As discussed on Matrix, Vikunja currently prevents users from using LDAP
authentication if the server allows anonymous binds (common in local
environments like YunoHost). The application would previously trigger a
`log.Fatal` if `AuthLdapBindDN` or `AuthLdapBindPassword` were left
empty in the configuration.
#### **How this fixes the problem:**
* **Validation:** Removed the strict requirement for Bind credentials in
`InitializeLDAPConnection`.
* **Connection Logic:** Updated `ConnectAndBindToLDAPDirectory` to
attempt an `UnauthenticatedBind` from the `go-ldap` library when no
credentials are provided.
* **Safety:** If a Bind DN is provided, the behavior remains unchanged
(authenticated bind).
#### **Testing:**
* Tested manually on a **YunoHost** instance by replacing the binary.
* Confirmed that Vikunja now successfully starts and authenticates users
via the local LDAP (localhost) without requiring a service account.
* Added a basic unit test in `pkg/modules/auth/ldap/ldap_test.go` to
ensure the initialization logic doesn't crash with empty credentials.
*Note: This is my first contribution to a Go project (assisted by an LLM
for syntax). Feedback on code style is more than welcome!*
Bumps [github.com/labstack/echo/v5](https://github.com/labstack/echo)
from 5.0.0 to 5.0.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/labstack/echo/releases">github.com/labstack/echo/v5's
releases</a>.</em></p>
<blockquote>
<h2>v5.0.3 security (static middleware directory traversal under
Windows)</h2>
<p>Fix directory traversal vulnerability under Windows in Static
middleware when default Echo filesystem is used. Reported by <a
href="https://github.com/shblue21"><code>@shblue21</code></a> (<a
href="https://redirect.github.com/labstack/echo/pull/2891">labstack/echo#2891</a>).</p>
<p>This applies to cases when:</p>
<ul>
<li>Windows is used as OS</li>
<li><code>middleware.StaticConfig.Filesystem</code> is <code>nil</code>
(default)</li>
<li><code>echo.Filesystem</code> is has not been set explicitly
(default)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/labstack/echo/compare/v5.0.2...v5.0.3">https://github.com/labstack/echo/compare/v5.0.2...v5.0.3</a></p>
<h2>v5.0.2 security (static middleware folder browsing)</h2>
<p><strong>Security</strong></p>
<ul>
<li>Fix Static middleware when folder browsing is enabled
(<code>config.Browse=true</code> , defaults to <code>false</code>) lists
all files/subfolders from <code>config.Filesystem</code> root folder and
not starting from <code>config.Root</code> and requested folder in <a
href="https://redirect.github.com/labstack/echo/pull/2887">labstack/echo#2887</a>
. Reported by <a
href="https://github.com/shblue21"><code>@shblue21</code></a> in <a
href="https://redirect.github.com/labstack/echo/issues/2886">labstack/echo#2886</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/labstack/echo/compare/v5.0.1...v5.0.2">https://github.com/labstack/echo/compare/v5.0.1...v5.0.2</a></p>
<h2>v5.0.1 small fixes</h2>
<h2>What's Changed</h2>
<ul>
<li>Panic MW: will now return a custom PanicStackError with stack trace
by <a href="https://github.com/aldas"><code>@aldas</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2871">labstack/echo#2871</a></li>
<li>Docs: add missing err parameter to DenyHandler example by <a
href="https://github.com/cgalibern"><code>@cgalibern</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2878">labstack/echo#2878</a></li>
<li>Context: improve websocket checks in IsWebSocket() [per RFC 6455] by
<a
href="https://github.com/raju-mechatronics"><code>@raju-mechatronics</code></a>
in <a
href="https://redirect.github.com/labstack/echo/pull/2875">labstack/echo#2875</a></li>
<li>Fix: Context.Json() should not send status code before serialization
is complete by <a
href="https://github.com/aldas"><code>@aldas</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2877">labstack/echo#2877</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/cgalibern"><code>@cgalibern</code></a>
made their first contribution in <a
href="https://redirect.github.com/labstack/echo/pull/2878">labstack/echo#2878</a></li>
<li><a
href="https://github.com/raju-mechatronics"><code>@raju-mechatronics</code></a>
made their first contribution in <a
href="https://redirect.github.com/labstack/echo/pull/2875">labstack/echo#2875</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/labstack/echo/compare/v5.0.0...v5.0.1">https://github.com/labstack/echo/compare/v5.0.0...v5.0.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/labstack/echo/blob/master/CHANGELOG.md">github.com/labstack/echo/v5's
changelog</a>.</em></p>
<blockquote>
<h2>v5.0.3 - 2026-02-06</h2>
<p><strong>Security</strong></p>
<ul>
<li>Fix directory traversal vulnerability under Windows in Static
middleware when default Echo filesystem is used. Reported by <a
href="https://github.com/shblue21"><code>@shblue21</code></a>.</li>
</ul>
<p>This applies to cases when:</p>
<ul>
<li>Windows is used as OS</li>
<li><code>middleware.StaticConfig.Filesystem</code> is <code>nil</code>
(default)</li>
<li><code>echo.Filesystem</code> is has not been set explicitly
(default)</li>
</ul>
<p>Exposure is restricted to the active process working directory and
its subfolders.</p>
<h2>v5.0.2 - 2026-02-02</h2>
<p><strong>Security</strong></p>
<ul>
<li>Fix Static middleware with <code>config.Browse=true</code> lists all
files/subfolders from <code>config.Filesystem</code> root and not
starting from <code>config.Root</code> in <a
href="https://redirect.github.com/labstack/echo/pull/2887">labstack/echo#2887</a></li>
</ul>
<h2>v5.0.1 - 2026-01-28</h2>
<ul>
<li>Panic MW: will now return a custom PanicStackError with stack trace
by <a href="https://github.com/aldas"><code>@aldas</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2871">labstack/echo#2871</a></li>
<li>Docs: add missing err parameter to DenyHandler example by <a
href="https://github.com/cgalibern"><code>@cgalibern</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2878">labstack/echo#2878</a></li>
<li>improve: improve websocket checks in IsWebSocket() [per RFC 6455] by
<a
href="https://github.com/raju-mechatronics"><code>@raju-mechatronics</code></a>
in <a
href="https://redirect.github.com/labstack/echo/pull/2875">labstack/echo#2875</a></li>
<li>fix: Context.Json() should not send status code before serialization
is complete by <a
href="https://github.com/aldas"><code>@aldas</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2877">labstack/echo#2877</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b1d443086e"><code>b1d4430</code></a>
Merge pull request <a
href="https://redirect.github.com/labstack/echo/issues/2891">#2891</a>
from aldas/fix_staticmw</li>
<li><a
href="48f25a6c16"><code>48f25a6</code></a>
Fix test reporting different size due Windows / Linux line ending
inconsisten...</li>
<li><a
href="6c162596b4"><code>6c16259</code></a>
Fix directory traversal vulnerability under Windows in Static middleware
when...</li>
<li><a
href="88d975a83d"><code>88d975a</code></a>
Fix directory traversal vulnerability under Windows in Static middleware
when...</li>
<li><a
href="09ccfbaace"><code>09ccfba</code></a>
Fill c.Request().Pattern field with route path to help standard library
based...</li>
<li><a
href="68aaf3a429"><code>68aaf3a</code></a>
Changelog for version 5.0.2</li>
<li><a
href="26ec148ea7"><code>26ec148</code></a>
security (static middleware): fix bowser=true listing all file names
from giv...</li>
<li><a
href="ba104908b9"><code>ba10490</code></a>
Merge pull request <a
href="https://redirect.github.com/labstack/echo/issues/2880">#2880</a>
from aldas/changelog_501</li>
<li><a
href="0954d6e36e"><code>0954d6e</code></a>
Changelog for v5.0.1 release</li>
<li><a
href="8e4c91f736"><code>8e4c91f</code></a>
Create SECURITY.md</li>
<li>Additional commits viewable in <a
href="https://github.com/labstack/echo/compare/v5.0.0...v5.0.3">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/go-vikunja/vikunja/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Uploads two different avatars in sequence and verifies the header
avatar src changes after the second upload. This confirms both the
backend cache (via DelPrefix) and the frontend cache are properly
invalidated when a new avatar is uploaded.
FlushCache was using keyvalue.Del with the base key
(avatar_upload_{userID}) but the actual cache entries are stored with
size suffixes (avatar_upload_{userID}_{size}). The Del call targeted a
key that never existed, so cached avatars were never invalidated.
Switch to keyvalue.DelPrefix to delete all size variants at once,
matching the pattern the gravatar provider already uses correctly.
The test populates the cache with multiple size-suffixed keys
and verifies that FlushCache removes all of them. Currently fails
because FlushCache uses Del with the base key which doesn't match
the actual size-suffixed cache keys.
The gantt chart rebuild lost the visual distinction for completed tasks.
Restore strikethrough on task labels and add reduced opacity on bars
for done tasks.
Regression introduced in the gantt chart rebuild in 5fc255cb3.
Resolves#2211
Siging seems to fail now, with no changes to the pipeline. This change
moves the setup to right before the signing, in case the build step
mangles with the gpg setup
Remove email, name, emailRemindersEnabled, and isLocalUser from user JWT
claims, and isLocalUser from link share JWT claims. These fields are never
used from the token - the backend always fetches the full user from the
database by ID, and the frontend fetches user data from the /user API
endpoint immediately after login.
Also simplify GetUserFromClaims to only extract id and username, and
remove the now-unnecessary email override in the frontend's
refreshUserInfo.
