Skip to content

v1.2.1 — Security & Maintenance

Choose a tag to compare

@johnzastrow johnzastrow released this 02 Apr 15:12

What's Changed

Security

  • Pinned axios to 1.13.5 (supply chain attack mitigation, 2026-03-31 incident)
  • npm audit fix: patched brace-expansion, picomatch, undici, yaml

Bug Fixes

  • Calendar view now fetches all workouts (was capped at 20, causing missing entries)
  • Admin breadcrumb returning 404
  • Avatar upload click target; removed stale debug logging

Features

  • Calendar header shows workout count for viewed month
  • Nav bar icons switched to heavier filled MDI variants

CI / Infrastructure

  • setup-go now uses go-version-file: go.mod (auto-tracks toolchain version)
  • Pinned golangci-lint-action to v6 (v9 dropped v1.x support)
  • Fixed date-sensitive test failure on first day of each month
  • Docker base image bumped to golang:1.25-alpine (matches go.mod toolchain)
  • Fixed Docker workflow SHA tag format (was invalid on tag-triggered builds)

Dependency Updates

  • Go: x/crypto 0.48→0.49, pgx/v5 5.8→5.9, go-sqlite3 1.14.34→1.14.38, lib/pq 1.11→1.12
  • Frontend: Vue 3.5.28→3.5.31, vue-router 5.0.3→5.0.4, vitest 4.0→4.1, sass 1.97→1.98
  • GH Actions: docker/login-action 3→4, metadata-action 5→6, build-push-action 6→7, actions/checkout 4→6, super-linter 4→7

Known Issues

  • vite-plugin-pwa dependency chain (serialize-javascript CVE) — fix requires major downgrade to 0.19.8; deferred to next release

Docker

docker pull ghcr.io/johnzastrow/actalog:v1.2.1
# or
docker pull ghcr.io/johnzastrow/actalog:latest

Full changelog: https://github.com/johnzastrow/actalog/blob/main/docs/CHANGELOG.md