chore(deps): update container image vikunja/vikunja to v2.2.2

[renovate]

This PR contains the following updates:

Package	Update	Change
vikunja/vikunja	major	0.24.6 → 2.2.2

---

Release Notes

go-vikunja/vikunja (vikunja/vikunja)

v2.2.2

Compare Source

Bug Fixes

• Require admin access to list link shares (5cd5dc4)
• Hide link sharing section in UI for non-admin users (74d1bdd)

v2.2.1

Compare Source

Bug Fixes

• (auth) Reject disabled/locked users in OIDC callback
• (auth) Reject disabled/locked users in API token middleware
• (auth) Return correct error type for locked users in OIDC callback
• (auth) Reject disabled/locked users in CheckUserCredentials
• (auth) Skip profile updates for disabled LDAP users
• (caldav) Replace href with pathname from parseURL for api base
• (frontend) OrigUrlToCheck references the same object as urlToCheck
• (openid) Merge VikunjaGroups and ExtraSettingsLinks from userinfo
• (user) Reject disabled/locked users in getUser by default
• (user) Handle status errors in pkg/user callers, remove redundant checks
• (user) Handle status errors across the codebase, remove redundant checks
• (user) Use getUser directly for uniqueness checks in UpdateUser
• (user) Use unique error code for ErrCodeAccountLocked
• Remove small class from preset label (652eb9b)
• Include kanban bucket move permission in tasks preset (0085772)
• Prevent TOTP passcode reuse within validity window (5f06e1d)
• Update TOTP reuse test to use user10 matching rebased fixture (acafa6d)
• Add TTL-based expiry and cleanup for used TOTP passcode entries (0f98c19)
• Check child project's own IsArchived flag in CheckIsArchived (d0606ea)
• Update ParadeDB search test count for new fixture (595002b)
• Filter related tasks by project access to prevent cross-project info disclosure (67a4778)
• Prevent attachment IDOR by validating task_id in ReadOne (GHSA-jfmm-mjcp-8wq2) (b8edc8f)
• Prevent link share IDOR by validating project_id in Delete and ReadOne (654d2c7)
• Prevent SSRF via OpenID Connect avatar download (GHSA-g9xj-752q-xh63) (363aa66)
• Prevent SSRF via migration file attachment URLs (GHSA-g66v-54v9-52pr) (9329774)
• Prevent SSRF via Microsoft Todo migration pagination links (73edbb6)
• Prevent SSRF via Unsplash background image download (a94109e)
• Block link share users from listing link shares in ReadAll (9efe1fa)
• Correct error message assertion in linkshare ReadAll tests (a0478a0)
• Strip BasicAuth credentials from project webhook API responses (75c9b75)
• Strip BasicAuth credentials from user webhook API responses (6aef5af)
• Use MySQL-compatible CREATE INDEX in migration 2026022 (867c527)
• Skip quick add magic parsing when text is wrapped in quotes (07b9742)

Dependencies

• (deps) Update dependency rollup to v4.60.0
• (deps) Update dependency caniuse-lite to v1.0.30001781
• (deps) Update flatted to 3.4.2 to fix prototype pollution vulnerability
• (deps) Update dev-dependencies
• (deps) Update dev-dependencies to v8.57.2

Documentation

• Mention mole proxy in outgoingrequests config docs (701e3f9)

Features

• (user) Add ErrAccountLocked error type
• Add quick presets for API token permission selection (68097cf)
• Add outgoingrequests config keys for centralized SSRF protection (f96b53f)
• Add shared SSRF-safe HTTP client utility (0266fff)

Miscellaneous Tasks

• (ci) Update golangci-lint to v2.10.1
• (i18n) Update translations via Crowdin
• (lint) Suppress known gosec false positives
• (lint) Suppress additional gosec false positives
• (lint) Suppress gosec false positives on SSRF-safe HTTP client calls

Refactor

• (user) Export IsErrUserStatusError for use across packages
• Reorganize quick add magic into focused modules (cb81cf1)
• Add accessibleProjectIDsSubquery helper for project-level authz filtering (e2683bb)
• Use accessibleProjectIDsSubquery in addBucketsToTasks (833f2ae)
• Use shared SSRF-safe HTTP client in webhook code (e5a1c05)

Testing

• (auth) Add comprehensive disabled/locked user auth tests
• Add TOTP fixture and load it in user test bootstrap (de58f63)
• Add failing test for TOTP passcode reuse prevention (5591ca9)
• Add API token fixture for disabled user (198322c)
• Verify disabled user's API token is rejected (e4379ef)
• Verify disabled user is rejected via CalDAV auth (8b614a4)
• Verify GetUserByID rejects disabled users and returns user with error (525f5ee)
• Add cross-project task relation fixture for authz test (589d2a5)
• Add failing test for cross-project task relation info disclosure (50c3eeb)
• Add attachment fixture on inaccessible task for IDOR test (b2c3c36)
• Add IDOR test for task attachment ReadOne (GHSA-jfmm-mjcp-8wq2) (3111f3d)
• Use new outgoingrequests config keys in SSRF tests (d4d88c0)
• Remove redundant webhook SSRF tests (848a4e7)
• Add BasicAuth credentials to webhook fixture (094ff5f)
• Add failing test for webhook BasicAuth credential exposure (751ab2c)
• Update user count assertions for new locked user fixture (c1418c1)
• Add failing tests for quote-escaped task text parsing (8538b4c)

v2.2.0

Compare Source

Bug Fixes

• (attachments) Sync kanban store and task ref on attachment changes
• (auth) Use SameSite=None for refresh token cookie to fix desktop app
• (auth) Make SameSite=None conditional on HTTPS for refresh cookie
• (caldav) Eliminate nested db session in CalDAV auth
• (caldav) Parse timestamps in configured timezone
• (caldav) Use /dav/projects/ as home to make iOS/MacOS reminders work (#​2417)
• (ci) Remove HTML comments inside table that break markdown rendering
• (cli) Make user deletion confirmation check Windows compatible (#​2339)
• (db) Prevent SQLite "database is locked" errors under concurrent writes
• (db) Use immediate txlock for SQLite instead of MaxOpenConns(1)
• (db) Use WAL mode for SQLite and temp file for ephemeral databases
• (desktop) Disable nodeIntegration and enable contextIsolation/sandbox
• (desktop) Validate URL schemes before shell.openExternal
• (desktop) Block same-window navigation to external origins
• (docker) Remove COPY for deleted patches directory
• (e2e) Drain event handlers and stop browser between tests
• (events) Defer task event dispatch until after transaction commit
• (events) Defer event dispatch for task sub-entities
• (events) Defer event dispatch for project operations
• (events) Defer event dispatch for team operations
• (events) Defer event dispatch for user creation and task positions
• (events) Dispatch pending events in CalDAV handlers after commit
• (events) Dispatch pending events in migration and export handlers
• (frontend) Add horizontal overflow handling to tables on mobile
• (frontend) Use semantic class instead of targeting Tailwind utility
• (frontend) Use mbs-2 utility class instead of scoped CSS
• (gantt) Always show relation arrows and fix arrow Y positioning
• (gantt) Update relation arrows in real-time during drag and resize
• (gantt) Make relation arrows smaller and dash precedes lines
• (gantt) Spread overlapping relation arrows at shared endpoints
• (gantt) Improve parent task bar styling and visual grouping
• (gantt) Make collapse/expand triangle smaller
• (gantt) Move parent diamonds outward with stroke and remove hover effect
• (gantt) Only set hasDerivedDates when children have actual dates
• (gantt) Clamp collapse chevron x position to prevent negative offset
• (gantt) Remove unreachable hover rule on relation arrows
• (gantt) Render collapse chevron after bars for correct SVG paint order
• (menu) Prevent dropdown from closing when cursor crosses offset gap (#​2367)
• (menu) Show all project menu items in sidebar dropdown
• (migration) Support space-separated date format in TickTick importer
• (nav) Project drag handle position
• (shortcuts) Resolve lint errors in shortcut module
• (shortcuts) Track active sequences explicitly to prevent misfires
• (tasks) Support both expand and expand[] query parameter formats (#​2415)
• (test) Update mobile kanban test to use close button instead of back button
• (views) Assign default position when creating new project views
• Use MinPositionSpacing threshold in calculateNewPositionForTask (#​2320) (3ca4913)
• Remove invalidateAvatarCache call that broke request deduplication (#​2317) (7297682)
• Add /tmp directory to Docker image to fix data export (84d563c)
• Update old kolaente.dev URLs to code.vikunja.io (#​2342) (a160048)
• Validate default settings timezone on startup (#​2345) (40bcf2b)
• Correct package.json indentation after dependency removal (f8763d8)
• Remove duplicate close button on mobile task detail view (8a4f3a9)
• Prevent nil pointer panic in mention notification listeners (18f1687)
• Only drop Vikunja-owned tables in WipeEverything (14e2c95)
• Only dump Vikunja-owned tables (cd7d405)
• Remove debug log statements from task duplicate (6da0f68)
• Close source file handle when duplicating attachments (7aad96b)
• Preserve cover image when duplicating task (9c23e19)
• Allow browser caching for file downloads (#​2349) (54d9775)
• Handle deleted user in saved filter view event listener (7288483)
• Include remote IP address in HTTP request logs (f9cb0a2)
• Use ParadeDB v2 fuzzy prefix matching for search (#​2346) (0a38ec0)
• Prefer working directory for service.rootpath default (d3cbc4f)
• Ensure /tmp is writable by container user in Docker image (f497e8b)
• Remove debounce from color picker to prevent stale color on save (d196af0)
• Send account deletion notification before deleting user row (79a612a)
• Register bulk label route correctly for API token permissions (e19bea8)
• Prevent authenticated UI flash when server rejects JWT session (#​2387) (28cc9e0)
• Preserve CalDAV inverse relations when parent has no RELATED-TO (#​2389) (ada2eba)
• Collapse view buttons into dropdown when overflowing (#​2306) (7b6b432)
• Invalidate all sessions when enabling TOTP (3bc0093)
• Make mage fmt skip gitignored files (e74265d)
• Ensure frontend dist directory exists for lint and fmt commands (c62b7e6)
• Handle S3 backend in user export download (b0ede53)
• Use file mime type instead of hardcoded application/zip in S3 export (4cd63f9)
• Configure Echo IPExtractor to prevent rate limit bypass via spoofed headers (a498dd6)
• Block login for StatusAccountLocked users (4c80932)
• Prevent password reset from re-enabling admin-disabled accounts (d8570c6)
• Reject password reset token requests for disabled users (708ccab)
• Prevent email confirmation from re-enabling admin-disabled accounts (049f4a6)
• Update test expectations for new disabled user fixture (89923eb)
• Reject images exceeding 50M pixels before decode (af61d0f)
• Adapt image preview DoS protection to new FileStorage interface (be0aaa7)
• Verify comment belongs to task in URL to prevent IDOR (bc6d843)
• Require CanUpdate for project background deletion (f066eb3)
• Only enforce task_id check when TaskID is provided (4941961)
• Use require.Error instead of assert.Error for error assertions (b7a1408)
• Reject CalDAV basic auth when TOTP is enabled (cdf5d30)
• Use user10 instead of user1 for TOTP fixture to avoid breaking login tests (659e73a)
• Update TOTP fixtures and tests to avoid conflicts with existing enrollment tests (1ed813c)

Dependencies

• (deps) Update dev-dependencies
• (deps) Upgrade serialize-javascript to 7.0.3
• (deps) Update dependency @​vue/tsconfig to v0.9.0
• (deps) Use forked afero-s3 to fix S3 read performance regression (#​2313)
• (deps) Update dependency flexsearch to v0.8.212
• (deps) Remove obsolete flexsearch 0.7.43 patch
• (deps) Remove @​github/hotkey dependency
• (deps) Update dependency rollup-plugin-visualizer to v6.0.11
• (deps) Update dependency electron to v40.7.0
• (deps) Update immutable to 5.1.5
• (deps) Update svgo to 3.3.3
• (deps) Update tar to 7.5.10 and @​tootallnate/once to 3.0.1 in desktop
• (deps) Update dependency vite-svg-loader to v5.1.1
• (deps) Bump dompurify from 3.3.1 to 3.3.2 in /frontend
• (deps) Update dependency eslint to v9.39.4
• (deps) Update dev-dependencies to v8.57.0
• (deps) Update dependency sass-embedded to v1.98.0
• (deps) Update dev-dependencies (#​2395)
• (deps) Update dependency caniuse-lite to v1.0.30001779
• (deps) Override flatted to 3.4.1 to fix unbounded recursion DoS
• (deps) Update tar override to 7.5.11 to fix symlink path traversal
• (deps) Update dependency vue-tsc to v3.2.6
• (deps) Update dependency electron to v40.8.3
• (deps) Update dev-dependencies to v4.2.2
• (deps) Add daenney/ssrf for webhook SSRF protection
• (deps) Update dependency stylelint to v17.5.0

Documentation

• Update user search endpoint description for external team bypass (b5086fe)
• Update rootpath description to mention working directory default (ddfc565)
• Document database.schema config option for PostgreSQL (8868b21)
• Document IP extraction and trusted proxy config options (015a172)

Features

• (ci) Post preview deployment comment on PRs
• (ci) Enable merge queue trigger
• (config) Add webhooks.allownonroutableips setting
• (events) Add DispatchOnCommit/DispatchPending for deferred event dispatch
• (frontend) Upgrade Tailwind CSS from v3 to v4
• (frontend) Highlight overdue tasks consistently (#​958)
• (gantt) Add expand=subtasks to Gantt API params
• (gantt) Add task tree builder utility for hierarchy
• (gantt) Add dependency arrow data builder
• (gantt) Integrate task tree into Gantt rendering with collapse
• (gantt) Add collapse/expand chevron and indent indicators
• (gantt) Render parent summary bars with diamond endpoints
• (gantt) Create arrow SVG overlay component for relations
• (gantt) Wire relation arrows into GanttChart with toggle
• (handlers) Dispatch pending events after transaction commit
• (release) Update frontend package.json version on release
• (shortcuts) Add event.code-based shortcut module
• (webhooks) Add built-in SSRF protection using daenney/ssrf
• Ensure forms submit on Enter (#​959) (e1d1e7c)
• Use offical vite plugin for sentry (#​873) (0a9586e)
• Mini tiptap improvements (b92735b)
• Surface API validation errors to registration form fields (#​1902) (c6f0d8b)
• Add table registration to db package (d26936f)
• Register Vikunja tables with db package at init (3dd2ba4)
• Add RegisteredTableNames helper to db package (0a8534d)
• Add task duplicate backend model and tests (d8f3a96)
• Register task duplicate API route (77fdf1b)
• Add task duplicate frontend model and service (52bee37)
• Add duplicateTask action to task store (2014d50)
• Add duplicate button to task detail view (6c9407c)
• Bypass discoverability settings for external team members (28b913f)
• Add InitEventsForTesting and Unfake for real event dispatch in tests (1b1e8e5)
• Add mage test:e2e-api target for e2e API tests (24b800d)
• Add conversational email template and rendering (d4b0302)
• Convert notifications to conversational email style (b3572c5)
• Add translation keys for conversational emails (def73e2)
• Add user_id to webhooks and user-directed event infrastructure (d4577c6)
• Extend WebhookListener for user-level webhooks (dbbc80a)
• Add API routes for user-level webhooks (47a0775)
• Add user-level webhooks settings page (2e1648e)
• Replace afero-s3 with minimal S3 afero.Fs implementation (b065c62)
• Add service.ipextractionmethod and service.trustedproxies config options (26324a7)
• Add StatusAccountLocked user status for TOTP lockouts (f42a045)

Miscellaneous Tasks

• (dev) Update devenv
• (i18n) Update translations via Crowdin
• Remove feature request issue template (06ead58)

Other

• (other) [skip ci] Updated swagger docs
• (other) Add e2e API tests to CI pipeline
• (other) Upgrade ParadeDB image to support v2 fuzzy search API

Refactor

• (attachments) Read from task prop instead of global store
• (attachments) Return uploaded attachments instead of writing to store
• (attachments) Use local state instead of global attachment store
• (attachments) Remove global attachment store
• (shortcuts) Update directive to use new shortcut module
• (shortcuts) Update v-shortcut values to event.code format
• (shortcuts) Replace eventToHotkeyString with eventToShortcutString
• (shortcuts) Use event.code for raw keyboard handlers
• Batch label inserts during task duplication (e07eeed)
• Use TaskRelation.Create for copy relation (692357a)
• Move ListUsers tests from pkg/user to pkg/models (54c7c4a)
• Enable golangci-lint on magefile, fix errors (cea8c78)
• Fix contextcheck lint errors on magefile by passing mage context (0a1104b)
• Merge last unique build tag "tools" into go.mod tools section (1b5f3f4)
• Add centralized ResolvePath for rootpath-relative paths (2a7165a)
• Use config.ResolvePath for all rootpath-relative paths (a043940)
• Replace afero with FileStorage interface (0e1f44e)
• Use StatusAccountLocked for TOTP lockouts (7792bf6)
• Rename checkProjectBackgroundWriteRights to checkProjectBackgroundWritePermissions (4b91e5e)

Styling

• Fix alignment in config key declarations (ddd9ef5)

Testing

• (shortcuts) Add unit tests for shortcut parsing logic
• (webhooks) Add SSRF protection tests
• (webhooks) Allow non-routable IPs in E2E tests
• Update event assertions to work with deferred dispatch (f516bbe)
• Add web integration tests for task duplication (4d494ba)
• Add user 11 to external team 14 for discoverability tests (64e455a)
• Add tests for external team user discoverability bypass (3a73016)
• Verify email masking for external team name search (0661789)
• Add e2e API test package with webhook pipeline verification (1f3509b)
• Add fixture task with compound word for prefix search testing (275f714)
• Add web tests for prefix/substring search (#​2346) (892b38b)
• Rewrite MultiFieldSearch tests with SQL output verification (ee2723d)
• Call real MultiFieldSearch function and branch on db engine (e6cbd67)
• Add task #​48 to expected results in feature tests (3568aaa)
• Adjust ParadeDB search tests for fuzzy prefix match broadening (6268c48)
• Fix lint and adjust project search test for ParadeDB fuzzy matching (b69705e)
• Add result count assertions for ParadeDB search tests (c7c63e8)
• Fix non-ParadeDB project search count assertion (df0e3a8)
• Fix ParadeDB project search count to 27 (d36ac9d)
• Add tests for conversational email system (aacf650)
• Add e2e tests for user-level webhooks (05cc65f)
• Add web tests for bulk label task endpoint (675dfb3)
• Add failing test for bulk label API token route registration (554593c)
• Add FileStat assertion to validate storage path in attachment test (17eccd8)
• Add tests for disabled user password reset prevention (241b0e8)
• Add web test for disabled user password reset rejection (2260d76)
• Add failing test for image preview with oversized dimensions (f7592e2)
• Add failing test for task comment IDOR (2da8925)
• Add failing test for project background delete with read-only access (f60f3af)
• Add TOTP fixture data for user1 (27ef92b)
• Add failing test for CalDAV 2FA bypass via basic auth (bda16e7)
• Register totp fixture in test setup (a66bda2)
• Verify CalDAV token auth bypasses TOTP check (1f2aef7)

v2.1.0

Compare Source

Bug Fixes

• (auth) Remove password reset token after use
• (auth) Correctly delete older password reset tokens in cron
• (editor) Use overflow-wrap instead of word-break for text wrapping
• (filter) Recover from datemath panic on malformed date filter values

Dependencies

• (deps) Update dependency stylelint to v17.4.0
• (deps) Update dependency autoprefixer to v10.4.26
• (deps) Update dev-dependencies
• (deps) Override transitive rollup 2.x to use direct dependency version
• (deps) Upgrade transitive basic-ftp from 5.0.5 to 5.2.0
• (deps) Upgrade transitive minimatch from 10.2.1 to 10.2.3+

Features

• (checklist) Show green progress circle when all checkboxes are done
• (multiselect) Add green plus icon and always-visible hint to create option

Miscellaneous Tasks

• (i18n) Update translations via Crowdin
• Add opensourcefinder verification (1eccb0e)

Other

• (other) [skip ci] Updated swagger docs

v2.0.0

Compare Source

Bug Fixes

• (attachments) Use mime.FormatMediaType for Content-Disposition header
• (auth) Use checked type assertions for all JWT claims
• (build) Add osusergo tag to plugin build
• (build) Use absolute path for zip output in release
• (db) Validate table names and quote identifiers in raw SQL
• (gantt) Render done tasks with strikethrough and reduced opacity
• (gantt) Sync task updates from detail view back to gantt chart
• (gantt) Only persist dates that actually exist on partial-date tasks
• (migration) Make migration from Microsoft Todo work for those with previously migrated wunderlist accounts (#​2126)
• (migration) Reject zip entries with path traversal in vikunja-file import
• (migration) Limit zip entry read size to prevent decompression bombs
• (migration) Use checked type assertion for background file id
• (release) Skip upx compression for windows arm64 binaries
• (restore) Reject zip entries with path traversal sequences
• (restore) Sanitize config file path to prevent zip slip
• (restore) Validate database file names in zip archive
• (restore) Validate migration data before wiping database
• (restore) Limit zip entry read size to prevent decompression bombs
• (restore) Pre-validate all table data JSON before wiping database
• (restore) Extract preValidateTableData to reduce cyclomatic complexity
• (task) Require explicit confirmation before saving reminders
• (task) Disable Confirm button when no date is selected in absolute reminder picker
• (tasks) Show drag handle icon on mobile devices (#​2286)
• (test) Update existing reminder tests to click Confirm after date selection
• (tests) Update web test assertions for new task47 fixture
• (tests) Properly assert sort order including task47 in web tests
• Use DelPrefix in upload avatar FlushCache to clear all cached sizes (79d0942)
• Reset group permission checkboxes when creating a new API token (30e53db)
• Wrap API tokens table rows in thead and tbody elements (b66b75f)
• Correct indentation in API tokens table after thead/tbody wrap (17360a8)
• Add missing error checks in filepath.Walk and defer Close locations (8dbff21)
• Replace stray panic with return err (122ba30)
• Prevent duplicated sql condition in filters (#​1546) (8779a28)
• Merge AND-joined sub-table filters into single EXISTS subquery (c034e43)
• Only merge range comparators in sub-table filter grouping (1943d69)
• Don't show export ready message when no export exists (7862651)
• Clamp gantt bar title position when task starts before visible range (df05c51)
• Break long continuous strings in editor to prevent overflow (bc2f7e5)
• Fix API_URL trailing slash and remove CORS env var overrides in test:e2e (51a9f9c)
• Use preview:dev for correct dist dir and kill process groups in test:e2e (d008512)
• Use in-memory SQLite and log temp directory cleanup in test:e2e (fec1c03)
• Correct broken throttle in checkAuth that never triggered (a11cde1)
• Don't overwrite user info with incomplete JWT data on navigation (1d420dd)
• Keep token expiry in sync when skipping setUser from JWT (65806df)
• Reset throttle on logout so checkAuth clears auth state (4cee2cf)
• Detect and store mime type when creating file attachments (519f66a)
• Add Content-Disposition attachment header to task attachment downloads (4915f53)
• Fall back to application/octet-stream when the file has no mime type stored (c6370bb)
• Escape attachment download filename (d222d45)
• Load file content before generating attachment preview (1ccc8dc)
• Treat archived TickTick tasks as done during import (249b651)
• Prevent browser from caching API responses (a13ecbd)
• Show tasks spanning entire gantt date range (56eb5d3)
• Prevent cursor reset when typing in filter input (#​2287) (f7a93e4)
• Wait for router before dismissing loading screen (7c04d44)
• Replace tx.Sync() with explicit ALTER TABLE in webhooks migration (b1534f1)
• Make teams oidc_id rename migration idempotent (4acad97)
• Add comprehensive catchup for bucket and filter format migrations (99ac3e6)
• Cast bucket_configuration to text in postgres catchup query (3d6c527)
• Preserve teams external_id type when renaming on mysql (0c7c07b)
• Decouple webhook dispatch from email/mailer config (6de82db)
• Add transaction begin to db.NewSession() (fd77e04)
• Add missing Commit() to write callers (c9c250f)
• Close leaked database sessions (764d356)
• Eliminate nested database sessions to prevent table locks (49bba7f)
• Handle Begin() error in db.NewSession() instead of ignoring it (1167b08)
• Remove transaction control from File.Delete to prevent premature commit/rollback (312648d)
• Isolate deletion notifications into per-user transactions (eea59c3)
• Add missing Commit() to event listeners and cron jobs (2188c7a)
• Pass pointer to xorm Update to avoid hash panic in transaction mode (cbfd0e6)
• Use session-aware file creation to avoid nested transactions (2a10b22)
• Prevent session leaks and visibility issues in model tests (a7086e5)
• Add TestMain to caldav tests and fix session conflicts (2f71820)
• Use caller's session in LDAP syncUserGroups to avoid nested transactions (b3d8a56)
• Address review comments on session lifecycle (2f680d0)
• Commit transaction in session cleanup cron (107a92f)
• Prevent reflected HTML injection via filter URL parameter (a42b4f3)
• Prevent XSS via innerHTML injection in link edit prompt (111ac9c)
• Detect and fail on oversized zip entries instead of silent truncation (39da47e)

Dependencies

• (deps) Update dev-dependencies
• (deps) Update mcr.microsoft.com/playwright docker tag to v1.58.2
• (deps) Bump axios from 1.13.2 to 1.13.5 in /frontend
• (deps) Update dependency happy-dom to v20.5.1
• (deps) Update dependency electron to v40.4.1
• (deps) Update dependency eslint-plugin-vue to v10.8.0
• (deps) Update dependency caniuse-lite to v1.0.30001770
• (deps) Update dev-dependencies to v8.56.0
• (deps) Pin dependency eslint-plugin-depend to 1.4.0
• (deps) Update dependency @​vue/eslint-config-typescript to v14.7.0
• (deps) Bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 (#​2252)
• (deps) Upgrade node-tar to 7.5.9
• (deps) Upgrade qs to 6.15.0
• (deps) Upgrade markdown-it to 14.1.1
• (deps) Update dependency electron-builder to v26.8.0 (#​2253)
• (deps) Update dev-dependencies (#​2257)
• (deps) Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1
• (deps) Update minimatch to ^10.2.1 via pnpm overrides
• (deps) Update dependency rollup-plugin-visualizer to v6.0.8
• (deps) Update dependency caniuse-lite to v1.0.30001774
• (deps) Update dev-dependencies to v8.56.1
• (deps) Update ajv to 6.14.0
• (deps) Update dependency electron to v40.6.1

Documentation

• Document mage test:e2e in AGENTS.md (8f6f8f9)
• Instruct agents to save test output instead of re-running tests (c8ea673)

Features

• (api) Enforce password validation on reset and update flows
• (attachments) Open file picker directly from sidebar button
• (auth) Allow LDAP authentication with anonymous bind (#​2226)
• (cli) Reorganize repair commands under unified 'vikunja repair' parent (#​2300)
• (comments) Support order_by query parameter in comments API
• (comments) Add sort order toggle for task comments
• (dev) Print commit statistics during tag-release
• (frontend) Make dev server port configurable via VIKUNJA_FRONTEND_PORT env var
• (frontend) Use Password component in password update settings
• (gantt) Add dateType field to GanttBarModel meta
• (gantt) Handle tasks with partial dates in transformation and filtering
• (gantt) Render partial-date bars with gradient fade effect
• (gantt) Update API filter to fetch tasks with due_date or end_date
• (gantt) Add i18n strings for partial-date accessibility
• (gantt) Update drag/resize to handle partial-date task updates
• (gantt) Right-align text for endOnly partial-date bars
• Use credentials when accessing PWA manifest (#​2218) (b196c98)
• Add eslint-plugin-depend to frontend (2fe66c8)
• Add dependency diff and provenance GitHub Action for PRs (8f48b58)
• Add Swedish for language selection (#​2248) (e3695c1)
• Toggle test verbosity based on Mage verbose flag (fc0e0f5)
• Add optional project column to table view (#​2182) (48074d2)
• Add discard and reload confirmation modal (#​2154) (bf8138e)
• Clickable task notifications (#​2258) (8fd256a)
• Add mage test:e2e for isolated end-to-end testing (c5ae797)
• Add repair-file-mime-types CLI command (55c122f)
• Add TaskReminderFiredEvent and TaskOverdueEvent types (e04c1a3)
• Register reminder and overdue events for webhooks (83dc753)
• Dispatch TaskReminderFiredEvent from reminder cron (626e731)
• Dispatch TaskOverdueEvent from overdue cron (54aacd3)
• Add sessions table migration (04e6047)
• Add jwtttlshort config key for session tokens (a6bdeb6)
• Add Session model with CRUD, permissions, and cleanup cron (b3d0b2f)
• Add session-based auth with refresh token rotation (8ee069a)
• Add frontend session management with refresh tokens (be1db01)
• Add RepairOrphanedProjects function (ad307a3)
• Add repair-projects CLI command (71657fc)

Miscellaneous Tasks

• (ci) Update golangci-lint from v2.6.0 to v2.9.0
• (dev) Add sample config to gitignore
• (i18n) Update translations via Crowdin
• (lint) Ignore revive var-naming for stdlib-conflicting package names
• (renovate) Group playwright npm package and docker image together
• Downgrade depend/ban-dependencies to warning (e6ae87d)
• Fix lint issue from gantt partial dates feature (2bf99cf)

Other

• (other) [skip ci] Updated swagger docs

Refactor

• (gantt) Extract GanttBarDateType as reusable type
• (utils) Extract ContainsPathTraversal to shared utils package
• Remove environment variable requirements for go test (591a646)
• Remove root path in favor of Magefile default directory (e19a614)
• Return errors to Mage instead of os.Exit and stream to stdout/stderr (d8983b7)
• Switch to native filepath.Walk for gofmt file discovery (c773e2e)
• Use Go idioms for running tests (b2715bb)
• Remove redundant Begin() calls after NewSession auto-begins (a6e6f25)
• Remove typesense support (a5b1a90)

Styling

• Run gofmt -s to update octal literals (65ef54f)
• Fix doc comments to match godoc style (cba5f6b)
• Fix alignment in test case (302b58d)

Testing

• (api) Add tests for password validation in reset and update flows
• (comments) Add e2e tests for comment sort order
• (e2e) Add Playwright test for avatar cache invalidation
• (task) Add e2e tests for reminder confirm-before-save behavior
• Add failing test for upload avatar FlushCache (c93fa1b)
• Add task #​47 with reminders outside window for bug #​2245 (6733ac4)
• Add failing test for sub-table filter multi-row matching bug #​2245 (cd72231)
• Update expected task index after adding task #​47 fixture (d1901f4)
• Add OR-joined reminder filter regression test (a93f6bf)
• Add unit tests for getDisplayName (1dc625f)
• Add session lifecycle tests (2ef693a)
• Add e2e tests for session refresh and retry interceptor (cb091f9)
• Add regression test for atomic parent project deletion (23176bb)
• Add orphaned project fixture for repair-projects command (9e050fe)
• Add failing tests for RepairOrphanedProjects (963235c)

v1.1.0

Compare Source

Bug Fixes

• (auth) Remove unnecessary fields from JWT token payloads
• (backgrounds) Enforce max file size for unsplash downloads
• (backgrounds) Avoid integer overflow in max size calculation
• (backgrounds) Stream unsplash download to temp file instead of memory
• (build) Add osusergo tag to prevent SIGFPE crash under systemd
• (build) Normalize comma-separated TAGS to prevent build failure
• (ci) Move gpg setup to right before sign step
• (dump) Stream files during restore to avoid memory pressure
• (dump) Limit copy size to prevent decompression bombs
• (files) Require io.ReadSeeker for S3 uploads, remove temp file fallback
• (files) Update all callers to provide seekable readers for S3 uploads
• (files) Seek to start before writing for consistent behavior
• (log) Write each log category to its own file (#​2206)
• (nav) Show shared sub-projects in sidebar when the parent is inaccessible (#​2176)
• (task) Use DOMParser in task glance tooltip description preview
• Add touch CSS properties to list view for mobile drag-and-drop (b741c2d)
• Restrict numeric date regex matching to text boundaries (#​2195) (a82efa0)
• Allow middle-of-text dates when followed by time expressions (#​2195) (3f0bf71)
• Iterate past rejected middle matches in matchDateAtBoundary() (77b8403)
• Redirect immediately after login to prevent form flash in app shell (8bccf21)
• Redirect immediately after registration to prevent form flash in app shell (dcff454)
• Avoid clearing saved redirect in onBeforeMount to prevent race with submit (0e2ea5c)
• Prevent auth layout swap while still on login/register route (5d9f62c)
• Guard against undefined route.name in auth layout check (cdca790)
• Format attachment upload error messages as readable strings (7256a14)
• Handle attachment upload errors with user-visible notifications (eb369cf)

Dependencies

• (deps) Update @​isaacs/brace-expansion to 5.0.1
• (deps) Update node-tar
• (deps) Update lodash to 4.17.23

Documentation

• (agents) Include go tips [skip ci]
• Add caveat about running go tests to agent instructions [skip ci] (ac3fd3e)

Features

• (doctor) Add detailed file diagnostics for local storage (#​2179)
• (doctor) Add user namespace detection and improved storage diagnostics (#​2180)
• Add option to send Basic Auth header with webhook requests (#​2137) (cf029ce)
• Add matchDateAtBoundary() helper for position-aware date matching (#​2195) (1013305)
• Add UNSIGNED-PAYLOAD config option for S3-compatible stores (#​2205) (b6974ff)

Miscellaneous Tasks

• (ci) Add debugging around release signing
• (i18n) Update translations via Crowdin

Other

• (other) [skip ci] Updated swagger docs

Refactor

• (db) Extract testable ResolveDatabasePath function (#​2193)
• (files) Remove redundant seek operations in writeToStorage
• Remove unnecessary flags parameter from matchDateAtBoundary() (61448bb)
• Remove unnecessary comment from getDateFromText() (cee258e)
• Extract auth route names into shared constant (e9a6abf)

Testing

• (files) Update tests for io.ReadSeeker API
• Add failing tests for middle-of-text date false positives (#​2195) (e9b10e6)
• Add dot-separated middle-of-text date false positive test (#​2195) (829b10b)
• Add positive boundary tests for date parsing (#​2195) (c544886)
• Add E2E test for login form flash regression (b3e95e9)

v1.0.0

Compare Source

Bug Fixes

• (editor) Prevent crash when exiting edit mode in tiptap
• (files) Make sure base directory exists when using local file system (#​2166)
• (routes) Restore SPA routing after Echo v5 upgrade
• Use dark shadows for email template in dark mode (#​2155) (28593e6)

Dependencies

• (deps) Update dependency sass-embedded to v1.97.3 (#​2150)
• (deps) Update module github.com/redis/go-redis/v9 to v9.17.3 (#​2153)
• (deps) Update dev-dependencies (major) (#​1375)
• (deps) Update tiptap to v3.17.0

Features

• Add required checkbox to confirm issue search before submission (d61caab)
• Add vikunja doctor command for diagnostic checks (#​2165) (3aa1e90)

Miscellaneous Tasks

• Use correct repo and issue url (72a928d)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.