Vykar

v0.16.1 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 15d Backup & Recovery
This release patches 2 known CVEs

Topics

backup rust sysadmin

Affected surfaces

deps

Summary

AI summary

Fixed prune grouping, SFTP pool‑acquire logging, multi‑path basename sharing, Windows path normalization, and macOS GUI linking.

Changes in this release

Security Medium

`russh` bumped to 0.60.3 and `russh-sftp` to 2.1.2 for CVEs GHSA-f5v4-2wr6-hqmg and CVE-2026-46673.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Feature Medium

Multi-path sources can now share the same basename.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Feature Medium

Downloads available for Linux, macOS, and Windows platforms in various architectures and formats.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Dependency Medium

Hygiene bumps: `rusty-s3` 0.9.1, `fastcdc` 4.0.1, `nix` 0.31.3, `tray-icon` 0.22.2, `lru` 0.18.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Dependency Medium

`ureq` unified on v3 across the workspace.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Bugfix Medium

Prune groups by source label regardless of local config.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

SFTP pool-acquire waits no longer masquerade as transport retries.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Windows path normalization fixed.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Bugfix Medium

GUI link error on macOS fixed.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Other Medium

All Node.js-based GitHub Actions bumped to current majors for Node.js 24 compatibility.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Full changelog

Bug Fixes

  • Prune now groups by source label regardless of local config. Previously, running prune from a repo without a configured `sources:` block (e.g. on a central server backing up clients) pooled every snapshot into a single bucket and ignored source labels, producing wrong retention. Labels are intrinsic to each snapshot, so grouping is now consistent with how snapshots were created. (#138)
  • SFTP pool-acquire waits no longer masquerade as transport retries. On connection-capped servers (e.g. Hetzner Storage Box), concurrent uploads previously logged `connection error (attempt N/5)` for pure pool contention and consumed the user-visible retry budget. Pool waits now log distinctly (`waited Ns for connection pool slot`), do not touch the retry budget, and don't trigger backoff. A wedged-pool fuse preserves liveness if a slot ever leaks.
  • Multi-path sources can now share the same basename. Snapshots prefix each source-path's contents by the full configured absolute path, so paths like `/etc` and `/var/lib/machines/base/etc` can coexist in one source. Single-path single-source files keep the legacy basename layout. (#143)
  • Windows path normalization fixed. A `str::replace` regression in the duplicate-basename fix broke compilation on `x86_64-pc-windows-msvc`. The Linux/macOS builds never compile that branch, so the issue surfaced only on Windows.
  • GUI link error on macOS fixed. Pinned `slint` and `slint-build` to `~1.15` to avoid duplicate `muda` Objective-C class registration that broke macOS release linking.
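
The prune-grouping bug in the first item above, as an added example that is not Vykar's code: the same retention rule applied to one pooled bucket and then to per-label buckets. The `Snapshot` struct, the keep-last-N rule, the label names and the sample data are assumptions made for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Hypothetical snapshot record; Vykar's real types are not shown on this page.
struct Snapshot {
    id: u32,
    label: &'static str, // source label stored in the snapshot itself
    time: u64,           // creation time, larger = newer
}

/// Assumed retention rule: keep the `n` newest snapshots of one bucket.
fn keep_last(bucket: &[&Snapshot], n: usize) -> Vec<u32> {
    let mut sorted = bucket.to_vec();
    sorted.sort_by(|a, b| b.time.cmp(&a.time));
    sorted.into_iter().take(n).map(|s| s.id).collect()
}

/// Behaviour described as the bug: every snapshot lands in one bucket.
fn kept_pooled(snaps: &[Snapshot], n: usize) -> BTreeSet<u32> {
    let all: Vec<&Snapshot> = snaps.iter().collect();
    keep_last(&all, n).into_iter().collect()
}

/// Behaviour described as the fix: bucket by the label each snapshot carries.
fn kept_by_label(snaps: &[Snapshot], n: usize) -> BTreeSet<u32> {
    let mut groups: BTreeMap<&str, Vec<&Snapshot>> = BTreeMap::new();
    for s in snaps { groups.entry(s.label).or_default().push(s); }
    groups.values().flat_map(|g| keep_last(g, n)).collect()
}

/// Labels left with no snapshot at all under a given keep set.
fn orphaned_labels(snaps: &[Snapshot], kept: &BTreeSet<u32>) -> Vec<&'static str> {
    let all: BTreeSet<&'static str> = snaps.iter().map(|s| s.label).collect();
    let alive: BTreeSet<&'static str> =
        snaps.iter().filter(|s| kept.contains(&s.id)).map(|s| s.label).collect();
    all.difference(&alive).copied().collect()
}

// Constructed sample: a quiet client ("db") and a busy one ("web").
fn sample() -> Vec<Snapshot> {
    vec![
        Snapshot { id: 1, label: "db", time: 10 }, Snapshot { id: 2, label: "web", time: 20 },
        Snapshot { id: 3, label: "web", time: 30 }, Snapshot { id: 4, label: "web", time: 40 },
    ]
}

fn main() {
    let snaps = sample();
    println!("pooled leaves no backup for {:?}", orphaned_labels(&snaps, &kept_pooled(&snaps, 2)));
    println!("by label leaves no backup for {:?}", orphaned_labels(&snaps, &kept_by_label(&snaps, 2)));
}
```

With the pooled bucket the quiet client loses its only snapshot, which is the availability risk behind "wrong retention" on a central server.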

Dependencies

  • Security: `russh` bumped to 0.60.3 and `russh-sftp` to 2.1.2 for two upstream CVEs — GHSA-f5v4-2wr6-hqmg (keyboard-interactive OOM) and CVE-2026-46673 (compression ZIP-bomb that bypassed max-packet checks).
  • Hygiene bumps: `rusty-s3` 0.9.1, `fastcdc` 4.0.1, `nix` 0.31.3, `tray-icon` 0.22.2, `lru` 0.18.
  • `ureq` unified on v3 across the workspace, eliminating a duplicate v2 from the CLI dev-dep test pipeline.
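
A lockfile check for the security bump above, as an added example that is not part of Vykar: it scans `Cargo.lock` text and reports `russh` or `russh-sftp` entries older than the versions this release moves to. Treating 0.60.3 and 2.1.2 as the minimum patched versions is an assumption, and the lockfile excerpt is constructed.

```rust
// Versions this release bumps to; treating them as the minimum patched
// versions is an assumption of this example.
const FLOORS: [(&str, (u64, u64, u64)); 2] = [("russh", (0, 60, 3)), ("russh-sftp", (2, 1, 2))];

/// Parse "MAJOR.MINOR.PATCH" (build metadata after '+' is ignored).
/// Pre-release strings such as "1.0.0-rc1" do not parse and return None.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.split('+').next()?.split('.').map(|p| p.parse::<u64>().ok());
    let triple = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(triple) }
}

/// Extract the quoted value of `key = "value"` from one Cargo.lock line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Return (crate, locked version) for every tracked crate below its floor.
/// A version that does not parse is reported too, so the check fails closed.
fn below_floor(lock: &str) -> Vec<(String, String)> {
    let mut hits = Vec::new();
    let mut name = "";
    for line in lock.lines() {
        if let Some(n) = field(line, "name") {
            name = n;
        } else if let Some(v) = field(line, "version") {
            let floor = FLOORS.iter().find(|(k, _)| *k == name).map(|(_, f)| *f);
            if floor.map_or(false, |f| parse_version(v).map_or(true, |got| got < f)) {
                hits.push((name.to_string(), v.to_string()));
            }
        }
    }
    hits
}

// Constructed Cargo.lock excerpt, not taken from the Vykar repository.
const SAMPLE_LOCK: &str = r#"
version = 4
[[package]]
name = "russh"
version = "0.60.3"
[[package]]
name = "russh-sftp"
version = "2.1.1"
"#;

fn main() {
    println!("below floor: {:?}", below_floor(SAMPLE_LOCK));
}
```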

Infrastructure

  • All Node.js-based GitHub Actions bumped to current majors for Node.js 24 compatibility (the runner forces Node 24 by default starting 2026-06-02).

Downloads

| Platform | Asset |
| --- | --- |
| Linux x86_64 (glibc) | vykar-v0.16.1-x86_64-unknown-linux-gnu.tar.gz |
| Linux x86_64 (musl) | vykar-v0.16.1-x86_64-unknown-linux-musl.tar.gz |
| Linux aarch64 (glibc) | vykar-v0.16.1-aarch64-unknown-linux-gnu.tar.gz |
| Linux aarch64 (musl) | vykar-v0.16.1-aarch64-unknown-linux-musl.tar.gz |
| Linux x86_64 (GUI AppImage) | vykar-gui-v0.16.1-x86_64.AppImage |
| macOS aarch64 | vykar-v0.16.1-aarch64-apple-darwin.tar.gz |
| Windows x86_64 | vykar-v0.16.1-x86_64-pc-windows-msvc.zip |

Security Fixes

  • dep: GHSA-f5v4-2wr6-hqmg — keyboard‑interactive OOM in russh
  • dep: CVE-2026-46673 — ZIP‑bomb bypass of max‑packet checks in russh-sftp

About Vykar

Fast, encrypted, deduplicated backups
