chore(deps): update dependency vitest to v4 [security] (#7723 )

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
chore(deps): update dependency pytest-asyncio to v1.4.0 (#7694 )
2026-06-02 15:10:29 -04:00 · 2026-06-01 21:38:46 +00:00 · 2026-05-31 16:24:28 +00:00 · 2026-05-31 16:14:16 +00:00 · 2026-05-31 15:59:50 +00:00 · 2026-05-31 15:59:10 +00:00
51 changed files with 1878 additions and 421 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -44,6 +44,7 @@
    8000, // used by mkdocs
    9000,
    9091, // used by docker production
+    51204, // used for test coverage report
    24678 // used by nuxt when hot-reloading using polling
  ],
  // Use 'onCreateCommand' to run commands at the end of container creation.
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -20,6 +20,10 @@ concurrency:
 jobs:
  build:
    runs-on: ubuntu-latest
+    env:
+      # Install from the committed lockfile; never re-resolve (see pyproject
+      # [tool.uv] exclude-newer cooling window).
+      UV_FROZEN: "1"
    steps:
      - uses: actions/checkout@v6

--- a/.github/workflows/locale-sync.yml
+++ b/.github/workflows/locale-sync.yml
@@ -14,6 +14,10 @@ permissions:
 jobs:
  sync-locales:
    runs-on: ubuntu-latest
+    env:
+      # Install from the committed lockfile; never re-resolve (see pyproject
+      # [tool.uv] exclude-newer cooling window).
+      UV_FROZEN: "1"
    steps:
      - name: Generate GitHub App Token
        id: app-token
--- a/.github/workflows/pull-request-lint.yml
+++ b/.github/workflows/pull-request-lint.yml
@@ -3,7 +3,7 @@ name: Pull Request Linter
 on:
  workflow_call:
  pull_request:
-    types: [edited] # This captures the PR title changing
+    types: [edited, reopened] # This captures the PR title/body changing
    branches:
      - mealie-next

@@ -41,3 +41,50 @@ jobs:
          ignoreLabels: |
            bot
            ignore-semantic-pull-request
+
+  validate-template:
+    name: Validate PR template
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Check required PR template sections
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+
+            if (pr.user.type === "Bot") {
+              console.log("Skipping template check for bot");
+              return;
+            }
+
+            const response = await github.rest.repos.getContent({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              path: ".github/pull_request_template.md",
+            });
+
+            const template = Buffer.from(response.data.content, "base64").toString("utf8");
+            const lines = template.split("\n");
+
+            const requiredHeadings = [];
+            let lastHeading = null;
+
+            for (const line of lines) {
+              if (line.startsWith("## ")) {
+                lastHeading = line.trim();
+              } else if (line.trim() === "_(REQUIRED)_" && lastHeading) {
+                requiredHeadings.push(lastHeading);
+                lastHeading = null;
+              }
+            }
+
+            const body = pr.body || "";
+            const missing = requiredHeadings.filter(h => !body.includes(h));
+
+            if (missing.length > 0) {
+              core.setFailed(`Missing headings:\n${missing.join("\n")}`);
+            } else {
+              console.log("All required headings present");
+            }
--- a/.github/workflows/pull-requests.yml
+++ b/.github/workflows/pull-requests.yml
@@ -18,6 +18,8 @@ jobs:
    name: "Lint PR"
    if: github.event_name == 'pull_request'
    uses: ./.github/workflows/pull-request-lint.yml
+    permissions:
+      pull-requests: write

  backend-tests:
    name: "Backend Server Tests"
--- a/.github/workflows/test-backend.yml
+++ b/.github/workflows/test-backend.yml
@@ -13,6 +13,10 @@ jobs:

    env:
      PRODUCTION: false
+      # Install from the committed lockfile; never re-resolve. The rolling
+      # `exclude-newer` cooling window (pyproject [tool.uv]) would otherwise make
+      # every uv command re-resolve and fail on in-window pins.
+      UV_FROZEN: "1"

    strategy:
      fail-fast: true
--- a/.vscode/test-block.code-snippets
+++ b/.vscode/test-block.code-snippets
@@ -0,0 +1,30 @@
+{
+  "Test Block": {
+    "prefix": "mtest",
+    "body": [
+      "import { mount } from \"@vue/test-utils\";",
+      "import { describe, expect, test, vi } from \"vitest\";",
+      "import { makeWrapper } from \"~/tests/utils\";",
+      "",
+      "const wrapper = () => makeWrapper(() => {",
+      "  return ${1:composable}();",
+      "});",
+      "",
+      "describe(\"${TM_FILENAME_BASE/(.*)\\..+$/$1/}\", () => {",
+      "  describe(\"${2:method}\", () => {",
+      "    test(\"It does the thing\", () => {",
+      "      const { ${2:method} } = wrapper();",
+      "      const result = ${2:method}();",
+      "      expect(result).toBe(EXPECTED);",
+      "    });",
+      "  });",
+      "});",
+      "",
+    ],
+    "description": "Insert a test block",
+    "scope": "typescript",
+    "include": [
+      "**/*.test.{ts,tsx,vue}"
+    ]
+  }
+}
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -7,6 +7,10 @@ env:
  DEFAULT_GROUP: Home
  DEFAULT_HOUSEHOLD: Family
  PRODUCTION: false
+  # Install from the committed lockfile; never re-resolve. Required because the
+  # rolling `exclude-newer` cooling window (pyproject [tool.uv]) would otherwise
+  # make every `uv run`/`uv sync` re-resolve and fail on in-window pins.
+  UV_FROZEN: "1"
  API_PORT: 9000
  API_DOCS: True
  TOKEN_TIME: 256 # hours
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -52,6 +52,11 @@ RUN apt-get update \

 RUN pip install uv

+# Install from the committed lockfile; never re-resolve. The rolling
+# `exclude-newer` cooling window (pyproject [tool.uv]) would otherwise make
+# `uv export` below re-resolve and fail on in-window pins.
+ENV UV_FROZEN=1
+
 WORKDIR /mealie

 # copy project files here to ensure they will be cached.
--- a/docs/docs/documentation/getting-started/installation/backend-config.md
+++ b/docs/docs/documentation/getting-started/installation/backend-config.md
@@ -29,6 +29,7 @@
 | --------------------------- | :-----: | ----------------------------------------------------------------------------------- |
 | SECURITY_MAX_LOGIN_ATTEMPTS |    5    | Maximum times a user can provide an invalid password before their account is locked |
 | SECURITY_USER_LOCKOUT_TIME  |   24    | Time in hours for how long a users account is locked                                |
+| ALLOWED_IFRAME_HOSTS        |  `""`   | Comma-separated extra hostnames allowed as `<iframe>` sources in recipe content. Extends the built-in list of trusted video providers (YouTube, Vimeo). Subdomains are included automatically. Only `https` sources are permitted. Adding hosts here opts into rendering embeds from those origins to all viewers, including the public, so add only origins you trust. |

 ### Database

--- a/docs/docs/documentation/getting-started/installation/installation-checklist.md
+++ b/docs/docs/documentation/getting-started/installation/installation-checklist.md
@@ -31,7 +31,7 @@ To deploy mealie on your local network, it is highly recommended to use Docker t
 We've gone through a few versions of Mealie v1 deployment targets. We have settled on a single container deployment, and we've begun publishing the nightly container on github containers. If you're looking to move from the old nightly (split containers _or_ the omni image) to the new nightly, there are a few things you need to do:

 1. Take a backup just in case!
-2. Replace the image for the API container with `ghcr.io/mealie-recipes/mealie:v3.19.1`
+2. Replace the image for the API container with `ghcr.io/mealie-recipes/mealie:v3.19.2`
 3. Take the external port from the frontend container and set that as the port mapped to port `9000` on the new container. The frontend is now served on port 9000 from the new container, so it will need to be mapped for you to have access.
 4. Restart the container

--- a/docs/docs/documentation/getting-started/installation/postgres.md
+++ b/docs/docs/documentation/getting-started/installation/postgres.md
@@ -10,7 +10,7 @@ PostgreSQL might be considered if you need to support many concurrent users. In
 ```yaml
 services:
  mealie:
-    image: ghcr.io/mealie-recipes/mealie:v3.19.1 # (3)
+    image: ghcr.io/mealie-recipes/mealie:v3.19.2 # (3)
    container_name: mealie
    restart: always
    ports:
--- a/docs/docs/documentation/getting-started/installation/sqlite.md
+++ b/docs/docs/documentation/getting-started/installation/sqlite.md
@@ -11,7 +11,7 @@ SQLite is a popular, open source, self-contained, zero-configuration database th
 ```yaml
 services:
  mealie:
-    image: ghcr.io/mealie-recipes/mealie:v3.19.1 # (3)
+    image: ghcr.io/mealie-recipes/mealie:v3.19.2 # (3)
    container_name: mealie
    restart: always
    ports:
--- a/frontend/app/components/Domain/Announcement/Announcements/2026-05-31_1_iframe-embeds.vue
+++ b/frontend/app/components/Domain/Announcement/Announcements/2026-05-31_1_iframe-embeds.vue
@@ -0,0 +1,54 @@
+<template>
+  <div>
+    <p>
+      To harden Mealie against malicious content, <code>&lt;iframe&gt;</code> embeds in recipe
+      instructions, notes, and descriptions are now restricted to a trusted set of hosts.
+    </p>
+    <div class="mb-2">
+      By default, embeds are allowed only from well-known video providers:
+      <ul class="ml-6">
+        <li>YouTube</li>
+        <li>Vimeo</li>
+      </ul>
+    </div>
+    <p>
+      Existing recipes that embed content from <strong>other</strong> hosts will no longer render
+      those embeds. The rest of the recipe is unaffected.
+    </p>
+    <div v-if="user?.admin">
+      <hr class="mt-2 mb-4">
+      <p>
+        As an admin, you can allow additional hosts with the <code>ALLOWED_IFRAME_HOSTS</code>
+        environment variable (comma-separated). It extends the built-in defaults, and only
+        <code>https</code> sources are permitted. See the configuration docs for details:
+        <br>
+        <v-btn
+          class="mt-2"
+          color="primary"
+          href="https://docs.mealie.io/documentation/getting-started/installation/backend-config/"
+          target="_blank"
+        >
+          Backend Configuration
+        </v-btn>
+      </p>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import type { AnnouncementMeta } from "~/composables/use-announcements";
+
+const { user } = useMealieAuth();
+</script>
+
+<script lang="ts">
+export const meta: AnnouncementMeta = {
+  title: "Recipe embeds restricted to trusted hosts",
+};
+</script>
+
+<style scoped lang="css">
+p {
+  padding-bottom: 8px;
+}
+</style>
--- a/frontend/app/components/Domain/Group/GroupDataPage.vue
+++ b/frontend/app/components/Domain/Group/GroupDataPage.vue
@@ -59,9 +59,10 @@
  >
    <v-card-text>
      {{ $t("general.confirm-delete-generic") }}
-      <p v-if="deleteTarget" class="mt-4 ml-4">
+      <p v-if="deleteTarget" class="mt-4 mb-0 font-weight-bold">
        {{ deleteTarget.name || deleteTarget.title || deleteTarget.id }}
      </p>
+      <slot name="delete-dialog-bottom" />
    </v-card-text>
  </BaseDialog>

@@ -88,6 +89,7 @@
          </template>
        </v-virtual-scroll>
      </v-card>
+      <slot name="delete-dialog-bottom" />
    </v-card-text>
  </BaseDialog>

@@ -151,7 +153,7 @@ const createDialog = defineModel("createDialog", { type: Boolean, default: false
 const editForm = defineModel<{ items: AutoFormItems; data: Record<string, any> }>("editForm", { required: true });
 const editDialog = defineModel("editDialog", { type: Boolean, default: false });

-defineProps({
+const props = defineProps({
  icon: {
    type: String,
    required: true,
@@ -185,6 +187,10 @@ defineProps({
    type: String,
    default: "name",
  },
+  onDeleteDialogOpen: {
+    type: Function as PropType<(items: any[]) => Promise<void>>,
+    default: null,
+  },
 });

 // ============================================================
@@ -212,8 +218,11 @@ const editEventHandler = (item: any) => {
 const deleteTarget = ref<any>(null);
 const deleteDialog = ref(false);

-function deleteEventHandler(item: any) {
+async function deleteEventHandler(item: any) {
  deleteTarget.value = item;
+  if (props.onDeleteDialogOpen) {
+    await props.onDeleteDialogOpen([item]);
+  }
  deleteDialog.value = true;
 }

@@ -222,8 +231,11 @@ function deleteEventHandler(item: any) {
 const bulkDeleteTarget = ref<Array<any>>([]);
 const bulkDeleteDialog = ref(false);

-function bulkDeleteEventHandler(items: Array<any>) {
+async function bulkDeleteEventHandler(items: Array<any>) {
  bulkDeleteTarget.value = items;
+  if (props.onDeleteDialogOpen) {
+    await props.onDeleteDialogOpen(items);
+  }
  bulkDeleteDialog.value = true;
  console.log("Bulk Delete Event Handler", items);
 }
--- a/frontend/app/components/Domain/Recipe/RecipeChips.vue
+++ b/frontend/app/components/Domain/Recipe/RecipeChips.vue
@@ -25,6 +25,7 @@

 <script setup lang="ts">
 import type { RecipeCategory, RecipeTag, RecipeTool } from "~/lib/api/types/recipe";
+import { truncateText as truncatePlainText } from "~/lib/sanitize/text";

 export type UrlPrefixParam = "tags" | "categories" | "tools";

@@ -50,10 +51,7 @@ const props = withDefaults(defineProps<Props>(), {
 defineEmits(["item-selected"]);
 function truncateText(text: string, length = 20, clamp = "...") {
  if (!props.truncate) return text;
-  const node = document.createElement("div");
-  node.innerHTML = text;
-  const content = node.textContent || "";
-  return content.length > length ? content.slice(0, length) + clamp : content;
+  return truncatePlainText(text, length, clamp);
 }
 </script>

--- a/frontend/app/components/global/SafeMarkdown.vue
+++ b/frontend/app/components/global/SafeMarkdown.vue
@@ -4,12 +4,8 @@
 </template>

 <script setup lang="ts">
-import DOMPurify from "isomorphic-dompurify";
 import { marked } from "marked";
-
-enum DOMPurifyHook {
-  UponSanitizeAttribute = "uponSanitizeAttribute",
-}
+import { sanitizeMarkdownHtml } from "~/lib/sanitize/markdown";

 const props = defineProps({
  source: {
@@ -18,48 +14,11 @@ const props = defineProps({
  },
 });

-const ALLOWED_STYLE_TAGS = [
-  "background-color", "color", "font-style", "font-weight", "text-decoration", "text-align",
-];
-
-function sanitizeMarkdown(rawHtml: string | null | undefined): string {
-  if (!rawHtml) {
-    return "";
-  }
-
-  DOMPurify.addHook(DOMPurifyHook.UponSanitizeAttribute, (node, data) => {
-    if (data.attrName === "style") {
-      const styles = data.attrValue.split(";").filter((style) => {
-        const [property] = style.split(":");
-        return ALLOWED_STYLE_TAGS.includes(property.trim().toLowerCase());
-      });
-      data.attrValue = styles.join(";");
-    }
-  });
-
-  const sanitized = DOMPurify.sanitize(rawHtml, {
-    ALLOWED_TAGS: [
-      "strong", "em", "b", "i", "u", "p", "code", "pre", "samp", "kbd", "var", "sub", "sup", "dfn", "cite",
-      "small", "address", "hr", "br", "id", "div", "span", "h1", "h2", "h3", "h4", "h5", "h6",
-      "ul", "ol", "li", "dl", "dt", "dd", "abbr", "a", "img", "blockquote", "iframe",
-      "del", "ins", "table", "thead", "tbody", "tfoot", "tr", "th", "td", "colgroup",
-    ],
-    ALLOWED_ATTR: [
-      "href", "src", "alt", "height", "width", "class", "allow", "title", "allowfullscreen", "frameborder",
-      "scrolling", "cite", "datetime", "name", "abbr", "target", "border", "start", "style",
-    ],
-  });
-
-  Object.values(DOMPurifyHook).forEach((hook) => {
-    DOMPurify.removeHook(hook);
-  });
-
-  return sanitized;
-}
+const { $appInfo } = useNuxtApp();

 const value = computed(() => {
  const rawHtml = marked.parse(props.source || "", { async: false, breaks: true });
-  return sanitizeMarkdown(rawHtml);
+  return sanitizeMarkdownHtml(rawHtml, $appInfo?.allowedIframeHosts ?? []);
 });
 </script>

--- a/frontend/app/composables/shopping-list-page/sub-composables/tests/mocks.ts
+++ b/frontend/app/composables/shopping-list-page/sub-composables/tests/mocks.ts
@@ -0,0 +1,83 @@
+import type { IngredientFood, RecipeSummary, ShoppingListItemOut, ShoppingListMultiPurposeLabelOut, ShoppingListOut } from "~/lib/api/types/household";
+
+export const MOCK_ITEM: ShoppingListItemOut = {
+  shoppingListId: "",
+  id: "",
+  groupId: "",
+  householdId: "",
+  display: "MOCK_ITEM",
+  updatedAt: "100",
+  position: 1,
+  checked: false,
+  createdAt: "100",
+};
+
+export const MOCK_RECIPE: RecipeSummary = {
+  id: "recipe-id",
+  name: "Recipe!",
+};
+
+export const MOCK_RECIPE2: RecipeSummary = {
+  ...MOCK_RECIPE,
+  id: undefined,
+  name: "Recipe 2!",
+};
+
+export const MOCK_FOOD: IngredientFood = {
+  id: "1",
+  name: "food 1",
+};
+
+export const MOCK_FOOD2: IngredientFood = {
+  id: "2",
+  name: "food 2",
+};
+
+export const MOCK_LABEL: ShoppingListMultiPurposeLabelOut = {
+  shoppingListId: "",
+  labelId: "",
+  id: "",
+  label: {
+    name: "MOCK_LABEL",
+    groupId: "",
+    id: "",
+  },
+};
+
+export const MOCK_LABEL2: ShoppingListMultiPurposeLabelOut = {
+  shoppingListId: "",
+  labelId: "",
+  id: "",
+  label: {
+    name: "MOCK_LABEL2",
+    groupId: "",
+    id: "",
+  },
+};
+
+export const MOCK_SHOPPING_LIST: ShoppingListOut = {
+  groupId: "",
+  userId: "",
+  id: "",
+  householdId: "",
+  labelSettings: [
+    MOCK_LABEL,
+    MOCK_LABEL2,
+  ],
+  listItems: [
+    MOCK_ITEM,
+  ],
+  recipeReferences: [{
+    id: "",
+    shoppingListId: "",
+    recipeId: "",
+    recipeQuantity: 0,
+    recipe: MOCK_RECIPE,
+  }, {
+    id: "",
+    shoppingListId: "",
+    recipeId: "",
+    recipeQuantity: 0,
+    recipe: MOCK_RECIPE2,
+  }],
+};
--- a/frontend/app/composables/shopping-list-page/sub-composables/tests/use-shopping-list-copy.test.ts
+++ b/frontend/app/composables/shopping-list-page/sub-composables/tests/use-shopping-list-copy.test.ts
@@ -0,0 +1,89 @@
+import * as vueusecore from "@vueuse/core";
+import { describe, expect, test, vi } from "vitest";
+import type { ShoppingListItemOut } from "~/lib/api/types/household";
+import { makeWrapper } from "~/tests/utils";
+import { useShoppingListCopy } from "../use-shopping-list-copy";
+import { MOCK_ITEM } from "./mocks";
+
+vi.mock("@vueuse/core", { spy: true });
+
+const mockCopy = vi.fn().mockImplementation(args => new Promise(resolve => resolve(args)));
+
+vi.mocked(vueusecore.useClipboard).mockImplementation(() => {
+  return {
+    isSupported: computed(() => true),
+    copied: computed(() => true),
+    text: computed(() => ""),
+    copy: mockCopy,
+  };
+});
+const wrapper = () => makeWrapper(useShoppingListCopy);
+
+const TEST_HEADER = "SPECIAL HEADER!";
+
+const MOCK_LIST: { [key: string]: ShoppingListItemOut[] } = {
+  [TEST_HEADER]: [MOCK_ITEM],
+  [TEST_HEADER + "2"]: [MOCK_ITEM],
+};
+
+describe("Shopping list copy composable", () => {
+  describe("copyListItems", () => {
+    test("copies markdown lists correctly", () => {
+      const { copyListItems } = wrapper();
+      copyListItems(MOCK_LIST, "markdown");
+      const expected = [
+        "# SPECIAL HEADER!",
+        "- [ ] MOCK_ITEM",
+        "",
+        "# SPECIAL HEADER!2",
+        "- [ ] MOCK_ITEM",
+      ].join("\n");
+
+      expect(mockCopy).toBeCalledWith(expected);
+    });
+    test("copies plain text lists correctly", () => {
+      const { copyListItems } = wrapper();
+      copyListItems(MOCK_LIST, "plain");
+      const expected = [
+        "[SPECIAL HEADER!]",
+        "MOCK_ITEM",
+        "",
+        "[SPECIAL HEADER!2]",
+        "MOCK_ITEM",
+      ].join("\n");
+
+      expect(mockCopy).toBeCalledWith(expected);
+    });
+  });
+
+  describe("formatCopiedLabelHeading", () => {
+    test("copies markdown headers correctly", () => {
+      const { formatCopiedLabelHeading } = wrapper();
+      const header = formatCopiedLabelHeading("markdown", TEST_HEADER);
+      expect(header).toEqual(`# ${TEST_HEADER}`);
+    });
+    test("copies plain text headers correctly", () => {
+      const { formatCopiedLabelHeading } = wrapper();
+      const header = formatCopiedLabelHeading("plain", TEST_HEADER);
+      expect(header).toEqual(`[${TEST_HEADER}]`);
+    });
+  });
+
+  describe("formatCopiedListItem", () => {
+    test("copies markdown items correctly", () => {
+      const { formatCopiedListItem } = wrapper();
+      const header = formatCopiedListItem("markdown", MOCK_ITEM);
+      expect(header).toEqual(`- [ ] ${MOCK_ITEM.display}`);
+    });
+    test("copies plain text items correctly", () => {
+      const { formatCopiedListItem } = wrapper();
+      const header = formatCopiedListItem("plain", MOCK_ITEM);
+      expect(header).toEqual(MOCK_ITEM.display);
+    });
+    test("copies items without a display as empty", () => {
+      const { formatCopiedListItem } = wrapper();
+      const header = formatCopiedListItem("plain", { ...MOCK_ITEM, display: undefined });
+      expect(header).toEqual("");
+    });
+  });
+});
--- a/frontend/app/composables/shopping-list-page/sub-composables/tests/use-shopping-list-sorting.test.ts
+++ b/frontend/app/composables/shopping-list-page/sub-composables/tests/use-shopping-list-sorting.test.ts
@@ -0,0 +1,175 @@
+import { describe, expect, test } from "vitest";
+import type { ShoppingListOut } from "~/lib/api/types/household";
+import { makeWrapper } from "~/tests/utils";
+import { useShoppingListSorting } from "../use-shopping-list-sorting";
+import { MOCK_FOOD, MOCK_FOOD2, MOCK_ITEM, MOCK_LABEL, MOCK_LABEL2, MOCK_SHOPPING_LIST } from "./mocks";
+
+const wrapper = () => makeWrapper(() => {
+  const { t } = useI18n();
+  return {
+    t,
+    ...useShoppingListSorting(),
+  };
+});
+
+describe("use-shopping-list-sorting", () => {
+  describe("sortItems", () => {
+    const { sortItems } = wrapper();
+    test("sorts by position first", () => {
+      const result = sortItems(MOCK_ITEM, { ...MOCK_ITEM, position: 0 });
+      const result2 = sortItems({ ...MOCK_ITEM, position: 0 }, MOCK_ITEM);
+      expect(result).toBe(1);
+      expect(result2).toBe(-1);
+    });
+    test("sorts by createdAt next", () => {
+      const result = sortItems(MOCK_ITEM, { ...MOCK_ITEM, createdAt: "0" });
+      const result2 = sortItems({ ...MOCK_ITEM, createdAt: "0" }, MOCK_ITEM);
+      expect(result).toBe(1);
+      expect(result2).toBe(-1);
+    });
+    test("sorts similar items into the same spot", () => {
+      const result = sortItems(MOCK_ITEM, MOCK_ITEM);
+      expect(result).toBe(0);
+    });
+    test("handles nulls", () => {
+      const result = sortItems(MOCK_ITEM, { ...MOCK_ITEM, position: undefined });
+      const result2 = sortItems({ ...MOCK_ITEM, position: undefined }, MOCK_ITEM);
+      expect(result).toBe(1);
+      expect(result2).toBe(-1);
+    });
+    test("handles nulls", () => {
+      const result = sortItems(MOCK_ITEM, { ...MOCK_ITEM, createdAt: undefined });
+      const result2 = sortItems({ ...MOCK_ITEM, createdAt: undefined }, MOCK_ITEM);
+      expect(result).toBe(1);
+      expect(result2).toBe(-1);
+    });
+  });
+  describe("sortListItems", () => {
+    const { sortListItems } = wrapper();
+    test("sorts by position first", () => {
+      const sortedList = { ...MOCK_SHOPPING_LIST, listItems: [MOCK_ITEM, { ...MOCK_ITEM, position: 0 }, { ...MOCK_ITEM, createdAt: "0" }] };
+      sortListItems(sortedList);
+      expect(sortedList.listItems).toEqual([
+        { ...MOCK_ITEM, position: 0 },
+        { ...MOCK_ITEM, createdAt: "0" },
+        MOCK_ITEM,
+      ]);
+    });
+    test("handles nulls", () => {
+      const sortedList = { ...MOCK_SHOPPING_LIST, listItems: undefined };
+      sortListItems(sortedList);
+      expect(sortedList.listItems).toEqual(undefined);
+    });
+  });
+  describe("updateItemsByLabel", () => {
+    const { updateItemsByLabel, t } = wrapper();
+    test("sorts by group", () => {
+      const sortedList = {
+        ...MOCK_SHOPPING_LIST, listItems: [
+          MOCK_ITEM,
+          { ...MOCK_ITEM, label: MOCK_LABEL2.label, labelId: "2" },
+          { ...MOCK_ITEM, label: MOCK_LABEL.label, labelId: "1" },
+          { ...MOCK_ITEM, label: MOCK_LABEL.label, labelId: "1" },
+        ],
+      };
+      const result = updateItemsByLabel(sortedList);
+      expect(result).toEqual({
+        [t("shopping-list.no-label")]: [
+          MOCK_ITEM,
+        ],
+        [MOCK_LABEL.label.name]: [
+          { ...MOCK_ITEM, label: MOCK_LABEL.label, labelId: "1" },
+          { ...MOCK_ITEM, label: MOCK_LABEL.label, labelId: "1" },
+        ],
+        [MOCK_LABEL2.label.name]: [
+          { ...MOCK_ITEM, label: MOCK_LABEL2.label, labelId: "2" },
+        ],
+      });
+    });
+    test("ignores checked items", () => {
+      const sortedList = {
+        ...MOCK_SHOPPING_LIST, listItems: [
+          MOCK_ITEM,
+          { ...MOCK_ITEM, label: MOCK_LABEL2.label, labelId: "2" },
+          { ...MOCK_ITEM, label: MOCK_LABEL.label, labelId: "1" },
+          { ...MOCK_ITEM, label: MOCK_LABEL.label, labelId: "1", checked: true },
+        ],
+      };
+      const result = updateItemsByLabel(sortedList);
+      expect(result).toEqual({
+        [t("shopping-list.no-label")]: [
+          MOCK_ITEM,
+        ],
+        [MOCK_LABEL.label.name]: [
+          { ...MOCK_ITEM, label: MOCK_LABEL.label, labelId: "1" },
+        ],
+        [MOCK_LABEL2.label.name]: [
+          { ...MOCK_ITEM, label: MOCK_LABEL2.label, labelId: "2" },
+        ],
+      });
+    });
+    test("returns unordered labels if no ordering is specified", () => {
+      const sortedList = {
+        ...MOCK_SHOPPING_LIST,
+        labelSettings: undefined,
+        listItems: [
+          MOCK_ITEM,
+          { ...MOCK_ITEM, label: MOCK_LABEL2.label, labelId: "2" },
+          { ...MOCK_ITEM, label: MOCK_LABEL.label, labelId: "1" },
+          { ...MOCK_ITEM, label: MOCK_LABEL.label, labelId: "1", checked: true },
+        ],
+      };
+      const result = updateItemsByLabel(sortedList);
+      expect(result).toEqual({
+        [t("shopping-list.no-label")]: [
+          MOCK_ITEM,
+        ],
+        [MOCK_LABEL2.label.name]: [
+          { ...MOCK_ITEM, label: MOCK_LABEL2.label, labelId: "2" },
+        ],
+        [MOCK_LABEL.label.name]: [
+          { ...MOCK_ITEM, label: MOCK_LABEL.label, labelId: "1" },
+        ],
+      });
+    });
+  });
+  describe("groupAndSortListItemsByFood", () => {
+    const { groupAndSortListItemsByFood } = wrapper();
+    test("sorts by group", () => {
+      const sortedList = { ...MOCK_SHOPPING_LIST };
+      groupAndSortListItemsByFood(sortedList);
+      expect(sortedList.listItems).toEqual(MOCK_SHOPPING_LIST.listItems);
+    });
+    test("groups checked items together", () => {
+      const sortedList: ShoppingListOut = {
+        ...MOCK_SHOPPING_LIST, listItems: [
+          { ...MOCK_ITEM, checked: true, food: MOCK_FOOD },
+          { ...MOCK_ITEM, checked: true, food: MOCK_FOOD2 },
+        ],
+      };
+      groupAndSortListItemsByFood(sortedList);
+      expect(sortedList.listItems).toEqual([
+        { ...MOCK_ITEM, checked: true, food: MOCK_FOOD },
+        { ...MOCK_ITEM, checked: true, food: MOCK_FOOD2, position: 1 },
+      ]);
+    });
+    test("populates position and created at if not present", () => {
+      const sortedList: ShoppingListOut = {
+        ...MOCK_SHOPPING_LIST, listItems: [
+          { ...MOCK_ITEM, food: MOCK_FOOD, position: undefined },
+          { ...MOCK_ITEM, food: MOCK_FOOD2, createdAt: undefined },
+        ],
+      };
+      groupAndSortListItemsByFood(sortedList);
+      expect(sortedList.listItems).toEqual([
+        { ...MOCK_ITEM, food: MOCK_FOOD2, createdAt: undefined },
+        { ...MOCK_ITEM, food: MOCK_FOOD, position: 1 },
+      ]);
+    });
+    test("handles nulls", () => {
+      const sortedList: ShoppingListOut = { ...MOCK_SHOPPING_LIST, listItems: undefined };
+      groupAndSortListItemsByFood(sortedList);
+      expect(sortedList.listItems).toEqual(undefined);
+    });
+  });
+});
--- a/frontend/app/composables/shopping-list-page/sub-composables/tests/use-shopping-list-state.test.ts
+++ b/frontend/app/composables/shopping-list-page/sub-composables/tests/use-shopping-list-state.test.ts
@@ -0,0 +1,63 @@
+import { describe, expect, test } from "vitest";
+import type { ShoppingListOut } from "~/lib/api/types/household";
+import { makeWrapper } from "~/tests/utils";
+import { useShoppingListState } from "../use-shopping-list-state";
+import { MOCK_ITEM, MOCK_RECIPE, MOCK_RECIPE2, MOCK_SHOPPING_LIST } from "./mocks";
+
+const wrapper = (list: ShoppingListOut = MOCK_SHOPPING_LIST) => makeWrapper(() => {
+  const { shoppingList, ...state } = useShoppingListState();
+  shoppingList.value = list;
+  return {
+    shoppingList,
+    ...state,
+  };
+});
+
+describe("use-shopping-list-state", () => {
+  describe("checked items are sorted", () => {
+    const { sortCheckedItems } = wrapper();
+
+    test("by timestamp", () => {
+      const sorted = sortCheckedItems(MOCK_ITEM, { ...MOCK_ITEM, updatedAt: "200" });
+      const sorted2 = sortCheckedItems(MOCK_ITEM, { ...MOCK_ITEM, updatedAt: "0" });
+      expect(sorted).toBe(1);
+      expect(sorted2).toBe(-1);
+    });
+    test("by position if timestamps match", () => {
+      const sorted = sortCheckedItems(MOCK_ITEM, { ...MOCK_ITEM, position: 2 });
+      const sorted2 = sortCheckedItems(MOCK_ITEM, { ...MOCK_ITEM, position: 0 });
+      const sorted3 = sortCheckedItems({ ...MOCK_ITEM, position: undefined }, { ...MOCK_ITEM, position: undefined });
+      expect(sorted).toBe(1);
+      expect(sorted2).toBe(-1);
+      expect(sorted3).toBe(1);
+    });
+  });
+
+  describe("recipeMap", () => {
+    test("Updates to match shopping list recipe references", () => {
+      const { recipeMap } = wrapper();
+      expect(recipeMap).toEqual(new Map([
+        [MOCK_RECIPE.id, MOCK_RECIPE],
+        ["", MOCK_RECIPE2],
+      ]));
+    });
+    test("handles nulls", () => {
+      const { recipeMap } = wrapper({ ...MOCK_SHOPPING_LIST, recipeReferences: undefined });
+      expect(recipeMap).toEqual(new Map([]));
+    });
+  });
+
+  describe("checked and unchecked items", () => {
+    test("update appropriately", () => {
+      const mockCheckedItem = { ...MOCK_ITEM, checked: true };
+      const { listItems: { checked, unchecked } } = wrapper({
+        ...MOCK_SHOPPING_LIST, listItems: [
+          MOCK_ITEM,
+          mockCheckedItem,
+        ],
+      });
+      expect(unchecked[0]).toEqual(MOCK_ITEM);
+      expect(checked[0]).toEqual(mockCheckedItem);
+    });
+  });
+});
--- a/frontend/app/composables/use-locales/available-locales.ts
+++ b/frontend/app/composables/use-locales/available-locales.ts
@@ -38,7 +38,7 @@ export const LOCALES = [
  {
    name: "Svenska (Swedish)",
    value: "sv-SE",
-    progress: 75,
+    progress: 76,
    dir: "ltr",
    pluralFoodHandling: "always",
  },
@@ -52,7 +52,7 @@ export const LOCALES = [
  {
    name: "Slovenščina (Slovenian)",
    value: "sl-SI",
-    progress: 56,
+    progress: 57,
    dir: "ltr",
    pluralFoodHandling: "always",
  },
@@ -73,7 +73,7 @@ export const LOCALES = [
  {
    name: "Română (Romanian)",
    value: "ro-RO",
-    progress: 59,
+    progress: 60,
    dir: "ltr",
    pluralFoodHandling: "always",
  },
@@ -108,7 +108,7 @@ export const LOCALES = [
  {
    name: "Nederlands (Dutch)",
    value: "nl-NL",
-    progress: 97,
+    progress: 98,
    dir: "ltr",
    pluralFoodHandling: "always",
  },
@@ -150,7 +150,7 @@ export const LOCALES = [
  {
    name: "Íslenska (Icelandic)",
    value: "is-IS",
-    progress: 56,
+    progress: 57,
    dir: "ltr",
    pluralFoodHandling: "always",
  },
@@ -248,14 +248,14 @@ export const LOCALES = [
  {
    name: "Deutsch (German)",
    value: "de-DE",
-    progress: 98,
+    progress: 99,
    dir: "ltr",
    pluralFoodHandling: "always",
  },
  {
    name: "Dansk (Danish)",
    value: "da-DK",
-    progress: 99,
+    progress: 100,
    dir: "ltr",
    pluralFoodHandling: "always",
  },
@@ -276,7 +276,7 @@ export const LOCALES = [
  {
    name: "Български (Bulgarian)",
    value: "bg-BG",
-    progress: 71,
+    progress: 72,
    dir: "ltr",
    pluralFoodHandling: "always",
  },
--- a/frontend/app/lang/messages/en-US.json
+++ b/frontend/app/lang/messages/en-US.json
@@ -462,7 +462,7 @@
    "mealie-text": "Mealie can import recipes from the Mealie application from a pre v1.0 release. Export your recipes from your old instance, and upload the zip file below. Note that only recipes can be imported from the export.",
    "plantoeat": {
      "title": "Plan to Eat",
-      "description-long": "Mealie can import recipies from Plan to Eat."
+      "description-long": "Mealie can import recipes from Plan to Eat. Upload a ZIP archive, CSV, or TXT file exported from Plan to Eat."
    },
    "myrecipebox": {
      "title": "My Recipe Box",
@@ -1144,6 +1144,8 @@
  },
  "data-pages": {
    "foods": {
+      "delete-affects-recipes": "Warning: this food is used in {count} recipe(s). Deleting it will leave an empty ingredient in the recipe(s).",
+      "delete-affects-recipes-more": "View all {count} recipes",
      "merge-dialog-text": "Combining the selected foods will merge the source food and target food into a single food. The source food will be deleted and all of the references to the source food will be updated to point to the target food.",
      "merge-food-example": "Merging {food1} into {food2}",
      "seed-dialog-text": "Seed the database with foods based on your local language. This will create ~2700 common foods that can be used to organize your database. Foods are translated via a community effort.",
--- a/frontend/app/lib/api/types/admin.ts
+++ b/frontend/app/lib/api/types/admin.ts
@@ -48,6 +48,7 @@ export interface AppInfo {
  oidcRedirect: boolean;
  oidcProviderName: string;
  tokenTime: number;
+  allowedIframeHosts?: string[];
 }
 export interface AppStartupInfo {
  isFirstLogin: boolean;
--- a/frontend/app/lib/sanitize/markdown.test.ts
+++ b/frontend/app/lib/sanitize/markdown.test.ts
@@ -0,0 +1,74 @@
+import { describe, expect, test } from "vitest";
+import { sanitizeMarkdownHtml } from "./markdown";
+
+describe("sanitizeMarkdownHtml", () => {
+  test("returns empty string for nullish input", () => {
+    expect(sanitizeMarkdownHtml(null)).toEqual("");
+    expect(sanitizeMarkdownHtml(undefined)).toEqual("");
+    expect(sanitizeMarkdownHtml("")).toEqual("");
+  });
+
+  test("keeps allowed formatting tags", () => {
+    const html = sanitizeMarkdownHtml("<p>Mix <strong>flour</strong> and <em>water</em></p>");
+    expect(html).toContain("<strong>flour</strong>");
+    expect(html).toContain("<em>water</em>");
+  });
+
+  test("strips script tags and event handlers", () => {
+    const html = sanitizeMarkdownHtml("<p onclick=\"alert(1)\">hi</p><script>alert(1)</script>");
+    expect(html).not.toContain("script");
+    expect(html).not.toContain("onclick");
+    expect(html).not.toContain("alert");
+  });
+
+  test("strips img onerror payloads", () => {
+    const html = sanitizeMarkdownHtml("<img src=x onerror=alert(1)>");
+    expect(html).not.toContain("onerror");
+  });
+
+  // Form controls must never render in user content.
+  test("strips form, input, and button elements", () => {
+    const html = sanitizeMarkdownHtml("<form action=/x><input name=p><button>go</button></form>");
+    expect(html).not.toContain("<form");
+    expect(html).not.toContain("<input");
+    expect(html).not.toContain("<button");
+  });
+
+  test("strips iframes when no allowed hosts are configured", () => {
+    const html = sanitizeMarkdownHtml("<iframe src=\"https://evil.example/x\"></iframe>", []);
+    expect(html).not.toContain("<iframe");
+  });
+
+  test("strips iframes whose src host is not allowlisted", () => {
+    const html = sanitizeMarkdownHtml(
+      "<iframe src=\"https://evil.example/x\"></iframe>",
+      ["youtube.com"],
+    );
+    expect(html).not.toContain("<iframe");
+  });
+
+  test("strips non-https iframes even for an allowlisted host", () => {
+    const html = sanitizeMarkdownHtml(
+      "<iframe src=\"http://www.youtube.com/embed/abc\"></iframe>",
+      ["youtube.com"],
+    );
+    expect(html).not.toContain("<iframe");
+  });
+
+  test("keeps iframes from an allowlisted host (incl. subdomains)", () => {
+    const html = sanitizeMarkdownHtml(
+      "<iframe src=\"https://www.youtube.com/embed/abc\"></iframe>",
+      ["youtube.com"],
+    );
+    expect(html).toContain("<iframe");
+    expect(html).toContain("https://www.youtube.com/embed/abc");
+  });
+
+  test("does not allow a lookalike host to pass the suffix check", () => {
+    const html = sanitizeMarkdownHtml(
+      "<iframe src=\"https://notyoutube.com/embed/abc\"></iframe>",
+      ["youtube.com"],
+    );
+    expect(html).not.toContain("<iframe");
+  });
+});
--- a/frontend/app/lib/sanitize/markdown.ts
+++ b/frontend/app/lib/sanitize/markdown.ts
@@ -0,0 +1,98 @@
+import DOMPurify from "isomorphic-dompurify";
+
+enum DOMPurifyHook {
+  UponSanitizeAttribute = "uponSanitizeAttribute",
+  AfterSanitizeAttributes = "afterSanitizeAttributes",
+}
+
+const ALLOWED_STYLE_PROPERTIES = [
+  "background-color", "color", "font-style", "font-weight", "text-decoration", "text-align",
+];
+
+const BASE_ALLOWED_TAGS = [
+  "strong", "em", "b", "i", "u", "p", "code", "pre", "samp", "kbd", "var", "sub", "sup", "dfn", "cite",
+  "small", "address", "hr", "br", "id", "div", "span", "h1", "h2", "h3", "h4", "h5", "h6",
+  "ul", "ol", "li", "dl", "dt", "dd", "abbr", "a", "img", "blockquote",
+  "del", "ins", "table", "thead", "tbody", "tfoot", "tr", "th", "td", "colgroup",
+];
+
+const BASE_ALLOWED_ATTR = [
+  "href", "src", "alt", "height", "width", "class", "title",
+  "cite", "datetime", "name", "abbr", "target", "border", "start", "style",
+];
+
+// Attributes only meaningful on an <iframe>; added to the allowlist solely when iframe embeds
+// are enabled via a configured host allowlist.
+const IFRAME_ALLOWED_ATTR = ["allow", "allowfullscreen", "frameborder", "scrolling"];
+
+/**
+ * Returns true if an iframe `src` points at one of the allowed hosts. Only https URLs are
+ * accepted, and a configured host matches the URL's hostname exactly or as a parent domain
+ * (e.g. "youtube.com" matches "www.youtube.com").
+ */
+function isAllowedIframeSrc(src: string, allowedHosts: string[]): boolean {
+  let url: URL;
+  try {
+    url = new URL(src);
+  }
+  catch {
+    return false;
+  }
+
+  if (url.protocol !== "https:") {
+    return false;
+  }
+
+  const hostname = url.hostname.toLowerCase();
+  return allowedHosts.some((host) => {
+    const allowed = host.toLowerCase();
+    return hostname === allowed || hostname.endsWith(`.${allowed}`);
+  });
+}
+
+/**
+ * Sanitizes pre-rendered HTML (from markdown) for display in user content such as recipe
+ * instructions, notes, and descriptions.
+ *
+ * Only the tags in `BASE_ALLOWED_TAGS` and attributes in `BASE_ALLOWED_ATTR` survive; everything
+ * else (scripts, event handlers, form controls, ...) is dropped. `style` attributes are filtered
+ * down to the properties in `ALLOWED_STYLE_PROPERTIES`. `<iframe>` is only kept when
+ * `allowedIframeHosts` is non-empty, and even then any iframe whose `src` is not an https URL on
+ * the host allowlist is removed.
+ */
+export function sanitizeMarkdownHtml(rawHtml: string | null | undefined, allowedIframeHosts: string[] = []): string {
+  if (!rawHtml) {
+    return "";
+  }
+
+  const allowIframe = allowedIframeHosts.length > 0;
+
+  DOMPurify.addHook(DOMPurifyHook.UponSanitizeAttribute, (_node, data) => {
+    if (data.attrName === "style") {
+      const styles = data.attrValue.split(";").filter((style) => {
+        const [property] = style.split(":");
+        return ALLOWED_STYLE_PROPERTIES.includes(property.trim().toLowerCase());
+      });
+      data.attrValue = styles.join(";");
+    }
+  });
+
+  if (allowIframe) {
+    DOMPurify.addHook(DOMPurifyHook.AfterSanitizeAttributes, (node) => {
+      if (node.nodeName === "IFRAME" && !isAllowedIframeSrc(node.getAttribute("src") || "", allowedIframeHosts)) {
+        node.parentNode?.removeChild(node);
+      }
+    });
+  }
+
+  const sanitized = DOMPurify.sanitize(rawHtml, {
+    ALLOWED_TAGS: allowIframe ? [...BASE_ALLOWED_TAGS, "iframe"] : BASE_ALLOWED_TAGS,
+    ALLOWED_ATTR: allowIframe ? [...BASE_ALLOWED_ATTR, ...IFRAME_ALLOWED_ATTR] : BASE_ALLOWED_ATTR,
+  });
+
+  Object.values(DOMPurifyHook).forEach((hook) => {
+    DOMPurify.removeHook(hook);
+  });
+
+  return sanitized;
+}
--- a/frontend/app/lib/sanitize/text.test.ts
+++ b/frontend/app/lib/sanitize/text.test.ts
@@ -0,0 +1,35 @@
+import { describe, expect, test, vi } from "vitest";
+import { truncateText } from "./text";
+
+describe("truncateText", () => {
+  test("returns short text unchanged", () => {
+    expect(truncateText("Dinner")).toEqual("Dinner");
+  });
+
+  test("truncates long text with clamp", () => {
+    expect(truncateText("a".repeat(25))).toEqual(`${"a".repeat(20)}...`);
+  });
+
+  test("respects custom length and clamp", () => {
+    expect(truncateText("abcdef", 3, "~")).toEqual("abc~");
+  });
+
+  test("does not clamp text exactly at the length boundary", () => {
+    expect(truncateText("abcde", 5)).toEqual("abcde");
+    expect(truncateText("abcdef", 5)).toEqual("abcde...");
+  });
+
+  // Markup in the input must be treated as plain text and never parsed into the live document.
+  test("does not parse or execute HTML payloads", () => {
+    const createElement = vi.spyOn(document, "createElement");
+    const payload = "<img src=x onerror=alert(1)>";
+
+    const result = truncateText(payload);
+
+    // The payload is returned verbatim (truncated only by length), proving it is treated as text.
+    expect(result).toEqual(`${payload.slice(0, 20)}...`);
+    // No DOM element is constructed, so no <img> can fire its onerror handler.
+    expect(createElement).not.toHaveBeenCalled();
+    createElement.mockRestore();
+  });
+});
--- a/frontend/app/lib/sanitize/text.ts
+++ b/frontend/app/lib/sanitize/text.ts
@@ -0,0 +1,9 @@
+/**
+ * Truncates plain text to `length` characters, appending `clamp` when truncated.
+ *
+ * The input is treated strictly as text and is never parsed as HTML, so markup in the input is
+ * returned verbatim rather than interpreted.
+ */
+export function truncateText(text: string, length = 20, clamp = "..."): string {
+  return text.length > length ? text.slice(0, length) + clamp : text;
+}
--- a/frontend/app/pages/group/data/foods.vue
+++ b/frontend/app/pages/group/data/foods.vue
@@ -69,11 +69,7 @@
          </template>
        </v-autocomplete>

-        <v-alert
-          v-if="foods && foods.length > 0"
-          type="error"
-          class="mb-0 text-body-2"
-        >
+        <v-alert v-if="foods && foods.length > 0" type="error" class="mb-0 text-body-2">
          {{ $t("data-pages.foods.seed-dialog-warning") }}
        </v-alert>
      </v-card-text>
@@ -112,11 +108,7 @@
          :label="$t('data-pages.foods.food-label')"
        />
        <v-card variant="outlined">
-          <v-virtual-scroll
-            height="400"
-            item-height="25"
-            :items="bulkAssignTarget"
-          >
+          <v-virtual-scroll height="400" item-height="25" :items="bulkAssignTarget">
            <template #default="{ item }">
              <v-list-item class="pb-2">
                <v-list-item-title>{{ item.name }}</v-list-item-title>
@@ -141,6 +133,7 @@
      ]"
      :create-form="createForm"
      :edit-form="editForm"
+      :on-delete-dialog-open="onDeleteDialogOpen"
      @create-one="handleCreate"
      @edit-one="handleEdit"
      @delete-one="foodStore.actions.deleteOne"
@@ -151,15 +144,12 @@
          <template #icon>
            {{ $globals.icons.externalLink }}
          </template>
-          {{ $t('data-pages.combine') }}
+          {{ $t("data-pages.combine") }}
        </BaseButton>
      </template>

      <template #[`item.label`]="{ item }">
-        <MultiPurposeLabel
-          v-if="item.label"
-          :label="item.label"
-        >
+        <MultiPurposeLabel v-if="item.label" :label="item.label">
          {{ item.label.name }}
        </MultiPurposeLabel>
      </template>
@@ -171,7 +161,7 @@
      </template>

      <template #[`item.createdAt`]="{ item }">
-        {{ item.createdAt ? $d(new Date(item.createdAt)) : '' }}
+        {{ item.createdAt ? $d(new Date(item.createdAt)) : "" }}
      </template>

      <template #table-button-bottom>
@@ -179,18 +169,33 @@
          <template #icon>
            {{ $globals.icons.database }}
          </template>
-          {{ $t('data-pages.seed') }}
+          {{ $t("data-pages.seed") }}
        </BaseButton>
      </template>

      <template #edit-dialog-custom-action>
-        <BaseButton
-          edit
-          @click="aliasManagerDialog = true"
-        >
-          {{ $t('data-pages.manage-aliases') }}
+        <BaseButton edit @click="aliasManagerDialog = true">
+          {{ $t("data-pages.manage-aliases") }}
        </BaseButton>
      </template>
+
+      <template #delete-dialog-bottom>
+        <v-alert v-if="affectedRecipes.length > 0" type="warning" density="compact" class="mt-4 mb-0">
+          {{ $t("data-pages.foods.delete-affects-recipes", { count: affectedRecipesTotal }) }}
+          <ul class="mt-1 pl-5 mb-0">
+            <li v-for="recipe in affectedRecipes.slice(0, 5)" :key="recipe.slug">
+              <NuxtLink :to="recipe.url" class="text-white">{{ recipe.name }}</NuxtLink>
+            </li>
+          </ul>
+          <NuxtLink
+            v-if="affectedRecipesTotal > 5"
+            :to="affectedRecipesMoreLink"
+            class="text-white d-inline-block mt-1"
+          >
+            {{ $t("data-pages.foods.delete-affects-recipes-more", { count: affectedRecipesTotal }) }}
+          </NuxtLink>
+        </v-alert>
+      </template>
    </GroupDataPage>
  </div>
 </template>
@@ -218,6 +223,7 @@ interface CreateIngredientFoodWithOnHand extends CreateIngredientFood {
 interface IngredientFoodWithOnHand extends IngredientFood {
  onHand: boolean;
 }
+
 const userApi = useUserApi();
 const i18n = useI18n();
 const auth = useMealieAuth();
@@ -274,11 +280,14 @@ const tableHeaders: TableHeaders[] = [
 ];

 const userHousehold = computed(() => auth.user.value?.householdSlug || "");
+const userGroup = computed(() => auth.user.value?.groupSlug || "");
 const foodStore = useFoodStore();
-const foods = computed(() => foodStore.store.value.map((food) => {
-  const onHand = food.householdsWithIngredientFood?.includes(userHousehold.value) || false;
-  return { ...food, onHand } as IngredientFoodWithOnHand;
-}));
+const foods = computed(() =>
+  foodStore.store.value.map((food) => {
+    const onHand = food.householdsWithIngredientFood?.includes(userHousehold.value) || false;
+    return { ...food, onHand } as IngredientFoodWithOnHand;
+  }),
+);

 // ============================================================
 // Labels
@@ -383,6 +392,9 @@ async function handleBulkAction(event: string, items: IngredientFoodWithOnHand[]
  if (event === "delete-selected") {
    const ids = items.map(item => item.id);
    await foodStore.actions.deleteMany(ids);
+    affectedRecipes.value = [];
+    affectedRecipesTotal.value = 0;
+    affectedRecipesMoreLink.value = "";
  }
  else if (event === "assign-selected") {
    bulkAssignEventHandler(items);
@@ -401,6 +413,26 @@ function updateFoodAlias(newAliases: IngredientFoodAlias[]) {
  aliasManagerDialog.value = false;
 }

+// ============================================================
+// Delete Foods
+
+// fetch affected recipes before confirming deletion
+const affectedRecipes = ref<{ name: string; slug: string; url: string }[]>([]);
+const affectedRecipesTotal = ref(0);
+const affectedRecipesMoreLink = ref("");
+
+async function onDeleteDialogOpen(items: IngredientFoodWithOnHand[]) {
+  const ids = items.map(item => item.id);
+  const { data } = await userApi.recipes.search({ foods: ids, perPage: 5 });
+  affectedRecipes.value = (data?.items ?? []).map(r => ({
+    name: r.name ?? "",
+    slug: r.slug ?? "",
+    url: `/g/${userGroup.value}/r/${r.slug}`,
+  }));
+  affectedRecipesTotal.value = data?.total ?? 0;
+  affectedRecipesMoreLink.value = `/g/${userGroup.value}?${ids.map(id => `foods=${id}`).join("&")}`;
+}
+
 // ============================================================
 // Merge Foods

--- a/frontend/app/pages/group/migrations.vue
+++ b/frontend/app/pages/group/migrations.vue
@@ -337,16 +337,8 @@ const _content: Record<string, MigrationContent> = {
  },
  [MIGRATIONS.plantoeat]: {
    text: i18n.t("migration.plantoeat.description-long"),
-    acceptedFileType: ".zip",
-    tree: [
-      {
-        icon: $globals.icons.zip,
-        title: "plantoeat-recipes-508318_10-13-2023.zip",
-        children: [
-          { title: "plantoeat-recipes-508318_10-13-2023.csv", icon: $globals.icons.codeJson },
-        ],
-      },
-    ],
+    acceptedFileType: ".zip,.csv,.txt",
+    tree: false,
  },
  [MIGRATIONS.recipekeeper]: {
    text: i18n.t("migration.recipekeeper.description-long"),
--- a/frontend/app/tests/setup.ts
+++ b/frontend/app/tests/setup.ts
@@ -0,0 +1,18 @@
+import { config } from "@vue/test-utils";
+import { createI18n } from "vue-i18n";
+
+function loadEnLocales() {
+  // eslint-disable-next-line @typescript-eslint/no-require-imports
+  return require("../lang/messages/en-US.json") as Record<string, string>;
+}
+
+const i18n = createI18n({
+  locale: "en-US",
+  messages: {
+    "en-US": loadEnLocales(),
+  },
+});
+
+config.global.plugins = [...(config.global.plugins ?? []), i18n];
+
+export { i18n };
--- a/frontend/app/tests/utils.ts
+++ b/frontend/app/tests/utils.ts
@@ -1,3 +1,4 @@
+import { mount } from "@vue/test-utils";
 import { createI18n } from "vue-i18n";

 function loadEnLocales() {
@@ -14,3 +15,12 @@ export function stubI18n() {
  });
  return i18n.global;
 }
+
+export const makeWrapper = <T>(setup: () => T) => {
+  const Wrapper = {
+    template: "<div />",
+    setup,
+  };
+  const { vm } = mount(Wrapper);
+  return vm as unknown as ReturnType<typeof Wrapper.setup>;
+};
--- a/frontend/eslint.config.mjs
+++ b/frontend/eslint.config.mjs
@@ -11,6 +11,7 @@ export default withNuxt({
    "@stylistic/no-tabs": ["error"],
    "@stylistic/no-mixed-spaces-and-tabs": ["error", "smart-tabs"],
    "@typescript-eslint/no-explicit-any": "off",
+    "import/no-extraneous-dependencies": ["error"],
    "vue/first-attribute-linebreak": "error",
    "vue/html-closing-bracket-newline": "error",
    "vue/max-attributes-per-line": [
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "mealie",
-  "version": "3.19.1",
+  "version": "3.19.2",
  "private": true,
  "scripts": {
    "dev": "nuxt dev",
@@ -12,6 +12,8 @@
    "lint:log": "yarn lint:js --debug",
    "test": "vitest",
    "test:ci": "vitest --watch=false",
+    "test:coverage": "vitest run --coverage",
+    "test:ui": "vitest --ui",
    "cleanup": "nuxt cleanup"
  },
  "lint-staged": {
@@ -21,18 +23,24 @@
    "@mdi/js": "^7.4.47",
    "@nuxt/fonts": "^0.11.4",
    "@nuxtjs/i18n": "^9.2.1",
+    "@sphinxxxx/color-conversion": "^2.2.2",
    "@vite-pwa/nuxt": "^0.10.6",
    "@vueuse/core": "^12.7.0",
+    "@vueuse/shared": "^14.3.0",
    "axios": "^1.8.1",
    "date-fns": "^4.1.0",
+    "dompurify": "^3.4.7",
    "fuse.js": "^7.1.0",
    "isomorphic-dompurify": "^3.4.0",
    "json-editor-vue": "^0.18.1",
    "marked": "^15.0.12",
    "nuxt": "^4.4.2",
    "sse.js": "^2.8.0",
+    "ufo": "^1.6.4",
+    "vue": "^3.5.35",
    "vue-advanced-cropper": "^2.8.9",
    "vue-draggable-plus": "^0.6.0",
+    "vue-i18n": "^11.4.4",
    "vuetify": "^4.0.5",
    "vuetify-nuxt-module": "^0.19.5"
  },
@@ -41,6 +49,10 @@
    "@stylistic/eslint-plugin": "^5.4.0",
    "@types/node": "^25.5.2",
    "@types/sortablejs": "^1.15.8",
+    "@vitejs/plugin-vue": "^6.0.7",
+    "@vitest/coverage-v8": "3.2.4",
+    "@vitest/ui": "3.2.4",
+    "@vue/test-utils": "^2.4.6",
    "eslint": "^9.22.0",
    "eslint-config-prettier": "^10.0.2",
    "eslint-plugin-format": "^1.0.1",
@@ -50,8 +62,9 @@
    "prettier": "^3.5.2",
    "sass-embedded": "^1.85.1",
    "typescript": "^5.3",
+    "unplugin-auto-import": "^21.0.0",
    "vite-plugin-commonjs": "^0.10.4",
-    "vitest": "^3.0.7"
+    "vitest": "^4.0.0"
  },
  "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e",
  "resolutions": {
--- a/frontend/vitest.config.js
+++ b/frontend/vitest.config.js
@@ -1,11 +1,26 @@
 import path from "path";
 import vue from "@vitejs/plugin-vue";
+import AutoImport from "unplugin-auto-import/vite";

 export default {
-  plugins: [vue()],
+  plugins: [
+    vue(),
+    AutoImport({
+      imports: ["vue", "@vueuse/core", "vue-i18n"],
+      dts: false,
+    }),
+  ],
  test: {
    globals: true,
    environment: "jsdom",
+    setupFiles: ["./app/tests/setup.ts"],
+    coverage: {
+      provider: "v8",
+      include: ["app/{lib,components,composables,layouts,pages}/**/*.{ts,tsx,vue}"],
+      exclude: ["**/*.test.*", "node_modules/**", "dist/**", "coverage/**", "**/__tests__/**"],
+      reporter: ["html", "text-summary"],
+      all: true,
+    },
  },
  resolve: {
    alias: {
--- a/frontend/yarn.lock
+++ b/frontend/yarn.lock
--- a/mealie/core/dependencies/dependencies.py
+++ b/mealie/core/dependencies/dependencies.py
@@ -179,7 +179,7 @@ def validate_file_token(token: str | None = None) -> Path:
@contextmanager
 def get_temporary_zip_path(auto_unlink=True) -> Generator[Path, None, None]:
    app_dirs.TEMP_DIR.mkdir(exist_ok=True, parents=True)
-    temp_path = app_dirs.TEMP_DIR.joinpath("my_zip_archive.zip")
+    temp_path = app_dirs.TEMP_DIR / f"{uuid4().hex}.zip"
    try:
        yield temp_path
    finally:
--- a/mealie/core/settings/settings.py
+++ b/mealie/core/settings/settings.py
@@ -33,6 +33,16 @@ class FeatureDetails(NamedTuple):
        return s


+DEFAULT_ALLOWED_IFRAME_HOSTS = [
+    "youtube.com",
+    "youtube-nocookie.com",
+    "vimeo.com",
+    "player.vimeo.com",
+]
+"""Secure-by-default hostnames permitted as `<iframe>` sources in user content. Limited to
+well-known video providers. Subdomains of these hosts are also allowed (e.g. `www.youtube.com`)."""
+
+
 MaskedNoneString = Annotated[
    str | None,
    PlainSerializer(lambda x: None if x is None else "*****", return_type=str | None),
@@ -50,13 +60,19 @@ def determine_secrets(data_dir: Path, secret: str, production: bool) -> str:
    secrets_file = data_dir.joinpath(secret)
    if secrets_file.is_file():
        with open(secrets_file) as f:
-            return f.read()
-    else:
-        data_dir.mkdir(parents=True, exist_ok=True)
-        with open(secrets_file, "w") as f:
-            new_secret = secrets.token_hex(32)
-            f.write(new_secret)
-        return new_secret
+            existing_secret = f.read().strip()
+        if existing_secret:
+            return existing_secret
+
+    data_dir.mkdir(parents=True, exist_ok=True)
+    new_secret = secrets.token_hex(32)
+    tmp_file = secrets_file.with_suffix(".tmp")
+    with open(tmp_file, "w") as f:
+        f.write(new_secret)
+        f.flush()
+        os.fsync(f.fileno())
+    tmp_file.replace(secrets_file)
+    return new_secret


 def get_secrets_dir() -> str | None:
@@ -144,6 +160,19 @@ class AppSettings(AppLoggingSettings):
    ALLOW_SIGNUP: bool = False
    ALLOW_PASSWORD_LOGIN: bool = True

+    ALLOWED_IFRAME_HOSTS: str = ""
+    """Comma-separated list of additional hostnames allowed as `<iframe>` sources in user content
+    (recipe instructions, notes, descriptions). Extends `DEFAULT_ALLOWED_IFRAME_HOSTS`. Subdomains of
+    a listed host are also allowed. Adding hosts is opt-in to riskier behavior; the defaults are
+    limited to well-known video providers."""
+
+    @property
+    def allowed_iframe_hosts(self) -> list[str]:
+        """The full set of hostnames permitted as `<iframe>` sources, secure defaults plus any
+        admin-configured additions via `ALLOWED_IFRAME_HOSTS`."""
+        extra = [host.strip().lower() for host in self.ALLOWED_IFRAME_HOSTS.split(",") if host.strip()]
+        return list(dict.fromkeys(DEFAULT_ALLOWED_IFRAME_HOSTS + extra))
+
    DAILY_SCHEDULE_TIME: str = "23:45"
    """Local server time, in HH:MM format. See `DAILY_SCHEDULE_TIME_UTC` for the parsed UTC equivalent"""

--- a/mealie/routes/app/app_about.py
+++ b/mealie/routes/app/app_about.py
@@ -43,6 +43,7 @@ def get_app_info(session: Session = Depends(generate_session)):
        oidc_provider_name=settings.OIDC_PROVIDER_NAME,
        allow_password_login=settings.ALLOW_PASSWORD_LOGIN,
        token_time=settings.TOKEN_TIME,
+        allowed_iframe_hosts=settings.allowed_iframe_hosts,
    )


--- a/mealie/routes/media/media_recipe.py
+++ b/mealie/routes/media/media_recipe.py
@@ -58,6 +58,13 @@ async def get_recipe_asset(recipe_id: UUID4, file_name: str):
        raise HTTPException(status.HTTP_400_BAD_REQUEST)

    if file.exists():
-        return FileResponse(file, filename=file.name, content_disposition_type="attachment")
+        # Force download and disable MIME sniffing so uploaded assets cannot be
+        # served as active content in Mealie's origin.
+        return FileResponse(
+            file,
+            filename=file.name,
+            content_disposition_type="attachment",
+            headers={"X-Content-Type-Options": "nosniff"},
+        )
    else:
        raise HTTPException(status.HTTP_404_NOT_FOUND)
--- a/mealie/schema/admin/about.py
+++ b/mealie/schema/admin/about.py
@@ -22,6 +22,7 @@ class AppInfo(MealieModel):
    oidc_redirect: bool
    oidc_provider_name: str
    token_time: int
+    allowed_iframe_hosts: list[str] = []


 class AppTheme(MealieModel):
--- a/mealie/services/backups_v2/backup_v2.py
+++ b/mealie/services/backups_v2/backup_v2.py
@@ -6,6 +6,7 @@ from pathlib import Path
 from zipfile import ZipFile

 from mealie.core.config import get_app_settings
+from mealie.core.settings.static import APP_VERSION
 from mealie.services._base_service import BaseService
 from mealie.services.backups_v2.alchemy_exporter import AlchemyExporter
 from mealie.services.backups_v2.backup_file import BackupFile
@@ -43,8 +44,15 @@ class BackupV2(BaseService):
    def backup(self) -> Path:
        # sourcery skip: merge-nested-ifs, reintroduce-else, remove-redundant-continue
        timestamp = datetime.datetime.now(datetime.UTC).strftime("%Y.%m.%d.%H.%M.%S")
+        short_hash = self.settings.GIT_COMMIT_HASH[:7]
+
+        if APP_VERSION == "develop":
+            backup_name = f"mealie_dev-{short_hash}_{timestamp}.zip"
+        elif APP_VERSION == "nightly":
+            backup_name = f"mealie_nightly-{short_hash}_{timestamp}.zip"
+        else:
+            backup_name = f"mealie_{APP_VERSION}_{timestamp}.zip"

-        backup_name = f"mealie_{timestamp}.zip"
        backup_file = self.directories.BACKUP_DIR / backup_name

        database_json = self.db_exporter.dump()
--- a/mealie/services/migrations/plantoeat.py
+++ b/mealie/services/migrations/plantoeat.py
@@ -7,6 +7,7 @@ from pathlib import Path
 from slugify import slugify

 from mealie.pkgs.cache import cache_key
+from mealie.schema.reports.reports import ReportEntryCreate
 from mealie.services.scraper import cleaner

 from ._migration_base import BaseMigrator
@@ -15,15 +16,23 @@ from .utils.migration_helpers import scrape_image, split_by_comma


 def plantoeat_recipes(file: Path):
-    """Yields all recipes inside the export file as dict"""
-    with tempfile.TemporaryDirectory() as tmpdir:
-        with zipfile.ZipFile(file) as zip_file:
-            zip_file.extractall(tmpdir)
+    """Yields all recipes inside the export file as dict.

-        for name in Path(tmpdir).glob("**/[!.]*.csv"):
-            with open(name, newline="") as csvfile:
-                reader = csv.DictReader(csvfile)
-                yield from reader
+    Accepts a ZIP archive containing a CSV, or a raw CSV/TXT file.
+    """
+    if zipfile.is_zipfile(file):
+        with tempfile.TemporaryDirectory() as tmpdir:
+            with zipfile.ZipFile(file) as zip_file:
+                zip_file.extractall(tmpdir)
+
+            for name in Path(tmpdir).glob("**/[!.]*.csv"):
+                with open(name, newline="") as csvfile:
+                    reader = csv.DictReader(csvfile)
+                    yield from reader
+    else:
+        with open(file, newline="", encoding="utf-8", errors="ignore") as csvfile:
+            reader = csv.DictReader(csvfile)
+            yield from reader


 def get_value_as_string_or_none(dictionary: dict, key: str):
@@ -112,7 +121,32 @@ class PlanToEatMigrator(BaseMigrator):

        return recipe_dict

+    def _validate_archive(self) -> bool:
+        """Returns False and appends a failure report entry if the file is not a ZIP, CSV, or TXT."""
+        if zipfile.is_zipfile(self.archive):
+            return True
+
+        try:
+            with open(self.archive, encoding="utf-8", errors="strict") as f:
+                f.read(512)
+            return True
+        except UnicodeDecodeError:
+            pass
+
+        self.report_entries.append(
+            ReportEntryCreate(
+                report_id=self.report_id,
+                success=False,
+                message="Unsupported file format. Please upload a ZIP archive, CSV file, or TXT file.",
+                exception="",
+            )
+        )
+        return False
+
    def _migrate(self) -> None:
+        if not self._validate_archive():
+            return
+
        recipe_image_urls = {}

        recipes = []
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "mealie"
-version = "3.19.1"
+version = "3.19.2"
 description = "A Recipe Manager"
 authors = [{ name = "Hayden", email = "hay-kot@pm.me" }]
 license = "AGPL-3.0-only"
@@ -9,15 +9,13 @@ dependencies = [
    "Jinja2==3.1.6",
    "Pillow==12.2.0",
    "PyYAML==6.0.3",
-    "SQLAlchemy==2.0.49",
+    "SQLAlchemy==2.0.50",
    "aiofiles==25.1.0",
    "alembic==1.18.4",
-    "aniso8601==10.0.1",
-    "appdirs==1.4.4",
    "apprise==1.10.0",
    "bcrypt==5.0.0",
    "extruct==0.18.0",
-    "fastapi==0.136.1",
+    "fastapi==0.136.3",
    "httpx==0.28.1",
    "lxml==6.1.1",
    "orjson==3.11.9",
@@ -31,7 +29,7 @@ dependencies = [
    "recipe-scrapers==15.11.0",
    "requests==2.34.2",
    "tzdata==2026.2",
-    "uvicorn[standard]==0.47.0",
+    "uvicorn[standard]==0.48.0",
    "beautifulsoup4==4.14.3",
    "isodate==0.7.2",
    "text-unidecode==1.3",
@@ -46,7 +44,7 @@ dependencies = [
    "typing-extensions==4.15.0",
    "itsdangerous==2.2.0",
    "yt-dlp==2026.3.17",
-    "ingredient-parser-nlp==2.6.0",
+    "ingredient-parser-nlp==2.7.0",
    "pint==0.25.3",
    "httpx-curl-cffi==0.1.5",
 ]
@@ -64,14 +62,14 @@ docs = [
    "mkdocs-material==9.7.6",
 ]
 dev = [
-    "coverage==7.14.0",
+    "coverage==7.14.1",
    "coveragepy-lcov==0.1.2",
    "mkdocs-material==9.7.6",
    "mypy==2.1.0",
    "pre-commit==4.6.0",
    "pylint==4.0.5",
    "pytest==9.0.3",
-    "pytest-asyncio==1.3.0",
+    "pytest-asyncio==1.4.0",
    "rich==15.0.0",
    "ruff==0.15.14",
    "types-PyYAML==6.0.12.20260518",
@@ -178,3 +176,7 @@ max-complexity = 24  # Default is 10.

 [tool.uv]
 add-bounds = "exact"
+# Cooling period: ignore package releases newer than 5 days to mitigate
+# supply-chain attacks (compromised releases are usually caught and yanked
+# within days). Evaluated at resolve time as a rolling window.
+exclude-newer = "5 days"
--- a/renovate.json
+++ b/renovate.json
@@ -1,5 +1,6 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "prCreation": "immediate",
  "lockFileMaintenance": {
    "enabled": true
  },
@@ -11,6 +12,8 @@
  "extends": [
    "config:recommended"
  ],
+  "minimumReleaseAge": "5 days",
+  "internalChecksFilter": "strict",
  "addLabels": [
    "dependencies"
  ],
@@ -50,8 +53,7 @@
      ],
      "automerge": true,
      "automergeType": "pr",
-      "automergeStrategy": "squash",
-      "minimumReleaseAge": "5 days"
+      "automergeStrategy": "squash"
    },
    {
      "description": "Auto-merge Docker digest and patch updates",
@@ -65,8 +67,7 @@
      ],
      "automerge": true,
      "automergeType": "pr",
-      "automergeStrategy": "squash",
-      "minimumReleaseAge": "5 days"
+      "automergeStrategy": "squash"
    }
  ]
 }
--- a/tests/data/init.py
+++ b/tests/data/init.py
@@ -45,6 +45,8 @@ migrations_tandoor = CWD / "migrations/tandoor.zip"

 migrations_plantoeat = CWD / "migrations/plantoeat.zip"

+migrations_plantoeat_csv = CWD / "migrations/plantoeat.csv"
+
 migrations_myrecipebox = CWD / "migrations/myrecipebox.csv"

 migrations_recipekeeper = CWD / "migrations/recipekeeper.zip"
--- a/tests/data/migrations/plantoeat.csv
+++ b/tests/data/migrations/plantoeat.csv
@@ -0,0 +1,13 @@
+Title,Course,Cuisine,Main Ingredient,Description,Source,Url,Url Host,Prep Time,Cook Time,Total Time,Servings,Yield,Ingredients,Directions,Tags,Rating,Public Url,Photo Url,Private,Nutritional Score (generic),Calories,Fat,Saturated Fat,Cholesterol,Sodium,Sugar,Carbohydrate,Fiber,Protein,Cost,Created At,Updated At
+Test Recipe,Main Course,American,Beans,"This is a description.
+Here is new line.",Manually entered source,https://eatwithclarity.com/sushi-bowl-with-sesame-tofu/,,75,75,150,7,1 loaf,", Heading
+2 itm Test, note
+, Heading2
+3 pkg Two, note2
+
+","Directions.
+Will go here.","Allergen-Friendly, Cheap, Test",3,https://app.plantoeat.com/recipes/38843883,https://plantoeat.s3.amazonaws.com/recipes/29516709/470292506c8d9b71582487a7879ab7b197d06490-large.jpg?1628205591,yes,,13,16,17,18,19,22,20,21,23,,2023-10-13 20:29:29,2023-10-13 20:32:48
+Test Recipe2,,,,,,,,,,,,,"2 itm Test, note
+3 pkg Two, note2
+","Directions.
+Will go here.",,,,,,,,,,,,,,,,,2023-10-13 20:29:29,2023-10-13 20:32:48
--- a/tests/integration_tests/recipe_migration_tests/test_recipe_migrations.py
+++ b/tests/integration_tests/recipe_migration_tests/test_recipe_migrations.py
@@ -94,6 +94,15 @@ test_cases = [
            "transFatContent",
        },
    ),
+    MigrationTestData(
+        typ=SupportedMigrations.plantoeat,
+        archive=test_data.migrations_plantoeat_csv,
+        search_slug="test-recipe",
+        nutrition_filter={
+            "unsaturatedFatContent",
+            "transFatContent",
+        },
+    ),
    MigrationTestData(
        typ=SupportedMigrations.myrecipebox,
        archive=test_data.migrations_myrecipebox,
@@ -124,6 +133,7 @@ test_ids = [
    "mealie_alpha_archive",
    "tandoor_archive",
    "plantoeat_archive",
+    "plantoeat_csv",
    "myrecipebox_csv",
    "recipekeeper_archive",
    "cookn_archive",
@@ -190,6 +200,30 @@ def test_recipe_migration(api_client: TestClient, unique_user_fn_scoped: TestUse
    # TODO: validate other types of content


+def test_plantoeat_rejects_invalid_file_type(api_client: TestClient, unique_user: TestUser) -> None:
+    # Simulate uploading a binary file (e.g. PDF) that is neither ZIP nor CSV/TXT
+    binary_content = bytes(range(256)) * 4  # arbitrary binary data that is not valid UTF-8
+    payload = {"migration_type": SupportedMigrations.plantoeat.value}
+    file_payload = {"archive": binary_content}
+
+    response = api_client.post(
+        api_routes.groups_migrations,
+        data=payload,
+        files=file_payload,
+        headers=unique_user.token,
+    )
+
+    assert response.status_code == 200
+    report_id = response.json()["id"]
+
+    response = api_client.get(api_routes.groups_reports_item_id(report_id), headers=unique_user.token)
+    assert response.status_code == 200
+    report = response.json()
+    assert report["entries"]
+    assert not report["entries"][0]["success"]
+    assert "ZIP" in report["entries"][0]["message"] or "CSV" in report["entries"][0]["message"]
+
+
 def test_bad_mealie_alpha_data_is_ignored(api_client: TestClient, unique_user: TestUser):
    with TemporaryDirectory() as tmpdir:
        with ZipFile(test_data.migrations_mealie) as zf:
--- a/tests/integration_tests/user_recipe_tests/test_recipe_image_assets.py
+++ b/tests/integration_tests/user_recipe_tests/test_recipe_image_assets.py
@@ -104,6 +104,33 @@ def test_recipe_asset_dangerous_extension_blocked(
        assert response.status_code == 400, f"expected 400 for extension={ext}, got {response.status_code}"


+def test_recipe_asset_served_as_attachment(
+    api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe
+):
+    """Assets must be served as downloads with MIME sniffing disabled so uploaded files cannot
+    execute as active content in Mealie's origin."""
+    recipe = recipe_ingredient_only
+    payload = {"name": random_string(10), "icon": "mdi-file", "extension": "txt"}
+    file_payload = {"file": b"<script>alert(1)</script>"}
+
+    response = api_client.post(
+        f"/api/recipes/{recipe.slug}/assets",
+        data=payload,
+        files=file_payload,
+        headers=unique_user.token,
+    )
+    assert response.status_code == 200
+
+    recipe_response = api_client.get(f"/api/recipes/{recipe.slug}", headers=unique_user.token).json()
+    recipe_id = recipe_response["id"]
+    file_name = recipe_response["assets"][0]["fileName"]
+
+    media_response = api_client.get(f"/api/media/recipes/{recipe_id}/assets/{file_name}")
+    assert media_response.status_code == 200
+    assert "attachment" in media_response.headers["content-disposition"].lower()
+    assert media_response.headers["x-content-type-options"] == "nosniff"
+
+
 def test_recipe_image_upload(api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe):
    data_payload = {"extension": "jpg"}
    file_payload = {"image": data.images_test_image_1.read_bytes()}
--- a/tests/unit_tests/test_config.py
+++ b/tests/unit_tests/test_config.py
@@ -1,12 +1,13 @@
 import json
 import re
 from dataclasses import dataclass
+from pathlib import Path
 from typing import Any

 import pytest

 from mealie.core.config import get_app_settings
-from mealie.core.settings.settings import AppSettings
+from mealie.core.settings.settings import AppSettings, determine_secrets


 def test_non_default_settings(monkeypatch):
@@ -26,6 +27,31 @@ def test_non_default_settings(monkeypatch):
    assert app_settings.DOCS_URL is None


+def test_allowed_iframe_hosts_defaults(monkeypatch):
+    monkeypatch.delenv("ALLOWED_IFRAME_HOSTS", raising=False)
+    get_app_settings.cache_clear()
+    app_settings = get_app_settings()
+
+    # Secure defaults are always present and never empty (empty would disable iframe embeds).
+    assert "youtube.com" in app_settings.allowed_iframe_hosts
+    assert "vimeo.com" in app_settings.allowed_iframe_hosts
+
+
+def test_allowed_iframe_hosts_extends_defaults(monkeypatch):
+    monkeypatch.setenv("ALLOWED_IFRAME_HOSTS", " Example.com , trusted.tld ,, ")
+    get_app_settings.cache_clear()
+    app_settings = get_app_settings()
+
+    hosts = app_settings.allowed_iframe_hosts
+    # Configured hosts are normalized, blanks dropped, and defaults retained.
+    assert "example.com" in hosts
+    assert "trusted.tld" in hosts
+    assert "youtube.com" in hosts
+    assert "" not in hosts
+    # No duplicates.
+    assert len(hosts) == len(set(hosts))
+
+
 def test_default_connection_args(monkeypatch):
    monkeypatch.setenv("DB_ENGINE", "sqlite")
    get_app_settings.cache_clear()
@@ -367,3 +393,42 @@ def test_sensitive_settings_mask(monkeypatch: pytest.MonkeyPatch):
    for setting in sensitive_settings:
        assert settings[setting] == "*****"
        assert settings_json[setting] == "*****"
+
+
+class DetermineSecretsTests:
+    def test_non_production_returns_fixed_key(self, tmp_path: Path):
+        result = determine_secrets(tmp_path, ".secret", production=False)
+        assert result == "shh-secret-test-key"
+
+    def test_generates_secret_when_file_missing(self, tmp_path: Path):
+        result = determine_secrets(tmp_path, ".secret", production=True)
+        assert result
+        assert (tmp_path / ".secret").read_text() == result
+
+    def test_reuses_existing_secret(self, tmp_path: Path):
+        (tmp_path / ".secret").write_text("existing-secret")
+        result = determine_secrets(tmp_path, ".secret", production=True)
+        assert result == "existing-secret"
+
+    def test_regenerates_when_file_is_empty(self, tmp_path: Path):
+        (tmp_path / ".secret").write_text("")
+        result = determine_secrets(tmp_path, ".secret", production=True)
+        assert result
+        assert (tmp_path / ".secret").read_text() == result
+
+    def test_regenerates_when_file_is_whitespace_only(self, tmp_path: Path):
+        (tmp_path / ".secret").write_text("   \n  ")
+        result = determine_secrets(tmp_path, ".secret", production=True)
+        assert result
+        assert (tmp_path / ".secret").read_text() == result
+
+    def test_generates_unique_secrets(self, tmp_path: Path):
+        dir_a = tmp_path / "a"
+        dir_b = tmp_path / "b"
+        result_a = determine_secrets(dir_a, ".secret", production=True)
+        result_b = determine_secrets(dir_b, ".secret", production=True)
+        assert result_a != result_b
+
+    def test_no_tmp_file_left_after_write(self, tmp_path: Path):
+        determine_secrets(tmp_path, ".secret", production=True)
+        assert not (tmp_path / ".tmp").exists()
--- a/uv.lock
+++ b/uv.lock
@@ -25,15 +25,6 @@ wheels = [
    { url = "https://files.pythonhosted.org/packages/d2/29/6533c317b74f707ea28f8d633734dbda2119bbadfc61b2f3640ba835d0f7/alembic-1.18.4-py3-none-any.whl", hash = "sha256:a5ed4adcf6d8a4cb575f3d759f071b03cd6e5c7618eb796cb52497be25bfe19a", size = 263893, upload-time = "2026-02-10T16:00:49.997Z" },
 ]

-[[package]]
-name = "aniso8601"
-version = "10.0.1"
-source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/8b/8d/52179c4e3f1978d3d9a285f98c706642522750ef343e9738286130423730/aniso8601-10.0.1.tar.gz", hash = "sha256:25488f8663dd1528ae1f54f94ac1ea51ae25b4d531539b8bc707fed184d16845", size = 47190, upload-time = "2025-04-18T17:29:42.995Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/59/75/e0e10dc7ed1408c28e03a6cb2d7a407f99320eb953f229d008a7a6d05546/aniso8601-10.0.1-py2.py3-none-any.whl", hash = "sha256:eb19717fd4e0db6de1aab06f12450ab92144246b257423fe020af5748c0cb89e", size = 52848, upload-time = "2025-04-18T17:29:41.492Z" },
-]
-
 [[package]]
 name = "annotated-doc"
 version = "0.0.4"
@@ -65,15 +56,6 @@ wheels = [
    { url = "https://files.pythonhosted.org/packages/da/42/e921fccf5015463e32a3cf6ee7f980a6ed0f395ceeaa45060b61d86486c2/anyio-4.13.0-py3-none-any.whl", hash = "sha256:08b310f9e24a9594186fd75b4f73f4a4152069e3853f1ed8bfbf58369f4ad708", size = 114353, upload-time = "2026-03-24T12:59:08.246Z" },
 ]

-[[package]]
-name = "appdirs"
-version = "1.4.4"
-source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/d7/d8/05696357e0311f5b5c316d7b95f46c669dd9c15aaeecbb48c7d0aeb88c40/appdirs-1.4.4.tar.gz", hash = "sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41", size = 13470, upload-time = "2020-05-11T07:59:51.037Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/3b/00/2344469e2084fb287c2e0b57b72910309874c3245463acd6cf5e3db69324/appdirs-1.4.4-py2.py3-none-any.whl", hash = "sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128", size = 9566, upload-time = "2020-05-11T07:59:49.499Z" },
-]
-
 [[package]]
 name = "apprise"
 version = "1.10.0"
@@ -298,26 +280,26 @@ wheels = [

 [[package]]
 name = "coverage"
-version = "7.14.0"
+version = "7.14.1"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/23/7f/d0720730a397a999ffc0fd3f5bebef347338e3a47b727da66fbb228e2ff2/coverage-7.14.0.tar.gz", hash = "sha256:057a6af2f160a85384cde4ab36f0d2777bae1057bae255f95413cdd382aa5c74", size = 919489, upload-time = "2026-05-10T18:02:31.397Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/54/fd/0ab2772530e946e1be1abd0bc09e647ec9b02e88f0867857601fefca8953/coverage-7.14.1.tar.gz", hash = "sha256:30c08f7d90415aa98b3c990385dea2939b0da55f38515e5b369b83655f8523be", size = 920132, upload-time = "2026-05-26T20:41:36.783Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/09/1e/2f996b2c8415cbb6f54b0f5ec1ee850c96d7911961afb4fc05f4a89d8c58/coverage-7.14.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:7ffd19fc8aed057fd686a17a4935eef5f9859d69208f96310e893e64b9b6ccf5", size = 219967, upload-time = "2026-05-10T18:00:13.756Z" },
-    { url = "https://files.pythonhosted.org/packages/34/23/35c7aea1274aef7525bdd2dc92f710bdde6d11652239d71d1ec450067939/coverage-7.14.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:829994cfe1aeb773ca27bf246d4badc1e764893e3bfb98fff820fcecd1ca4662", size = 220329, upload-time = "2026-05-10T18:00:15.264Z" },
-    { url = "https://files.pythonhosted.org/packages/75/cf/a8f4b43a16e194b0261257ad28ded5853ec052570afef4a84e1d81189f3b/coverage-7.14.0-cp312-cp312-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:b4f07cf7edcb7ec39431a5074d7ea83b29a9f71fcfc494f0f40af4e65180420f", size = 251839, upload-time = "2026-05-10T18:00:17.16Z" },
-    { url = "https://files.pythonhosted.org/packages/69/ff/6699e7b71e60d3049eb2bdcbc95ee3f35707b2b0e48f32e9e63d3ce30c08/coverage-7.14.0-cp312-cp312-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:ca3d9cf2c32b521bd9518385608787fa86f38daf993695307531822c3430ed67", size = 254576, upload-time = "2026-05-10T18:00:18.829Z" },
-    { url = "https://files.pythonhosted.org/packages/22/ec/c936d495fcd67f48f03a9c4ad3297ff80d1f222a5df3980f15b34c186c21/coverage-7.14.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:92af52828e7f29d827346b0294e5a0853fa206db77db0395b282918d41e28db9", size = 255690, upload-time = "2026-05-10T18:00:20.648Z" },
-    { url = "https://files.pythonhosted.org/packages/5c/42/5af63f636cc62a4a2b1b3ba9146f6ee6f53a35a50d5cefc54d5670f60999/coverage-7.14.0-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:7b2bb6c9d7e769360d0f20a0f219603fd64f0c8f97de17ab25853261602be0fb", size = 257949, upload-time = "2026-05-10T18:00:22.28Z" },
-    { url = "https://files.pythonhosted.org/packages/26/d3/a225317bd2012132a27e1176d51660b826f99bb975876463c44ea0d7ee5a/coverage-7.14.0-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:1c9ed6ef99f88fb8c14aa8e2bf8eb0fe55fa2edfea68f8675d78741df1a5ac0e", size = 252242, upload-time = "2026-05-10T18:00:24.076Z" },
-    { url = "https://files.pythonhosted.org/packages/f1/7f/9e65495298c3ea414742998539c37d048b5e81cc818fb1828cc6b51d10bf/coverage-7.14.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:8231ade007f37959fbf58acc677f26b922c02eda6f0428ea307da0fd39681bf3", size = 253608, upload-time = "2026-05-10T18:00:25.588Z" },
-    { url = "https://files.pythonhosted.org/packages/94/46/1522b524a35bdad22b2b8c4f9d32d0a104b524726ec380b2db68db1746f5/coverage-7.14.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:d8b013632cc1ce1d09dbe4f32667b4d320ec2f54fc326ebeffcd0b0bcc2bb6c4", size = 251753, upload-time = "2026-05-10T18:00:27.104Z" },
-    { url = "https://files.pythonhosted.org/packages/f3/e9/cdf00d38817742c541ade405e115a3f7bf36e6f2a8b99d4f209861b85a2d/coverage-7.14.0-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:1733198802d71ec4c524f322e2867ee05c62e9e75df86bdca545407a221827d1", size = 255823, upload-time = "2026-05-10T18:00:29.038Z" },
-    { url = "https://files.pythonhosted.org/packages/38/fc/5e7877cf5f902d08a17ff1c532511476d87e1bea355bd5028cb97f902e79/coverage-7.14.0-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:72a305291fa8ee01332f1aaf38b348ca34097f6aa0b0ef627eef2837e57bbba5", size = 251323, upload-time = "2026-05-10T18:00:30.647Z" },
-    { url = "https://files.pythonhosted.org/packages/18/9d/50f05a72dff8487464fdd4178dda5daed642a060e60afb644e3d45123559/coverage-7.14.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:fcaba850dd317c65423a9d63d88f9573c53b00354d6dd95724576cc98a131595", size = 253197, upload-time = "2026-05-10T18:00:32.211Z" },
-    { url = "https://files.pythonhosted.org/packages/00/3f/6f61ffe6439df266c3cf60f5c99cfaa21103d0210d706a42fc6c30683ff8/coverage-7.14.0-cp312-cp312-win32.whl", hash = "sha256:5ac83957a80d0701310e96d8bec68cdcf4f90a7674b7d13f15a344315b41ab27", size = 222515, upload-time = "2026-05-10T18:00:33.717Z" },
-    { url = "https://files.pythonhosted.org/packages/85/19/93853133df2cb371083285ef6a93982a0173e7a233b0f61373ba9fd30eb2/coverage-7.14.0-cp312-cp312-win_amd64.whl", hash = "sha256:70390b0da32cb90b501953716302906e8bcce087cb283e70d8c97729f22e92b2", size = 223324, upload-time = "2026-05-10T18:00:35.172Z" },
-    { url = "https://files.pythonhosted.org/packages/74/18/9f7fe62f659f24b7a82a0be56bf94c1bd0a89e0ae7ab4c668f6e82404294/coverage-7.14.0-cp312-cp312-win_arm64.whl", hash = "sha256:91b993743d959b8be85b4abf9d5478216a69329c321efe5be0433c1a841d691d", size = 221944, upload-time = "2026-05-10T18:00:37.014Z" },
-    { url = "https://files.pythonhosted.org/packages/61/e8/cb8e80d6f9f55b99588625062822bf946cf03ed06315df4bd8397f5632a1/coverage-7.14.0-py3-none-any.whl", hash = "sha256:8de5b61163aee3d05c8a2beab6f47913df7981dad1baf82c414d99158c286ab1", size = 211764, upload-time = "2026-05-10T18:02:29.538Z" },
+    { url = "https://files.pythonhosted.org/packages/3d/b7/bdbb725ba02c5b42825b200c940f38b7a54fcad24627b7192f78f8110d76/coverage-7.14.1-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:a06c76364a9360e33d6d23769aefdf7f66f38e2ffb60ceb1baaa4989d83b695c", size = 220022, upload-time = "2026-05-26T20:39:03.702Z" },
+    { url = "https://files.pythonhosted.org/packages/72/81/fdc0898a55c6219223291ec1a1fe89966ef212ce82276aa0899df84b5de0/coverage-7.14.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:fad54e871165f6ec2f536063ac74c3104508a12963e64072ba44bd822de52b0c", size = 220379, upload-time = "2026-05-26T20:39:05.381Z" },
+    { url = "https://files.pythonhosted.org/packages/de/72/de048c4a25e13bce59ac6a339351c10bdf2515e07459afcdaf04dc3143a2/coverage-7.14.1-cp312-cp312-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:84b535f00655ecafe1d929d1fb00ed5d6fa3051ea643ab2c161a3887b86f294b", size = 251888, upload-time = "2026-05-26T20:39:07.367Z" },
+    { url = "https://files.pythonhosted.org/packages/28/30/300c343f68beb9d4cbb64ec81e58c5b6b80b56927f72d2b38654ac26e013/coverage-7.14.1-cp312-cp312-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:6b6b0853b895fe0e98cbfc580d1ec3393d9302b4b1e96a77b3f5c91fdab899e6", size = 254624, upload-time = "2026-05-26T20:39:09.037Z" },
+    { url = "https://files.pythonhosted.org/packages/b1/ed/7b25642496e8170b6bac14adce00537c6e5fa2d586159401a4de3e8b49e6/coverage-7.14.1-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:442cc9c952b2df400cda54bb04ab87330cf2cd08a8692cbbea36773531eb6f37", size = 255739, upload-time = "2026-05-26T20:39:10.889Z" },
+    { url = "https://files.pythonhosted.org/packages/7f/a2/abd210b8c4e29c24e4624916db97bb519097a91034aaeb767f937e7da794/coverage-7.14.1-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:8270544c361ed405a27a060dbc9ed2c124b084d96dfdc2d9a2510482aef981ad", size = 257998, upload-time = "2026-05-26T20:39:12.722Z" },
+    { url = "https://files.pythonhosted.org/packages/7f/24/7c50beed3792fe62f6ce0545c6686ce83379719e2c0276179333d97eae92/coverage-7.14.1-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:48b283b1dd6372e8de2a7a9a4c4d5dc06f4d4fd209b876f3c88a7a205a0c8f84", size = 252296, upload-time = "2026-05-26T20:39:14.259Z" },
+    { url = "https://files.pythonhosted.org/packages/15/05/0f874628ebcbfc77ead559ff210281ef06a97db08481832e7dd39274a135/coverage-7.14.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:5b0c99ba93a07d56f6df340bb79be53202a082b2fdb81bfe6190b741a3470d54", size = 253658, upload-time = "2026-05-26T20:39:15.923Z" },
+    { url = "https://files.pythonhosted.org/packages/99/6f/ca6ad067364b337ef997802115e7ecad2abd2248b05471464b0dea02b4d4/coverage-7.14.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:e471bc5769ff073b058cfadb0d736b56ce067c8560eabeb0da88462df98c23e7", size = 251803, upload-time = "2026-05-26T20:39:17.537Z" },
+    { url = "https://files.pythonhosted.org/packages/c0/30/b9b4d377cd9f40baf228068f5a81faf8450c6228503011bd499708483a50/coverage-7.14.1-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:f497a1ea81d4cd7c10ddcaa685135b9aabd291af3d55775a9ddf3cb7a364cdd9", size = 255873, upload-time = "2026-05-26T20:39:19.414Z" },
+    { url = "https://files.pythonhosted.org/packages/3c/21/7c721a9e5e6bb88547d30a787aefb97512d3f54c1324c7488d9b3743f7f9/coverage-7.14.1-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:2222be86d0b54f5dd5a38f45f17f315f737245e857bf0bdedc70734f84a13c02", size = 251372, upload-time = "2026-05-26T20:39:21.169Z" },
+    { url = "https://files.pythonhosted.org/packages/9d/8c/f8ae5a2200130e1503cd7661a6cd3b2b7bacef98277fbf3571fb13f8b766/coverage-7.14.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:85e85586565842f6932abebd4c18bcb1074223dc0b3576e7d173ca710622813a", size = 253245, upload-time = "2026-05-26T20:39:23.097Z" },
+    { url = "https://files.pythonhosted.org/packages/34/62/70a9024672a5f6910517d9628c52c9afbdd3cf8f46426af52bb148a56fff/coverage-7.14.1-cp312-cp312-win32.whl", hash = "sha256:4a28fd227808366b196a75476dced2eb35b351d6766ba9c858dc93319e87f4f1", size = 222567, upload-time = "2026-05-26T20:39:24.868Z" },
+    { url = "https://files.pythonhosted.org/packages/f6/81/8b7cd386839b039ebe1855733b9f9449a8dec5d79564018234f185a7fa70/coverage-7.14.1-cp312-cp312-win_amd64.whl", hash = "sha256:54acdb6674a4661768d7bf7db32dfb9f46ab1d764f8aba6df75ce1a6a088724e", size = 223372, upload-time = "2026-05-26T20:39:26.603Z" },
+    { url = "https://files.pythonhosted.org/packages/ae/ba/b44d472022f620d289d95fa830143235c0c36461c6f2437ea8d51e5481ed/coverage-7.14.1-cp312-cp312-win_arm64.whl", hash = "sha256:99cd41ff91afd94896fea3bc002706b6ae4ce95727d06e4a0f39c0a8d8bd8b1a", size = 221989, upload-time = "2026-05-26T20:39:28.242Z" },
+    { url = "https://files.pythonhosted.org/packages/8a/3c/1a983b9a745d7f83d53f057bcc5bf79ba6a2bbc08266b3f0c7d6fe630c9b/coverage-7.14.1-py3-none-any.whl", hash = "sha256:a252f21c27e38347e60111a3266b03827422a7d5525951aceee313aa68bab1d2", size = 211815, upload-time = "2026-05-26T20:41:34.078Z" },
 ]

 [[package]]
@@ -445,7 +427,7 @@ wheels = [

 [[package]]
 name = "fastapi"
-version = "0.136.1"
+version = "0.136.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "annotated-doc" },
@@ -454,9 +436,9 @@ dependencies = [
    { name = "typing-extensions" },
    { name = "typing-inspection" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/5d/45/c130091c2dfa061bbfe3150f2a5091ef1adf149f2a8d2ae769ecaf6e99a2/fastapi-0.136.1.tar.gz", hash = "sha256:7af665ad7acfa0a3baf8983d393b6b471b9da10ede59c60045f49fbc89a0fa7f", size = 397448, upload-time = "2026-04-23T16:49:44.046Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/81/2d/ff8d91d7b564d464629a0fd50a4489c97fcb836ac230bf3a7269232a9b1f/fastapi-0.136.3.tar.gz", hash = "sha256:e487fae93ad408e6f47641ee4dfe389864fd7bec92e547ea8498fc13f43e83ab", size = 396410, upload-time = "2026-05-23T18:53:15.192Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/5a/ff/2e4eca3ade2c22fe1dea7043b8ee9dabe47753349eb1b56a202de8af6349/fastapi-0.136.1-py3-none-any.whl", hash = "sha256:a6e9d7eeada96c93a4d69cb03836b44fa34e2854accb7244a1ece36cd4781c3f", size = 117683, upload-time = "2026-04-23T16:49:42.437Z" },
+    { url = "https://files.pythonhosted.org/packages/e0/82/45359b62a067409bd929ae8a56b8ed13e5a8c8a61194b3c236920999ab83/fastapi-0.136.3-py3-none-any.whl", hash = "sha256:3d2a69bdf04b7e9f3afa292c3bc7a98816bbfafa10bc9b45f3f3700d2f761620", size = 117481, upload-time = "2026-05-23T18:53:16.924Z" },
 ]

 [[package]]
@@ -653,17 +635,16 @@ wheels = [

 [[package]]
 name = "ingredient-parser-nlp"
-version = "2.6.0"
+version = "2.7.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "nltk" },
    { name = "numpy" },
    { name = "pint" },
-    { name = "python-crfsuite" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/a9/3e/4b13bcd97b6ab8f8089f3dd1f8b992e1a5b22d13d3504ebca339087463f8/ingredient_parser_nlp-2.6.0.tar.gz", hash = "sha256:4159fa7b59e8fe29cc6c1af339209bc6608efa2e085dab6be9402417a1657881", size = 4310819, upload-time = "2026-03-20T15:30:28.293Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/a4/4c/a1a7a8d724b2e12da6e32ca56f40142cc367b15bb9c9342743e9c701cfec/ingredient_parser_nlp-2.7.0.tar.gz", hash = "sha256:1ea3b8f95aae7e1b82542aa91c482fb2edff713e06bf4045dac78d3f7513e030", size = 3957689, upload-time = "2026-05-25T15:13:52.725Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/ac/19/c727195de7d8fbcc83a1f8092cc4a0c1bdcd4813397c6146dacd6820f4ab/ingredient_parser_nlp-2.6.0-py3-none-any.whl", hash = "sha256:fdcf13534545a0df36f68fddd44cfd407f567504fde610bc6eaa8cd440bad70e", size = 4316441, upload-time = "2026-03-20T15:30:24.652Z" },
+    { url = "https://files.pythonhosted.org/packages/8c/3f/1f9bc3da4c266b43c7b50dff0ac1885700fd1556cb136d2cc972be02d0b6/ingredient_parser_nlp-2.7.0-py3-none-any.whl", hash = "sha256:cdb287a1e43ab7429ea96c98638c094fd99fcd8d124dd2d485debf2b328d7b5b", size = 3964058, upload-time = "2026-05-25T15:13:50.225Z" },
 ]

 [[package]]
@@ -751,14 +732,14 @@ wheels = [

 [[package]]
 name = "joserfc"
-version = "1.6.7"
+version = "1.6.8"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "cryptography" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/1b/cb/52e479f20804904f5df20ac4539d292dcecd1287aaa33cba1d1def1d9d8e/joserfc-1.6.7.tar.gz", hash = "sha256:6999fe89457069ecacd8cc797c88a805f83054dd883333fa0409f74b46479fd7", size = 232158, upload-time = "2026-05-23T01:46:44.069Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/5d/ac/d4fd5b30f82900eac60d765f179f0ba005825ac462cc8ced6e13ec685ab3/joserfc-1.6.8.tar.gz", hash = "sha256:878620c553a6ebdd76ccdc356782fee3f735f21a356d079a546b42a4670ace5f", size = 232930, upload-time = "2026-05-27T03:22:37.819Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/c5/e4/bcf6718b5662894c6831f46296b73cd4b1a2e90c20b6d437e20c4997388c/joserfc-1.6.7-py3-none-any.whl", hash = "sha256:9e51e4a64840aa1734a058258e80a4480e2ff2d5686e480e7c92c954a92fbe05", size = 70603, upload-time = "2026-05-23T01:46:42.129Z" },
+    { url = "https://files.pythonhosted.org/packages/98/8c/5cdce2cf3ce8155849baf9a5e2ce77e89dc87ec3bdb38259e5d85fbc45bd/joserfc-1.6.8-py3-none-any.whl", hash = "sha256:22fb31a69094a5e6f44632002a9df2c30c941fc6c8ce1b037e92c03de954cf9f", size = 70927, upload-time = "2026-05-27T03:22:35.796Z" },
 ]

 [[package]]
@@ -898,13 +879,11 @@ wheels = [

 [[package]]
 name = "mealie"
-version = "3.19.1"
+version = "3.19.2"
 source = { editable = "." }
 dependencies = [
    { name = "aiofiles" },
    { name = "alembic" },
-    { name = "aniso8601" },
-    { name = "appdirs" },
    { name = "apprise" },
    { name = "authlib" },
    { name = "bcrypt" },
@@ -979,18 +958,16 @@ docs = [
 requires-dist = [
    { name = "aiofiles", specifier = "==25.1.0" },
    { name = "alembic", specifier = "==1.18.4" },
-    { name = "aniso8601", specifier = "==10.0.1" },
-    { name = "appdirs", specifier = "==1.4.4" },
    { name = "apprise", specifier = "==1.10.0" },
    { name = "authlib", specifier = "==1.7.2" },
    { name = "bcrypt", specifier = "==5.0.0" },
    { name = "beautifulsoup4", specifier = "==4.14.3" },
    { name = "extruct", specifier = "==0.18.0" },
-    { name = "fastapi", specifier = "==0.136.1" },
+    { name = "fastapi", specifier = "==0.136.3" },
    { name = "html2text", specifier = "==2025.4.15" },
    { name = "httpx", specifier = "==0.28.1" },
    { name = "httpx-curl-cffi", specifier = "==0.1.5" },
-    { name = "ingredient-parser-nlp", specifier = "==2.6.0" },
+    { name = "ingredient-parser-nlp", specifier = "==2.7.0" },
    { name = "isodate", specifier = "==0.7.2" },
    { name = "itsdangerous", specifier = "==2.2.0" },
    { name = "jinja2", specifier = "==3.1.6" },
@@ -1015,18 +992,18 @@ requires-dist = [
    { name = "rapidfuzz", specifier = "==3.14.5" },
    { name = "recipe-scrapers", specifier = "==15.11.0" },
    { name = "requests", specifier = "==2.34.2" },
-    { name = "sqlalchemy", specifier = "==2.0.49" },
+    { name = "sqlalchemy", specifier = "==2.0.50" },
    { name = "text-unidecode", specifier = "==1.3" },
    { name = "typing-extensions", specifier = "==4.15.0" },
    { name = "tzdata", specifier = "==2026.2" },
-    { name = "uvicorn", extras = ["standard"], specifier = "==0.47.0" },
+    { name = "uvicorn", extras = ["standard"], specifier = "==0.48.0" },
    { name = "yt-dlp", specifier = "==2026.3.17" },
 ]
 provides-extras = ["pgsql"]

 [package.metadata.requires-dev]
 dev = [
-    { name = "coverage", specifier = "==7.14.0" },
+    { name = "coverage", specifier = "==7.14.1" },
    { name = "coveragepy-lcov", specifier = "==0.1.2" },
    { name = "freezegun", specifier = "==1.5.5" },
    { name = "mkdocs-material", specifier = "==9.7.6" },
@@ -1613,21 +1590,6 @@ wheels = [
    { url = "https://files.pythonhosted.org/packages/e5/35/f8b19922b6a25bc0880171a2f1a003eaeb93657475193ab516fd87cac9da/pytest_asyncio-1.3.0-py3-none-any.whl", hash = "sha256:611e26147c7f77640e6d0a92a38ed17c3e9848063698d5c93d5aa7aa11cebff5", size = 15075, upload-time = "2025-11-10T16:07:45.537Z" },
 ]

-[[package]]
-name = "python-crfsuite"
-version = "0.9.12"
-source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/b6/bb/946c0f96b4d3f7916f0558e19245d2248caebb3f470bcffae8fbf8d862e9/python_crfsuite-0.9.12.tar.gz", hash = "sha256:db37fccc3bd8f0c49c28a7697ca79c89d67b3fd5bf119122866169240ac4c480", size = 488298, upload-time = "2025-12-23T19:07:21.423Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/2a/be/c388376c4ca05b383dd17f0e1024b85c726a009543afd21e145a5fafff97/python_crfsuite-0.9.12-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:e68009911b28ff899da5a6be3ec1efc3c24886c92318d02d39ec29d329b08b90", size = 319352, upload-time = "2025-12-23T19:06:41.26Z" },
-    { url = "https://files.pythonhosted.org/packages/7a/0c/9725b097738f4a6aac9ac4e5a5fc6494eca69f17663d3d6ba8d0ea3858d2/python_crfsuite-0.9.12-cp312-cp312-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:7118a3b267c437a9701362f5eacd6d1ff2360305a9c872cc20a716cd005c13eb", size = 1207132, upload-time = "2025-12-23T19:06:43.035Z" },
-    { url = "https://files.pythonhosted.org/packages/63/3f/da9732ccb24b71a7539470dcdfcd16c923692788f39553f37238f208ca55/python_crfsuite-0.9.12-cp312-cp312-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:891bf2a5f410f17c5f9d76ab7330178a10142d48ed12f5c15b84f4c23fee80c7", size = 1245808, upload-time = "2025-12-23T19:06:44.293Z" },
-    { url = "https://files.pythonhosted.org/packages/45/6f/a0186566f7480725ec4027ed63a11a38c9cbbad53f7cd6ece4e0ec4961f9/python_crfsuite-0.9.12-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:812f963fb61cfa5bfbc91b92e058cee41808a9ce813c84ecab6691848cc3b51c", size = 2164442, upload-time = "2025-12-23T19:06:45.57Z" },
-    { url = "https://files.pythonhosted.org/packages/57/81/4c82aad97851431ec70c1cf46fdd2a58d2f79f68fa36bf4b7b4b8ed7ea6e/python_crfsuite-0.9.12-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:a696ef90c77344ba88e5d241ace35fd21ad31e43f878fc734668741db18ed186", size = 2266336, upload-time = "2025-12-23T19:06:47.123Z" },
-    { url = "https://files.pythonhosted.org/packages/d6/0f/19a46db879e400b0b82e6760d5c19e106a74870b5c0ce744da2efc32b143/python_crfsuite-0.9.12-cp312-cp312-win32.whl", hash = "sha256:e32c826e43fe8ac5c3b436bbddd8483f735a5638ea5dc07778d505cde78dc875", size = 282261, upload-time = "2025-12-23T19:06:48.81Z" },
-    { url = "https://files.pythonhosted.org/packages/36/ae/9a7bceadbc962871819b1752f8aa53f60e657579fb94520bfa9b0495acf3/python_crfsuite-0.9.12-cp312-cp312-win_amd64.whl", hash = "sha256:fa6258bf10d8185262dee8fe2ca8d3de3c7aecb990846329043fc895344cc939", size = 303081, upload-time = "2025-12-23T19:06:49.933Z" },
-]
-
 [[package]]
 name = "python-dateutil"
 version = "2.9.0.post0"
@@ -1887,22 +1849,22 @@ wheels = [

 [[package]]
 name = "sqlalchemy"
-version = "2.0.49"
+version = "2.0.50"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "greenlet", marker = "platform_machine == 'AMD64' or platform_machine == 'WIN32' or platform_machine == 'aarch64' or platform_machine == 'amd64' or platform_machine == 'ppc64le' or platform_machine == 'win32' or platform_machine == 'x86_64'" },
    { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/09/45/461788f35e0364a8da7bda51a1fe1b09762d0c32f12f63727998d85a873b/sqlalchemy-2.0.49.tar.gz", hash = "sha256:d15950a57a210e36dd4cec1aac22787e2a4d57ba9318233e2ef8b2daf9ff2d5f", size = 9898221, upload-time = "2026-04-03T16:38:11.704Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/57/da/6fbf010c8ebb347679d0d100b22fe9ba5e13fd04046c5df7280d2f0bf706/sqlalchemy-2.0.50.tar.gz", hash = "sha256:af5607d11ef90fd6a5c0549fe0045dce1663d427426bcfb506dcb5346a85a3b9", size = 9907424, upload-time = "2026-05-24T19:20:04.018Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/49/b3/2de412451330756aaaa72d27131db6dde23995efe62c941184e15242a5fa/sqlalchemy-2.0.49-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:4bbccb45260e4ff1b7db0be80a9025bb1e6698bdb808b83fff0000f7a90b2c0b", size = 2157681, upload-time = "2026-04-03T16:53:07.132Z" },
-    { url = "https://files.pythonhosted.org/packages/50/84/b2a56e2105bd11ebf9f0b93abddd748e1a78d592819099359aa98134a8bf/sqlalchemy-2.0.49-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:fb37f15714ec2652d574f021d479e78cd4eb9d04396dca36568fdfffb3487982", size = 3338976, upload-time = "2026-04-03T17:07:40Z" },
-    { url = "https://files.pythonhosted.org/packages/2c/fa/65fcae2ed62f84ab72cf89536c7c3217a156e71a2c111b1305ab6f0690e2/sqlalchemy-2.0.49-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:3bb9ec6436a820a4c006aad1ac351f12de2f2dbdaad171692ee457a02429b672", size = 3351937, upload-time = "2026-04-03T17:12:23.374Z" },
-    { url = "https://files.pythonhosted.org/packages/f8/2f/6fd118563572a7fe475925742eb6b3443b2250e346a0cc27d8d408e73773/sqlalchemy-2.0.49-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:8d6efc136f44a7e8bc8088507eaabbb8c2b55b3dbb63fe102c690da0ddebe55e", size = 3281646, upload-time = "2026-04-03T17:07:41.949Z" },
-    { url = "https://files.pythonhosted.org/packages/c5/d7/410f4a007c65275b9cf82354adb4bb8ba587b176d0a6ee99caa16fe638f8/sqlalchemy-2.0.49-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:e06e617e3d4fd9e51d385dfe45b077a41e9d1b033a7702551e3278ac597dc750", size = 3316695, upload-time = "2026-04-03T17:12:25.642Z" },
-    { url = "https://files.pythonhosted.org/packages/d9/95/81f594aa60ded13273a844539041ccf1e66c5a7bed0a8e27810a3b52d522/sqlalchemy-2.0.49-cp312-cp312-win32.whl", hash = "sha256:83101a6930332b87653886c01d1ee7e294b1fe46a07dd9a2d2b4f91bcc88eec0", size = 2117483, upload-time = "2026-04-03T17:05:40.896Z" },
-    { url = "https://files.pythonhosted.org/packages/47/9e/fd90114059175cac64e4fafa9bf3ac20584384d66de40793ae2e2f26f3bb/sqlalchemy-2.0.49-cp312-cp312-win_amd64.whl", hash = "sha256:618a308215b6cececb6240b9abde545e3acdabac7ae3e1d4e666896bf5ba44b4", size = 2144494, upload-time = "2026-04-03T17:05:42.282Z" },
-    { url = "https://files.pythonhosted.org/packages/e5/30/8519fdde58a7bdf155b714359791ad1dc018b47d60269d5d160d311fdc36/sqlalchemy-2.0.49-py3-none-any.whl", hash = "sha256:ec44cfa7ef1a728e88ad41674de50f6db8cfdb3e2af84af86e0041aaf02d43d0", size = 1942158, upload-time = "2026-04-03T16:53:44.135Z" },
+    { url = "https://files.pythonhosted.org/packages/be/b0/a9d19b43f38f878b1278bca5b00b909f7540d41494396dd2561f9ad0956d/sqlalchemy-2.0.50-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:23ae23d8b9d344d30d0a92f06d45825024a5790f1c1dd4cf452636a50d3e58cb", size = 2159807, upload-time = "2026-05-24T19:27:53.086Z" },
+    { url = "https://files.pythonhosted.org/packages/f5/2c/191dd58a248fd2cfd4780fa82c375c505e4ad98c8b522fa69ec492130d77/sqlalchemy-2.0.50-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:47b71b933e7b4ebad407c8fdfd70d2c4f08b78b3238bb30eebdd6eb32ca51b89", size = 3343358, upload-time = "2026-05-24T20:09:29.279Z" },
+    { url = "https://files.pythonhosted.org/packages/8a/2b/514fce8a7df81cf5bad7ff7865de7ac0c5776a38cc043475c4703eb7fe8b/sqlalchemy-2.0.50-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:110fdac56ace278949f00de805edacbd6141e382d992f9ba28238b3a0827a600", size = 3357994, upload-time = "2026-05-24T20:17:13.495Z" },
+    { url = "https://files.pythonhosted.org/packages/35/a6/a0e283f5494f92b0d77e319ff77e437b1ffe4a051ba67c81d53234825475/sqlalchemy-2.0.50-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:0f5e4ac70e9e757f6b3e87c0491ff034442ecd8dfd36d041a50564c322dafc0e", size = 3289399, upload-time = "2026-05-24T20:09:32.239Z" },
+    { url = "https://files.pythonhosted.org/packages/b7/96/1b07325ba71752d6a028b77d07bed1483ad545f794e8b1dc89b3ba3b3c68/sqlalchemy-2.0.50-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:724f3dcbe53dd0151e3cb5e7ec4ba4c620bede579caacd16275dc35ce06e8615", size = 3321216, upload-time = "2026-05-24T20:17:15.581Z" },
+    { url = "https://files.pythonhosted.org/packages/ed/8e/bad6ed253e8a99edfc99af02f7173ec48a1d3ed1b9b35a1b8bc1700900cc/sqlalchemy-2.0.50-cp312-cp312-win32.whl", hash = "sha256:1208050441471d003b7c8cb4054fb084f185cf35ac3f0ea270803865bca9939a", size = 2119194, upload-time = "2026-05-24T19:50:04.943Z" },
+    { url = "https://files.pythonhosted.org/packages/b6/2d/314a6690dda4b9cfc571eab1a63cf6fe6e1470aa3759ccda6aa016ee0f5a/sqlalchemy-2.0.50-cp312-cp312-win_amd64.whl", hash = "sha256:9d1af51558029a156a70986b7df88f042b3d158d7c8d8fb5072912d4b32d89c7", size = 2146186, upload-time = "2026-05-24T19:50:06.74Z" },
+    { url = "https://files.pythonhosted.org/packages/d0/10/f7220e9b784d295d241c86ed99aeb537f92afcd469a64861f2717e9bb077/sqlalchemy-2.0.50-py3-none-any.whl", hash = "sha256:92064363517a3ff8212b5a93b8c62876579d8dfd1ca5b561335f30152d884fa9", size = 1943861, upload-time = "2026-05-24T19:59:01.119Z" },
 ]

 [[package]]
@@ -2037,15 +1999,15 @@ wheels = [

 [[package]]
 name = "uvicorn"
-version = "0.47.0"
+version = "0.48.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "click" },
    { name = "h11" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/f6/b1/8e7077a8641086aea449e1b5752a570f1b5906c64e0a33cd6d93b63a066b/uvicorn-0.47.0.tar.gz", hash = "sha256:7c9a0ea1a9414106bbab7324609c162d8fa0cdcdcb703060987269d77c7bb533", size = 90582, upload-time = "2026-05-14T18:16:54.455Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/e6/bf/f6544ba992ddb9a6077343a576f9844f7f8f06ab819aefd00206e9255f18/uvicorn-0.48.0.tar.gz", hash = "sha256:a5504207195d08c2511bf9125ede5ac4a4b71725d519e758d01dcf0bc2d31c37", size = 91074, upload-time = "2026-05-24T12:08:41.925Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/15/41/ac2dfdbc1f60c7af4f994c7a335cfa7040c01642b605d65f611cecc2a1e4/uvicorn-0.47.0-py3-none-any.whl", hash = "sha256:2c5715bc12d1892d84752049f400cd1c3cb018514967fdfeb97640443a6a9432", size = 71301, upload-time = "2026-05-14T18:16:51.762Z" },
+    { url = "https://files.pythonhosted.org/packages/01/be/72532be3da7acc5fdfbccdb95215cd04f995a0886532a5b423f929cda4cc/uvicorn-0.48.0-py3-none-any.whl", hash = "sha256:48097851328b87ec36117d3d575234519eb58c2b22d79666e9bbc6c49a761dad", size = 71410, upload-time = "2026-05-24T12:08:40.258Z" },
 ]

 [package.optional-dependencies]
Author	SHA1	Message	Date
renovate[bot]	47c6d01617	chore(deps): update dependency vitest to v4 [security] (#7723 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-06-01 21:38:46 +00:00
renovate[bot]	653be9a604	chore(deps): update dependency pytest-asyncio to v1.4.0 (#7694 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-05-31 16:24:28 +00:00
Hayden	2d8b74282a	fix: harden recipe content against stored XSS (chips, instructions, asset media) (#7719 )	2026-05-31 16:14:16 +00:00
Hayden	48752bcd06	fix: support CSV/TXT upload and add validation for Plan to Eat import (#6360 ) (#7622 )	2026-05-31 15:59:50 +00:00
Hayden	a46620d236	chore: drop unused python dependencies aniso8601 and appdirs (#7717 )	2026-05-31 15:59:10 +00:00
Hayden	3bde6df958	chore: add 5-day dependency cooling period for supply-chain hardening (#7718 )	2026-05-31 15:55:15 +00:00
Brian Choromanski	e1ddc06eff	feat: Added version info to backup file (#7416 ) Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>	2026-05-31 15:35:52 +00:00
Zachary Schaffter	262b531add	feat: warn when deleting foods used in recipes (#7117 ) Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>	2026-05-31 10:42:13 -05:00
miah	364af97060	dev: Improve support for front end unit tests (#7163 )	2026-05-31 10:41:52 -05:00
Brian Choromanski	7b0d1fde64	feat: Enhanced PR Lint/Validation (#7329 ) Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>	2026-05-31 10:41:43 -05:00
Arsène Reymond	0af9633193	fix: add missing dependencies in package.json (#7709 ) Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>	2026-05-31 14:25:00 +00:00
mealie-actions[bot]	b5987f5a46	chore(l10n): Crowdin locale sync (#7713 ) Co-authored-by: GitHub Action <action@github.com>	2026-05-31 03:13:02 +00:00
mealie-commit-bot[bot]	e24187fefb	chore: bump version to v3.19.2	2026-05-29 04:11:50 +00:00
Michael Genson	396fcd5ee4	fix: Ensure secret key is not empty (#7701 )	2026-05-28 23:09:31 -05:00
renovate[bot]	5a3d202879	chore(deps): lock file maintenance (#7697 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-05-27 20:09:07 +00:00
renovate[bot]	62377ae7ad	fix(deps): update dependency ingredient-parser-nlp to v2.7.0 (#7695 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-05-27 19:34:54 +00:00
renovate[bot]	7498e22278	fix(deps): update dependency sqlalchemy to v2.0.50 (#7693 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-05-27 19:34:00 +00:00
renovate[bot]	af6c9e074e	fix(deps): update dependency uvicorn to v0.48.0 (#7696 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-05-27 19:33:15 +00:00
renovate[bot]	71dba654b8	chore(deps): update dependency coverage to v7.14.1 (#7691 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-05-27 19:31:38 +00:00
renovate[bot]	ba69fcf824	fix(deps): update dependency fastapi to v0.136.3 (#7692 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-05-27 19:31:05 +00:00
Michael Genson	8219ac0168	dev: Set renovarte bot PRs to "immediate" (#7690 )	2026-05-27 14:11:10 -05:00