Merge pull request #11967 from firefly-iii/release-1773691728

🤖 Automatically merge the PR into the develop branch.

.github/security.md

@@ -99,12 +99,10 @@ compatibility.
 ## Security scanning through automated means
 
 There is some additional guidance for security vulnerabilities or suspected security vulnerabilities that have been 
-found with the full or partial support of AI coding agents, large language models and other code-scanning tools. Many of 
-such reports the developer of Firefly III receives are not applicable. This takes time away from responding to
-actual security vulnerabilities or suspected security vulnerabilities. If you use automated means to find these in
-the Firefly III code base, please take care to:
+found with the full or partial support of AI coding agents, large language models and other code-scanning tools. These reports are often not applicable, not actually a vulnerability, or just plain wrong. This takes time away from responding to
+*actual* security vulnerabilities or suspected security vulnerabilities. If you use automated means to search for security vulnerabilities in the Firefly III code base, please take care to:
 
-1. Manually validate the results before you submit a report,
+1. manually validate the results before you submit a report,
 2. explain how the vulnerability can actually be abused by a nefarious third party, and
 3. try to limit the verbosity of your report.
 

app/Api/V1/Controllers/Summary/BasicController.php

@@ -323,7 +323,7 @@ final class BasicController extends Controller
         $today      = today(config('app.timezone'));
         $available  = $this->abRepository->getAvailableBudgetWithCurrency($start, $end);
         $budgets    = $this->budgetRepository->getActiveBudgets();
-        $spent      = $this->opsRepository->sumExpenses($start, $end, null, $budgets);
+        $spent      = $this->opsRepository->sumExpenses($start, $end, null, $budgets, null, true);
         $days       = (int) $today->diffInDays($end, true) + 1;
         $currencies = [];
 

app/Api/V1/Requests/Chart/ChartRequest.php

@@ -28,7 +28,7 @@ use FireflyIII\Enums\UserRoleEnum;
 use FireflyIII\Support\Http\Api\ValidatesUserGroupTrait;
 use FireflyIII\Support\Request\ChecksLogin;
 use FireflyIII\Support\Request\ConvertsDataTypes;
-use Illuminate\Contracts\Validation\Validator;
+use FireflyIII\Validation\FireflyValidator;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Support\Facades\Log;
 
@@ -69,9 +69,9 @@ class ChartRequest extends FormRequest
         ];
     }
 
-    public function withValidator(Validator $validator): void
+    public function withValidator(FireflyValidator $validator): void
     {
-        $validator->after(static function (Validator $validator): void {
+        $validator->after(static function (FireflyValidator $validator): void {
             // validate transaction query data.
             $data = $validator->getData();
             if (!array_key_exists('accounts', $data)) {

app/Api/V1/Requests/Data/Bulk/MoveTransactionsRequest.php

@@ -27,7 +27,7 @@ namespace FireflyIII\Api\V1\Requests\Data\Bulk;
 use FireflyIII\Repositories\Account\AccountRepositoryInterface;
 use FireflyIII\Support\Request\ChecksLogin;
 use FireflyIII\Support\Request\ConvertsDataTypes;
-use Illuminate\Contracts\Validation\Validator;
+use FireflyIII\Validation\FireflyValidator;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Support\Facades\Log;
 
@@ -61,9 +61,9 @@ class MoveTransactionsRequest extends FormRequest
      * Configure the validator instance with special rules for after the basic validation rules.
      * TODO this is duplicate.
      */
-    public function withValidator(Validator $validator): void
+    public function withValidator(FireflyValidator $validator): void
     {
-        $validator->after(function (Validator $validator): void {
+        $validator->after(function (FireflyValidator $validator): void {
             // validate start before end only if both are there.
             $data = $validator->getData();
             if (array_key_exists('original_account', $data) && array_key_exists('destination_account', $data)) {
@@ -75,7 +75,7 @@ class MoveTransactionsRequest extends FormRequest
         }
     }
 
-    private function validateMove(Validator $validator): void
+    private function validateMove(FireflyValidator $validator): void
     {
         $data                = $validator->getData();
         $repository          = app(AccountRepositoryInterface::class);

app/Api/V1/Requests/Models/Account/UpdateRequest.php

@@ -33,7 +33,7 @@ use FireflyIII\Rules\UniqueIban;
 use FireflyIII\Support\Request\AppendsLocationData;
 use FireflyIII\Support\Request\ChecksLogin;
 use FireflyIII\Support\Request\ConvertsDataTypes;
-use Illuminate\Contracts\Validation\Validator;
+use FireflyIII\Validation\FireflyValidator;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Support\Facades\Log;
 
@@ -121,9 +121,9 @@ class UpdateRequest extends FormRequest
     /**
      * Configure the validator instance with special rules for after the basic validation rules.
      */
-    public function withValidator(Validator $validator): void
+    public function withValidator(FireflyValidator $validator): void
     {
-        $validator->after(function (Validator $validator): void {
+        $validator->after(function (FireflyValidator $validator): void {
             // validate start before end only if both are there.
             $data       = $validator->getData();
 

app/Api/V1/Requests/Models/TransactionCurrency/CurrencyCodeRequest.php

@@ -25,7 +25,7 @@ declare(strict_types=1);
 namespace FireflyIII\Api\V1\Requests\Models\TransactionCurrency;
 
 use FireflyIII\Api\V1\Requests\ApiRequest;
-use Illuminate\Contracts\Validation\Validator;
+use FireflyIII\Validation\FireflyValidator;
 
 class CurrencyCodeRequest extends ApiRequest
 {
@@ -34,10 +34,10 @@ class CurrencyCodeRequest extends ApiRequest
         return ['code' => sprintf('exists:transaction_currencies,code|%s', $this->required)];
     }
 
-    public function withValidator(Validator $validator): void
+    public function withValidator(FireflyValidator $validator): void
     {
-        $validator->after(function (Validator $validator): void {
-            if (!$validator->valid()) {
+        $validator->after(function (FireflyValidator $validator): void {
+            if (0 === count($validator->valid())) {
                 return;
             }
             $code = $this->convertString('code', '');

app/Helpers/Collector/Extensions/MetaCollection.php

@@ -955,9 +955,9 @@ trait MetaCollection
         $this->fields[] = 'tags.tag as tag_name';
         $this->fields[] = 'tags.date as tag_date';
         $this->fields[] = 'tags.description as tag_description';
-        $this->fields[] = 'tags.latitude as tag_latitude';
-        $this->fields[] = 'tags.longitude as tag_longitude';
-        $this->fields[] = 'tags.zoomLevel as tag_zoom_level';
+        //        $this->fields[] = 'tags.latitude as tag_latitude';
+        //        $this->fields[] = 'tags.longitude as tag_longitude';
+        // $this->fields[] = 'tags.zoomLevel as tag_zoom_level';
 
         $this->joinTagTables();
 

app/Http/Controllers/Controller.php

@@ -99,6 +99,7 @@ abstract class Controller extends BaseController
         $logoutUrl        = config('firefly.custom_logout_url');
 
         // overrule v2 layout back to v1.
+
         if ('true' === request()->get('force_default_layout') && 'v2' === config('view.layout')) {
             // config('view.layout','v1');
             Config::set('view.layout', 'v1');

app/Http/Controllers/Json/BudgetController.php

@@ -60,7 +60,7 @@ final class BudgetController extends Controller
             $this->abRepository = app(AvailableBudgetRepositoryInterface::class);
             $this->blRepository = app(BudgetLimitRepositoryInterface::class);
             $this->repository->cleanupBudgets();
-            $this->blRepository->cleanup();
+            $this->abRepository->cleanup();
 
             return $next($request);
         });

app/Http/Controllers/Transaction/EditController.php

@@ -115,7 +115,7 @@ final class EditController extends Controller
         ];
         $optionalFields['external_url'] ??= false;
         $optionalFields['location']     ??= false;
-        $optionalFields['location'] = $optionalFields['location']
+        $optionalFields['location'] = true === $optionalFields['location']
         && true === FireflyConfig::get('enable_external_map', config('firefly.enable_external_map'))->data;
 
         // map info voor v2:

app/Http/Middleware/SecureHeaders.php

@@ -59,7 +59,7 @@ class SecureHeaders
             "object-src 'none'",
             sprintf("script-src 'unsafe-eval' 'strict-dynamic' 'nonce-%1s'", $nonce),
             // sprintf("style-src 'self' 'nonce-%1s'", $nonce), // safe variant
-            "style-src 'self' 'unsafe-eval'", // unsafe variant
+            "style-src 'self' 'unsafe-inline'", // unsafe variant
             "base-uri 'self'",
             "form-action 'self'",
             "font-src 'self' data:",

app/Models/GroupMembership.php

@@ -31,6 +31,9 @@ use Illuminate\Database\Eloquent\Casts\Attribute;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 
+/**
+ * @property User $user
+ */
 class GroupMembership extends Model
 {
     use ReturnsIntegerIdTrait;

app/Models/TransactionJournalMeta.php

@@ -32,6 +32,9 @@ use Illuminate\Database\Eloquent\SoftDeletes;
 use function Safe\json_decode;
 use function Safe\json_encode;
 
+/**
+ * @property TransactionJournal $transactionJournal
+ */
 class TransactionJournalMeta extends Model
 {
     use ReturnsIntegerIdTrait;

app/Repositories/Attachment/AttachmentRepositoryInterface.php

@@ -27,6 +27,8 @@ use FireflyIII\Enums\UserRoleEnum;
 use FireflyIII\Exceptions\FireflyException;
 use FireflyIII\Models\Attachment;
 use FireflyIII\Models\UserGroup;
+use FireflyIII\User;
+use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Support\Collection;
 
 /**
@@ -37,6 +39,7 @@ use Illuminate\Support\Collection;
  * @method getUser()
  * @method checkUserGroupAccess(UserRoleEnum $role)
  * @method setUserGroupById(int $userGroupId)
+ * @method setUser(null|Authenticatable|User $user)
  */
 interface AttachmentRepositoryInterface
 {

app/Repositories/Bill/BillRepository.php

@@ -638,9 +638,10 @@ class BillRepository implements BillRepositoryInterface, UserGroupInterface
 
         /** @var Bill $bill */
         foreach ($bills as $bill) {
+            // Log::debug(sprintf('Bill #%d ("%s")', $bill->id, $bill->name));
             /** @var Collection $set */
-            $set       = $bill->transactionJournals()->after($start)->before($end)->get(['transaction_journals.*']);
-            $currency  = $convertToPrimary && $bill->transactionCurrency->id !== $primary->id ? $primary : $bill->transactionCurrency;
+            $set      = $bill->transactionJournals()->after($start)->before($end)->get(['transaction_journals.*']);
+            $currency = $convertToPrimary && $bill->transactionCurrency->id !== $primary->id ? $primary : $bill->transactionCurrency;
             $return[(int) $currency->id] ??= [
                 'id'             => (string) $currency->id,
                 'name'           => $currency->name,
@@ -649,13 +650,14 @@ class BillRepository implements BillRepositoryInterface, UserGroupInterface
                 'decimal_places' => $currency->decimal_places,
                 'sum'            => '0',
             ];
-            $setAmount = '0';
+            // Log::debug(sprintf('Created a new array for currency #%d', $currency->id));
 
             /** @var TransactionJournal $transactionJournal */
             foreach ($set as $transactionJournal) {
-                // grab currency from transaction.
-                $transactionCurrency                           = $transactionJournal->transactionCurrency;
-                $return[(int) $transactionCurrency->id] ??= [
+                // grab currency from journal.
+                $transactionCurrency        = $transactionJournal->transactionCurrency;
+                $currencyId                 = (int) $transactionCurrency->id;
+                $return[$currencyId] ??= [
                     'id'             => (string) $transactionCurrency->id,
                     'name'           => $transactionCurrency->name,
                     'symbol'         => $transactionCurrency->symbol,
@@ -663,19 +665,12 @@ class BillRepository implements BillRepositoryInterface, UserGroupInterface
                     'decimal_places' => $transactionCurrency->decimal_places,
                     'sum'            => '0',
                 ];
-
+                $amountFromJournal          = Amount::getAmountFromJournalObject($transactionJournal);
+                // Log::debug(sprintf('Created a (new) array for currency #%d', $currencyId));
+                // Log::debug(sprintf('Amount to add is %s', $amountFromJournal));
                 // get currency from transaction as well.
-                $return[(int) $transactionCurrency->id]['sum'] = bcadd(
-                    $return[(int) $transactionCurrency->id]['sum'],
-                    Amount::getAmountFromJournalObject($transactionJournal)
-                );
-
-                // $setAmount = bcadd($setAmount, Amount::getAmountFromJournalObject($transactionJournal));
+                $return[$currencyId]['sum'] = bcadd($return[$currencyId]['sum'], $amountFromJournal);
             }
-
-            // Log::debug(sprintf('Bill #%d ("%s") with %d transaction(s) and sum %s %s', $bill->id, $bill->name, $set->count(), $currency->code, $setAmount));
-            // $return[$currency->id]['sum'] = bcadd($return[$currency->id]['sum'], $setAmount);
-            // Log::debug(sprintf('Total sum is now %s', $return[$currency->id]['sum']));
         }
         // remove empty sets
         $final            = [];

app/Repositories/PeriodStatistic/PeriodStatisticRepository.php

@@ -25,7 +25,10 @@ declare(strict_types=1);
 namespace FireflyIII\Repositories\PeriodStatistic;
 
 use Carbon\Carbon;
+use FireflyIII\Models\Account;
+use FireflyIII\Models\Category;
 use FireflyIII\Models\PeriodStatistic;
+use FireflyIII\Models\Tag;
 use FireflyIII\Support\Repositories\UserGroup\UserGroupInterface;
 use FireflyIII\Support\Repositories\UserGroup\UserGroupTrait;
 use Illuminate\Database\Eloquent\Builder;
@@ -38,7 +41,7 @@ class PeriodStatisticRepository implements PeriodStatisticRepositoryInterface, U
 {
     use UserGroupTrait;
 
-    public function allInRangeForModel(Model $model, Carbon $start, Carbon $end): Collection
+    public function allInRangeForModel(Account|Category|Tag $model, Carbon $start, Carbon $end): Collection
     {
         return $model->primaryPeriodStatistics()->where('start', '>=', $start)->where('end', '<=', $end)->get();
     }

app/Repositories/PeriodStatistic/PeriodStatisticRepositoryInterface.php

@@ -25,13 +25,16 @@ declare(strict_types=1);
 namespace FireflyIII\Repositories\PeriodStatistic;
 
 use Carbon\Carbon;
+use FireflyIII\Models\Account;
+use FireflyIII\Models\Category;
 use FireflyIII\Models\PeriodStatistic;
+use FireflyIII\Models\Tag;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Collection;
 
 interface PeriodStatisticRepositoryInterface
 {
-    public function allInRangeForModel(Model $model, Carbon $start, Carbon $end): Collection;
+    public function allInRangeForModel(Account|Category|Tag $model, Carbon $start, Carbon $end): Collection;
 
     public function allInRangeForPrefix(string $prefix, Carbon $start, Carbon $end): Collection;
 
@@ -41,6 +44,8 @@ interface PeriodStatisticRepositoryInterface
 
     public function deleteStatisticsForPrefix(string $prefix, Collection $dates): void;
 
+    public function deleteStatisticsForType(string $class, Collection $objects, Collection $dates): void;
+
     public function findPeriodStatistic(Model $model, Carbon $start, Carbon $end, string $type): Collection;
 
     public function findPeriodStatistics(Model $model, Carbon $start, Carbon $end, array $types): Collection;

app/Support/Amount.php

@@ -225,21 +225,27 @@ class Amount
      */
     public function getAmountFromJournalObject(TransactionJournal $journal): string
     {
+        // Log::debug(sprintf('Get amount from journal #%d', $journal->id));
         $convertToPrimary  = $this->convertToPrimary();
         $currency          = $this->getPrimaryCurrency();
-        $field             = $convertToPrimary && $currency->id !== $journal->transaction_currency_id ? 'pc_amount' : 'amount';
+        $field             = $convertToPrimary && $currency->id !== $journal->transaction_currency_id ? 'native_amount' : 'amount';
 
         /** @var null|Transaction $sourceTransaction */
         $sourceTransaction = $journal->transactions()->where('amount', '<', 0)->first();
         if (null === $sourceTransaction) {
+            // Log::debug('Return zero!');
             return '0';
         }
         $amount            = $sourceTransaction->{$field} ?? '0';
+        // Log::debug(sprintf('Amount is %s', $amount));
         if ((int) $sourceTransaction->foreign_currency_id === $currency->id) {
             // use foreign amount instead!
             $amount = (string) $sourceTransaction->foreign_amount; // hard coded to be foreign amount.
+
+            // Log::debug(sprintf('Amount is now %s', $amount));
         }
 
+        // Log::debug(sprintf('Final return is %s', $amount));
         return $amount;
     }
 

app/Support/Export/ExportDataGenerator.php

@@ -59,9 +59,9 @@ use FireflyIII\Support\Request\ConvertsDataTypes;
 use FireflyIII\User;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Log;
-use League\Csv\AbstractCsv;
 use League\Csv\CannotInsertRecord;
 use League\Csv\Exception;
+use League\Csv\Writer;
 use Psr\Container\ContainerExceptionInterface;
 use Psr\Container\NotFoundExceptionInterface;
 
@@ -284,7 +284,7 @@ class ExportDataGenerator
         }
 
         // load the CSV document from a string
-        $csv         = AbstractCsv::fromString();
+        $csv         = Writer::fromString();
 
         // insert the header
         try {
@@ -353,7 +353,7 @@ class ExportDataGenerator
         }
 
         // load the CSV document from a string
-        $csv        = AbstractCsv::fromString();
+        $csv        = Writer::fromString();
 
         // insert the header
         try {
@@ -412,7 +412,7 @@ class ExportDataGenerator
         }
 
         // load the CSV document from a string
-        $csv         = AbstractCsv::fromString();
+        $csv         = Writer::fromString();
 
         // insert the header
         try {
@@ -457,7 +457,7 @@ class ExportDataGenerator
         }
 
         // load the CSV document from a string
-        $csv        = AbstractCsv::fromString();
+        $csv        = Writer::fromString();
 
         // insert the header
         try {
@@ -537,7 +537,7 @@ class ExportDataGenerator
         }
 
         // load the CSV document from a string
-        $csv          = AbstractCsv::fromString();
+        $csv          = Writer::fromString();
 
         // insert the header
         try {
@@ -704,7 +704,7 @@ class ExportDataGenerator
             }
         }
         // load the CSV document from a string
-        $csv            = AbstractCsv::fromString();
+        $csv            = Writer::fromString();
 
         // insert the header
         try {
@@ -851,7 +851,7 @@ class ExportDataGenerator
         }
 
         // load the CSV document from a string
-        $csv       = AbstractCsv::fromString();
+        $csv       = Writer::fromString();
 
         // insert the header
         try {
@@ -883,7 +883,7 @@ class ExportDataGenerator
      */
     private function exportTags(): string
     {
-        $header   = ['user_id', 'tag_id', 'created_at', 'updated_at', 'tag', 'date', 'description', 'latitude', 'longitude', 'zoom_level'];
+        $header   = ['user_id', 'tag_id', 'created_at', 'updated_at', 'tag', 'date', 'description']; // 'latitude', 'longitude', 'zoom_level'
 
         $tagRepos = app(TagRepositoryInterface::class);
         $tagRepos->setUser($this->user);
@@ -900,14 +900,14 @@ class ExportDataGenerator
                 $tag->tag,
                 $tag->date?->format('Y-m-d'),
                 $tag->description,
-                $tag->latitude,
-                $tag->longitude,
-                $tag->zoomLevel,
+                //                $tag->latitude,
+                //                $tag->longitude,
+                //                $tag->zoomLevel,
             ];
         }
 
         // load the CSV document from a string
-        $csv      = AbstractCsv::fromString();
+        $csv      = Writer::fromString();
 
         // insert the header
         try {
@@ -1103,7 +1103,7 @@ class ExportDataGenerator
         }
 
         // load the CSV document from a string
-        $csv        = AbstractCsv::fromString();
+        $csv        = Writer::fromString();
 
         // insert the header
         try {

app/Support/Http/Controllers/UserNavigation.php

@@ -111,6 +111,8 @@ trait UserNavigation
 
                 return redirect(route('index'));
             }
+
+            /** @var TransactionJournal $journal */
             $journal     = $transaction->transactionJournal;
 
             /** @var null|Transaction $other */

app/Support/Request/ConvertsDataTypes.php

@@ -27,8 +27,10 @@ namespace FireflyIII\Support\Request;
 use Carbon\Carbon;
 use Carbon\Exceptions\InvalidDateException;
 use Carbon\Exceptions\InvalidFormatException;
+use FireflyIII\Models\UserGroup;
 use FireflyIII\Repositories\Account\AccountRepositoryInterface;
 use FireflyIII\Support\Facades\Steam;
+use Illuminate\Http\Request;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Log;
 
@@ -36,6 +38,8 @@ use function Safe\preg_replace;
 
 /**
  * Trait ConvertsDataTypes
+ *
+ * @method UserGroup validateUserGroup(Request $request)
  */
 trait ConvertsDataTypes
 {

app/User.php

@@ -106,9 +106,6 @@ class User extends Authenticatable
         throw new NotFoundHttpException();
     }
 
-    /**
-     * Link to accounts.
-     */
     public function accounts(): HasMany
     {
         return $this->hasMany(Account::class);

changelog.md

@@ -3,7 +3,40 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## 6.5.5 - 2026-03-15
+## v6.5.7 - 2026-03-xx
+
+<!-- summary: If you can read this I forgot to update the summary! -->
+
+### Added
+
+- Initial release.
+
+### Changed
+
+- Initial release.
+
+### Deprecated
+
+- Initial release.
+
+### Removed
+
+- Initial release.
+
+### Fixed
+
+- [Issue 11964](https://github.com/firefly-iii/firefly-iii/issues/11964) ("Left to spend" is not taking into account non-main currency withdrawals (when displaying in primary currency)) reported by @absdjfh
+- [Issue 11966](https://github.com/firefly-iii/firefly-iii/issues/11966) (Error when trying to export data in CSV (Export data via front end)) reported by @jgmm81
+
+### Security
+
+- Initial release.
+
+### API
+
+- Initial release.
+
+## v6.5.6 - 2026-03-16
 
 <!-- summary: This release takes note of some security issues, and fixes interesting bugs. -->
 
@@ -16,7 +49,41 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Lots of code cleanup and small quality issues fixed.
 
 ### Fixed
+- [Issue 11803](https://github.com/firefly-iii/firefly-iii/issues/11803) (Monthly Left budget not correct) reported by @fabienfitoussi
+- [Issue 11641](https://github.com/firefly-iii/firefly-iii/issues/11641) (Annual budget “Remaining” resets in subsequent months) reported by @maxwell5555
+- [Discussion 11879](https://github.com/orgs/firefly-iii/discussions/11879) (Searching for accounts should include inactive accounts?) started by @b-ryan
+- [Issue 11916](https://github.com/firefly-iii/firefly-iii/issues/11916) (Balance is not recalculated when multiple transactions are selected and then deleted) reported by @elp3dr0
+- [Discussion 11936](https://github.com/orgs/firefly-iii/discussions/11936) (Links in emails don't link to correct domain) started by @SamLMB
+- [Issue 11944](https://github.com/firefly-iii/firefly-iii/issues/11944) (Stale available_budgets rows prevent disabling a currency after switching default) reported by @k-leveller
+- [Issue 11953](https://github.com/firefly-iii/firefly-iii/issues/11953) ("Actions" buttons no longer appears after selecting multiple transactions) reported by @crtxcr
+- [Issue 11954](https://github.com/firefly-iii/firefly-iii/issues/11954) (Search results are not shown after loading) reported by @fabienfitoussi
 
+### Security
+
+- Credits go to Igor for finding some interesting issues in Firefly III. They have been fixed.
+
+> [!NOTE]
+> As AI-code scanning tools like Claude and Co-Pilot get more advanced, many (new) issues are being reported through (semi-)automated means. I have updated [the security policy](https://github.com/firefly-iii/firefly-iii/security/policy) to reflect my stance on this. The following security related issues no longer need reporting:
+
+- It is possible to point webhooks to private or internal IPs.
+- You can see all transaction link types.
+- `unsafe-inline` is allowed for CSS, which means you can overrule the layout if you manage to get CSS on the page.
+
+## v6.5.5 - 2026-03-15
+
+<!-- summary: This release takes note of some security issues, and fixes interesting bugs. -->
+
+### Added
+
+- Add the ability for Fosstodon posts to read a summary of the changelog.
+
+### Changed
+
+- Lots of code cleanup and small quality issues fixed.
+
+### Fixed
+- [Issue 11803](https://github.com/firefly-iii/firefly-iii/issues/11803) (Monthly Left budget not correct) reported by @fabienfitoussi
+- [Issue 11641](https://github.com/firefly-iii/firefly-iii/issues/11641) (Annual budget “Remaining” resets in subsequent months) reported by @maxwell5555
 - [Discussion 11879](https://github.com/orgs/firefly-iii/discussions/11879) (Searching for accounts should include inactive accounts?) started by @b-ryan
 - [Issue 11916](https://github.com/firefly-iii/firefly-iii/issues/11916) (Balance is not recalculated when multiple transactions are selected and then deleted) reported by @elp3dr0
 - [Discussion 11936](https://github.com/orgs/firefly-iii/discussions/11936) (Links in emails don't link to correct domain) started by @SamLMB
@@ -24,19 +91,14 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Security
 
+- Credits go to Igor for finding some interesting issues in Firefly III. They have been fixed.
+
 > [!NOTE] 
-> A lot of people have access to the new Claude model that has enhanced code scanning capabilities. Many new issues are being reported through (semi-)automated means. I will update the security policy to reflect this. Please stop reporting the following issues:
+> As AI-code scanning tools like Claude and Co-Pilot get more advanced, many (new) issues are being reported through (semi-)automated means. I have updated [the security policy](https://github.com/firefly-iii/firefly-iii/security/policy) to reflect my stance on this. The following security related issues no longer need reporting:
 
-- Yes, it is possible to point webhooks to private or internal IPs.
-- Yes, you can see all transaction link types. If you are an owner, you can also delete them.
-- Yes, `unsafe-inline` is allowed for CSS, which means you can overrule the layout if you manage to get CSS on the page.
-- Yes, you can make the rule engine print internal enums.
-
-These issues are security issues, but Claude is usually incapable of assessing their impact. 
-
-### API
-
-- Initial release.
+- It is possible to point webhooks to private or internal IPs.
+- You can see all transaction link types.
+- `unsafe-inline` is allowed for CSS, which means you can overrule the layout if you manage to get CSS on the page.
 
 ## v6.5.4 - 2026-03-06
 

composer.lock

@@ -8,16 +8,16 @@
     "packages": [
         {
             "name": "bacon/bacon-qr-code",
-            "version": "v3.0.3",
+            "version": "v3.0.4",
             "source": {
                 "type": "git",
                 "url": "https://github.com/Bacon/BaconQrCode.git",
-                "reference": "36a1cb2b81493fa5b82e50bf8068bf84d1542563"
+                "reference": "3feed0e212b8412cc5d2612706744789b0615824"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/Bacon/BaconQrCode/zipball/36a1cb2b81493fa5b82e50bf8068bf84d1542563",
-                "reference": "36a1cb2b81493fa5b82e50bf8068bf84d1542563",
+                "url": "https://api.github.com/repos/Bacon/BaconQrCode/zipball/3feed0e212b8412cc5d2612706744789b0615824",
+                "reference": "3feed0e212b8412cc5d2612706744789b0615824",
                 "shasum": ""
             },
             "require": {
@@ -57,9 +57,9 @@
             "homepage": "https://github.com/Bacon/BaconQrCode",
             "support": {
                 "issues": "https://github.com/Bacon/BaconQrCode/issues",
-                "source": "https://github.com/Bacon/BaconQrCode/tree/v3.0.3"
+                "source": "https://github.com/Bacon/BaconQrCode/tree/v3.0.4"
             },
-            "time": "2025-11-19T17:15:36+00:00"
+            "time": "2026-03-16T01:01:30+00:00"
         },
         {
             "name": "beberlei/assert",
@@ -3242,20 +3242,20 @@
         },
         {
             "name": "league/uri",
-            "version": "7.8.0",
+            "version": "7.8.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/uri.git",
-                "reference": "4436c6ec8d458e4244448b069cc572d088230b76"
+                "reference": "08cf38e3924d4f56238125547b5720496fac8fd4"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/uri/zipball/4436c6ec8d458e4244448b069cc572d088230b76",
-                "reference": "4436c6ec8d458e4244448b069cc572d088230b76",
+                "url": "https://api.github.com/repos/thephpleague/uri/zipball/08cf38e3924d4f56238125547b5720496fac8fd4",
+                "reference": "08cf38e3924d4f56238125547b5720496fac8fd4",
                 "shasum": ""
             },
             "require": {
-                "league/uri-interfaces": "^7.8",
+                "league/uri-interfaces": "^7.8.1",
                 "php": "^8.1",
                 "psr/http-factory": "^1"
             },
@@ -3328,7 +3328,7 @@
                 "docs": "https://uri.thephpleague.com",
                 "forum": "https://thephpleague.slack.com",
                 "issues": "https://github.com/thephpleague/uri-src/issues",
-                "source": "https://github.com/thephpleague/uri/tree/7.8.0"
+                "source": "https://github.com/thephpleague/uri/tree/7.8.1"
             },
             "funding": [
                 {
@@ -3336,20 +3336,20 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-01-14T17:24:56+00:00"
+            "time": "2026-03-15T20:22:25+00:00"
         },
         {
             "name": "league/uri-interfaces",
-            "version": "7.8.0",
+            "version": "7.8.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/uri-interfaces.git",
-                "reference": "c5c5cd056110fc8afaba29fa6b72a43ced42acd4"
+                "reference": "85d5c77c5d6d3af6c54db4a78246364908f3c928"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/uri-interfaces/zipball/c5c5cd056110fc8afaba29fa6b72a43ced42acd4",
-                "reference": "c5c5cd056110fc8afaba29fa6b72a43ced42acd4",
+                "url": "https://api.github.com/repos/thephpleague/uri-interfaces/zipball/85d5c77c5d6d3af6c54db4a78246364908f3c928",
+                "reference": "85d5c77c5d6d3af6c54db4a78246364908f3c928",
                 "shasum": ""
             },
             "require": {
@@ -3412,7 +3412,7 @@
                 "docs": "https://uri.thephpleague.com",
                 "forum": "https://thephpleague.slack.com",
                 "issues": "https://github.com/thephpleague/uri-src/issues",
-                "source": "https://github.com/thephpleague/uri-interfaces/tree/7.8.0"
+                "source": "https://github.com/thephpleague/uri-interfaces/tree/7.8.1"
             },
             "funding": [
                 {
@@ -3420,7 +3420,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-01-15T06:54:53+00:00"
+            "time": "2026-03-08T20:05:35+00:00"
         },
         {
             "name": "mailersend/laravel-driver",
@@ -11430,11 +11430,11 @@
         },
         {
             "name": "phpstan/phpstan",
-            "version": "2.1.40",
+            "version": "2.1.41",
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/9b2c7aeb83a75d8680ea5e7c9b7fca88052b766b",
-                "reference": "9b2c7aeb83a75d8680ea5e7c9b7fca88052b766b",
+                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/a2eae8f20856b3afe74bf1f9726ce8c11438e300",
+                "reference": "a2eae8f20856b3afe74bf1f9726ce8c11438e300",
                 "shasum": ""
             },
             "require": {
@@ -11479,7 +11479,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-02-23T15:04:35+00:00"
+            "time": "2026-03-16T18:24:10+00:00"
         },
         {
             "name": "phpstan/phpstan-deprecation-rules",
@@ -12036,21 +12036,21 @@
         },
         {
             "name": "rector/rector",
-            "version": "2.3.8",
+            "version": "2.3.9",
             "source": {
                 "type": "git",
                 "url": "https://github.com/rectorphp/rector.git",
-                "reference": "bbd37aedd8df749916cffa2a947cfc4714d1ba2c"
+                "reference": "917842143fd9f5331a2adefc214b8d7143bd32c4"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/rectorphp/rector/zipball/bbd37aedd8df749916cffa2a947cfc4714d1ba2c",
-                "reference": "bbd37aedd8df749916cffa2a947cfc4714d1ba2c",
+                "url": "https://api.github.com/repos/rectorphp/rector/zipball/917842143fd9f5331a2adefc214b8d7143bd32c4",
+                "reference": "917842143fd9f5331a2adefc214b8d7143bd32c4",
                 "shasum": ""
             },
             "require": {
                 "php": "^7.4|^8.0",
-                "phpstan/phpstan": "^2.1.38"
+                "phpstan/phpstan": "^2.1.40"
             },
             "conflict": {
                 "rector/rector-doctrine": "*",
@@ -12084,7 +12084,7 @@
             ],
             "support": {
                 "issues": "https://github.com/rectorphp/rector/issues",
-                "source": "https://github.com/rectorphp/rector/tree/2.3.8"
+                "source": "https://github.com/rectorphp/rector/tree/2.3.9"
             },
             "funding": [
                 {
@@ -12092,7 +12092,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-02-22T09:45:50+00:00"
+            "time": "2026-03-16T09:43:55+00:00"
         },
         {
             "name": "sebastian/cli-parser",
@@ -12382,16 +12382,16 @@
         },
         {
             "name": "sebastian/environment",
-            "version": "8.0.3",
+            "version": "8.0.4",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/environment.git",
-                "reference": "24a711b5c916efc6d6e62aa65aa2ec98fef77f68"
+                "reference": "7b8842c2d8e85d0c3a5831236bf5869af6ab2a11"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/environment/zipball/24a711b5c916efc6d6e62aa65aa2ec98fef77f68",
-                "reference": "24a711b5c916efc6d6e62aa65aa2ec98fef77f68",
+                "url": "https://api.github.com/repos/sebastianbergmann/environment/zipball/7b8842c2d8e85d0c3a5831236bf5869af6ab2a11",
+                "reference": "7b8842c2d8e85d0c3a5831236bf5869af6ab2a11",
                 "shasum": ""
             },
             "require": {
@@ -12434,7 +12434,7 @@
             "support": {
                 "issues": "https://github.com/sebastianbergmann/environment/issues",
                 "security": "https://github.com/sebastianbergmann/environment/security/policy",
-                "source": "https://github.com/sebastianbergmann/environment/tree/8.0.3"
+                "source": "https://github.com/sebastianbergmann/environment/tree/8.0.4"
             },
             "funding": [
                 {
@@ -12454,7 +12454,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-08-12T14:11:56+00:00"
+            "time": "2026-03-15T07:05:40+00:00"
         },
         {
             "name": "sebastian/exporter",

config/firefly.php

@@ -78,8 +78,8 @@ return [
         'running_balance_column' => (bool)envDefaultWhenEmpty(env('USE_RUNNING_BALANCE'), true), // this is only the default value, is not used.
         // see cer.php for exchange rates feature flag.
     ],
-    'version'                              => 'develop/2026-03-14',
-    'build_time'                           => 1773474042,
+    'version'                              => 'develop/2026-03-16',
+    'build_time'                           => 1773691523,
     'api_version'                          => '2.1.0', // field is no longer used.
     'db_version'                           => 28, // field is no longer used.
 

package-lock.json

@@ -4135,9 +4135,9 @@
             "license": "MIT"
         },
         "node_modules/baseline-browser-mapping": {
-            "version": "2.10.7",
-            "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.7.tgz",
-            "integrity": "sha512-1ghYO3HnxGec0TCGBXiDLVns4eCSx4zJpxnHrlqFQajmhfKMQBzUGDdkMK7fUW7PTHTeLf+j87aTuKuuwWzMGw==",
+            "version": "2.10.8",
+            "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.8.tgz",
+            "integrity": "sha512-PCLz/LXGBsNTErbtB6i5u4eLpHeMfi93aUv5duMmj6caNu6IphS4q6UevDnL36sZQv9lrP11dbPKGMaXPwMKfQ==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {
@@ -4587,9 +4587,9 @@
             }
         },
         "node_modules/caniuse-lite": {
-            "version": "1.0.30001778",
-            "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001778.tgz",
-            "integrity": "sha512-PN7uxFL+ExFJO61aVmP1aIEG4i9whQd4eoSCebav62UwDyp5OHh06zN4jqKSMePVgxHifCw1QJxdRkA1Pisekg==",
+            "version": "1.0.30001779",
+            "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001779.tgz",
+            "integrity": "sha512-U5og2PN7V4DMgF50YPNtnZJGWVLFjjsN3zb6uMT5VGYIewieDj1upwfuVNXf4Kor+89c3iCRJnSzMD5LmTvsfA==",
             "dev": true,
             "funding": [
                 {
@@ -11004,9 +11004,9 @@
             }
         },
         "node_modules/terser": {
-            "version": "5.46.0",
-            "resolved": "https://registry.npmjs.org/terser/-/terser-5.46.0.tgz",
-            "integrity": "sha512-jTwoImyr/QbOWFFso3YoU3ik0jBBDJ6JTOQiy/J2YxVJdZCc+5u7skhNwiOR3FQIygFqVUPHl7qbbxtjW2K3Qg==",
+            "version": "5.46.1",
+            "resolved": "https://registry.npmjs.org/terser/-/terser-5.46.1.tgz",
+            "integrity": "sha512-vzCjQO/rgUuK9sf8VJZvjqiqiHFaZLnOiimmUuOKODxWL8mm/xua7viT7aqX7dgPY60otQjUotzFMmCB4VdmqQ==",
             "dev": true,
             "license": "BSD-2-Clause",
             "dependencies": {

public/v1/js/ff/accounts/reconcile.js

@@ -53,13 +53,13 @@ $(function () {
         if (reconcileStarted) {
             //console.log('Reconcile has started.');
             // hide original instructions.
-            $('.select_transactions_instruction').hide();
+            $('.select_transactions_instruction').addClass('hidden');
 
             // show date-change warning
-            $('.date_change_warning').show();
+            $('.date_change_warning').removeClass('hidden');
 
             // show update button
-            $('.change_date_button').show();
+            $('.change_date_button').removeClass('hidden');
         }
     });
 

public/v1/js/ff/list/groups.js

@@ -130,7 +130,7 @@ function uncheckAll() {
 
 function updateActionButtons() {
     if (0 !== count) {
-        $('.action-menu').show();
+        $('.action-menu').removeClass('hidden');
 
         // also update labels:
         $('.mass-edit span.txt').text(edit_selected_txt + ' (' + count + ')');
@@ -139,7 +139,7 @@ function updateActionButtons() {
 
     }
     if (0 === count) {
-        $('.action-menu').hide();
+        $('.action-menu').addClass('hidden');
     }
 }
 

public/v1/js/ff/search/index.js

@@ -32,7 +32,7 @@ function startSearch(query) {
 
 function searchFailure() {
     $('.result_row').hide();
-    $('.error_row').show();
+    $('.error_row').removeClass('hidden');
 }
 
 function presentSearchResults(data) {
@@ -42,7 +42,7 @@ function presentSearchResults(data) {
     }
     $('.search_ongoing').hide();
     $('.search_box').find('.overlay').remove();
-    $('.search_results').html(data.html).show();
+    $('.search_results').html(data.html).removeClass('hidden');
 
 
     updateListButtons();

public/v1/js/ff/transactions/list.js

@@ -25,7 +25,7 @@
  */
 $(document).ready(function () {
     "use strict";
-    $('.mass_edit_all').show();
+    $('.mass_edit_all').removeClass('hidden');
     $('.mass_select').click(startMassSelect);
     $('.mass_stop_select').click(stopMassSelect);
 
@@ -143,10 +143,10 @@ function countChecked() {
         // get amount for the transactions:
         //getAmounts();
 
-        $('.mass_button_options').show();
+        $('.mass_button_options').removeClass('hidden');
 
     } else {
-        $('.mass_button_options').hide();
+        $('.mass_button_options').addClass('hidden');
     }
 }
 
@@ -181,25 +181,25 @@ function stopMassSelect() {
 
 
     // hide "select all" box in table header.
-    $('.select_boxes').hide();
+    $('.select_boxes').addClass('hidden');
 
     // show the other header cell.
-    $('.no_select_boxes').show();
+    $('.no_select_boxes').removeClass('hidden');
 
     // show edit/delete buttons
-    $('.edit_buttons').show();
+    $('.edit_buttons').removeClass('hidden');
 
     // hide the checkbox.
-    $('.select_single').hide();
+    $('.select_single').addClass('hidden');
 
     // show the start button
-    $('.mass_select').show();
+    $('.mass_select').removeClass('hidden');
 
     // hide the stop button
-    $('.mass_stop_select').hide();
+    $('.mass_stop_select').addClass('hidden');
 
     // show reconcile account button, if present
-    $('.mass_reconcile').show();
+    $('.mass_reconcile').removeClass('hidden');
 
     return false;
 }
@@ -212,25 +212,25 @@ function startMassSelect() {
     "use strict";
     console.log('Now in startMassSelect()');
     // show "select all" box in table header.
-    $('.select_boxes').show();
+    $('.select_boxes').removeClass('hidden');
 
     // hide the other header cell.
-    $('.no_select_boxes').hide();
+    $('.no_select_boxes').addClass('hidden');
 
     // hide edit/delete buttons
-    $('.edit_buttons').hide();
+    $('.edit_buttons').addClass('hidden');
 
     // show the checkbox.
-    $('.select_single').show();
+    $('.select_single').removeClass('hidden');
 
     // hide the start button
-    $('.mass_select').hide();
+    $('.mass_select').addClass('hidden');
 
     // show the stop button
-    $('.mass_stop_select').show();
+    $('.mass_stop_select').removeClass('hidden');
 
     // hide reconcile account button, if present
-    $('.mass_reconcile').hide();
+    $('.mass_reconcile').addClass('hidden');
 
     return false;
 }

resources/assets/v1/src/components/transactions/CreateTransaction.vue

@@ -653,7 +653,7 @@ export default {
                                     // console.log('Upload complete!');
                                     return true;
                                 }).catch(error => {
-                                console.error('Could not upload');
+                                console.error('[b] Could not upload');
                                 console.error(error);
                                 // console.log('Uploaded attachment #' + key);
                                 uploads++;

resources/assets/v1/src/components/transactions/EditTransaction.vue

@@ -964,7 +964,7 @@ export default {
                                     // console.log('Upload complete!');
                                     return true;
                                 }).catch(error => {
-                                console.error('Could not upload file.');
+                                console.error('[c] Could not upload file.');
                                 console.error(error);
                                 uploads++;
                                 this.error_message = 'Could not upload attachment: ' + error;

resources/assets/v2/src/pages/transactions/shared/process-attachments.js

@@ -37,7 +37,7 @@ let uploadFiles = function (fileData) {
                         document.dispatchEvent(event);
                     }
                 }).catch(error => {
-                    console.error('Could not upload');
+                    console.error('[a] Could not upload');
                     console.error(error);
                     uploads++;
                     // break right away

resources/lang/en_US/firefly.php

@@ -474,6 +474,7 @@ return [
     'search_modifier_not_tag_contains'                    => 'Tag does not contain ":value"',
     'search_modifier_tag_ends'                            => 'Tag ends with ":value"',
     'search_modifier_tag_starts'                          => 'Tag starts with ":value"',
+    'search_modifier_not_tag_starts'                      => 'No tag starts with ":value"',
     'search_modifier_not_tag_is'                          => 'No tag is ":value"',
     'search_modifier_date_on_year'                        => 'Transaction is in year ":value"',
     'search_modifier_not_date_on_year'                    => 'Transaction is not in year ":value"',

resources/views/install/index.blade.php

@@ -83,7 +83,7 @@
                 <p>The upgrade and installation is ongoing. Please track its progress through the box below.</p>
                 <div class="row">
                     <div class="col-lg-12">
-                        <div id="status-box p-3 install-box-border">
+                        <div id="status-box" class="p-3 install-box-border">
                             <span class="fa fa-spin fa-spinner"></span> Waiting to start...
                         </div>
                     </div>