Oikos

v0.58.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 21h Productivity & Wikis

✓ No known CVEs patched

This release patches 1 known CVE

Topics

docker family family-planner home-automation planner-app privacy-first

+4 more

progressive-web-app pwa self-hosted selfhosted-apps

Affected surfaces

auth

Summary

AI summary

First‑run web setup creates an initial admin account with transactional safety.

Type	Severity	Summary	CVE
Feature	Low	Adds web-based first‑run setup to create initial admin account. Adds web-based first‑run setup to create initial admin account. Source: llm_adapter@2026-06-03 Confidence: high	—
Feature	Low	Updates public version endpoint to indicate if first‑run setup is required. Updates public version endpoint to indicate if first‑run setup is required. Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Fixes concurrent first‑run setup creating duplicate admin accounts. Fixes concurrent first‑run setup creating duplicate admin accounts. Source: llm_adapter@2026-06-03 Confidence: low	—
Bugfix	Medium	Prevents concurrent first-run submissions from creating duplicate admin accounts by using a single transaction. Prevents concurrent first-run submissions from creating duplicate admin accounts by using a single transaction. Source: granite4.1:30b@2026-06-03-audit Confidence: low	—

Full changelog

Web-based first-run setup: create the first admin account directly in the browser on a fresh install. The first visit detects that no account exists, walks you through a setup form (username, display name, password with confirmation), creates the admin, and signs you in automatically — localized in all 16 interface languages. The node setup.js CLI remains available as a headless fallback.

The public version endpoint now reports whether first-run setup is still required, so the app routes new installations to the setup page automatically and back to login once an admin exists.
Hardened the first-run setup endpoint against concurrent requests: the user-count check and the admin insert now run in a single transaction, so two simultaneous first-run submissions can no longer create two admin accounts.

First‑run setup hardened against concurrent submissions; user‑count check and admin insert run in a single transaction to prevent duplicate admins

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Track Oikos

Get notified when new releases ship.

About Oikos

Family planner for small households