- **New Function**: `sqlpage.web_root()` - Returns the web root direc…

…tory where SQLPage serves `.sql` files from. This is more reliable than `sqlpage.current_working_directory()` when you need to reference the location of your SQL files, especially when the `--web-root` argument or `WEB_ROOT` environment variable is used.

- **New Function**: `sqlpage.configuration_directory()` - Returns the configuration directory where SQLPage looks for `sqlpage.json`, templates, and migrations. Useful when you need to reference configuration-related files in your SQL code.
- fix: The default welcome page (`index.sql`) now correctly displays the web root and configuration directory paths instead of showing the current working directory.
- fix: `sqlpage.variables()` now does not return json objects with duplicate keys when post, get and set variables of the same name are present. The semantics of the returned values remains the same (precedence: set > post > get).
- add support for some duckdb-specific (like `select {'a': 1, 'b': 2}`), and oracle-specific syntax dynamically when connected through odbc.
- better oidc support. Single-sign-on now works with sites:
  - using a non-default `site_prefix`
  - hosted behind an ssl-terminating reverse proxy
- New docker image variant: `lovasoa/sqlpage:latest-duckdb`, `lovasoa/sqlpage:main-duckdb` with preconfigured duckdb odbc drivers.
- New config option: `cache_stale_duration_ms` to control the duration for which cached sql files are considered fresh.

 - **New Function**: `sqlpage.oidc_logout_url(redirect_uri)` - Genera…

…tes a secure logout URL for OIDC-authenticated users with support for [RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout)

 - Fix compatibility with Auth0 for OpenID-Connect authentification. See ramosbugs/openidconnect-rs#23
 - updated sql parser: https://github.com/apache/datafusion-sqlparser-rs/blob/main/changelog/0.60.0.md
 - updated apexcharts to 5.3.6:
   - apexcharts/apexcharts.js@v5.3.0...v5.3.6
   - https://github.com/apexcharts/apexcharts.js/releases/tag/v5.3.6
 - re-add the `lime` color option to charts
 - update default chart color palette; use [Open Colors](https://yeun.github.io/open-color/)
   - <img width="2077" height="978" alt="image" src="https://github.com/user-attachments/assets/839bd318-c4cd-419c-8f04-a583399e0512" />
 - re-enable text drop shadow in chart data labels

performance improvements, bug fixes, backwards incompatible variable

handling changes

- OIDC login redirects now use HTTP 303 responses so POST submissions are converted to safe GET requests before reaching the identity provider, fixing incorrect reuse of the original POST (HTTP 307) that could break standard auth flows.
 - SQLPage now respects [HTTP accept headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Accept) for JSON. You can now easily process the contents of any existing sql page programmatically with:
    - `curl -H "Accept: application/json" http://example.com/page.sql`: returns a json array
    - `curl -H "Accept: application/x-ndjson" http://example.com/page.sql`: returns one json object per line.
 - Fixed a bug in `sqlpage.link`: a link with no path (link to the current page) and no url parameter now works as expected. It used to keep the existing url parameters instead of removing them. `sqlpage.link('', '{}')` now returns `'?'` instead of the empty string.
 - `sqlpage.fetch(null)` and `sqlpage.fetch_with_meta(null)` now return `null` instead of throwing an error.
 - **New Function**: `sqlpage.set_variable(name, value)`
   - Returns a URL with the specified variable set to the given value, preserving other existing variables.
   - This is a shorthand for `sqlpage.link(sqlpage.path(), json_patch(sqlpage.variables('get'), json_object(name, value)))`.
 - **Variable System Improvements**: URL and POST parameters are now immutable, preventing accidental modification. User-defined variables created with `SET` remain mutable.
   - **BREAKING**: `$variable` no longer accesses POST parameters. Use `:variable` instead.
     - **What changed**: Previously, `$x` would return a POST parameter value if no GET parameter named `x` existed.
     - **Fix**: Replace `$x` with `:x` when you need to access form field values.
     - **Example**: Change `SELECT $username` to `SELECT :username` when reading form submissions.
   - **BREAKING**: `SET $name` no longer makes GET (URL) parameters inaccessible when a URL parameter with the same name exists.
     - **What changed**: `SET $name = 'value'` would previously overwrite the URL parameter `$name`. Now it creates an independent SET variable that shadows the URL parameter.
     - **Fix**: This is generally the desired behavior. If you need to access the original URL parameter after setting a variable with the same name, extract it from the JSON returned by `sqlpage.variables('get')`.
     - **Example**: If your URL is `page.sql?name=john`, and you do `SET $name = 'modified'`, then:
       - `$name` will be `'modified'` (the SET variable)
       - The original URL parameter is still preserved and accessible:
         - `sqlpage.variables('get')->>'name'` returns `'john'`
   - **New behavior**: Variable lookup now follows this precedence:
     - `$variable` checks SET variables first, then URL parameters
     - SET variables always shadow URL/POST parameters with the same name
   - **New sqlpage.variables() filters**:
     - `sqlpage.variables('get')` returns only URL parameters as JSON
     - `sqlpage.variables('post')` returns only POST parameters as JSON
     - `sqlpage.variables('set')` returns only user-defined SET variables as JSON
     - `sqlpage.variables()` returns all variables merged together, with SET variables taking precedence
   - **Deprecation warnings**: Using `$var` when both a URL parameter and POST parameter exist with the same name now shows a warning. In a future version, you'll need to explicitly choose between `$var` (URL) and `:var` (POST).
 - Improved performance of `sqlpage.run_sql`.
   - On a simple test that just runs 4 run_sql calls, the new version is about 2.7x faster (15,708 req/s vs 5,782 req/s) with lower latency (0.637 ms vs 1.730 ms per request).
 - add support for postgres range types

v0.39.1 (2025-11-08)

 - More precise server timing tracking to debug performance issues
 - Fix missing server timing header in some cases
 - Implement nice error messages for some header-related errors such as invalid header values.
 - `compress_responses` is now set to `false` by default in the configuration.
  - When response compression is enabled, additional buffering is needed. Users reported a better experience with pages that load more progressively, reducing the time before the pages' shell is rendered.
  - When SQLPage is deployed behind a reverse proxy, compressing responses between sqlpage and the proxy is wasteful.
 - In the table component, allow simple objects in custom_actions instead of requiring arrays of objects.
 - Fatser icon loading. Previously, even a page containing a single icon required downloading and parsing a ~2MB file. This resulted in a delay where pages initially appeared with a blank space before icons appeared. Icons are now inlined inside pages and appear instantaneously.
 - Updated tabler icons to 3.35
 - Fix inaccurate ODBC warnings
 - Added support for Microsoft SQL Server named instances: `mssql://user:pass@localhost/db?instance_name=xxx`
 - Added a detailed [performance guide](https://sql-page.com/blog?post=Performance+Guide) to the docs.

improved errors, table action URLs, Server-Timing, ODBC fixes, new lo…

…gin component.

 - Ability to execute sql for URL paths with another extension. If you create sitemap.xml.sql, it will be executed for example.com/sitemap.xml
 - Display source line info in errors even when the database does not return a precise error position. In this case, the entire problematic SQL statement is referenced.
 - The shell with a vertical sidebar can now have "active" elements, just like the horizontal header bar.
 - New `edit_url`, `delete_url`, and `custom_actions` properties in the [table](https://sql-page.com/component.sql?component=table) component to easily add nice icon buttons to a table.
 - SQLPage now sets the [`Server-Timing` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Server-Timing) in development. So when you have a page that loads slowly, you can open your browser's network inspector, click on the slow request, then open the timing tab to understand where it's spending its time.
   - <img width="1250" height="1263" alt="image" src="https://github.com/user-attachments/assets/6781a31f-e342-4e8c-8506-bc47049ce313" />
 - Fixed a memory corruption issue in the builtin odbc driver manager
 - ODBC: fix using globally installed system drivers by their name in debian-based linux distributions.
 - New [login](https://sql-page.com/component.sql?component=table) component.

Now SQLPage can connect to ANY relational database

 - Added support for the Open Database Connectivity (ODBC) standard.
   - This makes SQLPage compatible with many new databases, including:
    - [*ClickHouse*](https://github.com/ClickHouse/clickhouse-odbc),
    - [*MongoDB*](https://www.mongodb.com/docs/atlas/data-federation/query/sql/drivers/odbc/connect),
    - [*DuckDB*](https://duckdb.org/docs/stable/clients/odbc/overview.html), and through it [many other data sources](https://duckdb.org/docs/stable/data/data_sources),
    - [*Oracle*](https://www.oracle.com/database/technologies/releasenote-odbc-ic.html),
    - [*Snowflake*](https://docs.snowflake.com/en/developer-guide/odbc/odbc),
    - [*BigQuery*](https://cloud.google.com/bigquery/docs/reference/odbc-jdbc-drivers),
    - [*IBM DB2*](https://www.ibm.com/support/pages/db2-odbc-cli-driver-download-and-installation-information),
    - [*Trino*](https://docs.starburst.io/clients/odbc/odbc-v2.html), and through it [many other data sources](https://trino.io/docs/current/connector.html)
 - Added a new `sqlpage.hmac()` function for cryptographic HMAC (Hash-based Message Authentication Code) operations.
   - Create and verify secure signatures for webhooks (Shopify, Stripe, GitHub, etc.)
   - Generate tamper-proof tokens for API authentication
   - Secure download links and temporary access codes
   - Supports SHA-256 (default) and SHA-512 algorithms
   - Output formats: hexadecimal (default) or base64 (e.g., `sha256-base64`)
   - See the [function documentation](https://sql-page.com/functions.sql?function=hmac) for detailed examples
 - Fixed a slight spacing issue in the list components empty value display.
 - Improved performance of setting a variable to a literal value. `SET x = 'hello'` is now executed locally by SQLPage and does not send anything to the database. This completely removes the cost of extracting static values into variables for cleaner SQL files.
 - Enable arbitrary precision in the internal representation of numbers. This guarantees zero precision loss when the database returns very large or very small DECIMAL or NUMERIC values.

Adds support for many new database systems through ODBC. This is a be…

…ta version, please report any bug you may find.

small bugfix release

 - fixed decoding of UUID values
 - Fixed handling of NULL values in `sqlpage.link`. They were encoded as the string `'null'` instead of being omitted from the link's parameters.
 - Enable submenu autoclosing (on click) in the shell. This is not ideal, but this prevents a bug introduced in v0.36.0 where the page would scroll back to the top when clicking anywhere on the page after navigating from a submenu. The next version will fix this properly. See #1011
 - Adopt the new nice visual errors introduced in v0.37.1 for '403 Forbidden' and '429 Too Many Requests' errors.
 - Fix a bug in oidc login flows. When two tabs in the same browser initiated a login at the same time, an infinite redirect loop could be triggered. This mainly occured when restoring open tabs after a period of inactivity, often in mobile browsers.
 - Multiple small sql parser improvements.
   - Adds support for MERGE queries inside CTEs, and MERGE queries with a RETURNING clause.
   -  https://github.com/apache/datafusion-sqlparser-rs/blob/main/changelog/0.59.0.md

multiple bug fixes and improvements

 - We now cryptographically sign the Windows app during releases, which proves the file hasn’t been tampered with. Once the production certificate is active, Windows will show a "verified publisher" and should stop showing screens saying "This app might harm your device", "Windows protected your PC" or "Are you sure you want to run this application ?".
   - Thanks to https://signpath.io for providing us with a windows signing certificate !
 - Added a new parameter `encoding` to the [fetch](https://sql-page.com/functions.sql?function=fetch) function:
  - All [standard web encodings](https://encoding.spec.whatwg.org/#concept-encoding-get) are supported.
  - Additionally, `base64` can be specified to decode binary data as base64 (compatible with [data URI](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs))
  - By default, the old behavior of the `fetch_with_meta` function is preserved: the response body is decoded as `utf-8` if possible, otherwise the response is encoded in `base64`.
 - Added a specific warning when a URL parameter and a form field have the same name. The previous general warning about referencing form fields with the `$var` syntax was confusing in that case.
 - [modal](https://sql-page.com/component.sql?component=modal) component: allow opening modals with a simple link.
   - This allows you to trigger modals from any other component, including tables, maps, forms, lists and more.
   - Since modals have their own url inside the page, you can now link to a modal from another page, and if you refresh a page while the modal is open, the modal will stay open.
   - modals now have an `open` parameter to open the modal automatically when the page is loaded.
 - New [download](https://sql-page.com/component.sql?component=download) component to let the user download files. The files may be stored as BLOBs in the database, local files on the server, or may be fetched from a different server.
 - **Enhanced BLOB Support**. You can now return binary data (BLOBs) directly to sqlpage, and it will automatically convert them to data URLs. This allows you to use database BLOBs directly wherever a link is expected, including in the new download component.
   - supports columns of type `BYTEA` (PostgreSQL), `BLOB` (MySQL, SQLite), `VARBINARY` and `IMAGE` (mssql)
   - Automatic detection of common file types based on magic bytes
   - This means you can use a BLOB wherever an image url is expected. For instance:
     ```sql
     select 'list' as component;
     select username as title, avatar_blob as image_url
     from users;
     ```
 - When a sql file is saved with the wrong character encoding (not UTF8), SQLPage now displays a helpful error messages that points to exactly where in the file the problem is.
 - More visual error messages: errors that occured before (such as file access issues) used to generate plain text messages that looked scary to non-technical users. All errors are now displayed nicely in the browser.
 - The form component now considers numbers and their string representation as equal when comparing the `value` parameter and the values from the `options` parameter in dropdowns. This makes it easier to use variables (which are always strings) in the value parameter in order to preserve a dropdown field value across page reloads. The following is now valid:
    - ```sql
      select 'form' as component;
      select
          'select' as type,
          true as create_new,
          true as dropdown,
          '2' as value, -- passed as text even if the option values are passed as integers
          '[{"label": "A", "value": 1}, {"label": "B", "value": 2}]' as options;
      ```

small bugfix release

 - Fix regression introduced in v0.36.0: PostgreSQL money values showed as 0.0
   - The recommended way to display money values in postgres is still to format them in the way you expect in SQL. See #983
 - updated dependencies