- **New Function**: `sqlpage.oidc_logout_url(redirect_uri)` - Genera…

…tes a secure logout URL for OIDC-authenticated users with support for [RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout)

 - Fix compatibility with Auth0 for OpenID-Connect authentification. See ramosbugs/openidconnect-rs#23
 - updated sql parser: https://github.com/apache/datafusion-sqlparser-rs/blob/main/changelog/0.60.0.md
 - updated apexcharts to 5.3.6:
   - apexcharts/apexcharts.js@v5.3.0...v5.3.6
   - https://github.com/apexcharts/apexcharts.js/releases/tag/v5.3.6
 - re-add the `lime` color option to charts
 - update default chart color palette; use [Open Colors](https://yeun.github.io/open-color/)
   - <img width="2077" height="978" alt="image" src="https://github.com/user-attachments/assets/839bd318-c4cd-419c-8f04-a583399e0512" />
 - re-enable text drop shadow in chart data labels

performance improvements, bug fixes, backwards incompatible variable

handling changes

- OIDC login redirects now use HTTP 303 responses so POST submissions are converted to safe GET requests before reaching the identity provider, fixing incorrect reuse of the original POST (HTTP 307) that could break standard auth flows.
 - SQLPage now respects [HTTP accept headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Accept) for JSON. You can now easily process the contents of any existing sql page programmatically with:
    - `curl -H "Accept: application/json" http://example.com/page.sql`: returns a json array
    - `curl -H "Accept: application/x-ndjson" http://example.com/page.sql`: returns one json object per line.
 - Fixed a bug in `sqlpage.link`: a link with no path (link to the current page) and no url parameter now works as expected. It used to keep the existing url parameters instead of removing them. `sqlpage.link('', '{}')` now returns `'?'` instead of the empty string.
 - `sqlpage.fetch(null)` and `sqlpage.fetch_with_meta(null)` now return `null` instead of throwing an error.
 - **New Function**: `sqlpage.set_variable(name, value)`
   - Returns a URL with the specified variable set to the given value, preserving other existing variables.
   - This is a shorthand for `sqlpage.link(sqlpage.path(), json_patch(sqlpage.variables('get'), json_object(name, value)))`.
 - **Variable System Improvements**: URL and POST parameters are now immutable, preventing accidental modification. User-defined variables created with `SET` remain mutable.
   - **BREAKING**: `$variable` no longer accesses POST parameters. Use `:variable` instead.
     - **What changed**: Previously, `$x` would return a POST parameter value if no GET parameter named `x` existed.
     - **Fix**: Replace `$x` with `:x` when you need to access form field values.
     - **Example**: Change `SELECT $username` to `SELECT :username` when reading form submissions.
   - **BREAKING**: `SET $name` no longer makes GET (URL) parameters inaccessible when a URL parameter with the same name exists.
     - **What changed**: `SET $name = 'value'` would previously overwrite the URL parameter `$name`. Now it creates an independent SET variable that shadows the URL parameter.
     - **Fix**: This is generally the desired behavior. If you need to access the original URL parameter after setting a variable with the same name, extract it from the JSON returned by `sqlpage.variables('get')`.
     - **Example**: If your URL is `page.sql?name=john`, and you do `SET $name = 'modified'`, then:
       - `$name` will be `'modified'` (the SET variable)
       - The original URL parameter is still preserved and accessible:
         - `sqlpage.variables('get')->>'name'` returns `'john'`
   - **New behavior**: Variable lookup now follows this precedence:
     - `$variable` checks SET variables first, then URL parameters
     - SET variables always shadow URL/POST parameters with the same name
   - **New sqlpage.variables() filters**:
     - `sqlpage.variables('get')` returns only URL parameters as JSON
     - `sqlpage.variables('post')` returns only POST parameters as JSON
     - `sqlpage.variables('set')` returns only user-defined SET variables as JSON
     - `sqlpage.variables()` returns all variables merged together, with SET variables taking precedence
   - **Deprecation warnings**: Using `$var` when both a URL parameter and POST parameter exist with the same name now shows a warning. In a future version, you'll need to explicitly choose between `$var` (URL) and `:var` (POST).
 - Improved performance of `sqlpage.run_sql`.
   - On a simple test that just runs 4 run_sql calls, the new version is about 2.7x faster (15,708 req/s vs 5,782 req/s) with lower latency (0.637 ms vs 1.730 ms per request).
 - add support for postgres range types

v0.39.1 (2025-11-08)

 - More precise server timing tracking to debug performance issues
 - Fix missing server timing header in some cases
 - Implement nice error messages for some header-related errors such as invalid header values.
 - `compress_responses` is now set to `false` by default in the configuration.
  - When response compression is enabled, additional buffering is needed. Users reported a better experience with pages that load more progressively, reducing the time before the pages' shell is rendered.
  - When SQLPage is deployed behind a reverse proxy, compressing responses between sqlpage and the proxy is wasteful.
 - In the table component, allow simple objects in custom_actions instead of requiring arrays of objects.
 - Fatser icon loading. Previously, even a page containing a single icon required downloading and parsing a ~2MB file. This resulted in a delay where pages initially appeared with a blank space before icons appeared. Icons are now inlined inside pages and appear instantaneously.
 - Updated tabler icons to 3.35
 - Fix inaccurate ODBC warnings
 - Added support for Microsoft SQL Server named instances: `mssql://user:pass@localhost/db?instance_name=xxx`
 - Added a detailed [performance guide](https://sql-page.com/blog?post=Performance+Guide) to the docs.

improved errors, table action URLs, Server-Timing, ODBC fixes, new lo…

…gin component.

 - Ability to execute sql for URL paths with another extension. If you create sitemap.xml.sql, it will be executed for example.com/sitemap.xml
 - Display source line info in errors even when the database does not return a precise error position. In this case, the entire problematic SQL statement is referenced.
 - The shell with a vertical sidebar can now have "active" elements, just like the horizontal header bar.
 - New `edit_url`, `delete_url`, and `custom_actions` properties in the [table](https://sql-page.com/component.sql?component=table) component to easily add nice icon buttons to a table.
 - SQLPage now sets the [`Server-Timing` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Server-Timing) in development. So when you have a page that loads slowly, you can open your browser's network inspector, click on the slow request, then open the timing tab to understand where it's spending its time.
   - <img width="1250" height="1263" alt="image" src="https://github.com/user-attachments/assets/6781a31f-e342-4e8c-8506-bc47049ce313" />
 - Fixed a memory corruption issue in the builtin odbc driver manager
 - ODBC: fix using globally installed system drivers by their name in debian-based linux distributions.
 - New [login](https://sql-page.com/component.sql?component=table) component.

Now SQLPage can connect to ANY relational database

 - Added support for the Open Database Connectivity (ODBC) standard.
   - This makes SQLPage compatible with many new databases, including:
    - [*ClickHouse*](https://github.com/ClickHouse/clickhouse-odbc),
    - [*MongoDB*](https://www.mongodb.com/docs/atlas/data-federation/query/sql/drivers/odbc/connect),
    - [*DuckDB*](https://duckdb.org/docs/stable/clients/odbc/overview.html), and through it [many other data sources](https://duckdb.org/docs/stable/data/data_sources),
    - [*Oracle*](https://www.oracle.com/database/technologies/releasenote-odbc-ic.html),
    - [*Snowflake*](https://docs.snowflake.com/en/developer-guide/odbc/odbc),
    - [*BigQuery*](https://cloud.google.com/bigquery/docs/reference/odbc-jdbc-drivers),
    - [*IBM DB2*](https://www.ibm.com/support/pages/db2-odbc-cli-driver-download-and-installation-information),
    - [*Trino*](https://docs.starburst.io/clients/odbc/odbc-v2.html), and through it [many other data sources](https://trino.io/docs/current/connector.html)
 - Added a new `sqlpage.hmac()` function for cryptographic HMAC (Hash-based Message Authentication Code) operations.
   - Create and verify secure signatures for webhooks (Shopify, Stripe, GitHub, etc.)
   - Generate tamper-proof tokens for API authentication
   - Secure download links and temporary access codes
   - Supports SHA-256 (default) and SHA-512 algorithms
   - Output formats: hexadecimal (default) or base64 (e.g., `sha256-base64`)
   - See the [function documentation](https://sql-page.com/functions.sql?function=hmac) for detailed examples
 - Fixed a slight spacing issue in the list components empty value display.
 - Improved performance of setting a variable to a literal value. `SET x = 'hello'` is now executed locally by SQLPage and does not send anything to the database. This completely removes the cost of extracting static values into variables for cleaner SQL files.
 - Enable arbitrary precision in the internal representation of numbers. This guarantees zero precision loss when the database returns very large or very small DECIMAL or NUMERIC values.

Adds support for many new database systems through ODBC. This is a be…

…ta version, please report any bug you may find.

small bugfix release

 - fixed decoding of UUID values
 - Fixed handling of NULL values in `sqlpage.link`. They were encoded as the string `'null'` instead of being omitted from the link's parameters.
 - Enable submenu autoclosing (on click) in the shell. This is not ideal, but this prevents a bug introduced in v0.36.0 where the page would scroll back to the top when clicking anywhere on the page after navigating from a submenu. The next version will fix this properly. See #1011
 - Adopt the new nice visual errors introduced in v0.37.1 for '403 Forbidden' and '429 Too Many Requests' errors.
 - Fix a bug in oidc login flows. When two tabs in the same browser initiated a login at the same time, an infinite redirect loop could be triggered. This mainly occured when restoring open tabs after a period of inactivity, often in mobile browsers.
 - Multiple small sql parser improvements.
   - Adds support for MERGE queries inside CTEs, and MERGE queries with a RETURNING clause.
   -  https://github.com/apache/datafusion-sqlparser-rs/blob/main/changelog/0.59.0.md

multiple bug fixes and improvements

 - We now cryptographically sign the Windows app during releases, which proves the file hasn’t been tampered with. Once the production certificate is active, Windows will show a "verified publisher" and should stop showing screens saying "This app might harm your device", "Windows protected your PC" or "Are you sure you want to run this application ?".
   - Thanks to https://signpath.io for providing us with a windows signing certificate !
 - Added a new parameter `encoding` to the [fetch](https://sql-page.com/functions.sql?function=fetch) function:
  - All [standard web encodings](https://encoding.spec.whatwg.org/#concept-encoding-get) are supported.
  - Additionally, `base64` can be specified to decode binary data as base64 (compatible with [data URI](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs))
  - By default, the old behavior of the `fetch_with_meta` function is preserved: the response body is decoded as `utf-8` if possible, otherwise the response is encoded in `base64`.
 - Added a specific warning when a URL parameter and a form field have the same name. The previous general warning about referencing form fields with the `$var` syntax was confusing in that case.
 - [modal](https://sql-page.com/component.sql?component=modal) component: allow opening modals with a simple link.
   - This allows you to trigger modals from any other component, including tables, maps, forms, lists and more.
   - Since modals have their own url inside the page, you can now link to a modal from another page, and if you refresh a page while the modal is open, the modal will stay open.
   - modals now have an `open` parameter to open the modal automatically when the page is loaded.
 - New [download](https://sql-page.com/component.sql?component=download) component to let the user download files. The files may be stored as BLOBs in the database, local files on the server, or may be fetched from a different server.
 - **Enhanced BLOB Support**. You can now return binary data (BLOBs) directly to sqlpage, and it will automatically convert them to data URLs. This allows you to use database BLOBs directly wherever a link is expected, including in the new download component.
   - supports columns of type `BYTEA` (PostgreSQL), `BLOB` (MySQL, SQLite), `VARBINARY` and `IMAGE` (mssql)
   - Automatic detection of common file types based on magic bytes
   - This means you can use a BLOB wherever an image url is expected. For instance:
     ```sql
     select 'list' as component;
     select username as title, avatar_blob as image_url
     from users;
     ```
 - When a sql file is saved with the wrong character encoding (not UTF8), SQLPage now displays a helpful error messages that points to exactly where in the file the problem is.
 - More visual error messages: errors that occured before (such as file access issues) used to generate plain text messages that looked scary to non-technical users. All errors are now displayed nicely in the browser.
 - The form component now considers numbers and their string representation as equal when comparing the `value` parameter and the values from the `options` parameter in dropdowns. This makes it easier to use variables (which are always strings) in the value parameter in order to preserve a dropdown field value across page reloads. The following is now valid:
    - ```sql
      select 'form' as component;
      select
          'select' as type,
          true as create_new,
          true as dropdown,
          '2' as value, -- passed as text even if the option values are passed as integers
          '[{"label": "A", "value": 1}, {"label": "B", "value": 2}]' as options;
      ```

small bugfix release

 - Fix regression introduced in v0.36.0: PostgreSQL money values showed as 0.0
   - The recommended way to display money values in postgres is still to format them in the way you expect in SQL. See #983
 - updated dependencies

Let's draft these release notes in a way that's focused on the end-us…

…er experience. We'll highlight what new features and improvements mean for users interacting with the software.

---

Hello everyone! We've been working hard to bring you a range of new features and improvements in this update. Here's what's new and how it benefits you:

1. **Database Enhancements:**
   - We now support the `MONEY` and `SMALLMONEY` types in MSSQL. If you're dealing with financial data, this makes your life easier.
   - Added math functions to the built-in SQLite database, which means you can perform more calculations directly in your queries without extra work.

2. **Migration Files:**
   - You can now create empty migration files directly from the command line using the `sqlpage create-migration` command. This simplifies setting up new database changes.

3. **New Component:**
   - Introducing the new modal component. This allows you to display content in a popup window, improving the user interface and experience.

4. **Chart Improvements:**
   - Bar charts now sort categories by name rather than by their first appearance. This makes cumulative bar charts easier to interpret, especially when some data points are missing.
   - Pie charts now accept numerical values passed as strings, making it more flexible to create these charts.

5. **Updates and Fixes:**
   - Updated Tabler to version 1.4 and Tabler Icons to version 3.34. You now have access to 19 new icons for your projects.
   - Enhanced file-based routing: Requests to `/xxx` will now redirect to `/xxx/` only if `/xxx/index.sql` exists, resulting in a more intuitive navigation experience.
   - Fixed an issue where SSO logins would fail over time due to key rotation by identity providers. Now, the system refreshes provider metadata periodically, ensuring smoother and more reliable logins.

6. **Single Sign-On (SSO) Improvements:**
   - We've added support for partially private sites with OIDC SSO. This means you can have both public and private pages in the same application. It’s now easier to create a login page that redirects to your OIDC provider.
   - SQLPage can now read custom claims from SSO tokens. This lets you configure your identity provider to include user-specific data (like roles or permissions) in the login token, enabling dynamic content tailored to the authenticated user.

7. **Bug Fixes:**
   - Fixed an issue with URL parameters during SSO login. Now, if an anonymous user visits a page with URL parameters and logs in, they’ll be correctly redirected to that page with all parameters intact.

8. **SQL Parser Updates:**
   - Added support for Postgres text search types (tsquery and tsvector).
   - Fixed parsing of LIMIT in subqueries and improved handling of JOIN precedence and Unicode identifiers.
   - Support for MySQL `MEMBER OF`, making it easier to work with JSON arrays.

We hope these updates make your experience with SQLPage even better. As always, we appreciate your feedback and are here to help if you have any questions or run into issues.

Happy querying!

---

Hello everyone! We've been working hard to bring you a range of new features and improvements in this update. Here's what's new and how it benefits you:

1. **Database Enhancements:**
   - We now support the `MONEY` and `SMALLMONEY` types in MSSQL, which is handy if you're dealing with financial data.
   - Added math functions to the built-in SQLite database, allowing you to perform more calculations directly in your queries.

2. **Migration Files:**
   - You can now create empty migration files directly from the command line using the `sqlpage create-migration` command, making it easier to set up new database changes.

3. **New Component:**
   - Introducing the new modal component. This allows you to display content in a popup window, improving the user interface and experience.

4. **Chart Improvements:**
   - Bar charts now sort categories by name rather than by their first appearance. This makes cumulative bar charts easier to interpret, especially when some data points are missing.
   - Pie charts now accept numerical values passed as strings, making it more flexible to create these charts.

5. **Updates and Fixes:**
   - Updated Tabler to version 1.4 and Tabler Icons to version 3.34, giving you access to 19 new icons for your projects.
   - Enhanced file-based routing: Requests to `/xxx` will now redirect to `/xxx/` only if `/xxx/index.sql` exists, resulting in a more intuitive navigation experience.
   - Fixed an issue where SSO logins would fail over time due to key rotation by identity providers. Now, the system refreshes provider metadata periodically, ensuring smoother and more reliable logins.

6. **Single Sign-On (SSO) Improvements:**
   - We've added support for partially private sites with OIDC SSO. This means you can have both public and private pages in the same application. It’s now easier to create a login page that redirects to your OIDC provider.
   - SQLPage can now read custom claims from SSO tokens. This lets you configure your identity provider to include user-specific data (like roles or permissions) in the login token, enabling dynamic content tailored to the authenticated user.

7. **Bug Fixes:**
   - Fixed an issue with URL parameters during SSO login. Now, if an anonymous user visits a page with URL parameters and logs in, they’ll be correctly redirected to that page with all parameters intact.

8. **SQL Parser Updates:**
   - Added support for Postgres text search types (tsquery and tsvector).
   - Fixed parsing of LIMIT in subqueries and improved handling of JOIN precedence and Unicode identifiers.
   - Support for MySQL `MEMBER OF`, making it easier to work with JSON arrays.

We hope these updates make your experience with SQLPage even better. As always, we appreciate your feedback and are here to help if you have any questions or run into issues.

Happy querying!