chore(deps): update bunkerity/bunkerweb-ui docker tag to v1.6.9 #1099

Merged
renovate[bot] merged 1 commit into main from renovate/bunkerity-bunkerweb-ui-1.x
Mar 25, 2026

@renovate renovate bot commented Mar 13, 2026

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| bunkerity/bunkerweb-ui | patch | 1.6.8 → 1.6.9 |

Release Notes

bunkerity/bunkerweb (bunkerity/bunkerweb-ui)

v1.6.9

  • [SECURITY] Implement SafeFileSystemCache for Web UI session storage with token regeneration on privilege changes, preventing session fixation attacks.
  • [SECURITY] Sanitize uploaded filenames in the Web UI to strip path separators, null bytes, and control characters, preventing path traversal attacks.
  • [SECURITY] Add tar extraction path filtering in Let's Encrypt certificate handling to only allow expected directories, preventing path traversal. Add 300s timeout to certificate account registration. Use explicit whitelist for API environment variables.
  • [SECURITY] Validate IP addresses and service names across all ban management endpoints (API, Lua, UI, CLI) to prevent invalid data injection. Fix Redis key parsing for service names containing underscores.
  • [BUGFIX] Close local database connections before forking worker processes to prevent file descriptor leaks and connection pool corruption.
  • [BUGFIX] Fix race condition in instance update logic by using direct SQL UPDATE statements instead of ORM session operations.
  • [BUGFIX] Ensure thread safety when managing the session factory by moving instance update operations outside the synchronization lock.
  • [BUGFIX] Handle empty or unreadable certificates gracefully in Let's Encrypt retrieve_certificates and retrieve_certificates_info functions to prevent crashes during certificate enumeration.
  • [BUGFIX] Enhance error handling for missing server name in SSL certificate functions to avoid crashes when the server name is not yet configured.
  • [BUGFIX] Improve backup cleanup logic when replacing destination files to correctly remove leftover backups after a successful replacement.
  • [BUGFIX] Mark the Flask session as modified when adding flash messages to ensure session data is correctly persisted across redirects.
  • [BUGFIX] Fix Domeneshop DNS provider in the Let's Encrypt plugin to use the correct credential keys and ensure proper certificate generation.
  • [BUGFIX] Handle file-not-found and OS errors gracefully when archiving plugin UI pages in the database, and skip storing content when tar archiving fails to prevent corrupt data.
  • [BUGFIX] Return false instead of a potentially incorrect result when version comparison encounters invalid version strings, preventing spurious update notifications.
  • [BUGFIX] Validate gRPC host setting to only accept empty values or properly prefixed grpc:// / grpcs:// URIs.
  • [BUGFIX] Properly close the database connection when the scheduler stops, and fix configuration generation flag to only reset after a successful reload.
  • [BUGFIX] Add backup and rollback mechanism when deploying new configurations to BunkerWeb instances, preventing data loss if the file copy operation fails.
  • [BUGFIX] Generate and deploy initial configuration on first start before running plugin jobs, ensuring API endpoints are available when jobs execute.
  • [BUGFIX] Skip Content-Security-Policy header override in the antibot plugin when nonces are not available (e.g., HEAD requests), preventing malformed CSP headers.
  • [UI] Add confetti animation and visual unlock effect when activating a PRO License Key in the Web UI.
  • [UI] Fix service cloning to correctly strip the source service prefix from configuration keys, preventing settings from being ignored during import.
  • [UI] Rate-limit worker restarts to prevent excessive restarts when multiple plugin reload triggers fire in quick succession.
  • [UI] Fix crashes when CSRF validation or request teardown occurs outside a valid user context, improving stability during edge-case scenarios.
  • [API] Add lifespan handler to properly close database connections on shutdown, preventing connection leaks.
  • [DOCS] Update documentation and default configurations to remove the deprecated nightly CRS version and ensure full compatibility with CRS v4.
  • [DOCS] Update Domeneshop DNS provider credential key names in documentation to match the corrected client_token/client_secret keys.
  • [DOCS] Add documentation for the Cache PRO plugin covering response caching configuration and settings.
  • [DEPS] Update coreruleset-v4 version to v4.24.1

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
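
An added example, not BunkerWeb's code, of the kind of tar extraction path filtering the v1.6.9 release notes describe: members are kept only if they sit under an allowlisted top-level directory, and symlinks only if they resolve inside one. The directory names and all function names are assumptions, and the archive is constructed in memory.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Assumption: top-level directories of a certbot-style data folder. The page
# does not say which directories BunkerWeb expects.
ALLOWED_TOP_DIRS = frozenset({"live", "archive", "renewal", "accounts"})

def resolve_link(parent_parts, target):
    """Lexically resolve a symlink target; None if it leaves the archive root."""
    parts = list(parent_parts)
    for part in PurePosixPath(target).parts:
        if part == "/" or (part == ".." and not parts):
            return None
        if part == "..":
            parts.pop()
        else:
            parts.append(part)
    return parts

def is_allowed(member, allowed=ALLOWED_TOP_DIRS):
    """Keep files, dirs and in-tree symlinks that sit under an allowed directory."""
    parts = PurePosixPath(member.name).parts
    # An absolute name has "/" as its first part, so the allowlist rejects it too.
    if not parts or ".." in parts or parts[0] not in allowed:
        return False
    if member.issym():
        target = resolve_link(parts[:-1], member.linkname)
        return bool(target) and target[0] in allowed
    return member.isfile() or member.isdir()  # no hard links, devices or FIFOs

def partition_archive(data):
    """Return (kept, rejected) member names for a tar archive given as bytes."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        verdicts = [(m.name, is_allowed(m)) for m in tar.getmembers()]
    return [n for n, ok in verdicts if ok], [n for n, ok in verdicts if not ok]

def build_sample_archive():
    """Constructed sample: expected entries mixed with traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("archive/example.com/cert1.pem", "../../etc/cron.d/job",
                     "/root/.ssh/authorized_keys", "tmp/hook.sh"):
            tar.addfile(tarfile.TarInfo(name))  # empty regular file
        for name, target in (("live/example.com/cert.pem", "../../archive/example.com/cert1.pem"),
                             ("live/example.com/key.pem", "../../../etc/shadow")):
            link = tarfile.TarInfo(name)
            link.type, link.linkname = tarfile.SYMTYPE, target
            tar.addfile(link)
    return buf.getvalue()
```

When extracting, pass only the kept members, for instance through the `members` argument of `TarFile.extractall`.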

@autonomous-bancey

Plan Result (test_vpn_gateway)

No changes. Your infrastructure matches the configuration.

@autonomous-bancey

Plan Result (generate_ansible_inventory)

No changes. Your infrastructure matches the configuration.

@autonomous-bancey

Plan Result (prod_twingate)

No changes. Your infrastructure matches the configuration.

@autonomous-bancey

Plan Result (prod_vpn_gateway)

No changes. Your infrastructure matches the configuration.

@autonomous-bancey

Plan Result (test_gameserver)

No changes. Your infrastructure matches the configuration.

@autonomous-bancey

Plan Result (prod_gameserver)

No changes. Your infrastructure matches the configuration.

autonomous-bancey bot commented Mar 13, 2026

Plan Result (wanda_virtual_machines)

No changes. Your infrastructure matches the configuration.

@autonomous-bancey

Plan Result (prod_dns)

No changes. Your infrastructure matches the configuration.

autonomous-bancey bot commented Mar 13, 2026

Plan Result (tiny_virtual_machines)

No changes. Your infrastructure matches the configuration.

renovate bot force-pushed the renovate/bunkerity-bunkerweb-ui-1.x branch 10 times, most recently from 5b018a5 to b0adbb5 (March 22, 2026 22:22)
renovate bot force-pushed the renovate/bunkerity-bunkerweb-ui-1.x branch 5 times, most recently from 84ce0a2 to 22363c7 (March 24, 2026 21:16)
renovate bot force-pushed the renovate/bunkerity-bunkerweb-ui-1.x branch from 22363c7 to 4b1f6bc (March 25, 2026 10:18)

@mergify mergify bot left a comment

🤖 LGTM! beep boop

@renovate renovate bot merged commit 350f5ed into main Mar 25, 2026
18 checks passed
@renovate renovate bot deleted the renovate/bunkerity-bunkerweb-ui-1.x branch March 25, 2026 14:46