entries with a new passphrase/optimizing bloated entries - (74b8261) Added the
LibmuttonInit()function to ensure clients initialize libmutton as intended - (bed23e9) (41a12c6) Added iOS clipboard support
- (3fdcc9e) (1a66a30) (d023058) Support one-time TOTP copy
- (fb2120c) Support custom device ID prefixes
Fixes
- (50ab27c) libmutton.ini is now always created with 0600 permissions on *nix platforms
- (4a0e0f8) Old devices IDs are no longer removed from clients when registration of a new device ID fails
Dependencies
- Dropped
- github.com/fortis/go-steam-totp (functionality now covered by github.com/pquerna/otp)
- Bumped (direct)
- Go: v1.24.2 => v1.24.6
- github.com/pquerna/otp: v1.4.1-0.20231130234153-3357de7c0481 => v1.5.0
- golang.design/x/clipboard: v0.7.0 => v0.7.1
- golang.org/x/crypto: v0.37.0 => v0.41.0
- Added (direct)
- github.com/rwinkhart/go-boilerplate v0.1.0
- github.com/rwinkhart/rcw v0.2.2
v0.3.1
libmutton v0.3.1
April 21, 2025
Features
- (da95ede) Added
EntryAddPrecheck()utility function for ensuring the target locations for new entries are valid - (1722375) (4492473) (0f90e82) Added initial native Android support
- (51bb67f) Split device ID retrieval into dedicated exported function,
GetCurrentDeviceID - (4ed816c) Allow more control over string generation to improve generated password compatibility
Fixes
- (51bb67f) Fixed clients having multiple device IDs after failed registrations
- (451d695) Fixed inability to add a folder on the server if the folder was already created on a client that failed to sync
Dependencies
- Bumps (direct and indirect)
- Go: v1.24.0 => v1.24.2
- github.com/pkg/sftp: v1.13.7 => v1.13.9
- golang.org/x/crypto: v0.34.0 => v0.37.0
- golang.org/x/sys: v0.30.0 => v0.32.0
- New
- Android builds only
- golang.design/x/clipboard v0.7.0
- golang.org/x/exp/shiny v0.0.0-20250408133849-7e4ce0ab07d0
- golang.org/x/image v0.26.0
- golang.org/x/mobile v0.0.0-20250408133729-978277e7eaf7
- golang.design/x/clipboard v0.7.0
- Android builds only
v0.3.0
libmutton v0.3.0
February 22, 2025
Features
- (f9aa2fc) (d2034b4) (81b7806) (e9d0c37)
core.LaunchClipClearProcess,core.WriteToStdin,core.ExpandPathWithHome, andcore.PrintErrorare now exported utility functions for direct use by clients - (c28d45c) One-off sync functions can now be forced to run in offline mode
- (5028fb2) SSH connection attempts now have a 3-second timeout
- (89b74ce) Individual keys can now be removed from the config file
- Many features for building interactive (GUI/TUI) clients
- (619e422) Clipboard clearing can now be handled much more sensibly by interactive clients
- (3b57d59) (55be8a3) The clipboard can now be cleared instantly (no timer); useful for clearing on client exit
- (2feeeb7)
core.ParseConfignow returns errors for proper handling in interactive clients - (68e3108)
sync.RunJobcan now return lists of synchronized entries for display in interactive clients
Fixes
- (eb2b349) Deletions are now synchronized before folders to avoid sync failures under unlikely conditions
- (fc1cd34) Double-space line breaks with Markdown formatting are now preserved when saving an entry
- (4689cae) Sheared folder names now always end in a trailing slash for clarity and reduced duplicate entries in the deletions directory
- Many fixes for building interactive (GUI/TUI) clients
- (1cebb39) The soft exit function now specifies a return value
- (a4a39a3) Passphrase-protected SSH identity files are no longer broken for interactive clients
- (1c650d4) (0162b73) Interactive clients will no longer crash on SSH dialing failures
- (173574e) Error messages not making sense for interactive clients have been addressed
Optimizations
- (f2f9c52) An unnecessary variable declaration was removed in
core.DecryptGPG - (fb5449c) A redundant (and late) check for the pre-existence of a new entry has been removed
- (e9d0c37)
core.PrintErrorcan be used to decrease the overall size of client binaries through code re-use
Dependencies
- Bumps (direct and indirect)
- Go: v1.23.4 => v1.24.0
- golang.org/x/crypto: v0.31.0 => v0.34.0
- golang.org/x/sys: v0.28.0 => v0.30.0
v0.2.4
libmutton v0.2.4
December 13, 2024
IMPORTANT
- This release includes a dependency bump to address a high-severity CVE (CVE-2024-45337) - Please update as soon as possible!
Changes
- (91fdeb5) The MIME type of data copied to the clipboard on UNIX-like systems (X11 and Wayland) is now statically set to "text/plain" to avoid potential issues with type inference
Dependencies
- Bumps (direct and indirect)
- Go: v1.23.2 => v1.23.4
- github.com/pkg/sftp: v1.13.6 => v1.13.7
- golang.org/x/crypto: v0.28.0 => v0.31.0
- Addresses CVE-2024-45337
- golang.org/x/sys: v0.26.0 => v0.28.0
- golang.org/x/term: v0.25.0 => v0.27.0
v0.2.3
libmutton v0.2.3
October 19, 2024
Fixes
- (1fb2834) Fixed renaming/moving an entry/folder to an invalid path still having clients request the operation on the server
Dependencies
- Bumps (direct and indirect)
- Go: v1.22.6 => v1.23.2
- golang.org/x/crypto: v0.26.0 => v0.28.0
- golang.org/x/sys: v0.24.0 => v0.26.0
- golang.org/x/term: v0.23.0 => v0.25.0