Replaces 33 for...in loops across 18 files with for...of + Object.keys/entries
or indexed for loops. for...in iterates enumerable string keys including
inherited ones, which is especially risky on reactive arrays (tasks, labels,
assignees, etc.) where polyfilled properties may appear.
Loops that mutate via splice during iteration now iterate backwards to avoid
index-shift bugs. Adds a no-restricted-syntax ESLint rule forbidding
ForInStatement to prevent regressions.
Closes#513
Every file input in the codebase is hidden (via class="is-hidden" or
scoped display:none) and triggered programmatically by a custom XButton.
None of Bulma's .file / .file-label / .file-cta / .file-input / .file-name /
.file-icon classes are used anywhere in .vue files, so the partial is dead
code.
Vikunja's Modal.vue uses a native <dialog> element with its own locally-
scoped classes (modal-dialog, modal-container, modal-content, modal-header).
None of Bulma's modal classes (.modal, .modal-background, .modal-card*) are
used anywhere in the app. The two CSS variables this partial provided
(--modal-card-head-padding, --modal-content-spacing-tablet) were inlined in
the two callers in the previous commits, so the whole partial is now dead
code.
Modal.vue already had several 'reset bulma' overrides fighting the default
rules Bulma applied to .modal-content; those can be cleaned up in a
follow-up.
The --modal-content-spacing-tablet CSS variable is provided by Bulma's
components/modal partial. Inlining Bulma's default (40px) lets us drop that
partial.
The --modal-card-head-padding CSS variable is provided by Bulma's
components/modal partial. Inlining Bulma's default (20px) lets us drop that
partial without needing a local redeclaration.
Call license.Init() after database initialization and before the web
server starts. Call license.Shutdown() during graceful shutdown to stop
the background check goroutine.
Implement the license validation system with:
- Server communication with retry logic and exponential backoff
- In-memory state management for feature flags and user limits
- Cached validation with 72h expiry stored in database
- Background goroutine with adaptive check intervals (24h/1h)
- Graceful degradation to community mode on failure
- Instance ID generation and persistence
Native <dialog> elements opened with showModal() render in the browser's
top-layer. Popups appended to document.body end up behind the dialog
regardless of z-index, which broke the slash-command menu and the user
mention suggestion inside the task detail modal.
Append the popups to the nearest open <dialog> ancestor of the editor
(falling back to document.body) so they join the same top-layer stacking
context.
Pacman verifies individual package signatures (.sig files). Add GPG
setup and detach-sign step for archlinux packages in the os-package
job. The .sig is uploaded alongside the package to S3.
S3 can't store symlinks. Previously all symlinks were deleted, which
removed vikunja.db -> vikunja.db.tar.gz needed by pacman. Now resolve
symlinks into real file copies first, then delete package files.
Add GPG signing configuration to nfpm.yaml for rpm packages. The
os-package job now sets up GPG and exports the key for nfpm to use
during package creation.
The dl.vikunja.io worker redirects package file requests under /repos/
to the existing artifacts, so uploading them again is redundant.
Remove .deb, .rpm, .apk, .archlinux, .pacman, .pkg.tar.zst files
and symlinks before uploading to R2.
The s3-action glob matched directories causing EISDIR errors. Fixed
the action to filter with fs.statSync().isFile(). Updated all
s3-action references to the new version.
The **/*.* glob skipped extensionless files like Release, InRelease,
and Packages. Revert to **/* and instead remove reprepro's internal
db/conf directories and directory symlinks before uploading.
Parse the top-level `attachments` array in WeKan board JSON exports,
group them by card ID, base64-decode the payload, and attach the
resulting files to the generated tasks so they land in Vikunja as
task attachments. Orphaned attachments (cardId with no matching card)
are silently skipped; decode errors are logged and skipped.
The mage-static binary is compiled with glibc which can't run on
Alpine's musl. Instead of fighting compatibility, inline the APK
repo generation as shell commands since the logic is simple.
- Install libc6-compat on Alpine so the glibc-linked mage binary runs
- Change S3 upload glob from **/* to **/*.* to skip directories
- Add debug step to inspect mage-static binary on Alpine
Each package format now runs in its native container image:
- apt: ubuntu:noble (reprepro)
- rpm: fedora:latest (createrepo_c)
- pacman: archlinux:latest (repo-add + bsdtar built-in)
- apk: alpine:latest (apk + abuild-sign built-in)
This eliminates cross-distro tool availability issues. Desktop
packages are downloaded and renamed per format to match the mage
target glob patterns. Also adds --allow-untrusted to apk index
since nfpm-produced .apk packages are unsigned.
repo-add uses bsdtar to validate packages, which requires
libarchive-tools. The .archlinux extension works fine with repo-add
so the rename to .pkg.tar.zst was unnecessary. Also removes debug
steps.