StefanSA/vaultwarden-plus
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases 2 Packages 1 Wiki Activity Actions
2 releases 2 tags
  • v1.36.1 98b3906582

    Vaultwarden-Plus v1.36.1
    All checks were successful
    ci / rust-checks (push) Successful in 2m48s
    Details
    validate-publish-surface / validate-publish-surface (push) Successful in 4s
    Details
    Stable

    StefanSA released this 2026-06-24 11:31:44 +02:00 | 1 commits to main since this release

    Vaultwarden-Plus v1.36.1

    Stable release date: 2026-06-24

    This is the first stable Vaultwarden-Plus release after RC1.

    Highlights

    • Mail Dispatch Hardening for account mail paths.
    • Enumeration Protection for password-hint and account-mail request behavior.
    • New-device async notifications for non-critical login notification mail.
    • Build cache durability for Forgejo Docker buildx image builds.
    • CI stabilization for Rust checks, publish-surface validation, Renovate, and image artifact workflows.
    • Product documentation consolidation across project state, product docs, maintainer guide, feature matrix, upstream tracker, and release notes.
    • Feature Matrix refresh for the stable v1.36.1 state.
    • Upstream tracking refresh with #7345 and #5856 moved from candidate to implemented status.

    Security

    • Critical OTP/security mail flows remain fail-closed.
    • Enumeration-sensitive account-mail paths avoid exposing mail transport failures to unauthenticated callers in the implemented scope.
    • Token query redaction, invalid HTTP block-regex no-panic handling, external TLS guidance, and passkey feature gating remain part of the validated security posture.
    • Production deployments should continue to terminate TLS at a trusted reverse proxy; Rocket built-in TLS remains discouraged for production.

    Compatibility

    • Preserves official Bitwarden client compatibility as the primary release constraint.
    • Carries forward the validated 2026.5 registration, policy, and malformed SSH-key sync compatibility fixes.
    • Carries forward Send Email Verification validation for official Web Vault, Linux Desktop, and iOS.
    • Passkey login and PRF unlock remain behind PASSKEY_LOGIN_ENABLED and retain the previously validated Web Vault and official Chromium Extension scope.

    Operator Improvements

    • New-device notification mail no longer blocks the login response path.
    • Forgejo automatic image builds use durable local buildx cache replacement.
    • Release image is published as:
      • forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:1.36.1
      • forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:latest
      • forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:<short-sha>
    • Release artifacts:
      • vaultwarden-plus-1.36.1.tar.gz
      • vaultwarden-plus-1.36.1.tar.gz.sha256

    Documentation

    • README.md
    • CHANGELOG.md
    • docs/CHANGELOG.md
    • docs/PROJECT_STATE.md
    • docs/PRODUCT.md
    • docs/KNOWN_LIMITATIONS.md
    • docs/upstream/FEATURE_MATRIX.md
    • docs/upstream/UPSTREAM_ISSUE_TRACKER.md
    • docs/releases/2026-06-v1.36.1/RELEASE_NOTES.md

    Deferred

    • /api/sync response parity audit for upstream #6988.
    • MariaDB 11.x/12.x migration repro harness for upstream #7268.
    • Mobile SSO/push watch items #7371 and #7372 until reproducible server-side evidence exists.
    • Direct broad adoption of upstream #7297; use it as reference until it stabilizes, splits, or is replaced.
    • Desktop, Android, and iOS passkey-login assessment.
    • Passkey recovery/fallback hardening.
    • Advanced passkey operator policy controls.
    • Optional dependency investigations from the Dependency Dashboard: reqwest, jsonwebtoken, yubico, opendal, cached, docker/toolchain/base images, database images, and cargo-storage/AWS/reqsign.
    Downloads
  • v1.36.0-rc1 018cc054d0

    Vaultwarden-Plus RC1 Pre-release

    StefanSA released this 2026-06-18 20:40:00 +02:00 | 10 commits to canonical/vwplus-all-in-20260612 since this release

    Vaultwarden-Plus RC1

    Release candidate for the current Forgejo main baseline.

    Current main: 4ba74020b9b4da53e5509ad423f5d7991362c4a2
    Release tag: v1.36.0-rc1
    Container images:

    • forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:1.36.0-rc1
    • forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:rc1
    • forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:4ba74020b9b4

    Highlights

    • Forgejo migration
    • Homelab runner
    • Rust runner certification
    • context-mode MCP repair
    • CI stabilization
    • Dependency cleanup
    • RC dependency freeze

    Technical Status

    • CI: PASS
    • Runner: PASS
    • Dependency Dashboard: PASS
    • Open dependency PRs: 0
    • Dependency branches: 0
    • RC blockers: 0

    Release Assets

    Current baseline assets:

    • vaultwarden-plus-manual-4ba74020b9b4.tar.gz
    • vaultwarden-plus-manual-4ba74020b9b4.tar.gz.sha256

    The current image export was prepared from the existing validated local image without rebuilding.

    Validation Summary

    Latest main CI status for 4ba74020b9b4da53e5509ad423f5d7991362c4a2:

    • auto-image-build: PASS
    • rust-checks: PASS
    • validate-publish-surface: PASS

    Dependency Dashboard #1 is reconciled and marks RC dependency work complete.

    Deferred

    • cargo-storage / AWS / reqsign
    • reqwest
    • jsonwebtoken
    • yubico
    • opendal
    • cached
    • docker/toolchain/base images
    • database images

    Security Notes

    • External TLS termination is required for production use.
    • Rocket built-in TLS is not recommended for this release candidate.
    • See docs/SECURITY_BASELINE.md.

    Upgrade Notes

    No special migration is expected beyond normal Vaultwarden upgrade procedures.

    Downloads