Pico

Recent Commits

• Eric Bower (14 Jun 26)

  fix(pgs): broken url for imgproxy integration

• Silvio Tomatis (11 Jun 26)

  fix(pgs): never cache http-pass responses Password-protected (http-pass) projects could be read without the password. The shared cache keys entries on subdomain+method+uri with no auth component, and only declines to store responses marked private or no-store. http-pass assets were served as 200 with `cache-control: max-age=60, s-maxage=600, must-revalidate`, so the first authenticated request populated the cache and every subsequent unauthenticated visitor got a cache hit that bypassed the password gate for the duration of the TTL. Mark http-pass asset responses `private, no-store` so the shared cache refuses to store them. The override is applied after the user `_headers` are merged, so a project's own cache-control cannot re-enable caching of protected content. Adds a regression test asserting an http-pass response is served non-cacheable even when a `_headers` file requests aggressive caching.

• Eric Bower (31 May 26)

  fix: strip debug from linker

• Eric Bower (31 May 26)

  refactor: move go-rsync-receiver into pico monorepo

• Eric Bower (16 May 26)

  fix: require testcontainers for pico.sh ci

• Eric Bower (16 May 26)

  fix(ci): cleanup

• Eric Bower (16 May 26)

  chore(ci): cleanup

• Eric Bower (16 May 26)

  docs(pgs): help cmd for forms

• Eric Bower (11 May 26)

  chore: pico.sh ci script

• Eric Bower (11 May 26)

  fix(pgs): _headers should override default cache-control Closes: https://github.com/picosh/pico/issues/215

• Eric Bower (11 May 26)

  feat(tui): analytics now displays device breakdown You can see mobile vs desktop

• Eric Bower (11 May 26)

  docs: runbooks

• Eric Bower (11 May 26)

  fix: script

• Eric Bower (11 May 26)

  chore: script to find orphaned buckets

• Eric Bower (06 May 26)

  fix(auth): mime type can include charset e.g. text/html; charset=utf-8

• Eric Bower (05 May 26)

  chore(visits): new indexes and parallel queries

• Eric Bower (05 May 26)

  chore: remove dev artifacts

• Eric Bower (03 May 26)

  refactor(visits): aggregate visit tables Previously we had an analytics_visits table that held all the raw visit data. This mean our analytics UI was constantly executing queries across 18 mil records which was extremely slow. This change aggregates those analytics every month and then deletes all the raw data. We keep 2 months worth of raw data and then everything else gets pushed into the aggregate tables.

• Eric Bower (04 May 26)

  chore: script reap edits

• Eric Bower (03 May 26)

  fix: reap should look skip anyone that has pico+

• Eric Bower (03 May 26)

  chore: delete old analytics

• Eric Bower (03 May 26)

  chore: sql query to reap unused accounts References: https://pico.prose.sh/ann-036-reap-inactive-accounts

• Eric Bower (28 Apr 26)

  fix(httpcache): cdn accept encoding Two bugs combined to produce the broken behavior: Bug 1: CDN forwarded Accept-Encoding to upstream (cmd/pgs/cdn/main.go) proxyServe.ServeHTTP cloned the incoming request (including its Accept-Encoding: zstd header sent by Caddy) and forwarded it to ash.pgs.sh. The upstream responded with a zstd-compressed body + content-encoding: zstd. The CDN then cached that compressed blob. Caddy (sitting in front of the CDN) can't transcode zstd→nothing, so clients received raw zstd bytes named .xml. Fix: proxyReq.Header.Del("Accept-Encoding") before the upstream round-trip. The CDN should store one uncompressed representation per URL; Caddy handles per-client content encoding on egress. Bug 2: matchVary was looking in the wrong place (pkg/httpcache/serve.go, rw.go) When the response included Vary: Accept-Encoding, matchVary looked for Accept-Encoding in the response headers map — but Accept-Encoding is a request header and was never there. The cachedValue == "" branch silently continued, causing every request to match regardless of what encoding it accepted. Fix: ToCacheValue now accepts the *http.Request and snapshots the Vary-relevant request header values into a new CacheValue.VaryRequestHeaders map[string]string field. matchVary now compares the incoming request's headers against that snapshot instead of looking in response headers. Legacy entries with no VaryRequestHeaders are treated as misses so they repopulate correctly.

• Eric Bower (22 Apr 26)

  fix(pgs): dupe headers

• Eric Bower (22 Apr 26)

  chore(pgs): configurable max items for lru

• Eric Bower (22 Apr 26)

  chore: lint

• Eric Bower (22 Apr 26)

  chore: disable flaky test

• Eric Bower (22 Apr 26)

  chore(httpcache): cache-status cleanup and random bug fixes

• Eric Bower (21 Apr 26)

  chore: normalize header keys

• Eric Bower (21 Apr 26)

  chore: disable imgproxy tests We don't have them setup properly atm