update release workflow

.github/workflows/backend-linter.yml

@@ -17,14 +17,15 @@ permissions:
   pull-requests: read
   # Optional: allow write access to checks to allow the action to annotate code in the PR.
   checks: write
+  id-token: write
 
 jobs:
   golangci-lint:
     name: Run Golangci-lint
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6

.github/workflows/build-next.yml

@@ -9,43 +9,39 @@ concurrency:
   group: build-next-image
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  attestations: write
+
 jobs:
   build-next:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
+    runs-on: depot-ubuntu-latest
+
+    env:
+      CONTAINER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/pocket-id
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 24
+          cache: "pnpm"
 
       - name: Setup Go
         uses: actions/setup-go@v6
         with:
           go-version-file: "backend/go.mod"
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Set DOCKER_IMAGE_NAME
-        run: |
-          # Lowercase REPO_OWNER which is required for containers
-          REPO_OWNER=${{ github.repository_owner }}
-          DOCKER_IMAGE_NAME="ghcr.io/${REPO_OWNER,,}/pocket-id"
-          echo "DOCKER_IMAGE_NAME=${DOCKER_IMAGE_NAME}" >>${GITHUB_ENV}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
@@ -54,6 +50,40 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Container Image Metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.CONTAINER_IMAGE_NAME }}
+          tags: |
+            type=raw,value=next
+          labels: |
+            org.opencontainers.image.authors=Pocket ID
+            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
+            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.version=next
+            org.opencontainers.image.licenses=BSD-2-Clause
+            org.opencontainers.image.ref.name=pocket-id
+            org.opencontainers.image.title=Pocket ID
+
+      - name: Container Image Metadata
+        id: distroless-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.CONTAINER_IMAGE_NAME }}
+          tags: |
+            type=raw,value=next-distroless
+          labels: |
+            org.opencontainers.image.authors=Pocket ID
+            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
+            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.version=next-distroless
+            org.opencontainers.image.licenses=BSD-2-Clause
+            org.opencontainers.image.ref.name=pocket-id
+            org.opencontainers.image.title=Pocket ID
+
       - name: Install frontend dependencies
         run: pnpm install --frozen-lockfile
 
@@ -66,31 +96,40 @@ jobs:
 
       - name: Build and push container image
         id: build-push-image
-        uses: docker/build-push-action@v6
+        uses: depot/build-push-action@v1
         with:
           context: .
+          file: docker/Dockerfile-prebuilt
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: ${{ env.DOCKER_IMAGE_NAME }}:next
-          file: docker/Dockerfile-prebuilt
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          sbom: true
+          provenance: true
+
       - name: Build and push container image (distroless)
-        uses: docker/build-push-action@v6
+        uses: depot/build-push-action@v1
         id: container-build-push-distroless
         with:
           context: .
+          file: docker/Dockerfile-distroless
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: ${{ env.DOCKER_IMAGE_NAME }}:next-distroless
-          file: docker/Dockerfile-distroless
+          tags: ${{ steps.distroless-meta.outputs.tags }}
+          labels: ${{ steps.distroless-meta.outputs.labels }}
+          sbom: true
+          provenance: true
+
       - name: Container image attestation
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
           subject-digest: ${{ steps.build-push-image.outputs.digest }}
           push-to-registry: true
+
       - name: Container image attestation (distroless)
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
           subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
           push-to-registry: true

.github/workflows/e2e-tests.yml

@@ -13,16 +13,17 @@ on:
       - "**.md"
       - ".github/**"
 
+permissions:
+  contents: read
+  actions: write
+  id-token: write
+
 jobs:
   build:
     if: github.event.pull_request.head.ref != 'i18n_crowdin'
-    timeout-minutes: 20
-    permissions:
-      contents: read
-      actions: write
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-24.04-16
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -49,10 +50,7 @@ jobs:
 
   test:
     if: github.event.pull_request.head.ref != 'i18n_crowdin'
-    permissions:
-      contents: read
-      actions: write
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-24.04-16
     needs: build
     strategy:
       fail-fast: false
@@ -70,15 +68,16 @@ jobs:
             storage: database
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 24
+          cache: "pnpm"
 
       - name: Cache Playwright Browsers
         uses: actions/cache@v4

.github/workflows/release.yml

@@ -5,42 +5,46 @@ on:
     tags:
       - "v*.*.*"
 
+permissions:
+  contents: write
+  packages: write
+  attestations: write
+  id-token: write
+
 jobs:
   build:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      packages: write
-      attestations: write
-      id-token: write
+    runs-on: depot-ubuntu-24.04-16
+
+    env:
+      CONTAINER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/pocket-id
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
+
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
+
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 24
+          cache: "pnpm"
+
       - uses: actions/setup-go@v6
         with:
           go-version-file: "backend/go.mod"
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Set DOCKER_IMAGE_NAME
-        run: |
-          # Lowercase REPO_OWNER which is required for containers
-          REPO_OWNER=${{ github.repository_owner }}
-          DOCKER_IMAGE_NAME="ghcr.io/${REPO_OWNER,,}/pocket-id"
-          echo "DOCKER_IMAGE_NAME=${DOCKER_IMAGE_NAME}" >>${GITHUB_ENV}
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{github.repository_owner}}
           password: ${{secrets.GITHUB_TOKEN}}
+
       - name: Docker metadata
         id: meta
         uses: docker/metadata-action@v5
@@ -51,59 +55,89 @@ jobs:
             type=semver,pattern={{version}},prefix=v
             type=semver,pattern={{major}}.{{minor}},prefix=v
             type=semver,pattern={{major}},prefix=v
+          labels: |
+            org.opencontainers.image.authors=Pocket ID
+            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
+            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.version=next
+            org.opencontainers.image.licenses=BSD-2-Clause
+            org.opencontainers.image.ref.name=pocket-id
+            org.opencontainers.image.title=Pocket ID
+
       - name: Docker metadata (distroless)
         id: meta-distroless
         uses: docker/metadata-action@v5
         with:
           images: |
-            ${{ env.DOCKER_IMAGE_NAME }}
+            ${{ env.CONTAINER_IMAGE_NAME }}
           flavor: |
             suffix=-distroless,onlatest=true
           tags: |
             type=semver,pattern={{version}},prefix=v
             type=semver,pattern={{major}}.{{minor}},prefix=v
             type=semver,pattern={{major}},prefix=v
+          labels: |
+            org.opencontainers.image.authors=Pocket ID
+            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
+            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.version=next-distroless
+            org.opencontainers.image.licenses=BSD-2-Clause
+            org.opencontainers.image.ref.name=pocket-id
+            org.opencontainers.image.title=Pocket ID
+
       - name: Install frontend dependencies
         run: pnpm --filter pocket-id-frontend install --frozen-lockfile
+
       - name: Build frontend
         run: pnpm --filter pocket-id-frontend build
 
       - name: Build binaries
         run: sh scripts/development/build-binaries.sh
+
       - name: Build and push container image
-        uses: docker/build-push-action@v6
+        uses: depot/build-push-action@v1
         id: container-build-push
         with:
           context: .
+          file: docker/Dockerfile-prebuilt
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          file: docker/Dockerfile-prebuilt
+          sbom: true
+          provenance: true
+
       - name: Build and push container image (distroless)
-        uses: docker/build-push-action@v6
+        uses: depot/build-push-action@v1
         id: container-build-push-distroless
         with:
           context: .
+          file: docker/Dockerfile-distroless
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta-distroless.outputs.tags }}
           labels: ${{ steps.meta-distroless.outputs.labels }}
-          file: docker/Dockerfile-distroless
+          sbom: true
+          provenance: true
+
       - name: Binary attestation
         uses: actions/attest-build-provenance@v2
         with:
           subject-path: "backend/.bin/pocket-id-**"
+
       - name: Container image attestation
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
           subject-digest: ${{ steps.container-build-push.outputs.digest }}
           push-to-registry: true
+
       - name: Container image attestation (distroless)
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
           subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
           push-to-registry: true
       - name: Upload binaries to release
@@ -112,14 +146,12 @@ jobs:
         run: gh release upload ${{ github.ref_name }} backend/.bin/*
 
   publish-release:
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
     needs: [build]
-    permissions:
-      contents: write
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Mark release as published
         run: gh release edit ${{ github.ref_name }} --draft=false

.github/workflows/svelte-check.yml

@@ -21,28 +21,31 @@ on:
       - "frontend/svelte.config.js"
   workflow_dispatch:
 
+permissions:
+  contents: read
+  checks: write
+  pull-requests: write
+  id-token: write
+
 jobs:
   type-check:
     name: Run Svelte Check
     # Don't run on dependabot branches
     if: github.actor != 'dependabot[bot]'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      checks: write
-      pull-requests: write
+    runs-on: depot-ubuntu-latest
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 24
+          cache: "pnpm"
 
       - name: Install dependencies
         run: pnpm --filter pocket-id-frontend install --frozen-lockfile

.github/workflows/unit-tests.yml

@@ -9,14 +9,16 @@ on:
     paths:
       - "backend/**"
 
+permissions:
+  contents: read
+  id-token: write
+  actions: write
+
 jobs:
   test-backend:
-    permissions:
-      contents: read
-      actions: write
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: "backend/go.mod"

.github/workflows/update-aaguids.yml

@@ -8,14 +8,15 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  id-token: write
 
 jobs:
   update-aaguids:
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Fetch JSON data
         run: |

.version

@@ -1 +1 @@
-2.3.0
+2.2.0

CHANGELOG.md

@@ -1,44 +1,3 @@
-## v2.3.0
-
-### Bug Fixes
-
-- ENCRYPTION_KEY needed for version and help commands ([#1256](https://github.com/pocket-id/pocket-id/pull/1256) by @kmendell)
-- prevent deletion of OIDC provider logo for non admin/anonymous users ([#1267](https://github.com/pocket-id/pocket-id/pull/1267) by @HiMoritz)
-- add `type="url"` to url inputs ([bb7b0d5](https://github.com/pocket-id/pocket-id/commit/bb7b0d56084df49b6a003cc3eaf076884e2cbf60) by @stonith404)
-- increase rate limit for frontend and api requests ([aab7e36](https://github.com/pocket-id/pocket-id/commit/aab7e364e85f1ce13950da93cc50324328cdd96d) by @stonith404)
-- decode URL-encoded client ID and secret in Basic auth ([#1263](https://github.com/pocket-id/pocket-id/pull/1263) by @ypomortsev)
-- token endpoint must not accept params as query string args ([#1321](https://github.com/pocket-id/pocket-id/pull/1321) by @ItalyPaleAle)
-- left align input error messages ([b3fe143](https://github.com/pocket-id/pocket-id/commit/b3fe14313684f9d8c389ed93ea8e479e3681b5c6) by @stonith404)
-- disallow API key renewal and creation with API key authentication ([#1334](https://github.com/pocket-id/pocket-id/pull/1334) by @stonith404)
-
-### Features
-
-- add VERSION_CHECK_DISABLED environment variable ([#1254](https://github.com/pocket-id/pocket-id/pull/1254) by @dihmandrake)
-- add support for HTTP/2 ([56afebc](https://github.com/pocket-id/pocket-id/commit/56afebc242be7ed14b58185425d6445bf18f640a) by @stonith404)
-- manageability of uncompressed geolite db file ([#1234](https://github.com/pocket-id/pocket-id/pull/1234) by @gucheen)
-- add JWT ID for generated tokens ([#1322](https://github.com/pocket-id/pocket-id/pull/1322) by @imnotjames)
-- current version api endpoint ([#1310](https://github.com/pocket-id/pocket-id/pull/1310) by @kmendell)
-
-### Other
-
-- bump @sveltejs/kit from 2.49.2 to 2.49.5 in the npm_and_yarn group across 1 directory ([#1240](https://github.com/pocket-id/pocket-id/pull/1240) by @dependabot[bot])
-- bump svelte from 5.46.1 to 5.46.4 in the npm_and_yarn group across 1 directory ([#1242](https://github.com/pocket-id/pocket-id/pull/1242) by @dependabot[bot])
-- bump devalue to 5.6.2 ([9dbc02e](https://github.com/pocket-id/pocket-id/commit/9dbc02e56871b2de6a39c443e1455efc26a949f7) by @kmendell)
-- upgrade deps ([4811625](https://github.com/pocket-id/pocket-id/commit/4811625cdd64b47ea67b7a9b03396e455896ccd6) by @kmendell)
-- add Estonian files ([53ef61a](https://github.com/pocket-id/pocket-id/commit/53ef61a3e5c4b77edec49d41ab94302bfec84269) by @kmendell)
-- update AAGUIDs ([#1257](https://github.com/pocket-id/pocket-id/pull/1257) by @github-actions[bot])
-- add Norwegian language files ([80558c5](https://github.com/pocket-id/pocket-id/commit/80558c562533e7b4d658d5baa4221d8cd209b47d) by @stonith404)
-- run formatter ([60825c5](https://github.com/pocket-id/pocket-id/commit/60825c5743b0e233ab622fd4d0ea04eb7ab59529) by @kmendell)
-- bump axios from 1.13.2 to 1.13.5 in the npm_and_yarn group across 1 directory ([#1309](https://github.com/pocket-id/pocket-id/pull/1309) by @dependabot[bot])
-- update dependenicies ([94a4897](https://github.com/pocket-id/pocket-id/commit/94a48977ba24e099b6221838d620c365eb1d4bf4) by @kmendell)
-- update AAGUIDs ([#1316](https://github.com/pocket-id/pocket-id/pull/1316) by @github-actions[bot])
-- bump svelte from 5.46.4 to 5.51.5 in the npm_and_yarn group across 1 directory ([#1324](https://github.com/pocket-id/pocket-id/pull/1324) by @dependabot[bot])
-- bump @sveltejs/kit from 2.49.5 to 2.52.2 in the npm_and_yarn group across 1 directory ([#1327](https://github.com/pocket-id/pocket-id/pull/1327) by @dependabot[bot])
-- upgrade dependencies ([0678699](https://github.com/pocket-id/pocket-id/commit/0678699d0cce5448c425b2c16bedab5fc242cbf0) by @stonith404)
-- upgrade to node 24 and go 1.26.0 ([#1328](https://github.com/pocket-id/pocket-id/pull/1328) by @kmendell)
-
-**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v2.2.0...v2.3.0
-
 ## v2.2.0
 
 ### Bug Fixes

backend/frontend/frontend_included.go

@@ -8,10 +8,8 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
-	"mime"
 	"net/http"
 	"os"
-	"path"
 	"strings"
 	"time"
 
@@ -60,16 +58,9 @@ func RegisterFrontend(router *gin.Engine, rateLimitMiddleware gin.HandlerFunc) e
 		return fmt.Errorf("failed to create sub FS: %w", err)
 	}
 
-	// Load a map of all files to see which ones are available pre-compressed
-	preCompressed, err := listPreCompressedAssets(distFS)
-	if err != nil {
-		return fmt.Errorf("failed to index pre-compressed frontend assets: %w", err)
-	}
+	cacheMaxAge := time.Hour * 24
+	fileServer := NewFileServerWithCaching(http.FS(distFS), int(cacheMaxAge.Seconds()))
 
-	// Init the file server
-	fileServer := NewFileServerWithCaching(http.FS(distFS), preCompressed)
-
-	// Handler for Gin
 	handler := func(c *gin.Context) {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")
 
@@ -117,138 +108,34 @@ func RegisterFrontend(router *gin.Engine, rateLimitMiddleware gin.HandlerFunc) e
 type FileServerWithCaching struct {
 	root                    http.FileSystem
 	lastModified            time.Time
+	cacheMaxAge             int
 	lastModifiedHeaderValue string
-	preCompressed           preCompressedMap
+	cacheControlHeaderValue string
 }
 
-func NewFileServerWithCaching(root http.FileSystem, preCompressed preCompressedMap) *FileServerWithCaching {
+func NewFileServerWithCaching(root http.FileSystem, maxAge int) *FileServerWithCaching {
 	return &FileServerWithCaching{
 		root:                    root,
 		lastModified:            time.Now(),
+		cacheMaxAge:             maxAge,
 		lastModifiedHeaderValue: time.Now().UTC().Format(http.TimeFormat),
-		preCompressed:           preCompressed,
+		cacheControlHeaderValue: fmt.Sprintf("public, max-age=%d", maxAge),
 	}
 }
 
 func (f *FileServerWithCaching) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// First, set cache headers
-	// Check if the request is for an immutable asset
-	if isImmutableAsset(r) {
-		// Set the cache control header as immutable with a long expiration
-		w.Header().Set("Cache-Control", "public, max-age=31536000, immutable")
-	} else {
-		// Check if the client has a cached version
-		ifModifiedSince := r.Header.Get("If-Modified-Since")
-		if ifModifiedSince != "" {
-			ifModifiedSinceTime, err := time.Parse(http.TimeFormat, ifModifiedSince)
-			if err == nil && f.lastModified.Before(ifModifiedSinceTime.Add(1*time.Second)) {
-				// Client's cached version is up to date
-				w.WriteHeader(http.StatusNotModified)
-				return
-			}
-		}
-
-		// Cache other assets for up to 24 hours, but set Last-Modified too
-		w.Header().Set("Last-Modified", f.lastModifiedHeaderValue)
-		w.Header().Set("Cache-Control", "public, max-age=86400")
-	}
-
-	// Check if the asset is available pre-compressed
-	_, ok := f.preCompressed[r.URL.Path]
-	if ok {
-		// Add a "Vary" with "Accept-Encoding" so CDNs are aware that content is pre-compressed
-		w.Header().Add("Vary", "Accept-Encoding")
-
-		// Select the encoding if any
-		ext, ce := f.selectEncoding(r)
-		if ext != "" {
-			// Set the content type explicitly before changing the path
-			ct := mime.TypeByExtension(path.Ext(r.URL.Path))
-			if ct != "" {
-				w.Header().Set("Content-Type", ct)
-			}
-
-			// Make the serve return the encoded content
-			w.Header().Set("Content-Encoding", ce)
-			r.URL.Path += "." + ext
+	// Check if the client has a cached version
+	if ifModifiedSince := r.Header.Get("If-Modified-Since"); ifModifiedSince != "" {
+		ifModifiedSinceTime, err := time.Parse(http.TimeFormat, ifModifiedSince)
+		if err == nil && f.lastModified.Before(ifModifiedSinceTime.Add(1*time.Second)) {
+			// Client's cached version is up to date
+			w.WriteHeader(http.StatusNotModified)
+			return
 		}
 	}
 
+	w.Header().Set("Last-Modified", f.lastModifiedHeaderValue)
+	w.Header().Set("Cache-Control", f.cacheControlHeaderValue)
+
 	http.FileServer(f.root).ServeHTTP(w, r)
 }
-
-func (f *FileServerWithCaching) selectEncoding(r *http.Request) (ext string, contentEnc string) {
-	available, ok := f.preCompressed[r.URL.Path]
-	if !ok {
-		return "", ""
-	}
-
-	// Check if the client accepts compressed files
-	acceptEncoding := strings.TrimSpace(strings.ToLower(r.Header.Get("Accept-Encoding")))
-	if acceptEncoding == "" {
-		return "", ""
-	}
-
-	// Prefer brotli over gzip when both are accepted.
-	if available.br && (acceptEncoding == "*" || acceptEncoding == "br" || strings.Contains(acceptEncoding, "br")) {
-		return "br", "br"
-	}
-	if available.gz && (acceptEncoding == "gzip" || strings.Contains(acceptEncoding, "gzip")) {
-		return "gz", "gzip"
-	}
-
-	return "", ""
-}
-
-func isImmutableAsset(r *http.Request) bool {
-	switch {
-	// Fonts
-	case strings.HasPrefix(r.URL.Path, "/fonts/"):
-		return true
-
-	// Compiled SvelteKit assets
-	case strings.HasPrefix(r.URL.Path, "/_app/immutable/"):
-		return true
-
-	default:
-		return false
-	}
-}
-
-type preCompressedMap map[string]struct {
-	br bool
-	gz bool
-}
-
-func listPreCompressedAssets(distFS fs.FS) (preCompressedMap, error) {
-	preCompressed := make(preCompressedMap, 0)
-	err := fs.WalkDir(distFS, ".", func(path string, d fs.DirEntry, walkErr error) error {
-		if walkErr != nil {
-			return walkErr
-		}
-
-		if d.IsDir() {
-			return nil
-		}
-
-		switch {
-		case strings.HasSuffix(path, ".br"):
-			originalPath := "/" + strings.TrimSuffix(path, ".br")
-			entry := preCompressed[originalPath]
-			entry.br = true
-			preCompressed[originalPath] = entry
-		case strings.HasSuffix(path, ".gz"):
-			originalPath := "/" + strings.TrimSuffix(path, ".gz")
-			entry := preCompressed[originalPath]
-			entry.gz = true
-			preCompressed[originalPath] = entry
-		}
-
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	return preCompressed, nil
-}

backend/internal/common/errors.go

@@ -280,13 +280,6 @@ func (e *APIKeyExpirationDateError) Error() string {
 }
 func (e *APIKeyExpirationDateError) HttpStatusCode() int { return http.StatusBadRequest }
 
-type APIKeyAuthNotAllowedError struct{}
-
-func (e *APIKeyAuthNotAllowedError) Error() string {
-	return "API key authentication is not allowed for this endpoint"
-}
-func (e *APIKeyAuthNotAllowedError) HttpStatusCode() int { return http.StatusForbidden }
-
 type OidcInvalidRefreshTokenError struct{}
 
 func (e *OidcInvalidRefreshTokenError) Error() string {

backend/internal/controller/api_key_controller.go

@@ -26,11 +26,12 @@ func NewApiKeyController(group *gin.RouterGroup, authMiddleware *middleware.Auth
 	uc := &ApiKeyController{apiKeyService: apiKeyService}
 
 	apiKeyGroup := group.Group("/api-keys")
+	apiKeyGroup.Use(authMiddleware.WithAdminNotRequired().Add())
 	{
-		apiKeyGroup.GET("", authMiddleware.WithAdminNotRequired().Add(), uc.listApiKeysHandler)
-		apiKeyGroup.POST("", authMiddleware.WithAdminNotRequired().WithApiKeyAuthDisabled().Add(), uc.createApiKeyHandler)
-		apiKeyGroup.POST("/:id/renew", authMiddleware.WithAdminNotRequired().WithApiKeyAuthDisabled().Add(), uc.renewApiKeyHandler)
-		apiKeyGroup.DELETE("/:id", authMiddleware.WithAdminNotRequired().Add(), uc.revokeApiKeyHandler)
+		apiKeyGroup.GET("", uc.listApiKeysHandler)
+		apiKeyGroup.POST("", uc.createApiKeyHandler)
+		apiKeyGroup.POST("/:id/renew", uc.renewApiKeyHandler)
+		apiKeyGroup.DELETE("/:id", uc.revokeApiKeyHandler)
 	}
 }
 

backend/internal/middleware/auth_middleware.go

@@ -18,7 +18,6 @@ type AuthMiddleware struct {
 type AuthOptions struct {
 	AdminRequired   bool
 	SuccessOptional bool
-	AllowApiKeyAuth bool
 }
 
 func NewAuthMiddleware(
@@ -32,7 +31,6 @@ func NewAuthMiddleware(
 		options: AuthOptions{
 			AdminRequired:   true,
 			SuccessOptional: false,
-			AllowApiKeyAuth: true,
 		},
 	}
 }
@@ -61,17 +59,6 @@ func (m *AuthMiddleware) WithSuccessOptional() *AuthMiddleware {
 	return clone
 }
 
-// WithApiKeyAuthDisabled disables API key authentication fallback and requires JWT auth.
-func (m *AuthMiddleware) WithApiKeyAuthDisabled() *AuthMiddleware {
-	clone := &AuthMiddleware{
-		apiKeyMiddleware: m.apiKeyMiddleware,
-		jwtMiddleware:    m.jwtMiddleware,
-		options:          m.options,
-	}
-	clone.options.AllowApiKeyAuth = false
-	return clone
-}
-
 func (m *AuthMiddleware) Add() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		userID, isAdmin, err := m.jwtMiddleware.Verify(c, m.options.AdminRequired)
@@ -92,21 +79,6 @@ func (m *AuthMiddleware) Add() gin.HandlerFunc {
 			return
 		}
 
-		if !m.options.AllowApiKeyAuth {
-			if m.options.SuccessOptional {
-				c.Next()
-				return
-			}
-
-			c.Abort()
-			if c.GetHeader("X-API-Key") != "" {
-				_ = c.Error(&common.APIKeyAuthNotAllowedError{})
-				return
-			}
-			_ = c.Error(err)
-			return
-		}
-
 		// JWT auth failed, try API key auth
 		userID, isAdmin, err = m.apiKeyMiddleware.Verify(c, m.options.AdminRequired)
 		if err == nil {

backend/internal/middleware/auth_middleware_test.go

@@ -1,104 +0,0 @@
-package middleware
-
-import (
-	"encoding/json"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	"github.com/stretchr/testify/require"
-	"gorm.io/gorm"
-
-	"github.com/pocket-id/pocket-id/backend/internal/common"
-	"github.com/pocket-id/pocket-id/backend/internal/dto"
-	"github.com/pocket-id/pocket-id/backend/internal/model"
-	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
-	"github.com/pocket-id/pocket-id/backend/internal/service"
-	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
-)
-
-func TestWithApiKeyAuthDisabled(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	originalEnvConfig := common.EnvConfig
-	defer func() {
-		common.EnvConfig = originalEnvConfig
-	}()
-	common.EnvConfig.AppURL = "https://test.example.com"
-	common.EnvConfig.EncryptionKey = []byte("0123456789abcdef0123456789abcdef")
-
-	db := testutils.NewDatabaseForTest(t)
-
-	appConfigService, err := service.NewAppConfigService(t.Context(), db)
-	require.NoError(t, err)
-
-	jwtService, err := service.NewJwtService(t.Context(), db, appConfigService)
-	require.NoError(t, err)
-
-	userService := service.NewUserService(db, jwtService, nil, nil, appConfigService, nil, nil, nil, nil)
-	apiKeyService, err := service.NewApiKeyService(t.Context(), db, nil)
-	require.NoError(t, err)
-
-	authMiddleware := NewAuthMiddleware(apiKeyService, userService, jwtService)
-
-	user := createUserForAuthMiddlewareTest(t, db)
-	jwtToken, err := jwtService.GenerateAccessToken(user)
-	require.NoError(t, err)
-
-	_, apiKeyToken, err := apiKeyService.CreateApiKey(t.Context(), user.ID, dto.ApiKeyCreateDto{
-		Name:      "Middleware API Key",
-		ExpiresAt: datatype.DateTime(time.Now().Add(24 * time.Hour)),
-	})
-	require.NoError(t, err)
-
-	router := gin.New()
-	router.Use(NewErrorHandlerMiddleware().Add())
-	router.GET("/api/protected", authMiddleware.WithAdminNotRequired().WithApiKeyAuthDisabled().Add(), func(c *gin.Context) {
-		c.Status(http.StatusNoContent)
-	})
-
-	t.Run("rejects API key auth when API key auth is disabled", func(t *testing.T) {
-		req := httptest.NewRequest(http.MethodGet, "/api/protected", nil)
-		req.Header.Set("X-API-Key", apiKeyToken)
-		recorder := httptest.NewRecorder()
-
-		router.ServeHTTP(recorder, req)
-
-		require.Equal(t, http.StatusForbidden, recorder.Code)
-
-		var body map[string]string
-		err := json.Unmarshal(recorder.Body.Bytes(), &body)
-		require.NoError(t, err)
-		require.Equal(t, "API key authentication is not allowed for this endpoint", body["error"])
-	})
-
-	t.Run("allows JWT auth when API key auth is disabled", func(t *testing.T) {
-		req := httptest.NewRequest(http.MethodGet, "/api/protected", nil)
-		req.Header.Set("Authorization", "Bearer "+jwtToken)
-		recorder := httptest.NewRecorder()
-
-		router.ServeHTTP(recorder, req)
-
-		require.Equal(t, http.StatusNoContent, recorder.Code)
-	})
-}
-
-func createUserForAuthMiddlewareTest(t *testing.T, db *gorm.DB) model.User {
-	t.Helper()
-
-	email := "auth@example.com"
-	user := model.User{
-		Username:    "auth-user",
-		Email:       &email,
-		FirstName:   "Auth",
-		LastName:    "User",
-		DisplayName: "Auth User",
-	}
-
-	err := db.Create(&user).Error
-	require.NoError(t, err)
-
-	return user
-}

backend/internal/service/api_key_service.go

@@ -77,9 +77,6 @@ func (s *ApiKeyService) CreateApiKey(ctx context.Context, userID string, input d
 		Create(&apiKey).
 		Error
 	if err != nil {
-		if errors.Is(err, gorm.ErrDuplicatedKey) {
-			return model.ApiKey{}, "", &common.AlreadyInUseError{Property: "API key name"}
-		}
 		return model.ApiKey{}, "", err
 	}
 

depot.json

@@ -0,0 +1 @@
+{ "id": "c36t29j6bz" }

frontend/.prettierignore

@@ -5,5 +5,4 @@ yarn.lock
 
 # Compiled files
 .svelte-kit/
-build/
-src/lib/paraglide/messages
+build/

frontend/messages/uk.json

@@ -457,59 +457,59 @@
 	"custom_client_id_description": "Встановіть власний ідентифікатор клієнта, якщо це вимагається вашим застосунком. В іншому випадку залиште поле порожнім, щоб згенерувати випадковий.",
 	"generated": "Створено",
 	"administration": "Адміністрування",
-	"group_rdn_attribute_description": "Атрибут, який використовується в DN (Distinguished Name) групи.",
+	"group_rdn_attribute_description": "Атрибут, що використовується в розрізнювальному імені групи (DN).",
 	"display_name_attribute": "Атрибут імені для відображення",
 	"display_name": "Ім'я для відображення",
 	"configure_application_images": "Налаштування зображень застосунку",
-	"ui_config_disabled_info_title": "Налаштування через UI вимкнено",
-	"ui_config_disabled_info_description": "Налаштування через UI вимкнено, оскільки параметри конфігурації застосунку керуються через змінні середовища. Деякі налаштування можуть бути недоступні для редагування.",
+	"ui_config_disabled_info_title": "Конфігурація інтерфейсу користувача вимкнена",
+	"ui_config_disabled_info_description": "Конфігурація інтерфейсу користувача вимкнена, оскільки налаштування конфігурації програми керуються через змінні середовища. Деякі налаштування можуть бути недоступними для редагування.",
 	"logo_from_url_description": "Вставте пряму URL-адресу зображення (svg, png, webp). Знайдіть іконки на <link  href=\"https://selfh.st/icons\">Selfh.st Icons</link> або <link href=\"https://dashboardicons.com\">Dashboard Icons</link>.",
 	"invalid_url": "Недійсна URL-адреса",
 	"require_user_email": "Потрібна адреса електронної пошти",
-	"require_user_email_description": "Вимагає наявності електронної адреси у користувачів. Якщо вимкнено, користувачі без електронної адреси не зможуть користуватися функціями, які її вимагають.",
+	"require_user_email_description": "Вимагає від користувачів наявність адреси електронної пошти. Якщо ця опція вимкнена, користувачі без адреси електронної пошти не зможуть користуватися функціями, для яких потрібна адреса електронної пошти.",
 	"view": "Перегляд",
-	"toggle_columns": "Налаштувати стовпці",
-	"locale": "Мова",
+	"toggle_columns": "Перемикання стовпців",
+	"locale": "Локаль",
 	"ldap_id": "LDAP-ідентифікатор",
-	"reauthentication": "Повторна автентифікація",
+	"reauthentication": "Повторна аутентифікація",
 	"clear_filters": "Очистити фільтри",
 	"default_profile_picture": "Стандартне зображення профілю",
 	"light": "Світла",
 	"dark": "Темна",
 	"system": "Системна",
 	"signup_token_user_groups_description": "Автоматично призначати ці групи користувачам, які реєструються за допомогою цього токена.",
-	"allowed_oidc_clients": "Дозволені OIDC-клієнти",
-	"allowed_oidc_clients_description": "Оберіть OIDC-клієнти, до яких дозволено вхід членам цієї групи користувачів.",
+	"allowed_oidc_clients": "Дозволені клієнти OIDC",
+	"allowed_oidc_clients_description": "Виберіть клієнти OIDC, до яких члени цієї групи користувачів мають право входити.",
 	"unrestrict_oidc_client": "Не обмежувати {clientName}",
-	"confirm_unrestrict_oidc_client_description": "Ви впевнені, що хочете зняти обмеження з OIDC-клієнта <b>{clientName}</b>? Це видалить усі призначення груп для цього клієнта, і будь-який користувач зможе виконати вхід.",
-	"allowed_oidc_clients_updated_successfully": "Дозволені OIDC-клієнти успішно оновлено",
+	"confirm_unrestrict_oidc_client_description": "Ви впевнені, що хочете зняти обмеження з клієнта OIDC <b>{clientName}</b>? Це призведе до видалення всіх групових призначень для цього клієнта, і будь-який користувач зможе увійти в систему.",
+	"allowed_oidc_clients_updated_successfully": "Дозволені клієнти OIDC успішно оновлені",
 	"yes": "Так",
 	"no": "Ні",
 	"restricted": "Обмежений",
-	"scim_provisioning": "Синхронізація SCIM",
-	"scim_provisioning_description": "Постачання користувачів через SCIM дозволяє автоматично додавати та видаляти користувачів і групи у вашому OIDC-клієнті. Дізнайтеся більше у <link href='https://pocket-id.org/docs/configuration/scim'>документації</link>.",
+	"scim_provisioning": "Надання SCIM",
+	"scim_provisioning_description": "SCIM-провізінінг дозволяє автоматично надавати та скасовувати доступ користувачам і групам з вашого клієнта OIDC. Дізнайтеся більше в <link href='https://pocket-id.org/docs/configuration/scim'>документації</link>.",
 	"scim_endpoint": "Кінцева точка SCIM",
 	"scim_token": "Токен SCIM",
 	"last_successful_sync_at": "Остання успішна синхронізація: {time}",
-	"scim_configuration_updated_successfully": "Конфігурацію SCIM успішно оновлено.",
-	"scim_enabled_successfully": "Синхронізація SCIM успішно увімкнено.",
-	"scim_disabled_successfully": "Синхронізація SCIM успішно вимкнено.",
-	"disable_scim_provisioning": "Вимкнути SCIM синхронізацію",
-	"disable_scim_provisioning_confirm_description": "Ви впевнені, що хочете вимкнути постачання користувачів через SCIM для <b>{clientName}</b>? Це зупинить автоматичне додавання та видалення користувачів і груп.",
+	"scim_configuration_updated_successfully": "Конфігурація SCIM успішно оновлена.",
+	"scim_enabled_successfully": "SCIM успішно увімкнено.",
+	"scim_disabled_successfully": "SCIM успішно вимкнено.",
+	"disable_scim_provisioning": "Вимкнути надання SCIM",
+	"disable_scim_provisioning_confirm_description": "Ви впевнені, що хочете вимкнути надання доступу SCIM для <b>{clientName}</b>? Це зупинить всі автоматичні процеси надання та скасування доступу для користувачів і груп.",
 	"scim_sync_failed": "Синхронізація SCIM не вдалася. Перевірте журнали сервера для отримання додаткової інформації.",
 	"scim_sync_successful": "Синхронізація SCIM успішно завершена.",
 	"save_and_sync": "Зберегти та синхронізувати",
-	"scim_save_changes_description": "Необхідно зберегти зміни перед запуском синхронізації SCIM. Бажаєте зберегти зараз?",
+	"scim_save_changes_description": "Перед початком синхронізації SCIM необхідно зберегти зміни. Чи хочете ви зберегти зараз?",
 	"scopes": "Області застосування",
 	"issuer_url": "URL емітента",
-	"smtp_field_required_when_other_provided": "Обов'язково, якщо вказано будь-який параметр SMTP",
-	"smtp_field_required_when_email_enabled": "Обов'язково, якщо увімкнено сповіщення електронною поштою",
+	"smtp_field_required_when_other_provided": "Необхідно, якщо вказано будь-яке налаштування SMTP",
+	"smtp_field_required_when_email_enabled": "Необхідно, якщо увімкнено сповіщення електронною поштою",
 	"renew": "Оновити",
 	"renew_api_key": "Оновити API-ключ",
 	"renew_api_key_description": "Оновлення API-ключа призведе до створення нового ключа. Обов'язково оновіть усі інтеграції, що використовують цей ключ.",
 	"api_key_renewed": "API-ключ оновлено",
 	"app_config_home_page": "Головна сторінка",
-	"app_config_home_page_description": "Сторінка, на яку користувачі перенаправляються після входу.",
+	"app_config_home_page_description": "Сторінка, на яку перенаправляють користувачів після входу в систему.",
 	"email_verification_warning": "Підтвердьте свою адресу електронної пошти",
 	"email_verification_warning_description": "Ваша електронна адреса ще не підтверджена. Будь ласка, підтвердьте її якомога швидше.",
 	"email_verification": "Перевірка електронної адреси",

frontend/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "pocket-id-frontend",
-	"version": "2.3.0",
+	"version": "2.2.0",
 	"private": true,
 	"type": "module",
 	"scripts": {
@@ -58,7 +58,6 @@
 		"tw-animate-css": "^1.4.0",
 		"typescript": "^5.9.3",
 		"typescript-eslint": "^8.56.0",
-		"vite": "^7.3.1",
-		"vite-plugin-compression": "^0.5.1"
+		"vite": "^7.3.1"
 	}
 }

frontend/vite.config.ts

@@ -2,47 +2,28 @@ import { paraglideVitePlugin } from '@inlang/paraglide-js';
 import { sveltekit } from '@sveltejs/kit/vite';
 import tailwindcss from '@tailwindcss/vite';
 import { defineConfig } from 'vite';
-import viteCompression from 'vite-plugin-compression';
 
-export default defineConfig((mode) => {
-	return {
-		plugins: [
-			sveltekit(),
-			tailwindcss(),
-			paraglideVitePlugin({
-				project: './project.inlang',
-				outdir: './src/lib/paraglide',
-				cookieName: 'locale',
-				strategy: ['cookie', 'preferredLanguage', 'baseLocale']
-			}),
+export default defineConfig({
+	plugins: [
+		sveltekit(),
+		tailwindcss(),
+		paraglideVitePlugin({
+			project: './project.inlang',
+			outdir: './src/lib/paraglide',
+			cookieName: 'locale',
+			strategy: ['cookie', 'preferredLanguage', 'baseLocale']
+		})
+	],
 
-			// Create gzip-compressed files
-			viteCompression({
-				disable: mode.isPreview,
-				algorithm: 'gzip',
-				ext: '.gz',
-				filter:  /\.(js|mjs|json|css)$/i
-			}),
-
-			// Create brotli-compressed files
-			viteCompression({
-				disable: mode.isPreview,
-				algorithm: 'brotliCompress',
-				ext: '.br',
-				filter:  /\.(js|mjs|json|css)$/i
-			})
-		],
-
-		server: {
-			host: process.env.HOST,
-			proxy: {
-				'/api': {
-					target: process.env.DEVELOPMENT_BACKEND_URL || 'http://localhost:1411'
-				},
-				'/.well-known': {
-					target: process.env.DEVELOPMENT_BACKEND_URL || 'http://localhost:1411'
-				}
+	server: {
+		host: process.env.HOST,
+		proxy: {
+			'/api': {
+				target: process.env.DEVELOPMENT_BACKEND_URL || 'http://localhost:1411'
+			},
+			'/.well-known': {
+				target: process.env.DEVELOPMENT_BACKEND_URL || 'http://localhost:1411'
 			}
 		}
-	};
+	}
 });

pnpm-lock.yaml

@@ -184,9 +184,6 @@ importers:
       vite:
         specifier: ^7.3.1
         version: 7.3.1(@types/node@24.10.13)(jiti@2.6.1)(lightningcss@1.31.1)(terser@5.44.0)(tsx@4.21.0)(yaml@2.8.1)
-      vite-plugin-compression:
-        specifier: ^0.5.1
-        version: 0.5.1(vite@7.3.1(@types/node@24.10.13)(jiti@2.6.1)(lightningcss@1.31.1)(terser@5.44.0)(tsx@4.21.0)(yaml@2.8.1))
 
   tests:
     dependencies:
@@ -835,105 +832,89 @@ packages:
     resolution: {integrity: sha512-excjX8DfsIcJ10x1Kzr4RcWe1edC9PquDRRPx3YVCvQv+U5p7Yin2s32ftzikXojb1PIFc/9Mt28/y+iRklkrw==}
     cpu: [arm64]
     os: [linux]
-    libc: [glibc]
 
   '@img/sharp-libvips-linux-arm@1.2.4':
     resolution: {integrity: sha512-bFI7xcKFELdiNCVov8e44Ia4u2byA+l3XtsAj+Q8tfCwO6BQ8iDojYdvoPMqsKDkuoOo+X6HZA0s0q11ANMQ8A==}
     cpu: [arm]
     os: [linux]
-    libc: [glibc]
 
   '@img/sharp-libvips-linux-ppc64@1.2.4':
     resolution: {integrity: sha512-FMuvGijLDYG6lW+b/UvyilUWu5Ayu+3r2d1S8notiGCIyYU/76eig1UfMmkZ7vwgOrzKzlQbFSuQfgm7GYUPpA==}
     cpu: [ppc64]
     os: [linux]
-    libc: [glibc]
 
   '@img/sharp-libvips-linux-riscv64@1.2.4':
     resolution: {integrity: sha512-oVDbcR4zUC0ce82teubSm+x6ETixtKZBh/qbREIOcI3cULzDyb18Sr/Wcyx7NRQeQzOiHTNbZFF1UwPS2scyGA==}
     cpu: [riscv64]
     os: [linux]
-    libc: [glibc]
 
   '@img/sharp-libvips-linux-s390x@1.2.4':
     resolution: {integrity: sha512-qmp9VrzgPgMoGZyPvrQHqk02uyjA0/QrTO26Tqk6l4ZV0MPWIW6LTkqOIov+J1yEu7MbFQaDpwdwJKhbJvuRxQ==}
     cpu: [s390x]
     os: [linux]
-    libc: [glibc]
 
   '@img/sharp-libvips-linux-x64@1.2.4':
     resolution: {integrity: sha512-tJxiiLsmHc9Ax1bz3oaOYBURTXGIRDODBqhveVHonrHJ9/+k89qbLl0bcJns+e4t4rvaNBxaEZsFtSfAdquPrw==}
     cpu: [x64]
     os: [linux]
-    libc: [glibc]
 
   '@img/sharp-libvips-linuxmusl-arm64@1.2.4':
     resolution: {integrity: sha512-FVQHuwx1IIuNow9QAbYUzJ+En8KcVm9Lk5+uGUQJHaZmMECZmOlix9HnH7n1TRkXMS0pGxIJokIVB9SuqZGGXw==}
     cpu: [arm64]
     os: [linux]
-    libc: [musl]
 
   '@img/sharp-libvips-linuxmusl-x64@1.2.4':
     resolution: {integrity: sha512-+LpyBk7L44ZIXwz/VYfglaX/okxezESc6UxDSoyo2Ks6Jxc4Y7sGjpgU9s4PMgqgjj1gZCylTieNamqA1MF7Dg==}
     cpu: [x64]
     os: [linux]
-    libc: [musl]
 
   '@img/sharp-linux-arm64@0.34.5':
     resolution: {integrity: sha512-bKQzaJRY/bkPOXyKx5EVup7qkaojECG6NLYswgktOZjaXecSAeCWiZwwiFf3/Y+O1HrauiE3FVsGxFg8c24rZg==}
     engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
     cpu: [arm64]
     os: [linux]
-    libc: [glibc]
 
   '@img/sharp-linux-arm@0.34.5':
     resolution: {integrity: sha512-9dLqsvwtg1uuXBGZKsxem9595+ujv0sJ6Vi8wcTANSFpwV/GONat5eCkzQo/1O6zRIkh0m/8+5BjrRr7jDUSZw==}
     engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
     cpu: [arm]
     os: [linux]
-    libc: [glibc]
 
   '@img/sharp-linux-ppc64@0.34.5':
     resolution: {integrity: sha512-7zznwNaqW6YtsfrGGDA6BRkISKAAE1Jo0QdpNYXNMHu2+0dTrPflTLNkpc8l7MUP5M16ZJcUvysVWWrMefZquA==}
     engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
     cpu: [ppc64]
     os: [linux]
-    libc: [glibc]
 
   '@img/sharp-linux-riscv64@0.34.5':
     resolution: {integrity: sha512-51gJuLPTKa7piYPaVs8GmByo7/U7/7TZOq+cnXJIHZKavIRHAP77e3N2HEl3dgiqdD/w0yUfiJnII77PuDDFdw==}
     engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
     cpu: [riscv64]
     os: [linux]
-    libc: [glibc]
 
   '@img/sharp-linux-s390x@0.34.5':
     resolution: {integrity: sha512-nQtCk0PdKfho3eC5MrbQoigJ2gd1CgddUMkabUj+rBevs8tZ2cULOx46E7oyX+04WGfABgIwmMC0VqieTiR4jg==}
     engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
     cpu: [s390x]
     os: [linux]
-    libc: [glibc]
 
   '@img/sharp-linux-x64@0.34.5':
     resolution: {integrity: sha512-MEzd8HPKxVxVenwAa+JRPwEC7QFjoPWuS5NZnBt6B3pu7EG2Ge0id1oLHZpPJdn3OQK+BQDiw9zStiHBTJQQQQ==}
     engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
     cpu: [x64]
     os: [linux]
-    libc: [glibc]
 
   '@img/sharp-linuxmusl-arm64@0.34.5':
     resolution: {integrity: sha512-fprJR6GtRsMt6Kyfq44IsChVZeGN97gTD331weR1ex1c1rypDEABN6Tm2xa1wE6lYb5DdEnk03NZPqA7Id21yg==}
     engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
     cpu: [arm64]
     os: [linux]
-    libc: [musl]
 
   '@img/sharp-linuxmusl-x64@0.34.5':
     resolution: {integrity: sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q==}
     engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
     cpu: [x64]
     os: [linux]
-    libc: [musl]
 
   '@img/sharp-wasm32@0.34.5':
     resolution: {integrity: sha512-OdWTEiVkY2PHwqkbBI8frFxQQFekHaSSkUIJkwzclWZe64O1X4UlUjqqqLaPbUpMOQk6FBu/HtlGXNblIs0huw==}
@@ -1029,28 +1010,24 @@ packages:
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [linux]
-    libc: [glibc]
 
   '@next/swc-linux-arm64-musl@16.1.6':
     resolution: {integrity: sha512-S4J2v+8tT3NIO9u2q+S0G5KdvNDjXfAv06OhfOzNDaBn5rw84DGXWndOEB7d5/x852A20sW1M56vhC/tRVbccQ==}
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [linux]
-    libc: [musl]
 
   '@next/swc-linux-x64-gnu@16.1.6':
     resolution: {integrity: sha512-2eEBDkFlMMNQnkTyPBhQOAyn2qMxyG2eE7GPH2WIDGEpEILcBPI/jdSv4t6xupSP+ot/jkfrCShLAa7+ZUPcJQ==}
     engines: {node: '>= 10'}
     cpu: [x64]
     os: [linux]
-    libc: [glibc]
 
   '@next/swc-linux-x64-musl@16.1.6':
     resolution: {integrity: sha512-oicJwRlyOoZXVlxmIMaTq7f8pN9QNbdes0q2FXfRsPhfCi8n8JmOZJm5oo1pwDaFbnnD421rVU409M3evFbIqg==}
     engines: {node: '>= 10'}
     cpu: [x64]
     os: [linux]
-    libc: [musl]
 
   '@next/swc-win32-arm64-msvc@16.1.6':
     resolution: {integrity: sha512-gQmm8izDTPgs+DCWH22kcDmuUp7NyiJgEl18bcr8irXA5N2m2O+JQIr6f3ct42GOs9c0h8QF3L5SzIxcYAAXXw==}
@@ -1269,79 +1246,66 @@ packages:
     resolution: {integrity: sha512-t4ONHboXi/3E0rT6OZl1pKbl2Vgxf9vJfWgmUoCEVQVxhW6Cw/c8I6hbbu7DAvgp82RKiH7TpLwxnJeKv2pbsw==}
     cpu: [arm]
     os: [linux]
-    libc: [glibc]
 
   '@rollup/rollup-linux-arm-musleabihf@4.59.0':
     resolution: {integrity: sha512-CikFT7aYPA2ufMD086cVORBYGHffBo4K8MQ4uPS/ZnY54GKj36i196u8U+aDVT2LX4eSMbyHtyOh7D7Zvk2VvA==}
     cpu: [arm]
     os: [linux]
-    libc: [musl]
 
   '@rollup/rollup-linux-arm64-gnu@4.59.0':
     resolution: {integrity: sha512-jYgUGk5aLd1nUb1CtQ8E+t5JhLc9x5WdBKew9ZgAXg7DBk0ZHErLHdXM24rfX+bKrFe+Xp5YuJo54I5HFjGDAA==}
     cpu: [arm64]
     os: [linux]
-    libc: [glibc]
 
   '@rollup/rollup-linux-arm64-musl@4.59.0':
     resolution: {integrity: sha512-peZRVEdnFWZ5Bh2KeumKG9ty7aCXzzEsHShOZEFiCQlDEepP1dpUl/SrUNXNg13UmZl+gzVDPsiCwnV1uI0RUA==}
     cpu: [arm64]
     os: [linux]
-    libc: [musl]
 
   '@rollup/rollup-linux-loong64-gnu@4.59.0':
     resolution: {integrity: sha512-gbUSW/97f7+r4gHy3Jlup8zDG190AuodsWnNiXErp9mT90iCy9NKKU0Xwx5k8VlRAIV2uU9CsMnEFg/xXaOfXg==}
     cpu: [loong64]
     os: [linux]
-    libc: [glibc]
 
   '@rollup/rollup-linux-loong64-musl@4.59.0':
     resolution: {integrity: sha512-yTRONe79E+o0FWFijasoTjtzG9EBedFXJMl888NBEDCDV9I2wGbFFfJQQe63OijbFCUZqxpHz1GzpbtSFikJ4Q==}
     cpu: [loong64]
     os: [linux]
-    libc: [musl]
 
   '@rollup/rollup-linux-ppc64-gnu@4.59.0':
     resolution: {integrity: sha512-sw1o3tfyk12k3OEpRddF68a1unZ5VCN7zoTNtSn2KndUE+ea3m3ROOKRCZxEpmT9nsGnogpFP9x6mnLTCaoLkA==}
     cpu: [ppc64]
     os: [linux]
-    libc: [glibc]
 
   '@rollup/rollup-linux-ppc64-musl@4.59.0':
     resolution: {integrity: sha512-+2kLtQ4xT3AiIxkzFVFXfsmlZiG5FXYW7ZyIIvGA7Bdeuh9Z0aN4hVyXS/G1E9bTP/vqszNIN/pUKCk/BTHsKA==}
     cpu: [ppc64]
     os: [linux]
-    libc: [musl]
 
   '@rollup/rollup-linux-riscv64-gnu@4.59.0':
     resolution: {integrity: sha512-NDYMpsXYJJaj+I7UdwIuHHNxXZ/b/N2hR15NyH3m2qAtb/hHPA4g4SuuvrdxetTdndfj9b1WOmy73kcPRoERUg==}
     cpu: [riscv64]
     os: [linux]
-    libc: [glibc]
 
   '@rollup/rollup-linux-riscv64-musl@4.59.0':
     resolution: {integrity: sha512-nLckB8WOqHIf1bhymk+oHxvM9D3tyPndZH8i8+35p/1YiVoVswPid2yLzgX7ZJP0KQvnkhM4H6QZ5m0LzbyIAg==}
     cpu: [riscv64]
     os: [linux]
-    libc: [musl]
 
   '@rollup/rollup-linux-s390x-gnu@4.59.0':
     resolution: {integrity: sha512-oF87Ie3uAIvORFBpwnCvUzdeYUqi2wY6jRFWJAy1qus/udHFYIkplYRW+wo+GRUP4sKzYdmE1Y3+rY5Gc4ZO+w==}
     cpu: [s390x]
     os: [linux]
-    libc: [glibc]
 
   '@rollup/rollup-linux-x64-gnu@4.59.0':
     resolution: {integrity: sha512-3AHmtQq/ppNuUspKAlvA8HtLybkDflkMuLK4DPo77DfthRb71V84/c4MlWJXixZz4uruIH4uaa07IqoAkG64fg==}
     cpu: [x64]
     os: [linux]
-    libc: [glibc]
 
   '@rollup/rollup-linux-x64-musl@4.59.0':
     resolution: {integrity: sha512-2UdiwS/9cTAx7qIUZB/fWtToJwvt0Vbo0zmnYt7ED35KPg13Q0ym1g442THLC7VyI6JfYTP4PiSOWyoMdV2/xg==}
     cpu: [x64]
     os: [linux]
-    libc: [musl]
 
   '@rollup/rollup-openbsd-x64@4.59.0':
     resolution: {integrity: sha512-M3bLRAVk6GOwFlPTIxVBSYKUaqfLrn8l0psKinkCFxl4lQvOSz8ZrKDz2gxcBwHFpci0B6rttydI4IpS4IS/jQ==}
@@ -1486,28 +1450,24 @@ packages:
     engines: {node: '>= 20'}
     cpu: [arm64]
     os: [linux]
-    libc: [glibc]
 
   '@tailwindcss/oxide-linux-arm64-musl@4.2.0':
     resolution: {integrity: sha512-XKcSStleEVnbH6W/9DHzZv1YhjE4eSS6zOu2eRtYAIh7aV4o3vIBs+t/B15xlqoxt6ef/0uiqJVB6hkHjWD/0A==}
     engines: {node: '>= 20'}
     cpu: [arm64]
     os: [linux]
-    libc: [musl]
 
   '@tailwindcss/oxide-linux-x64-gnu@4.2.0':
     resolution: {integrity: sha512-/hlXCBqn9K6fi7eAM0RsobHwJYa5V/xzWspVTzxnX+Ft9v6n+30Pz8+RxCn7sQL/vRHHLS30iQPrHQunu6/vJA==}
     engines: {node: '>= 20'}
     cpu: [x64]
     os: [linux]
-    libc: [glibc]
 
   '@tailwindcss/oxide-linux-x64-musl@4.2.0':
     resolution: {integrity: sha512-lKUaygq4G7sWkhQbfdRRBkaq4LY39IriqBQ+Gk6l5nKq6Ay2M2ZZb1tlIyRNgZKS8cbErTwuYSor0IIULC0SHw==}
     engines: {node: '>= 20'}
     cpu: [x64]
     os: [linux]
-    libc: [musl]
 
   '@tailwindcss/oxide-wasm32-wasi@4.2.0':
     resolution: {integrity: sha512-xuDjhAsFdUuFP5W9Ze4k/o4AskUtI8bcAGU4puTYprr89QaYFmhYOPfP+d1pH+k9ets6RoE23BXZM1X1jJqoyw==}
@@ -2202,10 +2162,6 @@ packages:
       svelte: ^5.0.0
       sveltekit-superforms: ^2.19.0
 
-  fs-extra@10.1.0:
-    resolution: {integrity: sha512-oRXApq54ETRj4eMiFzGnHWGy+zo5raudjuxN0b8H7s/RU2oW0Wvsx9O0ACRN/kRq9E8Vu/ReskGB5o3ji+FzHQ==}
-    engines: {node: '>=12'}
-
   fsevents@2.3.2:
     resolution: {integrity: sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==}
     engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
@@ -2390,9 +2346,6 @@ packages:
     engines: {node: '>=6'}
     hasBin: true
 
-  jsonfile@6.2.0:
-    resolution: {integrity: sha512-FGuPw30AdOIUTRMC2OMRtQV+jkVj2cfPqSeWXv1NEAJ1qZ5zb1X6z1mFhbfOB/iy3ssJCD+3KuZ8r8C3uVFlAg==}
-
   keyv@4.5.4:
     resolution: {integrity: sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw==}
 
@@ -2456,28 +2409,24 @@ packages:
     engines: {node: '>= 12.0.0'}
     cpu: [arm64]
     os: [linux]
-    libc: [glibc]
 
   lightningcss-linux-arm64-musl@1.31.1:
     resolution: {integrity: sha512-mVZ7Pg2zIbe3XlNbZJdjs86YViQFoJSpc41CbVmKBPiGmC4YrfeOyz65ms2qpAobVd7WQsbW4PdsSJEMymyIMg==}
     engines: {node: '>= 12.0.0'}
     cpu: [arm64]
     os: [linux]
-    libc: [musl]
 
   lightningcss-linux-x64-gnu@1.31.1:
     resolution: {integrity: sha512-xGlFWRMl+0KvUhgySdIaReQdB4FNudfUTARn7q0hh/V67PVGCs3ADFjw+6++kG1RNd0zdGRlEKa+T13/tQjPMA==}
     engines: {node: '>= 12.0.0'}
     cpu: [x64]
     os: [linux]
-    libc: [glibc]
 
   lightningcss-linux-x64-musl@1.31.1:
     resolution: {integrity: sha512-eowF8PrKHw9LpoZii5tdZwnBcYDxRw2rRCyvAXLi34iyeYfqCQNA9rmUM0ce62NlPhCvof1+9ivRaTY6pSKDaA==}
     engines: {node: '>= 12.0.0'}
     cpu: [x64]
     os: [linux]
-    libc: [musl]
 
   lightningcss-win32-arm64-msvc@1.31.1:
     resolution: {integrity: sha512-aJReEbSEQzx1uBlQizAOBSjcmr9dCdL3XuC/6HLXAxmtErsj2ICo5yYggg1qOODQMtnjNQv2UHb9NpOuFtYe4w==}
@@ -3246,10 +3195,6 @@ packages:
   undici-types@7.16.0:
     resolution: {integrity: sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==}
 
-  universalify@2.0.1:
-    resolution: {integrity: sha512-gptHNQghINnc/vTGIk0SOFGFNXw7JVrlRUtConJRlvaw6DuX0wO5Jeko9sWrMBhh+PsYAZ7oXAiOnf/UKogyiw==}
-    engines: {node: '>= 10.0.0'}
-
   unplugin@2.3.11:
     resolution: {integrity: sha512-5uKD0nqiYVzlmCRs01Fhs2BdkEgBS3SAVP6ndrBsuK42iC2+JHyxM05Rm9G8+5mkmRtzMZGY8Ct5+mliZxU/Ww==}
     engines: {node: '>=18.12.0'}
@@ -3287,11 +3232,6 @@ packages:
     resolution: {integrity: sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==}
     engines: {node: '>= 0.8'}
 
-  vite-plugin-compression@0.5.1:
-    resolution: {integrity: sha512-5QJKBDc+gNYVqL/skgFAP81Yuzo9R+EAf19d+EtsMF/i8kFUpNi3J/H01QD3Oo8zBQn+NzoCIFkpPLynoOzaJg==}
-    peerDependencies:
-      vite: '>=2.0.0'
-
   vite@7.3.1:
     resolution: {integrity: sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==}
     engines: {node: ^20.19.0 || >=22.12.0}
@@ -5129,12 +5069,6 @@ snapshots:
       svelte-toolbelt: 0.5.0(svelte@5.53.2)
       sveltekit-superforms: 2.30.0(@sveltejs/kit@2.53.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.2)(vite@7.3.1(@types/node@24.10.13)(jiti@2.6.1)(lightningcss@1.31.1)(terser@5.44.0)(tsx@4.21.0)(yaml@2.8.1)))(svelte@5.53.2)(typescript@5.9.3)(vite@7.3.1(@types/node@24.10.13)(jiti@2.6.1)(lightningcss@1.31.1)(terser@5.44.0)(tsx@4.21.0)(yaml@2.8.1)))(@types/json-schema@7.0.15)(svelte@5.53.2)(typescript@5.9.3)
 
-  fs-extra@10.1.0:
-    dependencies:
-      graceful-fs: 4.2.11
-      jsonfile: 6.2.0
-      universalify: 2.0.1
-
   fsevents@2.3.2:
     optional: true
 
@@ -5292,12 +5226,6 @@ snapshots:
 
   json5@2.2.3: {}
 
-  jsonfile@6.2.0:
-    dependencies:
-      universalify: 2.0.1
-    optionalDependencies:
-      graceful-fs: 4.2.11
-
   keyv@4.5.4:
     dependencies:
       json-buffer: 3.0.1
@@ -6122,8 +6050,6 @@ snapshots:
 
   undici-types@7.16.0: {}
 
-  universalify@2.0.1: {}
-
   unplugin@2.3.11:
     dependencies:
       '@jridgewell/remapping': 2.3.5
@@ -6153,15 +6079,6 @@ snapshots:
 
   vary@1.1.2: {}
 
-  vite-plugin-compression@0.5.1(vite@7.3.1(@types/node@24.10.13)(jiti@2.6.1)(lightningcss@1.31.1)(terser@5.44.0)(tsx@4.21.0)(yaml@2.8.1)):
-    dependencies:
-      chalk: 4.1.2
-      debug: 4.4.3
-      fs-extra: 10.1.0
-      vite: 7.3.1(@types/node@24.10.13)(jiti@2.6.1)(lightningcss@1.31.1)(terser@5.44.0)(tsx@4.21.0)(yaml@2.8.1)
-    transitivePeerDependencies:
-      - supports-color
-
   vite@7.3.1(@types/node@24.10.13)(jiti@2.6.1)(lightningcss@1.31.1)(terser@5.44.0)(tsx@4.21.0)(yaml@2.8.1):
     dependencies:
       esbuild: 0.27.3

pnpm-workspace.yaml

@@ -3,16 +3,12 @@ packages:
   - tests
   - email-templates
 
-onlyBuiltDependencies:
-  - esbuild
-  - sharp
-
 overrides:
-  '@isaacs/brace-expansion': '>=5.0.1'
-  cookie@<0.7.0: '>=0.7.0'
+  cookie@<0.7.0: ">=0.7.0"
   devalue: ^5.6.2
-  glob@>=11.0.0 <11.1.0: '>=11.1.0'
-  js-yaml@>=4.0.0 <4.1.1: '>=4.1.1'
-  next: '>=16.1.5'
-  valibot@>=0.31.0 <1.2.0: '>=1.2.0'
-  validator@<13.15.20: '>=13.15.20'
+  glob@>=11.0.0 <11.1.0: ">=11.1.0"
+  js-yaml@>=4.0.0 <4.1.1: ">=4.1.1"
+  valibot@>=0.31.0 <1.2.0: ">=1.2.0"
+  validator@<13.15.20: ">=13.15.20"
+  "@isaacs/brace-expansion": ">=5.0.1"
+  next: ">=16.1.5"