feat(oci/vikunja)!: Update 0.24.6 ➼ 2.3.0 #4729

Open
tinfoild[bot] wants to merge 1 commit into main from renovate/docker.io-vikunja-vikunja-2.x

tinfoild[bot] commented Feb 25, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Update | Change | OpenSSF
docker.io/vikunja/vikunja | major | 0.24.6 → 2.3.0 | OpenSSF Scorecard

Release Notes

go-vikunja/vikunja (docker.io/vikunja/vikunja)

v2.3.0

Compare Source

Bug Fixes
  • (auth) Normalize API base URL to prevent refresh cookie path mismatch
  • (auth) Add retry and logging for token refresh failures
  • (auth) Enforce TOTP on OIDC callback for users with 2FA enabled
  • (background) Use targeted column update when removing background
  • (caldav) Add tags and sync token to collections (#​2482)
  • (caldav) Resolve lint issues in caldavtests package
  • (caldav) Skip tests for known CalDAV bugs and fix timing issues
  • (caldav) Escape user-controlled strings per RFC 5545 in VCALENDAR output
  • (caldav) Enforce task read authorization on GetTasksByUIDs
  • (caldav) Reject GetResource when URL project mismatches task project
  • (caldav) Enforce URL project match in GetResourcesByList
  • (ci) Use actual docker meta tags for preview comment SHA links
  • (desktop) Use stored URL instead of window.API_URL in template
  • (e2e) Truncate bucket data in bucket-select tests
  • (e2e) Seed project in empty-tasks overview test
  • (files) Derive file size from reader at creation boundary
  • (frontend) Prevent drag handle from overlapping project color in sidebar
  • (gantt) Ensure chart container fills viewport width for narrow date ranges
  • (gantt) Isolate chart stacking context so date picker renders above it
  • (gantt) Use reactive date range in Flatpickr config to prevent reset on task update
  • (gantt) Preserve query parameters when closing task modal
  • (kanban) Route repeating tasks to default bucket when dropped on done (#​2573)
  • (kanban) Skip upsert when repeating task already in default bucket (#​2573)
  • (labels) Correct broken access-control query for label reads (GHSA-hj5c-mhh2-g7jq)
  • (labels) Derive label max permission from accessible tasks only
  • (mail) Set RFC 5322 compliant Message-ID using public URL domain
  • (mail) Fall back to os.Hostname() before hardcoded domain
  • (mail) Guard log calls in GetMailDomain and fix hostname-dependent tests
  • (migration) Center and style migrator logos on migration page
  • (migration) Correct TickTick swagger annotation to PUT
  • (migration) Delete all default buckets when migration provides its own
  • (migration) Compute attachment size from content during import
  • (migration) Bound per-entry zip cap by configured files.maxsize
  • (notifications) Escape markdown in user-controlled strings in email lines
  • (overview) Disable checkbox for read-only tasks on overview page
  • (project) Remove non-existent columns from UpdateProject column list
  • (security) Enforce HTTP method and path in scoped API token matcher
  • (security) Validate link share JWTs against DB on every request
  • (security) Persist TOTP lockout across login rollback
  • (security) Move reparent Admin gate into UpdateProject
  • (tasks) Include tasks with deleted parents in subtask-expanded queries
  • (tasks) Route repeating tasks to default bucket when marked done (#​2573)
  • (tasks) Vertically center checkbox in project task row
  • (tasks) Replace O(n) loop in repeating-task handler with arithmetic
  • (webhook) Return error from sendWebhookPayload on non-2xx responses
  • (webhook) Dispatch one delivery event per webhook (#​2569)
  • (webhook) Return error from delivery listener on nil payload
  • (webhook) Order matching webhooks by id for deterministic fan-out
  • Resolve TDZ error on password update settings page (6d2bf1f)
  • Use custom TableName() for dump/restore table resolution (1e0d29e)
  • Ignore saved homepage filter when browsing by label (fd4f7ac)
  • Propagate is_archived from parent to child projects in ReadAll CTE (e3045df)
  • Support merge queue in issue-closed-comment workflow (752ae42)
  • Sort TickTick tasks so parents come before children (9b1c52e)
  • Add ORDER BY to ListUsers query for deterministic ordering (39e1665)
  • Add proper autocomplete and name attributes to email update form (cdd46c0)
  • Add position conflict resolution for batch-inserted positions (c6e7992)
  • Detect and resolve position conflicts during task creation (0c3d010)
  • Use InDelta for float comparison in tests (104c8ea)
  • Show subtasks in saved filter views regardless of parent presence (d895053)
  • Pass saved filter context to subtask visibility check (841b458)
  • Move truncateAll to apiContext fixture and fix view ID conflicts (4888b1d)
  • Make apiContext auto-fixture and fix remaining view ID conflicts (adcc74b)
  • Use recursive CTE in accessibleProjectIDsSubquery for inherited project permissions (ac76bce)
  • Derive workbox version from package.json at build time (10e7d25)
  • Register gob types and use RememberValue for avatar and unsplash cache (59b047f)
  • Use RememberValue for task attachment preview cache (0f54dc4)
  • Update publiccode.yml to current version v2.2.2 (f775f7d)
  • Reset SSO avatar provider to default when picture claim is removed (a5fb01c)
  • Use assert.Empty instead of assert.Equal for empty string check (119d7df)
  • Update user list test expectations for new fixture user (c5450fb)
  • Catch ErrNeedsFullRecalculation in task creation position conflict resolution (2014343)
  • Batch delete conditions in filter view cron to avoid SQLite expression depth limit (bfdcea6)
  • Add timeouts to Gravatar, Unsplash, and SSRF-safe HTTP clients (699c766)
  • Reset checkAuth debounce in linkShareAuth to prevent redirect loop (1d3a234)
  • Skip refreshUserInfo for link share tokens to prevent logout loop (2000732)
  • Include type in checkAuth's same-user skip check (432c5f2)
Dependencies
  • (deps) Update dev-dependencies
  • (deps) Update picomatch to fix ReDoS and method injection vulnerabilities
  • (deps) Update yaml to fix stack overflow vulnerability
  • (deps) Override picomatch in desktop to fix ReDoS and method injection vulnerabilities
  • (deps) Bump serialize-javascript from 7.0.3 to 7.0.5 in /frontend
  • (deps) Bump golang.org/x/image from 0.35.0 to 0.38.0
  • (deps) Update dependency @​typescript-eslint/eslint-plugin to v8.58.0
  • (deps) Update dependency @​typescript-eslint/parser to v8.58.0
  • (deps) Update dependency browserslist to v4.28.2
  • (deps) Update dependency caniuse-lite to v1.0.30001784
  • (deps) Resolve dependabot security alerts
  • (deps) Update dependency esbuild to v0.27.5
  • (deps) Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4
  • (deps) Pin dependencies
  • (deps) Update dependency ws to v8.20.0
  • (deps) Update dependency caniuse-lite to v1.0.30001785
  • (deps) Update defu to 6.1.7
  • (deps) Update lodash to 4.18.1
  • (deps) Update brace-expansion to 5.0.5
  • (deps) Update dependency vitest to v4.1.3
  • (deps) Bump github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
  • (deps) Bump github.com/aws/aws-sdk-go-v2/service/s3
  • (deps) Update dependency vitest to v4.1.4
  • (deps) Bump basic-ftp override to 5.2.1 to patch CRLF injection
Documentation
  • (helpers) Explain djb2 seed constant in stringHash
  • (shortcuts) Show platform-aware delete key in keyboard shortcuts panel
  • Rewrite CONTRIBUTING.md with setup, workflow, and style guides (58d086d)
  • Correct task comment endpoint description and title (#​2498) (23415c5)
Features
  • (auth) Enforce OpenID Connect issuer uniqueness across providers
  • (auth) Add enforceTOTPIfRequired helper for OIDC flow
  • (auth) Plumb totp passcode through openIdAuth action
  • (auth) Prompt for TOTP code in the OIDC callback flow
  • (desktop) Add preload script for quick entry window
  • (desktop) Add quick entry window, global shortcut, and system tray
  • (desktop) Open task in main window with Ctrl/Cmd+Enter
  • (desktop) Configurable shortcut, --quick-entry CLI arg, show-main-window IPC
  • (frontend) Add useQuickAddMode composable for quick-add detection
  • (frontend) Add QuickAddOverlay component for quick-entry window
  • (frontend) Route quick-add mode to QuickAddOverlay in App.vue
  • (frontend) Adapt QuickActions for quick-add mode behavior
  • (frontend) Listen for cross-window task creation via BroadcastChannel
  • (frontend) Add configurable quick entry shortcut setting
  • (helpers) Add deterministic stringHash for stable daily selection
  • (home) Rotate greetings from a deterministic per-user daily pool
  • (mail) Add GetMailDomain helper for RFC 5322 compliant email IDs
  • (migration) Add WeKan board JSON import
  • (migration) Register WeKan migration routes
  • (migration) Add WeKan to migration page with logo
  • (migration) Add generic CSV import with column mapping
  • (migration) Add skip rows option to CSV import
  • (migration) Flatten project hierarchy for single-project imports
  • (models) Add ClearProjectBackground for scoped column update
  • (plugins) Add plugin system interfaces and manager
  • (plugins) Add plugin config options
  • (plugins) Extract vikunja package symbols for yaegi
  • (plugins) Extract third-party symbols for yaegi
  • (plugins) Add yaegi interpreter-based plugin loader
  • (plugins) Add example plugin
  • (sort) Add sorting popup for list view
  • (sort) Persist sort selection to URL query parameter
  • (task) Allow changing bucket from task detail view (#​2233)
  • (tasks) Use platform-aware delete shortcut on task detail view
  • (tasks) Cap repeat_after at 10 years to harden repeating-task handler
  • (user) Add option to hide last viewed projects on overview page (#​2429)
  • (webhook) Add WebhookDeliveryEvent for per-webhook fan out
  • (webhook) Add WebhookDeliveryListener for per-webhook delivery
  • (webhook) Register WebhookDeliveryListener on startup
  • (websocket) Add coder/websocket dependency
  • (websocket) Add message types, connection hub, and connection handler
  • (websocket) Add HTTP upgrade handler and /api/v1/ws route
  • (websocket) Add notification event with XORM AfterInsert dispatch
  • (websocket) Add frontend WebSocket support
  • Use openid provider name instead of generic "OIDC" in synced team names (121fd3c)
  • Add translation for saved filter ignored message (7208c11)
  • Show info when saved homepage filter is ignored for label browsing (dca0414)
  • Add CI workflow to auto-update nixpkgs on release (cb07b66)
  • Improve wording and UX around CalDAV tokens (#​2476) (b89b402)
  • Add OAuth 2.0 authorization code model and migration (71282dc)
  • Add OAuth client validation and PKCE verification (a6e7475)
  • Add OAuth 2.0 authorize endpoint (8b379b7)
  • Add OAuth 2.0 token endpoint (7827ff6)
  • Register OAuth authorize and token routes (e5987ac)
  • Add frontend OAuth authorize route and component (0471f8a)
  • Rename ServiceJWTSecret to ServiceSecret with deprecation (#​2502) (83bac15)
  • Register caldav permission group for API tokens (b0b7c52)
  • Add HasCaldavAccess method to APIToken (ebec91b)
  • Accept API tokens for CalDAV basic auth (6207705)
  • Add API token hint to CalDAV settings page (c2cfcb4)
  • Add i18n keys for API token expiry notifications (d3f9bb4)
  • Add API token expiry notification types (8ea0dd1)
  • Add cron job for API token expiry notifications (f308584)
  • Register API token expiry check cron on startup (04f94a5)
  • Add AssertNotSent helper to notification testing (6dc46c1)
  • Add OAuth PKCE authentication flow to desktop app (dd7532a)
  • Add server selection UI for desktop OAuth login (a12002d)
  • Show close-tab message after OAuth redirect (495f34f)
  • Update application icons for desktop build (#​2516) (831e4f2)
  • Add tooltip to readonly checkbox explaining why it's not clickable (a57cbd3)
  • Add inline PDF viewer for task attachments (#​2541) (f5752b9)
  • Remove flexsearch dependency and replace with simple string filtering (#​2542) (0834d19)
  • Add TruncateAllTables function for e2e test isolation (6a3dd8b)
  • Add DELETE /test/all endpoint to truncate all tables (e9a26b9)
  • Add Factory.truncateAll() helper for e2e tests (f477da4)
  • Truncate all tables before each e2e test for clean isolation (2ee8ad4)
  • Add generic RememberValue[T] for type-safe keyvalue caching (e2de681)
  • Update publiccode.yml automatically during release (415d5d2)
Miscellaneous Tasks
  • (ci) Update nix update PR message [skip ci]
  • (desktop) Add dev command to build and copy
  • (frontend) Deduplicate pnpm dependencies
  • (i18n) Update translations via Crowdin
  • Add .pnpm-store to .gitignore (73eb827)
  • Add plans/ directory to .gitignore (6566f98)
  • Remove redundant truncate calls now that all tables are wiped before each test (aa1202f)
Other
  • (other) [skip ci] Updated swagger docs
  • (other) Expand environment variables in some.config.value.path.file inputs for better secret management
  • (other) Move caldav and e2e-api tests to dedicated CI jobs
  • (other) Auto-close 'waiting for reply' issues after 30 days of inactivity
  • (other) Add rotating home greeting variants
Refactor
  • (auth) Extract shared token validation into auth package
  • (auth) Add TOTPPasscode to OIDC Callback payload
  • (files) Derive attachment size from content in sibling callers
  • (mail) Use CryptoRandomString for Message-ID generation
  • (models) Use shared GetMailDomain in getThreadID
  • (tasks) Add moveTaskToDefaultBuckets helper (#​2573)
  • Use xorm's TableInfo to resolve table names (8567808)
  • Rename parseTaskText module to quickAddMagic (44d01a0)
  • Extract shared RefreshSession helper (7a258f6)
  • Extract shared API token validation into ValidateTokenAndGetOwner (9884d93)
  • Use embed fs for redoc UI and update to latest version (111090d)
  • Replace Modal div-based implementation with native dialog element (cef03cb)
  • Use nested map for position conflict tracking (ce3e56f)
  • Move plan file instead of copying in prepare-worktree (a7bc3d6)
  • Use per-view IN clause for filter task deletion instead of batching (17a97ca)
Styling
  • (sort) Position popup aligned to header right edge
Testing
  • (auth) Add failing unit tests for OIDC TOTP enforcement
  • (caldav) Add caldavtests package with infrastructure, helpers, and mage target
  • (caldav) Add PROPFIND tests (RFC 4918 §9.1)
  • (caldav) Add discovery flow tests (RFC 6764, RFC 5397, RFC 4791)
  • (caldav) Add REPORT query tests (RFC 4791 §7.8, §7.9)
  • (caldav) Add CRUD operation tests (RFC 4791 §5.3.2)
  • (caldav) Add authentication and permission tests
  • (caldav) Add sync semantics tests (ETag, CTag, conditional requests)
  • (caldav) Add client compatibility and bug reproduction tests
  • (caldav) Add relation and subtask tests (RFC 5545 §3.8.4.5)
  • (caldav) Add VTODO field round-trip tests (RFC 5545 §3.6.2)
  • (e2e) Add test for read-only checkbox on overview page
  • (e2e) Relax home greeting assertions for rotating pool
  • (fixtures) Add child project for reparent escalation tests
  • (gantt) Add e2e test for date range preservation after task modal close
  • (kanban) Add failing test for repeating task bucket routing on done (#​2573)
  • (migration) Add WeKan migration tests and fixture
  • (migration) Regression test for forged attachment size
  • (plugins) Add yaegi plugin integration tests
  • (project) Add regression tests for reparent privilege escalation
  • (project) Fix ParadeDB search expectation for fixture child
  • (security) Webtest that a deleted link share rejects its still-valid JWT
  • (tasks) Add failing test for repeating task bucket routing via Task.Update (#​2573)
  • (tasks) Add DoS regression test for ancient repeating due dates
  • (todoist) Serve attachment from local test server
  • (user) Cover TOTP lockout persistence and password-reset unlock
  • (webhook) Add failing test for #​2569 sibling webhook blocking
  • (webhook) Assert good webhook delivered once despite sibling retries
  • (webhook) Assert flaky webhook is retried until it succeeds
  • (webhook) Handle deleted webhook gracefully between fan-out and delivery
  • (webhook) Assert bad webhook is retried in no-duplicate test
  • (webtests) Add end-to-end TOTP lockout test
  • Update expected results for archived project propagation (13be01d)
  • Add failing test for TickTick child-before-parent CSV order (c496364)
  • Add test for deeply nested TickTick task ordering (112e486)
  • Add tests for OAuth 2.0 authorization flow (649043a)
  • Add integration tests for CalDAV API token auth (194bec8)
  • Verify caldav permission group appears in /routes (390957b)
  • Add tests for API token expiry notifications and cron (6b225bb)
  • Add WebSocket e2e tests (4cd7908)
  • Assert position existence instead of conditional skip (a628c99)
  • Add failing tests for subtask visibility in filtered views (616ac8b)
  • Remove obsolete invalid-cache-type test for avatar upload (c166eff)
  • Verify background removal preserves project title (7679034)
  • Add tests for SSO avatar provider reset on empty picture URL (1065bdd)
  • Wire up API URL for anonymous link share e2e tests (91728c0)
  • Add e2e regression test for link share loop while logged in (a574d62)

v2.2.2

Compare Source

Bug Fixes
  • Require admin access to list link shares (5cd5dc4)
  • Hide link sharing section in UI for non-admin users (74d1bdd)

v2.2.1

Compare Source

Bug Fixes
  • (auth) Reject disabled/locked users in OIDC callback
  • (auth) Reject disabled/locked users in API token middleware
  • (auth) Return correct error type for locked users in OIDC callback
  • (auth) Reject disabled/locked users in CheckUserCredentials
  • (auth) Skip profile updates for disabled LDAP users
  • (caldav) Replace href with pathname from parseURL for api base
  • (frontend) OrigUrlToCheck references the same object as urlToCheck
  • (openid) Merge VikunjaGroups and ExtraSettingsLinks from userinfo
  • (user) Reject disabled/locked users in getUser by default
  • (user) Handle status errors in pkg/user callers, remove redundant checks
  • (user) Handle status errors across the codebase, remove redundant checks
  • (user) Use getUser directly for uniqueness checks in UpdateUser
  • (user) Use unique error code for ErrCodeAccountLocked
  • Remove small class from preset label (652eb9b)
  • Include kanban bucket move permission in tasks preset (0085772)
  • Prevent TOTP passcode reuse within validity window (5f06e1d)
  • Update TOTP reuse test to use user10 matching rebased fixture (acafa6d)
  • Add TTL-based expiry and cleanup for used TOTP passcode entries (0f98c19)
  • Check child project's own IsArchived flag in CheckIsArchived (d0606ea)
  • Update ParadeDB search test count for new fixture (595002b)
  • Filter related tasks by project access to prevent cross-project info disclosure (67a4778)
  • Prevent attachment IDOR by validating task_id in ReadOne (GHSA-jfmm-mjcp-8wq2) (b8edc8f)
  • Prevent link share IDOR by validating project_id in Delete and ReadOne (654d2c7)
  • Prevent SSRF via OpenID Connect avatar download (GHSA-g9xj-752q-xh63) (363aa66)
  • Prevent SSRF via migration file attachment URLs (GHSA-g66v-54v9-52pr) (9329774)
  • Prevent SSRF via Microsoft Todo migration pagination links (73edbb6)
  • Prevent SSRF via Unsplash background image download (a94109e)
  • Block link share users from listing link shares in ReadAll (9efe1fa)
  • Correct error message assertion in linkshare ReadAll tests (a0478a0)
  • Strip BasicAuth credentials from project webhook API responses (75c9b75)
  • Strip BasicAuth credentials from user webhook API responses (6aef5af)
  • Use MySQL-compatible CREATE INDEX in migration 2026022 (867c527)
  • Skip quick add magic parsing when text is wrapped in quotes (07b9742)
Dependencies
  • (deps) Update dependency rollup to v4.60.0
  • (deps) Update dependency caniuse-lite to v1.0.30001781
  • (deps) Update flatted to 3.4.2 to fix prototype pollution vulnerability
  • (deps) Update dev-dependencies
  • (deps) Update dev-dependencies to v8.57.2
Documentation
  • Mention mole proxy in outgoingrequests config docs (701e3f9)
Features
  • (user) Add ErrAccountLocked error type
  • Add quick presets for API token permission selection (68097cf)
  • Add outgoingrequests config keys for centralized SSRF protection (f96b53f)
  • Add shared SSRF-safe HTTP client utility (0266fff)
Miscellaneous Tasks
  • (ci) Update golangci-lint to v2.10.1
  • (i18n) Update translations via Crowdin
  • (lint) Suppress known gosec false positives
  • (lint) Suppress additional gosec false positives
  • (lint) Suppress gosec false positives on SSRF-safe HTTP client calls
Refactor
  • (user) Export IsErrUserStatusError for use across packages
  • Reorganize quick add magic into focused modules (cb81cf1)
  • Add accessibleProjectIDsSubquery helper for project-level authz filtering (e2683bb)
  • Use accessibleProjectIDsSubquery in addBucketsToTasks (833f2ae)
  • Use shared SSRF-safe HTTP client in webhook code (e5a1c05)
Testing
  • (auth) Add comprehensive disabled/locked user auth tests
  • Add TOTP fixture and load it in user test bootstrap (de58f63)
  • Add failing test for TOTP passcode reuse prevention (5591ca9)
  • Add API token fixture for disabled user (198322c)
  • Verify disabled user's API token is rejected (e4379ef)
  • Verify disabled user is rejected via CalDAV auth (8b614a4)
  • Verify GetUserByID rejects disabled users and returns user with error (525f5ee)
  • Add cross-project task relation fixture for authz test (589d2a5)
  • Add failing test for cross-project task relation info disclosure (50c3eeb)
  • Add attachment fixture on inaccessible task for IDOR test (b2c3c36)
  • Add IDOR test for task attachment ReadOne (GHSA-jfmm-mjcp-8wq2) (3111f3d)
  • Use new outgoingrequests config keys in SSRF tests (d4d88c0)
  • Remove redundant webhook SSRF tests (848a4e7)
  • Add BasicAuth credentials to webhook fixture (094ff5f)
  • Add failing test for webhook BasicAuth credential exposure (751ab2c)
  • Update user count assertions for new locked user fixture (c1418c1)
  • Add failing tests for quote-escaped task text parsing (8538b4c)

v2.2.0

Compare Source

Bug Fixes
  • (attachments) Sync kanban store and task ref on attachment changes
  • (auth) Use SameSite=None for refresh token cookie to fix desktop app
  • (auth) Make SameSite=None conditional on HTTPS for refresh cookie
  • (caldav) Eliminate nested db session in CalDAV auth
  • (caldav) Parse timestamps in configured timezone
  • (caldav) Use /dav/projects/ as home to make iOS/MacOS reminders work (#​2417)
  • (ci) Remove HTML comments inside table that break markdown rendering
  • (cli) Make user deletion confirmation check Windows compatible (#​2339)
  • (db) Prevent SQLite "database is locked" errors under concurrent writes
  • (db) Use immediate txlock for SQLite instead of MaxOpenConns(1)
  • (db) Use WAL mode for SQLite and temp file for ephemeral databases
  • (desktop) Disable nodeIntegration and enable contextIsolation/sandbox
  • (desktop) Validate URL schemes before shell.openExternal
  • (desktop) Block same-window navigation to external origins
  • (docker) Remove COPY for deleted patches directory
  • (e2e) Drain event handlers and stop browser between tests
  • (events) Defer task event dispatch until after transaction commit
  • (events) Defer event dispatch for task sub-entities
  • (events) Defer event dispatch for project operations
  • (events) Defer event dispatch for team operations
  • (events) Defer event dispatch for user creation and task positions
  • (events) Dispatch pending events in CalDAV handlers after commit
  • (events) Dispatch pending events in migration and export handlers
  • (frontend) Add horizontal overflow handling to tables on mobile
  • (frontend) Use semantic class instead of targeting Tailwind utility
  • (frontend) Use mbs-2 utility class instead of scoped CSS
  • (gantt) Always show relation arrows and fix arrow Y positioning
  • (gantt) Update relation arrows in real-time during drag and resize
  • (gantt) Make relation arrows smaller and dash precedes lines
  • (gantt) Spread overlapping relation arrows at shared endpoints
  • (gantt) Improve parent task bar styling and visual grouping
  • (gantt) Make collapse/expand triangle smaller
  • (gantt) Move parent diamonds outward with stroke and remove hover effect
  • (gantt) Only set hasDerivedDates when children have actual dates
  • (gantt) Clamp collapse chevron x position to prevent negative offset
  • (gantt) Remove unreachable hover rule on relation arrows
  • (gantt) Render collapse chevron after bars for correct SVG paint order
  • (menu) Prevent dropdown from closing when cursor crosses offset gap (#​2367)
  • (menu) Show all project menu items in sidebar dropdown
  • (migration) Support space-separated date format in TickTick importer
  • (nav) Project drag handle position
  • (shortcuts) Resolve lint errors in shortcut module
  • (shortcuts) Track active sequences explicitly to prevent misfires
  • (tasks) Support both expand and expand[] query parameter formats (#​2415)
  • (test) Update mobile kanban test to use close button instead of back button
  • (views) Assign default position when creating new project views
  • Use MinPositionSpacing threshold in calculateNewPositionForTask (#​2320) (3ca4913)
  • Remove invalidateAvatarCache call that broke request deduplication (#​2317) (7297682)
  • Add /tmp directory to Docker image to fix data export (84d563c)
  • Update old kolaente.dev URLs to code.vikunja.io (#​2342) (a160048)
  • Validate default settings timezone on startup (#​2345) (40bcf2b)
  • Correct package.json indentation after dependency removal (f8763d8)
  • Remove duplicate close button on mobile task detail view (8a4f3a9)
  • Prevent nil pointer panic in mention notification listeners (18f1687)
  • Only drop Vikunja-owned tables in WipeEverything (14e2c95)
  • Only dump Vikunja-owned tables (cd7d405)
  • Remove debug log statements from task duplicate (6da0f68)
  • Close source file handle when duplicating attachments (7aad96b)
  • Preserve cover image when duplicating task (9c23e19)
  • Allow browser caching for file downloads (#​2349) (54d9775)
  • Handle deleted user in saved filter view event listener (7288483)
  • Include remote IP address in HTTP request logs (f9cb0a2)
  • Use ParadeDB v2 fuzzy prefix matching for search (#​2346) (0a38ec0)
  • Prefer working directory for service.rootpath default (d3cbc4f)
  • Ensure /tmp is writable by container user in Docker image (f497e8b)
  • Remove debounce from color picker to prevent stale color on save (d196af0)
  • Send account deletion notification before deleting user row (79a612a)
  • Register bulk label route correctly for API token permissions (e19bea8)
  • Prevent authenticated UI flash when server rejects JWT session (#​2387) (28cc9e0)
  • Preserve CalDAV inverse relations when parent has no RELATED-TO (#​2389) (ada2eba)
  • Collapse view buttons into dropdown when overflowing (#​2306) (7b6b432)
  • Invalidate all sessions when enabling TOTP (3bc0093)
  • Make mage fmt skip gitignored files (e74265d)
  • Ensure frontend dist directory exists for lint and fmt commands (c62b7e6)
  • Handle S3 backend in user export download (b0ede53)
  • Use file mime type instead of hardcoded application/zip in S3 export (4cd63f9)
  • Configure Echo IPExtractor to prevent rate limit bypass via spoofed headers (a498dd6)
  • Block login for StatusAccountLocked users (4c80932)
  • Prevent password reset from re-enabling admin-disabled accounts (d8570c6)
  • Reject password reset token requests for disabled users (708ccab)
  • Prevent email confirmation from re-enabling admin-disabled accounts (049f4a6)
  • Update test expectations for new disabled user fixture (89923eb)
  • Reject images exceeding 50M pixels before decode (af61d0f)
  • Adapt image preview DoS protection to new FileStorage interface (be0aaa7)
  • Verify comment belongs to task in URL to prevent IDOR (bc6d843)
  • Require CanUpdate for project background deletion (f066eb3)
  • Only enforce task_id check when TaskID is provided (4941961)
  • Use require.Error instead of assert.Error for error assertions (b7a1408)
  • Reject CalDAV basic auth when TOTP is enabled (cdf5d30)
  • Use user10 instead of user1 for TOTP fixture to avoid breaking login tests (659e73a)
  • Update TOTP fixtures and tests to avoid conflicts with existing enrollment tests (1ed813c)
Dependencies
  • (deps) Update dev-dependencies
  • (deps) Upgrade serialize-javascript to 7.0.3
  • (deps) Update dependency @​vue/tsconfig to v0.9.0
  • (deps) Use forked afero-s3 to fix S3 read performance regression (#​2313)
  • (deps) Update dependency flexsearch to v0.8.212
  • (deps) Remove obsolete flexsearch 0.7.43 patch
  • (deps) Remove @​github/hotkey dependency
  • (deps) Update dependency rollup-plugin-visualizer to v6.0.11
  • (deps) Update dependency electron to v40.7.0
  • (deps) Update immutable to 5.1.5
  • (deps) Update svgo to 3.3.3
  • (deps) Update tar to 7.5.10 and @​tootallnate/once to 3.0.1 in desktop
  • (deps) Update dependency vite-svg-loader to v5.1.1
  • (deps) Bump dompurify from 3.3.1 to 3.3.2 in /frontend
  • (deps) Update dependency eslint to v9.39.4
  • (deps) Update dev-dependencies to v8.57.0
  • (deps) Update dependency sass-embedded to v1.98.0
  • (deps) Update dev-dependencies (#​2395)
  • (deps) Update dependency caniuse-lite to v1.0.30001779
  • (deps) Override flatted to 3.4.1 to fix unbounded recursion DoS
  • (deps) Update tar override to 7.5.11 to fix symlink path traversal
  • (deps) Update dependency vue-tsc to v3.2.6
  • (deps) Update dependency electron to v40.8.3
  • (deps) Update dev-dependencies to v4.2.2
  • (deps) Add daenney/ssrf for webhook SSRF protection
  • (deps) Update dependency stylelint to v17.5.0
Documentation
  • Update user search endpoint description for external team bypass (b5086fe)
  • Update rootpath description to mention working directory default (ddfc565)
  • Document database.schema config option for PostgreSQL (8868b21)
  • Document IP extraction and trusted proxy config options (015a172)
Features
  • (ci) Post preview deployment comment on PRs
  • (ci) Enable merge queue trigger
  • (config) Add webhooks.allownonroutableips setting
  • (events) Add DispatchOnCommit/DispatchPending for deferred event dispatch
  • (frontend) Upgrade Tailwind CSS from v3 to v4
  • (frontend) Highlight overdue tasks consistently (#​958)
  • (gantt) Add expand=subtasks to Gantt API params
  • (gantt) Add task tree builder utility for hierarchy
  • (gantt) Add dependency arrow data builder
  • (gantt) Integrate task tree into Gantt rendering with collapse
  • (gantt) Add collapse/expand chevron and indent indicators
  • (gantt) Render parent summary bars with diamond endpoints
  • (gantt) Create arrow SVG overlay component for relations
  • (gantt) Wire relation arrows into GanttChart with toggle
  • (handlers) Dispatch pending events after transaction commit
  • (release) Update frontend package.json version on release
  • (shortcuts) Add event.code-based shortcut module
  • (webhooks) Add built-in SSRF protection using daenney/ssrf
  • Ensure forms submit on Enter (#​959) (e1d1e7c)
  • Use official vite plugin for sentry (#873) (0a9586e)
  • Mini tiptap improvements (b92735b)
  • Surface API validation errors to registration form fields (#​1902) (c6f0d8b)
  • Add table registration to db package (d26936f)
  • Register Vikunja tables with db package at init (3dd2ba4)
  • Add RegisteredTableNames helper to db package (0a8534d)
  • Add task duplicate backend model and tests (d8f3a96)
  • Register task duplicate API route (77fdf1b)
  • Add task duplicate frontend model and service (52bee37)
  • Add duplicateTask action to task store (2014d50)
  • Add duplicate button to task detail view (6c9407c)
  • Bypass discoverability settings for external team members (28b913f)
  • Add InitEventsForTesting and Unfake for real event dispatch in tests (1b1e8e5)
  • Add mage test:e2e-api target for e2e API tests (24b800d)
  • Add conversational email template and rendering (d4b0302)
  • Convert notifications to conversational email style (b3572c5)
  • Add translation keys for conversational emails (def73e2)
  • Add user_id to webhooks and user-directed event infrastructure (d4577c6)
  • Extend WebhookListener for user-level webhooks (dbbc80a)
  • Add API routes for user-level webhooks (47a0775)
  • Add user-level webhooks settings page (2e1648e)
  • Replace afero-s3 with minimal S3 afero.Fs implementation (b065c62)
  • Add service.ipextractionmethod and service.trustedproxies config options (26324a7)
  • Add StatusAccountLocked user status for TOTP lockouts (f42a045)
Miscellaneous Tasks
  • (dev) Update devenv
  • (i18n) Update translations via Crowdin
  • Remove feature request issue template (06ead58)
Other
  • (other) [skip ci] Updated swagger docs
  • (other) Add e2e API tests to CI pipeline
  • (other) Upgrade ParadeDB image to support v2 fuzzy search API
Refactor
  • (attachments) Read from task prop instead of global store
  • (attachments) Return uploaded attachments instead of writing to store
  • (attachments) Use local state instead of global attachment store
  • (attachments) Remove global attachment store
  • (shortcuts) Update directive to use new shortcut module
  • (shortcuts) Update v-shortcut values to event.code format
  • (shortcuts) Replace eventToHotkeyString with eventToShortcutString
  • (shortcuts) Use event.code for raw keyboard handlers
  • Batch label inserts during task duplication (e07eeed)
  • Use TaskRelation.Create for copy relation (692357a)
  • Move ListUsers tests from pkg/user to pkg/models (54c7c4a)
  • Enable golangci-lint on magefile, fix errors (cea8c78)
  • Fix contextcheck lint errors on magefile by passing mage context (0a1104b)
  • Merge last unique build tag "tools" into go.mod tools section (1b5f3f4)
  • Add centralized ResolvePath for rootpath-relative paths (2a7165a)
  • Use config.ResolvePath for all rootpath-relative paths (a043940)
  • Replace afero with FileStorage interface (0e1f44e)
  • Use StatusAccountLocked for TOTP lockouts (7792bf6)
  • Rename checkProjectBackgroundWriteRights to checkProjectBackgroundWritePermissions (4b91e5e)
Styling
  • Fix alignment in config key declarations (ddd9ef5)
Testing
  • (shortcuts) Add unit tests for shortcut parsing logic
  • (webhooks) Add SSRF protection tests
  • (webhooks) Allow non-routable IPs in E2E tests
  • Update event assertions to work with deferred dispatch (f516bbe)
  • Add web integration tests for task duplication (4d494ba)
  • Add user 11 to external team 14 for discoverability tests (64e455a)
  • Add tests for external team user discoverability bypass (3a73016)
  • Verify email masking for external team name search (0661789)
  • Add e2e API test package with webhook pipeline verification (1f3509b)
  • Add fixture task with compound word for prefix search testing (275f714)
  • Add web tests for prefix/substring search (#​2346) (892b38b)
  • Rewrite MultiFieldSearch tests with SQL output verification (ee2723d)
  • Call real MultiFieldSearch function and branch on db engine (e6cbd67)
  • Add task #​48 to expected results in feature tests (3568aaa)
  • Adjust ParadeDB search tests for fuzzy prefix match broadening (6268c48)
  • Fix lint and adjust project search test for ParadeDB fuzzy matching (b69705e)
  • Add result count assertions for ParadeDB search tests (c7c63e8)
  • Fix non-ParadeDB project search count assertion (df0e3a8)
  • Fix ParadeDB project search count to 27 (d36ac9d)
  • Add tests for conversational email system (aacf650)
  • Add e2e tests for user-level webhooks (05cc65f)
  • Add web tests for bulk label task endpoint (675dfb3)
  • Add failing test for bulk label API token route registration (554593c)
  • Add FileStat assertion to validate storage path in attachment test (17eccd8)
  • Add tests for disabled user password reset prevention (241b0e8)
  • Add web test for disabled user password reset rejection (2260d76)
  • Add failing test for image preview with oversized dimensions (f7592e2)
  • Add failing test for task comment IDOR (2da8925)
  • Add failing test for project background delete with read-only access (f60f3af)
  • Add TOTP fixture data for user1 (27ef92b)
  • Add failing test for CalDAV 2FA bypass via basic auth (bda16e7)
  • Register totp fixture in test setup (a66bda2)
  • Verify CalDAV token auth bypasses TOTP check (1f2aef7)

v2.1.0

Compare Source

Bug Fixes
  • (auth) Remove password reset token after use
  • (auth) Correctly delete older password reset tokens in cron
  • (editor) Use overflow-wrap instead of word-break for text wrapping
  • (filter) Recover from datemath panic on malformed date filter values
Dependencies
  • (deps) Update dependency stylelint to v17.4.0
  • (deps) Update dependency autoprefixer to v10.4.26
  • (deps) Update dev-dependencies
  • (deps) Override transitive rollup 2.x to use direct dependency version
  • (deps) Upgrade transitive basic-ftp from 5.0.5 to 5.2.0
  • (deps) Upgrade transitive minimatch from 10.2.1 to 10.2.3+
Features
  • (checklist) Show green progress circle when all checkboxes are done
  • (multiselect) Add green plus icon and always-visible hint to create option
Miscellaneous Tasks
  • (i18n) Update translations via Crowdin
  • Add opensourcefinder verification (1eccb0e)
Other
  • (other) [skip ci] Updated swagger docs

v2.0.0

Compare Source

Bug Fixes
  • (attachments) Use mime.FormatMediaType for Content-Disposition header
  • (auth) Use checked type assertions for all JWT claims
  • (build) Add osusergo tag to plugin build
  • (build) Use absolute path for zip output in release
  • (db) Validate table names and quote identifiers in raw SQL
  • (gantt) Render done tasks with strikethrough and reduced opacity
  • (gantt) Sync task updates from detail view back to gantt chart
  • (gantt) Only persist dates that actually exist on partial-date tasks
  • (migration) Make migration from Microsoft Todo work for those with previously migrated wunderlist accounts (#​2126)
  • (migration) Reject zip entries with path traversal in vikunja-file import
  • (migration) Limit zip entry read size to prevent decompression bombs
  • (migration) Use checked type assertion for background file id
  • (release) Skip upx compression for windows arm64 binaries
  • (restore) Reject zip entries with path traversal sequences
  • (restore) Sanitize config file path to prevent zip slip
  • (restore) Validate database file names in zip archive
  • (restore) Validate migration data before wiping database
  • (restore) Limit zip entry read size to prevent decompression bombs
  • (restore) Pre-validate all table data JSON before wiping database
  • (restore) Extract preValidateTableData to reduce cyclomatic complexity
  • (task) Require explicit confirmation before saving reminders
  • (task) Disable Confirm button when no date is selected in absolute reminder picker
  • (tasks) Show drag handle icon on mobile devices (#​2286)
  • (test) Update existing reminder tests to click Confirm after date selection
  • (tests) Update web test assertions for new task47 fixture
  • (tests) Properly assert sort order including task47 in web tests
  • Use DelPrefix in upload avatar FlushCache to clear all cached sizes (79d0942)
  • Reset group permission checkboxes when creating a new API token (30e53db)
  • Wrap API tokens table rows in thead and tbody elements (b66b75f)
  • Correct indentation in API tokens table after thead/tbody wrap (17360a8)
  • Add missing error checks in filepath.Walk and defer Close locations (8dbff21)
  • Replace stray panic with return err (122ba30)
  • Prevent duplicated sql condition in filters (#​1546) (8779a28)
  • Merge AND-joined sub-table filters into single EXISTS subquery (c034e43)
  • Only merge range comparators in sub-table filter grouping (1943d69)
  • Don't show export ready message when no export exists (7862651)
  • Clamp gantt bar title position when task starts before visible range (df05c51)
  • Break long continuous strings in editor to prevent overflow (bc2f7e5)
  • Fix API_URL trailing slash and remove CORS env var overrides in test:e2e (51a9f9c)
  • Use preview:dev for correct dist dir and kill process groups in test:e2e (d008512)
  • Use in-memory SQLite and log temp directory cleanup in test:e2e (fec1c03)
  • Correct broken throttle in checkAuth that never triggered (a11cde1)
  • Don't overwrite user info with incomplete JWT data on navigation (1d420dd)
  • Keep token expiry in sync when skipping setUser from JWT (65806df)
  • Reset throttle on logout so checkAuth clears auth state (4cee2cf)
  • Detect and store mime type when creating file attachments (519f66a)
  • Add Content-Disposition attachment header to task attachment downloads

Configuration

📅 Schedule: (in timezone Asia/Singapore)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Feb 25, 2026

Deploying jjgadgets-biohazard with Cloudflare Pages

Latest commit: 0e8fd0b
Status: ✅  Deploy successful!
Preview URL: https://9254898e.jjgadgets-biohazard.pages.dev
Branch Preview URL: https://renovate-docker-io-vikunja-v-eqdy.jjgadgets-biohazard.pages.dev


@tinfoild
Contributor Author

tinfoild Bot commented Feb 25, 2026

kube/helmrelease/out00

--- HelmRelease: vikunja/vikunja Deployment: vikunja/vikunja

+++ HelmRelease: vikunja/vikunja Deployment: vikunja/vikunja

@@ -118,13 +118,13 @@

         - name: VIKUNJA_SERVICE_MAXITEMSPERPAGE
           value: '200'
         - name: VIKUNJA_SERVICE_PUBLICURL
           value: null
         - name: VIKUNJA_SERVICE_TIMEZONE
           value: null
-        image: docker.io/vikunja/vikunja:0.24.6@sha256:ed1f3ed467fecec0b57e9de7bc6607f8bbcbb23ffced6a81f5dfefc794cdbe3b
+        image: docker.io/vikunja/vikunja:2.3.0@sha256:f6b80393c1998cd5cd0dc38d24762c59ab4c10000a6f1032ef5b554e262cab93
         livenessProbe:
           failureThreshold: 3
           initialDelaySeconds: 0
           periodSeconds: 10
           tcpSocket:
             port: 8080
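
Review bot: the livenessProbe in the trailing context of this hunk is a tcpSocket check on port 8080, so it only confirms that the container accepts connections and will keep passing even if the application is not serving correctly after the image line moves from 0.24.6 to 2.3.0. Because this is a major-version change pinned to a new digest and automerge is disabled, take a database backup before merging and confirm the application responds after rollout instead of relying on the probe; an httpGet probe against an application endpoint would make that check part of the deployment. The hunk changes nothing but the image line, so also decide whether the settings the release notes introduce (service.trustedproxies, service.ipextractionmethod, webhooks.allownonroutableips) need explicit values in this environment.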

@tinfoild tinfoild Bot force-pushed the renovate/docker.io-vikunja-vikunja-2.x branch from 983936d to 88e3136 Compare February 27, 2026 14:20
@tinfoild tinfoild Bot changed the title feat(oci/vikunja)!: Update 0.24.6 ➼ 2.0.0 feat(oci/vikunja)!: Update 0.24.6 ➼ 2.1.0 Feb 27, 2026
@tinfoild tinfoild Bot changed the title feat(oci/vikunja)!: Update 0.24.6 ➼ 2.1.0 feat(oci/vikunja)!: Update 0.24.6 ➼ 2.1.0 - autoclosed Mar 1, 2026
@tinfoild tinfoild Bot closed this Mar 1, 2026
@tinfoild tinfoild Bot deleted the renovate/docker.io-vikunja-vikunja-2.x branch March 1, 2026 01:18
@tinfoild tinfoild Bot changed the title feat(oci/vikunja)!: Update 0.24.6 ➼ 2.1.0 - autoclosed feat(oci/vikunja)!: Update 0.24.6 ➼ 2.1.0 Mar 1, 2026
@tinfoild tinfoild Bot reopened this Mar 1, 2026
@tinfoild tinfoild Bot force-pushed the renovate/docker.io-vikunja-vikunja-2.x branch 2 times, most recently from 88e3136 to fc61230 Compare March 1, 2026 01:24
@tinfoild tinfoild Bot force-pushed the renovate/docker.io-vikunja-vikunja-2.x branch from fc61230 to ad299b7 Compare March 20, 2026 13:31
@tinfoild tinfoild Bot changed the title feat(oci/vikunja)!: Update 0.24.6 ➼ 2.1.0 feat(oci/vikunja)!: Update 0.24.6 ➼ 2.2.0 Mar 20, 2026
@tinfoild
Contributor Author

tinfoild Bot commented Mar 20, 2026

kube/kustomization/out00

--- kube/deploy/apps/vikunja/app Kustomization: flux-system/vikunja-app HelmRelease: vikunja/vikunja

+++ kube/deploy/apps/vikunja/app Kustomization: flux-system/vikunja-app HelmRelease: vikunja/vikunja

@@ -88,13 +88,13 @@

               VIKUNJA_SERVICE_JWTTTLLONG: '1209600'
               VIKUNJA_SERVICE_MAXITEMSPERPAGE: '200'
               VIKUNJA_SERVICE_PUBLICURL: null
               VIKUNJA_SERVICE_TIMEZONE: null
             image:
               repository: docker.io/vikunja/vikunja
-              tag: 0.24.6@sha256:ed1f3ed467fecec0b57e9de7bc6607f8bbcbb23ffced6a81f5dfefc794cdbe3b
+              tag: 2.2.0@sha256:fefda8ba71c3b06cc7f53f93ee14ebf1ad155a535e572b8dc702a46d789fc6d1
             resources:
               limits:
                 cpu: 3000m
                 memory: 6000Mi
               requests:
                 cpu: 10m
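
Review bot: the `+` tag line in this hunk pins 2.2.0, but the PR title was later changed to 2.3.0 and the HelmRelease diff in the earlier comment pins 2.3.0, so this Kustomization diff is stale and does not show the tag and digest that will actually be deployed. Regenerate it against the current head (0e8fd0b) and check that the digest on the tag line matches the one in the HelmRelease output before approving.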

@tinfoild tinfoild Bot force-pushed the renovate/docker.io-vikunja-vikunja-2.x branch from ad299b7 to 1cc5298 Compare March 23, 2026 03:24
@tinfoild tinfoild Bot changed the title feat(oci/vikunja)!: Update 0.24.6 ➼ 2.2.0 feat(oci/vikunja)!: Update 0.24.6 ➼ 2.2.1 Mar 23, 2026
@tinfoild tinfoild Bot force-pushed the renovate/docker.io-vikunja-vikunja-2.x branch 2 times, most recently from 9a1e5d0 to 5cc67ad Compare March 23, 2026 21:17
@tinfoild tinfoild Bot changed the title feat(oci/vikunja)!: Update 0.24.6 ➼ 2.2.1 feat(oci/vikunja)!: Update 0.24.6 ➼ 2.2.2 Mar 23, 2026
@JJGadgets JJGadgets added wontfix This will not be worked on procrastination and removed wontfix This will not be worked on labels Mar 25, 2026
@tinfoild tinfoild Bot force-pushed the renovate/docker.io-vikunja-vikunja-2.x branch from 5cc67ad to 0e8fd0b Compare April 9, 2026 19:32
@tinfoild tinfoild Bot changed the title feat(oci/vikunja)!: Update 0.24.6 ➼ 2.2.2 feat(oci/vikunja)!: Update 0.24.6 ➼ 2.3.0 Apr 9, 2026