v2.2.33

Security

• Open-Folder UNC guard now covers forward-slash and mixed-slash variants. v2.2.32 introduced a UNC check to stop Process.Start from handing \\attacker\share to the Windows shell, but the check was a backslash-prefix match. .NET 8 and the Windows shell both treat / and \ as interchangeable separators, so //attacker/share, \/attacker\share, and /\attacker\share all still flowed through to Directory.Exists (a 20-30 s SMB timeout if the peer is unreachable) and then to Process.Start(UseShellExecute=true) — reopening the same NTLM-hash-leak-via-SMB threat the v2.2.32 fix was meant to close. The detection now predicates on character-class membership at positions [0] and [1], closing all four slash permutations at once.

Full Changelog: v2.2.32...v2.2.33

v2.2.32

Reliability

• Tray startup no longer freezes while Syncthing cold-starts. The post-launch sequence ran Syncthing's status poll and folder fetch synchronously on the UI thread, so a Syncthing that took its time to come up meant the tray icon appeared but the menu was unresponsive for up to ~1.8 seconds (a ~300 ms reachability probe + up to 1.5 s for /rest/system/status + /rest/config/folders + /rest/config/devices). Both calls now run on the thread pool, matching the steady-state poll tick and power-resume paths that were already pool-threaded.
• "Refresh List" menu item no longer freezes the menu. The per-folder submenu's "Refresh List" entry was refetching folders synchronously on the UI thread, which held the context menu open-but-frozen for the duration of the HTTP call. Now runs on the thread pool — menu dismisses immediately, the list repopulates when the response arrives.
• Settings-Save no longer freezes on slow Syncthing. Clicking "Save" in Settings refetched the folder list synchronously on the UI thread, so a Syncthing taking its time to respond (the 300 ms reachability probe + up to 1.5 s REST fetch) visibly stuttered the Save-and-close animation. The refresh now runs on the thread pool and the "Settings saved" OSD marshals back via the UI-thread dispatcher.
• Double-clicking Resume is debounced. Every other click-handler in the tray menu was protected by an 800 ms overclick guard, but Resume wasn't — an impatient double-click could fire two /rest/system/resume POSTs back-to-back. Rare in practice (Syncthing handles it idempotently), but the guard now matches Pause and the other click-paths.
• Settings' "probe Syncthing until it appears" loop stops after 60 s. The 2-second poll that auto-refreshes the discovery checkboxes while Settings is open had no retry cap — a permanently-unreachable Syncthing (wrong path, wrong API key, Syncthing uninstalled) meant the dialog kept hitting /rest/config/options every 2 seconds for the entire time the user left Settings sitting open. After 30 ticks the loop now stops, disposes the timer, and updates the warning label to prompt the user to reopen Settings.

Security

• Open-Folder menu items can't escape to arbitrary protocol handlers. The per-folder "Open folder" menu entry called Process.Start on whatever path Syncthing's REST config advertised. Local paths worked fine; a hostile or corrupted config that smuggled in ms-settings:…, shell:appsfolder\…, or a UNC \\attacker\share would hand the shell a protocol invocation. The path is now validated — UNC, any URI-shaped colon outside drive-letter position, and non-fully-qualified paths are refused with an OSD before the shell ever sees them.

Resource hygiene

• Update dialog's GitHub response is disposed on every path. await _http.GetAsync(...) assigned to a plain var; the early-return branches for HTTP 403 (rate-limit) and 404 (no releases) left the HttpResponseMessage to the finalizer. It's now a using var — disposal happens regardless of which branch exits first.

Accessibility

• Every button in Settings speaks its own name. The six link buttons that open the Help / WebUI / log pages and the "Check Config" button were the last Settings controls without explicit AccessibleName. Screen readers now announce each one by its visible text instead of generic "button".

Full Changelog: v2.2.31...v2.2.32

v2.2.6

A steadier tray, especially when Syncthing isn't running. No breaking changes.

Smoother tray

• No more stall when Syncthing is off. Clicking the tray icon or opening Settings while Syncthing was stopped could hang the menu for 5–6 seconds on every click. Now the tray checks the API with a fast probe (about 1.5 seconds) and opens immediately either way.
• Settings window actually comes to the front. On first open, the window occasionally appeared behind other apps and you'd have to hunt for it in the taskbar. It now activates reliably.
• Wake-from-sleep catches up fast. Resuming from sleep, hibernate, or Win+L now triggers an immediate status refresh instead of waiting up to a full poll cycle for the tray to notice the network came back.
• Apply vs Save. Clicking Apply in Settings no longer re-runs the full folder reload — the folder list no longer flickers when you tweak one setting at a time. Save continues to run the full path as before.

Clearer errors

• "API key rejected" is its own message. A wrong or stale API key in Settings now surfaces as a distinct error instead of folding into a generic "could not reach Syncthing" message, so you know exactly what to fix.
• Fewer duplicate log lines. When multiple different warnings fire in the same minute, each type is now logged once per minute instead of every occurrence piling up in tray.log.

Display & paths

• Crisper on high-DPI displays. The app now declares Per-Monitor V2 DPI awareness, so text and icons render sharp on 4K displays and when dragging between monitors at different scales.
• Long paths supported. Paths over 260 characters in folder selection now work on Windows 10/11 with long paths enabled, instead of being silently truncated.

Safer install paths

• Network paths rejected for syncthing.exe. Pointing the tray at \\server\share\syncthing.exe or similar UNC paths is now refused with a clear error, rather than launching an executable across the network.

Packaging

• Single-file release is smaller. Publish compression is on and native runtime libraries are embedded inside the .exe — the download drops by roughly a third and nothing loose lands next to the binary.

Full Changelog: v2.2.5...v2.2.6

v2.2.5

Full Changelog: v2.2.4...v2.2.5

v2.2.4

LTR — Long-Term Release · one-click self-update built in.

Security

• Auto-updater now verifies the SHA256 hash of each downloaded update before installing it, so the update is the exact file published on GitHub.

Full Changelog: v2.2.3...v2.2.4

v2.2.3

Changed

• Published as a single-file executable for cleaner WinGet installs.
• Security hardening across the update + distribution pipeline to satisfy WinGet validation.

Full Changelog: v2.2.2...v2.2.3

v2.2.2

Full Changelog: v2.2.0...v2.2.2

v2.2.1 — Fix discovery settings defaults

Fix: Discovery settings showed incorrect defaults

When the Syncthing API was unreachable (e.g. during startup after reboot), the Settings dialog defaulted Global Discovery, Local Discovery, and NAT Traversal checkboxes to enabled — even if Syncthing had them disabled. Hitting Save in that state would overwrite the real config.

Defaults are now fail-closed (unchecked when API is unreachable), matching the existing "Check Config" behavior.

Full Changelog: v2.1.3...v2.2.1

v2.2.0

What's New

Self-Update — You can now check for and install updates directly from Settings. Click the new Update button in the bottom row to check for the latest version of SyncthingTray on GitHub. If a newer version is available, one click downloads and installs it automatically — no need to visit GitHub manually.

Note: This updates SyncthingTray (the tray companion), not Syncthing itself. Syncthing updates are still handled separately via the existing "Check Now" button in the Updates section.

How it works

• Click Update in Settings to check for new versions
• If an update is available, click Upgrade Now to download and install
• The app restarts automatically after updating
• If anything goes wrong during the update, it automatically rolls back to the previous version

Other improvements

• Version bumped to 2.2.0
• Fixed a potential crash when taking over from a previous instance that didn't exit cleanly.
• Cleaner startup behavior when a previous instance is still exiting.

v2.1.3 — Process Check Fix + Auto-Discovery

What's New

Performance

• PID-based process check replaces GetProcessesByName polling (GOMAXPROCS=2)

Features

• Auto-discover syncthing.exe when not co-located with the tray app

Fixes

• Handle OutOfMemoryException in process check
• Clarify update checkbox refers to Syncthing, not the tray app
• Remove internal crash report before release

CI/CD

• GitHub Actions release workflow
• Semgrep security scanning
• Scoop and WinGet install methods documented