What the team
has shipped.
Every version, documented. What changed, why it changed, and what comes next.
Every version, documented. What changed, why it changed, and what comes next.
Current build: v5.4.61 — June 27, 2026
v5.4.61 is the latest patch in the v5.4.34 series — it redesigns the Start Session picker with a cleaner, icon-led selector you can read at a glance: each session type carries its own icon and a clear selected state, with full keyboard and screen-reader support. See the full version history below.
Highlights from the v5.4.34 release series
settings.json. Existing keys are migrated automatically.Authorization: Bearer … header instead of the request body. Excluded from generic request-body logging, error-tracker payloads, and HTTP proxy debug captures..claude/settings.json pointing at its own copy of the auto-log script — and never removed the entries that prior versions had added at paths that no longer exist on disk. Those orphaned entries failed with Cannot find module on every Claude Code response, and surviving duplicates caused the same conversation turn to be saved to the server twice. The extension now prunes any stale or legacy auto-log entry before adding its own, so the list stays at one current entry no matter how many times the extension is upgraded.~/.claude/projects/**/*.jsonl files older than 1 day on activation. Off by default. Backed by docpro.cleanupClaudeTranscripts.docpro.installPlaywrightMcp.Admin → Templates without a redeploy.Admin → Templates.Admin → Templates. Edit the prompt directly in the web admin without a redeploy.auto-log.mjs and have the extension execute it.bypassPermissions is written, instead of taking effect silently from the dropdown.execFile with an argv array instead of child_process.exec, removing the shell-injection surface.install-docpro.ps1 checks API keys against dp_[A-Za-z0-9_-]+ before passing them through PowerShell strings, blocking quote-injection during setup.REMOTE_MCP_ALLOWED_ORIGINS, per-token rate limit (60 requests / 60 seconds), and a 5 MB request-body cap.~/.claude/settings.json. It's now additive: it appends DocPro's hook entry to whatever you already have.Authorization: Bearer … header instead of (just) the request body. Header values are excluded from generic request-body logging, error-tracker payloads, and HTTP proxy debug captures by convention, so credentials no longer ride along in places they shouldn't be. Older plugin builds remain compatible — the backend still accepts body-field keys during the rollout window.anthropic.docpro.cloud redirects to the canonical apex; it's no longer in the invitation-origin allowlist.application/octet-stream instead of image/svg+xml so the browser never executes script inside an attachment named like an image.PUBLIC_URL environment variable; hardcoded subdomain fallbacks removed..env, *.pem, id_rsa*, *.key, and files containing credentials are now excluded from the session-start workspace bundle and from "Read this folder."docpro.apiUrl at a plaintext http:// host (other than localhost) is now rejected before any request fires, instead of silently sending API keys in the clear.~/.claude/projects/**/*.jsonl files older than a day on activation. Set docpro.cleanupClaudeTranscripts to true to enable.passlib dependency dropped from the lockfile.settings.json. Existing keys are migrated on the first sidebar load.docpro.installPlaywrightMcp to true in settings to enable it.docpro.cloud. Older host names continue to work and redirect.docpro.cloud.docpro.docpro-app.