Vikunja

Recent Commits

• renovate[bot] (16 Jun 26)

  chore(deps): update dev-dependencies

• kolaente (16 Jun 26)

  fix(deps): bump js-yaml to >=4.2.0 where possible Desktop only has the v4 copy, so a plain override pins it to >=4.2.0 (resolves alert #245). The frontend also pulls js-yaml v3 via gray-matter (histoire story tooling), which has no v4-compatible release, so a scoped 'js-yaml@4' override bumps only the v4 copies (eslint/cosmiconfig) and leaves gray-matter on 3.14.2. Alert #256 stays open for that dev-only, trusted-input path.

• kolaente (16 Jun 26)

  fix(deps): force @babel/core >=7.29.6 Resolves the @babel/core <=7.29.0 advisory. Transitive; pinned via pnpm override. Dependabot alert #255 (frontend).

• kolaente (16 Jun 26)

  fix(deps): force launch-editor >=2.14.1 Resolves the launch-editor <=2.14.0 advisory. Transitive (via vite-plugin-vue-devtools); pinned via pnpm override. Dependabot alert #257 (frontend).

• kolaente (16 Jun 26)

  fix(deps): force markdown-it >=14.2.0 to fix ReDoS advisory Resolves the markdown-it <=14.1.1 advisory. Transitive; pinned via pnpm override. Dependabot alert #266 (frontend).

• kolaente (16 Jun 26)

  fix(deps): tighten tar override to >=7.5.16 The ^7.5.11 override resolved to the vulnerable 7.5.15. Pin to >=7.5.16. Resolves Dependabot alert #246 (desktop).

• kolaente (16 Jun 26)

  fix(deps): force form-data >=4.0.6 to fix unsafe boundary advisory Resolves the form-data <4.0.6 advisory (predictable multipart boundary). Transitive in both workspaces; pinned via pnpm overrides. Dependabot alerts #247 (desktop) and #258 (frontend).

• kolaente (16 Jun 26)

  fix(deps): bump dompurify to 3.4.9 to fix XSS advisories dompurify 3.4.0 was affected by several stacked advisories (mXSS / sanitizer bypasses). 3.4.9 is past all vulnerable ranges. Resolves Dependabot alerts #248-#254 (package.json) and #259-#265 (lockfile).

• kolaente (16 Jun 26)

  fix(deps): force esbuild >=0.28.1 to fix transitive advisories The frontend pins esbuild 0.28.1 directly, but vite/histoire and @intlify/bundle-utils pulled in transitive copies (0.27.7 and 0.25.12) still affected by GHSA-gv7w-rqvm-qjhr (RCE via missing binary integrity verification) and GHSA-g7r4-m6w7-qqqr (dev-server file read on Windows). A pnpm override forces all copies to the patched 0.28.1. Dependabot alerts #239 and #241.

• kolaente (16 Jun 26)

  fix(deps): bump tmp to >=0.2.7 to fix path traversal advisory Resolves GHSA-7c78-jf6q-g5cm (type-confusion bypass of _assertPath allowing path traversal). tmp was pinned to >=0.2.6 via pnpm overrides in both the frontend and desktop workspaces, which resolved to the vulnerable 0.2.6. Dependabot alerts #243 (desktop) and #244 (frontend).

• Frederick [Bot] (16 Jun 26)

  chore(i18n): update translations via Crowdin

• dependabot[bot] (12 Jun 26)

  chore(deps-dev): bump esbuild from 0.28.0 to 0.28.1 in /frontend Bumps [esbuild](https://github.com/evanw/esbuild) from 0.28.0 to 0.28.1. - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](https://github.com/evanw/esbuild/compare/v0.28.0...v0.28.1) --- updated-dependencies: - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <[email protected]>

• kolaente (12 Jun 26)

  test(api/v2): cover the v2 file and CSV migrator endpoints Webtests for the file migrators (status, migrate, auth, missing-file) and the CSV importer (status, detect, preview, migrate happy path, missing/malformed config, empty file, auth). Each rejected upload is asserted to map to a 4xx domain error rather than a 500.

• kolaente (12 Jun 26)

  feat(api/v2): add the generic CSV importer on /api/v2 Port the CSV importer's status/detect/preview/migrate endpoints to the Huma API. detect/preview/migrate take a multipart upload; preview and migrate also carry the import config as a JSON form value (modeled as a typed multipart form field), unmarshaled in one shared place and reused via csv.RunMigration.

• kolaente (12 Jun 26)

  feat(api/v2): add file migrators (vikunja-file, ticktick, wekan) on /api/v2 Port the file-based migrators' status + migrate endpoints to the Huma API. A single registerFileMigrator helper wires all three (mirroring the OAuth migrator registrar); the migrate endpoint takes a multipart upload under the "import" field and reuses handler.RunFileMigration. POST migrate returns 200 since it runs an import rather than creating a REST resource.

• kolaente (12 Jun 26)

  refactor(migration): extract file/CSV migrate orchestration into shared funcs Pull the StartMigration -> Migrate -> FinishMigration orchestration out of the v1 echo handlers into handler.RunFileMigration and csv.RunMigration so the v2 API can reuse the exact same business logic. v1 is refactored onto them and stays byte-identical on the wire. Also tag the CSV detect/preview/config DTOs with doc:/enum: so they carry descriptions in the v2 OpenAPI schema (ignored by v1 swaggo/xorm).

• kolaente (12 Jun 26)

  feat(api/v2): add project background upload on /api/v2 Port PUT /projects/{project}/backgrounds/upload to the Huma-backed v2 API. The multipart handler reuses handler.ValidateAndSaveBackgroundUpload (shared with v1), checks project write access explicitly, and is gated on the upload provider config flag. Adds webtests covering the happy path, auth/permission failures, non-image rejection, the disabled-provider case and the multipart spec shape.

• kolaente (12 Jun 26)

  refactor(background): share upload validation between v1 and v2 handlers Extract the MIME validation, file storage and project reload from the v1 UploadBackground handler into ValidateAndSaveBackgroundUpload so the upcoming v2 handler can reuse it instead of duplicating the logic. The v1 handler keeps its exact wire behaviour; the inline "not an image" check now returns a typed ErrFileIsNoImage that the handler maps to the same message.

• kolaente (12 Jun 26)

  chore(lint): suppress contextcheck on OIDC provider init call sites Adding a context parameter to the shared package put its call chains in contextcheck's scope; the flagged background context in the provider setup is deliberate since provider lifetime exceeds any request.

• kolaente (12 Jun 26)

  feat(audit): emit the login event for the OAuth code exchange The new v2 OAuth token endpoint mints a fresh session without going through NewUserAuthTokenResponse, so those logins were missing from the audit trail. The refresh grant stays unaudited like the v1 refresh.

• kolaente (12 Jun 26)

  fix(events): handle nil auth when building event doers ProjectUser.Create and friends are called with a nil auth in tests; the old interface-typed Doer just serialized as null, so a nil doer keeps that behavior (and maps to the system actor in the audit entry).

• kolaente (12 Jun 26)

  fix(events): build event doers without re-fetching the user GetUserOrLinkShareUser re-fetches the account and fails its status check, which broke deleting a disabled user's projects (the deletion runs with the disabled account as doer). Convert the authenticated principal directly instead — it also matches what the events serialized before the doer became concrete, and drops a query per event.

• kolaente (11 Jun 26)

  refactor(events): use a concrete doer on project and team events ProjectUpdated/Deleted, ProjectSharedWith* and TeamCreated/Deleted carried an interface-typed Doer that could not be unmarshaled, forcing the audit registrations to decode anonymous mirror structs. Hydrate the doer via GetUserOrLinkShareUser at the dispatch sites like the task events already do, register the events directly and drop the untyped audit registration path. Webhook payloads for these events now serialize link share doers as their pseudo-user (negative id) instead of the raw link share object, consistent with task events.

• kolaente (11 Jun 26)

  feat(audit): attribute failed logins to the originating request Thread the request context through CheckUserCredentials so the LoginFailedEvent carries IP, user agent and request id — without it, failed logins were the one auth event useless for brute-force tracing. All four callers have the request at hand.

• kolaente (11 Jun 26)

  fix(audit): only attribute the logout event to user tokens Link share JWTs carry no sid claim so they returned before the event fired, but the id claim was read without checking the token type. Make the guard explicit so a link share id can never appear as a user id.

• kolaente (11 Jun 26)

  fix(audit): handle reopen failure after a failed rotation If both the rename and the reopen fail, logFile stayed nil while initialized was still true, panicking on the next write. Propagate the reopen error and retry the open on the next write so it self-heals.

• kolaente (11 Jun 26)

  fix(routes): generate request IDs at the start of the middleware chain Echo's RequestID middleware reuses the X-Request-Id header from a proxy or generates one, so logging and audit all see the same ID. RequestMeta previously read the request header before any later middleware could have set one, leaving the audit request_id mostly empty.

• kolaente (11 Jun 26)

  refactor(audit): move package docs into entry.go

• kolaente (10 Jun 26)

  fix: dispatch pending events after user creation commits The register handler, local/LDAP login and the OIDC callback all queue the user.created event via DispatchOnCommit but never called DispatchPending, so the event was silently dropped and its queue entry leaked. Flush after commit and discard on rollback.

• kolaente (10 Jun 26)

  refactor(events): pass context to DispatchPending directly Every DispatchPending caller either has the request context in scope or is genuinely request-less, so passing it as a parameter replaces the stored-context mechanism on the pending queue and satisfies contextcheck. Also fixes lint findings in the audit package.