Merge pull request #11957 from firefly-iii/develop

🤖 Automatically merge the PR into the main branch.

.github/security.md

@@ -99,12 +99,10 @@ compatibility.
 ## Security scanning through automated means
 
 There is some additional guidance for security vulnerabilities or suspected security vulnerabilities that have been 
-found with the full or partial support of AI coding agents, large language models and other code-scanning tools. Many of 
-such reports the developer of Firefly III receives are not applicable. This takes time away from responding to
-actual security vulnerabilities or suspected security vulnerabilities. If you use automated means to find these in
-the Firefly III code base, please take care to:
+found with the full or partial support of AI coding agents, large language models and other code-scanning tools. These reports are often not applicable, not actually a vulnerability, or just plain wrong. This takes time away from responding to
+*actual* security vulnerabilities or suspected security vulnerabilities. If you use automated means to search for security vulnerabilities in the Firefly III code base, please take care to:
 
-1. Manually validate the results before you submit a report,
+1. manually validate the results before you submit a report,
 2. explain how the vulnerability can actually be abused by a nefarious third party, and
 3. try to limit the verbosity of your report.
 

changelog.md

@@ -3,7 +3,40 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## 6.5.5 - 2026-03-15
+## v6.5.6 - 2026-03-16
+
+<!-- summary: This release takes note of some security issues, and fixes interesting bugs. -->
+
+### Added
+
+- Add the ability for Fosstodon posts to read a summary of the changelog.
+
+### Changed
+
+- Lots of code cleanup and small quality issues fixed.
+
+### Fixed
+- [Issue 11803](https://github.com/firefly-iii/firefly-iii/issues/11803) (Monthly Left budget not correct) reported by @fabienfitoussi
+- [Issue 11641](https://github.com/firefly-iii/firefly-iii/issues/11641) (Annual budget “Remaining” resets in subsequent months) reported by @maxwell5555
+- [Discussion 11879](https://github.com/orgs/firefly-iii/discussions/11879) (Searching for accounts should include inactive accounts?) started by @b-ryan
+- [Issue 11916](https://github.com/firefly-iii/firefly-iii/issues/11916) (Balance is not recalculated when multiple transactions are selected and then deleted) reported by @elp3dr0
+- [Discussion 11936](https://github.com/orgs/firefly-iii/discussions/11936) (Links in emails don't link to correct domain) started by @SamLMB
+- [Issue 11944](https://github.com/firefly-iii/firefly-iii/issues/11944) (Stale available_budgets rows prevent disabling a currency after switching default) reported by @k-leveller
+- [Issue 11953](https://github.com/firefly-iii/firefly-iii/issues/11953) ("Actions" buttons no longer appears after selecting multiple transactions) reported by @crtxcr
+- [Issue 11954](https://github.com/firefly-iii/firefly-iii/issues/11954) (Search results are not shown after loading) reported by @fabienfitoussi
+
+### Security
+
+- Credits go to Igor for finding some interesting issues in Firefly III. They have been fixed.
+
+> [!NOTE]
+> As AI-code scanning tools like Claude and Co-Pilot get more advanced, many (new) issues are being reported through (semi-)automated means. I have updated [the security policy](https://github.com/firefly-iii/firefly-iii/security/policy) to reflect my stance on this. The following security related issues no longer need reporting:
+
+- It is possible to point webhooks to private or internal IPs.
+- You can see all transaction link types.
+- `unsafe-inline` is allowed for CSS, which means you can overrule the layout if you manage to get CSS on the page.
+
+## v6.5.5 - 2026-03-15
 
 <!-- summary: This release takes note of some security issues, and fixes interesting bugs. -->
 

composer.lock

@@ -12382,16 +12382,16 @@
         },
         {
             "name": "sebastian/environment",
-            "version": "8.0.3",
+            "version": "8.0.4",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/environment.git",
-                "reference": "24a711b5c916efc6d6e62aa65aa2ec98fef77f68"
+                "reference": "7b8842c2d8e85d0c3a5831236bf5869af6ab2a11"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/environment/zipball/24a711b5c916efc6d6e62aa65aa2ec98fef77f68",
-                "reference": "24a711b5c916efc6d6e62aa65aa2ec98fef77f68",
+                "url": "https://api.github.com/repos/sebastianbergmann/environment/zipball/7b8842c2d8e85d0c3a5831236bf5869af6ab2a11",
+                "reference": "7b8842c2d8e85d0c3a5831236bf5869af6ab2a11",
                 "shasum": ""
             },
             "require": {
@@ -12434,7 +12434,7 @@
             "support": {
                 "issues": "https://github.com/sebastianbergmann/environment/issues",
                 "security": "https://github.com/sebastianbergmann/environment/security/policy",
-                "source": "https://github.com/sebastianbergmann/environment/tree/8.0.3"
+                "source": "https://github.com/sebastianbergmann/environment/tree/8.0.4"
             },
             "funding": [
                 {
@@ -12454,7 +12454,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-08-12T14:11:56+00:00"
+            "time": "2026-03-15T07:05:40+00:00"
         },
         {
             "name": "sebastian/exporter",

config/firefly.php

@@ -78,8 +78,8 @@ return [
         'running_balance_column' => (bool)envDefaultWhenEmpty(env('USE_RUNNING_BALANCE'), true), // this is only the default value, is not used.
         // see cer.php for exchange rates feature flag.
     ],
-    'version'                              => 'develop/2026-03-15',
-    'build_time'                           => 1773556820,
+    'version'                              => '6.5.6',
+    'build_time'                           => 1773592406,
     'api_version'                          => '2.1.0', // field is no longer used.
     'db_version'                           => 28, // field is no longer used.
 

public/v1/js/ff/accounts/reconcile.js

@@ -53,13 +53,13 @@ $(function () {
         if (reconcileStarted) {
             //console.log('Reconcile has started.');
             // hide original instructions.
-            $('.select_transactions_instruction').hide();
+            $('.select_transactions_instruction').addClass('hidden');
 
             // show date-change warning
-            $('.date_change_warning').show();
+            $('.date_change_warning').removeClass('hidden');
 
             // show update button
-            $('.change_date_button').show();
+            $('.change_date_button').removeClass('hidden');
         }
     });
 

public/v1/js/ff/list/groups.js

@@ -130,7 +130,7 @@ function uncheckAll() {
 
 function updateActionButtons() {
     if (0 !== count) {
-        $('.action-menu').show();
+        $('.action-menu').removeClass('hidden');
 
         // also update labels:
         $('.mass-edit span.txt').text(edit_selected_txt + ' (' + count + ')');
@@ -139,7 +139,7 @@ function updateActionButtons() {
 
     }
     if (0 === count) {
-        $('.action-menu').hide();
+        $('.action-menu').addClass('hidden');
     }
 }
 

public/v1/js/ff/search/index.js

@@ -32,7 +32,7 @@ function startSearch(query) {
 
 function searchFailure() {
     $('.result_row').hide();
-    $('.error_row').show();
+    $('.error_row').removeClass('hidden');
 }
 
 function presentSearchResults(data) {
@@ -42,7 +42,7 @@ function presentSearchResults(data) {
     }
     $('.search_ongoing').hide();
     $('.search_box').find('.overlay').remove();
-    $('.search_results').html(data.html).show();
+    $('.search_results').html(data.html).removeClass('hidden');
 
 
     updateListButtons();

public/v1/js/ff/transactions/list.js

@@ -25,7 +25,7 @@
  */
 $(document).ready(function () {
     "use strict";
-    $('.mass_edit_all').show();
+    $('.mass_edit_all').removeClass('hidden');
     $('.mass_select').click(startMassSelect);
     $('.mass_stop_select').click(stopMassSelect);
 
@@ -143,10 +143,10 @@ function countChecked() {
         // get amount for the transactions:
         //getAmounts();
 
-        $('.mass_button_options').show();
+        $('.mass_button_options').removeClass('hidden');
 
     } else {
-        $('.mass_button_options').hide();
+        $('.mass_button_options').addClass('hidden');
     }
 }
 
@@ -181,25 +181,25 @@ function stopMassSelect() {
 
 
     // hide "select all" box in table header.
-    $('.select_boxes').hide();
+    $('.select_boxes').addClass('hidden');
 
     // show the other header cell.
-    $('.no_select_boxes').show();
+    $('.no_select_boxes').removeClass('hidden');
 
     // show edit/delete buttons
-    $('.edit_buttons').show();
+    $('.edit_buttons').removeClass('hidden');
 
     // hide the checkbox.
-    $('.select_single').hide();
+    $('.select_single').addClass('hidden');
 
     // show the start button
-    $('.mass_select').show();
+    $('.mass_select').removeClass('hidden');
 
     // hide the stop button
-    $('.mass_stop_select').hide();
+    $('.mass_stop_select').addClass('hidden');
 
     // show reconcile account button, if present
-    $('.mass_reconcile').show();
+    $('.mass_reconcile').removeClass('hidden');
 
     return false;
 }
@@ -212,25 +212,25 @@ function startMassSelect() {
     "use strict";
     console.log('Now in startMassSelect()');
     // show "select all" box in table header.
-    $('.select_boxes').show();
+    $('.select_boxes').removeClass('hidden');
 
     // hide the other header cell.
-    $('.no_select_boxes').hide();
+    $('.no_select_boxes').addClass('hidden');
 
     // hide edit/delete buttons
-    $('.edit_buttons').hide();
+    $('.edit_buttons').addClass('hidden');
 
     // show the checkbox.
-    $('.select_single').show();
+    $('.select_single').removeClass('hidden');
 
     // hide the start button
-    $('.mass_select').hide();
+    $('.mass_select').addClass('hidden');
 
     // show the stop button
-    $('.mass_stop_select').show();
+    $('.mass_stop_select').removeClass('hidden');
 
     // hide reconcile account button, if present
-    $('.mass_reconcile').hide();
+    $('.mass_reconcile').addClass('hidden');
 
     return false;
 }

resources/lang/en_US/firefly.php

@@ -474,6 +474,7 @@ return [
     'search_modifier_not_tag_contains'                    => 'Tag does not contain ":value"',
     'search_modifier_tag_ends'                            => 'Tag ends with ":value"',
     'search_modifier_tag_starts'                          => 'Tag starts with ":value"',
+    'search_modifier_not_tag_starts'                      => 'No tag starts with ":value"',
     'search_modifier_not_tag_is'                          => 'No tag is ":value"',
     'search_modifier_date_on_year'                        => 'Transaction is in year ":value"',
     'search_modifier_not_date_on_year'                    => 'Transaction is not in year ":value"',