• v1.36.1 98b3906582

    Vaultwarden-Plus v1.36.1

    StefanSA released this 2026-06-24 11:31:44 +02:00 | 1 commit to main since this release

    Stable release date: 2026-06-24

    This is the first stable Vaultwarden-Plus release after RC1.

    Highlights

    • Mail Dispatch Hardening for account mail paths.
    • Enumeration Protection for password-hint and account-mail request behavior.
    • New-device async notifications for non-critical login notification mail.
    • Build cache durability for Forgejo Docker buildx image builds.
    • CI stabilization for Rust checks, publish-surface validation, Renovate, and image artifact workflows.
    • Product documentation consolidation across project state, product docs, maintainer guide, feature matrix, upstream tracker, and release notes.
    • Feature Matrix refresh for the stable v1.36.1 state.
    • Upstream tracking refresh with #7345 and #5856 moved from candidate to implemented status.

    Security

    • Critical OTP/security mail flows remain fail-closed.
    • Enumeration-sensitive account-mail paths avoid exposing mail transport failures to unauthenticated callers in the implemented scope.
    • Token query redaction, invalid HTTP block-regex no-panic handling, external TLS guidance, and passkey feature gating remain part of the validated security posture.
    • Production deployments should continue to terminate TLS at a trusted reverse proxy; Rocket built-in TLS remains discouraged for production.

    Compatibility

    • Preserves official Bitwarden client compatibility as the primary release constraint.
    • Carries forward the validated 2026.5 registration, policy, and malformed SSH-key sync compatibility fixes.
    • Carries forward Send Email Verification validation for official Web Vault, Linux Desktop, and iOS.
    • Passkey login and PRF unlock remain behind PASSKEY_LOGIN_ENABLED and retain the previously validated Web Vault and official Chromium Extension scope.

    Operator Improvements

    • New-device notification mail no longer blocks the login response path.
    • Forgejo automatic image builds use durable local buildx cache replacement.
    • Release image is published as:
      • forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:1.36.1
      • forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:latest
      • forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:<short-sha>
    • Release artifacts:
      • vaultwarden-plus-1.36.1.tar.gz
      • vaultwarden-plus-1.36.1.tar.gz.sha256

    Documentation

    • README.md
    • CHANGELOG.md
    • docs/CHANGELOG.md
    • docs/PROJECT_STATE.md
    • docs/PRODUCT.md
    • docs/KNOWN_LIMITATIONS.md
    • docs/upstream/FEATURE_MATRIX.md
    • docs/upstream/UPSTREAM_ISSUE_TRACKER.md
    • docs/releases/2026-06-v1.36.1/RELEASE_NOTES.md

    Deferred

    • /api/sync response parity audit for upstream #6988.
    • MariaDB 11.x/12.x migration repro harness for upstream #7268.
    • Mobile SSO/push watch items #7371 and #7372 until reproducible server-side evidence exists.
    • Direct broad adoption of upstream #7297; use it as reference until it stabilizes, splits, or is replaced.
    • Desktop, Android, and iOS passkey-login assessment.
    • Passkey recovery/fallback hardening.
    • Advanced passkey operator policy controls.
    • Optional dependency investigations from the Dependency Dashboard: reqwest, jsonwebtoken, yubico, opendal, cached, docker/toolchain/base images, database images, and cargo-storage/AWS/reqsign.