chore(deps): update container image vikunja/vikunja to v2.0.0

[renovate]

This PR contains the following updates:

Package	Update	Change
vikunja/vikunja	major	0.24.6 → 2.0.0

---

Release Notes

go-vikunja/vikunja (vikunja/vikunja)

v2.0.0

Compare Source

Bug Fixes

• (attachments) Use mime.FormatMediaType for Content-Disposition header
• (auth) Use checked type assertions for all JWT claims
• (build) Add osusergo tag to plugin build
• (build) Use absolute path for zip output in release
• (db) Validate table names and quote identifiers in raw SQL
• (gantt) Render done tasks with strikethrough and reduced opacity
• (gantt) Sync task updates from detail view back to gantt chart
• (gantt) Only persist dates that actually exist on partial-date tasks
• (migration) Make migration from Microsoft Todo work for those with previously migrated wunderlist accounts (#​2126)
• (migration) Reject zip entries with path traversal in vikunja-file import
• (migration) Limit zip entry read size to prevent decompression bombs
• (migration) Use checked type assertion for background file id
• (release) Skip upx compression for windows arm64 binaries
• (restore) Reject zip entries with path traversal sequences
• (restore) Sanitize config file path to prevent zip slip
• (restore) Validate database file names in zip archive
• (restore) Validate migration data before wiping database
• (restore) Limit zip entry read size to prevent decompression bombs
• (restore) Pre-validate all table data JSON before wiping database
• (restore) Extract preValidateTableData to reduce cyclomatic complexity
• (task) Require explicit confirmation before saving reminders
• (task) Disable Confirm button when no date is selected in absolute reminder picker
• (tasks) Show drag handle icon on mobile devices (#​2286)
• (test) Update existing reminder tests to click Confirm after date selection
• (tests) Update web test assertions for new task47 fixture
• (tests) Properly assert sort order including task47 in web tests
• Use DelPrefix in upload avatar FlushCache to clear all cached sizes (79d0942)
• Reset group permission checkboxes when creating a new API token (30e53db)
• Wrap API tokens table rows in thead and tbody elements (b66b75f)
• Correct indentation in API tokens table after thead/tbody wrap (17360a8)
• Add missing error checks in filepath.Walk and defer Close locations (8dbff21)
• Replace stray panic with return err (122ba30)
• Prevent duplicated sql condition in filters (#​1546) (8779a28)
• Merge AND-joined sub-table filters into single EXISTS subquery (c034e43)
• Only merge range comparators in sub-table filter grouping (1943d69)
• Don't show export ready message when no export exists (7862651)
• Clamp gantt bar title position when task starts before visible range (df05c51)
• Break long continuous strings in editor to prevent overflow (bc2f7e5)
• Fix API_URL trailing slash and remove CORS env var overrides in test:e2e (51a9f9c)
• Use preview:dev for correct dist dir and kill process groups in test:e2e (d008512)
• Use in-memory SQLite and log temp directory cleanup in test:e2e (fec1c03)
• Correct broken throttle in checkAuth that never triggered (a11cde1)
• Don't overwrite user info with incomplete JWT data on navigation (1d420dd)
• Keep token expiry in sync when skipping setUser from JWT (65806df)
• Reset throttle on logout so checkAuth clears auth state (4cee2cf)
• Detect and store mime type when creating file attachments (519f66a)
• Add Content-Disposition attachment header to task attachment downloads (4915f53)
• Fall back to application/octet-stream when the file has no mime type stored (c6370bb)
• Escape attachment download filename (d222d45)
• Load file content before generating attachment preview (1ccc8dc)
• Treat archived TickTick tasks as done during import (249b651)
• Prevent browser from caching API responses (a13ecbd)
• Show tasks spanning entire gantt date range (56eb5d3)
• Prevent cursor reset when typing in filter input (#​2287) (f7a93e4)
• Wait for router before dismissing loading screen (7c04d44)
• Replace tx.Sync() with explicit ALTER TABLE in webhooks migration (b1534f1)
• Make teams oidc_id rename migration idempotent (4acad97)
• Add comprehensive catchup for bucket and filter format migrations (99ac3e6)
• Cast bucket_configuration to text in postgres catchup query (3d6c527)
• Preserve teams external_id type when renaming on mysql (0c7c07b)
• Decouple webhook dispatch from email/mailer config (6de82db)
• Add transaction begin to db.NewSession() (fd77e04)
• Add missing Commit() to write callers (c9c250f)
• Close leaked database sessions (764d356)
• Eliminate nested database sessions to prevent table locks (49bba7f)
• Handle Begin() error in db.NewSession() instead of ignoring it (1167b08)
• Remove transaction control from File.Delete to prevent premature commit/rollback (312648d)
• Isolate deletion notifications into per-user transactions (eea59c3)
• Add missing Commit() to event listeners and cron jobs (2188c7a)
• Pass pointer to xorm Update to avoid hash panic in transaction mode (cbfd0e6)
• Use session-aware file creation to avoid nested transactions (2a10b22)
• Prevent session leaks and visibility issues in model tests (a7086e5)
• Add TestMain to caldav tests and fix session conflicts (2f71820)
• Use caller's session in LDAP syncUserGroups to avoid nested transactions (b3d8a56)
• Address review comments on session lifecycle (2f680d0)
• Commit transaction in session cleanup cron (107a92f)
• Prevent reflected HTML injection via filter URL parameter (a42b4f3)
• Prevent XSS via innerHTML injection in link edit prompt (111ac9c)
• Detect and fail on oversized zip entries instead of silent truncation (39da47e)

Dependencies

• (deps) Update dev-dependencies
• (deps) Update mcr.microsoft.com/playwright docker tag to v1.58.2
• (deps) Bump axios from 1.13.2 to 1.13.5 in /frontend
• (deps) Update dependency happy-dom to v20.5.1
• (deps) Update dependency electron to v40.4.1
• (deps) Update dependency eslint-plugin-vue to v10.8.0
• (deps) Update dependency caniuse-lite to v1.0.30001770
• (deps) Update dev-dependencies to v8.56.0
• (deps) Pin dependency eslint-plugin-depend to 1.4.0
• (deps) Update dependency @​vue/eslint-config-typescript to v14.7.0
• (deps) Bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 (#​2252)
• (deps) Upgrade node-tar to 7.5.9
• (deps) Upgrade qs to 6.15.0
• (deps) Upgrade markdown-it to 14.1.1
• (deps) Update dependency electron-builder to v26.8.0 (#​2253)
• (deps) Update dev-dependencies (#​2257)
• (deps) Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1
• (deps) Update minimatch to ^10.2.1 via pnpm overrides
• (deps) Update dependency rollup-plugin-visualizer to v6.0.8
• (deps) Update dependency caniuse-lite to v1.0.30001774
• (deps) Update dev-dependencies to v8.56.1
• (deps) Update ajv to 6.14.0
• (deps) Update dependency electron to v40.6.1

Documentation

• Document mage test:e2e in AGENTS.md (8f6f8f9)
• Instruct agents to save test output instead of re-running tests (c8ea673)

Features

• (api) Enforce password validation on reset and update flows
• (attachments) Open file picker directly from sidebar button
• (auth) Allow LDAP authentication with anonymous bind (#​2226)
• (cli) Reorganize repair commands under unified 'vikunja repair' parent (#​2300)
• (comments) Support order_by query parameter in comments API
• (comments) Add sort order toggle for task comments
• (dev) Print commit statistics during tag-release
• (frontend) Make dev server port configurable via VIKUNJA_FRONTEND_PORT env var
• (frontend) Use Password component in password update settings
• (gantt) Add dateType field to GanttBarModel meta
• (gantt) Handle tasks with partial dates in transformation and filtering
• (gantt) Render partial-date bars with gradient fade effect
• (gantt) Update API filter to fetch tasks with due_date or end_date
• (gantt) Add i18n strings for partial-date accessibility
• (gantt) Update drag/resize to handle partial-date task updates
• (gantt) Right-align text for endOnly partial-date bars
• Use credentials when accessing PWA manifest (#​2218) (b196c98)
• Add eslint-plugin-depend to frontend (2fe66c8)
• Add dependency diff and provenance GitHub Action for PRs (8f48b58)
• Add Swedish for language selection (#​2248) (e3695c1)
• Toggle test verbosity based on Mage verbose flag (fc0e0f5)
• Add optional project column to table view (#​2182) (48074d2)
• Add discard and reload confirmation modal (#​2154) (bf8138e)
• Clickable task notifications (#​2258) (8fd256a)
• Add mage test:e2e for isolated end-to-end testing (c5ae797)
• Add repair-file-mime-types CLI command (55c122f)
• Add TaskReminderFiredEvent and TaskOverdueEvent types (e04c1a3)
• Register reminder and overdue events for webhooks (83dc753)
• Dispatch TaskReminderFiredEvent from reminder cron (626e731)
• Dispatch TaskOverdueEvent from overdue cron (54aacd3)
• Add sessions table migration (04e6047)
• Add jwtttlshort config key for session tokens (a6bdeb6)
• Add Session model with CRUD, permissions, and cleanup cron (b3d0b2f)
• Add session-based auth with refresh token rotation (8ee069a)
• Add frontend session management with refresh tokens (be1db01)
• Add RepairOrphanedProjects function (ad307a3)
• Add repair-projects CLI command (71657fc)

Miscellaneous Tasks

• (ci) Update golangci-lint from v2.6.0 to v2.9.0
• (dev) Add sample config to gitignore
• (i18n) Update translations via Crowdin
• (lint) Ignore revive var-naming for stdlib-conflicting package names
• (renovate) Group playwright npm package and docker image together
• Downgrade depend/ban-dependencies to warning (e6ae87d)
• Fix lint issue from gantt partial dates feature (2bf99cf)

Other

• (other) [skip ci] Updated swagger docs

Refactor

• (gantt) Extract GanttBarDateType as reusable type
• (utils) Extract ContainsPathTraversal to shared utils package
• Remove environment variable requirements for go test (591a646)
• Remove root path in favor of Magefile default directory (e19a614)
• Return errors to Mage instead of os.Exit and stream to stdout/stderr (d8983b7)
• Switch to native filepath.Walk for gofmt file discovery (c773e2e)
• Use Go idioms for running tests (b2715bb)
• Remove redundant Begin() calls after NewSession auto-begins (a6e6f25)
• Remove typesense support (a5b1a90)

Styling

• Run gofmt -s to update octal literals (65ef54f)
• Fix doc comments to match godoc style (cba5f6b)
• Fix alignment in test case (302b58d)

Testing

• (api) Add tests for password validation in reset and update flows
• (comments) Add e2e tests for comment sort order
• (e2e) Add Playwright test for avatar cache invalidation
• (task) Add e2e tests for reminder confirm-before-save behavior
• Add failing test for upload avatar FlushCache (c93fa1b)
• Add task #​47 with reminders outside window for bug #​2245 (6733ac4)
• Add failing test for sub-table filter multi-row matching bug #​2245 (cd72231)
• Update expected task index after adding task #​47 fixture (d1901f4)
• Add OR-joined reminder filter regression test (a93f6bf)
• Add unit tests for getDisplayName (1dc625f)
• Add session lifecycle tests (2ef693a)
• Add e2e tests for session refresh and retry interceptor (cb091f9)
• Add regression test for atomic parent project deletion (23176bb)
• Add orphaned project fixture for repair-projects command (9e050fe)
• Add failing tests for RepairOrphanedProjects (963235c)

v1.1.0

Compare Source

Bug Fixes

• (auth) Remove unnecessary fields from JWT token payloads
• (backgrounds) Enforce max file size for unsplash downloads
• (backgrounds) Avoid integer overflow in max size calculation
• (backgrounds) Stream unsplash download to temp file instead of memory
• (build) Add osusergo tag to prevent SIGFPE crash under systemd
• (build) Normalize comma-separated TAGS to prevent build failure
• (ci) Move gpg setup to right before sign step
• (dump) Stream files during restore to avoid memory pressure
• (dump) Limit copy size to prevent decompression bombs
• (files) Require io.ReadSeeker for S3 uploads, remove temp file fallback
• (files) Update all callers to provide seekable readers for S3 uploads
• (files) Seek to start before writing for consistent behavior
• (log) Write each log category to its own file (#​2206)
• (nav) Show shared sub-projects in sidebar when the parent is inaccessible (#​2176)
• (task) Use DOMParser in task glance tooltip description preview
• Add touch CSS properties to list view for mobile drag-and-drop (b741c2d)
• Restrict numeric date regex matching to text boundaries (#​2195) (a82efa0)
• Allow middle-of-text dates when followed by time expressions (#​2195) (3f0bf71)
• Iterate past rejected middle matches in matchDateAtBoundary() (77b8403)
• Redirect immediately after login to prevent form flash in app shell (8bccf21)
• Redirect immediately after registration to prevent form flash in app shell (dcff454)
• Avoid clearing saved redirect in onBeforeMount to prevent race with submit (0e2ea5c)
• Prevent auth layout swap while still on login/register route (5d9f62c)
• Guard against undefined route.name in auth layout check (cdca790)
• Format attachment upload error messages as readable strings (7256a14)
• Handle attachment upload errors with user-visible notifications (eb369cf)

Dependencies

• (deps) Update @​isaacs/brace-expansion to 5.0.1
• (deps) Update node-tar
• (deps) Update lodash to 4.17.23

Documentation

• (agents) Include go tips [skip ci]
• Add caveat about running go tests to agent instructions [skip ci] (ac3fd3e)

Features

• (doctor) Add detailed file diagnostics for local storage (#​2179)
• (doctor) Add user namespace detection and improved storage diagnostics (#​2180)
• Add option to send Basic Auth header with webhook requests (#​2137) (cf029ce)
• Add matchDateAtBoundary() helper for position-aware date matching (#​2195) (1013305)
• Add UNSIGNED-PAYLOAD config option for S3-compatible stores (#​2205) (b6974ff)

Miscellaneous Tasks

• (ci) Add debugging around release signing
• (i18n) Update translations via Crowdin

Other

• (other) [skip ci] Updated swagger docs

Refactor

• (db) Extract testable ResolveDatabasePath function (#​2193)
• (files) Remove redundant seek operations in writeToStorage
• Remove unnecessary flags parameter from matchDateAtBoundary() (61448bb)
• Remove unnecessary comment from getDateFromText() (cee258e)
• Extract auth route names into shared constant (e9a6abf)

Testing

• (files) Update tests for io.ReadSeeker API
• Add failing tests for middle-of-text date false positives (#​2195) (e9b10e6)
• Add dot-separated middle-of-text date false positive test (#​2195) (829b10b)
• Add positive boundary tests for date parsing (#​2195) (c544886)
• Add E2E test for login form flash regression (b3e95e9)

v1.0.0

Compare Source

Bug Fixes

• (editor) Prevent crash when exiting edit mode in tiptap
• (files) Make sure base directory exists when using local file system (#​2166)
• (routes) Restore SPA routing after Echo v5 upgrade
• Use dark shadows for email template in dark mode (#​2155) (28593e6)

Dependencies

• (deps) Update dependency sass-embedded to v1.97.3 (#​2150)
• (deps) Update module github.com/redis/go-redis/v9 to v9.17.3 (#​2153)
• (deps) Update dev-dependencies (major) (#​1375)
• (deps) Update tiptap to v3.17.0

Features

• Add required checkbox to confirm issue search before submission (d61caab)
• Add vikunja doctor command for diagnostic checks (#​2165) (3aa1e90)

Miscellaneous Tasks

• Use correct repo and issue url (72a928d)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.