The upstream afero-s3 library has a severe performance regression where
every Read() call opens a new HTTP connection to S3, resulting in
hundreds of requests for sequential reads (e.g. ~320 requests for a 10MB
file with 32KB buffers instead of 1).
This temporarily replaces afero-s3 with a fork that fixes the issue by
requesting from the current offset to end-of-file when opening a read
stream, and properly closing the stream on Seek().
Upstream PR: https://github.com/fclairamb/afero-s3/pull/938 This replace
directive should be removed once the upstream PR is merged and a new
version is released.
Typesense was an optional external search backend. This commit fully
removes the integration, leaving the database searcher as the only
search implementation.
Changes:
- Delete pkg/models/typesense.go (core integration)
- Delete pkg/cmd/index.go (CLI command for indexing)
- Simplify task search to always use database searcher
- Remove Typesense event listeners for task sync
- Remove TypesenseSync model registration
- Remove Typesense config keys and defaults
- Remove Typesense doctor health check
- Remove Typesense initialization from startup
- Clean up benchmark test
- Add migration to drop typesense_sync table
- Remove golangci-lint suppression for typesense.go
- Remove typesense-go dependency
Add a CLI command that finds all files in the database with no MIME type
set, detects it from the stored file content, and updates the database.
This is useful for backfilling MIME types on files created before MIME
detection was added on upload.
Bumps [github.com/labstack/echo/v5](https://github.com/labstack/echo)
from 5.0.0 to 5.0.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/labstack/echo/releases">github.com/labstack/echo/v5's
releases</a>.</em></p>
<blockquote>
<h2>v5.0.3 security (static middleware directory traversal under
Windows)</h2>
<p>Fix directory traversal vulnerability under Windows in Static
middleware when default Echo filesystem is used. Reported by <a
href="https://github.com/shblue21"><code>@shblue21</code></a> (<a
href="https://redirect.github.com/labstack/echo/pull/2891">labstack/echo#2891</a>).</p>
<p>This applies to cases when:</p>
<ul>
<li>Windows is used as OS</li>
<li><code>middleware.StaticConfig.Filesystem</code> is <code>nil</code>
(default)</li>
<li><code>echo.Filesystem</code> is has not been set explicitly
(default)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/labstack/echo/compare/v5.0.2...v5.0.3">https://github.com/labstack/echo/compare/v5.0.2...v5.0.3</a></p>
<h2>v5.0.2 security (static middleware folder browsing)</h2>
<p><strong>Security</strong></p>
<ul>
<li>Fix Static middleware when folder browsing is enabled
(<code>config.Browse=true</code> , defaults to <code>false</code>) lists
all files/subfolders from <code>config.Filesystem</code> root folder and
not starting from <code>config.Root</code> and requested folder in <a
href="https://redirect.github.com/labstack/echo/pull/2887">labstack/echo#2887</a>
. Reported by <a
href="https://github.com/shblue21"><code>@shblue21</code></a> in <a
href="https://redirect.github.com/labstack/echo/issues/2886">labstack/echo#2886</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/labstack/echo/compare/v5.0.1...v5.0.2">https://github.com/labstack/echo/compare/v5.0.1...v5.0.2</a></p>
<h2>v5.0.1 small fixes</h2>
<h2>What's Changed</h2>
<ul>
<li>Panic MW: will now return a custom PanicStackError with stack trace
by <a href="https://github.com/aldas"><code>@aldas</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2871">labstack/echo#2871</a></li>
<li>Docs: add missing err parameter to DenyHandler example by <a
href="https://github.com/cgalibern"><code>@cgalibern</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2878">labstack/echo#2878</a></li>
<li>Context: improve websocket checks in IsWebSocket() [per RFC 6455] by
<a
href="https://github.com/raju-mechatronics"><code>@raju-mechatronics</code></a>
in <a
href="https://redirect.github.com/labstack/echo/pull/2875">labstack/echo#2875</a></li>
<li>Fix: Context.Json() should not send status code before serialization
is complete by <a
href="https://github.com/aldas"><code>@aldas</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2877">labstack/echo#2877</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/cgalibern"><code>@cgalibern</code></a>
made their first contribution in <a
href="https://redirect.github.com/labstack/echo/pull/2878">labstack/echo#2878</a></li>
<li><a
href="https://github.com/raju-mechatronics"><code>@raju-mechatronics</code></a>
made their first contribution in <a
href="https://redirect.github.com/labstack/echo/pull/2875">labstack/echo#2875</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/labstack/echo/compare/v5.0.0...v5.0.1">https://github.com/labstack/echo/compare/v5.0.0...v5.0.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/labstack/echo/blob/master/CHANGELOG.md">github.com/labstack/echo/v5's
changelog</a>.</em></p>
<blockquote>
<h2>v5.0.3 - 2026-02-06</h2>
<p><strong>Security</strong></p>
<ul>
<li>Fix directory traversal vulnerability under Windows in Static
middleware when default Echo filesystem is used. Reported by <a
href="https://github.com/shblue21"><code>@shblue21</code></a>.</li>
</ul>
<p>This applies to cases when:</p>
<ul>
<li>Windows is used as OS</li>
<li><code>middleware.StaticConfig.Filesystem</code> is <code>nil</code>
(default)</li>
<li><code>echo.Filesystem</code> is has not been set explicitly
(default)</li>
</ul>
<p>Exposure is restricted to the active process working directory and
its subfolders.</p>
<h2>v5.0.2 - 2026-02-02</h2>
<p><strong>Security</strong></p>
<ul>
<li>Fix Static middleware with <code>config.Browse=true</code> lists all
files/subfolders from <code>config.Filesystem</code> root and not
starting from <code>config.Root</code> in <a
href="https://redirect.github.com/labstack/echo/pull/2887">labstack/echo#2887</a></li>
</ul>
<h2>v5.0.1 - 2026-01-28</h2>
<ul>
<li>Panic MW: will now return a custom PanicStackError with stack trace
by <a href="https://github.com/aldas"><code>@aldas</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2871">labstack/echo#2871</a></li>
<li>Docs: add missing err parameter to DenyHandler example by <a
href="https://github.com/cgalibern"><code>@cgalibern</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2878">labstack/echo#2878</a></li>
<li>improve: improve websocket checks in IsWebSocket() [per RFC 6455] by
<a
href="https://github.com/raju-mechatronics"><code>@raju-mechatronics</code></a>
in <a
href="https://redirect.github.com/labstack/echo/pull/2875">labstack/echo#2875</a></li>
<li>fix: Context.Json() should not send status code before serialization
is complete by <a
href="https://github.com/aldas"><code>@aldas</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2877">labstack/echo#2877</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b1d443086e"><code>b1d4430</code></a>
Merge pull request <a
href="https://redirect.github.com/labstack/echo/issues/2891">#2891</a>
from aldas/fix_staticmw</li>
<li><a
href="48f25a6c16"><code>48f25a6</code></a>
Fix test reporting different size due Windows / Linux line ending
inconsisten...</li>
<li><a
href="6c162596b4"><code>6c16259</code></a>
Fix directory traversal vulnerability under Windows in Static middleware
when...</li>
<li><a
href="88d975a83d"><code>88d975a</code></a>
Fix directory traversal vulnerability under Windows in Static middleware
when...</li>
<li><a
href="09ccfbaace"><code>09ccfba</code></a>
Fill c.Request().Pattern field with route path to help standard library
based...</li>
<li><a
href="68aaf3a429"><code>68aaf3a</code></a>
Changelog for version 5.0.2</li>
<li><a
href="26ec148ea7"><code>26ec148</code></a>
security (static middleware): fix bowser=true listing all file names
from giv...</li>
<li><a
href="ba104908b9"><code>ba10490</code></a>
Merge pull request <a
href="https://redirect.github.com/labstack/echo/issues/2880">#2880</a>
from aldas/changelog_501</li>
<li><a
href="0954d6e36e"><code>0954d6e</code></a>
Changelog for v5.0.1 release</li>
<li><a
href="8e4c91f736"><code>8e4c91f</code></a>
Create SECURITY.md</li>
<li>Additional commits viewable in <a
href="https://github.com/labstack/echo/compare/v5.0.0...v5.0.3">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/go-vikunja/vikunja/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Resolves https://github.com/go-vikunja/vikunja/issues/1745
- [x] Understand the issue from GitHub issue #1745
- [x] Analyze the codebase to locate the bug in
`duplicateProjectBackground` function
- [x] Fix the bug: return nil explicitly at the end of
duplicateProjectBackground
- [x] Add test for duplicating a project with an uploaded background (as
subtest)
- [x] Run tests and verify the fix
- [x] Run code review and address any feedback
- [x] Run CodeQL security scan
## Summary of Changes
### Problem
When duplicating a project with an uploaded (non-Unsplash) background
image, users encounter an internal server error (HTTP 500). The backend
logs show: `file was not downloaded from unsplash [FileID: X]`
### Root Cause
The `duplicateProjectBackground` function in
`pkg/models/project_duplicate.go` uses named returns. When
`GetUnsplashPhotoByFileID` returns `ErrFileIsNotUnsplashFile` for an
uploaded background, the error was intentionally ignored (to proceed
with copying the file) but not cleared from the named return variable.
This caused the error to be returned at the end of the function via the
bare `return` statement, triggering a 500 response.
### Solution
Changed the bare `return` at the end of `duplicateProjectBackground` to
`return nil` explicitly.
### Changes
1. **`pkg/models/project_duplicate.go`**: Changed bare `return` to
`return nil` at the end of `duplicateProjectBackground`
2. **`pkg/models/project_duplicate_test.go`**: Added subtest "duplicate
project with uploaded background" to `TestProjectDuplicate`
### Testing
- All existing tests pass
- Added subtest to `TestProjectDuplicate` for uploaded background
scenario (project 35 with non-Unsplash background)
### Security Summary
- No security vulnerabilities found by CodeQL
- Code review passed
<!-- START COPILOT CODING AGENT SUFFIX -->
<details>
<summary>Original prompt</summary>
> # Duplicate project with uploaded background - Implementation Plan
>
> ## Overview
> Users encounter an internal server error when duplicating a project
that uses an uploaded background image (non-Unsplash). The b
> ackend attempt to copy the background leaves a non-Unsplash error
(`ErrFileIsNotUnsplashFile`) in a named return value, causing
> the duplication API call to fail even though the error should be
ignored. We need to adjust the duplication flow to allow upload
> ed backgrounds and add regression tests.
>
> ## Current State Analysis
> - Project duplication calls `duplicateProjectBackground` to copy the
background file. The helper tries to copy a downloaded Unsp
> lash image and returns `ErrFileIsNotUnsplashFile` for uploaded files.
> - In the duplication code, the error variable is not cleared after
intentionally ignoring this specific error, so the function s
> till returns the error and triggers a 500 response.
> - There are no automated regression tests covering project duplication
with uploaded backgrounds.
>
> ### Key Discoveries
> - The duplication logic treats Unsplash and uploaded backgrounds
differently and only clears the Unsplash download error, leavin
> g the non-Unsplash error set.
> - The API currently works for Unsplash backgrounds but fails for
uploaded backgrounds due to the lingering error value.
>
> ## Desired End State
> - Duplicating a project succeeds for both Unsplash and uploaded
backgrounds.
> - Uploaded background files (and their metadata) are copied correctly
to the new project when possible, or gracefully skipped wi
> thout failing duplication.
> - Regression tests cover duplication with both background types to
prevent future regressions.
>
> ## What We're NOT Doing
> - No changes to the background upload endpoints or UI selection
workflow.
> - No changes to Unsplash download behavior or quota handling.
> - No new migration or database schema changes.
>
> ## Implementation Approach
> 1. Fix backend duplication error handling so uploaded backgrounds do
not cause a fatal error.
> 2. Add backend tests to cover duplication with uploaded backgrounds
and Unsplash backgrounds (success paths) and verify duplicat
> ion works without returning 500 errors.
> 3. Ensure tests document the expected behavior and guard against
regressions.
>
> ## Phase 1: Fix duplication error handling
> ### Overview
> Make project duplication tolerate uploaded backgrounds by clearing or
not propagating `ErrFileIsNotUnsplashFile` once it has bee
> n intentionally ignored.
>
> ### Changes Required
> - **File:** `pkg/models/projects.go` (or relevant duplication helper)
> - Adjust `duplicateProjectBackground` (or the calling logic) to reset
the named return error after handling `ErrFileIsNotUnspl
> ashFile`, ensuring the function returns `nil` when no real error
occurs.
> - Keep existing behavior for other errors and for Unsplash downloads.
>
> ### Success Criteria
> - Uploaded background duplication no longer returns an internal server
error.
> - Unsplash background duplication remains functional and still
surfaces real errors.
>
> ## Phase 2: Add regression tests
> ### Overview
> Add automated tests verifying project duplication works for both
uploaded and Unsplash backgrounds.
>
> ### Changes Required
> - **File:** `pkg/models/projects_test.go` (or closest existing test
file for project duplication)
> - Add a test that sets up a project with an uploaded background file,
duplicates the project, and asserts duplication succeeds
> and the duplicated project has an appropriate background reference.
> - Add/adjust test coverage for Unsplash background duplication to
confirm unchanged behavior.
> - Use existing fixtures or temporary files as needed for uploaded
background setup.
>
> ### Success Criteria
> - Tests fail on current main branch but pass after the fix.
> - Tests validate that duplication completes without 500 errors for
both background types.
>
> ## Testing Strategy
> - Automated Go tests via `mage test:filter` targeting the new
duplication tests.
> - Optionally run the broader suite (`mage test:feature`) if time
permits to ensure no regressions.
>
> ## Manual Verification
> 1. Create a project and upload a background via the UI; duplicate it;
observe duplication succeeds and background is present or
> gracefully handled.
> 2. Create a project with an Unsplash background; duplicate it; verify
duplication succeeds.
> 3. Check API responses for duplication calls to ensure no internal
server errors.
</details>
<!-- START COPILOT CODING AGENT TIPS -->
---
💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kolaente <13721712+kolaente@users.noreply.github.com>
This change fixes a few issues with the TickTick import:
1. BOM (Byte Order Mark) Handling: Added stripBOM() function to properly handle UTF-8 BOM at the beginning of CSV files
2. Multi-line Status Section: Updated header detection to handle the multi-line status description in real TickTick exports
3. CSV Parser Configuration: Made the CSV parser more lenient with variable field counts and quote handling
4. Test Infrastructure: Added missing logger initialization for tests
5. Field Mapping: Fixed the core issue where CSV fields weren't being mapped to struct fields correctly
The main problem was in the newLineSkipDecoder function where:
- Header detection calculated line skip count on BOM-stripped content
- CSV decoder was also stripping BOM and applying the same skip count
- This caused inconsistent positioning and empty field mapping
Rewrote the decoder to use a scanner-based approach with consistent BOM handling.
Resolves https://github.com/go-vikunja/vikunja/issues/1870
This fixes a panic that occurred when handling webhooks. The code was
incorrectly using webhook.CreatedByID (user ID) to fetch a project,
when it should use webhook.ProjectID. This could cause GetProjectSimpleByID
to return nil if no project exists with that ID.
Additionally, added a nil check before calling project.ReadOne() to prevent
a nil pointer dereference panic when accessing p.ID.
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kolaente <13721712+kolaente@users.noreply.github.com>
