chore: version bump to 2025.10.0 (#904)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/CODEOWNERS

@@ -6,3 +6,9 @@
 
 # Default file owners.
 * @bitwarden/team-admin-console-dev
+
+# Docker-related files
+**/Dockerfile @bitwarden/team-appsec @bitwarden/dept-bre
+**/*.dockerignore @bitwarden/team-appsec @bitwarden/dept-bre
+**/entrypoint.sh @bitwarden/team-appsec @bitwarden/dept-bre
+**/docker-compose.yml @bitwarden/team-appsec @bitwarden/dept-bre

.github/renovate.json

@@ -1,18 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["github>bitwarden/renovate-config"],
-  "enabledManagers": ["github-actions", "npm"],
-  "packageRules": [
-    {
-      "groupName": "gh minor",
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor", "patch"]
-    },
-    {
-      "groupName": "Google Libraries",
-      "matchPackagePatterns": ["google-auth-library", "googleapis"],
-      "matchManagers": ["npm"],
-      "groupSlug": "google-libraries"
-    }
-  ]
-}

.github/renovate.json5

@@ -0,0 +1,24 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: ["github>bitwarden/renovate-config"],
+  enabledManagers: ["github-actions", "npm"],
+  packageRules: [
+    {
+      groupName: "gh minor",
+      matchManagers: ["github-actions"],
+      matchUpdateTypes: ["minor", "patch"],
+    },
+  ],
+  ignoreDeps: [
+    // yao-pkg is used to create a single executable application bundle for the CLI.
+    // It is a third party build of node which carries a high supply chain risk.
+    // This must be manually vetted by our appsec team before upgrading.
+    // It is excluded from renovate to avoid accidentally upgrading to a non-vetted version.
+    "@yao-pkg/pkg",
+    // googleapis uses ESM after 149.0.0 so we are not upgrading it until we have ESM support.
+    // They release new versions every couple of weeks so ignoring it at the dependency dashboard
+    // level is not sufficient.
+    // FIXME: remove and upgrade when we have ESM support.
+    "googleapis",
+  ],
+}

.github/workflows/build.yml

@@ -23,20 +23,22 @@ jobs:
       node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Get Package Version
         id: retrieve-version
         run: |
           PKG_VERSION=$(jq -r .version package.json)
-          echo "package_version=$PKG_VERSION" >> $GITHUB_OUTPUT
+          echo "package_version=$PKG_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Get Node Version
         id: retrieve-node-version
         run: |
           NODE_NVMRC=$(cat .nvmrc)
           NODE_VERSION=${NODE_NVMRC/v/''}
-          echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
+          echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT"
 
   linux-cli:
     name: Build Linux CLI
@@ -49,10 +51,12 @@ jobs:
       contents: read
     steps:
       - name: Checkout repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -61,7 +65,7 @@ jobs:
       - name: Update NPM
         run: |
           npm install -g node-gyp
-          node-gyp install $(node -v)
+          node-gyp install "$(node -v)"
 
       - name: Keytar
         run: |
@@ -72,8 +76,8 @@ jobs:
           keytarUrl="https://github.com/atom/node-keytar/releases/download/v$keytarVersion/$keytarTarGz"
 
           mkdir -p ./keytar/linux
-          wget $keytarUrl -O ./keytar/linux/$keytarTarGz
-          tar -xvf ./keytar/linux/$keytarTarGz -C ./keytar/linux
+          wget "$keytarUrl" -O "./keytar/linux/$keytarTarGz"
+          tar -xvf "./keytar/linux/$keytarTarGz" -C ./keytar/linux
 
       - name: Install
         run: npm install
@@ -82,19 +86,19 @@ jobs:
         run: npm run dist:cli:lin
 
       - name: Zip
-        run: zip -j dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip dist-cli/linux/bwdc keytar/linux/build/Release/keytar.node
+        run: zip -j "dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip" "dist-cli/linux/bwdc" "keytar/linux/build/Release/keytar.node"
 
       - name: Version Test
         run: |
           sudo apt-get update
           sudo apt install libsecret-1-0 dbus-x11 gnome-keyring
-          eval $(dbus-launch --sh-syntax)
+          eval "$(dbus-launch --sh-syntax)"
 
-          eval $(echo -n "" | /usr/bin/gnome-keyring-daemon --login)
-          eval $(/usr/bin/gnome-keyring-daemon --components=secrets --start)
+          eval "$(echo -n "" | /usr/bin/gnome-keyring-daemon --login)"
+          eval "$(/usr/bin/gnome-keyring-daemon --components=secrets --start)"
 
           mkdir -p test/linux
-          unzip ./dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip -d ./test/linux
+          unzip "./dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip" -d ./test/linux
 
           testVersion=$(./test/linux/bwdc -v)
 
@@ -125,10 +129,12 @@ jobs:
       _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -137,7 +143,7 @@ jobs:
       - name: Update NPM
         run: |
           npm install -g node-gyp
-          node-gyp install $(node -v)
+          node-gyp install "$(node -v)"
 
       - name: Keytar
         run: |
@@ -148,8 +154,8 @@ jobs:
           keytarUrl="https://github.com/atom/node-keytar/releases/download/v$keytarVersion/$keytarTarGz"
 
           mkdir -p ./keytar/macos
-          wget $keytarUrl -O ./keytar/macos/$keytarTarGz
-          tar -xvf ./keytar/macos/$keytarTarGz -C ./keytar/macos
+          wget "$keytarUrl" -O "./keytar/macos/$keytarTarGz"
+          tar -xvf "./keytar/macos/$keytarTarGz" -C ./keytar/macos
 
       - name: Install
         run: npm install
@@ -158,12 +164,12 @@ jobs:
         run: npm run dist:cli:mac
 
       - name: Zip
-        run: zip -j dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip dist-cli/macos/bwdc keytar/macos/build/Release/keytar.node
+        run: zip -j "dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip" "dist-cli/macos/bwdc" "keytar/macos/build/Release/keytar.node"
 
       - name: Version Test
         run: |
           mkdir -p test/macos
-          unzip ./dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip -d ./test/macos
+          unzip "./dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip" -d ./test/macos
 
           testVersion=$(./test/macos/bwdc -v)
 
@@ -194,14 +200,16 @@ jobs:
       _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Setup Windows builder
         run: |
           choco install checksum --no-progress
 
       - name: Set up Node
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -241,7 +249,7 @@ jobs:
       - name: Version Test
         shell: pwsh
         run: |
-          Expand-Archive -Path "dist-cli\bwdc-windows-${{ env._PACKAGE_VERSION }}.zip" -DestinationPath "test\windows"
+          Expand-Archive -Path "dist-cli\bwdc-windows-$env:_PACKAGE_VERSION.zip" -DestinationPath "test\windows"
           $testVersion = Invoke-Expression '& .\test\windows\bwdc.exe -v'
           echo "version: ${env:_PACKAGE_VERSION}"
           echo "testVersion: $testVersion"
@@ -267,17 +275,20 @@ jobs:
     env:
       NODE_OPTIONS: --max_old_space_size=4096
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
+      _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
       HUSKY: 0
     steps:
       - name: Checkout repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
-          node-version: '18'
+          node-version: ${{ env._NODE_VERSION }}
 
       - name: Update NPM
         run: |
@@ -364,22 +375,25 @@ jobs:
     env:
       NODE_OPTIONS: --max_old_space_size=4096
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
+      _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
       HUSKY: 0
     steps:
       - name: Checkout repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
-          node-version: '18'
+          node-version: ${{ env._NODE_VERSION }}
 
       - name: Update NPM
         run: |
           npm install -g node-gyp
-          node-gyp install $(node -v)
+          node-gyp install "$(node -v)"
 
       - name: Set up environment
         run: |
@@ -421,22 +435,25 @@ jobs:
     env:
       NODE_OPTIONS: --max_old_space_size=4096
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
+      _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
       HUSKY: 0
     steps:
       - name: Checkout repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
-          node-version: '18'
+          node-version: ${{ env._NODE_VERSION }}
 
       - name: Update NPM
         run: |
           npm install -g node-gyp
-          node-gyp install $(node -v)
+          node-gyp install "$(node -v)"
 
       - name: Print environment
         run: |
@@ -461,16 +478,16 @@ jobs:
 
       - name: Get certificates
         run: |
-          mkdir -p $HOME/certificates
+          mkdir -p "$HOME/certificates"
 
           az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert |
-            jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12
+            jq -r .value | base64 -d > "$HOME/certificates/devid-app-cert.p12"
 
           az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert |
-            jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12
+            jq -r .value | base64 -d > "$HOME/certificates/devid-installer-cert.p12"
 
           az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert |
-            jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12
+            jq -r .value | base64 -d > "$HOME/certificates/macdev-cert.p12"
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
@@ -479,9 +496,9 @@ jobs:
         env:
           KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }}
         run: |
-          security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
           security default-keychain -s build.keychain
-          security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
           security set-keychain-settings -lut 1200 build.keychain
 
           security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \
@@ -493,12 +510,12 @@ jobs:
           security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \
             -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
 
-          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
 
       - name: Load package version
         run: |
           $rootPath = $env:GITHUB_WORKSPACE;
-          $packageVersion = (Get-Content -Raw -Path $rootPath\package.json | ConvertFrom-Json).version;
+          $packageVersion = (Get-Content -Raw -Path "$rootPath\package.json" | ConvertFrom-Json).version;
 
           Write-Output "Setting package version to $packageVersion";
           Write-Output "PACKAGE_VERSION=$packageVersion" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append;
@@ -508,10 +525,12 @@ jobs:
         run: npm install
 
       - name: Set up private auth key
+        env:
+          _APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }}
         run: |
           mkdir ~/private_keys
           cat << EOF > ~/private_keys/AuthKey_UFD296548T.p8
-          ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }}
+          ${_APP_STORE_CONNECT_AUTH_KEY}
           EOF
 
       - name: Build application

.github/workflows/integration-test.yml

@@ -10,12 +10,14 @@ on:
       - "src/services/ldap-directory.service*" # we only have integration for LDAP testing at the moment
       - "./openldap/**/*" # any change to test fixtures
       - "./docker-compose.yml" # any change to Docker configuration
+      - "./package.json" # dependencies
   pull_request:
     paths:
       - ".github/workflows/integration-test.yml" # this file
       - "src/services/ldap-directory.service*" # we only have integration for LDAP testing at the moment
       - "./openldap/**/*" # any change to test fixtures
       - "./docker-compose.yml" # any change to Docker configuration
+      - "./package.json" # dependencies
 permissions:
   contents: read
   checks: write # required by dorny/test-reporter to upload its results
@@ -27,17 +29,19 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Get Node version
         id: retrieve-node-version
         run: |
           NODE_NVMRC=$(cat .nvmrc)
           NODE_VERSION=${NODE_NVMRC/v/''}
-          echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
+          echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Set up Node
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -58,7 +62,7 @@ jobs:
         run: npm run test:integration --coverage
 
       - name: Report test results
-        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
+        uses: dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3 # v2.1.1
         if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
         with:
           name: Test Results

.github/workflows/release.yml

@@ -26,7 +26,9 @@ jobs:
       release_version: ${{ steps.version.outputs.version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Branch check
         if: ${{ inputs.release_type != 'Dry Run' }}

.github/workflows/test.yml

@@ -22,17 +22,19 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Get Node version
         id: retrieve-node-version
         run: |
           NODE_NVMRC=$(cat .nvmrc)
           NODE_VERSION=${NODE_NVMRC/v/''}
-          echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
+          echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Set up Node
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -51,7 +53,7 @@ jobs:
         run: npm run test --coverage
 
       - name: Report test results
-        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
+        uses: dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3 # v2.1.1
         if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
         with:
           name: Test Results

.github/workflows/version-bump.yml

@@ -42,16 +42,17 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
         id: app-token
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
 
       - name: Checkout Branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: true
 
       - name: Setup git
         run: |
@@ -62,7 +63,7 @@ jobs:
         id: current-version
         run: |
           CURRENT_VERSION=$(cat package.json | jq -r '.version')
-          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          echo "version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Verify input version
         if: ${{ inputs.version_number_override != '' }}
@@ -77,8 +78,7 @@ jobs:
           fi
 
           # Check if version is newer.
-          printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V
-          if [ $? -eq 0 ]; then
+          if printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V; then
             echo "Version check successful."
           else
             echo "Version check failed."
@@ -110,26 +110,34 @@ jobs:
 
       - name: Set final version output
         id: set-final-version-output
+        env:
+          _BUMP_VERSION_OVERRIDE_OUTCOME: ${{ steps.bump-version-override.outcome }}
+          _INPUT_VERSION_NUMBER_OVERRIDE: ${{ inputs.version_number_override }}
+          _BUMP_VERSION_AUTOMATIC_OUTCOME: ${{ steps.bump-version-automatic.outcome }}
+          _CALCULATE_NEXT_VERSION: ${{ steps.calculate-next-version.outputs.version }}
+          
         run: |
-          if [[ "${{ steps.bump-version-override.outcome }}" == "success" ]]; then
-            echo "version=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT
-          elif [[ "${{ steps.bump-version-automatic.outcome }}" == "success" ]]; then
-            echo "version=${{ steps.calculate-next-version.outputs.version }}" >> $GITHUB_OUTPUT
+          if [[ "$_BUMP_VERSION_OVERRIDE_OUTCOME" == "success" ]]; then
+            echo "version=$_INPUT_VERSION_NUMBER_OVERRIDE" >> "$GITHUB_OUTPUT"
+          elif [[ "$_BUMP_VERSION_AUTOMATIC_OUTCOME" == "success" ]]; then
+            echo "version=$_CALCULATE_NEXT_VERSION" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Check if version changed
         id: version-changed
         run: |
           if [ -n "$(git status --porcelain)" ]; then
-            echo "changes_to_commit=TRUE" >> $GITHUB_OUTPUT
+            echo "changes_to_commit=TRUE" >> "$GITHUB_OUTPUT"
           else
-            echo "changes_to_commit=FALSE" >> $GITHUB_OUTPUT
+            echo "changes_to_commit=FALSE" >> "$GITHUB_OUTPUT"
             echo "No changes to commit!";
           fi
 
       - name: Commit files
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
-        run: git commit -m "Bumped version to ${{ steps.set-final-version-output.outputs.version }}" -a
+        env:
+          _VERSION: ${{ steps.set-final-version-output.outputs.version }}
+        run: git commit -m "Bumped version to $_VERSION" -a
 
       - name: Push changes
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}

docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   open-ldap:
-    image: bitnami/openldap:latest
+    image: bitnamilegacy/openldap:latest
     hostname: openldap
     environment:
       - LDAP_ADMIN_USERNAME=admin

jslib/angular/src/components/modal/modal-injector.ts

@@ -1,4 +1,4 @@
-import { InjectFlags, InjectOptions, Injector, ProviderToken } from "@angular/core";
+import { InjectOptions, Injector, ProviderToken } from "@angular/core";
 
 export class ModalInjector implements Injector {
   constructor(
@@ -12,8 +12,7 @@ export class ModalInjector implements Injector {
     options: InjectOptions & { optional?: false },
   ): T;
   get<T>(token: ProviderToken<T>, notFoundValue: null, options: InjectOptions): T;
-  get<T>(token: ProviderToken<T>, notFoundValue?: T, options?: InjectOptions | InjectFlags): T;
-  get<T>(token: ProviderToken<T>, notFoundValue?: T, flags?: InjectFlags): T;
+  get<T>(token: ProviderToken<T>, notFoundValue?: T, options?: InjectOptions): T;
   get(token: any, notFoundValue?: any): any;
   get(token: any, notFoundValue?: any, flags?: any): any {
     return this._additionalTokens.get(token) ?? this._parentInjector.get<any>(token, notFoundValue);

jslib/angular/src/components/toastr.component.ts

@@ -60,6 +60,7 @@ import {
     ]),
   ],
   preserveWhitespaces: false,
+  standalone: false,
 })
 export class BitwardenToast extends BaseToast {
   constructor(

jslib/angular/src/directives/a11y-title.directive.ts

@@ -2,6 +2,7 @@ import { Directive, ElementRef, Input, Renderer2 } from "@angular/core";
 
 @Directive({
   selector: "[appA11yTitle]",
+  standalone: false,
 })
 export class A11yTitleDirective {
   @Input() set appA11yTitle(title: string) {

jslib/angular/src/directives/api-action.directive.ts

@@ -13,6 +13,7 @@ import { ValidationService } from "../services/validation.service";
  */
 @Directive({
   selector: "[appApiAction]",
+  standalone: false,
 })
 export class ApiActionDirective implements OnChanges {
   @Input() appApiAction: Promise<any>;

jslib/angular/src/directives/autofocus.directive.ts

@@ -5,6 +5,7 @@ import { Utils } from "@/jslib/common/src/misc/utils";
 
 @Directive({
   selector: "[appAutofocus]",
+  standalone: false,
 })
 export class AutofocusDirective {
   @Input() set appAutofocus(condition: boolean | string) {

jslib/angular/src/directives/blur-click.directive.ts

@@ -2,6 +2,7 @@ import { Directive, ElementRef, HostListener } from "@angular/core";
 
 @Directive({
   selector: "[appBlurClick]",
+  standalone: false,
 })
 export class BlurClickDirective {
   constructor(private el: ElementRef) {}

jslib/angular/src/directives/box-row.directive.ts

@@ -2,6 +2,7 @@ import { Directive, ElementRef, HostListener, OnInit } from "@angular/core";
 
 @Directive({
   selector: "[appBoxRow]",
+  standalone: false,
 })
 export class BoxRowDirective implements OnInit {
   el: HTMLElement = null;

jslib/angular/src/directives/fallback-src.directive.ts

@@ -2,6 +2,7 @@ import { Directive, ElementRef, HostListener, Input } from "@angular/core";
 
 @Directive({
   selector: "[appFallbackSrc]",
+  standalone: false,
 })
 export class FallbackSrcDirective {
   @Input("appFallbackSrc") appFallbackSrc: string;

jslib/angular/src/directives/stop-click.directive.ts

@@ -2,6 +2,7 @@ import { Directive, HostListener } from "@angular/core";
 
 @Directive({
   selector: "[appStopClick]",
+  standalone: false,
 })
 export class StopClickDirective {
   @HostListener("click", ["$event"]) onClick($event: MouseEvent) {

jslib/angular/src/directives/stop-prop.directive.ts

@@ -2,6 +2,7 @@ import { Directive, HostListener } from "@angular/core";
 
 @Directive({
   selector: "[appStopProp]",
+  standalone: false,
 })
 export class StopPropDirective {
   @HostListener("click", ["$event"]) onClick($event: MouseEvent) {

jslib/angular/src/pipes/i18n.pipe.ts

@@ -4,6 +4,7 @@ import { I18nService } from "@/jslib/common/src/abstractions/i18n.service";
 
 @Pipe({
   name: "i18n",
+  standalone: false,
 })
 export class I18nPipe implements PipeTransform {
   constructor(private i18nService: I18nService) {}

jslib/common/src/models/request/identityToken/passwordTokenRequest.ts

@@ -31,7 +31,4 @@ export class PasswordTokenRequest extends TokenRequest implements CaptchaProtect
     return obj;
   }
 
-  alterIdentityTokenHeaders(headers: Headers) {
-    headers.set("Auth-Email", Utils.fromUtf8ToUrlB64(this.email));
-  }
 }

openldap/group-fixtures.ts

@@ -35,6 +35,29 @@ const data: Jsonify<GroupEntry>[] = [
     externalId: "cn=Cleaners,ou=Janitorial,dc=bitwarden,dc=com",
     name: "Cleaners",
   },
+  {
+    userMemberExternalIds: [
+      "cn=Painterson Miki,ou=Product Development,dc=bitwarden,dc=com",
+      "cn=Virgina Pichocki,ou=Product Development,dc=bitwarden,dc=com",
+      "cn=Steffen Carsten,ou=Product Development,dc=bitwarden,dc=com",
+    ],
+    groupMemberReferenceIds: [],
+    users: [],
+    referenceId: "cn=DevOps Team,dc=bitwarden,dc=com",
+    externalId: "cn=DevOps Team,dc=bitwarden,dc=com",
+    name: "DevOps Team",
+  },
+  {
+    userMemberExternalIds: [
+      "cn=Angus Merizzi,ou=Management,dc=bitwarden,dc=com",
+      "cn=Grissel Currer,ou=Management,dc=bitwarden,dc=com",
+    ],
+    groupMemberReferenceIds: [],
+    users: [],
+    referenceId: "cn=Security Team,dc=bitwarden,dc=com",
+    externalId: "cn=Security Team,dc=bitwarden,dc=com",
+    name: "Security Team",
+  },
 ];
 
 export const groupFixtures = data.map((g) => GroupEntry.fromJSON(g));

openldap/ldifs/directory-20.ldif

@@ -688,4 +688,27 @@ mobile: +1 804 319-5569
 pager: +1 804 815-3661
 roomNumber: 9273
 manager: cn=Inga Schnirer,ou=Product Testing,dc=bitwarden, dc=com
-secretary: cn=Keven Gilleland,ou=Administrative,dc=bitwarden, dc=com 
+secretary: cn=Keven Gilleland,ou=Administrative,dc=bitwarden, dc=com
+
+# DevOps Team and Security Team identify their members by the member uid attribute,
+# instead of the member Dn attribute.
+# These test that group membership by uid works correctly.
+
+dn: cn=DevOps Team,dc=bitwarden,dc=com
+changetype: add
+cn: DevOps Team
+gidnumber: 800
+memberuid: mikip
+memberuid: pichockv
+memberuid: carstens
+objectclass: posixGroup
+objectclass: top
+
+dn: cn=Security Team,dc=bitwarden,dc=com
+changetype: add
+cn: Security Team
+gidnumber: 900
+memberuid: merizzia
+memberuid: currerg
+objectclass: posixGroup
+objectclass: top

package.json

@@ -2,7 +2,7 @@
   "name": "@bitwarden/directory-connector",
   "productName": "Bitwarden Directory Connector",
   "description": "Sync your user directory to your Bitwarden organization.",
-  "version": "2025.6.1",
+  "version": "2025.10.0",
   "keywords": [
     "bitwarden",
     "password",
@@ -73,33 +73,33 @@
     "test:types": "npx tsc --noEmit"
   },
   "devDependencies": {
-    "@angular-devkit/build-angular": "17.3.17",
-    "@angular-eslint/eslint-plugin-template": "17.5.3",
-    "@angular-eslint/template-parser": "17.5.3",
-    "@angular/compiler-cli": "17.3.12",
+    "@angular-devkit/build-angular": "20.3.3",
+    "@angular-eslint/eslint-plugin-template": "20.3.0",
+    "@angular-eslint/template-parser": "20.3.0",
+    "@angular/compiler-cli": "20.3.3",
     "@electron/notarize": "2.5.0",
-    "@electron/rebuild": "3.7.2",
+    "@electron/rebuild": "4.0.1",
     "@fluffy-spoon/substitute": "1.208.0",
     "@microsoft/microsoft-graph-types": "2.40.0",
-    "@ngtools/webpack": "17.3.17",
+    "@ngtools/webpack": "20.3.3",
     "@types/inquirer": "8.2.10",
     "@types/jest": "29.5.14",
     "@types/lowdb": "1.0.15",
-    "@types/node": "20.14.8",
+    "@types/node": "22.18.1",
     "@types/node-fetch": "2.6.12",
     "@types/node-forge": "1.3.11",
     "@types/proper-lockfile": "4.1.4",
     "@types/tldjs": "2.3.4",
-    "@typescript-eslint/eslint-plugin": "8.35.0",
-    "@typescript-eslint/parser": "8.35.0",
+    "@typescript-eslint/eslint-plugin": "8.46.0",
+    "@typescript-eslint/parser": "8.46.0",
     "@yao-pkg/pkg": "5.16.1",
     "clean-webpack-plugin": "4.0.0",
-    "concurrently": "9.1.2",
+    "concurrently": "9.2.0",
     "copy-webpack-plugin": "13.0.0",
     "cross-env": "7.0.3",
     "css-loader": "7.1.2",
-    "dotenv": "16.5.0",
-    "electron": "34.5.8",
+    "dotenv": "17.2.0",
+    "electron": "38.1.0",
     "electron-builder": "24.13.3",
     "electron-log": "5.4.1",
     "electron-reload": "2.0.0-alpha.1",
@@ -107,72 +107,73 @@
     "electron-updater": "6.6.2",
     "eslint": "8.57.1",
     "eslint-config-prettier": "10.1.5",
-    "eslint-import-resolver-typescript": "3.7.0",
-    "eslint-plugin-import": "2.31.0",
+    "eslint-import-resolver-typescript": "4.4.4",
+    "eslint-plugin-import": "2.32.0",
     "eslint-plugin-rxjs": "5.0.3",
     "eslint-plugin-rxjs-angular": "2.0.1",
-    "form-data": "4.0.3",
+    "form-data": "4.0.4",
+    "glob": "8.1.0",
     "html-loader": "5.1.0",
     "html-webpack-plugin": "5.6.3",
     "husky": "9.1.7",
     "jest": "29.7.0",
     "jest-junit": "16.0.0",
-    "jest-mock-extended": "4.0.0",
+    "jest-mock-extended": "3.0.7",
     "jest-preset-angular": "14.6.0",
     "lint-staged": "16.1.2",
     "mini-css-extract-plugin": "2.9.2",
-    "node-abi": "3.75.0",
+    "minimatch": "5.1.2",
+    "node-abi": "3.77.0",
     "node-forge": "1.3.1",
     "node-loader": "2.1.0",
-    "prettier": "3.5.3",
+    "prettier": "3.6.2",
     "rimraf": "6.0.1",
     "rxjs": "7.8.2",
-    "sass": "1.89.2",
+    "sass": "1.93.2",
     "sass-loader": "16.0.5",
-    "ts-jest": "29.4.0",
+    "ts-jest": "29.4.1",
     "ts-loader": "9.5.2",
     "tsconfig-paths-webpack-plugin": "4.2.0",
-    "type-fest": "4.41.0",
-    "typescript": "5.4.5",
-    "webpack": "5.99.9",
+    "type-fest": "5.0.1",
+    "typescript": "5.8.3",
+    "webpack": "5.101.0",
     "webpack-cli": "6.0.1",
     "webpack-merge": "6.0.1",
     "webpack-node-externals": "3.0.0",
-    "zone.js": "0.14.10"
+    "zone.js": "0.15.1"
   },
   "dependencies": {
-    "@angular/animations": "17.3.12",
-    "@angular/cdk": "17.3.10",
-    "@angular/common": "17.3.12",
-    "@angular/compiler": "17.3.12",
-    "@angular/core": "17.3.12",
-    "@angular/forms": "17.3.12",
-    "@angular/platform-browser": "17.3.12",
-    "@angular/platform-browser-dynamic": "17.3.12",
-    "@angular/router": "17.3.12",
+    "@angular/animations": "20.3.3",
+    "@angular/cdk": "20.2.7",
+    "@angular/cli": "20.3.3",
+    "@angular/common": "20.3.3",
+    "@angular/compiler": "20.3.3",
+    "@angular/core": "20.3.3",
+    "@angular/forms": "20.3.3",
+    "@angular/platform-browser": "20.3.3",
+    "@angular/platform-browser-dynamic": "20.3.3",
+    "@angular/router": "20.3.3",
     "@microsoft/microsoft-graph-client": "3.0.7",
     "big-integer": "1.6.52",
     "bootstrap": "5.3.7",
     "browser-hrtime": "1.1.8",
     "chalk": "4.1.2",
     "commander": "14.0.0",
-    "core-js": "3.44.0",
-    "form-data": "4.0.3",
-    "google-auth-library": "10.1.0",
-    "googleapis": "150.0.1",
+    "form-data": "4.0.4",
+    "googleapis": "149.0.0",
     "https-proxy-agent": "7.0.6",
     "inquirer": "8.2.6",
     "keytar": "7.9.0",
     "ldapts": "8.0.1",
     "lowdb": "1.0.0",
-    "ngx-toastr": "19.0.0",
+    "ngx-toastr": "19.1.0",
     "node-fetch": "2.7.0",
-    "parse5": "7.3.0",
+    "parse5": "8.0.0",
     "proper-lockfile": "4.1.2",
     "rxjs": "7.8.2",
     "tldjs": "2.3.1",
     "uuid": "11.1.0",
-    "zone.js": "0.14.10"
+    "zone.js": "0.15.1"
   },
   "engines": {
     "node": "~20",

src/app/accounts/apiKey.component.ts

@@ -16,6 +16,7 @@ import { EnvironmentComponent } from "./environment.component";
 @Component({
   selector: "app-apiKey",
   templateUrl: "apiKey.component.html",
+  standalone: false,
 })
 // There is an eslint exception made here due to semantics.
 // The eslint rule expects a typical takeUntil() pattern involving component destruction.

src/app/accounts/environment.component.ts

@@ -8,6 +8,7 @@ import { PlatformUtilsService } from "@/jslib/common/src/abstractions/platformUt
 @Component({
   selector: "app-environment",
   templateUrl: "environment.component.html",
+  standalone: false,
 })
 export class EnvironmentComponent extends BaseEnvironmentComponent {
   constructor(

src/app/app.component.ts

@@ -28,6 +28,7 @@ const BroadcasterSubscriptionId = "AppComponent";
   styles: [],
   template: ` <ng-template #settings></ng-template>
     <router-outlet></router-outlet>`,
+  standalone: false,
 })
 export class AppComponent implements OnInit {
   @ViewChild("settings", { read: ViewContainerRef, static: true }) settingsRef: ViewContainerRef;

src/app/app.module.ts

@@ -1,4 +1,3 @@
-import "core-js/stable";
 import "zone.js";
 
 import { NgModule } from "@angular/core";

src/app/tabs/dashboard.component.ts

@@ -17,6 +17,7 @@ const BroadcasterSubscriptionId = "DashboardComponent";
 @Component({
   selector: "app-dashboard",
   templateUrl: "dashboard.component.html",
+  standalone: false,
 })
 export class DashboardComponent implements OnInit, OnDestroy {
   simGroups: GroupEntry[];
@@ -111,7 +112,7 @@ export class DashboardComponent implements OnInit, OnDestroy {
       this.simEnabledUsers = result.enabledUsers;
       this.simDisabledUsers = result.disabledUsers;
       this.simDeletedUsers = result.deletedUsers;
-    } catch (e) {
+    } catch {
       this.simGroups = null;
       this.simUsers = null;
     }

src/app/tabs/more.component.ts

@@ -12,6 +12,7 @@ const BroadcasterSubscriptionId = "MoreComponent";
 @Component({
   selector: "app-more",
   templateUrl: "more.component.html",
+  standalone: false,
 })
 export class MoreComponent implements OnInit {
   version: string;

src/app/tabs/settings.component.ts

@@ -1,4 +1,5 @@
 import { ChangeDetectorRef, Component, NgZone, OnDestroy, OnInit } from "@angular/core";
+import { webUtils } from "electron";
 
 import { I18nService } from "@/jslib/common/src/abstractions/i18n.service";
 import { LogService } from "@/jslib/common/src/abstractions/log.service";
@@ -16,6 +17,7 @@ import { ConnectorUtils } from "../../utils";
 @Component({
   selector: "app-settings",
   templateUrl: "settings.component.html",
+  standalone: false,
 })
 export class SettingsComponent implements OnInit, OnDestroy {
   directory: DirectoryType;
@@ -121,7 +123,7 @@ export class SettingsComponent implements OnInit, OnDestroy {
       return;
     }
 
-    (this.ldap as any)[id] = filePicker.files[0].path;
+    (this.ldap as any)[id] = webUtils.getPathForFile(filePicker.files[0]);
     // reset file input
     // ref: https://stackoverflow.com/a/20552042
     filePicker.type = "";

src/app/tabs/tabs.component.ts

@@ -3,5 +3,6 @@ import { Component } from "@angular/core";
 @Component({
   selector: "app-tabs",
   templateUrl: "tabs.component.html",
+  standalone: false,
 })
 export class TabsComponent {}

src/scss/bootstrap.scss

@@ -8,8 +8,9 @@ $theme-colors: (
   "secondary": #ced4da,
   "secondary-alt": #1a3b66,
 );
-$font-family-sans-serif: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif,
-  "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
+$font-family-sans-serif:
+  "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif, "Apple Color Emoji",
+  "Segoe UI Emoji", "Segoe UI Symbol";
 
 $h1-font-size: 2rem;
 $h2-font-size: 1.3rem;

src/services/ldap-directory.service.ts

@@ -118,7 +118,7 @@ export class LdapDirectoryService implements IDirectoryService {
         [delControl],
       );
       return regularUsers.concat(deletedUsers);
-    } catch (e) {
+    } catch {
       this.logService.warning("Cannot query deleted users.");
       return regularUsers;
     }
@@ -192,14 +192,21 @@ export class LdapDirectoryService implements IDirectoryService {
       this.syncConfig.userFilter,
     );
     const userPath = this.makeSearchPath(this.syncConfig.userPath);
-    const userIdMap = new Map<string, string>();
+    const userDnMap = new Map<string, string>();
+    const userUidMap = new Map<string, string>();
     await this.search<string>(userPath, userFilter, (se: any) => {
-      userIdMap.set(this.getReferenceId(se), this.getExternalId(se, this.getReferenceId(se)));
+      const dn = this.getReferenceId(se);
+      const uid = this.getAttr<string>(se, "uid");
+      const externalId = this.getExternalId(se, dn);
+      userDnMap.set(dn, externalId);
+      if (uid != null) {
+        userUidMap.set(uid.toLowerCase(), externalId);
+      }
       return se;
     });
 
     for (const se of groupSearchEntries) {
-      const group = this.buildGroup(se, userIdMap);
+      const group = this.buildGroup(se, userDnMap, userUidMap);
       if (group != null) {
         entries.push(group);
       }
@@ -208,7 +215,20 @@ export class LdapDirectoryService implements IDirectoryService {
     return entries;
   }
 
-  private buildGroup(searchEntry: any, userMap: Map<string, string>) {
+  /**
+   * Builds a GroupEntry from LDAP search results, including membership.
+   * Supports user membership by DN or UID and nested group membership by DN.
+   *
+   * @param searchEntry - The LDAP search entry containing group data
+   * @param userDnMap - Map of user DNs to their external IDs
+   * @param userUidMap - Map of user UIDs to their external IDs
+   * @returns A populated GroupEntry object, or null if the group lacks required properties
+   */
+  private buildGroup(
+    searchEntry: any,
+    userDnMap: Map<string, string>,
+    userUidMap: Map<string, string>,
+  ) {
     const group = new GroupEntry();
     group.referenceId = this.getReferenceId(searchEntry);
     if (group.referenceId == null) {
@@ -228,11 +248,34 @@ export class LdapDirectoryService implements IDirectoryService {
 
     const members = this.getAttrVals<string>(searchEntry, this.syncConfig.memberAttribute);
     if (members != null) {
-      for (const memDn of members) {
-        if (userMap.has(memDn) && !group.userMemberExternalIds.has(userMap.get(memDn))) {
-          group.userMemberExternalIds.add(userMap.get(memDn));
-        } else if (!group.groupMemberReferenceIds.has(memDn)) {
-          group.groupMemberReferenceIds.add(memDn);
+      // Parses a group member attribute and identifies it as a member DN, member Uid, or a group Dn
+      const getMemberAttributeType = (member: string): "memberDn" | "memberUid" | "groupDn" => {
+        const isDnLike = member.includes("=") && member.includes(",");
+        if (isDnLike) {
+          return userDnMap.has(member) ? "memberDn" : "groupDn";
+        }
+        return "memberUid";
+      };
+
+      for (const member of members) {
+        switch (getMemberAttributeType(member)) {
+          case "memberDn": {
+            const externalId = userDnMap.get(member);
+            if (externalId != null) {
+              group.userMemberExternalIds.add(externalId);
+            }
+            break;
+          }
+          case "memberUid": {
+            const externalId = userUidMap.get(member.toLowerCase());
+            if (externalId != null) {
+              group.userMemberExternalIds.add(externalId);
+            }
+            break;
+          }
+          case "groupDn":
+            group.groupMemberReferenceIds.add(member);
+            break;
         }
       }
     }

src/services/sync.service.integration.spec.ts

@@ -123,7 +123,10 @@ describe("SyncService", () => {
       expect(apiService.postPublicImportDirectory).toHaveBeenCalledWith(
         expect.objectContaining({ overwriteExisting: false }),
       );
-      expect(apiService.postPublicImportDirectory).toHaveBeenCalledTimes(6);
+
+      // The expected number of calls may change if more data is added to the ldif
+      // Make sure it equals (number of users / 4) + (number of groups / 4)
+      expect(apiService.postPublicImportDirectory).toHaveBeenCalledTimes(7);
 
       // @ts-expect-error Reset batch size to original state.
       constants.batchSize = originalBatchSize;