Admin diagnostics reports wrong web-vault version (shows latest instead of compiled version)

Hello,

I’ve encountered a mismatch between the web-vault version shown in the admin diagnostics page and the version actually built and deployed.

Setup details:
Vaultwarden deployment type: Docker Compose
Web-vault source: Built manually from dani-garcia/bw_web_builds
Vaultwarden version: vaultwarden/server:1.34.3
Web-vault version targeted: v2025.7.0

Steps to reproduce:
Clone and build the web-vault:
git clone GitHub - dani-garcia/bw_web_builds: Web vault builds for vaultwarden
cd bw_web_builds
git checkout v2025.7.0
make checkout # (when prompted, entered: v2025.7.0)
make build
make tar

Update the Docker Compose volume mapping to use the built vault:
volumes:

• ./bw_web_builds/builds/bw_web_v2025.7.0.1:/web-vault:ro

Restart Vaultwarden:

docker compose -f /opt/vaultwarden/compose.yaml up -d

Observed behavior

Accessing myvaultdomain.tld/admin/diagnostics
→ Version reported: 2025.9.1 (latest available)

Accessing myvaultdomain.tld
→ Footer shows v2025.7.0, which matches the version built

Expected behavior
Both the admin diagnostics page and the web-vault footer should report the same version (v2025.7.0).

Additional notes
No cache or CDN is involved.
Containers were rebuilt from scratch.
The mismatch appears to come from the scripts/build_web_vault.sh which query GitHub upstream version reference rather than the locally served web vault.

vw-version-json1334×105 14.5 KB

Questions
Is the “Web Installed” version in /admin/diagnostics expected to always show the latest available web vault version (from upstream), regardless of what’s locally deployed?
Or is this a bug / misconfiguration when using a custom-built web vault?

Thanks in advance for clarifying how this version reporting is intended to work!

The footer probably shows the version in /web-vault/version.json while the admin shows the one from /web-vault/vw-version.json(if it exists). I think the assumption with the latter is that you only build the latest web-vault and not earlier versions.
The easiest fix for you would be to remove the vw-version.json file from your web-vault. So yes, you could consider that behavior a bug in our build script that should have used the git tag instead. (But even if we changed that now it would not work for older versions of the build script. You’d would have to build it with VAULT_VERSION=v2025.7.0 make full instead.)

I think it would be fine to not get the latest releases and just use the version string that’s using the package.json. The proper fix (for future versions) could be to update the web-vault’s package.json to match Vaultwarden’s release but I can’t from the top of my head say if that would break anything where a version check is used by the web-vault expecting the upstream CalVer format without any additional letters (e.g. v2024.6.2c).

Personally I think that we could probably get rid of this separate repository with the build scripts entirely and move the build logic for the web-vault to the main vaultwarden repository so that it can keep track of the version of the vw_web_builds repo instead of having to rely on a built web-vault that’s stored in a docker image. But no idea what the best approach to that would be. (I mean ideally I’d also like the web-vault to be able to be built reproducibly so that you can check that the one that is shipped in the vaultwarden container image was not altered but that’s a bit off topic.)

Thanks for the detailed explanation! Removing vw-version.json solved the issue.