Official Vikunja import
Go to file
dependabot[bot] ae06956364
chore(deps): bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 (#2252)
Bumps [github.com/labstack/echo/v5](https://github.com/labstack/echo)
from 5.0.0 to 5.0.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/labstack/echo/releases">github.com/labstack/echo/v5's
releases</a>.</em></p>
<blockquote>
<h2>v5.0.3 security (static middleware directory traversal under
Windows)</h2>
<p>Fix directory traversal vulnerability under Windows in Static
middleware when default Echo filesystem is used. Reported by <a
href="https://github.com/shblue21"><code>@​shblue21</code></a> (<a
href="https://redirect.github.com/labstack/echo/pull/2891">labstack/echo#2891</a>).</p>
<p>This applies to cases when:</p>
<ul>
<li>Windows is used as OS</li>
<li><code>middleware.StaticConfig.Filesystem</code> is <code>nil</code>
(default)</li>
<li><code>echo.Filesystem</code> is has not been set explicitly
(default)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/labstack/echo/compare/v5.0.2...v5.0.3">https://github.com/labstack/echo/compare/v5.0.2...v5.0.3</a></p>
<h2>v5.0.2 security (static middleware folder browsing)</h2>
<p><strong>Security</strong></p>
<ul>
<li>Fix Static middleware when folder browsing is enabled
(<code>config.Browse=true</code> , defaults to <code>false</code>) lists
all files/subfolders from <code>config.Filesystem</code> root folder and
not starting from <code>config.Root</code> and requested folder in <a
href="https://redirect.github.com/labstack/echo/pull/2887">labstack/echo#2887</a>
. Reported by <a
href="https://github.com/shblue21"><code>@​shblue21</code></a> in <a
href="https://redirect.github.com/labstack/echo/issues/2886">labstack/echo#2886</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/labstack/echo/compare/v5.0.1...v5.0.2">https://github.com/labstack/echo/compare/v5.0.1...v5.0.2</a></p>
<h2>v5.0.1 small fixes</h2>
<h2>What's Changed</h2>
<ul>
<li>Panic MW: will now return a custom PanicStackError with stack trace
by <a href="https://github.com/aldas"><code>@​aldas</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2871">labstack/echo#2871</a></li>
<li>Docs: add missing err parameter to DenyHandler example by <a
href="https://github.com/cgalibern"><code>@​cgalibern</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2878">labstack/echo#2878</a></li>
<li>Context: improve websocket checks in IsWebSocket() [per RFC 6455] by
<a
href="https://github.com/raju-mechatronics"><code>@​raju-mechatronics</code></a>
in <a
href="https://redirect.github.com/labstack/echo/pull/2875">labstack/echo#2875</a></li>
<li>Fix: Context.Json() should not send status code before serialization
is complete by <a
href="https://github.com/aldas"><code>@​aldas</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2877">labstack/echo#2877</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/cgalibern"><code>@​cgalibern</code></a>
made their first contribution in <a
href="https://redirect.github.com/labstack/echo/pull/2878">labstack/echo#2878</a></li>
<li><a
href="https://github.com/raju-mechatronics"><code>@​raju-mechatronics</code></a>
made their first contribution in <a
href="https://redirect.github.com/labstack/echo/pull/2875">labstack/echo#2875</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/labstack/echo/compare/v5.0.0...v5.0.1">https://github.com/labstack/echo/compare/v5.0.0...v5.0.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/labstack/echo/blob/master/CHANGELOG.md">github.com/labstack/echo/v5's
changelog</a>.</em></p>
<blockquote>
<h2>v5.0.3 - 2026-02-06</h2>
<p><strong>Security</strong></p>
<ul>
<li>Fix directory traversal vulnerability under Windows in Static
middleware when default Echo filesystem is used. Reported by <a
href="https://github.com/shblue21"><code>@​shblue21</code></a>.</li>
</ul>
<p>This applies to cases when:</p>
<ul>
<li>Windows is used as OS</li>
<li><code>middleware.StaticConfig.Filesystem</code> is <code>nil</code>
(default)</li>
<li><code>echo.Filesystem</code> is has not been set explicitly
(default)</li>
</ul>
<p>Exposure is restricted to the active process working directory and
its subfolders.</p>
<h2>v5.0.2 - 2026-02-02</h2>
<p><strong>Security</strong></p>
<ul>
<li>Fix Static middleware with <code>config.Browse=true</code> lists all
files/subfolders from <code>config.Filesystem</code> root and not
starting from <code>config.Root</code> in <a
href="https://redirect.github.com/labstack/echo/pull/2887">labstack/echo#2887</a></li>
</ul>
<h2>v5.0.1 - 2026-01-28</h2>
<ul>
<li>Panic MW: will now return a custom PanicStackError with stack trace
by <a href="https://github.com/aldas"><code>@​aldas</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2871">labstack/echo#2871</a></li>
<li>Docs: add missing err parameter to DenyHandler example by <a
href="https://github.com/cgalibern"><code>@​cgalibern</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2878">labstack/echo#2878</a></li>
<li>improve: improve websocket checks in IsWebSocket() [per RFC 6455] by
<a
href="https://github.com/raju-mechatronics"><code>@​raju-mechatronics</code></a>
in <a
href="https://redirect.github.com/labstack/echo/pull/2875">labstack/echo#2875</a></li>
<li>fix: Context.Json() should not send status code before serialization
is complete by <a
href="https://github.com/aldas"><code>@​aldas</code></a> in <a
href="https://redirect.github.com/labstack/echo/pull/2877">labstack/echo#2877</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b1d443086e"><code>b1d4430</code></a>
Merge pull request <a
href="https://redirect.github.com/labstack/echo/issues/2891">#2891</a>
from aldas/fix_staticmw</li>
<li><a
href="48f25a6c16"><code>48f25a6</code></a>
Fix test reporting different size due Windows / Linux line ending
inconsisten...</li>
<li><a
href="6c162596b4"><code>6c16259</code></a>
Fix directory traversal vulnerability under Windows in Static middleware
when...</li>
<li><a
href="88d975a83d"><code>88d975a</code></a>
Fix directory traversal vulnerability under Windows in Static middleware
when...</li>
<li><a
href="09ccfbaace"><code>09ccfba</code></a>
Fill c.Request().Pattern field with route path to help standard library
based...</li>
<li><a
href="68aaf3a429"><code>68aaf3a</code></a>
Changelog for version 5.0.2</li>
<li><a
href="26ec148ea7"><code>26ec148</code></a>
security (static middleware): fix bowser=true listing all file names
from giv...</li>
<li><a
href="ba104908b9"><code>ba10490</code></a>
Merge pull request <a
href="https://redirect.github.com/labstack/echo/issues/2880">#2880</a>
from aldas/changelog_501</li>
<li><a
href="0954d6e36e"><code>0954d6e</code></a>
Changelog for v5.0.1 release</li>
<li><a
href="8e4c91f736"><code>8e4c91f</code></a>
Create SECURITY.md</li>
<li>Additional commits viewable in <a
href="https://github.com/labstack/echo/compare/v5.0.0...v5.0.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/labstack/echo/v5&package-manager=go_modules&previous-version=5.0.0&new-version=5.0.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/go-vikunja/vikunja/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-17 21:26:04 +01:00
.claude chore(dev): add prepare worktree command to mage 2026-01-24 18:32:23 +01:00
.github feat: add dependency diff and provenance GitHub Action for PRs 2026-02-17 12:00:31 +01:00
.vscode feat(dev): add frontend and api to launch config 2025-06-19 14:54:08 +02:00
.zed fix(dev): zed frontend task 2025-06-26 12:32:04 +02:00
build fix(release): use openrc for alpine (#1016) 2025-06-25 10:40:11 +00:00
contrib feat: improve clean-translations script (#964) 2025-06-16 19:31:41 +00:00
desktop chore(deps): update dependency electron to v40.4.1 2026-02-13 20:20:31 +01:00
examples/plugins/example fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
frontend chore(deps): update dependency @vue/eslint-config-typescript to v14.7.0 2026-02-17 15:38:34 +01:00
pkg refactor: use Go idioms for running tests 2026-02-17 18:01:05 +01:00
rest chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
.devcontainer.json chore(dev): use latest devenv docker container for devcontainer 2025-07-02 20:17:29 +02:00
.dockerignore Revert "feat: improve docker layers (#803)" 2025-05-21 10:18:57 +02:00
.editorconfig chore(dev): insert final newline 2025-05-23 11:56:50 +02:00
.envrc chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
.gitignore feat(tasks): scroll to bottom in task detail view when comments are available (#1995) 2025-12-16 22:06:47 +00:00
.golangci.yml chore(lint): ignore revive var-naming for stdlib-conflicting package names 2026-02-11 09:56:20 +01:00
AGENTS.md docs: add caveat about running go tests to agent instructions [skip ci] 2026-02-08 15:43:48 +01:00
CHANGELOG.md chore: v1.1.0 release preparations 2026-02-09 11:05:34 +01:00
CLAUDE.md docs: add AGENTS.md file with instructions for AI coding agents 2025-06-10 14:23:55 +02:00
CONTRIBUTING.md chore: update contributing guidelines 2023-10-10 17:48:10 +02:00
CRUSH.md docs: add link for crus coding agent instructions 2025-08-01 16:52:30 +02:00
Dockerfile chore(deps): update ghcr.io/techknowlogick/xgo:go-1.25.x docker digest to 11ac5e6 2026-01-16 10:17:44 +01:00
LICENSE fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
README.md chore: v1.1.0 release preparations 2026-02-09 11:05:34 +01:00
cliff.toml fix: add \n between scoped and unscoped commits in git cliff config 2024-11-08 11:19:50 +01:00
code-header-template.txt fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
conductor.json chore(dev): add conductor config 2025-12-07 23:02:19 +01:00
config-raw.json feat: add UNSIGNED-PAYLOAD config option for S3-compatible stores (#2205) 2026-02-08 15:03:19 +00:00
crowdin.yml chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
devenv.lock chore(deps): update devenv 2025-12-20 19:13:51 +01:00
devenv.nix feat: migrate cypress e2e tests to playwright (#1739) 2025-11-27 16:34:48 +01:00
devenv.yaml feat: switch from nix flakes to devenv 2024-08-12 12:17:31 +02:00
go.mod chore(deps): bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 (#2252) 2026-02-17 21:26:04 +01:00
go.sum chore(deps): bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 (#2252) 2026-02-17 21:26:04 +01:00
magefile.go fix: replace stray panic with return err 2026-02-17 18:01:05 +01:00
main.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
nfpm.yaml fix(release): use openrc for alpine (#1016) 2025-06-25 10:40:11 +00:00
publiccode.yml docs: update publiccode.yml [skip ci] 2024-02-25 14:06:23 +01:00
renovate.json chore(renovate): group playwright npm package and docker image together 2026-02-11 09:56:20 +01:00
tools.go chore(deps): update golangci-lint to 2.6.0 (#1737) 2025-10-31 17:28:52 +00:00
tsconfig.json fix: correct trailing comma in tsconfig (#970) 2025-06-26 12:30:24 +00:00
vikunja.initd fix(release): use openrc for alpine (#1016) 2025-06-25 10:40:11 +00:00
vikunja.service chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00

README.md

Build Status License: AGPL-3.0-or-later Install Docker Pulls Swagger Docs Go Report Card

Vikunja

The Todo-app to organize your life.

If Vikunja is useful to you, please consider buying me a coffee, sponsoring me on GitHub or buying a sticker pack. I'm also offering a hosted version of Vikunja if you want a hassle-free solution for yourself or your team.

Table of contents

Security Reports

If you find any security-related issues you don't want to disclose publicly, please use the contact information on our website.

Features

See the features page on our website for a more exhaustive list or try it on try.vikunja.io!

Docs

All docs can be found on the Vikunja home page.

Roadmap

See the roadmap (hosted on Vikunja!) for more!

Contributing

Please check out the contribution guidelines on the website.

License

Most of this repository is licensed under AGPL3.0orlater. The contents of desktop/ are licensed under GPL3.0orlater.

Unsplash Images

Background images from Unsplash are distributed under the Unsplash License. The license requires giving credit to the photographer and Unsplash. See Unsplashs terms for more information.