On X11/XWayland (Electron's default on Wayland sessions) the window had no
icon, so KDE Plasma showed the generic placeholder. Point BrowserWindow at
the packaged icon.png so the compositor has an icon to render.
When the app is hidden in the tray, closing then relaunching it triggered
the single-instance second-instance handler, which only called focus() — a
hidden window stays hidden on focus(), so the app appeared not to start
(notably on KDE Plasma Wayland where the tray icon may also be unreachable).
Call show() to surface it, and recreate the window if it no longer exists.
The desktop app ignored termination signals because the tray and embedded
express server keep the Electron event loop alive, forcing users to kill -9
on logout/shutdown. Add SIGINT/SIGTERM handlers that set isQuitting before
app.quit() so the hide-to-tray close handler doesn't swallow the quit.
node-gyp's undici 6.26.0 -> 6.27.0 and @electron/get's 7.27.2 -> 7.28.0,
each pinned within its major via overrides so only the security patch is
taken (an open >= range would jump across majors, e.g. to undici 8).
Resolves the 9 open desktop undici Dependabot alerts.
Desktop only has the v4 copy, so a plain override pins it to >=4.2.0
(resolves alert #245). The frontend also pulls js-yaml v3 via
gray-matter (histoire story tooling), which has no v4-compatible
release, so a scoped 'js-yaml@4' override bumps only the v4 copies
(eslint/cosmiconfig) and leaves gray-matter on 3.14.2. Alert #256
stays open for that dev-only, trusted-input path.
Resolves the form-data <4.0.6 advisory (predictable multipart
boundary). Transitive in both workspaces; pinned via pnpm overrides.
Dependabot alerts #247 (desktop) and #258 (frontend).
Resolves GHSA-7c78-jf6q-g5cm (type-confusion bypass of _assertPath
allowing path traversal). tmp was pinned to >=0.2.6 via pnpm overrides
in both the frontend and desktop workspaces, which resolved to the
vulnerable 0.2.6. Dependabot alerts #243 (desktop) and #244 (frontend).
The tray icon was loaded from desktop/build/icon.png, but build/ is
electron-builder's default buildResources directory, whose contents are
not packaged into the app. The icon therefore existed when running from
source but was missing in every released build, leaving an empty tray
icon.
Load the icon from the packaged app root instead and add icon.png there,
rendered from the circular logo.svg so it has transparent corners rather
than the square full-bleed source artwork.
Fixes#2668
Resolves a medium-severity XSS in Address6 HTML-emitting methods
(GHSA / Dependabot alert #224). Vulnerable range: <=10.1.0,
patched in 10.1.1. The package is pulled in transitively through
socks -> socks-proxy-agent in the Electron build chain
(devDependency only), but we add a pnpm override to ensure the
patched version is used everywhere. The frontend workspace already
has the equivalent override.
Resolves Dependabot alert #233: qs.stringify crashes with TypeError on
null/undefined entries in comma-format arrays when encodeValuesOnly is
set (DoS, medium severity).
Updates transitive dependency via pnpm update from 6.15.0 to 6.15.2.
Adds a pnpm override for `tmp` in both the `frontend` and `desktop`
workspaces to force the patched version (0.2.6). The previous transitive
resolutions (`tmp@0.0.33` via external-editor in frontend, `tmp@0.2.3`
via tmp-promise in desktop) are vulnerable to a path traversal via
unsanitized prefix/postfix that enables directory escape.
Addresses Dependabot alerts #234 (desktop) and #235 (frontend).
Chromium already caps zoom levels internally, so the manual [-7, +7]
clamp was redundant. Removes the constants and clamping logic while
keeping the before-input-event approach intact for persistence support.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Electron does not register zoom shortcuts by default, so the desktop app
had no way to scale the UI. Register Ctrl+Plus, Ctrl+Minus and Ctrl+0
via webContents.before-input-event, and Ctrl+scroll via the zoom-changed
event.
The zoom level is clamped to [-7, +7] (Chromium's range, roughly 28% to
358%) and persisted to zoom.json in app.getPath('userData'), so the
chosen level survives restarts. Restored zoom is re-applied on every
did-finish-load, since Electron resets zoom across page reloads.
Fixes#2623
The old setupTray() called tray.destroy() before creating a new Tray. On
Linux with KDE Plasma 6 Wayland, tray.destroy() does not actually remove
the icon from plasmashell (electron/electron#49517), so the new Tray
registers a fresh dbusmenu while plasmashell keeps talking to the
orphaned one. Menu items still render (cached layout) but every
com.canonical.dbusmenu.Event("clicked", ...) method call from plasmashell
hits the destroyed handler and is dropped, so menu-item click callbacks
stop firing after the frontend triggers a rebuild on login.
Move the one-time Tray construction (icon, tooltip, click handler)
behind a !tray guard and keep setContextMenu in the always-run path. The
desktop:update-quick-entry-shortcut IPC handler keeps calling setupTray()
and the accelerator label updates without touching the native Tray.
Add shortcut management: register/unregister shortcuts dynamically
via IPC from the frontend settings. Add --quick-entry CLI argument
to show quick entry on launch or toggle it when a second instance
is started. Add show-main-window IPC handler for Ctrl+Enter task
open flow.
Add desktopQuickEntryShortcut to frontend settings with a Desktop
App section in General settings, only visible when running in the
Electron app. The setting syncs to the desktop main process via
IPC whenever settings are loaded or saved.
When creating a task via quick entry, pressing Ctrl+Enter (or
Cmd+Enter on macOS) creates the task and opens it in the main
Vikunja window. Adds show-main-window IPC to bring the main
window to focus.
Add a complete OAuth 2.0 PKCE flow for the Electron desktop app:
- Implement PKCE code generation and token exchange in Electron
- Register custom protocol handler (vikunja-desktop://) for deep links
- Handle deep link race conditions (buffered URLs, process.argv fallback)
- Prevent duplicate IPC listener accumulation on re-mount
- Preserve sub-paths in OAuth authorize URL for non-root deployments
- Add token refresh support using Electron's net module
renovate[bot]
kolaente
Dávid Takács-Tolnai
kolaente