Cached config operations

2026-06-24 00:05:29 +00:00 · 2025-12-28 23:44:50 +01:00
117 changed files with 11172 additions and 11075 deletions
@@ -50,11 +50,10 @@
 #########################

 ## Database URL
-## When using SQLite, this should use the sqlite:// scheme followed by the path
-## to the DB file. It defaults to sqlite://%DATA_FOLDER%/db.sqlite3.
-## Bare paths without the sqlite:// scheme are supported for backwards compatibility,
-## but only if the database file already exists.
-# DATABASE_URL=sqlite://data/db.sqlite3
+## When using SQLite, this is the path to the DB file, and it defaults to
+## %DATA_FOLDER%/db.sqlite3. If DATA_FOLDER is set to an external location, this
+## must be set to a local sqlite3 file path.
+# DATABASE_URL=data/db.sqlite3
 ## When using MySQL, specify an appropriate connection URI.
 ## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html
 # DATABASE_URL=mysql://user:password@host[:port]/database_name
@@ -373,22 +372,16 @@
 ## Note that clients cache the /api/config endpoint for about 1 hour and it could take some time before they are enabled or disabled!
 ##
 ## The following flags are available:
-## - "pm-5594-safari-account-switching": Enable account switching in Safari. (Safari >= 2026.2.0)
-## - "ssh-agent": Enable SSH agent support on Desktop. (Desktop >= 2024.12.0)
-## - "ssh-agent-v2": Enable newer SSH agent support. (Desktop >= 2026.2.1)
-## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Clients >= 2024.12.0)
-## - "pm-25373-windows-biometrics-v2": Enable the new implementation of biometrics on Windows. (Desktop >= 2025.11.0)
-## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
-## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
-## - "mutual-tls": Enable the use of mutual TLS on Android (Clients >= 2025.2.0)
-## - "cxp-import-mobile": Enable the import via CXP on iOS (Clients >= 2025.9.2)
-## - "cxp-export-mobile": Enable the export via CXP on iOS (Clients >= 2025.9.2)
-## - "pm-30529-webauthn-related-origins":
-## - "desktop-ui-migration-milestone-1": Special feature flag for desktop UI (Desktop >= 2026.2.0)
-## - "desktop-ui-migration-milestone-2": Special feature flag for desktop UI (Desktop >= 2026.2.0)
-## - "desktop-ui-migration-milestone-3": Special feature flag for desktop UI (Desktop >= 2026.2.0)
-## - "desktop-ui-migration-milestone-4": Special feature flag for desktop UI (Desktop >= 2026.2.0)
-# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=
+## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
+## - "inline-menu-totp": Enable the use of inline menu TOTP codes in the browser extension.
+## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
+## - "pm-25373-windows-biometrics-v2": Enable the new implementation of biometrics on Windows. (Needs desktop >= 2025.11.0)
+## - "export-attachments": Enable support for exporting attachments (Clients >=2025.4.0)
+## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Needs Android >=2025.3.0, iOS >=2025.4.0)
+## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Needs Android >=2025.3.0, iOS >=2025.4.0)
+## - "mutual-tls": Enable the use of mutual TLS on Android (Client >= 2025.2.0)
+# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials

 ## Require new device emails. When a user logs in an email is required to be sent.
 ## If sending the email fails the login attempt will fail!!
@@ -1,2 +1,3 @@
 # Ignore vendored scripts in GitHub stats
 src/static/scripts/* linguist-vendored
+
@@ -1,10 +1,6 @@
 name: Build
 permissions: {}

-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
 on:
  push:
    paths:
@@ -34,10 +30,6 @@ on:
      - "docker/DockerSettings.yaml"
      - "macros/**"

-defaults:
-  run:
-    shell: bash
-
 jobs:
  build:
    name: Build and Test ${{ matrix.channel }}
@@ -62,7 +54,7 @@ jobs:

      # Checkout the repo
      - name: "Checkout"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -71,6 +63,7 @@ jobs:
      # Determine rust-toolchain version
      - name: Init Variables
        id: toolchain
+        shell: bash
        env:
          CHANNEL: ${{ matrix.channel }}
        run: |
@@ -85,23 +78,32 @@ jobs:
      # End Determine rust-toolchain version


-      - name: "Install toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default"
+      # Only install the clippy and rustfmt components on the default rust-toolchain
+      - name: "Install rust-toolchain version"
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master @ Dec 16, 2025, 6:11 PM GMT+1
+        if: ${{ matrix.channel == 'rust-toolchain' }}
+        with:
+          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
+          components: clippy, rustfmt
+      # End Uses the rust-toolchain file to determine version
+
+
+      # Install the any other channel to be used for which we do not execute clippy and rustfmt
+      - name: "Install MSRV version"
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master @ Dec 16, 2025, 6:11 PM GMT+1
+        if: ${{ matrix.channel != 'rust-toolchain' }}
+        with:
+          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
+      # End Install the MSRV channel to be used
+
+      # Set the current matrix toolchain version as default
+      - name: "Set toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default"
        env:
-          CHANNEL: ${{ matrix.channel }}
          RUST_TOOLCHAIN: ${{steps.toolchain.outputs.RUST_TOOLCHAIN}}
        run: |
          # Remove the rust-toolchain.toml
          rm rust-toolchain.toml
-
-          # Install the correct toolchain version
-          rustup toolchain install "${RUST_TOOLCHAIN}" --profile minimal --no-self-update
-
-          # If this matrix is the `rust-toolchain` flow, also install rustfmt and clippy
-          if [[ "${CHANNEL}" == 'rust-toolchain' ]]; then
-            rustup component add --toolchain "${RUST_TOOLCHAIN}" rustfmt clippy
-          fi
-
-          # Set as the default toolchain
+          # Set the default
          rustup default "${RUST_TOOLCHAIN}"

      # Show environment
@@ -113,7 +115,7 @@ jobs:

      # Enable Rust Caching
      - name: Rust Caching
-        uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
        with:
          # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes.
          # Like changing the build host from Ubuntu 20.04 to 22.04 for example.
@@ -1,16 +1,8 @@
 name: Check templates
 permissions: {}

-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
 on: [ push, pull_request ]

-defaults:
-  run:
-    shell: bash
-
 jobs:
  docker-templates:
    name: Validate docker templates
@@ -20,7 +12,7 @@ jobs:
    steps:
      # Checkout the repo
      - name: "Checkout"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        with:
          persist-credentials: false
      # End Checkout the repo
@@ -1,15 +1,8 @@
 name: Hadolint
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true

 on: [ push, pull_request ]
+permissions: {}

-defaults:
-  run:
-    shell: bash

 jobs:
  hadolint:
@@ -20,7 +13,7 @@ jobs:
    steps:
      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
@@ -32,6 +25,7 @@ jobs:

      # Download hadolint - https://github.com/hadolint/hadolint/releases
      - name: Download hadolint
+        shell: bash
        run: |
          sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
          sudo chmod +x /usr/local/bin/hadolint
@@ -40,18 +34,20 @@ jobs:
      # End Download hadolint
      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        with:
          persist-credentials: false
      # End Checkout the repo

      # Test Dockerfiles with hadolint
      - name: Run hadolint
+        shell: bash
        run: hadolint docker/Dockerfile.{debian,alpine}
      # End Test Dockerfiles with hadolint

      # Test Dockerfiles with docker build checks
      - name: Run docker build check
+        shell: bash
        run: |
          echo "Checking docker/Dockerfile.debian"
          docker build --check . -f docker/Dockerfile.debian
@@ -1,10 +1,6 @@
 name: Cleanup
 permissions: {}

-concurrency:
-  group: ${{ github.workflow }}
-  cancel-in-progress: false
-
 on:
  workflow_dispatch:
    inputs:
@@ -1,10 +1,6 @@
 name: Trivy
 permissions: {}

-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
 on:
  push:
    branches:
@@ -33,12 +29,12 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        with:
          persist-credentials: false

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        env:
          TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
          TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
@@ -50,6 +46,6 @@ jobs:
          severity: CRITICAL,HIGH

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          sarif_file: 'trivy-results.sarif'
@@ -1,11 +1,7 @@
 name: Code Spell Checking
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true

 on: [ push, pull_request ]
+permissions: {}

 jobs:
  typos:
@@ -16,11 +12,11 @@ jobs:
    steps:
      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        with:
          persist-credentials: false
      # End Checkout the repo

      # When this version is updated, do not forget to update this in `.pre-commit-config.yaml` too
      - name: Spell Check Repo
-        uses: crate-ci/typos@37bb98842b0d8c4ffebdb75301a13db0267cef89 # v1.47.2
+        uses: crate-ci/typos@2d0ce569feab1f8752f1dde43cc2f2aa53236e06 # v1.40.0
@@ -1,9 +1,4 @@
 name: Security Analysis with zizmor
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true

 on:
  push:
@@ -11,6 +6,8 @@ on:
  pull_request:
    branches: ["**"]

+permissions: {}
+
 jobs:
  zizmor:
    name: Run zizmor
@@ -19,12 +16,12 @@ jobs:
      security-events: write # To write the security report
    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        with:
          persist-credentials: false

      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
        with:
          # intentionally not scanning the entire repository,
          # since it contains integration tests.
@@ -1,60 +1,58 @@
 ---
 repos:
-  - repo: https://github.com/pre-commit/pre-commit-hooks
+-   repo: https://github.com/pre-commit/pre-commit-hooks
    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0
    hooks:
-      - id: check-yaml
-      - id: check-json
-      - id: check-toml
-      - id: mixed-line-ending
-        args: [ "--fix=no" ]
-      - id: end-of-file-fixer
-        exclude: "(.*js$|.*css$)"
-      - id: check-case-conflict
-      - id: check-merge-conflict
-      - id: detect-private-key
-      - id: check-symlinks
-      - id: forbid-submodules
-
-  # When this version is updated, do not forget to update this in `.github/workflows/typos.yaml` too
-  - repo: https://github.com/crate-ci/typos
-    rev: 37bb98842b0d8c4ffebdb75301a13db0267cef89 # v1.47.2
+    - id: check-yaml
+    - id: check-json
+    - id: check-toml
+    - id: mixed-line-ending
+      args: ["--fix=no"]
+    - id: end-of-file-fixer
+      exclude: "(.*js$|.*css$)"
+    - id: check-case-conflict
+    - id: check-merge-conflict
+    - id: detect-private-key
+    - id: check-symlinks
+    - id: forbid-submodules
+-   repo: local
    hooks:
-      - id: typos
-
-  - repo: local
-    hooks:
-      - id: fmt
-        name: fmt
-        description: Format files with cargo fmt.
-        entry: cargo fmt
-        language: system
-        always_run: true
-        pass_filenames: false
-        args: [ "--", "--check" ]
-      - id: cargo-test
-        name: cargo test
-        description: Test the package for errors.
-        entry: cargo test
-        language: system
-        args: [ "--features", "sqlite,mysql,postgresql", "--" ]
-        types_or: [ rust, file ]
-        files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$)
-        pass_filenames: false
-      - id: cargo-clippy
-        name: cargo clippy
-        description: Lint Rust sources
-        entry: cargo clippy
-        language: system
-        args: [ "--features", "sqlite,mysql,postgresql", "--", "-D", "warnings" ]
-        types_or: [ rust, file ]
-        files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$)
-        pass_filenames: false
-      - id: check-docker-templates
-        name: check docker templates
-        description: Check if the Docker templates are updated
-        language: system
-        entry: sh
-        args:
-          - "-c"
-          - "cd docker && make"
+    - id: fmt
+      name: fmt
+      description: Format files with cargo fmt.
+      entry: cargo fmt
+      language: system
+      always_run: true
+      pass_filenames: false
+      args: ["--", "--check"]
+    - id: cargo-test
+      name: cargo test
+      description: Test the package for errors.
+      entry: cargo test
+      language: system
+      args: ["--features", "sqlite,mysql,postgresql", "--"]
+      types_or: [rust, file]
+      files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$)
+      pass_filenames: false
+    - id: cargo-clippy
+      name: cargo clippy
+      description: Lint Rust sources
+      entry: cargo clippy
+      language: system
+      args: ["--features", "sqlite,mysql,postgresql", "--", "-D", "warnings"]
+      types_or: [rust, file]
+      files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$)
+      pass_filenames: false
+    - id: check-docker-templates
+      name: check docker templates
+      description: Check if the Docker templates are updated
+      language: system
+      entry: sh
+      args:
+        - "-c"
+        - "cd docker && make"
+# When this version is updated, do not forget to update this in `.github/workflows/typos.yaml` too
+- repo: https://github.com/crate-ci/typos
+  rev: 2d0ce569feab1f8752f1dde43cc2f2aa53236e06 # v1.40.0
+  hooks:
+    - id: typos
@@ -23,6 +23,4 @@ extend-ignore-re = [
    # https://github.com/bitwarden/server/blob/dff9f1cf538198819911cf2c20f8cda3307701c5/src/Notifications/HubHelpers.cs#L86
    # https://github.com/bitwarden/clients/blob/9612a4ac45063e372a6fbe87eb253c7cb3c588fb/libs/common/src/auth/services/anonymous-hub.service.ts#L45
    "AuthRequestResponseRecieved",
-    # Ignore Punycode/IDN tests
-    "xn--.+"
 ]
@@ -59,9 +59,8 @@ A nearly complete implementation of the Bitwarden Client API is provided, includ
 ## Usage

 > [!IMPORTANT]
-> The web-vault requires the use of HTTPS and a secure context for the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API). <br>
-> That means it will only work if you [enable HTTPS](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS). <br>
-> We also suggest to use a [reverse proxy](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples).
+> The web-vault requires the use a secure context for the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API).
+> That means it will only work via `http://localhost:8000` (using the port from the example below) or if you [enable HTTPS](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS).

 The recommended way to install and use Vaultwarden is via our container images which are published to [ghcr.io](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden), [docker.io](https://hub.docker.com/r/vaultwarden/server) and [quay.io](https://quay.io/repository/vaultwarden/server).
 See [which container image to use](https://github.com/dani-garcia/vaultwarden/wiki/Which-container-image-to-use) for an explanation of the provided tags.
@@ -1,21 +1,22 @@
-use std::{env, io::Error, process::Command};
+use std::env;
+use std::process::Command;

 fn main() {
-    // These allow using e.g. #[cfg(mysql)] instead of #[cfg(feature = "mysql")], which helps when trying to add them through macros
-    #[cfg(feature = "sqlite_system")] // The `sqlite` feature implies this one.
+    // This allow using #[cfg(sqlite)] instead of #[cfg(feature = "sqlite")], which helps when trying to add them through macros
+    #[cfg(feature = "sqlite")]
    println!("cargo:rustc-cfg=sqlite");
    #[cfg(feature = "mysql")]
    println!("cargo:rustc-cfg=mysql");
    #[cfg(feature = "postgresql")]
    println!("cargo:rustc-cfg=postgresql");
-    #[cfg(not(any(feature = "sqlite_system", feature = "mysql", feature = "postgresql")))]
+    #[cfg(feature = "s3")]
+    println!("cargo:rustc-cfg=s3");
+
+    #[cfg(not(any(feature = "sqlite", feature = "mysql", feature = "postgresql")))]
    compile_error!(
        "You need to enable one DB backend. To build with previous defaults do: cargo build --features sqlite"
    );

-    #[cfg(feature = "s3")]
-    println!("cargo:rustc-cfg=s3");
-
    // Use check-cfg to let cargo know which cfg's we define,
    // and avoid warnings when they are used in the code.
    println!("cargo::rustc-check-cfg=cfg(sqlite)");
@@ -41,12 +42,13 @@ fn main() {
    }
 }

-fn run(args: &[&str]) -> Result<String, Error> {
+fn run(args: &[&str]) -> Result<String, std::io::Error> {
    let out = Command::new(args[0]).args(&args[1..]).output()?;
    if !out.status.success() {
+        use std::io::Error;
        return Err(Error::other("Command not successful"));
    }
-    Ok(String::from_utf8(out.stdout).unwrap().trim().to_owned())
+    Ok(String::from_utf8(out.stdout).unwrap().trim().to_string())
 }

 /// This method reads info from Git, namely tags, branch, and revision
@@ -56,7 +58,7 @@ fn run(args: &[&str]) -> Result<String, Error> {
 ///    - `env!("GIT_BRANCH")`
 ///    - `env!("GIT_REV")`
 ///    - `env!("VW_VERSION")`
-fn version_from_git_info() -> Result<String, Error> {
+fn version_from_git_info() -> Result<String, std::io::Error> {
    // The exact tag for the current commit, can be empty when
    // the current commit doesn't have an associated tag
    let exact_tag = run(&["git", "describe", "--abbrev=0", "--tags", "--exact-match"]).ok();
@@ -2,4 +2,4 @@
 # see diesel.rs/guides/configuring-diesel-cli

 [print_schema]
-file = "src/db/schema.rs"
+file = "src/db/schema.rs"
@@ -1,11 +1,11 @@
 ---
-vault_version: "v2026.4.1"
-vault_image_digest: "sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe"
+vault_version: "v2025.12.0"
+vault_image_digest: "sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613"
 # Cross Compile Docker Helper Scripts v1.9.0
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
 xx_image_digest: "sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707"
-rust_version: 1.96.0 # Rust version to be used
+rust_version: 1.92.0 # Rust version to be used
 debian_version: trixie # Debian release name to be used
 alpine_version: "3.23" # Alpine version to be used
 # For which platforms/architectures will we try to build images
@@ -19,23 +19,23 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2026.4.1
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2026.4.1
-#     [docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.12.0
+#     [docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe
-#     [docker.io/vaultwarden/web-vault:v2026.4.1]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613
+#     [docker.io/vaultwarden/web-vault:v2025.12.0]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613 AS vault

 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 and linux/arm64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.96.0 AS build_amd64
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.96.0 AS build_arm64
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.96.0 AS build_armv7
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.96.0 AS build_armv6
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.92.0 AS build_amd64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.92.0 AS build_arm64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.92.0 AS build_armv7
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.92.0 AS build_armv6

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
@@ -57,6 +57,7 @@ ENV DEBIAN_FRONTEND=noninteractive \
    # Debian Trixie uses libpq v17
    PQ_LIB_DIR="/usr/local/musl/pq17/lib"

+
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" && \
    rustup set profile minimal
@@ -19,15 +19,15 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2026.4.1
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2026.4.1
-#     [docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.12.0
+#     [docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe
-#     [docker.io/vaultwarden/web-vault:v2026.4.1]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613
+#     [docker.io/vaultwarden/web-vault:v2025.12.0]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613 AS vault

 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
@@ -36,7 +36,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c64defb9ed5a91eacb37f

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.96.0-slim-trixie AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.92.0-slim-trixie AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -51,7 +51,7 @@ ENV DEBIAN_FRONTEND=noninteractive \
    TERM=xterm-256color \
    CARGO_HOME="/root/.cargo" \
    USER="root"
-# Install clang && xx-c-essentials to get `xx-cargo` working
+# Install clang to get `xx-cargo` working
 # Install pkg-config to allow amd64 builds to find all libraries
 # Install git so build.rs can determine the correct version
 # Install the libc cross packages based upon the debian-arch
@@ -59,16 +59,19 @@ RUN apt-get update && \
    apt-get install -y \
        --no-install-recommends \
        clang \
-        git && \
+        pkg-config \
+        git \
+        "libc6-$(xx-info debian-arch)-cross" \
+        "libc6-dev-$(xx-info debian-arch)-cross" \
+        "linux-libc-dev-$(xx-info debian-arch)-cross" && \
    xx-apt-get install -y \
        --no-install-recommends \
+        gcc \
        libpq-dev \
        libpq5 \
        libssl-dev \
        libmariadb-dev \
-        pkg-config \
-        zlib1g-dev \
-        xx-c-essentials && \
+        zlib1g-dev && \
    # Run xx-cargo early, since it sometimes seems to break when run at a later stage
    echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo

@@ -80,6 +83,29 @@ RUN mkdir -pv "${CARGO_HOME}" && \
 RUN USER=root cargo new --bin /app
 WORKDIR /app

+# Environment variables for Cargo on Debian based builds
+ARG TARGET_PKG_CONFIG_PATH
+
+RUN source /env-cargo && \
+    if xx-info is-cross ; then \
+        # We can't use xx-cargo since that uses clang, which doesn't work for our libraries.
+        # Because of this we generate the needed environment variables here which we can load in the needed steps.
+        echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+        echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+        echo "export CROSS_COMPILE=1" >> /env-cargo && \
+        echo "export PKG_CONFIG_ALLOW_CROSS=1" >> /env-cargo && \
+        # For some architectures `xx-info` returns a triple which doesn't matches the path on disk
+        # In those cases you can override this by setting the `TARGET_PKG_CONFIG_PATH` build-arg
+        if [[ -n "${TARGET_PKG_CONFIG_PATH}" ]]; then \
+            echo "export TARGET_PKG_CONFIG_PATH=${TARGET_PKG_CONFIG_PATH}" >> /env-cargo ; \
+        else \
+            echo "export PKG_CONFIG_PATH=/usr/lib/$(xx-info)/pkgconfig" >> /env-cargo ; \
+        fi && \
+        echo "# End of env-cargo" >> /env-cargo ; \
+    fi && \
+    # Output the current contents of the file
+    cat /env-cargo
+
 RUN source /env-cargo && \
    rustup target add "${CARGO_TARGET}"

@@ -96,9 +122,7 @@ ARG DB=sqlite,mysql,postgresql
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
 RUN source /env-cargo && \
-    # Workaround for xx related build issues
-    # https://github.com/tonistiigi/xx/pull/108#issuecomment-3700635977
-    PKG_CONFIG="$(command -v "$(xx-info)-pkg-config")" xx-cargo build --features ${DB} --profile "${CARGO_PROFILE}" && \
+    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
    find . -not -path "./target*" -delete

 # Copies the complete project
@@ -113,9 +137,7 @@ RUN source /env-cargo && \
    # Also do this for build.rs to ensure the version is rechecked
    touch build.rs src/main.rs && \
    # Create a symlink to the binary target folder to easy copy the binary in the final stage
-    # Workaround for xx related build issues
-    # https://github.com/tonistiigi/xx/pull/108#issuecomment-3700635977
-    PKG_CONFIG="$(command -v "$(xx-info)-pkg-config")" xx-cargo build --features ${DB} --profile "${CARGO_PROFILE}" && \
+    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
    if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \
        ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \
    else \
@@ -19,19 +19,14 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}
-#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}
+#     $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version }}
+#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version }}
 #     [docker.io/vaultwarden/web-vault@{{ vault_image_digest }}]
 #
 # - Conversely, to get the tag name from the digest:
 #     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }}
-#     [docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}]
+#     [docker.io/vaultwarden/web-vault:{{ vault_version }}]
 #
-{% macro xx_cargo_config() -%}
-# Workaround for xx related build issues
-    # https://github.com/tonistiigi/xx/pull/108#issuecomment-3700635977
-    PKG_CONFIG="$(command -v "$(xx-info)-pkg-config")" xx-cargo build --features ${DB} --profile "${CARGO_PROFILE}"
-{%- endmacro %}
 FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} AS vault

 {% if base == "debian" %}
@@ -71,10 +66,10 @@ ENV DEBIAN_FRONTEND=noninteractive \
    # Use PostgreSQL v17 during Alpine/MUSL builds instead of the default v16
    # Debian Trixie uses libpq v17
    PQ_LIB_DIR="/usr/local/musl/pq17/lib"
-{%- endif %}
+{% endif %}

 {% if base == "debian" %}
-# Install clang && xx-c-essentials to get `xx-cargo` working
+# Install clang to get `xx-cargo` working
 # Install pkg-config to allow amd64 builds to find all libraries
 # Install git so build.rs can determine the correct version
 # Install the libc cross packages based upon the debian-arch
@@ -82,16 +77,19 @@ RUN apt-get update && \
    apt-get install -y \
        --no-install-recommends \
        clang \
-        git && \
+        pkg-config \
+        git \
+        "libc6-$(xx-info debian-arch)-cross" \
+        "libc6-dev-$(xx-info debian-arch)-cross" \
+        "linux-libc-dev-$(xx-info debian-arch)-cross" && \
    xx-apt-get install -y \
        --no-install-recommends \
+        gcc \
        libpq-dev \
        libpq5 \
        libssl-dev \
        libmariadb-dev \
-        pkg-config \
-        zlib1g-dev \
-        xx-c-essentials && \
+        zlib1g-dev && \
    # Run xx-cargo early, since it sometimes seems to break when run at a later stage
    echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo
 {% endif %}
@@ -104,7 +102,31 @@ RUN mkdir -pv "${CARGO_HOME}" && \
 RUN USER=root cargo new --bin /app
 WORKDIR /app

-{% if base == "alpine" %}
+{% if base == "debian" %}
+# Environment variables for Cargo on Debian based builds
+ARG TARGET_PKG_CONFIG_PATH
+
+RUN source /env-cargo && \
+    if xx-info is-cross ; then \
+        # We can't use xx-cargo since that uses clang, which doesn't work for our libraries.
+        # Because of this we generate the needed environment variables here which we can load in the needed steps.
+        echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+        echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+        echo "export CROSS_COMPILE=1" >> /env-cargo && \
+        echo "export PKG_CONFIG_ALLOW_CROSS=1" >> /env-cargo && \
+        # For some architectures `xx-info` returns a triple which doesn't matches the path on disk
+        # In those cases you can override this by setting the `TARGET_PKG_CONFIG_PATH` build-arg
+        if [[ -n "${TARGET_PKG_CONFIG_PATH}" ]]; then \
+            echo "export TARGET_PKG_CONFIG_PATH=${TARGET_PKG_CONFIG_PATH}" >> /env-cargo ; \
+        else \
+            echo "export PKG_CONFIG_PATH=/usr/lib/$(xx-info)/pkgconfig" >> /env-cargo ; \
+        fi && \
+        echo "# End of env-cargo" >> /env-cargo ; \
+    fi && \
+    # Output the current contents of the file
+    cat /env-cargo
+
+{% elif base == "alpine" %}
 # Environment variables for Cargo on Alpine based builds
 RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \
    # Output the current contents of the file
@@ -132,11 +154,7 @@ ARG DB=sqlite,mysql,postgresql,enable_mimalloc
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
 RUN source /env-cargo && \
-{% if base == "debian" %}
-    {{ xx_cargo_config() }} && \
-{% elif base == "alpine" %}
    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
-{% endif %}
    find . -not -path "./target*" -delete

 # Copies the complete project
@@ -151,11 +169,7 @@ RUN source /env-cargo && \
    # Also do this for build.rs to ensure the version is rechecked
    touch build.rs src/main.rs && \
    # Create a symlink to the binary target folder to easy copy the binary in the final stage
-{% if base == "debian" %}
-    {{ xx_cargo_config() }} && \
-{% elif base == "alpine" %}
    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
-{% endif %}
    if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \
        ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \
    else \
@@ -13,8 +13,8 @@ path = "src/lib.rs"
 proc-macro = true

 [dependencies]
-quote = "1.0.45"
-syn = "2.0.117"
+quote = "1.0.42"
+syn = "2.0.111"

 [lints]
 workspace = true
@@ -1,15 +1,14 @@
 use proc_macro::TokenStream;
 use quote::quote;
-use syn::{DeriveInput, parse_macro_input};

 #[proc_macro_derive(UuidFromParam)]
 pub fn derive_uuid_from_param(input: TokenStream) -> TokenStream {
-    let ast = parse_macro_input!(input as DeriveInput);
+    let ast = syn::parse(input).unwrap();

    impl_derive_uuid_macro(&ast)
 }

-fn impl_derive_uuid_macro(ast: &DeriveInput) -> TokenStream {
+fn impl_derive_uuid_macro(ast: &syn::DeriveInput) -> TokenStream {
    let name = &ast.ident;
    let gen_derive = quote! {
        #[automatically_derived]
@@ -31,12 +30,12 @@ fn impl_derive_uuid_macro(ast: &DeriveInput) -> TokenStream {

 #[proc_macro_derive(IdFromParam)]
 pub fn derive_id_from_param(input: TokenStream) -> TokenStream {
-    let ast = parse_macro_input!(input as DeriveInput);
+    let ast = syn::parse(input).unwrap();

    impl_derive_safestring_macro(&ast)
 }

-fn impl_derive_safestring_macro(ast: &DeriveInput) -> TokenStream {
+fn impl_derive_safestring_macro(ast: &syn::DeriveInput) -> TokenStream {
    let name = &ast.ident;
    let gen_derive = quote! {
        #[automatically_derived]
@@ -1 +0,0 @@
-DROP TABLE IF EXISTS archives;
@@ -1,10 +0,0 @@
-DROP TABLE IF EXISTS archives;
-
-CREATE TABLE archives (
-    user_uuid   CHAR(36) NOT NULL,
-    cipher_uuid CHAR(36) NOT NULL,
-    archived_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    PRIMARY KEY (user_uuid, cipher_uuid),
-    FOREIGN KEY (user_uuid) REFERENCES users (uuid) ON DELETE CASCADE,
-    FOREIGN KEY (cipher_uuid) REFERENCES ciphers (uuid) ON DELETE CASCADE
-);
@@ -1 +0,0 @@
-ALTER TABLE sso_auth DROP COLUMN binding_hash;
@@ -1 +0,0 @@
-ALTER TABLE sso_auth ADD COLUMN binding_hash TEXT;
@@ -1 +0,0 @@
-ALTER TABLE sso_auth DROP COLUMN code_response_error;
@@ -1 +0,0 @@
-ALTER TABLE sso_auth ADD COLUMN code_response_error TEXT;
@@ -1 +0,0 @@
-DROP TABLE IF EXISTS archives;
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`ALTER TABLE sso_auth DROP COLUMN binding_hash;`
				`@@ -1 +0,0 @@`
				`ALTER TABLE sso_auth ADD COLUMN binding_hash TEXT;`
				`@@ -1 +0,0 @@`
				`ALTER TABLE sso_auth DROP COLUMN code_response_error;`
				`@@ -1 +0,0 @@`
				`ALTER TABLE sso_auth ADD COLUMN code_response_error TEXT;`