v1.2.1 — Security & Maintenance
What's Changed
Security
- Pinned axios to 1.13.5 (supply chain attack mitigation, 2026-03-31 incident)
npm audit fix: patched brace-expansion, picomatch, undici, yaml
Bug Fixes
- Calendar view now fetches all workouts (was capped at 20, causing missing entries)
- Admin breadcrumb returning 404
- Avatar upload click target; removed stale debug logging
Features
- Calendar header shows workout count for viewed month
- Nav bar icons switched to heavier filled MDI variants
CI / Infrastructure
setup-gonow usesgo-version-file: go.mod(auto-tracks toolchain version)- Pinned
golangci-lint-actionto v6 (v9 dropped v1.x support) - Fixed date-sensitive test failure on first day of each month
- Docker base image bumped to
golang:1.25-alpine(matches go.mod toolchain) - Fixed Docker workflow SHA tag format (was invalid on tag-triggered builds)
Dependency Updates
- Go: x/crypto 0.48→0.49, pgx/v5 5.8→5.9, go-sqlite3 1.14.34→1.14.38, lib/pq 1.11→1.12
- Frontend: Vue 3.5.28→3.5.31, vue-router 5.0.3→5.0.4, vitest 4.0→4.1, sass 1.97→1.98
- GH Actions: docker/login-action 3→4, metadata-action 5→6, build-push-action 6→7, actions/checkout 4→6, super-linter 4→7
Known Issues
vite-plugin-pwadependency chain (serialize-javascript CVE) — fix requires major downgrade to 0.19.8; deferred to next release
Docker
docker pull ghcr.io/johnzastrow/actalog:v1.2.1
# or
docker pull ghcr.io/johnzastrow/actalog:latestFull changelog: https://github.com/johnzastrow/actalog/blob/main/docs/CHANGELOG.md