Skip to main content

Uppy 4.0 is here: TypeScript rewrite, Google Photos, React hooks, and much more.

Uppy 1.8 and 1.9: security, error handling and better types

· 4 min read

Uppy 1.8, 1.9 and a few important security patches are out! Here are the highlights:

Companion: security patches and new Instagram API

  • We released a patch to an SSRF vulnerability affecting @uppy/companion and the @uppy/url plugin. Many thanks to the parties involved in reporting and disclosing this vulnerability to the Uppy team. The patch is available in @uppy/companion version 1.9.5.
  • As the Instagram Legacy API will soon no longer be available, we have now added support for the new Instagram Graph API. As far as using this on @uppy/companion goes, not much has changed. The only difference is that you will now be retrieving your Instagram credentials from the Facebook Developer Platform, and no longer from the Instagram Developer Platform.

Error handling

  • We’ve significantly improved error handling and retries in @uppy/core, @uppy/transloadit and @uppy/dashboard. The retry button on the Status Bar, which was broken in some edge cases, now works as expected.
  • Errors from Transloadit assemblies now include Assembly ID, as well as the full assembly object, for easier debugging.
  • You can now click on the question mark (?) icon on the Informer or Dashboard error message, and get a browser alert with error details — much easier for the users to copy-paste the text this way. The Informer now also conveniently stays on screen, as long as you hover over the question mark.


The Dashboard plugin has gained new file type icons: for images — useful before the preview is generated, or when there’s no preview at all, like with images from the Url plugin — and for archives.


Our typings got a significant upgrade: plugin options can now be type-checked! In the past, we did have typings for plugin options, but the uppy.use() function had a fallback that would accept any object as options. If your plugin options were wrong, typescript would just use the fallback and not tell you about it!

Stricter typings normally mean that old code may no longer type-check. So, although this is a bugfix, you have to opt into the new types. In 2.0, the old way will be removed and only the strict types will be available.

You can opt in by specifying the StrictTypes type parameter to the Uppy type:

import Uppy = require('@uppy/core');
const uppy = Uppy<Uppy.StrictTypes>({
// options here

This type parameter must also be specified if you are storing the uppy instance anywhere. For example, inside a class:

class UppyProvider extends React.Component {
private uppy: Uppy<Uppy.StrictTypes>;
constructor(props) {
this.uppy = Uppy<Uppy.StrictTypes>({
// etc

If you do not specify the StrictTypes parameter, the old fallback for the uppy.use() method remains available.

The typings for @uppy/react component props are now derived from plugin options types, so they will no longer get out of sync, as they occasionally did in the past. For example, in version 1.7, the @uppy/drag-drop plugin supported a note option to add some text to the drop area. The React typings didn't include that option, so you couldn't use it from typescript! That is now permanently fixed:

import components = require('@uppy/react');
const { DragDrop } = components;

// assuming some `uppy` variable already exists
declare var uppy: Uppy<Uppy.StrictTypes>;

function MyComponent() {
return <DragDrop uppy={uppy} note="This prop is now supported!" />;

Finally, the locale options and React props now have full typings. Your editor should now be able to provide autocompletion for language keys!

Screenshot showing VS Code autocompletion for a language key.

We now also use tsd, so our typings are actually tested.

See PR #1918 for all the details.

Downloadable ZIP archives of Uppy releases

Uppy is now available as a downloadable ZIP archive from the Transloadit CDN! NPM down? Don’t like build tools? Looking for a quick way to play around with Uppy? We’ve got you covered:


  • Uppy now speaks Korean and Vietnamese.
  • The French, German and Chinese (zh_TW) translations have been improved.


  • @uppy/core: core: setState(modifiedFiles) in onBeforeUpload (#2028 / @arturi)
  • @uppy/core: always log errors (#2029 / @arturi)
  • @uppy/core: fix mime type checking bug (#2004 / @shahimclt)
  • @uppy/core: add .tsv and .tab: text/tab-separated-values (#2056 / @arturi)
  • @uppy/onedrive: make encryption shorter + enable onedrive on website (#2034 / @ifedapoolarewaju)
  • @uppy/react: use componentDidUpdate instead of componentWillReceiveProps (@cryptic022, #1999)
  • @uppy/xhr-upload: free item from rate limit queue when upload times out (@rtaieb, #2018)
  • @uppy/aws-s3-multipart: add optional headers for signed url (@ardeois, #1985)
  • @uppy/aws-s3: fix crash when S3 response does not have a Content-Type header (@roenschg, #2012)

As always, you can find the full list of changes and package versions, as well as future plans, in our changelog.