From d6a8fb8e48859750ee36b4d2d6227cac08c6f9cb Mon Sep 17 00:00:00 2001 From: mountdisk Date: Thu, 10 Jul 2025 05:24:29 +0800 Subject: [PATCH 01/10] chore: fix some minor issues in the comments (#5998) Signed-off-by: mountdisk --- src/api/icons.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/api/icons.rs b/src/api/icons.rs index 30539c34..ebb87e07 100644 --- a/src/api/icons.rs +++ b/src/api/icons.rs @@ -338,7 +338,7 @@ struct IconUrlResult { /// Returns a IconUrlResult which holds a Vector IconList and a string which holds the referer. /// There will always two items within the iconlist which holds http(s)://domain.tld/favicon.ico. -/// This does not mean that that location does exists, but it is the default location browser use. +/// This does not mean that location exists, but (it) is the default location the browser uses. /// /// # Argument /// * `domain` - A string which holds the domain with extension. From 4fd22d8e3b47fcbca616b465cc02a60034d32d24 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com> Date: Wed, 9 Jul 2025 23:25:11 +0200 Subject: [PATCH 02/10] fix hiding email as 2fa provider (#6026) --- src/api/web.rs | 1 + src/static/templates/scss/vaultwarden.scss.hbs | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/api/web.rs b/src/api/web.rs index d9d13b13..c4faf58c 100644 --- a/src/api/web.rs +++ b/src/api/web.rs @@ -57,6 +57,7 @@ fn vaultwarden_css() -> Cached> { let css_options = json!({ "signup_disabled": !CONFIG.signups_allowed() && CONFIG.signups_domains_whitelist().is_empty(), "mail_enabled": CONFIG.mail_enabled(), + "mail_2fa_enabled": CONFIG._enable_email_2fa(), "yubico_enabled": CONFIG._enable_yubico() && CONFIG.yubico_client_id().is_some() && CONFIG.yubico_secret_key().is_some(), "emergency_access_allowed": CONFIG.emergency_access_allowed(), "sends_allowed": CONFIG.sends_allowed(), 
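Review bot: The `mail_2fa_enabled` key added to `css_options` in `vaultwarden_css()` only feeds a stylesheet rule, so it hides the Email provider in the web vault without disabling it. The hunk does not show whether the email 2FA endpoints check `CONFIG._enable_email_2fa()` themselves, so that is worth confirming. A short comment on the added line would record why it is separate from `mail_enabled`, for example `// Email 2FA has its own toggle (presumably can be off while mail is on); this only hides the UI entry`. The body of `vaultwarden_css()` continues outside the hunk.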
diff --git a/src/static/templates/scss/vaultwarden.scss.hbs b/src/static/templates/scss/vaultwarden.scss.hbs index 9caa1315..c017e265 100644 --- a/src/static/templates/scss/vaultwarden.scss.hbs +++ b/src/static/templates/scss/vaultwarden.scss.hbs @@ -118,7 +118,7 @@ app-root a[routerlink="/signup"] { {{/if}} {{/if}} -{{#unless mail_enabled}} +{{#unless mail_2fa_enabled}} /* Hide `Email` 2FA if mail is not enabled */ .providers-2fa-1 { @extend %vw-hide; From 55945ad79350cd1c81c432f952fd8a8260204288 Mon Sep 17 00:00:00 2001 From: Mathijs van Veluw Date: Wed, 9 Jul 2025 23:26:12 +0200 Subject: [PATCH 03/10] Update web-vault and admin resources (#6044) - Updated web-vault to v2025.7.0 - Updated admin JS and CSS files Signed-off-by: BlackDex --- docker/DockerSettings.yaml | 4 +- docker/Dockerfile.alpine | 12 +++--- docker/Dockerfile.debian | 12 +++--- src/static/scripts/bootstrap.bundle.js | 6 +-- src/static/scripts/bootstrap.css | 2 +- src/static/scripts/datatables.css | 17 +++++--- src/static/scripts/datatables.js | 42 ++++++++++++++----- .../templates/scss/vaultwarden.scss.hbs | 4 ++ 8 files changed, 64 insertions(+), 35 deletions(-) diff --git a/docker/DockerSettings.yaml b/docker/DockerSettings.yaml index e7b9f185..ffecb1ad 100644 --- a/docker/DockerSettings.yaml +++ b/docker/DockerSettings.yaml @@ -1,6 +1,6 @@ --- -vault_version: "v2025.6.0" -vault_image_digest: "sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c" +vault_version: "v2025.7.0" +vault_image_digest: "sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e" # Cross Compile Docker Helper Scripts v1.6.1 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags diff --git a/docker/Dockerfile.alpine b/docker/Dockerfile.alpine index 70388bfd..a1e724e6 100644 --- a/docker/Dockerfile.alpine +++ b/docker/Dockerfile.alpine 
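Review bot: The comment under the changed guard in vaultwarden.scss.hbs still says the Email 2FA entry is hidden "if mail is not enabled", but the block is now keyed on `mail_2fa_enabled`. Reword it to match the new condition, for example `/* Hide Email 2FA if email 2FA is not enabled */`, so the next reader does not restore the `mail_enabled` check. The `.providers-2fa-1` rule continues outside the hunk.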
@@ -19,15 +19,15 @@ # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, # click the tag name to view the digest of the image it currently points to. # - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2025.6.0 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.6.0 -# [docker.io/vaultwarden/web-vault@sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c] +# $ docker pull docker.io/vaultwarden/web-vault:v2025.7.0 +# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.7.0 +# [docker.io/vaultwarden/web-vault@sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e] # # - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c -# [docker.io/vaultwarden/web-vault:v2025.6.0] +# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e +# [docker.io/vaultwarden/web-vault:v2025.7.0] # -FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c AS vault +FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e AS vault ########################## ALPINE BUILD IMAGES ########################## ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian index d343cbff..6bd0cdfc 100644 --- a/docker/Dockerfile.debian +++ b/docker/Dockerfile.debian 
@@ -19,15 +19,15 @@ # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, # click the tag name to view the digest of the image it currently points to. # - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2025.6.0 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.6.0 -# [docker.io/vaultwarden/web-vault@sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c] +# $ docker pull docker.io/vaultwarden/web-vault:v2025.7.0 +# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.7.0 +# [docker.io/vaultwarden/web-vault@sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e] # # - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c -# [docker.io/vaultwarden/web-vault:v2025.6.0] +# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e +# [docker.io/vaultwarden/web-vault:v2025.7.0] # -FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c AS vault +FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e AS vault ########################## Cross Compile Docker Helper Scripts ########################## ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts diff --git a/src/static/scripts/bootstrap.bundle.js b/src/static/scripts/bootstrap.bundle.js index 859e9d2b..91eea7e7 100644 --- a/src/static/scripts/bootstrap.bundle.js +++ b/src/static/scripts/bootstrap.bundle.js 
@@ -1,5 +1,5 @@ /*! - * Bootstrap v5.3.6 (https://getbootstrap.com/) + * Bootstrap v5.3.7 (https://getbootstrap.com/) * Copyright 2011-2025 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE) */ @@ -647,7 +647,7 @@ * Constants */ - const VERSION = '5.3.6'; + const VERSION = '5.3.7'; /** * Class definition @@ -4805,7 +4805,6 @@ * * Shout-out to Angular https://github.com/angular/angular/blob/15.2.8/packages/core/src/sanitization/url_sanitizer.ts#L38 */ - // eslint-disable-next-line unicorn/better-regex const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:|[^&:/?#]*(?:[/?#]|$))/i; const allowedAttribute = (attribute, allowedAttributeList) => { const attributeName = attribute.nodeName.toLowerCase(); @@ -5349,6 +5348,7 @@ if (trigger === 'click') { EventHandler.on(this._element, this.constructor.eventName(EVENT_CLICK$1), this._config.selector, event => { const context = this._initializeOnDelegatedTarget(event); + context._activeTrigger[TRIGGER_CLICK] = !(context._isShown() && context._activeTrigger[TRIGGER_CLICK]); context.toggle(); }); } else if (trigger !== TRIGGER_MANUAL) { diff --git a/src/static/scripts/bootstrap.css b/src/static/scripts/bootstrap.css index cb819ec2..e9479ad9 100644 --- a/src/static/scripts/bootstrap.css +++ b/src/static/scripts/bootstrap.css @@ -1,6 +1,6 @@ @charset "UTF-8"; /*! - * Bootstrap v5.3.6 (https://getbootstrap.com/) + * Bootstrap v5.3.7 (https://getbootstrap.com/) * Copyright 2011-2025 The Bootstrap Authors * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE) */ diff --git a/src/static/scripts/datatables.css b/src/static/scripts/datatables.css index 06c823f2..4d927abf 100644 --- a/src/static/scripts/datatables.css +++ b/src/static/scripts/datatables.css 
@@ -4,10 +4,10 @@ * * To rebuild or modify this file with the latest versions of the included * software please visit: - * https://datatables.net/download/#bs5/dt-2.3.1 + * https://datatables.net/download/#bs5/dt-2.3.2 * * Included libraries: - * DataTables 2.3.1 + * DataTables 2.3.2 */ :root { @@ -17,17 +17,18 @@ --dt-row-stripe: 0, 0, 0; --dt-row-hover: 0, 0, 0; --dt-column-ordering: 0, 0, 0; + --dt-header-align-items: center; --dt-html-background: white; } :root.dark { --dt-html-background: rgb(33, 37, 41); } -table.dataTable td.dt-control { +table.dataTable tbody td.dt-control { text-align: center; cursor: pointer; } -table.dataTable td.dt-control:before { +table.dataTable tbody td.dt-control:before { display: inline-block; box-sizing: border-box; content: ""; @@ -36,7 +37,7 @@ table.dataTable td.dt-control:before { border-bottom: 5px solid transparent; border-right: 0px solid transparent; } -table.dataTable tr.dt-hasChild td.dt-control:before { +table.dataTable tbody tr.dt-hasChild td.dt-control:before { border-top: 10px solid rgba(0, 0, 0, 0.5); border-left: 5px solid transparent; border-bottom: 0px solid transparent; @@ -163,7 +164,7 @@ table.dataTable tfoot > tr > td div.dt-column-header, table.dataTable tfoot > tr > td div.dt-column-footer { display: flex; justify-content: space-between; - align-items: center; + align-items: var(--dt-header-align-items); gap: 4px; } table.dataTable thead > tr > th div.dt-column-header span.dt-column-title, @@ -421,6 +422,10 @@ table.dataTable tbody td.dt-body-nowrap { white-space: nowrap; } +:root { + --dt-header-align-items: flex-end; +} + /*! Bootstrap 5 integration for DataTables * * ©2020 SpryMedia Ltd, all rights reserved. diff --git a/src/static/scripts/datatables.js b/src/static/scripts/datatables.js index 368cfb36..0ba22347 100644 --- a/src/static/scripts/datatables.js +++ b/src/static/scripts/datatables.js 
@@ -4,13 +4,13 @@ * * To rebuild or modify this file with the latest versions of the included * software please visit: - * https://datatables.net/download/#bs5/dt-2.3.1 + * https://datatables.net/download/#bs5/dt-2.3.2 * * Included libraries: - * DataTables 2.3.1 + * DataTables 2.3.2 */ -/*! DataTables 2.3.1 +/*! DataTables 2.3.2 * © SpryMedia Ltd - datatables.net/license */ @@ -124,7 +124,7 @@ _fnCamelToHungarian( defaults.column, defaults.column, true ); /* Setting up the initialisation object */ - _fnCamelToHungarian( defaults, $.extend( oInit, $this.data() ), true ); + _fnCamelToHungarian( defaults, $.extend( oInit, _fnEscapeObject($this.data()) ), true ); @@ -513,7 +513,7 @@ * * @type string */ - builder: "bs5/dt-2.3.1", + builder: "bs5/dt-2.3.2", /** * Buttons. For use with the Buttons extension for DataTables. This is @@ -554,6 +554,11 @@ */ errMode: "alert", + /** HTML entity escaping */ + escape: { + /** When reading data-* attributes for initialisation options */ + attributes: false + }, /** * Legacy so v1 plug-ins don't throw js errors on load @@ -4025,7 +4030,7 @@ if ( write ) { if (unique) { // Allow column options to be set from HTML attributes - _fnColumnOptions( settings, shifted, jqCell.data() ); + _fnColumnOptions( settings, shifted, _fnEscapeObject(jqCell.data()) ); // Get the width for the column. This can be defined from the // width attribute, style attribute or `columns.width` option @@ -4271,7 +4276,7 @@ // to the object for the callback. var empty = {}; - DataTable.util.set(ajax.dataSrc)(empty, []); + _fnAjaxDataSrc(oSettings, empty, []); callback(empty); } else { 
@@ -5799,9 +5804,11 @@ var run = false; var columns = column === undefined ? _fnColumnsFromHeader( e.target ) - : Array.isArray(column) - ? column - : [column]; + : typeof column === 'function' + ? column() + : Array.isArray(column) + ? column + : [column]; if ( columns.length ) { for ( var i=0, ien=columns.length ; i form > div:nth-child(1) > div > button[buttontype="secon } {{/if}} +/* Hide the `Log in with passkey` settings */ +app-change-password app-webauthn-login-settings { + @extend %vw-hide; +} /* Hide Log in with passkey on the login page */ {{#if (webver ">=2025.5.1")}} .vw-passkey-login { From e718afb441f6ddd0ac6b2fc5891056729f1790d2 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com> Date: Wed, 9 Jul 2025 23:44:20 +0200 Subject: [PATCH 04/10] improve the usage section of the README (#6041) --- README.md | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 6efbd73d..fc68df22 100644 --- a/README.md +++ b/README.md 
@@ -59,19 +59,21 @@ A nearly complete implementation of the Bitwarden Client API is provided, includ ## Usage > [!IMPORTANT] -> Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost. -> ->This can be configured in [Vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)). -> ->If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy or Traefik (see examples linked above). +> The web-vault requires the use a secure context for the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API). +> That means it will only work via `http://localhost:8000` (using the port from the example below) or if you [enable HTTPS](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS). -> [!TIP] ->**For more detailed examples on how to install, use and configure Vaultwarden you can check our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki).** - -The main way to use Vaultwarden is via our container images which are published to [ghcr.io](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden), [docker.io](https://hub.docker.com/r/vaultwarden/server) and [quay.io](https://quay.io/repository/vaultwarden/server). 
+The recommended way to install and use Vaultwarden is via our container images which are published to [ghcr.io](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden), [docker.io](https://hub.docker.com/r/vaultwarden/server) and [quay.io](https://quay.io/repository/vaultwarden/server). +See [which container image to use](https://github.com/dani-garcia/vaultwarden/wiki/Which-container-image-to-use) for an explanation of the provided tags. There are also [community driven packages](https://github.com/dani-garcia/vaultwarden/wiki/Third-party-packages) which can be used, but those might be lagging behind the latest version or might deviate in the way Vaultwarden is configured, as described in our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki). +Alternatively, you can also [build Vaultwarden](https://github.com/dani-garcia/vaultwarden/wiki/Building-binary) yourself. + +While Vaultwarden is based upon the [Rocket web framework](https://rocket.rs) which has built-in support for TLS our recommendation would be that you setup a reverse proxy (see [proxy examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples). + +> [!TIP] +>**For more detailed examples on how to install, use and configure Vaultwarden you can check our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki).** + ### Docker/Podman CLI Pull the container image and mount a volume from the host for persistent storage.
@@ -83,7 +85,7 @@ docker run --detach --name vaultwarden \ --env DOMAIN="https://vw.domain.tld" \ --volume /vw-data/:/data/ \ --restart unless-stopped \ - --publish 80:80 \ + --publish 127.0.0.1:8000:80 \ vaultwarden/server:latest ``` @@ -104,7 +106,7 @@ services: volumes: - ./vw-data/:/data/ ports: - - 80:80 + - 127.0.0.1:8000:80 ```
From f58539f0b44de322f955ddb675e0b66b4c775d43 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com> Date: Thu, 10 Jul 2025 13:52:52 +0200 Subject: [PATCH 05/10] close unmatched left parenthesis in the README (#6046) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fc68df22..c84a9c40 100644 --- a/README.md +++ b/README.md @@ -69,7 +69,7 @@ There are also [community driven packages](https://github.com/dani-garcia/vaultw Alternatively, you can also [build Vaultwarden](https://github.com/dani-garcia/vaultwarden/wiki/Building-binary) yourself. -While Vaultwarden is based upon the [Rocket web framework](https://rocket.rs) which has built-in support for TLS our recommendation would be that you setup a reverse proxy (see [proxy examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples). +While Vaultwarden is based upon the [Rocket web framework](https://rocket.rs) which has built-in support for TLS our recommendation would be that you setup a reverse proxy (see [proxy examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)). > [!TIP] >**For more detailed examples on how to install, use and configure Vaultwarden you can check our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki).** From fee0c1c711cd5d2ab7b668cd9b1748b575aa22a4 Mon Sep 17 00:00:00 2001 From: Mathijs van Veluw Date: Sun, 13 Jul 2025 00:48:56 +0200 Subject: [PATCH 06/10] Update crates, workflow and issue template (#6056) - Updated all the crates, which probably fixes #5959 - Updated all the workflows and tested it with zizmor Also added zizmor as a workflow it self. - Updated the issue template to better mention to search first. 
Signed-off-by: BlackDex --- .github/CODEOWNERS | 1 + .github/ISSUE_TEMPLATE/bug_report.yml | 25 ++- .github/workflows/build.yml | 14 +- .github/workflows/check-templates.yml | 5 +- .github/workflows/hadolint.yml | 2 +- .github/workflows/release.yml | 28 +-- .github/workflows/trivy.yml | 4 +- .github/workflows/zizmor.yml | 28 +++ Cargo.lock | 244 +++++++++++++++----------- Cargo.toml | 14 +- 10 files changed, 228 insertions(+), 137 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 805d2585..3a336541 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,5 +1,6 @@ /.github @dani-garcia @BlackDex /.github/** @dani-garcia @BlackDex /.github/CODEOWNERS @dani-garcia @BlackDex +/.github/ISSUE_TEMPLATE/** @dani-garcia @BlackDex /.github/workflows/** @dani-garcia @BlackDex /SECURITY.md @dani-garcia @BlackDex diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index 7168e8ea..515bfaff 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml 
@@ -8,15 +8,30 @@ body: value: | Thanks for taking the time to fill out this bug report! - Please *do not* submit feature requests or ask for help on how to configure Vaultwarden here. + Please **do not** submit feature requests or ask for help on how to configure Vaultwarden here! The [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions/) has sections for Questions and Ideas. + Our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki/) has topics on how to configure Vaultwarden. + Also, make sure you are running [![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest) of Vaultwarden! - And search for existing open or closed issues or discussions regarding your topic before posting. Be sure to check and validate the Vaultwarden Admin Diagnostics (`/admin/diagnostics`) page for any errors! See here [how to enable the admin page](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page). + + > [!IMPORTANT] + > :bangbang: Search for existing **Open _AND_ Closed** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) regarding your topic before posting! + # + - type: checkboxes + id: checklist + attributes: + label: Prerequisites + description: Please confirm you have completed the following before submitting an issue + options: + - label: I have searched the existing issues and discussions + required: true + - label: I have read the documentation + required: true # - id: support-string type: textarea @@ -36,7 +51,7 @@ body: attributes: label: Vaultwarden Build Version description: What version of Vaultwarden are you running? - placeholder: ex. v1.31.0 or v1.32.0-3466a804 + placeholder: ex. v1.34.0 or v1.34.1-53f58b14 validations: required: true # 
@@ -67,7 +82,7 @@ body: attributes: label: Reverse Proxy description: Are you using a reverse proxy, if so which and what version? - placeholder: ex. nginx 1.26.2, caddy 2.8.4, traefik 3.1.2, haproxy 3.0 + placeholder: ex. nginx 1.29.0, caddy 2.10.0, traefik 3.4.4, haproxy 3.2 validations: required: true # @@ -115,7 +130,7 @@ body: attributes: label: Client Version description: What version(s) of the client(s) are you seeing the problem on? - placeholder: ex. CLI v2024.7.2, Firefox 130 - v2024.7.0 + placeholder: ex. CLI v2025.7.0, Firefox 140 - v2025.6.1 # - id: reproduce type: textarea diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cffeb4fb..9c563570 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -66,13 +66,15 @@ jobs: - name: Init Variables id: toolchain shell: bash + env: + CHANNEL: ${{ matrix.channel }} run: | - if [[ "${{ matrix.channel }}" == 'rust-toolchain' ]]; then + if [[ "${CHANNEL}" == 'rust-toolchain' ]]; then RUST_TOOLCHAIN="$(grep -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml)" - elif [[ "${{ matrix.channel }}" == 'msrv' ]]; then + elif [[ "${CHANNEL}" == 'msrv' ]]; then RUST_TOOLCHAIN="$(grep -oP 'rust-version.*"(\K.*?)(?=")' Cargo.toml)" else - RUST_TOOLCHAIN="${{ matrix.channel }}" + RUST_TOOLCHAIN="${CHANNEL}" fi echo "RUST_TOOLCHAIN=${RUST_TOOLCHAIN}" | tee -a "${GITHUB_OUTPUT}" # End Determine rust-toolchain version @@ -80,7 +82,7 @@ jobs: # Only install the clippy and rustfmt components on the default rust-toolchain - name: "Install rust-toolchain version" - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # master @ Mar 18, 2025, 8:14 PM GMT+1 + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master @ Apr 29, 2025, 9:22 PM GMT+2 if: ${{ matrix.channel == 'rust-toolchain' }} with: toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}" 
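Review bot: The `Init Variables` step in build.yml now reads the matrix value through `env: CHANNEL`, but nothing in the step says why. A one-line comment above the `env:` block would keep a later edit from putting the expression back inline, for example `# Pass matrix values via env so they are never expanded into the script text`. The same reasoning applies to the `BASE_IMAGE` variables added in release.yml.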
@@ -90,7 +92,7 @@ jobs: # Install the any other channel to be used for which we do not execute clippy and rustfmt - name: "Install MSRV version" - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # master @ Mar 18, 2025, 8:14 PM GMT+1 + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master @ Apr 29, 2025, 9:22 PM GMT+2 if: ${{ matrix.channel != 'rust-toolchain' }} with: toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}" @@ -115,7 +117,7 @@ jobs: # Enable Rust Caching - name: Rust Caching - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 + uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 with: # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes. # Like changing the build host from Ubuntu 20.04 to 22.04 for example. diff --git a/.github/workflows/check-templates.yml b/.github/workflows/check-templates.yml index 20a40b08..25f6faac 100644 --- a/.github/workflows/check-templates.yml +++ b/.github/workflows/check-templates.yml @@ -4,7 +4,8 @@ permissions: {} on: [ push, pull_request ] jobs: - docker-templates: + docker-templates: + name: Validate docker templates permissions: contents: read runs-on: ubuntu-24.04 @@ -20,7 +21,7 @@ jobs: - name: Run make to rebuild templates working-directory: docker - run: make + run: make - name: Check for unstaged changes working-directory: docker diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml index 329981dc..2efdd581 100644 --- a/.github/workflows/hadolint.yml +++ b/.github/workflows/hadolint.yml 
@@ -14,7 +14,7 @@ jobs: steps: # Start Docker Buildx - name: Setup Docker Buildx - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 # https://github.com/moby/buildkit/issues/3969 # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 43ec251f..20f51a4f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -47,7 +47,7 @@ jobs: # Start a local docker registry to extract the compiled binaries to upload as artifacts and attest them services: registry: - image: registry:2 + image: registry:sha256@1fc7de654f2ac1247f0b67e8a459e273b0993be7d2beda1f3f56fbf1001ed3e7 # v3.0.0 - https://hub.docker.com/_/registry/tags ports: - 5000:5000 env: @@ -76,7 +76,7 @@ jobs: # Start Docker Buildx - name: Setup Docker Buildx - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 # https://github.com/moby/buildkit/issues/3969 # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills with: @@ -192,7 +192,7 @@ jobs: - name: Bake ${{ matrix.base_image }} containers id: bake_vw - uses: docker/bake-action@4ba453fbc2db7735392b93edf935aaf9b1e8f747 # v6.5.0 + uses: docker/bake-action@37816e747588cb137173af99ab33873600c46ea8 # v6.8.0 env: BASE_TAGS: "${{ env.BASE_TAGS }}" SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}" 
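Review bot: The pinned service image in release.yml, `registry:sha256@1fc7de65…`, has the tag and digest separators swapped, so it is not a valid image reference and the local registry service will most likely fail to start. A digest pin is written `name@sha256:<hex>`, which here is `image: registry@sha256:1fc7de654f2ac1247f0b67e8a459e273b0993be7d2beda1f3f56fbf1001ed3e7 # v3.0.0`. The trailing comment also indicates a move from `registry:2` to v3.0.0, so the steps that push to and pull from `localhost:5000` deserve a test run after the fix.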
@@ -213,14 +213,15 @@ jobs: shell: bash env: BAKE_METADATA: ${{ steps.bake_vw.outputs.metadata }} + BASE_IMAGE: ${{ matrix.base_image }} run: | - GET_DIGEST_SHA="$(jq -r '.["${{ matrix.base_image }}-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")" + GET_DIGEST_SHA="$(jq -r '.["${BASE_IMAGE}-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")" echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}" # Attest container images - name: Attest - docker.io - ${{ matrix.base_image }} if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}} - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 with: subject-name: ${{ vars.DOCKERHUB_REPO }} subject-digest: ${{ env.DIGEST_SHA }} @@ -228,7 +229,7 @@ jobs: - name: Attest - ghcr.io - ${{ matrix.base_image }} if: ${{ env.HAVE_GHCR_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}} - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 with: subject-name: ${{ vars.GHCR_REPO }} subject-digest: ${{ env.DIGEST_SHA }} @@ -236,7 +237,7 @@ jobs: - name: Attest - quay.io - ${{ matrix.base_image }} if: ${{ env.HAVE_QUAY_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}} - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 with: subject-name: ${{ vars.QUAY_REPO }} subject-digest: ${{ env.DIGEST_SHA }} @@ -248,6 +249,7 @@ jobs: shell: bash env: REF_TYPE: ${{ github.ref_type }} + BASE_IMAGE: ${{ matrix.base_image }} run: | # Check which main tag we are going to build determined by ref_type if [[ "${REF_TYPE}" == "tag" ]]; then 
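Review bot: In the digest-extraction step of release.yml, `${BASE_IMAGE}` now sits inside the single-quoted jq filter, where the shell does not expand it, so jq looks up the literal key `${BASE_IMAGE}-multi` and `DIGEST_SHA` ends up as `null`. The previous `${{ matrix.base_image }}` worked only because Actions substituted it before the shell ran. Pass the value as a jq variable instead: `GET_DIGEST_SHA="$(jq -r --arg base "${BASE_IMAGE}" '.[$base + "-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")"`. The attest steps that follow use `env.DIGEST_SHA` as `subject-digest`, so they would fail or attest the wrong subject until this is fixed.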
@@ -257,7 +259,7 @@ jobs: fi # Check which base_image was used and append -alpine if needed - if [[ "${{ matrix.base_image }}" == "alpine" ]]; then + if [[ "${BASE_IMAGE}" == "alpine" ]]; then EXTRACT_TAG="${EXTRACT_TAG}-alpine" fi @@ -266,25 +268,25 @@ jobs: # Extract amd64 binary docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" - docker cp amd64:/vaultwarden vaultwarden-amd64-${{ matrix.base_image }} + docker cp amd64:/vaultwarden vaultwarden-amd64-${BASE_IMAGE} docker rm --force amd64 docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" # Extract arm64 binary docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" - docker cp arm64:/vaultwarden vaultwarden-arm64-${{ matrix.base_image }} + docker cp arm64:/vaultwarden vaultwarden-arm64-${BASE_IMAGE} docker rm --force arm64 docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" # Extract armv7 binary docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" - docker cp armv7:/vaultwarden vaultwarden-armv7-${{ matrix.base_image }} + docker cp armv7:/vaultwarden vaultwarden-armv7-${BASE_IMAGE} docker rm --force armv7 docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" # Extract armv6 binary docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" - docker cp armv6:/vaultwarden vaultwarden-armv6-${{ matrix.base_image }} + docker cp armv6:/vaultwarden vaultwarden-armv6-${BASE_IMAGE} docker rm --force armv6 docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" 
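Review bot: The four `docker cp` destinations in release.yml expand `${BASE_IMAGE}` unquoted, unlike the `"…${EXTRACT_TAG}"` arguments in the same script. As a shell variable the value is now subject to word splitting and globbing, which the inline template expression was not in the same way. Quote the destination on each of the four lines, for example `docker cp amd64:/vaultwarden "vaultwarden-amd64-${BASE_IMAGE}"`. The `run:` block starts outside this hunk.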
@@ -314,7 +316,7 @@ jobs: path: vaultwarden-armv6-${{ matrix.base_image }} - name: "Attest artifacts ${{ matrix.base_image }}" - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 with: subject-path: vaultwarden-* # End Upload artifacts to Github Actions diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 9345dd81..abfbfddf 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -36,7 +36,7 @@ jobs: persist-credentials: false - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # v0.30.0 + uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 env: TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2 TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1 @@ -48,6 +48,6 @@ jobs: severity: CRITICAL,HIGH - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # v3.27.5 + uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..7726c1db --- /dev/null +++ b/.github/workflows/zizmor.yml 
@@ -0,0 +1,28 @@ +name: Security Analysis with zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1 + with: + # intentionally not scanning the entire repository, + # since it contains integration tests. + inputs: ./.github/ diff --git a/Cargo.lock b/Cargo.lock index ad66b074..d4ecc9e0 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -116,9 +116,9 @@ dependencies = [ [[package]] name = "async-channel" -version = "2.3.1" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "89b47800b0be77592da0afd425cc03468052844aff33b84e33cc696f64e77b6a" +checksum = "924ed96dd52d1b75e9c1a3e6275715fd320f5f9439fb5a4a11fa51f4221158d2" dependencies = [ "concurrent-queue", "event-listener-strategy", @@ -162,7 +162,7 @@ version = "2.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "05b1b633a2115cd122d73b955eadd9916c18c8f510ec9cd1686404c60ad1c29c" dependencies = [ - "async-channel 2.3.1", + "async-channel 2.5.0", "async-executor", "async-io", "async-lock", @@ -207,7 +207,7 @@ version = "2.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cde3f4e40e6021d7acffc90095cbd6dc54cb593903d1de5832f435eb274b85dc" dependencies = [ - "async-channel 2.3.1", + "async-channel 2.5.0", "async-io", "async-lock", "async-signal", 
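Review bot: The `zizmor` job grants only `security-events: write` under the top-level `permissions: {}`, so `actions/checkout` runs with no `contents` scope at all. That is enough for a public repository, but on a private fork or mirror the checkout and the result upload would likely fail with an authorization error that does not point back to this block. Adding `contents: read` and `actions: read` to the job, each with a trailing `# only needed for private repos` comment, keeps the least-privilege default and records the assumption. Separately, the `inputs: ./.github/` comment could state that workflow or action definitions outside `.github/` are deliberately left unaudited.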
@@ -333,9 +333,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8" [[package]] name = "aws-config" -version = "1.8.0" +version = "1.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "455e9fb7743c6f6267eb2830ccc08686fbb3d13c9a689369562fd4d4ef9ea462" +checksum = "c18d005c70d2b9c0c1ea8876c039db0ec7fb71164d25c73ccea21bf41fd02171" dependencies = [ "aws-credential-types", "aws-runtime", @@ -399,9 +399,9 @@ dependencies = [ [[package]] name = "aws-sdk-sso" -version = "1.73.0" +version = "1.74.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2ac1674cba7872061a29baaf02209fefe499ff034dfd91bd4cc59e4d7741489" +checksum = "e0a69de9c1b9272da2872af60c7402683e7f45c06267735b4332deacb203239b" dependencies = [ "aws-credential-types", "aws-runtime", @@ -421,9 +421,9 @@ dependencies = [ [[package]] name = "aws-sdk-ssooidc" -version = "1.74.0" +version = "1.75.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3a6a22f077f5fd3e3c0270d4e1a110346cddf6769e9433eb9e6daceb4ca3b149" +checksum = "f0b161d836fac72bdd5ac1a4cd1cdc38ab888c7af26cfd95f661be4409505e63" dependencies = [ "aws-credential-types", "aws-runtime", @@ -443,9 +443,9 @@ dependencies = [ [[package]] name = "aws-sdk-sts" -version = "1.75.0" +version = "1.76.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3258fa707f2f585ee3049d9550954b959002abd59176975150a01d5cf38ae3f" +checksum = "cb1cd79a3412751a341a28e2cd0d6fa4345241976da427b075a0c0cd5409f886" dependencies = [ "aws-credential-types", "aws-runtime", 
@@ -547,9 +547,9 @@ dependencies = [ [[package]] name = "aws-smithy-runtime" -version = "1.8.3" +version = "1.8.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "14302f06d1d5b7d333fd819943075b13d27c7700b414f574c3c35859bfb55d5e" +checksum = "c3aaec682eb189e43c8a19c3dab2fe54590ad5f2cc2d26ab27608a20f2acf81c" dependencies = [ "aws-smithy-async", "aws-smithy-http", @@ -570,9 +570,9 @@ dependencies = [ [[package]] name = "aws-smithy-runtime-api" -version = "1.8.1" +version = "1.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bd8531b6d8882fd8f48f82a9754e682e29dd44cff27154af51fa3eb730f59efb" +checksum = "9852b9226cb60b78ce9369022c0df678af1cac231c882d5da97a0c4e03be6e67" dependencies = [ "aws-smithy-async", "aws-smithy-types", @@ -745,11 +745,11 @@ dependencies = [ [[package]] name = "blocking" -version = "1.6.1" +version = "1.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "703f41c54fc768e63e091340b424302bb1c29ef4aa0c7f10fe849dfb114d29ea" +checksum = "e83f8d02be6967315521be875afa792a316e28d57b5a2d401897e2a7921b7f21" dependencies = [ - "async-channel 2.3.1", + "async-channel 2.5.0", "async-task", "futures-io", "futures-lite", @@ -858,9 +858,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.27" +version = "1.2.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d487aa071b5f64da6f19a3e848e3578944b726ee5a4854b82172f02aa876bfdc" +checksum = "5c1599538de2394445747c8cf7935946e3cc27e9625f889d979bfb2aaf569362" dependencies = [ "jobserver", "libc", 
@@ -896,23 +896,12 @@ dependencies = [ [[package]] name = "chrono-tz" -version = "0.10.3" +version = "0.10.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "efdce149c370f133a071ca8ef6ea340b7b88748ab0810097a9e2976eaa34b4f3" +checksum = "a6139a8597ed92cf816dfb33f5dd6cf0bb93a6adc938f11039f371bc5bcd26c3" dependencies = [ "chrono", - "chrono-tz-build", - "phf", -] - -[[package]] -name = "chrono-tz-build" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f10f8c9340e31fc120ff885fcdb54a0b48e474bbd77cab557f0c30a3e569402" -dependencies = [ - "parse-zoneinfo", - "phf_codegen", + "phf 0.12.1", ] [[package]] @@ -1283,9 +1272,9 @@ dependencies = [ [[package]] name = "diesel" -version = "2.2.11" +version = "2.2.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a917a9209950404d5be011c81d081a2692a822f73c3d6af586f0cab5ff50f614" +checksum = "229850a212cd9b84d4f0290ad9d294afc0ae70fccaa8949dbe8b43ffafa1e20c" dependencies = [ "bigdecimal", "bitflags", @@ -1318,9 +1307,9 @@ dependencies = [ [[package]] name = "diesel_derives" -version = "2.2.6" +version = "2.2.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "52841e97814f407b895d836fa0012091dff79c6268f39ad8155d384c21ae0d26" +checksum = "1b96984c469425cb577bf6f17121ecb3e4fe1e81de5d8f780dd372802858d756" dependencies = [ "diesel_table_macro_syntax", "dsl_auto_type", @@ -1542,7 +1531,7 @@ dependencies = [ "atomic 0.6.1", "pear", "serde", - "toml", + "toml 0.8.23", "uncased", "version_check", ] @@ -1822,7 +1811,7 @@ dependencies = [ "indexmap", "lasso", "once_cell", - "phf", + "phf 0.11.3", ] [[package]] @@ -2110,7 +2099,7 @@ dependencies = [ "http 1.3.1", "hyper 1.6.0", "hyper-util", - "rustls 0.23.28", + "rustls 0.23.29", "rustls-native-certs", "rustls-pki-types", "tokio", 
@@ -2121,9 +2110,9 @@ dependencies = [ [[package]] name = "hyper-util" -version = "0.1.14" +version = "0.1.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc2fdfdbff08affe55bb779f33b053aa1fe5dd5b54c257343c17edfa55711bdb" +checksum = "7f66d5bd4c6f02bf0542fad85d626775bab9258cf795a4256dcaf3161114d1df" dependencies = [ "base64 0.22.1", "bytes", @@ -2309,6 +2298,17 @@ dependencies = [ "generic-array", ] +[[package]] +name = "io-uring" +version = "0.7.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b86e202f00093dcba4275d4636b93ef9dd75d025ae560d2521b45ea28ab49013" +dependencies = [ + "bitflags", + "cfg-if", + "libc", +] + [[package]] name = "ipconfig" version = "0.3.2" @@ -2455,7 +2455,7 @@ dependencies = [ "nom 8.0.0", "percent-encoding", "quoted_printable", - "rustls 0.23.28", + "rustls 0.23.29", "rustls-native-certs", "serde", "socket2", @@ -2489,9 +2489,9 @@ dependencies = [ [[package]] name = "libsqlite3-sys" -version = "0.33.0" +version = "0.35.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "947e6816f7825b2b45027c2c32e7085da9934defa535de4a6a46b10a4d5257fa" +checksum = "133c182a6a2c87864fe97778797e46c7e999672690dc9fa3ee8e241aa4a9c13f" dependencies = [ "cc", "pkg-config", @@ -2604,12 +2604,12 @@ checksum = "32a282da65faaf38286cf3be983213fcf1d2e2a58700e808f83f4ea9a4804bc0" [[package]] name = "migrations_internals" -version = "2.2.0" +version = "2.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd01039851e82f8799046eabbb354056283fb265c8ec0996af940f4e85a380ff" +checksum = "3bda1634d70d5bd53553cf15dca9842a396e8c799982a3ad22998dc44d961f24" dependencies = [ "serde", - "toml", + "toml 0.9.2", ] [[package]] 
@@ -2938,9 +2938,9 @@ checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e" [[package]] name = "openssl-src" -version = "300.5.0+3.5.0" +version = "300.5.1+3.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e8ce546f549326b0e6052b649198487d91320875da901e7bd11a06d1ee3f9c2f" +checksum = "735230c832b28c000e3bc117119e6466a663ec73506bc0a9907ea4187508e42a" dependencies = [ "cc", ] @@ -3009,15 +3009,6 @@ dependencies = [ "windows-targets 0.52.6", ] -[[package]] -name = "parse-zoneinfo" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f2a05b18d44e2957b88f96ba460715e295bc1d7510468a2f3d3b44535d26c24" -dependencies = [ - "regex", -] - [[package]] name = "password-hash" version = "0.5.0" @@ -3150,17 +3141,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1fd6780a80ae0c52cc120a26a1a42c1ae51b247a253e4e06113d23d2c2edd078" dependencies = [ "phf_macros", - "phf_shared", + "phf_shared 0.11.3", ] [[package]] -name = "phf_codegen" -version = "0.11.3" +name = "phf" +version = "0.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aef8048c789fa5e851558d709946d6d79a8ff88c0440c587967f8e94bfb1216a" +checksum = "913273894cec178f401a31ec4b656318d95473527be05c0752cc41cdc32be8b7" dependencies = [ - "phf_generator", - "phf_shared", + "phf_shared 0.12.1", ] [[package]] @@ -3169,7 +3159,7 @@ version = "0.11.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3c80231409c20246a13fddb31776fb942c38553c51e871f8cbd687a4cfb5843d" dependencies = [ - "phf_shared", + "phf_shared 0.11.3", "rand 0.8.5", ] @@ -3180,7 +3170,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f84ac04429c13a7ff43785d75ad27569f2951ce0ffd30a3321230db2fc727216" dependencies = [ "phf_generator", - "phf_shared", + "phf_shared 0.11.3", "proc-macro2", "quote", "syn", 
@@ -3195,6 +3185,15 @@ dependencies = [ "siphasher", ] +[[package]] +name = "phf_shared" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06005508882fb681fd97892ecff4b7fd0fee13ef1aa569f8695dae7ab9099981" +dependencies = [ + "siphasher", +] + [[package]] name = "pico-args" version = "0.5.0" @@ -3413,7 +3412,7 @@ dependencies = [ "quinn-proto", "quinn-udp", "rustc-hash", - "rustls 0.23.28", + "rustls 0.23.29", "socket2", "thiserror 2.0.12", "tokio", @@ -3433,7 +3432,7 @@ dependencies = [ "rand 0.9.1", "ring", "rustc-hash", - "rustls 0.23.28", + "rustls 0.23.29", "rustls-pki-types", "slab", "thiserror 2.0.12", @@ -3676,14 +3675,14 @@ dependencies = [ "sha1", "sha2", "tokio", - "toml", + "toml 0.8.23", ] [[package]] name = "reqwest" -version = "0.12.21" +version = "0.12.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c8cea6b35bcceb099f30173754403d2eba0a5dc18cea3630fccd88251909288" +checksum = "cbc931937e6ca3a06e3b6c0aa7841849b160a90351d6ab467a8b9b9959767531" dependencies = [ "async-compression", "base64 0.22.1", @@ -3707,7 +3706,7 @@ dependencies = [ "percent-encoding", "pin-project-lite", "quinn", - "rustls 0.23.28", + "rustls 0.23.29", "rustls-native-certs", "rustls-pki-types", "serde", @@ -3908,13 +3907,12 @@ dependencies = [ [[package]] name = "rust-ini" -version = "0.21.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4e310ef0e1b6eeb79169a1171daf9abcb87a2e17c03bee2c4bb100b55c75409f" +checksum = "e7295b7ce3bf4806b419dc3420745998b447178b7005e2011947b38fc5aa6791" dependencies = [ "cfg-if", "ordered-multimap", - "trim-in-place", ] [[package]] 
@@ -3965,15 +3963,15 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.28" +version = "0.23.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7160e3e10bf4535308537f3c4e1641468cd0e485175d6163087c0393c7d46643" +checksum = "2491382039b29b9b11ff08b76ff6c97cf287671dbb74f0be44bda389fffe9bd1" dependencies = [ "log", "once_cell", "ring", "rustls-pki-types", - "rustls-webpki 0.103.3", + "rustls-webpki 0.103.4", "subtle", "zeroize", ] @@ -4021,9 +4019,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.103.3" +version = "0.103.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e4a72fe2bcf7a6ac6fd7d0b9e5cb68aeb7d4c0a0271730218b3e92d43b4eb435" +checksum = "0a17884ae0c1b773f1ccd2bd4a8c72f16da897310a98b0e84bf349ad5ead92fc" dependencies = [ "ring", "rustls-pki-types", @@ -4191,6 +4189,15 @@ dependencies = [ "serde", ] +[[package]] +name = "serde_spanned" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "40734c41988f7306bb04f0ecf60ec0f3f1caa34290e4e8ea471dcd3346483b83" +dependencies = [ + "serde", +] + [[package]] name = "serde_urlencoded" version = "0.7.1" @@ -4607,17 +4614,19 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.45.1" +version = "1.46.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75ef51a33ef1da925cea3e4eb122833cb377c61439ca401b770f54902b806779" +checksum = "0cc3a2344dafbe23a245241fe8b09735b521110d30fcefbbd5feb1797ca35d17" dependencies = [ "backtrace", "bytes", + "io-uring", "libc", "mio", "parking_lot", "pin-project-lite", "signal-hook-registry", + "slab", "socket2", "tokio-macros", "windows-sys 0.52.0", 
@@ -4650,7 +4659,7 @@ version = "0.26.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8e727b36a1a0e8b74c376ac2211e40c2c8af09fb4013c60d910495810f008e9b" dependencies = [ - "rustls 0.23.28", + "rustls 0.23.29", "tokio", ] @@ -4698,11 +4707,26 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dc1beb996b9d83529a9e75c17a1686767d148d70663143c7854d8b4a09ced362" dependencies = [ "serde", - "serde_spanned", - "toml_datetime", + "serde_spanned 0.6.9", + "toml_datetime 0.6.11", "toml_edit", ] +[[package]] +name = "toml" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed0aee96c12fa71097902e0bb061a5e1ebd766a6636bb605ba401c45c1650eac" +dependencies = [ + "indexmap", + "serde", + "serde_spanned 1.0.0", + "toml_datetime 0.7.0", + "toml_parser", + "toml_writer", + "winnow 0.7.12", +] + [[package]] name = "toml_datetime" version = "0.6.11" @@ -4712,6 +4736,15 @@ dependencies = [ "serde", ] +[[package]] +name = "toml_datetime" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bade1c3e902f58d73d3f294cd7f20391c1cb2fbcb643b73566bc773971df91e3" +dependencies = [ + "serde", +] + [[package]] name = "toml_edit" version = "0.22.27" @@ -4720,10 +4753,19 @@ checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a" dependencies = [ "indexmap", "serde", - "serde_spanned", - "toml_datetime", + "serde_spanned 0.6.9", + "toml_datetime 0.6.11", "toml_write", - "winnow 0.7.11", + "winnow 0.7.12", +] + +[[package]] +name = "toml_parser" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97200572db069e74c512a14117b296ba0a80a30123fbbb5aa1f4a348f639ca30" +dependencies = [ + "winnow 0.7.12", ] [[package]] 
@@ -4732,6 +4774,12 @@ version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801" +[[package]] +name = "toml_writer" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fcc842091f2def52017664b53082ecbbeb5c7731092bad69d2c63050401dfd64" + [[package]] name = "totp-lite" version = "2.0.1" @@ -4851,12 +4899,6 @@ dependencies = [ "tracing-log", ] -[[package]] -name = "trim-in-place" -version = "0.1.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "343e926fc669bc8cde4fa3129ab681c63671bae288b1f1081ceee6d9d37904fc" - [[package]] name = "try-lock" version = "0.2.5" @@ -5656,9 +5698,9 @@ dependencies = [ [[package]] name = "winnow" -version = "0.7.11" +version = "0.7.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74c7b26e3480b707944fc872477815d29a8e429d2f93a1ce000f5fa84a15cbcd" +checksum = "f3edebf492c8125044983378ecb5766203ad3b4c2f7a922bd7dd207f6d443e95" dependencies = [ "memchr", ] @@ -5696,9 +5738,9 @@ checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb" [[package]] name = "xml-rs" -version = "0.8.26" +version = "0.8.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a62ce76d9b56901b19a74f19431b0d8b3bc7ca4ad685a746dfd78ca8f4fc6bda" +checksum = "6fd8403733700263c6eb89f192880191f1b83e332f7a20371ddcf421c4a337c7" [[package]] name = "xmlparser" diff --git a/Cargo.toml b/Cargo.toml index 61788274..4ae0c413 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -73,7 +73,7 @@ dashmap = "6.1.0" # Async futures futures = "0.3.31" -tokio = { version = "1.45.1", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] } +tokio = { version = "1.46.1", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] } tokio-util = { version = "0.7.15", features = ["compat"]} # A generic serialization/deserialization framework @@ -81,7 +81,7 @@ serde = { version = "1.0.219", features = ["derive"] } serde_json = "1.0.140" # A safe, extensible ORM and Query builder -diesel = { version = "2.2.11", features = ["chrono", "r2d2", "numeric"] } +diesel = { version = "2.2.12", features = ["chrono", "r2d2", "numeric"] } diesel_migrations = "2.2.0" diesel_logger = { version = "0.4.0", optional = true } @@ -89,7 +89,7 @@ derive_more = { version = "2.0.1", features = ["from", "into", "as_ref", "deref" diesel-derive-newtype = "2.1.2" # Bundled/Static SQLite -libsqlite3-sys = { version = "0.33.0", features = ["bundled"], optional = true } +libsqlite3-sys = { version = "0.35.0", features = ["bundled"], optional = true } # Crypto-related libraries rand = "0.9.1" @@ -101,7 +101,7 @@ uuid = { version = "1.17.0", features = ["v4"] } # Date and time libraries chrono = { version = "0.4.41", features = ["clock", "serde"], default-features = false } -chrono-tz = "0.10.3" +chrono-tz = "0.10.4" time = "0.3.41" # Job scheduler 
@@ -134,7 +134,7 @@ email_address = "0.2.9" handlebars = { version = "6.3.2", features = ["dir_source"] } # HTTP client (Used for favicons, version check, DUO and HIBP API) -reqwest = { version = "0.12.20", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false} +reqwest = { version = "0.12.22", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false} hickory-resolver = "0.25.2" # Favicon extraction libraries @@ -184,9 +184,9 @@ opendal = { version = "0.53.3", features = ["services-fs"], default-features = f # For retrieving AWS credentials, including temporary SSO credentials anyhow = { version = "1.0.98", optional = true } -aws-config = { version = "1.8.0", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true } +aws-config = { version = "1.8.1", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true } aws-credential-types = { version = "1.2.3", optional = true } -aws-smithy-runtime-api = { version = "1.8.1", optional = true } +aws-smithy-runtime-api = { version = "1.8.3", optional = true } http = { version = "1.3.1", optional = true } reqsign = { version = "0.16.5", optional = true } From 0755bb19c0c606e9c8c0453306e12ee34d32e13b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Garc=C3=ADa?= Date: Sun, 13 Jul 2025 01:01:08 +0200 Subject: [PATCH 07/10] Update release.yml (#6057) Seems like docker can't use the hash references: https://github.com/dani-garcia/vaultwarden/actions/runs/16242780267/job/45861396226 --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 20f51a4f..dfb86e27 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -47,7 +47,7 @@ jobs: # Start a local docker registry to extract the compiled binaries to upload as artifacts and attest them services: registry: - image: registry:sha256@1fc7de654f2ac1247f0b67e8a459e273b0993be7d2beda1f3f56fbf1001ed3e7 # v3.0.0 - https://hub.docker.com/_/registry/tags + image: registry:3.0.0 # https://hub.docker.com/_/registry/tags ports: - 5000:5000 env: From b2e2aef7de73d204e19f6a7adf66708ab139c2d8 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com> Date: Sun, 13 Jul 2025 10:22:33 +0200 Subject: [PATCH 08/10] fix hash reference in release.yml (#6058) --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dfb86e27..61f374a0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -47,7 +47,7 @@ jobs: # Start a local docker registry to extract the compiled binaries to upload as artifacts and attest them services: registry: - image: registry:3.0.0 # https://hub.docker.com/_/registry/tags + image: registry@sha256:1fc7de654f2ac1247f0b67e8a459e273b0993be7d2beda1f3f56fbf1001ed3e7 # v3.0.0 ports: - 5000:5000 env: From 2ac589d4b4e0d5914e9317593a07e31eec31b670 Mon Sep 17 00:00:00 2001 From: Daniel Date: Sun, 13 Jul 2025 13:20:16 +0300 Subject: [PATCH 09/10] Fix digest SHA extraction step (#6059) --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 61f374a0..d08828d4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -215,7 +215,7 @@ jobs: BAKE_METADATA: ${{ steps.bake_vw.outputs.metadata }} BASE_IMAGE: ${{ matrix.base_image }} run: | - GET_DIGEST_SHA="$(jq -r '.["${BASE_IMAGE}-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")" + GET_DIGEST_SHA="$(jq -r --arg base "$BASE_IMAGE" '.[$base + "-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")" echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}" # Attest container images From ce70cd2cf4f1faf84ce32266bcc65ca9482a5514 Mon Sep 17 00:00:00 2001 From: Timshel Date: Mon, 14 Jul 2025 22:01:20 +0200 Subject: [PATCH 10/10] Hide login form custom fields (#6054) Co-authored-by: Timshel --- src/static/templates/scss/vaultwarden.scss.hbs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/static/templates/scss/vaultwarden.scss.hbs b/src/static/templates/scss/vaultwarden.scss.hbs index a97c0b47..8f86881a 100644 --- a/src/static/templates/scss/vaultwarden.scss.hbs +++ b/src/static/templates/scss/vaultwarden.scss.hbs @@ -20,6 +20,11 @@ a[href$="/settings/sponsored-families"] { @extend %vw-hide; } +/* Hide the sso `Email` input field */ +.vw-email-sso { + @extend %vw-hide; +} + /* Hide the `Enterprise Single Sign-On` button on the login page */ {{#if (webver ">=2025.5.1")}} .vw-sso-login { @@ -57,6 +62,11 @@ app-root ng-component > form > div:nth-child(1) > div:nth-child(3) > div:nth-chi } {{/if}} +/* Hide the `Other` button on the login page */ +.vw-other-login { + @extend %vw-hide; +} + /* Hide Two-Factor menu in Organization settings */ bit-nav-item[route="settings/two-factor"], a[href$="/settings/two-factor"] {
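Review bot: The corrected `jq` lookup in the `GET_DIGEST_SHA=` line still exits 0 and prints `null` when the `<base>-multi` key or its `containerimage.digest` field is missing, so the next line would write `DIGEST_SHA=null` to `GITHUB_ENV`. That is the same silent outcome the old single-quoted `${BASE_IMAGE}` lookup would have produced, and the attestation steps that follow would then run against a meaningless digest. Use jq's exit-status flag so the step fails instead, assuming it runs under the default `-e` shell: `GET_DIGEST_SHA="$(jq -er --arg base "$BASE_IMAGE" '.[$base + "-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")"`. The step's `name:`/`env:` header begins outside this hunk.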