New Features

• Tailscale sharing: New --tailscale flag shares any portless app over your Tailscale network with zero framework config. Each app is root-mounted on its own Tailscale HTTPS port (443, 8443, 8444, ...) so no basePath configuration is needed. Works as a global flag, per-app flag (portless myapp --tailscale next dev), or env var (PORTLESS_TAILSCALE=1). (#262)
• Tailscale Funnel: New --funnel flag exposes apps to the public internet through Tailscale Funnel. Implies --tailscale. Also configurable via PORTLESS_FUNNEL=1. (#262)
• PORTLESS_TAILSCALE_URL env var: Child processes receive PORTLESS_TAILSCALE_URL containing the Tailscale HTTPS URL so apps can reference their public address. (#262)
• Tailscale URLs in portless list: The list command now shows tailnet URLs alongside local URLs when Tailscale sharing is active. (#262)

Improvements

• portless prune cleans stale Tailscale registrations: Prune now removes orphaned tailscale serve entries left behind by dead CLI sessions. (#262)
• portless clean removes Tailscale serve state: Clean now tears down any Tailscale serve/funnel registrations alongside the usual CA and hosts file cleanup. (#262)

Contributors

• @ctate

New Features

• portless prune command: Safety net to find and kill orphaned dev servers left behind by dead CLI sessions. Reads stale route entries, checks if something is still listening on each port, and terminates the orphan.

Bug Fixes

• Zombie process orphaning on CLI crash: Spawn child processes with detached:true on Unix so they get their own process group. Signal handlers now kill the entire group instead of just the immediate child, preventing orphaned dev servers from surviving CLI crashes or kill -9.

Contributors

• @ctate

New Features

• Zero-arg mode: Run bare portless from any project directory to auto-discover the dev script from package.json and start it through the proxy. No arguments, no config required. (#251)
• Multi-app orchestration: In monorepos, bare portless auto-discovers workspace packages (pnpm, npm, yarn, bun) and starts all dev scripts concurrently through the proxy. Each package gets a subdomain derived from its npm scope (e.g. @acme/docs becomes docs.acme.localhost). (#251)
• Turborepo integration: When turbo.json is present, portless delegates to turbo run <script> instead of spawning each app individually. Per-app PORT, HOST, and PORTLESS_URL are injected via a lightweight --require loader so turbo retains dependency ordering and task graph awareness. Set turbo: false in config to opt out. (#251)
• portless.json config file: Configure app name, script, port, and turbo settings without embedding portless in package.json scripts. Also supports a "portless" key in package.json as an inline alternative. (#251)
• --script flag: Override the default "dev" script for a single invocation (e.g. portless --script start). (#251)
• Rsbuild support: Auto-inject --port and --host CLI flags for Rsbuild dev server (#250)

Bug Fixes

• State directory moved to ~/.portless: All proxy state now lives in ~/.portless instead of /tmp/portless, fixing repeated CA trust prompts on macOS (where /tmp is periodically cleaned) and a symlink local privilege escalation vulnerability (#251)
• Duplicate macOS CA certificates: Fix security delete-certificate failing with "is ambiguous" when multiple portless CA entries had accumulated in the keychain (#251)
• CA trust marker caching: Cache the CA fingerprint after a successful trust so subsequent proxy starts skip the OS security check and avoid re-triggering the macOS authentication dialog (#251)

Improvements

• Auto-trust CA on proxy auto-start: When the proxy is auto-started and the CA is not yet trusted, portless automatically runs trust with proper sudo elevation (#251)
• Package manager delegation: Detects pnpm, yarn, bun, or npm and delegates script execution to the correct package manager (#251)
• Non-server script detection: Build-only tools (tsup, tsc, esbuild, etc.) are auto-detected and run without a proxy route. Use proxy: false in config for explicit control. (#251)
• Monochrome CLI output: Bold for headers and errors, dim for warnings and muted text, no color codes (#251)

Contributors

• @ctate

Bug Fixes

• Stale TLD persisting across proxy restart: Fix the proxy reverting to a stale TLD (e.g. .local) after restart because transient state markers were not cleaned up on stop (#235)

Contributors

• @ctate

New Features

• Auto-inject NODE_EXTRA_CA_CERTS: Child processes spawned by portless run now automatically receive NODE_EXTRA_CA_CERTS pointing to the portless CA certificate, so Node.js subprocesses trust the local CA without manual configuration (#220)

Bug Fixes

• Proxy startup on slow macOS security command: Fix the proxy failing to start when the macOS security command takes longer than expected to verify CA trust (#229)
• Lock contention with parallel commands: Fix lock contention that could cause failures when multiple portless commands run simultaneously (#230)
• ERR_HTTP2_PROTOCOL_ERROR during HMR: Fix HTTP/2 stream reset flood during hot module replacement causing protocol errors (#231)
• Proxy auto-start in non-interactive terminals: Fix auto-start failing in non-interactive terminals (e.g. IDE task runners) and when previous proxy config exists (#232)

Contributors

• @ctate

New Features

• portless clean: New command stops the proxy if it is running, removes the local CA from the OS trust store when it was installed by portless, deletes allowlisted files under known state directories, and removes the portless-managed block from the hosts file. Custom --cert and --key paths are never removed. (#213)

Improvements

• Hosts file sync by default: The proxy now keeps the hosts file in sync with active routes automatically (improves Safari and other setups where .localhost subdomains do not resolve to loopback). Set PORTLESS_SYNC_HOSTS=0 to opt out. The managed block is removed from the hosts file when the proxy exits. (#213)

Contributors

• @ctate

New Features

• LAN mode: New --lan flag exposes portless services to phones and other devices on the same network via mDNS .local hostnames. Auto-detects the active LAN IP, follows network changes, and supports --ip / PORTLESS_LAN_IP overrides for VPN or multi-interface setups. Publishes mDNS records with platform-native tools (dns-sd on macOS, avahi-publish-address on Linux). Adds *.local to generated certificate SANs so HTTPS works for LAN hostnames. (#168)
• VitePlus support: Auto-inject --port for VitePlus (vp) dev server (#147)

Contributors

• @gabimoncha
• @carderne

Bug Fixes

• WebSocket proxy memory leak: Add socket close/end handlers to prevent memory leaks in the WebSocket proxy (#208)

Contributors

• @ctate

Bug Fixes

• --force kills existing process: --force now terminates the process that owns the conflicting route before registering a new one, instead of only removing the stale route entry (#204)
• CA certificate included in TLS chain: The proxy now sends the CA certificate as part of the TLS chain, fixing UNABLE_TO_VERIFY_LEAF_SIGNATURE errors in clients that do not have the portless CA in their trust store (#203)

Contributors

• @ctate

Bug Fixes

• README missing from npm package: The published npm package now includes its README. Previously .gitignore excluded the copied README during packing; an .npmignore override fixes this. (#197)

Contributors

• @ctate