Cached config operations

2026-03-06 02:03:12 +08:00 · 2025-12-28 23:44:50 +01:00
40 changed files with 6021 additions and 4597 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,10 +1,6 @@
 name: Build
 permissions: {}

-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
 on:
  push:
    paths:
@@ -34,10 +30,6 @@ on:
      - "docker/DockerSettings.yaml"
      - "macros/**"

-defaults:
-  run:
-    shell: bash
-
 jobs:
  build:
    name: Build and Test ${{ matrix.channel }}
@@ -71,6 +63,7 @@ jobs:
      # Determine rust-toolchain version
      - name: Init Variables
        id: toolchain
+        shell: bash
        env:
          CHANNEL: ${{ matrix.channel }}
        run: |
--- a/.github/workflows/check-templates.yml
+++ b/.github/workflows/check-templates.yml
@@ -1,16 +1,8 @@
 name: Check templates
 permissions: {}

-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
 on: [ push, pull_request ]

-defaults:
-  run:
-    shell: bash
-
 jobs:
  docker-templates:
    name: Validate docker templates
--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
@@ -1,15 +1,8 @@
 name: Hadolint
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true

 on: [ push, pull_request ]
+permissions: {}

-defaults:
-  run:
-    shell: bash

 jobs:
  hadolint:
@@ -32,6 +25,7 @@ jobs:

      # Download hadolint - https://github.com/hadolint/hadolint/releases
      - name: Download hadolint
+        shell: bash
        run: |
          sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
          sudo chmod +x /usr/local/bin/hadolint
@@ -47,11 +41,13 @@ jobs:

      # Test Dockerfiles with hadolint
      - name: Run hadolint
+        shell: bash
        run: hadolint docker/Dockerfile.{debian,alpine}
      # End Test Dockerfiles with hadolint

      # Test Dockerfiles with docker build checks
      - name: Run docker build check
+        shell: bash
        run: |
          echo "Checking docker/Dockerfile.debian"
          docker build --check . -f docker/Dockerfile.debian
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,12 +1,6 @@
 name: Release
 permissions: {}

-concurrency:
-  # Apply concurrency control only on the upstream repo
-  group: ${{ github.repository == 'dani-garcia/vaultwarden' && format('{0}-{1}', github.workflow, github.ref) || github.run_id }}
-  # Don't cancel other runs when creating a tag
-  cancel-in-progress: ${{ github.ref_type == 'branch' }}
-
 on:
  push:
    branches:
@@ -16,6 +10,12 @@ on:
      # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
      - '[1-2].[0-9]+.[0-9]+'

+concurrency:
+  # Apply concurrency control only on the upstream repo
+  group: ${{ github.repository == 'dani-garcia/vaultwarden' && format('{0}-{1}', github.workflow, github.ref) || github.run_id }}
+  # Don't cancel other runs when creating a tag
+  cancel-in-progress: ${{ github.ref_type == 'branch' }}
+
 defaults:
  run:
    shell: bash
@@ -102,7 +102,7 @@ jobs:

      # Login to Docker Hub
      - name: Login to Docker Hub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -117,7 +117,7 @@ jobs:

      # Login to GitHub Container Registry
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -133,7 +133,7 @@ jobs:

      # Login to Quay.io
      - name: Login to Quay.io
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
@@ -233,7 +233,7 @@ jobs:

      # Upload artifacts to Github Actions and Attest the binaries
      - name: Attest binaries
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
        with:
          subject-path: vaultwarden-${{ env.NORMALIZED_ARCH }}

@@ -265,7 +265,7 @@ jobs:

      # Login to Docker Hub
      - name: Login to Docker Hub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -280,7 +280,7 @@ jobs:

      # Login to GitHub Container Registry
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -296,7 +296,7 @@ jobs:

      # Login to Quay.io
      - name: Login to Quay.io
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
@@ -313,43 +313,45 @@ jobs:
      # Determine Base Tags
      - name: Determine Base Tags
        env:
-          BASE_IMAGE_TAG: "${{ matrix.base_image != 'debian' && format('-{0}', matrix.base_image) || '' }}"
          REF_TYPE: ${{ github.ref_type }}
        run: |
          # Check which main tag we are going to build determined by ref_type
          if [[ "${REF_TYPE}" == "tag" ]]; then
-            echo "BASE_TAGS=latest${BASE_IMAGE_TAG},${GITHUB_REF#refs/*/}${BASE_IMAGE_TAG}${BASE_IMAGE_TAG//-/,}" | tee -a "${GITHUB_ENV}"
+            echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}"
          elif [[ "${REF_TYPE}" == "branch" ]]; then
-            echo "BASE_TAGS=testing${BASE_IMAGE_TAG}" | tee -a "${GITHUB_ENV}"
+            echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}"
          fi

      - name: Create manifest list, push it and extract digest SHA
        working-directory: ${{ runner.temp }}/digests
        env:
+          BASE_IMAGE_TAG: "${{ matrix.base_image != 'debian' && format('-{0}', matrix.base_image) || '' }}"
          BASE_TAGS: "${{ env.BASE_TAGS }}"
          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
        run: |
+          set +e
          IFS=',' read -ra IMAGES <<< "${CONTAINER_REGISTRIES}"
          IFS=',' read -ra TAGS <<< "${BASE_TAGS}"
-
-          TAG_ARGS=()
          for img in "${IMAGES[@]}"; do
            for tag in "${TAGS[@]}"; do
-              TAG_ARGS+=("-t" "${img}:${tag}")
+              echo "Creating manifest for ${img}:${tag}${BASE_IMAGE_TAG}"
+
+              OUTPUT=$(docker buildx imagetools create \
+                -t "${img}:${tag}${BASE_IMAGE_TAG}" \
+                $(printf "${img}@sha256:%s " *) 2>&1)
+              STATUS=$?
+
+              if [ ${STATUS} -ne 0 ]; then
+                echo "Manifest creation failed for ${img}:${tag}${BASE_IMAGE_TAG}"
+                echo "${OUTPUT}"
+              exit ${STATUS}
+              fi
+
+              echo "Manifest created for ${img}:${tag}${BASE_IMAGE_TAG}"
+              echo "${OUTPUT}"
            done
          done
-
-          echo "Creating manifest"
-          if ! OUTPUT=$(docker buildx imagetools create \
-                          "${TAG_ARGS[@]}" \
-                          $(printf "${IMAGES[0]}@sha256:%s " *) 2>&1); then
-            echo "Manifest creation failed"
-            echo "${OUTPUT}"
-            exit 1
-          fi
-
-          echo "Manifest created successfully"
-          echo "${OUTPUT}"
+          set -e

          # Extract digest SHA for subsequent steps
          GET_DIGEST_SHA="$(echo "${OUTPUT}" | grep -oE 'sha256:[a-f0-9]{64}' | tail -1)"
@@ -358,7 +360,7 @@ jobs:
      # Attest container images
      - name: Attest - docker.io - ${{ matrix.base_image }}
        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && env.DIGEST_SHA != ''}}
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
        with:
          subject-name: ${{ vars.DOCKERHUB_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
@@ -366,7 +368,7 @@ jobs:

      - name: Attest - ghcr.io - ${{ matrix.base_image }}
        if: ${{ env.HAVE_GHCR_LOGIN == 'true' && env.DIGEST_SHA != ''}}
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
        with:
          subject-name: ${{ vars.GHCR_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
@@ -374,7 +376,7 @@ jobs:

      - name: Attest - quay.io - ${{ matrix.base_image }}
        if: ${{ env.HAVE_QUAY_LOGIN == 'true' && env.DIGEST_SHA != ''}}
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
        with:
          subject-name: ${{ vars.QUAY_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
--- a/.github/workflows/releasecache-cleanup.yml
+++ b/.github/workflows/releasecache-cleanup.yml
@@ -1,10 +1,6 @@
 name: Cleanup
 permissions: {}

-concurrency:
-  group: ${{ github.workflow }}
-  cancel-in-progress: false
-
 on:
  workflow_dispatch:
    inputs:
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,10 +1,6 @@
 name: Trivy
 permissions: {}

-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
 on:
  push:
    branches:
@@ -50,6 +46,6 @@ jobs:
          severity: CRITICAL,HIGH

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/typos.yml
+++ b/.github/workflows/typos.yml
@@ -1,11 +1,7 @@
 name: Code Spell Checking
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true

 on: [ push, pull_request ]
+permissions: {}

 jobs:
  typos:
@@ -23,4 +19,4 @@ jobs:

      # When this version is updated, do not forget to update this in `.pre-commit-config.yaml` too
      - name: Spell Check Repo
-        uses: crate-ci/typos@9066e9940a8a05b98fb4733c62a726f83c9e57f8 # v1.43.3
+        uses: crate-ci/typos@2d0ce569feab1f8752f1dde43cc2f2aa53236e06 # v1.40.0
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -1,9 +1,4 @@
 name: Security Analysis with zizmor
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true

 on:
  push:
@@ -11,6 +6,8 @@ on:
  pull_request:
    branches: ["**"]

+permissions: {}
+
 jobs:
  zizmor:
    name: Run zizmor
@@ -24,7 +21,7 @@ jobs:
          persist-credentials: false

      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
        with:
          # intentionally not scanning the entire repository,
          # since it contains integration tests.
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -53,6 +53,6 @@ repos:
        - "cd docker && make"
 # When this version is updated, do not forget to update this in `.github/workflows/typos.yaml` too
 - repo: https://github.com/crate-ci/typos
-  rev: 9066e9940a8a05b98fb4733c62a726f83c9e57f8 # v1.43.3
+  rev: 2d0ce569feab1f8752f1dde43cc2f2aa53236e06 # v1.40.0
  hooks:
    - id: typos
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [workspace.package]
 edition = "2021"
-rust-version = "1.91.0"
+rust-version = "1.90.0"
 license = "AGPL-3.0-only"
 repository = "https://github.com/dani-garcia/vaultwarden"
 publish = false
@@ -65,30 +65,30 @@ dotenvy = { version = "0.15.7", default-features = false }
 # Numerical libraries
 num-traits = "0.2.19"
 num-derive = "0.4.2"
-bigdecimal = "0.4.10"
+bigdecimal = "0.4.9"

 # Web framework
 rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false }
 rocket_ws = { version ="0.1.1" }

 # WebSockets libraries
-rmpv = "1.3.1" # MessagePack library
+rmpv = "1.3.0" # MessagePack library

 # Concurrent HashMap used for WebSocket messaging and favicons
 dashmap = "6.1.0"

 # Async futures
 futures = "0.3.31"
-tokio = { version = "1.49.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
-tokio-util = { version = "0.7.18", features = ["compat"]}
+tokio = { version = "1.48.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
+tokio-util = { version = "0.7.17", features = ["compat"]}

 # A generic serialization/deserialization framework
 serde = { version = "1.0.228", features = ["derive"] }
-serde_json = "1.0.149"
+serde_json = "1.0.145"

 # A safe, extensible ORM and Query builder
 # Currently pinned diesel to v2.3.3 as newer version break MySQL/MariaDB compatibility
-diesel = { version = "2.3.6", features = ["chrono", "r2d2", "numeric"] }
+diesel = { version = "2.3.5", features = ["chrono", "r2d2", "numeric"] }
 diesel_migrations = "2.3.1"

 derive_more = { version = "2.1.1", features = ["from", "into", "as_ref", "deref", "display"] }
@@ -103,21 +103,21 @@ ring = "0.17.14"
 subtle = "2.6.1"

 # UUID generation
-uuid = { version = "1.20.0", features = ["v4"] }
+uuid = { version = "1.19.0", features = ["v4"] }

 # Date and time libraries
-chrono = { version = "0.4.43", features = ["clock", "serde"], default-features = false }
+chrono = { version = "0.4.42", features = ["clock", "serde"], default-features = false }
 chrono-tz = "0.10.4"
-time = "0.3.47"
+time = "0.3.44"

 # Job scheduler
 job_scheduler_ng = "2.4.0"

 # Data encoding library Hex/Base32/Base64
-data-encoding = "2.10.0"
+data-encoding = "2.9.0"

 # JWT library
-jsonwebtoken = { version = "10.3.0", features = ["use_pem", "rust_crypto"], default-features = false }
+jsonwebtoken = { version = "10.2.0", features = ["use_pem", "rust_crypto"], default-features = false }

 # TOTP library
 totp-lite = "2.0.1"
@@ -133,7 +133,7 @@ webauthn-rs-proto = "0.5.4"
 webauthn-rs-core = "0.5.4"

 # Handling of URL's for WebAuthn and favicons
-url = "2.5.8"
+url = "2.5.7"

 # Email libraries
 lettre = { version = "0.11.19", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "hostname", "tracing", "tokio1-rustls", "ring", "rustls-native-certs"], default-features = false }
@@ -141,7 +141,7 @@ percent-encoding = "2.3.2" # URL encoding library used for URL's in the emails
 email_address = "0.2.9"

 # HTML Template library
-handlebars = { version = "6.4.0", features = ["dir_source"] }
+handlebars = { version = "6.3.2", features = ["dir_source"] }

 # HTTP client (Used for favicons, version check, DUO and HIBP API)
 reqwest = { version = "0.12.28", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
@@ -149,9 +149,9 @@ hickory-resolver = "0.25.2"

 # Favicon extraction libraries
 html5gum = "0.8.3"
-regex = { version = "1.12.3", features = ["std", "perf", "unicode-perl"], default-features = false }
+regex = { version = "1.12.2", features = ["std", "perf", "unicode-perl"], default-features = false }
 data-url = "0.3.2"
-bytes = "1.11.1"
+bytes = "1.11.0"
 svg-hush = "0.9.5"

 # Cache function results (Used for version check and favicon fetching)
@@ -197,10 +197,10 @@ grass_compiler = { version = "0.13.4", default-features = false }
 opendal = { version = "0.55.0", features = ["services-fs"], default-features = false }

 # For retrieving AWS credentials, including temporary SSO credentials
-anyhow = { version = "1.0.101", optional = true }
-aws-config = { version = "1.8.13", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
+anyhow = { version = "1.0.100", optional = true }
+aws-config = { version = "1.8.12", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
 aws-credential-types = { version = "1.2.11", optional = true }
-aws-smithy-runtime-api = { version = "1.11.3", optional = true }
+aws-smithy-runtime-api = { version = "1.9.3", optional = true }
 http = { version = "1.4.0", optional = true }
 reqsign = { version = "0.16.5", optional = true }

--- a/docker/DockerSettings.yaml
+++ b/docker/DockerSettings.yaml
@@ -1,11 +1,11 @@
 ---
-vault_version: "v2026.1.1"
-vault_image_digest: "sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7"
+vault_version: "v2025.12.0"
+vault_image_digest: "sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613"
 # Cross Compile Docker Helper Scripts v1.9.0
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
 xx_image_digest: "sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707"
-rust_version: 1.93.0 # Rust version to be used
+rust_version: 1.92.0 # Rust version to be used
 debian_version: trixie # Debian release name to be used
 alpine_version: "3.23" # Alpine version to be used
 # For which platforms/architectures will we try to build images
--- a/docker/Dockerfile.alpine
+++ b/docker/Dockerfile.alpine
@@ -19,23 +19,23 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2026.1.1
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2026.1.1
-#     [docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.12.0
+#     [docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7
-#     [docker.io/vaultwarden/web-vault:v2026.1.1]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613
+#     [docker.io/vaultwarden/web-vault:v2025.12.0]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7 AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613 AS vault

 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 and linux/arm64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.93.0 AS build_amd64
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.93.0 AS build_arm64
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.93.0 AS build_armv7
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.93.0 AS build_armv6
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.92.0 AS build_amd64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.92.0 AS build_arm64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.92.0 AS build_armv7
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.92.0 AS build_armv6

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
--- a/docker/Dockerfile.debian
+++ b/docker/Dockerfile.debian
@@ -19,15 +19,15 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2026.1.1
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2026.1.1
-#     [docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.12.0
+#     [docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7
-#     [docker.io/vaultwarden/web-vault:v2026.1.1]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613
+#     [docker.io/vaultwarden/web-vault:v2025.12.0]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7 AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613 AS vault

 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
@@ -36,7 +36,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c64defb9ed5a91eacb37f

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.93.0-slim-trixie AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.92.0-slim-trixie AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT
--- a/docker/Dockerfile.j2
+++ b/docker/Dockerfile.j2
@@ -19,13 +19,13 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}
-#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}
+#     $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version }}
+#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version }}
 #     [docker.io/vaultwarden/web-vault@{{ vault_image_digest }}]
 #
 # - Conversely, to get the tag name from the digest:
 #     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }}
-#     [docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}]
+#     [docker.io/vaultwarden/web-vault:{{ vault_version }}]
 #
 FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} AS vault

--- a/macros/Cargo.toml
+++ b/macros/Cargo.toml
@@ -13,8 +13,8 @@ path = "src/lib.rs"
 proc-macro = true

 [dependencies]
-quote = "1.0.44"
-syn = "2.0.114"
+quote = "1.0.42"
+syn = "2.0.111"

 [lints]
 workspace = true
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.93.0"
+channel = "1.92.0"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -31,7 +31,7 @@ use crate::{
    http_client::make_http_request,
    mail,
    util::{
-        container_base_image, format_naive_datetime_local, get_active_web_release, get_display_size,
+        container_base_image, format_naive_datetime_local, get_display_size, get_web_vault_version,
        is_running_in_container, NumberOrString,
    },
    CONFIG, VERSION,
@@ -689,26 +689,6 @@ async fn get_ntp_time(has_http_access: bool) -> String {
    String::from("Unable to fetch NTP time.")
 }

-fn web_vault_compare(active: &str, latest: &str) -> i8 {
-    use semver::Version;
-    use std::cmp::Ordering;
-
-    let active_semver = Version::parse(active).unwrap_or_else(|e| {
-        warn!("Unable to parse active web-vault version '{active}': {e}");
-        Version::parse("2025.1.1").unwrap()
-    });
-    let latest_semver = Version::parse(latest).unwrap_or_else(|e| {
-        warn!("Unable to parse latest web-vault version '{latest}': {e}");
-        Version::parse("2025.1.1").unwrap()
-    });
-
-    match active_semver.cmp(&latest_semver) {
-        Ordering::Less => -1,
-        Ordering::Equal => 0,
-        Ordering::Greater => 1,
-    }
-}
-
 #[get("/diagnostics")]
 async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> ApiResult<Html<String>> {
    use chrono::prelude::*;
@@ -728,21 +708,32 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> A
        _ => "Unable to resolve domain name.".to_string(),
    };

-    let (latest_vw_release, latest_vw_commit, latest_web_release) = get_release_info(has_http_access).await;
-    let active_web_release = get_active_web_release();
-    let web_vault_compare = web_vault_compare(&active_web_release, &latest_web_release);
+    let (latest_release, latest_commit, latest_web_build) = get_release_info(has_http_access).await;

    let ip_header_name = &ip_header.0.unwrap_or_default();

+    // Get current running versions
+    let web_vault_version = get_web_vault_version();
+
+    // Check if the running version is newer than the latest stable released version
+    let web_vault_pre_release = if let Ok(web_ver_match) = semver::VersionReq::parse(&format!(">{latest_web_build}")) {
+        web_ver_match.matches(
+            &semver::Version::parse(&web_vault_version).unwrap_or_else(|_| semver::Version::parse("2025.1.1").unwrap()),
+        )
+    } else {
+        error!("Unable to parse latest_web_build: '{latest_web_build}'");
+        false
+    };
+
    let diagnostics_json = json!({
        "dns_resolved": dns_resolved,
        "current_release": VERSION,
-        "latest_release": latest_vw_release,
-        "latest_commit": latest_vw_commit,
+        "latest_release": latest_release,
+        "latest_commit": latest_commit,
        "web_vault_enabled": &CONFIG.web_vault_enabled(),
-        "active_web_release": active_web_release,
-        "latest_web_release": latest_web_release,
-        "web_vault_compare": web_vault_compare,
+        "web_vault_version": web_vault_version,
+        "latest_web_build": latest_web_build,
+        "web_vault_pre_release": web_vault_pre_release,
        "running_within_container": running_within_container,
        "container_base_image": if running_within_container { container_base_image() } else { "Not applicable" },
        "has_http_access": has_http_access,
@@ -853,32 +844,3 @@ impl<'r> FromRequest<'r> for AdminToken {
        })
    }
 }
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn validate_web_vault_compare() {
-        // web_vault_compare(active, latest)
-        // Test normal versions
-        assert!(web_vault_compare("2025.12.0", "2025.12.1") == -1);
-        assert!(web_vault_compare("2025.12.1", "2025.12.1") == 0);
-        assert!(web_vault_compare("2025.12.2", "2025.12.1") == 1);
-
-        // Test patched/+build.n versions
-        // Newer latest version
-        assert!(web_vault_compare("2025.12.0+build.1", "2025.12.1") == -1);
-        assert!(web_vault_compare("2025.12.1", "2025.12.1+build.1") == -1);
-        assert!(web_vault_compare("2025.12.0+build.1", "2025.12.1+build.1") == -1);
-        assert!(web_vault_compare("2025.12.1+build.1", "2025.12.1+build.2") == -1);
-        // Equal versions
-        assert!(web_vault_compare("2025.12.1+build.1", "2025.12.1+build.1") == 0);
-        assert!(web_vault_compare("2025.12.2+build.2", "2025.12.2+build.2") == 0);
-        // Newer active version
-        assert!(web_vault_compare("2025.12.1+build.1", "2025.12.1") == 1);
-        assert!(web_vault_compare("2025.12.2", "2025.12.1+build.1") == 1);
-        assert!(web_vault_compare("2025.12.2+build.1", "2025.12.1+build.1") == 1);
-        assert!(web_vault_compare("2025.12.1+build.3", "2025.12.1+build.2") == 1);
-    }
-}
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -1704,6 +1704,6 @@ pub async fn purge_auth_requests(pool: DbPool) {
    if let Ok(conn) = pool.get().await {
        AuthRequest::purge_expired_auth_requests(&conn).await;
    } else {
-        error!("Failed to get DB connection while purging auth requests")
+        error!("Failed to get DB connection while purging trashed ciphers")
    }
 }
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -929,15 +929,11 @@ struct OrgIdData {
 }

 #[get("/ciphers/organization-details?<data..>")]
-async fn get_org_details(data: OrgIdData, headers: ManagerHeadersLoose, conn: DbConn) -> JsonResult {
+async fn get_org_details(data: OrgIdData, headers: OrgMemberHeaders, conn: DbConn) -> JsonResult {
    if data.organization_id != headers.membership.org_uuid {
        err_code!("Resource not found.", "Organization id's do not match", rocket::http::Status::NotFound.code);
    }

-    if !headers.membership.has_full_access() {
-        err_code!("Resource not found.", "User does not have full access", rocket::http::Status::NotFound.code);
-    }
-
    Ok(Json(json!({
        "data": _get_org_details(&data.organization_id, &headers.host, &headers.user.uuid, &conn).await?,
        "object": "list",
@@ -3211,7 +3207,7 @@ async fn put_reset_password(

    // Sending email before resetting password to ensure working email configuration and the resulting
    // user notification. Also this might add some protection against security flaws and misuse
-    if let Err(e) = mail::send_admin_reset_password(&user.email, user.display_name(), &org.name).await {
+    if let Err(e) = mail::send_admin_reset_password(&user.email, &user.name, &org.name).await {
        err!(format!("Error sending user reset password email: {e:#?}"));
    }

--- a/src/api/core/two_factor/email.rs
+++ b/src/api/core/two_factor/email.rs
@@ -7,10 +7,10 @@ use crate::{
        core::{log_user_event, two_factor::_generate_recover_code},
        EmptyResult, JsonResult, PasswordOrOtpData,
    },
-    auth::{ClientHeaders, Headers},
+    auth::Headers,
    crypto,
    db::{
-        models::{AuthRequest, AuthRequestId, DeviceId, EventType, TwoFactor, TwoFactorType, User, UserId},
+        models::{DeviceId, EventType, TwoFactor, TwoFactorType, User, UserId},
        DbConn,
    },
    error::{Error, MapResult},
@@ -30,14 +30,12 @@ struct SendEmailLoginData {
    email: Option<String>,
    #[serde(alias = "MasterPasswordHash")]
    master_password_hash: Option<String>,
-    auth_request_id: Option<AuthRequestId>,
-    auth_request_access_code: Option<String>,
 }

 /// User is trying to login and wants to use email 2FA.
 /// Does not require Bearer token
 #[post("/two-factor/send-email-login", data = "<data>")] // JsonResult
-async fn send_email_login(data: Json<SendEmailLoginData>, client_headers: ClientHeaders, conn: DbConn) -> EmptyResult {
+async fn send_email_login(data: Json<SendEmailLoginData>, conn: DbConn) -> EmptyResult {
    let data: SendEmailLoginData = data.into_inner();

    if !CONFIG._enable_email_2fa() {
@@ -49,41 +47,18 @@ async fn send_email_login(data: Json<SendEmailLoginData>, client_headers: Client
        Some(email) if !email.is_empty() => Some(email),
        _ => None,
    };
-    let master_password_hash = match &data.master_password_hash {
-        Some(password_hash) if !password_hash.is_empty() => Some(password_hash),
-        _ => None,
-    };
-    let auth_request_id = match &data.auth_request_id {
-        Some(auth_request_id) if !auth_request_id.is_empty() => Some(auth_request_id),
-        _ => None,
-    };
-
    let user = if let Some(email) = email {
+        let Some(master_password_hash) = &data.master_password_hash else {
+            err!("No password hash has been submitted.")
+        };
+
        let Some(user) = User::find_by_mail(email, &conn).await else {
            err!("Username or password is incorrect. Try again.")
        };

-        if let Some(master_password_hash) = master_password_hash {
-            // Check password
-            if !user.check_valid_password(master_password_hash) {
-                err!("Username or password is incorrect. Try again.")
-            }
-        } else if let Some(auth_request_id) = auth_request_id {
-            let Some(auth_request) = AuthRequest::find_by_uuid(auth_request_id, &conn).await else {
-                err!("AuthRequest doesn't exist", "User not found")
-            };
-            let Some(code) = &data.auth_request_access_code else {
-                err!("no auth request access code")
-            };
-
-            if auth_request.device_type != client_headers.device_type
-                || auth_request.request_ip != client_headers.ip.ip.to_string()
-                || !auth_request.check_access_code(code)
-            {
-                err!("AuthRequest doesn't exist", "Invalid device, IP or code")
-            }
-        } else {
-            err!("No password hash has been submitted.")
+        // Check password
+        if !user.check_valid_password(master_password_hash) {
+            err!("Username or password is incorrect. Try again.")
        }

        user
--- a/src/api/core/two_factor/webauthn.rs
+++ b/src/api/core/two_factor/webauthn.rs
@@ -144,7 +144,7 @@ async fn generate_webauthn_challenge(data: Json<PasswordOrOtpData>, headers: Hea
    let (mut challenge, state) = WEBAUTHN.start_passkey_registration(
        Uuid::from_str(&user.uuid).expect("Failed to parse UUID"), // Should never fail
        &user.email,
-        user.display_name(),
+        &user.name,
        Some(registrations),
    )?;

--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -266,7 +266,7 @@ async fn _sso_login(
        Some((user, _)) if !user.enabled => {
            err!(
                "This user has been disabled",
-                format!("IP: {}. Username: {}.", ip.ip, user.display_name()),
+                format!("IP: {}. Username: {}.", ip.ip, user.name),
                ErrorEvent {
                    event: EventType::UserFailedLogIn
                }
@@ -482,18 +482,14 @@ async fn authenticated_response(
        Value::Null
    };

-    let account_keys = if user.private_key.is_some() {
-        json!({
-            "publicKeyEncryptionKeyPair": {
-                "wrappedPrivateKey": user.private_key,
-                "publicKey": user.public_key,
-                "Object": "publicKeyEncryptionKeyPair"
-            },
-            "Object": "privateKeys"
-        })
-    } else {
-        Value::Null
-    };
+    let account_keys = json!({
+        "publicKeyEncryptionKeyPair": {
+            "wrappedPrivateKey": user.private_key,
+            "publicKey": user.public_key,
+            "Object": "publicKeyEncryptionKeyPair"
+        },
+        "Object": "privateKeys"
+    });

    let mut result = json!({
        "access_token": auth_tokens.access_token(),
@@ -525,7 +521,7 @@ async fn authenticated_response(
        result["TwoFactorToken"] = Value::String(token);
    }

-    info!("User {} logged in successfully. IP: {}", user.display_name(), ip.ip);
+    info!("User {} logged in successfully. IP: {}", &user.name, ip.ip);
    Ok(Json(result))
 }

@@ -614,25 +610,6 @@ async fn _user_api_key_login(

    info!("User {} logged in successfully via API key. IP: {}", user.email, ip.ip);

-    let has_master_password = !user.password_hash.is_empty();
-    let master_password_unlock = if has_master_password {
-        json!({
-            "Kdf": {
-                "KdfType": user.client_kdf_type,
-                "Iterations": user.client_kdf_iter,
-                "Memory": user.client_kdf_memory,
-                "Parallelism": user.client_kdf_parallelism
-            },
-            // This field is named inconsistently and will be removed and replaced by the "wrapped" variant in the apps.
-            // https://github.com/bitwarden/android/blob/release/2025.12-rc41/network/src/main/kotlin/com/bitwarden/network/model/MasterPasswordUnlockDataJson.kt#L22-L26
-            "MasterKeyEncryptedUserKey": user.akey,
-            "MasterKeyWrappedUserKey": user.akey,
-            "Salt": user.email
-        })
-    } else {
-        Value::Null
-    };
-
    // Note: No refresh_token is returned. The CLI just repeats the
    // client_credentials login flow when the existing token expires.
    let result = json!({
@@ -648,11 +625,6 @@ async fn _user_api_key_login(
        "KdfParallelism": user.client_kdf_parallelism,
        "ResetMasterPassword": false, // TODO: according to official server seems something like: user.password_hash.is_empty(), but would need testing
        "scope": AuthMethod::UserApiKey.scope(),
-        "UserDecryptionOptions": {
-            "HasMasterPassword": has_master_password,
-            "MasterPasswordUnlock": master_password_unlock,
-            "Object": "userDecryptionOptions"
-        },
    });

    Ok(Json(result))
@@ -947,7 +919,6 @@ struct RegisterVerificationData {

 #[derive(rocket::Responder)]
 enum RegisterVerificationResponse {
-    #[response(status = 204)]
    NoContent(()),
    Token(Json<String>),
 }
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -47,7 +47,6 @@ pub type EmptyResult = ApiResult<()>;
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct PasswordOrOtpData {
-    #[serde(alias = "MasterPasswordHash")]
    master_password_hash: Option<String>,
    otp: Option<String>,
 }
--- a/src/api/web.rs
+++ b/src/api/web.rs
@@ -12,6 +12,7 @@ use serde_json::Value;
 use crate::{
    api::{core::now, ApiResult, EmptyResult},
    auth::decode_file_download,
+    config::CachedConfigOperation,
    db::models::{AttachmentId, CipherId},
    error::Error,
    util::Cached,
@@ -52,20 +53,18 @@ fn not_found() -> ApiResult<Html<String>> {
    Ok(Html(text))
 }

-#[get("/css/vaultwarden.css")]
-fn vaultwarden_css() -> Cached<Css<String>> {
+static VAULTWARDEN_CSS_CACHE: CachedConfigOperation<String> = CachedConfigOperation::new(|config| {
    let css_options = json!({
-        "emergency_access_allowed": CONFIG.emergency_access_allowed(),
+        "emergency_access_allowed": config.emergency_access_allowed(),
        "load_user_scss": true,
-        "mail_2fa_enabled": CONFIG._enable_email_2fa(),
-        "mail_enabled": CONFIG.mail_enabled(),
-        "sends_allowed": CONFIG.sends_allowed(),
-        "password_hints_allowed": CONFIG.password_hints_allowed(),
-        "signup_disabled": CONFIG.is_signup_disabled(),
-        "sso_enabled": CONFIG.sso_enabled(),
-        "sso_only": CONFIG.sso_enabled() && CONFIG.sso_only(),
-        "webauthn_2fa_supported": CONFIG.is_webauthn_2fa_supported(),
-        "yubico_enabled": CONFIG._enable_yubico() && CONFIG.yubico_client_id().is_some() && CONFIG.yubico_secret_key().is_some(),
+        "mail_2fa_enabled": config._enable_email_2fa(),
+        "mail_enabled": config.mail_enabled(),
+        "sends_allowed": config.sends_allowed(),
+        "signup_disabled": config.is_signup_disabled(),
+        "sso_enabled": config.sso_enabled(),
+        "sso_only": config.sso_enabled() && config.sso_only(),
+        "yubico_enabled": config._enable_yubico() && config.yubico_client_id().is_some() && config.yubico_secret_key().is_some(),
+        "webauthn_2fa_supported": config.is_webauthn_2fa_supported(),
    });

    let scss = match CONFIG.render_template("scss/vaultwarden.scss", &css_options) {
@@ -79,7 +78,7 @@ fn vaultwarden_css() -> Cached<Css<String>> {
        }
    };

-    let css = match grass_compiler::from_string(
+    match grass_compiler::from_string(
        scss,
        &grass_compiler::Options::default().style(grass_compiler::OutputStyle::Compressed),
    ) {
@@ -98,10 +97,12 @@ fn vaultwarden_css() -> Cached<Css<String>> {
            )
            .expect("SCSS to compile")
        }
-    };
+    }
+});

-    // Cache for one day should be enough and not too much
-    Cached::ttl(Css(css), 86_400, false)
+#[get("/css/vaultwarden.css")]
+fn vaultwarden_css() -> Css<String> {
+    Css(CONFIG.cached_operation(&VAULTWARDEN_CSS_CACHE))
 }

 #[get("/")]
@@ -239,8 +240,8 @@ pub fn static_files(filename: &str) -> Result<(ContentType, &'static [u8]), Erro
        "jdenticon-3.3.0.js" => Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jdenticon-3.3.0.js"))),
        "datatables.js" => Ok((ContentType::JavaScript, include_bytes!("../static/scripts/datatables.js"))),
        "datatables.css" => Ok((ContentType::CSS, include_bytes!("../static/scripts/datatables.css"))),
-        "jquery-4.0.0.slim.js" => {
-            Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jquery-4.0.0.slim.js")))
+        "jquery-3.7.1.slim.js" => {
+            Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jquery-3.7.1.slim.js")))
        }
        _ => err!(format!("Static file not found: {filename}")),
    }
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -1210,20 +1210,8 @@ pub async fn refresh_tokens(
 ) -> ApiResult<(Device, AuthTokens)> {
    let refresh_claims = match decode_refresh(refresh_token) {
        Err(err) => {
-            error!("Failed to decode {} refresh_token: {refresh_token}: {err:?}", ip.ip);
-            //err_silent!(format!("Impossible to read refresh_token: {}", err.message()))
-
-            // If the token failed to decode, it was probably one of the old style tokens that was just a Base64 string.
-            // We can generate a claim for them for backwards compatibility. Note that the password refresh claims don't
-            // check expiration or issuer, so they're not included here.
-            RefreshJwtClaims {
-                nbf: 0,
-                exp: 0,
-                iss: String::new(),
-                sub: AuthMethod::Password,
-                device_token: refresh_token.into(),
-                token: None,
-            }
+            debug!("Failed to decode {} refresh_token: {refresh_token}", ip.ip);
+            err_silent!(format!("Impossible to read refresh_token: {}", err.message()))
        }
        Ok(claims) => claims,
    };
--- a/src/config.rs
+++ b/src/config.rs
@@ -3,7 +3,7 @@ use std::{
    fmt,
    process::exit,
    sync::{
-        atomic::{AtomicBool, Ordering},
+        atomic::{AtomicBool, AtomicUsize, Ordering},
        LazyLock, RwLock,
    },
 };
@@ -14,7 +14,7 @@ use serde::de::{self, Deserialize, Deserializer, MapAccess, Visitor};

 use crate::{
    error::Error,
-    util::{get_active_web_release, get_env, get_env_bool, is_valid_email, parse_experimental_client_feature_flags},
+    util::{get_env, get_env_bool, get_web_vault_version, is_valid_email, parse_experimental_client_feature_flags},
 };

 static CONFIG_FILE: LazyLock<String> = LazyLock::new(|| {
@@ -103,6 +103,7 @@ macro_rules! make_config {

        struct Inner {
            rocket_shutdown_handle: Option<rocket::Shutdown>,
+            revision: usize,

            templates: Handlebars<'static>,
            config: ConfigItems,
@@ -322,7 +323,7 @@ macro_rules! make_config {
        }

        #[derive(Clone, Default)]
-        struct ConfigItems { $($( $name: make_config! {@type $ty, $none_action}, )+)+ }
+        struct ConfigItems { $($( pub $name: make_config! {@type $ty, $none_action}, )+)+ }

        #[derive(Serialize)]
        struct ElementDoc {
@@ -1325,16 +1326,12 @@ fn generate_smtp_img_src(embed_images: bool, domain: &str) -> String {
    if embed_images {
        "cid:".to_string()
    } else {
-        // normalize base_url
-        let base_url = domain.trim_end_matches('/');
-        format!("{base_url}/vw_static/")
+        format!("{domain}/vw_static/")
    }
 }

 fn generate_sso_callback_path(domain: &str) -> String {
-    // normalize base_url
-    let base_url = domain.trim_end_matches('/');
-    format!("{base_url}/identity/connect/oidc-signin")
+    format!("{domain}/identity/connect/oidc-signin")
 }

 /// Generate the correct URL for the icon service.
@@ -1471,6 +1468,23 @@ pub enum PathType {
    RsaKey,
 }

+pub struct CachedConfigOperation<T: Clone> {
+    generator: fn(&Config) -> T,
+    value_cache: RwLock<Option<T>>,
+    revision: AtomicUsize,
+}
+
+impl<T: Clone> CachedConfigOperation<T> {
+    #[allow(private_interfaces)]
+    pub const fn new(generator: fn(&Config) -> T) -> Self {
+        CachedConfigOperation {
+            generator,
+            value_cache: RwLock::new(None),
+            revision: AtomicUsize::new(0),
+        }
+    }
+}
+
 impl Config {
    pub async fn load() -> Result<Self, Error> {
        // Loading from env and file
@@ -1490,6 +1504,7 @@ impl Config {
        Ok(Config {
            inner: RwLock::new(Inner {
                rocket_shutdown_handle: None,
+                revision: 1,
                templates: load_templates(&config.templates_folder),
                config,
                _env,
@@ -1528,6 +1543,7 @@ impl Config {
            writer.config = config;
            writer._usr = builder;
            writer._overrides = overrides;
+            writer.revision += 1;
        }

        //Save to file
@@ -1546,6 +1562,51 @@ impl Config {
        self.update_config(builder, false).await
    }

+    pub async fn delete_user_config(&self) -> Result<(), Error> {
+        let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
+        operator.delete(&CONFIG_FILENAME).await?;
+
+        // Empty user config
+        let usr = ConfigBuilder::default();
+
+        // Config now is env + defaults
+        let config = {
+            let env = &self.inner.read().unwrap()._env;
+            env.build()
+        };
+
+        // Save configs
+        {
+            let mut writer = self.inner.write().unwrap();
+            writer.config = config;
+            writer._usr = usr;
+            writer._overrides = Vec::new();
+            writer.revision += 1;
+        }
+
+        Ok(())
+    }
+
+    pub fn cached_operation<T: Clone>(&self, operation: &CachedConfigOperation<T>) -> T {
+        let config_revision = self.inner.read().unwrap().revision;
+        let cache_revision = operation.revision.load(Ordering::Relaxed);
+
+        // If the current revision matches the cached revision, return the cached value
+        if cache_revision == config_revision {
+            let reader = operation.value_cache.read().unwrap();
+            return reader.as_ref().unwrap().clone();
+        }
+
+        // Otherwise, compute the value, update the cache and revision, and return the new value
+        let value = (operation.generator)(&CONFIG);
+        {
+            let mut writer = operation.value_cache.write().unwrap();
+            *writer = Some(value.clone());
+            operation.revision.store(config_revision, Ordering::Relaxed);
+        }
+        value
+    }
+
    /// Tests whether an email's domain is allowed. A domain is allowed if it
    /// is in signups_domains_whitelist, or if no whitelist is set (so there
    /// are no domain restrictions in effect).
@@ -1595,33 +1656,10 @@ impl Config {
        }
    }

-    pub async fn delete_user_config(&self) -> Result<(), Error> {
-        let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
-        operator.delete(&CONFIG_FILENAME).await?;
-
-        // Empty user config
-        let usr = ConfigBuilder::default();
-
-        // Config now is env + defaults
-        let config = {
-            let env = &self.inner.read().unwrap()._env;
-            env.build()
-        };
-
-        // Save configs
-        {
-            let mut writer = self.inner.write().unwrap();
-            writer.config = config;
-            writer._usr = usr;
-            writer._overrides = Vec::new();
-        }
-
-        Ok(())
-    }
-
    pub fn private_rsa_key(&self) -> String {
        format!("{}.pem", self.rsa_key_filename())
    }
+
    pub fn mail_enabled(&self) -> bool {
        let inner = &self.inner.read().unwrap().config;
        inner._enable_smtp && (inner.smtp_host.is_some() || inner.use_sendmail)
@@ -1849,7 +1887,7 @@ fn to_json<'reg, 'rc>(
 // Configure the web-vault version as an integer so it can be used as a comparison smaller or greater then.
 // The default is based upon the version since this feature is added.
 static WEB_VAULT_VERSION: LazyLock<semver::Version> = LazyLock::new(|| {
-    let vault_version = get_active_web_release();
+    let vault_version = get_web_vault_version();
    // Use a single regex capture to extract version components
    let re = regex::Regex::new(r"(\d{4})\.(\d{1,2})\.(\d{1,2})").unwrap();
    re.captures(&vault_version)
--- a/src/db/models/auth_request.rs
+++ b/src/db/models/auth_request.rs
@@ -177,9 +177,7 @@ impl AuthRequest {
    }

    pub async fn purge_expired_auth_requests(conn: &DbConn) {
-        // delete auth requests older than 15 minutes which is functionally equivalent to upstream:
-        // https://github.com/bitwarden/server/blob/f8ee2270409f7a13125cd414c450740af605a175/src/Sql/dbo/Auth/Stored%20Procedures/AuthRequest_DeleteIfExpired.sql
-        let expiry_time = Utc::now().naive_utc() - chrono::TimeDelta::try_minutes(15).unwrap();
+        let expiry_time = Utc::now().naive_utc() - chrono::TimeDelta::try_minutes(5).unwrap(); //after 5 minutes, clients reject the request
        for auth_request in Self::find_created_before(&expiry_time, conn).await {
            auth_request.delete(conn).await.ok();
        }
--- a/src/db/models/user.rs
+++ b/src/db/models/user.rs
@@ -231,15 +231,6 @@ impl User {
    pub fn reset_stamp_exception(&mut self) {
        self.stamp_exception = None;
    }
-
-    pub fn display_name(&self) -> &str {
-        // default to email if name is empty
-        if !&self.name.is_empty() {
-            &self.name
-        } else {
-            &self.email
-        }
-    }
 }

 /// Database methods
--- a/src/main.rs
+++ b/src/main.rs
@@ -126,7 +126,7 @@ fn parse_args() {
        exit(0);
    } else if pargs.contains(["-v", "--version"]) {
        config::SKIP_CONFIG_VALIDATION.store(true, Ordering::Relaxed);
-        let web_vault_version = util::get_active_web_release();
+        let web_vault_version = util::get_web_vault_version();
        println!("Vaultwarden {version}");
        println!("Web-Vault {web_vault_version}");
        exit(0);
--- a/src/static/scripts/admin_diagnostics.js
+++ b/src/static/scripts/admin_diagnostics.js
@@ -29,7 +29,7 @@ function isValidIp(ip) {
    return ipv4Regex.test(ip) || ipv6Regex.test(ip);
 }

-function checkVersions(platform, installed, latest, commit=null, compare_order=0) {
+function checkVersions(platform, installed, latest, commit=null, pre_release=false) {
    if (installed === "-" || latest === "-") {
        document.getElementById(`${platform}-failed`).classList.remove("d-none");
        return;
@@ -37,7 +37,7 @@ function checkVersions(platform, installed, latest, commit=null, compare_order=0

    // Only check basic versions, no commit revisions
    if (commit === null || installed.indexOf("-") === -1) {
-        if (platform === "web" && compare_order === 1) {
+        if (platform === "web" && pre_release === true) {
            document.getElementById(`${platform}-prerelease`).classList.remove("d-none");
        } else if (installed == latest) {
            document.getElementById(`${platform}-success`).classList.remove("d-none");
@@ -83,7 +83,7 @@ async function generateSupportString(event, dj) {
    let supportString = "### Your environment (Generated via diagnostics page)\n\n";

    supportString += `* Vaultwarden version: v${dj.current_release}\n`;
-    supportString += `* Web-vault version: v${dj.active_web_release}\n`;
+    supportString += `* Web-vault version: v${dj.web_vault_version}\n`;
    supportString += `* OS/Arch: ${dj.host_os}/${dj.host_arch}\n`;
    supportString += `* Running within a container: ${dj.running_within_container} (Base: ${dj.container_base_image})\n`;
    supportString += `* Database type: ${dj.db_type}\n`;
@@ -208,9 +208,9 @@ function initVersionCheck(dj) {
    }
    checkVersions("server", serverInstalled, serverLatest, serverLatestCommit);

-    const webInstalled = dj.active_web_release;
-    const webLatest = dj.latest_web_release;
-    checkVersions("web", webInstalled, webLatest, null, dj.web_vault_compare);
+    const webInstalled = dj.web_vault_version;
+    const webLatest = dj.latest_web_build;
+    checkVersions("web", webInstalled, webLatest, null, dj.web_vault_pre_release);
 }

 function checkDns(dns_resolved) {
--- a/src/static/scripts/datatables.css
+++ b/src/static/scripts/datatables.css
@@ -4,10 +4,10 @@
 *
 * To rebuild or modify this file with the latest versions of the included
 * software please visit:
- *   https://datatables.net/download/#bs5/dt-2.3.7
+ *   https://datatables.net/download/#bs5/dt-2.3.5
 *
 * Included libraries:
- *   DataTables 2.3.7
+ *   DataTables 2.3.5
 */

 :root {
@@ -88,42 +88,42 @@ table.dataTable thead > tr > th:active,
 table.dataTable thead > tr > td:active {
  outline: none;
 }
-table.dataTable thead > tr > th.dt-orderable-asc .dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-orderable-asc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order:before {
+table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:before {
  position: absolute;
  display: block;
  bottom: 50%;
  content: "\25B2";
  content: "\25B2"/"";
 }
-table.dataTable thead > tr > th.dt-orderable-desc .dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-orderable-desc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order:after {
+table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:after,
+table.dataTable thead > tr > td.dt-orderable-desc span.dt-column-order:after,
+table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:after {
  position: absolute;
  display: block;
  top: 50%;
  content: "\25BC";
  content: "\25BC"/"";
 }
-table.dataTable thead > tr > th.dt-orderable-asc .dt-column-order, table.dataTable thead > tr > th.dt-orderable-desc .dt-column-order, table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order,
-table.dataTable thead > tr > td.dt-orderable-asc .dt-column-order,
-table.dataTable thead > tr > td.dt-orderable-desc .dt-column-order,
-table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order,
-table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order {
+table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order, table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order,
+table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order,
+table.dataTable thead > tr > td.dt-orderable-desc span.dt-column-order,
+table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order,
+table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order {
  position: relative;
  width: 12px;
-  height: 20px;
+  height: 24px;
 }
-table.dataTable thead > tr > th.dt-orderable-asc .dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-asc .dt-column-order:after, table.dataTable thead > tr > th.dt-orderable-desc .dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-desc .dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-orderable-asc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-orderable-asc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-orderable-desc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-orderable-desc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order:after {
+table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order:after, table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:after,
+table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order:after,
+table.dataTable thead > tr > td.dt-orderable-desc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-orderable-desc span.dt-column-order:after,
+table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:after,
+table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:after {
  left: 0;
  opacity: 0.125;
  line-height: 9px;
@@ -140,15 +140,15 @@ table.dataTable thead > tr > td.dt-orderable-desc:hover {
  outline: 2px solid rgba(0, 0, 0, 0.05);
  outline-offset: -2px;
 }
-table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order:after {
+table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:after,
+table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:after {
  opacity: 0.6;
 }
-table.dataTable thead > tr > th.dt-orderable-none:not(.dt-ordering-asc, .dt-ordering-desc) .dt-column-order:empty, table.dataTable thead > tr > th.sorting_desc_disabled .dt-column-order:after, table.dataTable thead > tr > th.sorting_asc_disabled .dt-column-order:before,
-table.dataTable thead > tr > td.dt-orderable-none:not(.dt-ordering-asc, .dt-ordering-desc) .dt-column-order:empty,
-table.dataTable thead > tr > td.sorting_desc_disabled .dt-column-order:after,
-table.dataTable thead > tr > td.sorting_asc_disabled .dt-column-order:before {
+table.dataTable thead > tr > th.dt-orderable-none:not(.dt-ordering-asc, .dt-ordering-desc) span.dt-column-order:empty, table.dataTable thead > tr > th.sorting_desc_disabled span.dt-column-order:after, table.dataTable thead > tr > th.sorting_asc_disabled span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-orderable-none:not(.dt-ordering-asc, .dt-ordering-desc) span.dt-column-order:empty,
+table.dataTable thead > tr > td.sorting_desc_disabled span.dt-column-order:after,
+table.dataTable thead > tr > td.sorting_asc_disabled span.dt-column-order:before {
  display: none;
 }
 table.dataTable thead > tr > th:active,
@@ -169,24 +169,24 @@ table.dataTable tfoot > tr > td div.dt-column-footer {
  align-items: var(--dt-header-align-items);
  gap: 4px;
 }
-table.dataTable thead > tr > th div.dt-column-header .dt-column-title,
-table.dataTable thead > tr > th div.dt-column-footer .dt-column-title,
-table.dataTable thead > tr > td div.dt-column-header .dt-column-title,
-table.dataTable thead > tr > td div.dt-column-footer .dt-column-title,
-table.dataTable tfoot > tr > th div.dt-column-header .dt-column-title,
-table.dataTable tfoot > tr > th div.dt-column-footer .dt-column-title,
-table.dataTable tfoot > tr > td div.dt-column-header .dt-column-title,
-table.dataTable tfoot > tr > td div.dt-column-footer .dt-column-title {
+table.dataTable thead > tr > th div.dt-column-header span.dt-column-title,
+table.dataTable thead > tr > th div.dt-column-footer span.dt-column-title,
+table.dataTable thead > tr > td div.dt-column-header span.dt-column-title,
+table.dataTable thead > tr > td div.dt-column-footer span.dt-column-title,
+table.dataTable tfoot > tr > th div.dt-column-header span.dt-column-title,
+table.dataTable tfoot > tr > th div.dt-column-footer span.dt-column-title,
+table.dataTable tfoot > tr > td div.dt-column-header span.dt-column-title,
+table.dataTable tfoot > tr > td div.dt-column-footer span.dt-column-title {
  flex-grow: 1;
 }
-table.dataTable thead > tr > th div.dt-column-header .dt-column-title:empty,
-table.dataTable thead > tr > th div.dt-column-footer .dt-column-title:empty,
-table.dataTable thead > tr > td div.dt-column-header .dt-column-title:empty,
-table.dataTable thead > tr > td div.dt-column-footer .dt-column-title:empty,
-table.dataTable tfoot > tr > th div.dt-column-header .dt-column-title:empty,
-table.dataTable tfoot > tr > th div.dt-column-footer .dt-column-title:empty,
-table.dataTable tfoot > tr > td div.dt-column-header .dt-column-title:empty,
-table.dataTable tfoot > tr > td div.dt-column-footer .dt-column-title:empty {
+table.dataTable thead > tr > th div.dt-column-header span.dt-column-title:empty,
+table.dataTable thead > tr > th div.dt-column-footer span.dt-column-title:empty,
+table.dataTable thead > tr > td div.dt-column-header span.dt-column-title:empty,
+table.dataTable thead > tr > td div.dt-column-footer span.dt-column-title:empty,
+table.dataTable tfoot > tr > th div.dt-column-header span.dt-column-title:empty,
+table.dataTable tfoot > tr > th div.dt-column-footer span.dt-column-title:empty,
+table.dataTable tfoot > tr > td div.dt-column-header span.dt-column-title:empty,
+table.dataTable tfoot > tr > td div.dt-column-footer span.dt-column-title:empty {
  display: none;
 }

@@ -588,16 +588,16 @@ table.dataTable.table-sm > thead > tr td.dt-ordering-asc,
 table.dataTable.table-sm > thead > tr td.dt-ordering-desc {
  padding-right: 0.25rem;
 }
-table.dataTable.table-sm > thead > tr th.dt-orderable-asc .dt-column-order, table.dataTable.table-sm > thead > tr th.dt-orderable-desc .dt-column-order, table.dataTable.table-sm > thead > tr th.dt-ordering-asc .dt-column-order, table.dataTable.table-sm > thead > tr th.dt-ordering-desc .dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-orderable-asc .dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-orderable-desc .dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-ordering-asc .dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-ordering-desc .dt-column-order {
+table.dataTable.table-sm > thead > tr th.dt-orderable-asc span.dt-column-order, table.dataTable.table-sm > thead > tr th.dt-orderable-desc span.dt-column-order, table.dataTable.table-sm > thead > tr th.dt-ordering-asc span.dt-column-order, table.dataTable.table-sm > thead > tr th.dt-ordering-desc span.dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-orderable-asc span.dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-orderable-desc span.dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-ordering-asc span.dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-ordering-desc span.dt-column-order {
  right: 0.25rem;
 }
-table.dataTable.table-sm > thead > tr th.dt-type-date .dt-column-order, table.dataTable.table-sm > thead > tr th.dt-type-numeric .dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-type-date .dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-type-numeric .dt-column-order {
+table.dataTable.table-sm > thead > tr th.dt-type-date span.dt-column-order, table.dataTable.table-sm > thead > tr th.dt-type-numeric span.dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-type-date span.dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-type-numeric span.dt-column-order {
  left: 0.25rem;
 }

@@ -606,8 +606,7 @@ div.dt-scroll-head table.table-bordered {
 }

 div.table-responsive > div.dt-container > div.row {
-  margin-left: 0;
-  margin-right: 0;
+  margin: 0;
 }
 div.table-responsive > div.dt-container > div.row > div[class^=col-]:first-child {
  padding-left: 0;
--- a/src/static/scripts/datatables.js
+++ b/src/static/scripts/datatables.js
@@ -4,13 +4,13 @@
 *
 * To rebuild or modify this file with the latest versions of the included
 * software please visit:
- *   https://datatables.net/download/#bs5/dt-2.3.7
+ *   https://datatables.net/download/#bs5/dt-2.3.5
 *
 * Included libraries:
- *   DataTables 2.3.7
+ *   DataTables 2.3.5
 */

-/*! DataTables 2.3.7
+/*! DataTables 2.3.5
 * © SpryMedia Ltd - datatables.net/license
 */

@@ -186,7 +186,7 @@
 				"sDestroyWidth": $this[0].style.width,
 				"sInstance":     sId,
 				"sTableId":      sId,
-				colgroup: $('<colgroup>'),
+				colgroup: $('<colgroup>').prependTo(this),
 				fastData: function (row, column, type) {
 					return _fnGetCellData(oSettings, row, column, type);
 				}
@@ -259,7 +259,6 @@
 				"orderHandler",
 				"titleRow",
 				"typeDetect",
-				"columnTitleTag",
 				[ "iCookieDuration", "iStateDuration" ], // backwards compat
 				[ "oSearch", "oPreviousSearch" ],
 				[ "aoSearchCols", "aoPreSearchCols" ],
@@ -424,7 +423,7 @@
 			
 			if ( oSettings.caption ) {
 				if ( caption.length === 0 ) {
-					caption = $('<caption/>').prependTo( $this );
+					caption = $('<caption/>').appendTo( $this );
 				}
 			
 				caption.html( oSettings.caption );
@@ -437,14 +436,6 @@
 				oSettings.captionNode = caption[0];
 			}
 			
-			// Place the colgroup element in the correct location for the HTML structure
-			if (caption.length) {
-				oSettings.colgroup.insertAfter(caption);
-			}
-			else {
-				oSettings.colgroup.prependTo(oSettings.nTable);
-			}
-			
 			if ( thead.length === 0 ) {
 				thead = $('<thead/>').appendTo($this);
 			}
@@ -525,7 +516,7 @@
 		 *
 		 *  @type string
 		 */
-		builder: "bs5/dt-2.3.7",
+		builder: "bs5/dt-2.3.5",
 	
 		/**
 		 * Buttons. For use with the Buttons extension for DataTables. This is
@@ -1301,7 +1292,7 @@
 	};
 	
 	// Replaceable function in api.util
-	var _stripHtml = function (input, replacement) {
+	var _stripHtml = function (input) {
 		if (! input || typeof input !== 'string') {
 			return input;
 		}
@@ -1313,7 +1304,7 @@
 	
 		var previous;
 	
-		input = input.replace(_re_html, replacement || ''); // Complete tags
+		input = input.replace(_re_html, ''); // Complete tags
 	
 		// Safety for incomplete script tag - use do / while to ensure that
 		// we get all instances
@@ -1778,7 +1769,7 @@
 			}
 		},
 	
-		stripHtml: function (mixed, replacement) {
+		stripHtml: function (mixed) {
 			var type = typeof mixed;
 	
 			if (type === 'function') {
@@ -1786,7 +1777,7 @@
 				return;
 			}
 			else if (type === 'string') {
-				return _stripHtml(mixed, replacement);
+				return _stripHtml(mixed);
 			}
 			return mixed;
 		},
@@ -3388,7 +3379,7 @@
 						colspan++;
 					}
 	
-					var titleSpan = $('.dt-column-title', cell);
+					var titleSpan = $('span.dt-column-title', cell);
 	
 					structure[row][column] = {
 						cell: cell,
@@ -4102,8 +4093,8 @@
 						}
 	
 						// Wrap the column title so we can write to it in future
-						if ( $('.dt-column-title', cell).length === 0) {
-							$(document.createElement(settings.columnTitleTag))
+						if ( $('span.dt-column-title', cell).length === 0) {
+							$('<span>')
 								.addClass('dt-column-title')
 								.append(cell.childNodes)
 								.appendTo(cell);
@@ -4114,9 +4105,9 @@
 							isHeader &&
 							jqCell.filter(':not([data-dt-order=disable])').length !== 0 &&
 							jqCell.parent(':not([data-dt-order=disable])').length !== 0 &&
-							$('.dt-column-order', cell).length === 0
+							$('span.dt-column-order', cell).length === 0
 						) {
-							$(document.createElement(settings.columnTitleTag))
+							$('<span>')
 								.addClass('dt-column-order')
 								.appendTo(cell);
 						}
@@ -4125,7 +4116,7 @@
 						// layout for those elements
 						var headerFooter = isHeader ? 'header' : 'footer';
 	
-						if ( $('div.dt-column-' + headerFooter, cell).length === 0) {
+						if ( $('span.dt-column-' + headerFooter, cell).length === 0) {
 							$('<div>')
 								.addClass('dt-column-' + headerFooter)
 								.append(cell.childNodes)
@@ -4282,10 +4273,6 @@
 		// Custom Ajax option to submit the parameters as a JSON string
 		if (baseAjax.submitAs === 'json' && typeof data === 'object') {
 			baseAjax.data = JSON.stringify(data);
-	
-			if (!baseAjax.contentType) {
-				baseAjax.contentType = 'application/json; charset=utf-8';
-			}
 		}
 	
 		if (typeof ajax === 'function') {
@@ -5544,7 +5531,7 @@
 					var autoClass = _ext.type.className[column.sType];
 					var padding = column.sContentPadding || (scrollX ? '-' : '');
 					var text = longest + padding;
-					var insert = longest.indexOf('<') === -1 && longest.indexOf('&') === -1
+					var insert = longest.indexOf('<') === -1
 						? document.createTextNode(text)
 						: text
 	
@@ -5732,20 +5719,15 @@
 					.replace(/id=".*?"/g, '')
 					.replace(/name=".*?"/g, '');
 	
-				// Don't want Javascript at all in these calculation cells.
-				cellString = cellString.replace(/<script.*?<\/script>/gi, ' ');
-	
-				var noHtml = _stripHtml(cellString, ' ')
+				var s = _stripHtml(cellString)
 					.replace( /&nbsp;/g, ' ' );
 		
-				// The length is calculated on the text only, but we keep the HTML
-				// in the string so it can be used in the calculation table
 				collection.push({
-					str: cellString,
-					len: noHtml.length
+					str: s,
+					len: s.length
 				});
 	
-				allStrings.push(noHtml);
+				allStrings.push(s);
 			}
 	
 			// Order and then cut down to the size we need
@@ -8800,7 +8782,7 @@
 			// Automatic - find the _last_ unique cell from the top that is not empty (last for
 			// backwards compatibility)
 			for (var i=0 ; i<header.length ; i++) {
-				if (header[i][column].unique && $('.dt-column-title', header[i][column].cell).text()) {
+				if (header[i][column].unique && $('span.dt-column-title', header[i][column].cell).text()) {
 					target = i;
 				}
 			}
@@ -8896,10 +8878,6 @@
 								return null;
 							}
 	
-							if (col.responsiveVisible === false) {
-								return null;
-							}
-	
 							// Selector
 							if (match[1]) {
 								return $(nodes[idx]).filter(match[1]).length > 0 ? idx : null;
@@ -9111,7 +9089,7 @@
 				title = undefined;
 			}
 	
-			var span = $('.dt-column-title', this.column(column).header(row));
+			var span = $('span.dt-column-title', this.column(column).header(row));
 	
 			if (title !== undefined) {
 				span.html(title);
@@ -10285,8 +10263,8 @@
 	
 	// Needed for header and footer, so pulled into its own function
 	function cleanHeader(node, className) {
-		$(node).find('.dt-column-order').remove();
-		$(node).find('.dt-column-title').each(function () {
+		$(node).find('span.dt-column-order').remove();
+		$(node).find('span.dt-column-title').each(function () {
 			var title = $(this).html();
 			$(this).parent().parent().append(title);
 			$(this).remove();
@@ -10304,7 +10282,7 @@
 	 *  @type string
 	 *  @default Version number
 	 */
-	DataTable.version = "2.3.7";
+	DataTable.version = "2.3.5";
 	
 	/**
 	 * Private data store, containing all of the settings objects that are
@@ -11472,10 +11450,7 @@
 		iDeferLoading: null,
 	
 		/** Event listeners */
-		on: null,
-	
-		/** Title wrapper element type */
-		columnTitleTag: 'span'
+		on: null
 	};
 	
 	_fnHungarianMap( DataTable.defaults );
@@ -12439,10 +12414,7 @@
 		orderHandler: true,
 	
 		/** Title row indicator */
-		titleRow: null,
-	
-		/** Title wrapper element type */
-		columnTitleTag: 'span'
+		titleRow: null
 	};
 	
 	/**
--- a/src/static/scripts/jdenticon-3.3.0.js
+++ b/src/static/scripts/jdenticon-3.3.0.js
--- a/src/static/scripts/jquery-3.7.1.slim.js
+++ b/src/static/scripts/jquery-3.7.1.slim.js
--- a/src/static/templates/admin/diagnostics.hbs
+++ b/src/static/templates/admin/diagnostics.hbs
@@ -8,7 +8,7 @@
                <dl class="row">
                    <dt class="col-sm-5">Server Installed
                        <span class="badge bg-success d-none abbr-badge" id="server-success" title="Latest version is installed.">Ok</span>
-                        <span class="badge bg-warning text-dark d-none abbr-badge" id="server-warning" title="An update is available.">Update</span>
+                        <span class="badge bg-warning text-dark d-none abbr-badge" id="server-warning" title="There seems to be an update available.">Update</span>
                        <span class="badge bg-info text-dark d-none abbr-badge" id="server-branch" title="This is a branched version.">Branched</span>
                    </dt>
                    <dd class="col-sm-7">
@@ -23,17 +23,17 @@
                    {{#if page_data.web_vault_enabled}}
                    <dt class="col-sm-5">Web Installed
                        <span class="badge bg-success d-none abbr-badge" id="web-success" title="Latest version is installed.">Ok</span>
-                        <span class="badge bg-warning text-dark d-none abbr-badge" id="web-warning" title="An update is available.">Update</span>
-                        <span class="badge bg-info text-dark d-none abbr-badge" id="web-prerelease" title="You are using a pre-release version.">Pre-Release</span>
+                        <span class="badge bg-warning text-dark d-none abbr-badge" id="web-warning" title="There seems to be an update available.">Update</span>
+                        <span class="badge bg-info text-dark d-none abbr-badge" id="web-prerelease" title="You seem to be using a pre-release version.">Pre-Release</span>
                    </dt>
                    <dd class="col-sm-7">
-                        <span id="web-installed">{{page_data.active_web_release}}</span>
+                        <span id="web-installed">{{page_data.web_vault_version}}</span>
                    </dd>
                    <dt class="col-sm-5">Web Latest
                        <span class="badge bg-secondary d-none abbr-badge" id="web-failed" title="Unable to determine latest version.">Unknown</span>
                    </dt>
                    <dd class="col-sm-7">
-                        <span id="web-latest">{{page_data.latest_web_release}}</span>
+                        <span id="web-latest">{{page_data.latest_web_build}}</span>
                    </dd>
                    {{/if}}
                    {{#unless page_data.web_vault_enabled}}
--- a/src/static/templates/admin/organizations.hbs
+++ b/src/static/templates/admin/organizations.hbs
@@ -59,7 +59,7 @@
 </main>

 <link rel="stylesheet" href="{{urlpath}}/vw_static/datatables.css" />
-<script src="{{urlpath}}/vw_static/jquery-4.0.0.slim.js"></script>
+<script src="{{urlpath}}/vw_static/jquery-3.7.1.slim.js"></script>
 <script src="{{urlpath}}/vw_static/datatables.js"></script>
 <script src="{{urlpath}}/vw_static/admin_organizations.js"></script>
 <script src="{{urlpath}}/vw_static/jdenticon-3.3.0.js"></script>
--- a/src/static/templates/admin/users.hbs
+++ b/src/static/templates/admin/users.hbs
@@ -153,7 +153,7 @@
 </main>

 <link rel="stylesheet" href="{{urlpath}}/vw_static/datatables.css" />
-<script src="{{urlpath}}/vw_static/jquery-4.0.0.slim.js"></script>
+<script src="{{urlpath}}/vw_static/jquery-3.7.1.slim.js"></script>
 <script src="{{urlpath}}/vw_static/datatables.js"></script>
 <script src="{{urlpath}}/vw_static/admin_users.js"></script>
 <script src="{{urlpath}}/vw_static/jdenticon-3.3.0.js"></script>
--- a/src/static/templates/scss/vaultwarden.scss.hbs
+++ b/src/static/templates/scss/vaultwarden.scss.hbs
@@ -192,19 +192,6 @@ bit-nav-item[route="sends"] {
  @extend %vw-hide;
 }
 {{/unless}}
-
-{{#unless password_hints_allowed}}
-/* Hide password hints if not allowed */
-a[routerlink="/hint"],
-{{#if (webver "<2025.12.2")}}
-app-change-password > form > .form-group:nth-child(5),
-auth-input-password > form > bit-form-field:nth-child(4) {
-{{else}}
-.vw-password-hint {
-{{/if}}
-  @extend %vw-hide;
-}
-{{/unless}}
 /**** End Dynamic Vaultwarden Changes ****/
 /**** Include a special user stylesheet for custom changes ****/
 {{#if load_user_scss}}
--- a/src/util.rs
+++ b/src/util.rs
@@ -531,7 +531,7 @@ struct WebVaultVersion {
    version: String,
 }

-pub fn get_active_web_release() -> String {
+pub fn get_web_vault_version() -> String {
    let version_files = [
        format!("{}/vw-version.json", CONFIG.web_vault_folder()),
        format!("{}/version.json", CONFIG.web_vault_folder()),