chore(deps): update dawarich to v1.7.3 #6452

renovate-bot · 2026-05-03T00:53:30Z

renovate-bot commented

2026-05-03 00:53:30 +00:00

This PR contains the following updates:

Package	Update	Change
Freika/dawarich	patch	`1.7.2` → `1.7.3`
freikin/dawarich	patch	`1.7.2` → `1.7.3`

⚠️ Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

Freika/dawarich (Freika/dawarich)

`v1.7.3`

Compare Source

Security

Fixes for several issues found in a static-analysis security audit. None of these have a known in-the-wild exploit, but operators should still upgrade.

Path traversal in user-data archive import (POST /settings/users/import) — a malicious archive whose JSON manifest referenced files via .. could attach arbitrary host files (e.g. config/master.key, /proc/self/environ) to the user's import record and download them.
OAuth web callback (Google / GitHub / OIDC) used to silently link an existing local-password account to an incoming OAuth identity on email match, with no email_verified check or consent. The web flow now mirrors the mobile-API flow: the user must confirm the link.
SSRF blocklist for the immich_url / photoprism_url settings missed RFC1918, CGNAT, IPv6 ULA, multicast and reserved ranges. Cloud installs now reject those; self-hosted gets a smaller blocklist that still catches non-http schemes, cloud-metadata IPs and multicast while permitting LAN / loopback / Docker DNS.
Web OTP challenge (POST /users/otp_challenge) had no rate limit, leaving 2FA brute-forceable given a leaked password. Added rack-attack throttles (5/15min per session, 20/15min per IP) plus an in-controller cap of 5 invalid attempts.
Stored XSS via family.name rendered through notification.content.html_safe is now passed through sanitize.
Disabling 2FA now requires both the password AND a current authenticator code (or backup code), on web and API.
Default prometheus / prometheus credentials for /metrics are gone — the endpoint refuses until both METRICS_USERNAME and METRICS_PASSWORD are set.
Devise minimum password length raised from 6 to 12.
API keys generated by new accounts are 256-bit (was 128-bit). Existing keys keep working.
OwnTracks point ingest replaces a blanket params.permit! with the documented field whitelist.

Added

Polarsteps support — locations.json and segment-array exports now import directly.
Files with unsupported extensions are rejected in the browser before upload starts.
Clear, actionable error messages when an unsupported file is uploaded — points to the right file in your Takeout instead of a generic "Unable to detect file format".

Changed

Monthly and yearly email digests now hide countries and cities with 1 hour or less of time spent, so the Top Countries / Top Cities lists no longer get padded with 0h and 1h entries.
Disabling 2FA via /settings/two_factor now asks for both your password and a current authenticator code (or one of your backup codes). The web form has been updated; API clients must send password AND otp_code to DELETE /api/v1/users/me/two_factor.
Setting a new password (signup, password change, password reset) now requires at least 12 characters. Existing shorter passwords still work for sign-in.
/metrics endpoint: if you scrape Prometheus metrics, set METRICS_USERNAME and METRICS_PASSWORD in your environment. With them unset, /metrics now returns 503.
OAuth (web) without SMTP: a user signing in via OIDC/GitHub/Google for the first time when an email-matching local account already exists is no longer auto-linked. They are sent to a password-challenge page where entering their existing Dawarich password completes the linking. No SMTP setup is required for this path. A "send me a confirmation email instead" button on the same page is the SMTP-based fallback for users who have forgotten their password.
Self-hosted Immich/PhotoPrism URLs: the next save of these settings re-validates the URL. Configurations using non-http schemes, 0.0.0.0, multicast IPs, or the cloud-metadata 169.254.169.254 will be rejected. Standard LAN / Docker / loopback URLs continue to work.

Fixed

Google Phone Takeout location-history.json now imports reliably. (#2437, #2587)
KMZ files from a wider range of exporters now import.
Imports no longer fail intermittently with No such file or directory @ rb_sysopen - /tmp/.... (#2446)
FIT files from non-Garmin devices and phone apps now import.
CSV files with quoted headers (e.g. "Latitude","Longitude") are now recognized.
Empty (0-byte) uploads now produce a clear error instead of crashing.
Upgrades from older versions (≤ 1.3.1) no longer crash during db:migrate. (#2576)

Configuration

📅 Schedule: (in timezone America/Chicago)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [Freika/dawarich](https://github.com/Freika/dawarich) | patch | `1.7.2` → `1.7.3` | | [freikin/dawarich](https://github.com/Freika/dawarich) | patch | `1.7.2` → `1.7.3` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/2) for more information. --- ### Release Notes <details> <summary>Freika/dawarich (Freika/dawarich)</summary> ### [`v1.7.3`](https://github.com/Freika/dawarich/blob/HEAD/CHANGELOG.md#173---2026-05-02) [Compare Source](https://github.com/Freika/dawarich/compare/1.7.2...1.7.3) ##### Security Fixes for several issues found in a static-analysis security audit. None of these have a known in-the-wild exploit, but operators should still upgrade. - Path traversal in user-data archive import (`POST /settings/users/import`) — a malicious archive whose JSON manifest referenced files via `..` could attach arbitrary host files (e.g. `config/master.key`, `/proc/self/environ`) to the user's import record and download them. - OAuth web callback (Google / GitHub / OIDC) used to silently link an existing local-password account to an incoming OAuth identity on email match, with no `email_verified` check or consent. The web flow now mirrors the mobile-API flow: the user must confirm the link. - SSRF blocklist for the `immich_url` / `photoprism_url` settings missed RFC1918, CGNAT, IPv6 ULA, multicast and reserved ranges. Cloud installs now reject those; self-hosted gets a smaller blocklist that still catches non-http schemes, cloud-metadata IPs and multicast while permitting LAN / loopback / Docker DNS. - Web OTP challenge (`POST /users/otp_challenge`) had no rate limit, leaving 2FA brute-forceable given a leaked password. Added rack-attack throttles (5/15min per session, 20/15min per IP) plus an in-controller cap of 5 invalid attempts. - Stored XSS via `family.name` rendered through `notification.content.html_safe` is now passed through `sanitize`. - Disabling 2FA now requires both the password AND a current authenticator code (or backup code), on web and API. - Default `prometheus` / `prometheus` credentials for `/metrics` are gone — the endpoint refuses until both `METRICS_USERNAME` and `METRICS_PASSWORD` are set. - Devise minimum password length raised from 6 to 12. - API keys generated by new accounts are 256-bit (was 128-bit). Existing keys keep working. - OwnTracks point ingest replaces a blanket `params.permit!` with the documented field whitelist. ##### Added - Polarsteps support — `locations.json` and segment-array exports now import directly. - Files with unsupported extensions are rejected in the browser before upload starts. - Clear, actionable error messages when an unsupported file is uploaded — points to the right file in your Takeout instead of a generic "Unable to detect file format". ##### Changed - Monthly and yearly email digests now hide countries and cities with 1 hour or less of time spent, so the Top Countries / Top Cities lists no longer get padded with `0h` and `1h` entries. - Disabling 2FA via `/settings/two_factor` now asks for both your password and a current authenticator code (or one of your backup codes). The web form has been updated; API clients must send `password` AND `otp_code` to `DELETE /api/v1/users/me/two_factor`. - Setting a new password (signup, password change, password reset) now requires at least 12 characters. Existing shorter passwords still work for sign-in. - **`/metrics` endpoint**: if you scrape Prometheus metrics, set `METRICS_USERNAME` and `METRICS_PASSWORD` in your environment. With them unset, `/metrics` now returns 503. - **OAuth (web) without SMTP**: a user signing in via OIDC/GitHub/Google for the first time when an email-matching local account already exists is no longer auto-linked. They are sent to a password-challenge page where entering their existing Dawarich password completes the linking. **No SMTP setup is required for this path.** A "send me a confirmation email instead" button on the same page is the SMTP-based fallback for users who have forgotten their password. - **Self-hosted Immich/PhotoPrism URLs**: the next save of these settings re-validates the URL. Configurations using non-http schemes, `0.0.0.0`, multicast IPs, or the cloud-metadata `169.254.169.254` will be rejected. Standard LAN / Docker / loopback URLs continue to work. ##### Fixed - Google Phone Takeout `location-history.json` now imports reliably. ([#2437](https://github.com/Freika/dawarich/issues/2437), [#2587](https://github.com/Freika/dawarich/issues/2587)) - KMZ files from a wider range of exporters now import. - Imports no longer fail intermittently with `No such file or directory @ rb_sysopen - /tmp/...`. ([#2446](https://github.com/Freika/dawarich/issues/2446)) - FIT files from non-Garmin devices and phone apps now import. - CSV files with quoted headers (e.g. `"Latitude","Longitude"`) are now recognized. - Empty (0-byte) uploads now produce a clear error instead of crashing. - Upgrades from older versions (≤ 1.3.1) no longer crash during `db:migrate`. ([#2576](https://github.com/Freika/dawarich/issues/2576)) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

renovate-bot added the automerge docker labels 2026-05-03 00:53:30 +00:00

renovate-bot added 1 commit 2026-05-03 00:53:32 +00:00

chore(deps): update dawarich to v1.7.3

renovate/stability-days Updates have not met minimum release age requirement

Details

lint-test-helm / lint-helm (pull_request) Successful in 1m16s

Details

lint-test-helm / validate-kubeconform (pull_request) Has been skipped

Details

render-manifests / render-manifests (pull_request) Successful in 1m14s

Details

0e89e8c684

renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-05-03 00:53:36 +00:00

renovate-bot merged commit 762b75970e into main

2026-05-03 00:53:41 +00:00

renovate-bot referenced this issue from a commit

2026-05-03 00:53:42 +00:00

Merge pull request 'chore(deps): update dawarich to v1.7.3' (#6452) from renovate/unified-dawarich into main

renovate-bot deleted branch renovate/unified-dawarich

2026-05-03 00:53:44 +00:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: alexlebens/infrastructure#6452