chore: version bump 2.33.3 (#1351 )

fix(CVE-2025-62725): upgrade github.com/docker/compose/v2 to v2.40.2 BE-12352 (#1344 )
fix(agent): for iamra and ecr login, detect errors and retry [be-12284] (#1309 )
2025-10-30 11:56:33 +13:00 · 2025-10-29 18:17:39 -03:00 · 2025-10-29 17:24:02 +13:00 · 2025-10-22 09:44:46 +13:00 · 2025-10-07 16:23:43 +13:00 · 2025-09-30 19:10:16 -03:00
1432 changed files with 33207 additions and 75352 deletions
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -17,7 +17,7 @@ plugins:
  - import

 parserOptions:
-  ecmaVersion: latest
+  ecmaVersion: 2018
  sourceType: module
  project: './tsconfig.json'
  ecmaFeatures:
@@ -114,13 +114,7 @@ overrides:
      '@typescript-eslint/explicit-module-boundary-types': off
      '@typescript-eslint/no-unused-vars': 'error'
      '@typescript-eslint/no-explicit-any': 'error'
-      'jsx-a11y/label-has-associated-control':
-        - error
-        - assert: either
-          controlComponents:
-            - Input
-            - Checkbox
-      'jsx-a11y/control-has-associated-label': off
+      'jsx-a11y/label-has-associated-control': ['error', { 'assert': 'either', controlComponents: ['Input', 'Checkbox'] }]
      'react/function-component-definition': ['error', { 'namedComponents': 'function-declaration' }]
      'react/jsx-no-bind': off
      'no-await-in-loop': 'off'
@@ -139,19 +133,15 @@ overrides:
          'react/jsx-props-no-spreading': off
  - files:
      - app/**/*.test.*
-    plugins:
-      - '@vitest'
    extends:
-      - 'plugin:@vitest/legacy-recommended'
+      - 'plugin:vitest/recommended'
    env:
-      '@vitest/env': true
+      'vitest/env': true
    rules:
      'react/jsx-no-constructed-context-values': off
      '@typescript-eslint/no-restricted-imports': off
      no-restricted-imports: off
      'react/jsx-props-no-spreading': off
-      '@vitest/no-conditional-expect': warn
-      'max-classes-per-file': off
  - files:
      - app/**/*.stories.*
    rules:
@@ -159,4 +149,3 @@ overrides:
      '@typescript-eslint/no-restricted-imports': off
      no-restricted-imports: off
      'react/jsx-props-no-spreading': off
-      'storybook/no-renderer-packages': off
--- a/.github/DISCUSSION_TEMPLATE/ideas.yaml
+++ b/.github/DISCUSSION_TEMPLATE/ideas.yaml
@@ -6,7 +6,7 @@ body:
        
        Thanks for suggesting an idea for Portainer!

-        Before opening a new idea or feature request, make sure that we do not have any duplicates already open. You can ensure this by [searching this discussion category](https://github.com/orgs/portainer/discussions/categories/ideas). If there is a duplicate, please add a comment to the existing idea instead.
+        Before opening a new idea or feature request, make sure that we do not have any duplicates already open. You can ensure this by [searching this discussion cagetory](https://github.com/orgs/portainer/discussions/categories/ideas). If there is a duplicate, please add a comment to the existing idea instead.

        Also, be sure to check our [knowledge base](https://portal.portainer.io/knowledge) and [documentation](https://docs.portainer.io) as they may point you toward a solution.
        
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -22,7 +22,7 @@ body:
      options:
        - label: Yes, I've searched similar issues on [GitHub](https://github.com/portainer/portainer/issues).
          required: true
-        - label: Yes, I've checked whether this issue is covered in the Portainer [documentation](https://docs.portainer.io).
+        - label: Yes, I've checked whether this issue is covered in the Portainer [documentation](https://docs.portainer.io) or [knowledge base](https://portal.portainer.io/knowledge).
          required: true

  - type: markdown
@@ -94,21 +94,6 @@ body:
      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
      multiple: false
      options:
-        - '2.39.0'
-        - '2.38.1'
-        - '2.38.0'
-        - '2.37.0'
-        - '2.36.0'
-        - '2.35.0'
-        - '2.34.0'
-        - '2.33.7'
-        - '2.33.6'
-        - '2.33.5'
-        - '2.33.4'
-        - '2.33.3'
-        - '2.33.2'
-        - '2.33.1'
-        - '2.33.0'
        - '2.32.0'
        - '2.31.3'
        - '2.31.2'
@@ -143,6 +128,8 @@ body:
        - '2.21.4'
        - '2.21.3'
        - '2.21.2'
+        - '2.21.1'
+        - '2.21.0'
    validations:
      required: true

--- a/.gitignore
+++ b/.gitignore
@@ -18,5 +18,3 @@ api/docs
 .env
 go.work.sum

-.vitest
-
--- a/.golangci-forward.yaml
+++ b/.golangci-forward.yaml
@@ -1,16 +0,0 @@
-version: "2"
-linters:
-  default: none
-  enable:
-    - forbidigo
-  settings:
-    forbidigo:
-      forbid:
-        - pattern: ^dataservices.DataStore.(EdgeGroup|EdgeJob|EdgeStack|EndpointRelation|Endpoint|GitCredential|Registry|ResourceControl|Role|Settings|Snapshot|SSLSettings|Stack|Tag|User)$
-          msg: Use a transaction instead
-      analyze-types: true
-  exclusions:
-    rules:
-      - path: _test\.go
-        linters:
-          - forbidigo
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,14 +1,10 @@
 version: "2"
-
-run:
-  allow-parallel-runners: true
 linters:
  default: none
  enable:
    - bodyclose
    - copyloopvar
    - depguard
-    - errcheck
    - errorlint
    - forbidigo
    - govet
@@ -17,18 +13,6 @@ linters:
    - perfsprint
    - staticcheck
    - unused
-    - mirror
-    - durationcheck
-    - errorlint
-    - govet
-    - usetesting
-    - zerologlint
-    - testifylint
-    - modernize
-    - unconvert
-    - unused
-    - zerologlint
-    - exptostd
  settings:
    staticcheck:
      checks: ["all", "-ST1003", "-ST1005", "-ST1016", "-SA1019", "-QF1003"]
@@ -48,44 +32,12 @@ linters:
              desc: use github.com/portainer/portainer/pkg/libcrypto
            - pkg: github.com/portainer/libhttp
              desc: use github.com/portainer/portainer/pkg/libhttp
-            - pkg: golang.org/x/crypto
-              desc: golang.org/x/crypto is not allowed because of FIPS mode
-            - pkg: github.com/ProtonMail/go-crypto/openpgp
-              desc: github.com/ProtonMail/go-crypto/openpgp is not allowed because of FIPS mode
-            - pkg: github.com/cosi-project/runtime
-              desc: github.com/cosi-project/runtime is not allowed because of FIPS mode
-            - pkg: gopkg.in/yaml.v2
-              desc: use go.yaml.in/yaml/v3 instead
-            - pkg: gopkg.in/yaml.v3
-              desc: use go.yaml.in/yaml/v3 instead
-            - pkg: github.com/golang-jwt/jwt/v4
-              desc: use github.com/golang-jwt/jwt/v5 instead
-            - pkg: github.com/mitchellh/mapstructure
-              desc: use github.com/go-viper/mapstructure/v2 instead
-            - pkg: gopkg.in/alecthomas/kingpin.v2
-              desc: use github.com/alecthomas/kingpin/v2 instead
-            - pkg: github.com/jcmturner/gokrb5$
-              desc: use github.com/jcmturner/gokrb5/v8 instead
-            - pkg: github.com/gofrs/uuid
-              desc: use github.com/google/uuid
-            - pkg: github.com/Masterminds/semver$
-              desc: use github.com/Masterminds/semver/v3
-            - pkg: github.com/blang/semver
-              desc: use github.com/Masterminds/semver/v3
-            - pkg: github.com/coreos/go-semver
-              desc: use github.com/Masterminds/semver/v3
-            - pkg: github.com/hashicorp/go-version
-              desc: use github.com/Masterminds/semver/v3
    forbidigo:
      forbid:
        - pattern: ^tls\.Config$
          msg: Use crypto.CreateTLSConfiguration() instead
        - pattern: ^tls\.Config\.(InsecureSkipVerify|MinVersion|MaxVersion|CipherSuites|CurvePreferences)$
          msg: Do not set this field directly, use crypto.CreateTLSConfiguration() instead
-        - pattern: ^object\.(Commit|Tag)\.Verify$
-          msg: "Not allowed because of FIPS mode"
-        - pattern: ^(types\.SystemContext\.)?(DockerDaemonInsecureSkipTLSVerify|DockerInsecureSkipTLSVerify|OCIInsecureSkipTLSVerify)$
-          msg: "Not allowed because of FIPS mode"
      analyze-types: true
  exclusions:
    generated: lax
@@ -93,13 +45,12 @@ linters:
      - comments
      - common-false-positives
      - legacy
+      - std-error-handling
    paths:
      - third_party$
      - builtin$
      - examples$
 formatters:
-  enable:
-    - gofmt
  exclusions:
    generated: lax
    paths:
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,4 +1,4 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"

-cd $(dirname -- "$0") && pnpm lint-staged
+cd $(dirname -- "$0") && yarn lint-staged
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,3 +1,2 @@
 dist
-api/datastore/test_data
-coverage
+api/datastore/test_data
--- a/.storybook/main.ts
+++ b/.storybook/main.ts
@@ -9,38 +9,20 @@ const config: StorybookConfig = {
  addons: [
    '@storybook/addon-links',
    '@storybook/addon-essentials',
-    '@storybook/addon-webpack5-compiler-swc',
-    '@chromatic-com/storybook',
    {
-      name: '@storybook/addon-styling-webpack',
-
+      name: '@storybook/addon-styling',
      options: {
-        rules: [
-          {
-            test: /\.css$/,
-            sideEffects: true,
-            use: [
-              require.resolve('style-loader'),
-              {
-                loader: require.resolve('css-loader'),
-                options: {
-                  importLoaders: 1,
-                  modules: {
-                    localIdentName: '[path][name]__[local]',
-                    auto: true,
-                    exportLocalsConvention: 'camelCaseOnly',
-                  },
-                },
-              },
-              {
-                loader: require.resolve('postcss-loader'),
-                options: {
-                  implementation: postcss,
-                },
-              },
-            ],
+        cssLoaderOptions: {
+          importLoaders: 1,
+          modules: {
+            localIdentName: '[path][name]__[local]',
+            auto: true,
+            exportLocalsConvention: 'camelCaseOnly',
          },
-        ],
+        },
+        postCss: {
+          implementation: postcss,
+        },
      },
    },
  ],
--- a/.storybook/preview.tsx
+++ b/.storybook/preview.tsx
@@ -1,9 +1,9 @@
 import '../app/assets/css';
+import React from 'react';
 import { pushStateLocationPlugin, UIRouter } from '@uirouter/react';
 import { initialize as initMSW, mswLoader } from 'msw-storybook-addon';
 import { handlers } from '../app/setup-tests/server-handlers';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
-import { Preview } from '@storybook/react';

 initMSW(
  {
@@ -21,30 +21,31 @@ initMSW(
  handlers
 );

+export const parameters = {
+  actions: { argTypesRegex: '^on[A-Z].*' },
+  controls: {
+    matchers: {
+      color: /(background|color)$/i,
+      date: /Date$/,
+    },
+  },
+  msw: {
+    handlers,
+  },
+};
+
 const testQueryClient = new QueryClient({
  defaultOptions: { queries: { retry: false } },
 });

-const preview: Preview = {
-  decorators: (Story) => (
+export const decorators = [
+  (Story) => (
    <QueryClientProvider client={testQueryClient}>
      <UIRouter plugins={[pushStateLocationPlugin]}>
        <Story />
      </UIRouter>
    </QueryClientProvider>
  ),
-  loaders: [mswLoader],
-  parameters: {
-    controls: {
-      matchers: {
-        color: /(background|color)$/i,
-        date: /Date$/,
-      },
-    },
-    msw: {
-      handlers,
-    },
-  },
-};
+];

-export default preview;
+export const loaders = [mswLoader];
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,44 +0,0 @@
-# Portainer Community Edition
-
-Open-source container management platform with full Docker and Kubernetes support.
-
-see also:
-
- docs/guidelines/server-architecture.md
- docs/guidelines/go-conventions.md
- docs/guidelines/typescript-conventions.md
-
-## Package Manager
-
- **PNPM** 10+ (for frontend)
- **Go** 1.25.7 (for backend)
-
-## Build Commands
-
-```bash
-# Full build
-make build              # Build both client and server
-make build-client       # Build React/AngularJS frontend
-make build-server       # Build Go binary
-make build-image        # Build Docker image
-
-# Development
-make dev                # Run both in dev mode
-make dev-client         # Start webpack-dev-server (port 8999)
-make dev-server         # Run containerized Go server
-
-pnpm run dev            # Webpack dev server
-pnpm run build          # Build frontend with webpack
-pnpm run test           # Run frontend tests
-
-# Testing
-make test               # All tests (backend + frontend)
-make test-server        # Backend tests only
-make lint               # Lint all code
-make format             # Format code
-```
-
-## Development Servers
-
- Frontend: http://localhost:8999
- Backend: http://localhost:9000 (HTTP) / https://localhost:9443 (HTTPS)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -77,7 +77,7 @@ The feature request process is similar to the bug report process but has an extr

 ## Build and run Portainer locally

-Ensure you have Docker, Node.js, pnpm, and Golang installed in the correct versions.
+Ensure you have Docker, Node.js, yarn, and Golang installed in the correct versions.

 Install dependencies:

--- a/36
+++ b/36
@@ -1,3 +1,9 @@
+# See: https://gist.github.com/asukakenji/f15ba7e588ac42795f421b48b8aede63
+# For a list of valid GOOS and GOARCH values
+# Note: these can be overriden on the command line e.g. `make PLATFORM=<platform> ARCH=<arch>`
+PLATFORM=$(shell go env GOOS)
+ARCH=$(shell go env GOARCH)
+
 # build target, can be one of "production", "testing", "development"
 ENV=development
 WEBPACK_CONFIG=webpack/webpack.$(ENV).js
@@ -20,7 +26,7 @@ all: tidy deps build-server build-client ## Build the client, server and downloa
 build-all: all ## Alias for the 'all' target (used by CI)

 build-client: init-dist ## Build the client
-	export NODE_ENV=$(ENV) && pnpm run build --config $(WEBPACK_CONFIG)
+	export NODE_ENV=$(ENV) && yarn build --config $(WEBPACK_CONFIG)

 build-server: init-dist ## Build the server binary
 	./build/build_binary.sh "$(PLATFORM)" "$(ARCH)"
@@ -29,7 +35,11 @@ build-image: build-all ## Build the Portainer image locally
 	docker buildx build --load -t portainerci/portainer-ce:$(TAG) -f build/linux/Dockerfile .

 build-storybook: ## Build and serve the storybook files
-	pnpm run storybook:build
+	yarn storybook:build
+
+devops: clean deps build-client ## Build the everything target specifically for CI
+	echo "Building the devops binary..."
+	@./build/build_binary_azuredevops.sh "$(PLATFORM)" "$(ARCH)"

 ##@ Build dependencies
 .PHONY: deps server-deps client-deps tidy
@@ -39,23 +49,25 @@ server-deps: init-dist ## Download dependant server binaries
 	@./build/download_binaries.sh $(PLATFORM) $(ARCH)

 client-deps: ## Install client dependencies
-	pnpm install
+	yarn

 tidy: ## Tidy up the go.mod file
 	@go mod tidy

+
 ##@ Cleanup
 .PHONY: clean
 clean: ## Remove all build and download artifacts
 	@echo "Clearing the dist directory..."
 	@rm -rf dist/*

+
 ##@ Testing
 .PHONY: test test-client test-server
 test: test-server test-client ## Run all tests

 test-client: ## Run client tests
-	pnpm run test $(ARGS) --coverage
+	yarn test $(ARGS) --coverage

 test-server:	## Run server tests
 	$(GOTESTSUM) --format pkgname-and-test-fails --format-hide-empty-pkg --hide-summary skipped -- -cover -covermode=atomic -coverprofile=coverage.out ./...
@@ -67,7 +79,7 @@ dev: ## Run both the client and server in development mode
 	make dev-client

 dev-client: ## Run the client in development mode
-	pnpm install && pnpm run dev
+	yarn dev

 dev-server: build-server ## Run the server in development mode
 	@./dev/run_container.sh
@@ -81,7 +93,7 @@ dev-server-podman: build-server ## Run the server in development mode
 format: format-client format-server ## Format all code

 format-client: ## Format client code
-	pnpm run format
+	yarn format

 format-server: ## Format server code
 	go fmt ./...
@@ -91,26 +103,26 @@ format-server: ## Format server code
 lint: lint-client lint-server ## Lint all code

 lint-client: ## Lint client code
-	pnpm run lint
+	yarn lint

-lint-server: tidy ## Lint server code
+lint-server: ## Lint server code
 	golangci-lint run --timeout=10m -c .golangci.yaml
-	golangci-lint run --timeout=10m --new-from-rev=HEAD~ -c .golangci-forward.yaml
+

 ##@ Extension
 .PHONY: dev-extension
 dev-extension: build-server build-client ## Run the extension in development mode
 	make local -f build/docker-extension/Makefile

+
 ##@ Docs
 .PHONY: docs-build docs-validate docs-clean docs-validate-clean
 docs-build: init-dist ## Build docs
-	go mod download -x
 	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 -p pascalcase --markdownFiles ./

 docs-validate: docs-build ## Validate docs
-	pnpm swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml
-	pnpm swagger-cli validate dist/docs/openapi.yaml
+	yarn swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml
+	yarn swagger-cli validate dist/docs/openapi.yaml

 ##@ Helpers
 .PHONY: help
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@ You can join the Portainer Community by visiting [https://www.portainer.io/join-

 ## Security

-For information about reporting security vulnerabilities, please see our [Security Policy](SECURITY.md).
+- Here at Portainer, we believe in [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) of security issues. If you have found a security issue, please report it to <security@portainer.io>.

 ## Work for us

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,61 +0,0 @@
-# Security Policy
-
-## Supported Versions
-
-Portainer maintains both Short-Term Support (STS) and Long-Term Support (LTS) versions in accordance with our official [Portainer Lifecycle Policy](https://docs.portainer.io/start/lifecycle).
-
-| Version Type | Support Status |
-| --- | --- |
-| LTS (Long-Term Support) | Supported for critical security fixes |
-| STS (Short-Term Support) | Supported until the next STS or LTS release |
-| Legacy / EOL | Not supported |
-
-For a detailed breakdown of current versions and their specific End of Life (EOL) dates, 
-please refer to the [Portainer Lifecycle Policy](https://docs.portainer.io/start/lifecycle).
-
-## Reporting a Vulnerability
-
-The Portainer team takes the security of our products seriously. If you believe you have found a security vulnerability in any Portainer-owned repository, please report it to us responsibly.
-
-**Please do not report security vulnerabilities via public GitHub issues.**
-
-### Disclosure Process
-
-1. **Report**: You can report in one of two ways:
-
-    - **GitHub**: Use the **Report a vulnerability** button on the **Security** tab of this repository.
-
-    - **Email**: Send your findings to security@portainer.io.
-
-2. **Details**: To help us verify the issue, please include:
-
-    - A description of the vulnerability and its potential impact.
-
-    - Step-by-step instructions to reproduce the issue (e.g. proof-of-concept code, scripts, or screenshots).
-
-    - The version of the software and the environment in which it was found.
-
-3. **Acknowledge**: We will acknowledge receipt of your report and provide an initial assessment.
-
-4. **Resolution**: We will work to resolve the issue as quickly as possible. We request that you do not disclose the vulnerability publicly until we have released a fix and notified affected users.
-
-## Our Commitment
-
-If you follow the responsible disclosure process, we will:
-
- Respond to your report in a timely manner.
-
- Provide an estimated timeline for remediation.
-
- Notify you when the vulnerability has been patched.
-
- Give credit for the discovery (if desired) once the fix is public.
-
-
-We will make every effort to promptly address any security weaknesses. Security advisories and fixes will be published through GitHub Security Advisories and other channels as needed.
-
-Thank you for helping keep Portainer and our community secure.
-
-## Resources
-
- [Contributing to Portainer](https://docs.portainer.io/contribute/contribute#contributing-to-the-portainer-ce-codebase)
--- a/api/agent/version.go
+++ b/api/agent/version.go
@@ -11,18 +11,20 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/url"
-
-	"github.com/rs/zerolog/log"
 )

 // GetAgentVersionAndPlatform returns the agent version and platform
 //
 // it sends a ping to the agent and parses the version and platform from the headers
 func GetAgentVersionAndPlatform(endpointUrl string, tlsConfig *tls.Config) (portainer.AgentPlatform, string, error) { //nolint:forbidigo
-	httpCli := &http.Client{Timeout: 3 * time.Second}
+	httpCli := &http.Client{
+		Timeout: 3 * time.Second,
+	}

 	if tlsConfig != nil {
-		httpCli.Transport = &http.Transport{TLSClientConfig: tlsConfig}
+		httpCli.Transport = &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
 	}

 	parsedURL, err := url.ParseURL(endpointUrl + "/ping")
@@ -42,10 +44,8 @@ func GetAgentVersionAndPlatform(endpointUrl string, tlsConfig *tls.Config) (port
 		return 0, "", err
 	}

-	_, _ = io.Copy(io.Discard, resp.Body)
-	if err := resp.Body.Close(); err != nil {
-		log.Warn().Err(err).Msg("failed to close response body")
-	}
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()

 	if resp.StatusCode != http.StatusNoContent {
 		return 0, "", fmt.Errorf("Failed request with status %d", resp.StatusCode)
--- a/api/apikey/apikey_test.go
+++ b/api/apikey/apikey_test.go
@@ -10,31 +10,31 @@ func Test_generateRandomKey(t *testing.T) {
 	is := assert.New(t)

 	tests := []struct {
-		name       string
-		wantLength int
+		name      string
+		wantLenth int
 	}{
 		{
-			name:       "Generate a random key of length 16",
-			wantLength: 16,
+			name:      "Generate a random key of length 16",
+			wantLenth: 16,
 		},
 		{
-			name:       "Generate a random key of length 32",
-			wantLength: 32,
+			name:      "Generate a random key of length 32",
+			wantLenth: 32,
 		},
 		{
-			name:       "Generate a random key of length 64",
-			wantLength: 64,
+			name:      "Generate a random key of length 64",
+			wantLenth: 64,
 		},
 		{
-			name:       "Generate a random key of length 128",
-			wantLength: 128,
+			name:      "Generate a random key of length 128",
+			wantLenth: 128,
 		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := GenerateRandomKey(tt.wantLength)
-			is.Len(got, tt.wantLength)
+			got := GenerateRandomKey(tt.wantLenth)
+			is.Equal(tt.wantLenth, len(got))
 		})
 	}

--- a/api/apikey/service_test.go
+++ b/api/apikey/service_test.go
@@ -10,10 +10,9 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
+	"github.com/stretchr/testify/assert"

 	"github.com/rs/zerolog/log"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func Test_SatisfiesAPIKeyServiceInterface(t *testing.T) {
@@ -31,7 +30,7 @@ func Test_GenerateApiKey(t *testing.T) {
 	t.Run("Successfully generates API key", func(t *testing.T) {
 		desc := "test-1"
 		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, desc)
-		require.NoError(t, err)
+		is.NoError(err)
 		is.NotEmpty(rawKey)
 		is.NotEmpty(apiKey)
 		is.Equal(desc, apiKey.Description)
@@ -39,7 +38,7 @@ func Test_GenerateApiKey(t *testing.T) {

 	t.Run("Api key prefix is 7 chars", func(t *testing.T) {
 		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-2")
-		require.NoError(t, err)
+		is.NoError(err)

 		is.Equal(rawKey[:7], apiKey.Prefix)
 		is.Len(apiKey.Prefix, 7)
@@ -47,7 +46,7 @@ func Test_GenerateApiKey(t *testing.T) {

 	t.Run("Api key has 'ptr_' as prefix", func(t *testing.T) {
 		rawKey, _, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-x")
-		require.NoError(t, err)
+		is.NoError(err)

 		is.Equal(portainerAPIKeyPrefix, "ptr_")
 		is.True(strings.HasPrefix(rawKey, "ptr_"))
@@ -56,7 +55,7 @@ func Test_GenerateApiKey(t *testing.T) {
 	t.Run("Successfully caches API key", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-3")
-		require.NoError(t, err)
+		is.NoError(err)

 		userFromCache, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
 		is.True(ok)
@@ -66,7 +65,7 @@ func Test_GenerateApiKey(t *testing.T) {

 	t.Run("Decoded raw api-key digest matches generated digest", func(t *testing.T) {
 		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-4")
-		require.NoError(t, err)
+		is.NoError(err)

 		generatedDigest := sha256.Sum256([]byte(rawKey))

@@ -84,10 +83,10 @@ func Test_GetAPIKey(t *testing.T) {
 	t.Run("Successfully returns all API keys", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		require.NoError(t, err)
+		is.NoError(err)

 		apiKeyGot, err := service.GetAPIKey(apiKey.ID)
-		require.NoError(t, err)
+		is.NoError(err)

 		is.Equal(apiKey, apiKeyGot)
 	})
@@ -103,12 +102,12 @@ func Test_GetAPIKeys(t *testing.T) {
 	t.Run("Successfully returns all API keys", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, _, err := service.GenerateApiKey(user, "test-1")
-		require.NoError(t, err)
+		is.NoError(err)
 		_, _, err = service.GenerateApiKey(user, "test-2")
-		require.NoError(t, err)
+		is.NoError(err)

 		keys, err := service.GetAPIKeys(user.ID)
-		require.NoError(t, err)
+		is.NoError(err)
 		is.Len(keys, 2)
 	})
 }
@@ -123,10 +122,10 @@ func Test_GetDigestUserAndKey(t *testing.T) {
 	t.Run("Successfully returns user and api key associated to digest", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		require.NoError(t, err)
+		is.NoError(err)

 		userGot, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		require.NoError(t, err)
+		is.NoError(err)
 		is.Equal(user, userGot)
 		is.Equal(*apiKey, apiKeyGot)
 	})
@@ -134,10 +133,10 @@ func Test_GetDigestUserAndKey(t *testing.T) {
 	t.Run("Successfully caches user and api key associated to digest", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		require.NoError(t, err)
+		is.NoError(err)

 		userGot, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		require.NoError(t, err)
+		is.NoError(err)
 		is.Equal(user, userGot)
 		is.Equal(*apiKey, apiKeyGot)

@@ -157,19 +156,16 @@ func Test_UpdateAPIKey(t *testing.T) {

 	t.Run("Successfully updates the api-key LastUsed time", func(t *testing.T) {
 		user := portainer.User{ID: 1}
-
-		err := store.User().Create(&user)
-		require.NoError(t, err)
-
+		store.User().Create(&user)
 		_, apiKey, err := service.GenerateApiKey(user, "test-x")
-		require.NoError(t, err)
+		is.NoError(err)

 		apiKey.LastUsed = time.Now().UTC().Unix()
 		err = service.UpdateAPIKey(apiKey)
-		require.NoError(t, err)
+		is.NoError(err)

 		_, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		require.NoError(t, err)
+		is.NoError(err)

 		log.Debug().Str("wanted", fmt.Sprintf("%+v", apiKey)).Str("got", fmt.Sprintf("%+v", apiKeyGot)).Msg("")

@@ -178,7 +174,7 @@ func Test_UpdateAPIKey(t *testing.T) {

 	t.Run("Successfully updates api-key in cache upon api-key update", func(t *testing.T) {
 		_, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-x2")
-		require.NoError(t, err)
+		is.NoError(err)

 		_, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
 		is.True(ok)
@@ -188,7 +184,7 @@ func Test_UpdateAPIKey(t *testing.T) {
 		is.NotEqual(*apiKey, apiKeyFromCache)

 		err = service.UpdateAPIKey(apiKey)
-		require.NoError(t, err)
+		is.NoError(err)

 		_, updatedAPIKeyFromCache, ok := service.cache.Get(apiKey.Digest)
 		is.True(ok)
@@ -206,30 +202,30 @@ func Test_DeleteAPIKey(t *testing.T) {
 	t.Run("Successfully updates the api-key", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		require.NoError(t, err)
+		is.NoError(err)

 		_, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		require.NoError(t, err)
+		is.NoError(err)
 		is.Equal(*apiKey, apiKeyGot)

 		err = service.DeleteAPIKey(apiKey.ID)
-		require.NoError(t, err)
+		is.NoError(err)

 		_, _, err = service.GetDigestUserAndKey(apiKey.Digest)
-		require.Error(t, err)
+		is.Error(err)
 	})

 	t.Run("Successfully removes api-key from cache upon deletion", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		require.NoError(t, err)
+		is.NoError(err)

 		_, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
 		is.True(ok)
 		is.Equal(*apiKey, apiKeyFromCache)

 		err = service.DeleteAPIKey(apiKey.ID)
-		require.NoError(t, err)
+		is.NoError(err)

 		_, _, ok = service.cache.Get(apiKey.Digest)
 		is.False(ok)
@@ -247,10 +243,10 @@ func Test_InvalidateUserKeyCache(t *testing.T) {
 		// generate api keys
 		user := portainer.User{ID: 1}
 		_, apiKey1, err := service.GenerateApiKey(user, "test-1")
-		require.NoError(t, err)
+		is.NoError(err)

 		_, apiKey2, err := service.GenerateApiKey(user, "test-2")
-		require.NoError(t, err)
+		is.NoError(err)

 		// verify api keys are present in cache
 		_, apiKeyFromCache, ok := service.cache.Get(apiKey1.Digest)
@@ -277,11 +273,11 @@ func Test_InvalidateUserKeyCache(t *testing.T) {
 		// generate keys for 2 users
 		user1 := portainer.User{ID: 1}
 		_, apiKey1, err := service.GenerateApiKey(user1, "test-1")
-		require.NoError(t, err)
+		is.NoError(err)

 		user2 := portainer.User{ID: 2}
 		_, apiKey2, err := service.GenerateApiKey(user2, "test-2")
-		require.NoError(t, err)
+		is.NoError(err)

 		// verify keys in cache
 		_, apiKeyFromCache, ok := service.cache.Get(apiKey1.Digest)
--- a/api/archive/tar.go
+++ b/api/archive/tar.go
@@ -17,15 +17,18 @@ func TarFileInBuffer(fileContent []byte, fileName string, mode int64) ([]byte, e
 		Size: int64(len(fileContent)),
 	}

-	if err := tarWriter.WriteHeader(header); err != nil {
+	err := tarWriter.WriteHeader(header)
+	if err != nil {
 		return nil, err
 	}

-	if _, err := tarWriter.Write(fileContent); err != nil {
+	_, err = tarWriter.Write(fileContent)
+	if err != nil {
 		return nil, err
 	}

-	if err := tarWriter.Close(); err != nil {
+	err = tarWriter.Close()
+	if err != nil {
 		return nil, err
 	}

@@ -40,7 +43,10 @@ type tarFileInBuffer struct {

 func NewTarFileInBuffer() *tarFileInBuffer {
 	var b bytes.Buffer
-	return &tarFileInBuffer{b: &b, w: tar.NewWriter(&b)}
+	return &tarFileInBuffer{
+		b: &b,
+		w: tar.NewWriter(&b),
+	}
 }

 // Put puts a single file to tar archive buffer.
@@ -55,9 +61,11 @@ func (t *tarFileInBuffer) Put(fileContent []byte, fileName string, mode int64) e
 		return err
 	}

-	_, err := t.w.Write(fileContent)
+	if _, err := t.w.Write(fileContent); err != nil {
+		return err
+	}

-	return err
+	return nil
 }

 // Bytes returns the archive as a byte array.
--- a/api/archive/targz.go
+++ b/api/archive/targz.go
@@ -9,9 +9,6 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
-
-	"github.com/portainer/portainer/api/filesystem"
-	"github.com/portainer/portainer/api/logs"
 )

 // TarGzDir creates a tar.gz archive and returns it's path.
@@ -23,13 +20,12 @@ func TarGzDir(absolutePath string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer logs.CloseAndLogErr(outFile)
+	defer outFile.Close()

 	zipWriter := gzip.NewWriter(outFile)
-	defer logs.CloseAndLogErr(zipWriter)
-
+	defer zipWriter.Close()
 	tarWriter := tar.NewWriter(zipWriter)
-	defer logs.CloseAndLogErr(tarWriter)
+	defer tarWriter.Close()

 	err = filepath.Walk(absolutePath, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
@@ -90,7 +86,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 	if err != nil {
 		return err
 	}
-	defer logs.CloseAndLogErr(zipReader)
+	defer zipReader.Close()

 	tarReader := tar.NewReader(zipReader)

@@ -109,7 +105,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 		case tar.TypeDir:
 			// skip, dir will be created with a file
 		case tar.TypeReg:
-			p := filesystem.JoinPaths(outputDirPath, header.Name)
+			p := filepath.Clean(filepath.Join(outputDirPath, header.Name))
 			if err := os.MkdirAll(filepath.Dir(p), 0o744); err != nil {
 				return fmt.Errorf("Failed to extract dir %s", filepath.Dir(p))
 			}
@@ -120,7 +116,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 			if _, err := io.Copy(outFile, tarReader); err != nil {
 				return fmt.Errorf("Failed to extract file %s", header.Name)
 			}
-			logs.CloseAndLogErr(outFile)
+			outFile.Close()
 		default:
 			return fmt.Errorf("tar: unknown type: %v in %s",
 				header.Typeflag,
--- a/api/archive/targz_test.go
+++ b/api/archive/targz_test.go
@@ -1,34 +1,24 @@
 package archive

 import (
-	"archive/tar"
-	"compress/gzip"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"testing"

-	"github.com/portainer/portainer/api/filesystem"
-	"github.com/rs/zerolog/log"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func listFiles(dir string) []string {
 	items := make([]string, 0)
-
-	if err := filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
+	filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
 		if path == dir {
 			return nil
 		}
-
 		items = append(items, path)
-
 		return nil
-	}); err != nil {
-		log.Warn().Err(err).Msg("failed to list files in directory")
-	}
+	})

 	return items
 }
@@ -36,21 +26,13 @@ func listFiles(dir string) []string {
 func Test_shouldCreateArchive(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
-
-	err := os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
-	require.NoError(t, err)
-
-	err = os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
-	require.NoError(t, err)
-
-	err = os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
-	require.NoError(t, err)
-
-	err = os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
-	require.NoError(t, err)
+	os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
+	os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
+	os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
+	os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)

 	gzPath, err := TarGzDir(tmpdir)
-	require.NoError(t, err)
+	assert.Nil(t, err)
 	assert.Equal(t, filepath.Join(tmpdir, filepath.Base(tmpdir)+".tar.gz"), gzPath)

 	extractionDir := t.TempDir()
@@ -63,8 +45,7 @@ func Test_shouldCreateArchive(t *testing.T) {
 	wasExtracted := func(p string) {
 		fullpath := path.Join(extractionDir, p)
 		assert.Contains(t, extractedFiles, fullpath)
-		copyContent, err := os.ReadFile(fullpath)
-		require.NoError(t, err)
+		copyContent, _ := os.ReadFile(fullpath)
 		assert.Equal(t, content, copyContent)
 	}

@@ -76,21 +57,13 @@ func Test_shouldCreateArchive(t *testing.T) {
 func Test_shouldCreateArchive2(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
-
-	err := os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
-	require.NoError(t, err)
-
-	err = os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
-	require.NoError(t, err)
-
-	err = os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
-	require.NoError(t, err)
-
-	err = os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
-	require.NoError(t, err)
+	os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
+	os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
+	os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
+	os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)

 	gzPath, err := TarGzDir(tmpdir)
-	require.NoError(t, err)
+	assert.Nil(t, err)
 	assert.Equal(t, filepath.Join(tmpdir, filepath.Base(tmpdir)+".tar.gz"), gzPath)

 	extractionDir := t.TempDir()
@@ -111,56 +84,3 @@ func Test_shouldCreateArchive2(t *testing.T) {
 	wasExtracted("dir/inner")
 	wasExtracted("dir/.dotfile")
 }
-
-func TestExtractTarGzPathTraversal(t *testing.T) {
-	testDir := t.TempDir()
-
-	// Create an evil file with a path traversal attempt
-	tarPath := filesystem.JoinPaths(testDir, "evil.tar.gz")
-
-	evilFile, err := os.Create(tarPath)
-	require.NoError(t, err)
-
-	gzWriter := gzip.NewWriter(evilFile)
-	tarWriter := tar.NewWriter(gzWriter)
-
-	content := []byte("evil content")
-
-	header := &tar.Header{
-		Name:     "../evil.txt",
-		Mode:     0600,
-		Size:     int64(len(content)),
-		Typeflag: tar.TypeReg,
-	}
-
-	err = tarWriter.WriteHeader(header)
-	require.NoError(t, err)
-
-	_, err = tarWriter.Write(content)
-	require.NoError(t, err)
-
-	err = tarWriter.Close()
-	require.NoError(t, err)
-
-	err = gzWriter.Close()
-	require.NoError(t, err)
-
-	err = evilFile.Close()
-	require.NoError(t, err)
-
-	// Attempt to extract the evil file
-	extractionDir := filesystem.JoinPaths(testDir, "extraction")
-	err = os.Mkdir(extractionDir, 0700)
-	require.NoError(t, err)
-
-	tarFile, err := os.Open(tarPath)
-	require.NoError(t, err)
-
-	// Check that the file didn't escape
-	err = ExtractTarGz(tarFile, extractionDir)
-	require.NoError(t, err)
-	require.NoFileExists(t, filesystem.JoinPaths(testDir, "evil.txt"))
-
-	err = tarFile.Close()
-	require.NoError(t, err)
-}
--- a/api/archive/zip.go
+++ b/api/archive/zip.go
@@ -8,8 +8,6 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/portainer/portainer/api/logs"
-
 	"github.com/pkg/errors"
 )

@@ -20,7 +18,7 @@ func UnzipFile(src string, dest string) error {
 	if err != nil {
 		return err
 	}
-	defer logs.CloseAndLogErr(r)
+	defer r.Close()

 	for _, f := range r.File {
 		p := filepath.Join(dest, f.Name)
@@ -32,9 +30,7 @@ func UnzipFile(src string, dest string) error {

 		if f.FileInfo().IsDir() {
 			// Make Folder
-			if err := os.MkdirAll(p, os.ModePerm); err != nil {
-				return err
-			}
+			os.MkdirAll(p, os.ModePerm)

 			continue
 		}
@@ -57,13 +53,13 @@ func unzipFile(f *zip.File, p string) error {
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't create file %s", p)
 	}
-	defer logs.CloseAndLogErr(outFile)
+	defer outFile.Close()

 	rc, err := f.Open()
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't open zip file %s in the archive", f.Name)
 	}
-	defer logs.CloseAndLogErr(rc)
+	defer rc.Close()

 	if _, err = io.Copy(outFile, rc); err != nil {
 		return errors.Wrapf(err, "unzipFile: can't copy an archived file content")
--- a/api/archive/zip_test.go
+++ b/api/archive/zip_test.go
@@ -5,7 +5,6 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func TestUnzipFile(t *testing.T) {
@@ -21,7 +20,7 @@ func TestUnzipFile(t *testing.T) {

 	err := UnzipFile("./testdata/sample_archive.zip", dir)

-	require.NoError(t, err)
+	assert.NoError(t, err)
 	archiveDir := dir + "/sample_archive"
 	assert.FileExists(t, filepath.Join(archiveDir, "0.txt"))
 	assert.FileExists(t, filepath.Join(archiveDir, "0", "1.txt"))
--- a/api/aws/ecr/ecr.go
+++ b/api/aws/ecr/ecr.go
@@ -6,15 +6,6 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
 )

-// Registry represents an ECR registry endpoint information.
-// This struct is used to parse and validate ECR endpoint URLs.
-type Registry struct {
-	ID     string // AWS account ID (empty for accountless endpoints like "ecr-fips.us-west-1.amazonaws.com")
-	FIPS   bool   // Whether this is a FIPS endpoint (contains "-fips" in the URL)
-	Region string // AWS region (e.g., "us-east-1", "us-gov-west-1")
-	Public bool   // Whether this is ecr-public.aws.com
-}
-
 type (
 	Service struct {
 		accessKey string
--- a/api/aws/ecr/parse_endpoints.go
+++ b/api/aws/ecr/parse_endpoints.go
@@ -1,70 +0,0 @@
-package ecr
-
-import (
-	"fmt"
-	"net/url"
-	"regexp"
-	"strings"
-)
-
-// ecrEndpointPattern matches all valid ECR endpoints including account-prefixed and accountless formats.
-// Based on AWS ECR credential helper regex but extended to support accountless endpoints.
-//
-// Supported formats:
-//   - Account-prefixed: 123456789012.dkr.ecr-fips.us-east-1.amazonaws.com
-//   - Account-prefixed (hyphen): 123456789012.dkr-ecr-fips.us-west-1.on.aws
-//   - Accountless service: ecr-fips.us-west-1.amazonaws.com
-//   - Accountless API: ecr-fips.us-east-1.api.aws
-//   - Non-FIPS variants: All formats above without "-fips"
-//
-// Regex groups:
-//   - Group 1: Full account prefix (optional) - e.g., "123456789012.dkr." or "123456789012.dkr-"
-//   - Group 2: Account ID (optional) - e.g., "123456789012"
-//   - Group 3: FIPS flag (optional) - either "-fips" or empty string
-//   - Group 4: Region - e.g., "us-east-1", "us-gov-west-1"
-//   - Group 5: Domain suffix - e.g., "amazonaws.com", "api.aws"
-var ecrEndpointPattern = regexp.MustCompile(
-	`^((\d{12})\.dkr[\.\-])?ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.(?:com(?:\.cn)?|eu)|api\.aws|on\.(?:aws|amazonwebservices\.com\.cn)|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)$`,
-)
-
-// ParseECREndpoint parses an ECR registry URL and extracts registry information.
-
-// This function replaces the AWS ECR credential helper library's ExtractRegistry function,
-// which only supports account-prefixed endpoints.
-//
-// Reference: https://docs.aws.amazon.com/general/latest/gr/ecr.html
-func ParseECREndpoint(urlStr string) (*Registry, error) {
-	// Normalize URL by adding https:// prefix if not present
-	if !strings.HasPrefix(urlStr, "https://") && !strings.HasPrefix(urlStr, "http://") {
-		urlStr = "https://" + urlStr
-	}
-
-	u, err := url.Parse(urlStr)
-	if err != nil {
-		return nil, fmt.Errorf("invalid URL: %w", err)
-	}
-
-	hostname := u.Hostname()
-
-	// Special case: ECR Public
-	// ECR Public uses a different domain and doesn't have FIPS variant
-	if hostname == "ecr-public.aws.com" {
-		return &Registry{
-			FIPS:   false,
-			Public: true,
-		}, nil
-	}
-
-	// Parse standard ECR endpoints using regex
-	matches := ecrEndpointPattern.FindStringSubmatch(hostname)
-	if len(matches) == 0 {
-		return nil, fmt.Errorf("not a valid ECR endpoint: %s", hostname)
-	}
-
-	return &Registry{
-		ID:     matches[2],            // Account ID (may be empty for accountless endpoints)
-		FIPS:   matches[3] == "-fips", // Check if "-fips" is present
-		Region: matches[4],            // AWS region
-		Public: false,
-	}, nil
-}
--- a/api/aws/ecr/parse_endpoints_test.go
+++ b/api/aws/ecr/parse_endpoints_test.go
@@ -1,253 +0,0 @@
-package ecr
-
-import (
-	"testing"
-)
-
-func TestParseECREndpoint(t *testing.T) {
-	tests := []struct {
-		name      string
-		url       string
-		want      *Registry
-		wantError bool
-	}{
-		// Standard AWS Commercial - Account-prefixed FIPS
-		{
-			name: "account-prefixed FIPS us-east-1",
-			url:  "123456789012.dkr.ecr-fips.us-east-1.amazonaws.com",
-			want: &Registry{
-				ID:     "123456789012",
-				FIPS:   true,
-				Region: "us-east-1",
-				Public: false,
-			},
-		},
-		{
-			name: "account-prefixed FIPS us-west-2",
-			url:  "123456789012.dkr.ecr-fips.us-west-2.amazonaws.com",
-			want: &Registry{
-				ID:     "123456789012",
-				FIPS:   true,
-				Region: "us-west-2",
-				Public: false,
-			},
-		},
-
-		// Accountless FIPS service endpoints
-		{
-			name: "accountless FIPS us-west-1",
-			url:  "ecr-fips.us-west-1.amazonaws.com",
-			want: &Registry{
-				ID:     "",
-				FIPS:   true,
-				Region: "us-west-1",
-				Public: false,
-			},
-		},
-		{
-			name: "accountless FIPS us-east-2",
-			url:  "ecr-fips.us-east-2.amazonaws.com",
-			want: &Registry{
-				ID:     "",
-				FIPS:   true,
-				Region: "us-east-2",
-				Public: false,
-			},
-		},
-
-		// Accountless FIPS API endpoints
-		{
-			name: "accountless FIPS API us-west-1",
-			url:  "ecr-fips.us-west-1.api.aws",
-			want: &Registry{
-				ID:     "",
-				FIPS:   true,
-				Region: "us-west-1",
-				Public: false,
-			},
-		},
-		{
-			name: "accountless FIPS API us-east-1",
-			url:  "ecr-fips.us-east-1.api.aws",
-			want: &Registry{
-				ID:     "",
-				FIPS:   true,
-				Region: "us-east-1",
-				Public: false,
-			},
-		},
-
-		// on.aws domain with hyphen separator
-		{
-			name: "account-prefixed FIPS hyphen us-west-1",
-			url:  "123456789012.dkr-ecr-fips.us-west-1.on.aws",
-			want: &Registry{
-				ID:     "123456789012",
-				FIPS:   true,
-				Region: "us-west-1",
-				Public: false,
-			},
-		},
-		{
-			name: "account-prefixed FIPS hyphen us-east-2",
-			url:  "123456789012.dkr-ecr-fips.us-east-2.on.aws",
-			want: &Registry{
-				ID:     "123456789012",
-				FIPS:   true,
-				Region: "us-east-2",
-				Public: false,
-			},
-		},
-
-		// AWS GovCloud
-		{
-			name: "account-prefixed FIPS us-gov-east-1",
-			url:  "123456789012.dkr.ecr-fips.us-gov-east-1.amazonaws.com",
-			want: &Registry{
-				ID:     "123456789012",
-				FIPS:   true,
-				Region: "us-gov-east-1",
-				Public: false,
-			},
-		},
-		{
-			name: "account-prefixed FIPS us-gov-west-1",
-			url:  "123456789012.dkr.ecr-fips.us-gov-west-1.amazonaws.com",
-			want: &Registry{
-				ID:     "123456789012",
-				FIPS:   true,
-				Region: "us-gov-west-1",
-				Public: false,
-			},
-		},
-		{
-			name: "accountless FIPS us-gov-west-1",
-			url:  "ecr-fips.us-gov-west-1.amazonaws.com",
-			want: &Registry{
-				ID:     "",
-				FIPS:   true,
-				Region: "us-gov-west-1",
-				Public: false,
-			},
-		},
-		{
-			name: "accountless FIPS API us-gov-east-1",
-			url:  "ecr-fips.us-gov-east-1.api.aws",
-			want: &Registry{
-				ID:     "",
-				FIPS:   true,
-				Region: "us-gov-east-1",
-				Public: false,
-			},
-		},
-
-		// ECR Public
-		{
-			name: "ecr-public",
-			url:  "ecr-public.aws.com",
-			want: &Registry{
-				ID:     "",
-				FIPS:   false,
-				Region: "",
-				Public: true,
-			},
-		},
-
-		// Non-FIPS endpoints (valid ECR but FIPS=false)
-		{
-			name: "account-prefixed non-FIPS us-east-1",
-			url:  "123456789012.dkr.ecr.us-east-1.amazonaws.com",
-			want: &Registry{
-				ID:     "123456789012",
-				FIPS:   false,
-				Region: "us-east-1",
-				Public: false,
-			},
-		},
-		{
-			name: "accountless non-FIPS us-west-1",
-			url:  "ecr.us-west-1.amazonaws.com",
-			want: &Registry{
-				ID:     "",
-				FIPS:   false,
-				Region: "us-west-1",
-				Public: false,
-			},
-		},
-		{
-			name: "accountless non-FIPS API us-east-2",
-			url:  "ecr.us-east-2.api.aws",
-			want: &Registry{
-				ID:     "",
-				FIPS:   false,
-				Region: "us-east-2",
-				Public: false,
-			},
-		},
-
-		// URLs with https:// prefix
-		{
-			name: "with https prefix",
-			url:  "https://ecr-fips.us-west-1.amazonaws.com",
-			want: &Registry{
-				ID:     "",
-				FIPS:   true,
-				Region: "us-west-1",
-				Public: false,
-			},
-		},
-
-		// Invalid endpoints
-		{
-			name:      "not an ECR URL",
-			url:       "not-an-ecr-url.com",
-			wantError: true,
-		},
-		{
-			name:      "invalid account ID length",
-			url:       "123.dkr.ecr-fips.us-east-1.amazonaws.com",
-			wantError: true,
-		},
-		{
-			name:      "empty string",
-			url:       "",
-			wantError: true,
-		},
-		{
-			name:      "docker hub",
-			url:       "docker.io",
-			wantError: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := ParseECREndpoint(tt.url)
-
-			if tt.wantError {
-				if err == nil {
-					t.Errorf("ParseECREndpoint() expected error but got none")
-				}
-				return
-			}
-
-			if err != nil {
-				t.Errorf("ParseECREndpoint() unexpected error: %v", err)
-				return
-			}
-
-			if got.ID != tt.want.ID {
-				t.Errorf("ParseECREndpoint() ID = %v, want %v", got.ID, tt.want.ID)
-			}
-			if got.FIPS != tt.want.FIPS {
-				t.Errorf("ParseECREndpoint() FIPS = %v, want %v", got.FIPS, tt.want.FIPS)
-			}
-			if got.Region != tt.want.Region {
-				t.Errorf("ParseECREndpoint() Region = %v, want %v", got.Region, tt.want.Region)
-			}
-			if got.Public != tt.want.Public {
-				t.Errorf("ParseECREndpoint() Public = %v, want %v", got.Public, tt.want.Public)
-			}
-		})
-	}
-}
--- a/api/backup/backup.go
+++ b/api/backup/backup.go
@@ -12,7 +12,6 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/offlinegate"
-	"github.com/portainer/portainer/api/logs"

 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
@@ -98,7 +97,7 @@ func encrypt(path string, passphrase string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer logs.CloseAndLogErr(in)
+	defer in.Close()

 	outFileName := path + ".encrypted"
 	out, err := os.Create(outFileName)
@@ -106,5 +105,7 @@ func encrypt(path string, passphrase string) (string, error) {
 		return "", err
 	}

-	return outFileName, crypto.AesEncrypt(in, out, []byte(passphrase))
+	err = crypto.AesEncrypt(in, out, []byte(passphrase))
+
+	return outFileName, err
 }
--- a/api/backup/restore.go
+++ b/api/backup/restore.go
@@ -16,8 +16,6 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/offlinegate"
-
-	"github.com/rs/zerolog/log"
 )

 var filesToRestore = append(filesToBackup, "portainer.db")
@@ -33,20 +31,17 @@ func RestoreArchive(archive io.Reader, password string, filestorePath string, ga
 	}

 	restorePath := filepath.Join(filestorePath, "restore", time.Now().Format("20060102150405"))
-	defer func() {
-		if err := os.RemoveAll(filepath.Dir(restorePath)); err != nil {
-			log.Warn().Err(err).Msg("failed to clean up restore files")
-		}
-	}()
+	defer os.RemoveAll(filepath.Dir(restorePath))

-	if err := extractArchive(archive, restorePath); err != nil {
+	err = extractArchive(archive, restorePath)
+	if err != nil {
 		return errors.Wrap(err, "cannot extract files from the archive. Please ensure the password is correct and try again")
 	}

 	unlock := gate.Lock()
 	defer unlock()

-	if err := datastore.Close(); err != nil {
+	if err = datastore.Close(); err != nil {
 		return errors.Wrap(err, "Failed to stop db")
 	}

@@ -56,7 +51,7 @@ func RestoreArchive(archive io.Reader, password string, filestorePath string, ga
 		return errors.Wrap(err, "failed to restore from backup. Portainer database missing from backup file")
 	}

-	if err := restoreFiles(restorePath, filestorePath); err != nil {
+	if err = restoreFiles(restorePath, filestorePath); err != nil {
 		return errors.Wrap(err, "failed to restore the system state")
 	}

@@ -94,7 +89,8 @@ func getRestoreSourcePath(dir string) (string, error) {

 func restoreFiles(srcDir string, destinationDir string) error {
 	for _, filename := range filesToRestore {
-		if err := filesystem.CopyPath(filepath.Join(srcDir, filename), destinationDir); err != nil {
+		err := filesystem.CopyPath(filepath.Join(srcDir, filename), destinationDir)
+		if err != nil {
 			return err
 		}
 	}
@@ -102,18 +98,14 @@ func restoreFiles(srcDir string, destinationDir string) error {
 	// TODO:  This is very boltdb module specific once again due to the filename.  Move to bolt module? Refactor for another day

 	// Prevent the possibility of having both databases.  Remove any default new instance
-	if err := os.Remove(filepath.Join(destinationDir, boltdb.DatabaseFileName)); err != nil && !os.IsNotExist(err) {
-		return err
-	}
-
-	if err := os.Remove(filepath.Join(destinationDir, boltdb.EncryptedDatabaseFileName)); err != nil && !os.IsNotExist(err) {
-		return err
-	}
+	os.Remove(filepath.Join(destinationDir, boltdb.DatabaseFileName))
+	os.Remove(filepath.Join(destinationDir, boltdb.EncryptedDatabaseFileName))

 	// Now copy the database.  It'll be either portainer.db or portainer.edb

 	// Note: CopyPath does not return an error if the source file doesn't exist
-	if err := filesystem.CopyPath(filepath.Join(srcDir, boltdb.EncryptedDatabaseFileName), destinationDir); err != nil {
+	err := filesystem.CopyPath(filepath.Join(srcDir, boltdb.EncryptedDatabaseFileName), destinationDir)
+	if err != nil {
 		return err
 	}

--- a/api/chisel/service.go
+++ b/api/chisel/service.go
@@ -89,8 +89,10 @@ func (service *Service) pingAgent(endpointID portainer.EndpointID) error {
 		return err
 	}

-	_, _ = io.Copy(io.Discard, resp.Body)
-	return resp.Body.Close()
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+
+	return nil
 }

 // KeepTunnelAlive keeps the tunnel of the given environment for maxAlive duration, or until ctx is done
--- a/api/chisel/tunnel.go
+++ b/api/chisel/tunnel.go
@@ -142,9 +142,7 @@ func (s *Service) TunnelAddr(endpoint *portainer.Endpoint) (string, error) {
 			continue
 		}

-		if err := conn.Close(); err != nil {
-			log.Warn().Err(err).Msg("failed to close tcp connection")
-		}
+		conn.Close()

 		break
 	}
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -32,7 +32,7 @@ func CLIFlags() *portainer.CLIFlags {
 		Assets:                    kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
 		Data:                      kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
 		EndpointURL:               kingpin.Flag("host", "Environment URL").Short('H').String(),
-		FeatureFlags:              kingpin.Flag("feat", "List of feature flags").Envar(portainer.FeatureFlagEnvVar).Strings(),
+		FeatureFlags:              kingpin.Flag("feat", "List of feature flags").Strings(),
 		EnableEdgeComputeFeatures: kingpin.Flag("edge-compute", "Enable Edge Compute features").Bool(),
 		NoAnalytics:               kingpin.Flag("no-analytics", "Disable Analytics in app (deprecated)").Bool(),
 		TLSSkipVerify:             kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
@@ -52,6 +52,7 @@ func CLIFlags() *portainer.CLIFlags {
 		SecretKeyName:             kingpin.Flag("secret-key-name", "Secret key name for encryption and will be used as /run/secrets/<secret-key-name>.").Default(defaultSecretKeyName).String(),
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
+		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
 		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
 		TrustedOrigins:            kingpin.Flag("trusted-origins", "List of trusted origins for CSRF protection. Separate multiple origins with a comma.").Envar(portainer.TrustedOriginsEnvVar).String(),
 		CSP:                       kingpin.Flag("csp", "Content Security Policy (CSP) header").Envar(portainer.CSPEnvVar).Default("true").Bool(),
@@ -94,11 +95,6 @@ func (Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 	flags.TLSKey = tlsKeyFlag.String()
 	flags.TLSCacert = kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String()

-	flags.KubectlShellImage = kingpin.Flag(
-		"kubectl-shell-image",
-		"Kubectl shell image",
-	).Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String()
-
 	kingpin.Parse()

 	if !filepath.IsAbs(*flags.Assets) {
--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -1,4 +1,5 @@
 //go:build !windows
+// +build !windows

 package cli

--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -55,7 +55,7 @@ import (
 	"github.com/portainer/portainer/pkg/libstack/compose"
 	"github.com/portainer/portainer/pkg/validate"

-	"github.com/google/uuid"
+	"github.com/gofrs/uuid"
 	"github.com/rs/zerolog/log"
 )

@@ -119,7 +119,7 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	}

 	if isNew {
-		instanceId, err := uuid.NewRandom()
+		instanceId, err := uuid.NewV4()
 		if err != nil {
 			log.Fatal().Err(err).Msg("failed generating instance id")
 		}
@@ -134,16 +134,15 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 			InstanceID:    instanceId.String(),
 			MigratorCount: migratorCount,
 		}
-
-		if err := store.VersionService.UpdateVersion(&v); err != nil {
-			log.Fatal().Err(err).Msg("failed to update version")
-		}
+		store.VersionService.UpdateVersion(&v)

 		if err := updateSettingsFromFlags(store, flags); err != nil {
 			log.Fatal().Err(err).Msg("failed updating settings from flags")
 		}
-	} else if err := store.MigrateData(); err != nil {
-		log.Fatal().Err(err).Msg("failed migration")
+	} else {
+		if err := store.MigrateData(); err != nil {
+			log.Fatal().Err(err).Msg("failed migration")
+		}
 	}

 	if err := updateSettingsFromFlags(store, flags); err != nil {
@@ -154,7 +153,7 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	go func() {
 		<-shutdownCtx.Done()

-		defer logs.CloseAndLogErr(connection)
+		defer connection.Close()
 	}()

 	return store
@@ -348,7 +347,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	trustedOrigins := []string{}
 	if *flags.TrustedOrigins != "" {
 		// validate if the trusted origins are valid urls
-		for origin := range strings.SplitSeq(*flags.TrustedOrigins, ",") {
+		for _, origin := range strings.Split(*flags.TrustedOrigins, ",") {
 			if !validate.IsTrustedOrigin(origin) {
 				log.Fatal().Str("trusted_origin", origin).Msg("invalid url for trusted origin. Please check the trusted origins flag.")
 			}
@@ -530,9 +529,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	scheduler := scheduler.NewScheduler(shutdownCtx)
 	stackDeployer := deployments.NewStackDeployer(swarmStackManager, composeStackManager, kubernetesDeployer, dockerClientFactory, dataStore)
-	if err := deployments.StartStackSchedules(scheduler, stackDeployer, dataStore, gitService); err != nil {
-		log.Fatal().Err(err).Msg("failed to start stack scheduler")
-	}
+	deployments.StartStackSchedules(scheduler, stackDeployer, dataStore, gitService)

 	sslDBSettings, err := dataStore.SSLSettings().Settings()
 	if err != nil {
@@ -633,7 +630,7 @@ func main() {
 			Str("build_number", build.BuildNumber).
 			Str("image_tag", build.ImageTag).
 			Str("nodejs_version", build.NodejsVersion).
-			Str("pnpm_version", build.PnpmVersion).
+			Str("yarn_version", build.YarnVersion).
 			Str("webpack_version", build.WebpackVersion).
 			Str("go_version", build.GoVersion).
 			Msg("starting Portainer")
--- a/api/crypto/aes.go
+++ b/api/crypto/aes.go
@@ -15,9 +15,8 @@ import (

 	"github.com/portainer/portainer/pkg/fips"

-	// Not allowed in FIPS mode
-	"golang.org/x/crypto/argon2" //nolint:depguard
-	"golang.org/x/crypto/scrypt" //nolint:depguard
+	"golang.org/x/crypto/argon2"
+	"golang.org/x/crypto/scrypt"
 )

 const (
@@ -164,9 +163,7 @@ func aesEncryptGCM(input io.Reader, output io.Writer, passphrase []byte) error {
 			return err
 		}

-		if err := nonce.Increment(); err != nil {
-			return err
-		}
+		nonce.Increment()
 	}

 	return nil
@@ -237,9 +234,7 @@ func aesDecryptGCM(input io.Reader, passphrase []byte) (io.Reader, error) {
 			return nil, err
 		}

-		if err := nonce.Increment(); err != nil {
-			return nil, err
-		}
+		nonce.Increment()
 	}

 	return &buf, nil
--- a/api/crypto/aes_test.go
+++ b/api/crypto/aes_test.go
@@ -9,7 +9,6 @@ import (
 	"path/filepath"
 	"testing"

-	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/pkg/fips"

 	"github.com/stretchr/testify/assert"
@@ -48,29 +47,26 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 		)

 		content := randBytes(1024*1024*100 + 523)
-		err := os.WriteFile(originFilePath, content, 0600)
-		require.NoError(t, err)
+		os.WriteFile(originFilePath, content, 0600)

 		originFile, _ := os.Open(originFilePath)
-		defer logs.CloseAndLogErr(originFile)
+		defer originFile.Close()

 		encryptedFileWriter, _ := os.Create(encryptedFilePath)

-		err = encrypt(originFile, encryptedFileWriter, []byte(passphrase))
-		require.NoError(t, err, "Failed to encrypt a file")
-		logs.CloseAndLogErr(encryptedFileWriter)
+		err := encrypt(originFile, encryptedFileWriter, []byte(passphrase))
+		require.Nil(t, err, "Failed to encrypt a file")
+		encryptedFileWriter.Close()

 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		require.NoError(t, err, "Couldn't read encrypted file")
+		require.Nil(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, err := os.Open(encryptedFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(encryptedFileReader)
+		encryptedFileReader, _ := os.Open(encryptedFilePath)
+		defer encryptedFileReader.Close()

-		decryptedFileWriter, err := os.Create(decryptedFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(decryptedFileWriter)
+		decryptedFileWriter, _ := os.Create(decryptedFilePath)
+		defer decryptedFileWriter.Close()

 		decryptedReader, err := decrypt(encryptedFileReader, []byte(passphrase))
 		if !decryptShouldSucceed {
@@ -78,11 +74,9 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 		} else {
 			require.NoError(t, err, "Failed to decrypt file indicated by decryptShouldSucceed")

-			_, err = io.Copy(decryptedFileWriter, decryptedReader)
-			require.NoError(t, err)
+			io.Copy(decryptedFileWriter, decryptedReader)

-			decryptedContent, err := os.ReadFile(decryptedFilePath)
-			require.NoError(t, err)
+			decryptedContent, _ := os.ReadFile(decryptedFilePath)
 			assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 		}
 	}
@@ -153,40 +147,33 @@ func Test_encryptAndDecrypt_withStrongPassphrase(t *testing.T) {
 		)

 		content := randBytes(500)
+		os.WriteFile(originFilePath, content, 0600)

-		err := os.WriteFile(originFilePath, content, 0600)
-		require.NoError(t, err)
-
-		originFile, err := os.Open(originFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(originFile)
+		originFile, _ := os.Open(originFilePath)
+		defer originFile.Close()

 		encryptedFileWriter, _ := os.Create(encryptedFilePath)

-		err = encrypt(originFile, encryptedFileWriter, []byte(passphrase))
-		require.NoError(t, err, "Failed to encrypt a file")
-		logs.CloseAndLogErr(encryptedFileWriter)
+		err := encrypt(originFile, encryptedFileWriter, []byte(passphrase))
+		assert.Nil(t, err, "Failed to encrypt a file")
+		encryptedFileWriter.Close()

 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		require.NoError(t, err, "Couldn't read encrypted file")
+		assert.Nil(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, err := os.Open(encryptedFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(encryptedFileReader)
+		encryptedFileReader, _ := os.Open(encryptedFilePath)
+		defer encryptedFileReader.Close()

-		decryptedFileWriter, err := os.Create(decryptedFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(decryptedFileWriter)
+		decryptedFileWriter, _ := os.Create(decryptedFilePath)
+		defer decryptedFileWriter.Close()

 		decryptedReader, err := decrypt(encryptedFileReader, []byte(passphrase))
-		require.NoError(t, err, "Failed to decrypt file")
+		assert.Nil(t, err, "Failed to decrypt file")

-		_, err = io.Copy(decryptedFileWriter, decryptedReader)
-		require.NoError(t, err)
+		io.Copy(decryptedFileWriter, decryptedReader)

-		decryptedContent, err := os.ReadFile(decryptedFilePath)
-		require.NoError(t, err)
+		decryptedContent, _ := os.ReadFile(decryptedFilePath)
 		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 	}

@@ -210,40 +197,33 @@ func Test_encryptAndDecrypt_withTheSamePasswordSmallFile(t *testing.T) {
 		)

 		content := randBytes(500)
-		err := os.WriteFile(originFilePath, content, 0600)
-		require.NoError(t, err)
+		os.WriteFile(originFilePath, content, 0600)

-		originFile, err := os.Open(originFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(originFile)
+		originFile, _ := os.Open(originFilePath)
+		defer originFile.Close()

-		encryptedFileWriter, err := os.Create(encryptedFilePath)
-		require.NoError(t, err)
+		encryptedFileWriter, _ := os.Create(encryptedFilePath)

-		err = encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
-		require.NoError(t, err, "Failed to encrypt a file")
-		logs.CloseAndLogErr(encryptedFileWriter)
+		err := encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+		assert.Nil(t, err, "Failed to encrypt a file")
+		encryptedFileWriter.Close()

 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		require.NoError(t, err, "Couldn't read encrypted file")
+		assert.Nil(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, err := os.Open(encryptedFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(encryptedFileReader)
+		encryptedFileReader, _ := os.Open(encryptedFilePath)
+		defer encryptedFileReader.Close()

-		decryptedFileWriter, err := os.Create(decryptedFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(decryptedFileWriter)
+		decryptedFileWriter, _ := os.Create(decryptedFilePath)
+		defer decryptedFileWriter.Close()

 		decryptedReader, err := decrypt(encryptedFileReader, []byte("passphrase"))
-		require.NoError(t, err, "Failed to decrypt file")
+		assert.Nil(t, err, "Failed to decrypt file")

-		_, err = io.Copy(decryptedFileWriter, decryptedReader)
-		require.NoError(t, err)
+		io.Copy(decryptedFileWriter, decryptedReader)

-		decryptedContent, err := os.ReadFile(decryptedFilePath)
-		require.NoError(t, err)
+		decryptedContent, _ := os.ReadFile(decryptedFilePath)
 		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 	}

@@ -267,40 +247,32 @@ func Test_encryptAndDecrypt_withEmptyPassword(t *testing.T) {
 		)

 		content := randBytes(1024 * 50)
-		err := os.WriteFile(originFilePath, content, 0600)
-		require.NoError(t, err)
+		os.WriteFile(originFilePath, content, 0600)

-		originFile, err := os.Open(originFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(originFile)
+		originFile, _ := os.Open(originFilePath)
+		defer originFile.Close()

-		encryptedFileWriter, err := os.Create(encryptedFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(encryptedFileWriter)
-
-		err = encrypt(originFile, encryptedFileWriter, []byte(""))
-		require.NoError(t, err, "Failed to encrypt a file")
+		encryptedFileWriter, _ := os.Create(encryptedFilePath)
+		defer encryptedFileWriter.Close()

+		err := encrypt(originFile, encryptedFileWriter, []byte(""))
+		assert.Nil(t, err, "Failed to encrypt a file")
 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		require.NoError(t, err, "Couldn't read encrypted file")
+		assert.Nil(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, err := os.Open(encryptedFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(encryptedFileReader)
+		encryptedFileReader, _ := os.Open(encryptedFilePath)
+		defer encryptedFileReader.Close()

-		decryptedFileWriter, err := os.Create(decryptedFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(decryptedFileWriter)
+		decryptedFileWriter, _ := os.Create(decryptedFilePath)
+		defer decryptedFileWriter.Close()

 		decryptedReader, err := decrypt(encryptedFileReader, []byte(""))
-		require.NoError(t, err, "Failed to decrypt file")
+		assert.Nil(t, err, "Failed to decrypt file")

-		_, err = io.Copy(decryptedFileWriter, decryptedReader)
-		require.NoError(t, err)
+		io.Copy(decryptedFileWriter, decryptedReader)

-		decryptedContent, err := os.ReadFile(decryptedFilePath)
-		require.NoError(t, err)
+		decryptedContent, _ := os.ReadFile(decryptedFilePath)
 		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 	}

@@ -324,33 +296,28 @@ func Test_decryptWithDifferentPassphrase_shouldProduceWrongResult(t *testing.T)
 		)

 		content := randBytes(1034)
-		err := os.WriteFile(originFilePath, content, 0600)
-		require.NoError(t, err)
+		os.WriteFile(originFilePath, content, 0600)

-		originFile, err := os.Open(originFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(originFile)
+		originFile, _ := os.Open(originFilePath)
+		defer originFile.Close()

-		encryptedFileWriter, err := os.Create(encryptedFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(encryptedFileWriter)
+		encryptedFileWriter, _ := os.Create(encryptedFilePath)
+		defer encryptedFileWriter.Close()

-		err = encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
-		require.NoError(t, err, "Failed to encrypt a file")
+		err := encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+		assert.Nil(t, err, "Failed to encrypt a file")
 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		require.NoError(t, err, "Couldn't read encrypted file")
+		assert.Nil(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, err := os.Open(encryptedFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(encryptedFileReader)
+		encryptedFileReader, _ := os.Open(encryptedFilePath)
+		defer encryptedFileReader.Close()

-		decryptedFileWriter, err := os.Create(decryptedFilePath)
-		require.NoError(t, err)
-		defer logs.CloseAndLogErr(decryptedFileWriter)
+		decryptedFileWriter, _ := os.Create(decryptedFilePath)
+		defer decryptedFileWriter.Close()

 		_, err = decrypt(encryptedFileReader, []byte("garbage"))
-		require.Error(t, err, "Should not allow decrypt with wrong passphrase")
+		assert.NotNil(t, err, "Should not allow decrypt with wrong passphrase")
 	}

 	t.Run("fips", func(t *testing.T) {
--- a/api/crypto/ecdsa_test.go
+++ b/api/crypto/ecdsa_test.go
@@ -11,12 +11,12 @@ func TestCreateSignature(t *testing.T) {

 	privKey, pubKey, err := s.GenerateKeyPair()
 	require.NoError(t, err)
-	require.NotEmpty(t, privKey)
-	require.NotEmpty(t, pubKey)
+	require.Greater(t, len(privKey), 0)
+	require.Greater(t, len(pubKey), 0)

 	m := "test message"
 	r, err := s.CreateSignature(m)
 	require.NoError(t, err)
 	require.NotEqual(t, r, m)
-	require.NotEmpty(t, r)
+	require.Greater(t, len(r), 0)
 }
--- a/api/crypto/hash.go
+++ b/api/crypto/hash.go
@@ -1,8 +1,7 @@
 package crypto

 import (
-	// Not allowed in FIPS mode
-	"golang.org/x/crypto/bcrypt" //nolint:depguard
+	"golang.org/x/crypto/bcrypt"
 )

 // Service represents a service for encrypting/hashing data.
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@@ -92,9 +92,7 @@ func CreateTLSConfigurationFromDisk(config portainer.TLSConfiguration) (*tls.Con
 }

 func createTLSConfigurationFromDisk(fipsEnabled bool, config portainer.TLSConfiguration) (*tls.Config, error) { //nolint:forbidigo
-	if !config.TLS && fipsEnabled {
-		return nil, fips.ErrTLSRequired
-	} else if !config.TLS {
+	if !config.TLS {
 		return nil, nil
 	}

--- a/api/crypto/tls_test.go
+++ b/api/crypto/tls_test.go
@@ -44,7 +44,7 @@ func TestCreateTLSConfigurationFIPS(t *testing.T) {
 func TestCreateTLSConfigurationFromBytes(t *testing.T) {
 	// No TLS
 	config, err := CreateTLSConfigurationFromBytes(false, nil, nil, nil, false, false)
-	require.NoError(t, err)
+	require.Nil(t, err)
 	require.Nil(t, config)

 	// Skip TLS client/server verifications
@@ -61,7 +61,7 @@ func TestCreateTLSConfigurationFromBytes(t *testing.T) {
 func TestCreateTLSConfigurationFromDisk(t *testing.T) {
 	// No TLS
 	config, err := CreateTLSConfigurationFromDisk(portainer.TLSConfiguration{})
-	require.NoError(t, err)
+	require.Nil(t, err)
 	require.Nil(t, config)

 	// Skip TLS verifications
--- a/api/database/boltdb/db_test.go
+++ b/api/database/boltdb/db_test.go
@@ -98,36 +98,18 @@ func Test_NeedsEncryptionMigration(t *testing.T) {
 				// Special case.  If portainer.db and portainer.edb exist.
 				dbFile1 := path.Join(connection.Path, DatabaseFileName)
 				f, _ := os.Create(dbFile1)
-
-				err := f.Close()
-				require.NoError(t, err)
-
-				defer func() {
-					err := os.Remove(dbFile1)
-					require.NoError(t, err)
-				}()
+				f.Close()
+				defer os.Remove(dbFile1)

 				dbFile2 := path.Join(connection.Path, EncryptedDatabaseFileName)
 				f, _ = os.Create(dbFile2)
-
-				err = f.Close()
-				require.NoError(t, err)
-
-				defer func() {
-					err := os.Remove(dbFile2)
-					require.NoError(t, err)
-				}()
+				f.Close()
+				defer os.Remove(dbFile2)
 			} else if tc.dbname != "" {
 				dbFile := path.Join(connection.Path, tc.dbname)
 				f, _ := os.Create(dbFile)
-
-				err := f.Close()
-				require.NoError(t, err)
-
-				defer func() {
-					err := os.Remove(dbFile)
-					require.NoError(t, err)
-				}()
+				f.Close()
+				defer os.Remove(dbFile)
 			}

 			if tc.key {
@@ -154,8 +136,7 @@ func TestDBCompaction(t *testing.T) {
 			return err
 		}

-		err = b.Put([]byte("key"), []byte("value"))
-		require.NoError(t, err)
+		b.Put([]byte("key"), []byte("value"))

 		return nil
 	})
--- a/api/database/boltdb/export.go
+++ b/api/database/boltdb/export.go
@@ -3,7 +3,6 @@ package boltdb
 import (
 	"time"

-	"github.com/portainer/portainer/api/logs"
 	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
 	bolt "go.etcd.io/bbolt"
@@ -38,7 +37,7 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 	if err != nil {
 		return []byte("{}"), err
 	}
-	defer logs.CloseAndLogErr(connection)
+	defer connection.Close()

 	backup := make(map[string]any)
 	if metadata {
--- a/api/database/boltdb/json.go
+++ b/api/database/boltdb/json.go
@@ -45,12 +45,12 @@ func (connection *DbConnection) UnmarshalObject(data []byte, object any) error {
 		}
 	}

-	if err := json.Unmarshal(data, object); err != nil {
+	if e := json.Unmarshal(data, object); e != nil {
 		// Special case for the VERSION bucket. Here we're not using json
 		// So we need to return it as a string
 		s, ok := object.(*string)
 		if !ok {
-			return errors.Wrap(err, "Failed unmarshalling object")
+			return errors.Wrap(err, e.Error())
 		}

 		*s = string(data)
--- a/api/database/boltdb/json_test.go
+++ b/api/database/boltdb/json_test.go
@@ -10,14 +10,14 @@ import (
 	"io"
 	"testing"

-	"github.com/google/uuid"
+	"github.com/gofrs/uuid"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

 const (
-	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
+	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
 	passphrase = "my secret key"
 )

@@ -29,7 +29,7 @@ func secretToEncryptionKey(passphrase string) []byte {
 func Test_MarshalObjectUnencrypted(t *testing.T) {
 	is := assert.New(t)

-	uuid := uuid.New()
+	uuid := uuid.Must(uuid.NewV4())

 	tests := []struct {
 		object   any
@@ -94,7 +94,7 @@ func Test_MarshalObjectUnencrypted(t *testing.T) {
 	for _, test := range tests {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
 			data, err := conn.MarshalObject(test.object)
-			require.NoError(t, err)
+			is.NoError(err)
 			is.Equal(test.expected, string(data))
 		})
 	}
@@ -135,7 +135,7 @@ func Test_UnMarshalObjectUnencrypted(t *testing.T) {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
 			var object string
 			err := conn.UnmarshalObject(test.object, &object)
-			require.NoError(t, err)
+			is.NoError(err)
 			is.Equal(test.expected, object)
 		})
 	}
@@ -172,12 +172,12 @@ func Test_ObjectMarshallingEncrypted(t *testing.T) {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {

 			data, err := conn.MarshalObject(test.object)
-			require.NoError(t, err)
+			is.NoError(err)

 			var object []byte
 			err = conn.UnmarshalObject(data, &object)

-			require.NoError(t, err)
+			is.NoError(err)
 			is.Equal(test.object, object)
 		})
 	}
--- a/api/database/boltdb/tx_test.go
+++ b/api/database/boltdb/tx_test.go
@@ -6,7 +6,6 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/stretchr/testify/require"
 )

 const testBucketName = "test-bucket"
@@ -18,55 +17,70 @@ type testStruct struct {
 }

 func TestTxs(t *testing.T) {
-	conn := DbConnection{Path: t.TempDir()}
+	conn := DbConnection{
+		Path: t.TempDir(),
+	}

 	err := conn.Open()
-	require.NoError(t, err)
-	defer func() {
-		err := conn.Close()
-		require.NoError(t, err)
-	}()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer conn.Close()

 	// Error propagation
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
 		return errors.New("this is an error")
 	})
-	require.Error(t, err)
+	if err == nil {
+		t.Fatal("an error was expected, got nil instead")
+	}

 	// Create an object
-	newObj := testStruct{Key: "key", Value: "value"}
+	newObj := testStruct{
+		Key:   "key",
+		Value: "value",
+	}

 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
-		if err := tx.SetServiceName(testBucketName); err != nil {
+		err = tx.SetServiceName(testBucketName)
+		if err != nil {
 			return err
 		}

 		return tx.CreateObjectWithId(testBucketName, testId, newObj)
 	})
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}

 	obj := testStruct{}
 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(testBucketName, conn.ConvertToKey(testId), &obj)
 	})
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}

 	if obj.Key != newObj.Key || obj.Value != newObj.Value {
 		t.Fatalf("expected %s:%s, got %s:%s instead", newObj.Key, newObj.Value, obj.Key, obj.Value)
 	}

 	// Update an object
-	updatedObj := testStruct{Key: "updated-key", Value: "updated-value"}
+	updatedObj := testStruct{
+		Key:   "updated-key",
+		Value: "updated-value",
+	}

 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.UpdateObject(testBucketName, conn.ConvertToKey(testId), &updatedObj)
 	})
-	require.NoError(t, err)

 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(testBucketName, conn.ConvertToKey(testId), &obj)
 	})
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}

 	if obj.Key != updatedObj.Key || obj.Value != updatedObj.Value {
 		t.Fatalf("expected %s:%s, got %s:%s instead", updatedObj.Key, updatedObj.Value, obj.Key, obj.Value)
@@ -76,12 +90,16 @@ func TestTxs(t *testing.T) {
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.DeleteObject(testBucketName, conn.ConvertToKey(testId))
 	})
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}

 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(testBucketName, conn.ConvertToKey(testId), &obj)
 	})
-	require.True(t, dataservices.IsErrObjectNotFound(err))
+	if !dataservices.IsErrObjectNotFound(err) {
+		t.Fatal(err)
+	}

 	// Get next identifier
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
@@ -94,11 +112,15 @@ func TestTxs(t *testing.T) {

 		return nil
 	})
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}

 	// Try to write in a read transaction
 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.CreateObjectWithId(testBucketName, testId, newObj)
 	})
-	require.Error(t, err)
+	if err == nil {
+		t.Fatal("an error was expected, got nil instead")
+	}
 }
--- a/api/database/database_test.go
+++ b/api/database/database_test.go
@@ -1,24 +0,0 @@
-package database
-
-import (
-	"testing"
-
-	"github.com/portainer/portainer/api/database/boltdb"
-	"github.com/portainer/portainer/api/filesystem"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestNewDatabase(t *testing.T) {
-	dbPath := filesystem.JoinPaths(t.TempDir(), "test.db")
-	connection, err := NewDatabase("boltdb", dbPath, nil, false)
-	require.NoError(t, err)
-	require.NotNil(t, connection)
-
-	_, ok := connection.(*boltdb.DbConnection)
-	require.True(t, ok)
-
-	connection, err = NewDatabase("unknown", dbPath, nil, false)
-	require.Error(t, err)
-	require.Nil(t, connection)
-}
--- a/api/dataservices/base_test.go
+++ b/api/dataservices/base_test.go
@@ -21,7 +21,7 @@ type mockConnection struct {
 	portainer.Connection
 }

-func (m mockConnection) UpdateObject(bucket string, key []byte, value any) error {
+func (m mockConnection) UpdateObject(bucket string, key []byte, value interface{}) error {
 	obj := value.(*testObject)

 	m.store[obj.ID] = *obj
@@ -50,6 +50,7 @@ func (m mockConnection) ViewTx(fn func(portainer.Transaction) error) error {
 func (m mockConnection) ConvertToKey(v int) []byte {
 	return []byte(strconv.Itoa(v))
 }
+
 func TestReadAll(t *testing.T) {
 	service := BaseDataService[testObject, int]{
 		Bucket:     "testBucket",
--- a/api/dataservices/base_tx.go
+++ b/api/dataservices/base_tx.go
@@ -72,13 +72,3 @@ func (service BaseDataServiceTx[T, I]) Delete(ID I) error {
 	identifier := service.Connection.ConvertToKey(int(ID))
 	return service.Tx.DeleteObject(service.Bucket, identifier)
 }
-
-func Read[T any](tx portainer.Transaction, bucket string, key []byte) (*T, error) {
-	var element T
-
-	if err := tx.GetObject(bucket, key, &element); err != nil {
-		return nil, err
-	}
-
-	return &element, nil
-}
--- a/api/dataservices/edgestack/edgestack_test.go
+++ b/api/dataservices/edgestack/edgestack_test.go
@@ -5,7 +5,6 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
-	"github.com/portainer/portainer/api/logs"

 	"github.com/stretchr/testify/require"
 )
@@ -15,7 +14,7 @@ func TestUpdate(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer logs.CloseAndLogErr(conn)
+	defer conn.Close()

 	service, err := NewService(conn, func(portainer.Transaction, portainer.EdgeStackID) {})
 	require.NoError(t, err)
--- a/api/dataservices/endpoint/endpoint.go
+++ b/api/dataservices/endpoint/endpoint.go
@@ -119,19 +119,6 @@ func (service *Service) Endpoints() ([]portainer.Endpoint, error) {
 	return endpoints, nil
 }

-// ReadAll retrieves all the elements that satisfy all the provided predicates.
-func (service *Service) ReadAll(predicates ...func(endpoint portainer.Endpoint) bool) ([]portainer.Endpoint, error) {
-	var endpoints []portainer.Endpoint
-	var err error
-
-	err = service.connection.ViewTx(func(tx portainer.Transaction) error {
-		endpoints, err = service.Tx(tx).ReadAll(predicates...)
-		return err
-	})
-
-	return endpoints, err
-}
-
 // EndpointIDByEdgeID returns the EndpointID from the given EdgeID using an in-memory index
 func (service *Service) EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool) {
 	service.mu.RLock()
--- a/api/dataservices/endpoint/tx.go
+++ b/api/dataservices/endpoint/tx.go
@@ -89,11 +89,6 @@ func (service ServiceTx) Endpoints() ([]portainer.Endpoint, error) {
 	)
 }

-// ReadAll retrieves all the elements that satisfy all the provided predicates.
-func (service ServiceTx) ReadAll(predicates ...func(endpoint portainer.Endpoint) bool) ([]portainer.Endpoint, error) {
-	return dataservices.BaseDataServiceTx[portainer.Endpoint, portainer.EndpointID]{Bucket: BucketName, Connection: service.service.connection, Tx: service.tx}.ReadAll(predicates...)
-}
-
 func (service ServiceTx) EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool) {
 	log.Error().Str("func", "EndpointIDByEdgeID").Msg("cannot be called inside a transaction")

--- a/api/dataservices/endpointrelation/endpointrelation_test.go
+++ b/api/dataservices/endpointrelation/endpointrelation_test.go
@@ -7,7 +7,6 @@ import (
 	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/dataservices/edgestack"
 	"github.com/portainer/portainer/api/internal/edge/cache"
-	"github.com/portainer/portainer/api/logs"

 	"github.com/stretchr/testify/require"
 )
@@ -21,7 +20,7 @@ func TestUpdateRelation(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer logs.CloseAndLogErr(conn)
+	defer conn.Close()

 	service, err := NewService(conn)
 	require.NoError(t, err)
@@ -110,7 +109,7 @@ func TestAddEndpointRelationsForEdgeStack(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer logs.CloseAndLogErr(conn)
+	defer conn.Close()

 	service, err := NewService(conn)
 	require.NoError(t, err)
@@ -129,7 +128,7 @@ func TestEndpointRelations(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer logs.CloseAndLogErr(conn)
+	defer conn.Close()

 	service, err := NewService(conn)
 	require.NoError(t, err)
@@ -137,5 +136,5 @@ func TestEndpointRelations(t *testing.T) {
 	require.NoError(t, service.Create(&portainer.EndpointRelation{EndpointID: 1}))
 	rels, err := service.EndpointRelations()
 	require.NoError(t, err)
-	require.Len(t, rels, 1)
+	require.Equal(t, 1, len(rels))
 }
--- a/api/dataservices/errors/errors.go
+++ b/api/dataservices/errors/errors.go
@@ -6,7 +6,7 @@ import (

 var (
 	ErrObjectNotFound     = errors.New("object not found inside the database")
-	ErrWrongDBEdition     = errors.New("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://docs.portainer.io/faqs/upgrading/can-i-downgrade-from-portainer-business-to-portainer-ce")
+	ErrWrongDBEdition     = errors.New("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
 	ErrDBImportFailed     = errors.New("importing backup failed")
 	ErrDatabaseIsUpdating = errors.New("database is currently in updating state. Failed prior upgrade. Please restore from backup or delete the database and restart Portainer")
 )
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -102,9 +102,6 @@ type (

 	// EndpointService represents a service for managing environment(endpoint) data
 	EndpointService interface {
-		// partial dataservices.BaseCRUD[portainer.Endpoint, portainer.EndpointID]
-		ReadAll(predicates ...func(endpoint portainer.Endpoint) bool) ([]portainer.Endpoint, error)
-
 		Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error)
 		EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool)
 		EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error)
@@ -226,7 +223,6 @@ type (
 	UserService interface {
 		BaseCRUD[portainer.User, portainer.UserID]
 		UserByUsername(username string) (*portainer.User, error)
-		UserIDByUsername(username string) (portainer.UserID, error)
 		UsersByRole(role portainer.UserRole) ([]portainer.User, error)
 	}

--- a/api/dataservices/resourcecontrol/resourcecontrol.go
+++ b/api/dataservices/resourcecontrol/resourcecontrol.go
@@ -3,7 +3,6 @@ package resourcecontrol
 import (
 	"errors"
 	"fmt"
-	"slices"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -65,9 +64,11 @@ func (service *Service) ResourceControlByResourceIDAndType(resourceID string, re
 				return nil, stop
 			}

-			if slices.Contains(rc.SubResourceIDs, resourceID) {
-				resourceControl = rc
-				return nil, stop
+			for _, subResourceID := range rc.SubResourceIDs {
+				if subResourceID == resourceID {
+					resourceControl = rc
+					return nil, stop
+				}
 			}

 			return &portainer.ResourceControl{}, nil
--- a/api/dataservices/resourcecontrol/tx.go
+++ b/api/dataservices/resourcecontrol/tx.go
@@ -3,7 +3,6 @@ package resourcecontrol
 import (
 	"errors"
 	"fmt"
-	"slices"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -36,9 +35,11 @@ func (service ServiceTx) ResourceControlByResourceIDAndType(resourceID string, r
 				return nil, stop
 			}

-			if slices.Contains(rc.SubResourceIDs, resourceID) {
-				resourceControl = rc
-				return nil, stop
+			for _, subResourceID := range rc.SubResourceIDs {
+				if subResourceID == resourceID {
+					resourceControl = rc
+					return nil, stop
+				}
 			}

 			return &portainer.ResourceControl{}, nil
--- a/api/dataservices/ssl/ssl.go
+++ b/api/dataservices/ssl/ssl.go
@@ -31,13 +31,6 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}, nil
 }

-func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
-	return ServiceTx{
-		service: service,
-		tx:      tx,
-	}
-}
-
 // Settings retrieve the ssl settings object.
 func (service *Service) Settings() (*portainer.SSLSettings, error) {
 	var settings portainer.SSLSettings
--- a/api/dataservices/ssl/tx.go
+++ b/api/dataservices/ssl/tx.go
@@ -1,31 +0,0 @@
-package ssl
-
-import (
-	portainer "github.com/portainer/portainer/api"
-)
-
-type ServiceTx struct {
-	service *Service
-	tx      portainer.Transaction
-}
-
-func (service ServiceTx) BucketName() string {
-	return BucketName
-}
-
-// Settings retrieve the settings object.
-func (service ServiceTx) Settings() (*portainer.SSLSettings, error) {
-	var settings portainer.SSLSettings
-
-	err := service.tx.GetObject(BucketName, []byte(key), &settings)
-	if err != nil {
-		return nil, err
-	}
-
-	return &settings, nil
-}
-
-// UpdateSettings persists a Settings object.
-func (service ServiceTx) UpdateSettings(settings *portainer.SSLSettings) error {
-	return service.tx.UpdateObject(BucketName, []byte(key), settings)
-}
--- a/api/dataservices/stack/tests/stack_test.go
+++ b/api/dataservices/stack/tests/stack_test.go
@@ -4,18 +4,17 @@ import (
 	"testing"
 	"time"

-	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
-	"github.com/portainer/portainer/api/filesystem"

-	"github.com/google/uuid"
+	"github.com/gofrs/uuid"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/filesystem"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func newGuidString(t *testing.T) string {
-	uuid, err := uuid.NewRandom()
-	require.NoError(t, err)
+	uuid, err := uuid.NewV4()
+	assert.NoError(t, err)

 	return uuid.String()
 }
@@ -42,7 +41,7 @@ func TestService_StackByWebhookID(t *testing.T) {

 	// can find a stack by webhook ID
 	got, err := store.StackService.StackByWebhookID(webhookID)
-	require.NoError(t, err)
+	assert.NoError(t, err)
 	assert.Equal(t, stack, *got)

 	// returns nil and object not found error if there's no stack associated with the webhook
@@ -95,10 +94,10 @@ func Test_RefreshableStacks(t *testing.T) {

 	for _, stack := range []*portainer.Stack{&staticStack, &stackWithWebhook, &refreshableStack} {
 		err := store.Stack().Create(stack)
-		require.NoError(t, err)
+		assert.NoError(t, err)
 	}

 	stacks, err := store.Stack().RefreshableStacks()
-	require.NoError(t, err)
+	assert.NoError(t, err)
 	assert.ElementsMatch(t, []portainer.Stack{refreshableStack}, stacks)
 }
--- a/api/dataservices/team/tests/team_test.go
+++ b/api/dataservices/team/tests/team_test.go
@@ -5,9 +5,7 @@ import (

 	"github.com/portainer/portainer/api/dataservices/errors"
 	"github.com/portainer/portainer/api/datastore"
-
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func Test_teamByName(t *testing.T) {
@@ -15,7 +13,7 @@ func Test_teamByName(t *testing.T) {
 		_, store := datastore.MustNewTestStore(t, true, true)

 		_, err := store.Team().TeamByName("name")
-		require.ErrorIs(t, err, errors.ErrObjectNotFound)
+		assert.ErrorIs(t, err, errors.ErrObjectNotFound)

 	})

@@ -31,7 +29,7 @@ func Test_teamByName(t *testing.T) {
 		teamBuilder.createNew("name1")

 		_, err := store.Team().TeamByName("name")
-		require.ErrorIs(t, err, errors.ErrObjectNotFound)
+		assert.ErrorIs(t, err, errors.ErrObjectNotFound)
 	})

 	t.Run("When there is an object with the same name should return the object", func(t *testing.T) {
@@ -46,7 +44,7 @@ func Test_teamByName(t *testing.T) {
 		expectedTeam := teamBuilder.createNew("name1")

 		team, err := store.Team().TeamByName("name1")
-		require.NoError(t, err, "TeamByName should succeed")
+		assert.NoError(t, err, "TeamByName should succeed")
 		assert.Equal(t, expectedTeam, team)
 	})
 }
--- a/api/dataservices/user/tx.go
+++ b/api/dataservices/user/tx.go
@@ -36,18 +36,6 @@ func (service ServiceTx) UserByUsername(username string) (*portainer.User, error
 	return nil, err
 }

-func (service ServiceTx) UserIDByUsername(username string) (portainer.UserID, error) {
-	user, err := service.UserByUsername(username)
-	if err != nil {
-		return 0, err
-	}
-
-	if user == nil {
-		return 0, dserrors.ErrObjectNotFound
-	}
-	return user.ID, nil
-}
-
 // UsersByRole return an array containing all the users with the specified role.
 func (service ServiceTx) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
 	var users = make([]portainer.User, 0)
--- a/api/dataservices/user/user.go
+++ b/api/dataservices/user/user.go
@@ -65,18 +65,6 @@ func (service *Service) UserByUsername(username string) (*portainer.User, error)
 	return nil, err
 }

-func (service *Service) UserIDByUsername(username string) (portainer.UserID, error) {
-	user, err := service.UserByUsername(username)
-	if err != nil {
-		return 0, err
-	}
-
-	if user == nil {
-		return 0, dserrors.ErrObjectNotFound
-	}
-	return user.ID, nil
-}
-
 // UsersByRole return an array containing all the users with the specified role.
 func (service *Service) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
 	var users = make([]portainer.User, 0)
--- a/api/dataservices/version/tx.go
+++ b/api/dataservices/version/tx.go
@@ -1,70 +0,0 @@
-package version
-
-import (
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/database/models"
-	"github.com/portainer/portainer/api/dataservices"
-)
-
-type ServiceTx struct {
-	dataservices.BaseDataServiceTx[models.Version, int] // ID is not used
-}
-
-func (tx ServiceTx) InstanceID() (string, error) {
-	v, err := tx.Version()
-	if err != nil {
-		return "", err
-	}
-
-	return v.InstanceID, nil
-}
-
-func (tx ServiceTx) UpdateInstanceID(ID string) error {
-	v, err := tx.Version()
-	if err != nil {
-		if !dataservices.IsErrObjectNotFound(err) {
-			return err
-		}
-
-		v = &models.Version{}
-	}
-
-	v.InstanceID = ID
-
-	return tx.UpdateVersion(v)
-}
-
-func (tx ServiceTx) Edition() (portainer.SoftwareEdition, error) {
-	v, err := tx.Version()
-	if err != nil {
-		return 0, err
-	}
-
-	return portainer.SoftwareEdition(v.Edition), nil
-}
-
-func (tx ServiceTx) Version() (*models.Version, error) {
-	var v models.Version
-
-	err := tx.Tx.GetObject(BucketName, []byte(versionKey), &v)
-	if err != nil {
-		return nil, err
-	}
-
-	return &v, nil
-}
-
-func (tx ServiceTx) UpdateVersion(version *models.Version) error {
-	return tx.Tx.UpdateObject(BucketName, []byte(versionKey), version)
-}
-
-func (tx ServiceTx) SchemaVersion() (string, error) {
-	var v models.Version
-
-	err := tx.Tx.GetObject(BucketName, []byte(versionKey), &v)
-	if err != nil {
-		return "", err
-	}
-
-	return v.SchemaVersion, nil
-}
--- a/api/dataservices/version/version.go
+++ b/api/dataservices/version/version.go
@@ -33,16 +33,6 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}, nil
 }

-func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
-	return ServiceTx{
-		BaseDataServiceTx: dataservices.BaseDataServiceTx[models.Version, int]{
-			Bucket:     BucketName,
-			Connection: service.connection,
-			Tx:         tx,
-		},
-	}
-}
-
 func (service *Service) SchemaVersion() (string, error) {
 	v, err := service.Version()
 	if err != nil {
--- a/api/datastore/backup.go
+++ b/api/datastore/backup.go
@@ -14,40 +14,33 @@ import (
 // corruption and if a path is not given a default is used.
 // The path or an error are returned.
 func (store *Store) Backup(path string) (string, error) {
-	if err := store.Close(); err != nil {
-		return "", fmt.Errorf("failed to close store before backup: %w", err)
-	}
-
-	filename, err := store.backupDBFile(path)
-	if err != nil {
-		return "", err
-	}
-
-	if _, err := store.Open(); err != nil {
-		return "", fmt.Errorf("failed to reopen store after backup: %w", err)
-	}
-
-	return filename, nil
-}
-
-// backupDBFile copies the database file to the backup location.
-// Does not manage connection state - works with the database file directly regardless of connection state.
-func (store *Store) backupDBFile(backupPath string) (string, error) {
 	if err := store.createBackupPath(); err != nil {
 		return "", err
 	}

 	backupFilename := store.backupFilename()
-	if backupPath != "" {
-		backupFilename = backupPath
+	if path != "" {
+		backupFilename = path
+	}
+	log.Info().Str("from", store.connection.GetDatabaseFilePath()).Str("to", backupFilename).Msgf("Backing up database")
+
+	// Close the store before backing up
+	err := store.Close()
+	if err != nil {
+		return "", fmt.Errorf("failed to close store before backup: %w", err)
 	}

-	log.Info().Str("from", store.connection.GetDatabaseFilePath()).Str("to", backupFilename).Msg("Backing up database")
-
-	if err := store.fileService.Copy(store.connection.GetDatabaseFilePath(), backupFilename, true); err != nil {
+	err = store.fileService.Copy(store.connection.GetDatabaseFilePath(), backupFilename, true)
+	if err != nil {
 		return "", fmt.Errorf("failed to create backup file: %w", err)
 	}

+	// reopen the store
+	_, err = store.Open()
+	if err != nil {
+		return "", fmt.Errorf("failed to reopen store after backup: %w", err)
+	}
+
 	return backupFilename, nil
 }

@@ -57,17 +50,15 @@ func (store *Store) Restore() error {
 }

 func (store *Store) RestoreFromFile(backupFilename string) error {
-	if err := store.Close(); err != nil {
-		return err
-	}
-
+	store.Close()
 	if err := store.fileService.Copy(backupFilename, store.connection.GetDatabaseFilePath(), true); err != nil {
 		return fmt.Errorf("unable to restore backup file %q. err: %w", backupFilename, err)
 	}

 	log.Info().Str("from", backupFilename).Str("to", store.connection.GetDatabaseFilePath()).Msgf("database restored")

-	if _, err := store.Open(); err != nil {
+	_, err := store.Open()
+	if err != nil {
 		return fmt.Errorf("unable to determine version of restored portainer backup file: %w", err)
 	}

@@ -89,7 +80,6 @@ func (store *Store) createBackupPath() error {
 			return fmt.Errorf("unable to create backup folder: %w", err)
 		}
 	}
-
 	return nil
 }

--- a/api/datastore/backup_test.go
+++ b/api/datastore/backup_test.go
@@ -1,20 +1,19 @@
 package datastore

 import (
-	"os"
 	"testing"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/database/models"
-	"github.com/stretchr/testify/require"

 	"github.com/rs/zerolog/log"
 )

 func TestStoreCreation(t *testing.T) {
 	_, store := MustNewTestStore(t, true, true)
-	require.NotNil(t, store)
+	if store == nil {
+		t.Fatal("Expect to create a store")
+	}

 	v, err := store.VersionService.Version()
 	if err != nil {
@@ -38,12 +37,8 @@ func TestBackup(t *testing.T) {
 			Edition:       int(portainer.PortainerCE),
 			SchemaVersion: portainer.APIVersion,
 		}
-
-		err := store.VersionService.UpdateVersion(&v)
-		require.NoError(t, err)
-
-		_, err = store.Backup("")
-		require.NoError(t, err)
+		store.VersionService.UpdateVersion(&v)
+		store.Backup("")

 		if !isFileExist(backupFileName) {
 			t.Errorf("Expect backup file to be created %s", backupFileName)
@@ -59,14 +54,10 @@ func TestRestore(t *testing.T) {
 		updateEdition(store, portainer.PortainerCE)
 		updateVersion(store, "2.4")

-		_, err := store.Backup("")
-		require.NoError(t, err)
-
+		store.Backup("")
 		updateVersion(store, "2.16")
 		testVersion(store, "2.16", t)
-
-		err = store.Restore()
-		require.NoError(t, err)
+		store.Restore()

 		// check if the restore is successful and the version is correct
 		testVersion(store, "2.4", t)
@@ -76,65 +67,13 @@ func TestRestore(t *testing.T) {
 		// override and set initial db version and edition
 		updateEdition(store, portainer.PortainerCE)
 		updateVersion(store, "2.4")
-
-		_, err := store.Backup("")
-		require.NoError(t, err)
-
+		store.Backup("")
 		updateVersion(store, "2.14")
 		updateVersion(store, "2.16")
 		testVersion(store, "2.16", t)
-
-		err = store.Restore()
-		require.NoError(t, err)
+		store.Restore()

 		// check if the restore is successful and the version is correct
 		testVersion(store, "2.4", t)
 	})
 }
-
-func TestBackupDBFile(t *testing.T) {
-	_, store := MustNewTestStore(t, true, false)
-
-	t.Run("creates backup file without managing connection state", func(t *testing.T) {
-		// Verify connection is usable before
-		_, err := store.VersionService.Version()
-		require.NoError(t, err, "connection should be usable before backupDBFile")
-
-		// backupDBFile should work without closing the connection
-		backupFilename, err := store.backupDBFile("")
-		require.NoError(t, err)
-		require.FileExists(t, backupFilename)
-
-		// Verify connection is still usable after (not closed/reopened)
-		_, err = store.VersionService.Version()
-		require.NoError(t, err, "connection should still be usable after backupDBFile")
-
-		require.NoError(t, os.Remove(backupFilename))
-	})
-
-	t.Run("uses custom path when provided", func(t *testing.T) {
-		customPath := t.TempDir() + "/custom-backup.db"
-		backupFilename, err := store.backupDBFile(customPath)
-		require.NoError(t, err)
-		require.Equal(t, customPath, backupFilename)
-		require.FileExists(t, backupFilename)
-	})
-}
-
-func TestBackupDBFileUsesCorrectPath(t *testing.T) {
-	_, store := MustNewTestStore(t, true, false)
-
-	t.Run("backs up unencrypted db when encrypted flag is false", func(t *testing.T) {
-		store.connection.SetEncrypted(false)
-
-		backupFilename, err := store.backupDBFile("")
-		require.NoError(t, err)
-		require.FileExists(t, backupFilename)
-
-		// Verify it backed up the unencrypted file (portainer.db)
-		require.Contains(t, backupFilename, boltdb.DatabaseFileName)
-		require.NotContains(t, backupFilename, boltdb.EncryptedDatabaseFileName)
-
-		require.NoError(t, os.Remove(backupFilename))
-	})
-}
--- a/api/datastore/datastore.go
+++ b/api/datastore/datastore.go
@@ -32,38 +32,34 @@ func (store *Store) Open() (newStore bool, err error) {
 	}

 	if encryptionReq {
-		// NeedsEncryptionMigration() sets encrypted=true as a side effect when a key exists.
-		// We need to set it back to false so GetDatabaseFilePath() returns the path to the
-		// actual unencrypted file (portainer.db) that we want to back up.
-		store.connection.SetEncrypted(false)
-
-		// Use backupDBFile directly since connection isn't open yet
-		// and we don't want to trigger the close/open cycle of Backup()
-		backupFilename, err := store.backupDBFile("")
+		backupFilename, err := store.Backup("")
 		if err != nil {
 			return false, fmt.Errorf("failed to backup database prior to encrypting: %w", err)
 		}

-		if err := store.encryptDB(); err != nil {
-			innerErr := store.RestoreFromFile(backupFilename) // restore from backup if encryption fails
-			return false, errors.Join(err, innerErr)
+		err = store.encryptDB()
+		if err != nil {
+			store.RestoreFromFile(backupFilename) // restore from backup if encryption fails
+			return false, err
 		}
 	}

-	if err := store.connection.Open(); err != nil {
+	err = store.connection.Open()
+	if err != nil {
 		return false, err
 	}

-	if err := store.initServices(); err != nil {
+	err = store.initServices()
+	if err != nil {
 		return false, err
 	}

 	// If no settings object exists then assume we have a new store
-	if _, err := store.SettingsService.Settings(); err != nil {
+	_, err = store.SettingsService.Settings()
+	if err != nil {
 		if store.IsErrObjectNotFound(err) {
 			return true, nil
 		}
-
 		return false, err
 	}

@@ -76,13 +72,19 @@ func (store *Store) Close() error {

 func (store *Store) UpdateTx(fn func(dataservices.DataStoreTx) error) error {
 	return store.connection.UpdateTx(func(tx portainer.Transaction) error {
-		return fn(&StoreTx{store: store, tx: tx})
+		return fn(&StoreTx{
+			store: store,
+			tx:    tx,
+		})
 	})
 }

 func (store *Store) ViewTx(fn func(dataservices.DataStoreTx) error) error {
 	return store.connection.ViewTx(func(tx portainer.Transaction) error {
-		return fn(&StoreTx{store: store, tx: tx})
+		return fn(&StoreTx{
+			store: store,
+			tx:    tx,
+		})
 	})
 }

@@ -97,7 +99,6 @@ func (store *Store) CheckCurrentEdition() error {
 	if store.edition() != portainer.Edition {
 		return portainerErrors.ErrWrongDBEdition
 	}
-
 	return nil
 }

@@ -106,7 +107,6 @@ func (store *Store) edition() portainer.SoftwareEdition {
 	if store.IsErrObjectNotFound(err) {
 		edition = portainer.PortainerCE
 	}
-
 	return edition
 }

@@ -125,11 +125,13 @@ func (store *Store) Rollback(force bool) error {

 func (store *Store) encryptDB() error {
 	store.connection.SetEncrypted(false)
-	if err := store.connection.Open(); err != nil {
+	err := store.connection.Open()
+	if err != nil {
 		return err
 	}

-	if err := store.initServices(); err != nil {
+	err = store.initServices()
+	if err != nil {
 		return err
 	}

@@ -142,7 +144,8 @@ func (store *Store) encryptDB() error {

 	log.Info().Str("filename", exportFilename).Msg("exporting database backup")

-	if err := store.Export(exportFilename); err != nil {
+	err = store.Export(exportFilename)
+	if err != nil {
 		log.Error().Str("filename", exportFilename).Err(err).Msg("failed to export")

 		return err
@@ -151,33 +154,38 @@ func (store *Store) encryptDB() error {
 	log.Info().Msg("database backup exported")

 	// Close existing un-encrypted db so that we can delete the file later
-	if err := store.connection.Close(); err != nil {
+	store.connection.Close()
+
+	// Tell the db layer to create an encrypted db when opened
+	store.connection.SetEncrypted(true)
+	store.connection.Open()
+
+	// We have to init services before import
+	err = store.initServices()
+	if err != nil {
 		return err
 	}

-	if err := store.Import(exportFilename); err != nil {
-		log.Error().Err(err).Msg("failed to import database backup")
-
+	err = store.Import(exportFilename)
+	if err != nil {
 		// Remove the new encrypted file that we failed to import
-		if err := os.Remove(store.connection.GetDatabaseFilePath()); err != nil {
-			log.Error().Msg("failed to remove the file after import failure")
-		}
+		os.Remove(store.connection.GetDatabaseFilePath())

 		log.Fatal().Err(portainerErrors.ErrDBImportFailed).Msg("")
 	}

-	if err := os.Remove(oldFilename); err != nil {
+	err = os.Remove(oldFilename)
+	if err != nil {
 		log.Error().Msg("failed to remove the un-encrypted db file")
 	}

-	if err := os.Remove(exportFilename); err != nil {
+	err = os.Remove(exportFilename)
+	if err != nil {
 		log.Error().Msg("failed to remove the json backup file")
 	}

 	// Close db connection
-	if err := store.connection.Close(); err != nil {
-		return err
-	}
+	store.connection.Close()

 	log.Info().Msg("database successfully encrypted")

--- a/api/datastore/datastore_test.go
+++ b/api/datastore/datastore_test.go
@@ -6,14 +6,12 @@ import (
 	"strings"
 	"testing"

+	"github.com/dchest/uniuri"
+	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/chisel"
 	"github.com/portainer/portainer/api/crypto"
-
-	"github.com/dchest/uniuri"
-	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 const (
@@ -32,32 +30,56 @@ func TestStoreFull(t *testing.T) {
 	_, store := MustNewTestStore(t, true, true)

 	testCases := map[string]func(t *testing.T){
-		"User Accounts":    store.testUserAccounts,
-		"Environments":     store.testEnvironments,
-		"Settings":         store.testSettings,
-		"SSL Settings":     store.testSSLSettings,
-		"Tunnel Server":    store.testTunnelServer,
-		"Custom Templates": store.testCustomTemplates,
-		"Registries":       store.testRegistries,
-		"Resource Control": store.testResourceControl,
-		"Schedules":        store.testSchedules,
-		"Tags":             store.testTags,
+		"User Accounts": func(t *testing.T) {
+			store.testUserAccounts(t)
+		},
+		"Environments": func(t *testing.T) {
+			store.testEnvironments(t)
+		},
+		"Settings": func(t *testing.T) {
+			store.testSettings(t)
+		},
+		"SSL Settings": func(t *testing.T) {
+			store.testSSLSettings(t)
+		},
+		"Tunnel Server": func(t *testing.T) {
+			store.testTunnelServer(t)
+		},
+		"Custom Templates": func(t *testing.T) {
+			store.testCustomTemplates(t)
+		},
+		"Registries": func(t *testing.T) {
+			store.testRegistries(t)
+		},
+		"Resource Control": func(t *testing.T) {
+			store.testResourceControl(t)
+		},
+		"Schedules": func(t *testing.T) {
+			store.testSchedules(t)
+		},
+		"Tags": func(t *testing.T) {
+			store.testTags(t)
+		},
+
+		// "Test Title": func(t *testing.T) {
+		// },
 	}

 	for name, test := range testCases {
 		t.Run(name, test)
 	}
+
 }

 func (store *Store) testEnvironments(t *testing.T) {
 	id := store.CreateEndpoint(t, "local", portainer.KubernetesLocalEnvironment, "", true)
-	store.CreateEndpointRelation(t, id)
+	store.CreateEndpointRelation(id)

 	id = store.CreateEndpoint(t, "agent", portainer.AgentOnDockerEnvironment, agentOnDockerEnvironmentUrl, true)
-	store.CreateEndpointRelation(t, id)
+	store.CreateEndpointRelation(id)

 	id = store.CreateEndpoint(t, "edge", portainer.EdgeAgentOnKubernetesEnvironment, edgeAgentOnKubernetesEnvironmentUrl, true)
-	store.CreateEndpointRelation(t, id)
+	store.CreateEndpointRelation(id)
 }

 func newEndpoint(endpointType portainer.EndpointType, id portainer.EndpointID, name, URL string, TLS bool) *portainer.Endpoint {
@@ -90,7 +112,18 @@ func newEndpoint(endpointType portainer.EndpointType, id portainer.EndpointID, n
 }

 func setEndpointAuthorizations(endpoint *portainer.Endpoint) {
-	endpoint.SecuritySettings = portainer.DefaultEndpointSecuritySettings()
+	endpoint.SecuritySettings = portainer.EndpointSecuritySettings{
+		AllowVolumeBrowserForRegularUsers: false,
+		EnableHostManagementFeatures:      false,
+
+		AllowSysctlSettingForRegularUsers:         true,
+		AllowBindMountsForRegularUsers:            true,
+		AllowPrivilegedModeForRegularUsers:        true,
+		AllowHostNamespaceForRegularUsers:         true,
+		AllowContainerCapabilitiesForRegularUsers: true,
+		AllowDeviceMappingForRegularUsers:         true,
+		AllowStackManagementForRegularUsers:       true,
+	}
 }

 func (store *Store) CreateEndpoint(t *testing.T, name string, endpointType portainer.EndpointType, URL string, tls bool) portainer.EndpointID {
@@ -131,25 +164,22 @@ func (store *Store) CreateEndpoint(t *testing.T, name string, endpointType porta
 	}

 	setEndpointAuthorizations(expectedEndpoint)
-
-	err := store.Endpoint().Create(expectedEndpoint)
-	require.NoError(t, err)
+	store.Endpoint().Create(expectedEndpoint)

 	endpoint, err := store.Endpoint().Endpoint(id)
-	require.NoError(t, err, "Endpoint() should not return an error")
+	is.NoError(err, "Endpoint() should not return an error")
 	is.Equal(expectedEndpoint, endpoint, "endpoint should be the same")

 	return endpoint.ID
 }

-func (store *Store) CreateEndpointRelation(t *testing.T, id portainer.EndpointID) {
+func (store *Store) CreateEndpointRelation(id portainer.EndpointID) {
 	relation := &portainer.EndpointRelation{
 		EndpointID: id,
 		EdgeStacks: map[portainer.EdgeStackID]bool{},
 	}

-	err := store.EndpointRelation().Create(relation)
-	require.NoError(t, err)
+	store.EndpointRelation().Create(relation)
 }

 func (store *Store) testSSLSettings(t *testing.T) {
@@ -161,11 +191,10 @@ func (store *Store) testSSLSettings(t *testing.T) {
 		SelfSigned:  true,
 	}

-	err := store.SSLSettings().UpdateSettings(ssl)
-	require.NoError(t, err)
+	store.SSLSettings().UpdateSettings(ssl)

 	settings, err := store.SSLSettings().Settings()
-	require.NoError(t, err, "Get sslsettings should succeed")
+	is.NoError(err, "Get sslsettings should succeed")
 	is.Equal(ssl, settings, "Stored SSLSettings should be the same as what is read out")
 }

@@ -174,27 +203,27 @@ func (store *Store) testTunnelServer(t *testing.T) {
 	expectPrivateKeySeed := uniuri.NewLen(16)

 	err := store.TunnelServer().UpdateInfo(&portainer.TunnelServerInfo{PrivateKeySeed: expectPrivateKeySeed})
-	require.NoError(t, err, "UpdateInfo should have succeeded")
+	is.NoError(err, "UpdateInfo should have succeeded")

 	serverInfo, err := store.TunnelServer().Info()
-	require.NoError(t, err, "Info should have succeeded")
+	is.NoError(err, "Info should have succeeded")

 	is.Equal(expectPrivateKeySeed, serverInfo.PrivateKeySeed, "hashed passwords should not differ")
 }

 // add users, read them back and check the details are unchanged
 func (store *Store) testUserAccounts(t *testing.T) {
-	err := store.createAccount(adminUsername, adminPassword, portainer.AdministratorRole)
-	require.NoError(t, err, "CreateAccount should succeed")
+	is := assert.New(t)

-	err = store.checkAccount(adminUsername, adminPassword, portainer.AdministratorRole)
-	require.NoError(t, err, "Account failure")
+	err := store.createAccount(adminUsername, adminPassword, portainer.AdministratorRole)
+	is.NoError(err, "CreateAccount should succeed")
+	store.checkAccount(adminUsername, adminPassword, portainer.AdministratorRole)
+	is.NoError(err, "Account failure")

 	err = store.createAccount(standardUsername, standardPassword, portainer.StandardUserRole)
-	require.NoError(t, err, "CreateAccount should succeed")
-
-	err = store.checkAccount(standardUsername, standardPassword, portainer.StandardUserRole)
-	require.NoError(t, err, "Account failure")
+	is.NoError(err, "CreateAccount should succeed")
+	store.checkAccount(standardUsername, standardPassword, portainer.StandardUserRole)
+	is.NoError(err, "Account failure")
 }

 // create an account with the provided details
@@ -209,7 +238,12 @@ func (store *Store) createAccount(username, password string, role portainer.User
 		return err
 	}

-	return store.User().Create(user)
+	err = store.User().Create(user)
+	if err != nil {
+		return err
+	}
+
+	return nil
 }

 func (store *Store) checkAccount(username, expectPassword string, expectRole portainer.UserRole) error {
@@ -226,7 +260,12 @@ func (store *Store) checkAccount(username, expectPassword string, expectRole por

 	// Check the password
 	cs := crypto.Service{}
-	if cs.CompareHashAndData(user.Password, expectPassword) != nil {
+	expectPasswordHash, err := cs.Hash(expectPassword)
+	if err != nil {
+		return errors.Wrap(err, "hash failed")
+	}
+
+	if user.Password != expectPasswordHash {
 		return fmt.Errorf("%s user password hash failure", user.Username)
 	}

@@ -238,7 +277,7 @@ func (store *Store) testSettings(t *testing.T) {

 	// since many settings are default and basically nil, I'm going to update some and read them back
 	expectedSettings, err := store.Settings().Settings()
-	require.NoError(t, err, "Settings() should not return an error")
+	is.NoError(err, "Settings() should not return an error")
 	expectedSettings.TemplatesURL = "http://portainer.io/application-templates"
 	expectedSettings.HelmRepositoryURL = "http://portainer.io/helm-repository"
 	expectedSettings.EdgeAgentCheckinInterval = 60
@@ -252,10 +291,10 @@ func (store *Store) testSettings(t *testing.T) {
 	expectedSettings.SnapshotInterval = "10m"

 	err = store.Settings().UpdateSettings(expectedSettings)
-	require.NoError(t, err, "UpdateSettings() should succeed")
+	is.NoError(err, "UpdateSettings() should succeed")

 	settings, err := store.Settings().Settings()
-	require.NoError(t, err, "Settings() should not return an error")
+	is.NoError(err, "Settings() should not return an error")
 	is.Equal(expectedSettings, settings, "stored settings should match")
 }

@@ -275,11 +314,10 @@ func (store *Store) testCustomTemplates(t *testing.T) {
 		CreatedByUserID: 10,
 	}

-	err := customTemplate.Create(expectedTemplate)
-	require.NoError(t, err)
+	customTemplate.Create(expectedTemplate)

 	actualTemplate, err := customTemplate.Read(expectedTemplate.ID)
-	require.NoError(t, err, "CustomTemplate should not return an error")
+	is.NoError(err, "CustomTemplate should not return an error")
 	is.Equal(expectedTemplate, actualTemplate, "expected and actual template do not match")
 }

@@ -307,17 +345,17 @@ func (store *Store) testRegistries(t *testing.T) {
 	}

 	err := regService.Create(reg1)
-	require.NoError(t, err)
+	is.NoError(err)

 	err = regService.Create(reg2)
-	require.NoError(t, err)
+	is.NoError(err)

 	actualReg1, err := regService.Read(reg1.ID)
-	require.NoError(t, err)
+	is.NoError(err)
 	is.Equal(reg1, actualReg1, "registries differ")

 	actualReg2, err := regService.Read(reg2.ID)
-	require.NoError(t, err)
+	is.NoError(err)
 	is.Equal(reg2, actualReg2, "registries differ")
 }

@@ -340,10 +378,10 @@ func (store *Store) testSchedules(t *testing.T) {
 	}

 	err := schedule.CreateSchedule(s)
-	require.NoError(t, err, "CreateSchedule should succeed")
+	is.NoError(err, "CreateSchedule should succeed")

 	actual, err := schedule.Schedule(s.ID)
-	require.NoError(t, err, "schedule should be found")
+	is.NoError(err, "schedule should be found")
 	is.Equal(s, actual, "schedules differ")
 }

@@ -363,16 +401,16 @@ func (store *Store) testTags(t *testing.T) {
 	}

 	err := tags.Create(tag1)
-	require.NoError(t, err, "Tags.Create should succeed")
+	is.NoError(err, "Tags.Create should succeed")

 	err = tags.Create(tag2)
-	require.NoError(t, err, "Tags.Create should succeed")
+	is.NoError(err, "Tags.Create should succeed")

 	actual, err := tags.Read(tag1.ID)
-	require.NoError(t, err, "tag1 should be found")
+	is.NoError(err, "tag1 should be found")
 	is.Equal(tag1, actual, "tags differ")

 	actual, err = tags.Read(tag2.ID)
-	require.NoError(t, err, "tag2 should be found")
+	is.NoError(err, "tag2 should be found")
 	is.Equal(tag2, actual, "tags differ")
 }
--- a/api/datastore/init.go
+++ b/api/datastore/init.go
@@ -31,6 +31,7 @@ func (store *Store) checkOrCreateDefaultSettings() error {
 	settings, err := store.SettingsService.Settings()
 	if store.IsErrObjectNotFound(err) {
 		defaultSettings := &portainer.Settings{
+			EnableTelemetry:      false,
 			AuthenticationMethod: portainer.AuthenticationInternal,
 			BlackListedLabels:    make([]portainer.Pair, 0),
 			InternalAuthSettings: portainer.InternalAuthSettings{
--- a/api/datastore/migrate_data_test.go
+++ b/api/datastore/migrate_data_test.go
@@ -9,15 +9,14 @@ import (
 	"path/filepath"
 	"testing"

+	"github.com/Masterminds/semver"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/datastore/migrator"

-	"github.com/Masterminds/semver/v3"
 	"github.com/google/go-cmp/cmp"
 	"github.com/rs/zerolog/log"
-	"github.com/stretchr/testify/require"
 )

 func TestMigrateData(t *testing.T) {
@@ -54,11 +53,9 @@ func TestMigrateData(t *testing.T) {
 		}

 		testVersion(store, portainer.APIVersion, t)
-		err := store.Close()
-		require.NoError(t, err)
+		store.Close()

-		newStore, err = store.Open()
-		require.NoError(t, err)
+		newStore, _ = store.Open()
 		if newStore {
 			t.Error("Expect store to NOT be new DB")
 		}
@@ -66,11 +63,8 @@ func TestMigrateData(t *testing.T) {

 	t.Run("MigrateData should create backup file upon update", func(t *testing.T) {
 		_, store := MustNewTestStore(t, true, false)
-		err := store.VersionService.UpdateVersion(&models.Version{SchemaVersion: "2.0", Edition: int(portainer.PortainerCE)})
-		require.NoError(t, err)
-
-		err = store.MigrateData()
-		require.NoError(t, err)
+		store.VersionService.UpdateVersion(&models.Version{SchemaVersion: "1.0", Edition: int(portainer.PortainerCE)})
+		store.MigrateData()

 		backupfilename := store.backupFilename()
 		if exists, _ := store.fileService.FileExists(backupfilename); !exists {
@@ -79,28 +73,21 @@ func TestMigrateData(t *testing.T) {
 	})

 	t.Run("MigrateData should recover and restore backup during migration critical failure", func(t *testing.T) {
-		t.Setenv("PORTAINER_TEST_MIGRATE_FAIL", "FAIL")
+		os.Setenv("PORTAINER_TEST_MIGRATE_FAIL", "FAIL")

 		version := "2.15"
 		_, store := MustNewTestStore(t, true, false)
+		store.VersionService.UpdateVersion(&models.Version{SchemaVersion: version, Edition: int(portainer.PortainerCE)})
+		store.MigrateData()

-		err := store.VersionService.UpdateVersion(&models.Version{SchemaVersion: version, Edition: int(portainer.PortainerCE)})
-		require.NoError(t, err)
-
-		err = store.MigrateData()
-		require.Error(t, err)
-
+		store.Open()
 		testVersion(store, version, t)
 	})

 	t.Run("MigrateData should fail to create backup if database file is set to updating", func(t *testing.T) {
 		_, store := MustNewTestStore(t, true, false)
-
-		err := store.VersionService.StoreIsUpdating(true)
-		require.NoError(t, err)
-
-		err = store.MigrateData()
-		require.Error(t, err)
+		store.VersionService.StoreIsUpdating(true)
+		store.MigrateData()

 		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
 		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
@@ -128,12 +115,10 @@ func TestMigrateData(t *testing.T) {

 		if latestMigrations.Version.Equal(semver.MustParse(portainer.APIVersion)) {
 			v.MigratorCount = len(latestMigrations.MigrationFuncs)
-			err = store.VersionService.UpdateVersion(v)
-			require.NoError(t, err)
+			store.VersionService.UpdateVersion(v)
 		}

-		err = store.MigrateData()
-		require.NoError(t, err)
+		store.MigrateData()

 		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
 		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
@@ -156,12 +141,8 @@ func TestMigrateData(t *testing.T) {
 		}

 		v.MigratorCount = 1000
-
-		err = store.VersionService.UpdateVersion(v)
-		require.NoError(t, err)
-
-		err = store.MigrateData()
-		require.NoError(t, err)
+		store.VersionService.UpdateVersion(v)
+		store.MigrateData()

 		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
 		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
@@ -177,14 +158,14 @@ func TestRollback(t *testing.T) {
 	t.Run("Rollback should restore upgrade after backup", func(t *testing.T) {
 		version := "2.11"

-		v := models.Version{SchemaVersion: version}
+		v := models.Version{
+			SchemaVersion: version,
+		}

 		_, store := MustNewTestStore(t, false, false)
+		store.VersionService.UpdateVersion(&v)

-		err := store.VersionService.UpdateVersion(&v)
-		require.NoError(t, err)
-
-		_, err = store.Backup("")
+		_, err := store.Backup("")
 		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
@@ -203,9 +184,7 @@ func TestRollback(t *testing.T) {
 			return
 		}

-		_, err = store.Open()
-		require.NoError(t, err)
-
+		store.Open()
 		testVersion(store, version, t)
 	})

@@ -218,11 +197,9 @@ func TestRollback(t *testing.T) {
 		}

 		_, store := MustNewTestStore(t, true, false)
+		store.VersionService.UpdateVersion(&v)

-		err := store.VersionService.UpdateVersion(&v)
-		require.NoError(t, err)
-
-		_, err = store.Backup("")
+		_, err := store.Backup("")
 		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
@@ -241,8 +218,7 @@ func TestRollback(t *testing.T) {
 			return
 		}

-		_, err = store.Open()
-		require.NoError(t, err)
+		store.Open()
 		testVersion(store, version, t)
 	})
 }
@@ -261,17 +237,17 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 	_, store := MustNewTestStore(t, true, false)

 	fmt.Println("store.path=", store.GetConnection().GetDatabaseFilePath())
-
-	err = store.connection.DeleteObject("version", []byte("VERSION"))
-	require.NoError(t, err)
+	store.connection.DeleteObject("version", []byte("VERSION"))

 	//	defer teardown()
-	if err := importJSON(t, bytes.NewReader(srcJSON), store); err != nil {
+	err = importJSON(t, bytes.NewReader(srcJSON), store)
+	if err != nil {
 		return err
 	}

 	// Run the actual migrations on our input database.
-	if err := store.MigrateData(); err != nil {
+	err = store.MigrateData()
+	if err != nil {
 		return err
 	}

@@ -284,7 +260,8 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 		}

 		v.InstanceID = "463d5c47-0ea5-4aca-85b1-405ceefee254"
-		if err := store.VersionService.UpdateVersion(v); err != nil {
+		err = store.VersionService.UpdateVersion(v)
+		if err != nil {
 			return err
 		}
 	}
@@ -293,10 +270,10 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 	// exportJson rather than ExportRaw. The exportJson function allows us to
 	// strip out the metadata which we don't want for our tests.
 	// TODO: update connection interface in CE to allow us to use ExportRaw and pass meta false
-	if err := store.connection.Close(); err != nil {
+	err = store.connection.Close()
+	if err != nil {
 		t.Fatalf("err closing bolt connection: %v", err)
 	}
-
 	con, ok := store.connection.(*boltdb.DbConnection)
 	if !ok {
 		t.Fatalf("backing database is not using boltdb, but the migrations test requires it")
@@ -325,15 +302,11 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 	// Compare the result we got with the one we wanted.
 	if diff := cmp.Diff(wantJSON, gotJSON); diff != "" {
 		gotPath := filepath.Join(os.TempDir(), "portainer-migrator-test-fail.json")
-		err = os.WriteFile(
+		os.WriteFile(
 			gotPath,
 			gotJSON,
 			0o600,
 		)
-		if err != nil {
-			log.Warn().Err(err).Msg("failed writing migrated output to temp file")
-		}
-
 		t.Errorf(
 			"migrate data from %s to %s failed\nwrote migrated input to %s\nmismatch (-want +got):\n%s",
 			srcPath,
--- a/api/datastore/migrate_dbversion33_test.go
+++ b/api/datastore/migrate_dbversion33_test.go
@@ -6,9 +6,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore/migrator"
 	gittypes "github.com/portainer/portainer/api/git/types"
-
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func TestMigrateStackEntryPoint(t *testing.T) {
@@ -30,25 +28,25 @@ func TestMigrateStackEntryPoint(t *testing.T) {

 	for _, s := range stacks {
 		err := stackService.Create(s)
-		require.NoError(t, err, "failed to create stack")
+		assert.NoError(t, err, "failed to create stack")
 	}

 	s, err := stackService.Read(1)
-	require.NoError(t, err)
+	assert.NoError(t, err)
 	assert.Nil(t, s.GitConfig, "first stack should not have git config")

 	s, err = stackService.Read(2)
-	require.NoError(t, err)
-	assert.Empty(t, s.GitConfig.ConfigFilePath, "not migrated yet migrated")
+	assert.NoError(t, err)
+	assert.Equal(t, "", s.GitConfig.ConfigFilePath, "not migrated yet migrated")

 	err = migrator.MigrateStackEntryPoint(stackService)
-	require.NoError(t, err, "failed to migrate entry point to Git ConfigFilePath")
+	assert.NoError(t, err, "failed to migrate entry point to Git ConfigFilePath")

 	s, err = stackService.Read(1)
-	require.NoError(t, err)
+	assert.NoError(t, err)
 	assert.Nil(t, s.GitConfig, "first stack should not have git config")

 	s, err = stackService.Read(2)
-	require.NoError(t, err)
+	assert.NoError(t, err)
 	assert.Equal(t, "dir/sub/compose.yml", s.GitConfig.ConfigFilePath, "second stack should have config file path migrated")
 }
--- a/api/datastore/migrate_legacyversion.go
+++ b/api/datastore/migrate_legacyversion.go
@@ -105,18 +105,12 @@ func (store *Store) getOrMigrateLegacyVersion() (*models.Version, error) {

 // finishMigrateLegacyVersion writes the new version to the DB and removes the old version keys from the DB
 func (store *Store) finishMigrateLegacyVersion(versionToWrite *models.Version) error {
-	if err := store.VersionService.UpdateVersion(versionToWrite); err != nil {
-		return err
-	}
+	err := store.VersionService.UpdateVersion(versionToWrite)

 	// Remove legacy keys if present
-	if err := store.connection.DeleteObject(bucketName, []byte(legacyDBVersionKey)); err != nil {
-		return err
-	}
+	store.connection.DeleteObject(bucketName, []byte(legacyDBVersionKey))
+	store.connection.DeleteObject(bucketName, []byte(legacyEditionKey))
+	store.connection.DeleteObject(bucketName, []byte(legacyInstanceKey))

-	if err := store.connection.DeleteObject(bucketName, []byte(legacyEditionKey)); err != nil {
-		return err
-	}
-
-	return store.connection.DeleteObject(bucketName, []byte(legacyInstanceKey))
+	return err
 }
--- a/api/datastore/migrator/migrate_2_33_test.go
+++ b/api/datastore/migrator/migrate_2_33_test.go
@@ -6,7 +6,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/dataservices/edgegroup"
-	"github.com/portainer/portainer/api/logs"

 	"github.com/stretchr/testify/require"
 )
@@ -16,7 +15,7 @@ func TestMigrateEdgeGroupEndpointsToRoars_2_33_0Idempotency(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer logs.CloseAndLogErr(conn)
+	defer conn.Close()

 	edgeGroupService, err := edgegroup.NewService(conn)
 	require.NoError(t, err)
@@ -40,7 +39,7 @@ func TestMigrateEdgeGroupEndpointsToRoars_2_33_0Idempotency(t *testing.T) {
 	migratedEdgeGroup, err := edgeGroupService.Read(edgeGroup.ID)
 	require.NoError(t, err)

-	require.Empty(t, migratedEdgeGroup.Endpoints)
+	require.Len(t, migratedEdgeGroup.Endpoints, 0)
 	require.Equal(t, len(edgeGroup.Endpoints), migratedEdgeGroup.EndpointIDs.Len())

 	// Run migration again to ensure the results didn't change
@@ -51,6 +50,6 @@ func TestMigrateEdgeGroupEndpointsToRoars_2_33_0Idempotency(t *testing.T) {
 	migratedEdgeGroup, err = edgeGroupService.Read(edgeGroup.ID)
 	require.NoError(t, err)

-	require.Empty(t, migratedEdgeGroup.Endpoints)
+	require.Len(t, migratedEdgeGroup.Endpoints, 0)
 	require.Equal(t, len(edgeGroup.Endpoints), migratedEdgeGroup.EndpointIDs.Len())
 }
--- a/api/datastore/migrator/migrate_ce.go
+++ b/api/datastore/migrator/migrate_ce.go
@@ -7,7 +7,7 @@ import (
 	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"

-	"github.com/Masterminds/semver/v3"
+	"github.com/Masterminds/semver"
 	"github.com/rs/zerolog/log"
 )

@@ -95,7 +95,7 @@ func (m *Migrator) NeedsMigration() bool {

 	// In this particular instance we should log a fatal error
 	if m.CurrentDBEdition() != portainer.PortainerCE {
-		log.Fatal().Msg("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://docs.portainer.io/faqs/upgrading/can-i-downgrade-from-portainer-business-to-portainer-ce")
+		log.Fatal().Msg("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")

 		return false
 	}
--- a/api/datastore/migrator/migrate_dbversion24.go
+++ b/api/datastore/migrator/migrate_dbversion24.go
@@ -21,6 +21,7 @@ func (m *Migrator) updateSettingsToDB25() error {
 	}

 	legacySettings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
+	legacySettings.EnableTelemetry = true

 	legacySettings.AllowContainerCapabilitiesForRegularUsers = true

--- a/api/datastore/migrator/migrate_dbversion31.go
+++ b/api/datastore/migrator/migrate_dbversion31.go
@@ -77,12 +77,8 @@ func (m *Migrator) updateRegistriesToDB32() error {
 				Namespaces:         []string{},
 			}
 		}
-
-		if err := m.registryService.Update(registry.ID, &registry); err != nil {
-			return err
-		}
+		m.registryService.Update(registry.ID, &registry)
 	}
-
 	return nil
 }

@@ -125,11 +121,10 @@ func (m *Migrator) updateDockerhubToDB32() error {
 			if !migrated {
 				// keep this one entry
 				migrated = true
+			} else {
 				// delete subsequent duplicates
-			} else if err := m.registryService.Delete(r.ID); err != nil {
-				return err
+				m.registryService.Delete(r.ID)
 			}
-
 		}
 	}

@@ -143,6 +138,7 @@ func (m *Migrator) updateDockerhubToDB32() error {
 	}

 	for _, endpoint := range endpoints {
+
 		if endpoint.Type != portainer.KubernetesLocalEnvironment &&
 			endpoint.Type != portainer.AgentOnKubernetesEnvironment &&
 			endpoint.Type != portainer.EdgeAgentOnKubernetesEnvironment {
@@ -150,14 +146,18 @@ func (m *Migrator) updateDockerhubToDB32() error {
 			userAccessPolicies := portainer.UserAccessPolicies{}
 			for userId := range endpoint.UserAccessPolicies {
 				if _, found := endpoint.UserAccessPolicies[userId]; found {
-					userAccessPolicies[userId] = portainer.AccessPolicy{RoleID: 0}
+					userAccessPolicies[userId] = portainer.AccessPolicy{
+						RoleID: 0,
+					}
 				}
 			}

 			teamAccessPolicies := portainer.TeamAccessPolicies{}
 			for teamId := range endpoint.TeamAccessPolicies {
 				if _, found := endpoint.TeamAccessPolicies[teamId]; found {
-					teamAccessPolicies[teamId] = portainer.AccessPolicy{RoleID: 0}
+					teamAccessPolicies[teamId] = portainer.AccessPolicy{
+						RoleID: 0,
+					}
 				}
 			}

--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -29,7 +29,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/version"
 	"github.com/portainer/portainer/api/internal/authorization"

-	"github.com/Masterminds/semver/v3"
+	"github.com/Masterminds/semver"
 	"github.com/rs/zerolog/log"
 )

@@ -258,8 +258,6 @@ func (m *Migrator) initMigrations() {

 	m.addMigrations("2.33.1", m.migrateEdgeGroupEndpointsToRoars_2_33_0)

-	// WARNING: do not change migrations that have already been released!
-
 	// Add new migrations above...
 	// One function per migration, each versions migration funcs in the same file.
 }
--- a/api/datastore/pendingactions_test.go
+++ b/api/datastore/pendingactions_test.go
@@ -6,7 +6,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/pendingactions/actions"
 	"github.com/portainer/portainer/api/pendingactions/handlers"
-	"github.com/stretchr/testify/require"
 )

 type cleanNAPWithOverridePolicies struct {
@@ -17,10 +16,7 @@ func Test_ConvertCleanNAPWithOverridePoliciesPayload(t *testing.T) {
 	t.Run("test ConvertCleanNAPWithOverridePoliciesPayload", func(t *testing.T) {

 		_, store := MustNewTestStore(t, true, false)
-		defer func() {
-			err := store.Close()
-			require.NoError(t, err)
-		}()
+		defer store.Close()

 		gid := portainer.EndpointGroupID(1)

@@ -96,8 +92,7 @@ func Test_ConvertCleanNAPWithOverridePoliciesPayload(t *testing.T) {
 				})
 			}

-			err = store.PendingActions().Delete(d.PendingAction.ID)
-			require.NoError(t, err)
+			store.PendingActions().Delete(d.PendingAction.ID)
 		}
 	})
 }
--- a/api/datastore/postinit/migrate_post_init.go
+++ b/api/datastore/postinit/migrate_post_init.go
@@ -1,10 +1,8 @@
 package postinit

 import (
-	"cmp"
 	"context"
 	"fmt"
-	"slices"

 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
@@ -13,7 +11,6 @@ import (
 	dockerClient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/api/kubernetes/cli"
-	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/api/pendingactions/actions"
 	"github.com/portainer/portainer/pkg/endpoints"

@@ -46,65 +43,40 @@ func NewPostInitMigrator(

 // PostInitMigrate will run all post-init migrations, which require docker/kube clients for all edge or non-edge environments
 func (postInitMigrator *PostInitMigrator) PostInitMigrate() error {
-	var environments []portainer.Endpoint
+	environments, err := postInitMigrator.dataStore.Endpoint().Endpoints()
+	if err != nil {
+		log.Error().Err(err).Msg("Error getting environments")
+		return err
+	}

-	if err := postInitMigrator.dataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
-		var err error
-		if environments, err = tx.Endpoint().ReadAll(func(endpoint portainer.Endpoint) bool {
-			return endpoints.HasDirectConnectivity(&endpoint)
-		}); err != nil {
-			return fmt.Errorf("failed to retrieve environments: %w", err)
-		}
-
-		var pendingActions []portainer.PendingAction
-		if pendingActions, err = tx.PendingActions().ReadAll(func(action portainer.PendingAction) bool {
-			return action.Action == actions.PostInitMigrateEnvironment
-		}); err != nil {
-			return fmt.Errorf("failed to retrieve pending actions: %w", err)
-		}
-
-		// Sort for the binary search in createPostInitMigrationPendingAction()
-		slices.SortFunc(pendingActions, func(a, b portainer.PendingAction) int {
-			return cmp.Compare(a.EndpointID, b.EndpointID)
-		})
-
-		for _, environment := range environments {
-			if !endpoints.IsEdgeEndpoint(&environment) {
+	for _, environment := range environments {
+		// edge environments will run after the server starts, in pending actions
+		if endpoints.IsEdgeEndpoint(&environment) {
+			// Skip edge environments that do not have direct connectivity
+			if !endpoints.HasDirectConnectivity(&environment) {
 				continue
 			}

-			// Edge environments will run after the server starts, in pending actions
 			log.Info().
 				Int("endpoint_id", int(environment.ID)).
 				Msg("adding pending action 'PostInitMigrateEnvironment' for environment")

-			if err := postInitMigrator.createPostInitMigrationPendingAction(tx, environment.ID, pendingActions); err != nil {
+			if err := postInitMigrator.createPostInitMigrationPendingAction(environment.ID); err != nil {
 				log.Error().
 					Err(err).
 					Int("endpoint_id", int(environment.ID)).
 					Msg("error creating pending action for environment")
 			}
+		} else {
+			// Non-edge environments will run before the server starts.
+			if err := postInitMigrator.MigrateEnvironment(&environment); err != nil {
+				log.Error().
+					Err(err).
+					Int("endpoint_id", int(environment.ID)).
+					Msg("error running post-init migrations for non-edge environment")
+			}
 		}

-		return err
-	}); err != nil {
-		log.Error().Err(err).Msg("error running post-init migrations")
-
-		return err
-	}
-
-	for _, environment := range environments {
-		if endpoints.IsEdgeEndpoint(&environment) {
-			continue
-		}
-
-		// Non-edge environments will run before the server starts.
-		if err := postInitMigrator.MigrateEnvironment(&environment); err != nil {
-			log.Error().
-				Err(err).
-				Int("endpoint_id", int(environment.ID)).
-				Msg("error running post-init migrations for non-edge environment")
-		}
 	}

 	return nil
@@ -112,73 +84,56 @@ func (postInitMigrator *PostInitMigrator) PostInitMigrate() error {

 // try to create a post init migration pending action. If it already exists, do nothing
 // this function exists for readability, not reusability
-// pending actions must be passed in ascending order by endpoint ID
-func (postInitMigrator *PostInitMigrator) createPostInitMigrationPendingAction(tx dataservices.DataStoreTx, environmentID portainer.EndpointID, pendingActions []portainer.PendingAction) error {
+func (postInitMigrator *PostInitMigrator) createPostInitMigrationPendingAction(environmentID portainer.EndpointID) error {
 	action := portainer.PendingAction{
 		EndpointID: environmentID,
 		Action:     actions.PostInitMigrateEnvironment,
 	}
-
-	if _, found := slices.BinarySearchFunc(pendingActions, environmentID, func(e portainer.PendingAction, id portainer.EndpointID) int {
-		return cmp.Compare(e.EndpointID, id)
-	}); found {
-		log.Debug().
-			Str("action", action.Action).
-			Int("endpoint_id", int(action.EndpointID)).
-			Msg("pending action already exists for environment, skipping...")
-
-		return nil
+	pendingActions, err := postInitMigrator.dataStore.PendingActions().ReadAll()
+	if err != nil {
+		return fmt.Errorf("failed to retrieve pending actions: %w", err)
 	}

-	return tx.PendingActions().Create(&action)
+	for _, dba := range pendingActions {
+		if dba.EndpointID == action.EndpointID && dba.Action == action.Action {
+			log.Debug().
+				Str("action", action.Action).
+				Int("endpoint_id", int(action.EndpointID)).
+				Msg("pending action already exists for environment, skipping...")
+			return nil
+		}
+	}
+
+	return postInitMigrator.dataStore.PendingActions().Create(&action)
 }

 // MigrateEnvironment runs migrations on a single environment
 func (migrator *PostInitMigrator) MigrateEnvironment(environment *portainer.Endpoint) error {
-	log.Info().
-		Int("endpoint_id", int(environment.ID)).
-		Msg("executing post init migration for environment")
+	log.Info().Msgf("Executing post init migration for environment %d", environment.ID)

 	switch {
 	case endpointutils.IsKubernetesEndpoint(environment):
 		// get the kubeclient for the environment, and skip all kube migrations if there's an error
 		kubeclient, err := migrator.kubeFactory.GetPrivilegedKubeClient(environment)
 		if err != nil {
-			log.Error().
-				Err(err).
-				Int("endpoint_id", int(environment.ID)).
-				Msg("error creating kubeclient for environment")
-
+			log.Error().Err(err).Msgf("Error creating kubeclient for environment: %d", environment.ID)
 			return err
 		}
-
-		// If one environment fails, it is logged and the next migration runs. The error is returned at the end and handled by pending actions
-		if err := migrator.MigrateIngresses(*environment, kubeclient); err != nil {
+		// if one environment fails, it is logged and the next migration runs. The error is returned at the end and handled by pending actions
+		err = migrator.MigrateIngresses(*environment, kubeclient)
+		if err != nil {
 			return err
 		}
-
 		return nil
 	case endpointutils.IsDockerEndpoint(environment):
 		// get the docker client for the environment, and skip all docker migrations if there's an error
 		dockerClient, err := migrator.dockerFactory.CreateClient(environment, "", nil)
 		if err != nil {
-			log.Error().
-				Err(err).
-				Int("endpoint_id", int(environment.ID)).
-				Msg("error creating docker client for environment")
-
-			return err
-		}
-		defer logs.CloseAndLogErr(dockerClient)
-
-		if err := migrator.MigrateGPUs(*environment, dockerClient); err != nil {
-			log.Error().
-				Err(err).
-				Int("endpoint_id", int(environment.ID)).
-				Msg("error migrating GPUs for environment")
-
+			log.Error().Err(err).Msgf("Error creating docker client for environment: %d", environment.ID)
 			return err
 		}
+		defer dockerClient.Close()
+		migrator.MigrateGPUs(*environment, dockerClient)
 	}

 	return nil
@@ -189,20 +144,13 @@ func (migrator *PostInitMigrator) MigrateIngresses(environment portainer.Endpoin
 	if !environment.PostInitMigrations.MigrateIngresses {
 		return nil
 	}
+	log.Debug().Msgf("Migrating ingresses for environment %d", environment.ID)

-	log.Debug().
-		Int("endpoint_id", int(environment.ID)).
-		Msg("migrating ingresses for environment")
-
-	if err := migrator.kubeFactory.MigrateEndpointIngresses(&environment, migrator.dataStore, kubeclient); err != nil {
-		log.Error().
-			Err(err).
-			Int("endpoint_id", int(environment.ID)).
-			Msg("error migrating ingresses for environment")
-
+	err := migrator.kubeFactory.MigrateEndpointIngresses(&environment, migrator.dataStore, kubeclient)
+	if err != nil {
+		log.Error().Err(err).Msgf("Error migrating ingresses for environment %d", environment.ID)
 		return err
 	}
-
 	return nil
 }

@@ -212,42 +160,29 @@ func (migrator *PostInitMigrator) MigrateGPUs(e portainer.Endpoint, dockerClient
 	return migrator.dataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
 		environment, err := tx.Endpoint().Endpoint(e.ID)
 		if err != nil {
-			log.Error().
-				Err(err).
-				Int("endpoint_id", int(e.ID)).
-				Msg("error getting environment")
-
+			log.Error().Err(err).Msgf("Error getting environment %d", e.ID)
 			return err
 		}
-
 		// Early exit if we do not need to migrate!
 		if !environment.PostInitMigrations.MigrateGPUs {
 			return nil
 		}
+		log.Debug().Msgf("Migrating GPUs for environment %d", e.ID)

-		log.Debug().
-			Int("endpoint_id", int(e.ID)).
-			Msg("migrating GPUs for environment")
-
-		// Get all containers
+		// get all containers
 		containers, err := dockerClient.ContainerList(context.Background(), container.ListOptions{All: true})
 		if err != nil {
-			log.Error().
-				Err(err).
-				Int("endpoint_id", int(environment.ID)).
-				Msg("failed to list containers for environment")
-
+			log.Error().Err(err).Msgf("failed to list containers for environment %d", environment.ID)
 			return err
 		}

-		// Check for a gpu on each container. If even one GPU is found, set EnableGPUManagement to true for the whole environment
+		// check for a gpu on each container. If even one GPU is found, set EnableGPUManagement to true for the whole environment
 	containersLoop:
 		for _, container := range containers {
 			// https://www.sobyte.net/post/2022-10/go-docker/ has nice documentation on the docker client with GPUs
 			containerDetails, err := dockerClient.ContainerInspect(context.Background(), container.ID)
 			if err != nil {
 				log.Error().Err(err).Msg("failed to inspect container")
-
 				continue
 			}

@@ -261,14 +196,10 @@ func (migrator *PostInitMigrator) MigrateGPUs(e portainer.Endpoint, dockerClient
 			}
 		}

-		// Set the MigrateGPUs flag to false so we don't run this again
+		// set the MigrateGPUs flag to false so we don't run this again
 		environment.PostInitMigrations.MigrateGPUs = false
 		if err := tx.Endpoint().UpdateEndpoint(environment.ID, environment); err != nil {
-			log.Error().
-				Err(err).
-				Int("endpoint_id", int(environment.ID)).
-				Msg("error updating EnableGPUManagement flag for environment")
-
+			log.Error().Err(err).Msgf("Error updating EnableGPUManagement flag for environment %d", environment.ID)
 			return err
 		}

--- a/api/datastore/postinit/migrate_post_init_test.go
+++ b/api/datastore/postinit/migrate_post_init_test.go
@@ -22,9 +22,8 @@ func TestMigrateGPUs(t *testing.T) {
 		if strings.HasSuffix(r.URL.Path, "/containers/json") {
 			containerSummary := []container.Summary{{ID: "container1"}}

-			if err := json.NewEncoder(w).Encode(containerSummary); err != nil {
-				w.WriteHeader(http.StatusInternalServerError)
-			}
+			err := json.NewEncoder(w).Encode(containerSummary)
+			require.NoError(t, err)

 			return
 		}
@@ -42,9 +41,8 @@ func TestMigrateGPUs(t *testing.T) {
 			},
 		}

-		if err := json.NewEncoder(w).Encode(container); err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
-		}
+		err := json.NewEncoder(w).Encode(container)
+		require.NoError(t, err)
 	}))
 	defer srv.Close()

@@ -131,12 +129,12 @@ func TestPostInitMigrate_PendingActionsCreated(t *testing.T) {
 				EdgeID: "edgeID",
 			}
 			err := store.Endpoint().Create(endpoint)
-			require.NoError(t, err, "error creating endpoint")
+			is.NoError(err, "error creating endpoint")

 			// Create any existing pending actions
 			for _, action := range tt.existingPendingActions {
 				err = store.PendingActions().Create(action)
-				require.NoError(t, err, "error creating pending action")
+				is.NoError(err, "error creating pending action")
 			}

 			migrator := NewPostInitMigrator(
@@ -148,11 +146,11 @@ func TestPostInitMigrate_PendingActionsCreated(t *testing.T) {
 			)

 			err = migrator.PostInitMigrate()
-			require.NoError(t, err, "PostInitMigrate should not return error")
+			is.NoError(err, "PostInitMigrate should not return error")

 			// Verify the results
 			pendingActions, err := store.PendingActions().ReadAll()
-			require.NoError(t, err, "error reading pending actions")
+			is.NoError(err, "error reading pending actions")
 			is.Len(pendingActions, tt.expectedPendingActions, "unexpected number of pending actions")

 			// If we expect any actions, verify at least one has the expected action type
@@ -162,11 +160,9 @@ func TestPostInitMigrate_PendingActionsCreated(t *testing.T) {
 					if action.Action == tt.expectedAction {
 						hasExpectedAction = true
 						is.Equal(endpoint.ID, action.EndpointID, "action should reference correct endpoint")
-
 						break
 					}
 				}
-
 				is.True(hasExpectedAction, "should have found action of expected type")
 			}
 		})
--- a/api/datastore/services.go
+++ b/api/datastore/services.go
@@ -391,16 +391,16 @@ type storeExport struct {
 	ResourceControl    []portainer.ResourceControl    `json:"resource_control,omitempty"`
 	Role               []portainer.Role               `json:"roles,omitempty"`
 	Schedules          []portainer.Schedule           `json:"schedules,omitempty"`
-	Settings           portainer.Settings             `json:"settings,omitzero"`
+	Settings           portainer.Settings             `json:"settings,omitempty"`
 	Snapshot           []portainer.Snapshot           `json:"snapshots,omitempty"`
-	SSLSettings        portainer.SSLSettings          `json:"ssl,omitzero"`
+	SSLSettings        portainer.SSLSettings          `json:"ssl,omitempty"`
 	Stack              []portainer.Stack              `json:"stacks,omitempty"`
 	Tag                []portainer.Tag                `json:"tags,omitempty"`
 	TeamMembership     []portainer.TeamMembership     `json:"team_membership,omitempty"`
 	Team               []portainer.Team               `json:"teams,omitempty"`
-	TunnelServer       portainer.TunnelServerInfo     `json:"tunnel_server,omitzero"`
+	TunnelServer       portainer.TunnelServerInfo     `json:"tunnel_server,omitempty"`
 	User               []portainer.User               `json:"users,omitempty"`
-	Version            models.Version                 `json:"version,omitzero"`
+	Version            models.Version                 `json:"version,omitempty"`
 	Webhook            []portainer.Webhook            `json:"webhooks,omitempty"`
 	Metadata           map[string]any                 `json:"metadata,omitempty"`
 }
@@ -625,129 +625,85 @@ func (store *Store) Import(filename string) (err error) {
 		return err
 	}

-	err = store.Version().UpdateVersion(&backup.Version)
-	if err != nil {
-		return err
-	}
+	store.Version().UpdateVersion(&backup.Version)

 	for _, v := range backup.CustomTemplate {
-		if err := store.CustomTemplate().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the custom template in the database")
-		}
+		store.CustomTemplate().Update(v.ID, &v)
 	}

 	for _, v := range backup.EdgeGroup {
-		if err := store.EdgeGroup().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the edge group in the database")
-		}
+		store.EdgeGroup().Update(v.ID, &v)
 	}

 	for _, v := range backup.EdgeJob {
-		if err := store.EdgeJob().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the edge job in the database")
-		}
+		store.EdgeJob().Update(v.ID, &v)
 	}

 	for _, v := range backup.EdgeStack {
-		if err := store.EdgeStack().UpdateEdgeStack(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the edge stack in the database")
-		}
+		store.EdgeStack().UpdateEdgeStack(v.ID, &v)
 	}

 	for _, v := range backup.Endpoint {
-		if err := store.Endpoint().UpdateEndpoint(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the endpoint in the database")
-		}
+		store.Endpoint().UpdateEndpoint(v.ID, &v)
 	}

 	for _, v := range backup.EndpointGroup {
-		if err := store.EndpointGroup().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the endpoint group in the database")
-		}
+		store.EndpointGroup().Update(v.ID, &v)
 	}

 	for _, v := range backup.EndpointRelation {
-		if err := store.EndpointRelation().UpdateEndpointRelation(v.EndpointID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the endpoint relation in the database")
-		}
+		store.EndpointRelation().UpdateEndpointRelation(v.EndpointID, &v)
 	}

 	for _, v := range backup.HelmUserRepository {
-		if err := store.HelmUserRepository().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the helm user repository in the database")
-		}
+		store.HelmUserRepository().Update(v.ID, &v)
 	}

 	for _, v := range backup.Registry {
-		if err := store.Registry().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the registry in the database")
-		}
+		store.Registry().Update(v.ID, &v)
 	}

 	for _, v := range backup.ResourceControl {
-		if err := store.ResourceControl().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the resource control in the database")
-		}
+		store.ResourceControl().Update(v.ID, &v)
 	}

 	for _, v := range backup.Role {
-		if err := store.Role().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the role in the database")
-		}
+		store.Role().Update(v.ID, &v)
 	}

-	if err := store.Settings().UpdateSettings(&backup.Settings); err != nil {
-		log.Warn().Err(err).Msg("failed to update the settings in the database")
-	}
-
-	if err := store.SSLSettings().UpdateSettings(&backup.SSLSettings); err != nil {
-		log.Warn().Err(err).Msg("failed to update the SSL settings in the database")
-	}
+	store.Settings().UpdateSettings(&backup.Settings)
+	store.SSLSettings().UpdateSettings(&backup.SSLSettings)

 	for _, v := range backup.Snapshot {
-		if err := store.Snapshot().Update(v.EndpointID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the snapshot in the database")
-		}
+		store.Snapshot().Update(v.EndpointID, &v)
 	}

 	for _, v := range backup.Stack {
-		if err := store.Stack().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the stack in the database")
-		}
+		store.Stack().Update(v.ID, &v)
 	}

 	for _, v := range backup.Tag {
-		if err := store.Tag().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the tag in the database")
-		}
+		store.Tag().Update(v.ID, &v)
 	}

 	for _, v := range backup.TeamMembership {
-		if err := store.TeamMembership().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the team membership in the database")
-		}
+		store.TeamMembership().Update(v.ID, &v)
 	}

 	for _, v := range backup.Team {
-		if err := store.Team().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the team in the database")
-		}
+		store.Team().Update(v.ID, &v)
 	}

-	if err := store.TunnelServer().UpdateInfo(&backup.TunnelServer); err != nil {
-		log.Warn().Err(err).Msg("failed to update the tunnel server info in the database")
-	}
+	store.TunnelServer().UpdateInfo(&backup.TunnelServer)

 	for _, user := range backup.User {
 		if err := store.User().Update(user.ID, &user); err != nil {
-			log.Warn().Str("user", fmt.Sprintf("%+v", user)).Err(err).Msg("failed to update the user in the database")
+			log.Debug().Str("user", fmt.Sprintf("%+v", user)).Err(err).Msg("failed to update the user in the database")
 		}
 	}

 	for _, v := range backup.Webhook {
-		if err := store.Webhook().Update(v.ID, &v); err != nil {
-			log.Warn().Err(err).Msg("failed to update the webhook in the database")
-		}
+		store.Webhook().Update(v.ID, &v)
 	}

 	return store.connection.RestoreMetadata(backup.Metadata)
--- a/api/datastore/services_tx.go
+++ b/api/datastore/services_tx.go
@@ -74,9 +74,7 @@ func (tx *StoreTx) Snapshot() dataservices.SnapshotService {
 	return tx.store.SnapshotService.Tx(tx.tx)
 }

-func (tx *StoreTx) SSLSettings() dataservices.SSLSettingsService {
-	return tx.store.SSLSettingsService.Tx(tx.tx)
-}
+func (tx *StoreTx) SSLSettings() dataservices.SSLSettingsService { return nil }

 func (tx *StoreTx) Stack() dataservices.StackService {
 	return tx.store.StackService.Tx(tx.tx)
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -83,13 +83,13 @@
        "MigrateIngresses": true
      },
      "PublicURL": "",
+      "QueryDate": 0,
      "SecuritySettings": {
        "allowBindMountsForRegularUsers": true,
        "allowContainerCapabilitiesForRegularUsers": true,
        "allowDeviceMappingForRegularUsers": true,
        "allowHostNamespaceForRegularUsers": true,
        "allowPrivilegedModeForRegularUsers": true,
-        "allowSecurityOptForRegularUsers": false,
        "allowStackManagementForRegularUsers": true,
        "allowSysctlSettingForRegularUsers": false,
        "allowVolumeBrowserForRegularUsers": false,
@@ -604,6 +604,7 @@
    "EdgeAgentCheckinInterval": 5,
    "EdgePortainerUrl": "",
    "EnableEdgeComputeFeatures": false,
+    "EnableTelemetry": true,
    "EnforceEdgeID": false,
    "FeatureFlagSettings": null,
    "GlobalDeploymentOptions": {
@@ -614,7 +615,7 @@
      "RequiredPasswordLength": 12
    },
    "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.39.0",
+    "KubectlShellImage": "portainer/kubectl-shell:2.33.3",
    "LDAPSettings": {
      "AnonymousMode": true,
      "AutoCreateUsers": true,
@@ -943,7 +944,7 @@
    }
  ],
  "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.39.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.33.3\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
  },
  "webhooks": null
 }
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@@ -11,7 +11,6 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
-	"github.com/rs/zerolog/log"

 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/client"
@@ -144,16 +143,11 @@ func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error)

 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		if err := resp.Body.Close(); err != nil {
-			log.Warn().Err(err).Msg("failed to close response body")
-		}
-
+		resp.Body.Close()
 		return resp, err
 	}

-	if err := resp.Body.Close(); err != nil {
-		log.Warn().Err(err).Msg("failed to close response body")
-	}
+	resp.Body.Close()

 	resp.Body = io.NopCloser(bytes.NewReader(body))

--- a/api/docker/container.go
+++ b/api/docker/container.go
@@ -8,9 +8,8 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/docker/images"
-	"github.com/portainer/portainer/api/logs"

-	"github.com/Masterminds/semver/v3"
+	"github.com/Masterminds/semver"
 	"github.com/docker/docker/api/types"
 	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
@@ -76,7 +75,7 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 	if err != nil {
 		return nil, errors.Wrap(err, "create client error")
 	}
-	defer logs.CloseAndLogErr(cli)
+	defer cli.Close()

 	log.Debug().Str("container_id", containerId).Msg("starting to fetch container information")

@@ -147,19 +146,13 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End

 	c.sr.push(func() {
 		log.Debug().Str("container_id", containerId).Str("container", container.Name).Msg("restoring the container")
-		if err := cli.ContainerRename(ctx, containerId, container.Name); err != nil {
-			log.Warn().Err(err).Msg("failure to rename container")
-		}
+		cli.ContainerRename(ctx, containerId, container.Name)

 		for _, network := range container.NetworkSettings.Networks {
-			if err := cli.NetworkConnect(ctx, network.NetworkID, containerId, network); err != nil {
-				log.Warn().Err(err).Msg("failure to connect container to network")
-			}
+			cli.NetworkConnect(ctx, network.NetworkID, containerId, network)
 		}

-		if err := cli.ContainerStart(ctx, containerId, dockercontainer.StartOptions{}); err != nil {
-			log.Warn().Err(err).Msg("failure to start container")
-		}
+		cli.ContainerStart(ctx, containerId, dockercontainer.StartOptions{})
 	})

 	log.Debug().Str("container", strings.Split(container.Name, "/")[1]).Msg("starting to create a new container")
@@ -182,14 +175,8 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End

 	c.sr.push(func() {
 		log.Debug().Str("container_id", create.ID).Msg("removing the new container")
-
-		if err := cli.ContainerStop(ctx, create.ID, dockercontainer.StopOptions{}); err != nil {
-			log.Warn().Err(err).Msg("failure to stop container")
-		}
-
-		if err := cli.ContainerRemove(ctx, create.ID, dockercontainer.RemoveOptions{}); err != nil {
-			log.Warn().Err(err).Msg("failure to remove container")
-		}
+		cli.ContainerStop(ctx, create.ID, dockercontainer.StopOptions{})
+		cli.ContainerRemove(ctx, create.ID, dockercontainer.RemoveOptions{})
 	})

 	if err != nil {
--- a/api/docker/container_stats.go
+++ b/api/docker/container_stats.go
@@ -0,0 +1,37 @@
+package docker
+
+import "github.com/docker/docker/api/types"
+
+type ContainerStats struct {
+	Running   int `json:"running"`
+	Stopped   int `json:"stopped"`
+	Healthy   int `json:"healthy"`
+	Unhealthy int `json:"unhealthy"`
+	Total     int `json:"total"`
+}
+
+func CalculateContainerStats(containers []types.Container) ContainerStats {
+	var running, stopped, healthy, unhealthy int
+	for _, container := range containers {
+		switch container.State {
+		case "running":
+			running++
+		case "healthy":
+			running++
+			healthy++
+		case "unhealthy":
+			running++
+			unhealthy++
+		case "exited", "stopped":
+			stopped++
+		}
+	}
+
+	return ContainerStats{
+		Running:   running,
+		Stopped:   stopped,
+		Healthy:   healthy,
+		Unhealthy: unhealthy,
+		Total:     len(containers),
+	}
+}
--- a/api/docker/container_stats_test.go
+++ b/api/docker/container_stats_test.go
@@ -0,0 +1,27 @@
+package docker
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCalculateContainerStats(t *testing.T) {
+	containers := []types.Container{
+		{State: "running"},
+		{State: "running"},
+		{State: "exited"},
+		{State: "stopped"},
+		{State: "healthy"},
+		{State: "unhealthy"},
+	}
+
+	stats := CalculateContainerStats(containers)
+
+	assert.Equal(t, 4, stats.Running)
+	assert.Equal(t, 2, stats.Stopped)
+	assert.Equal(t, 1, stats.Healthy)
+	assert.Equal(t, 1, stats.Unhealthy)
+	assert.Equal(t, 6, stats.Total)
+}
--- a/api/docker/images/digest.go
+++ b/api/docker/images/digest.go
@@ -7,12 +7,12 @@ import (

 	dockerclient "github.com/portainer/portainer/api/docker/client"

+	"github.com/containers/image/v5/docker"
+	imagetypes "github.com/containers/image/v5/types"
 	"github.com/docker/docker/api/types/image"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
-	"go.podman.io/image/v5/docker"
-	imagetypes "go.podman.io/image/v5/types"
 )

 // Options holds docker registry object options
--- a/api/docker/images/image.go
+++ b/api/docker/images/image.go
@@ -7,11 +7,11 @@ import (
 	"strings"
 	"text/template"

+	"github.com/containers/image/v5/docker/reference"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/image"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
-	"go.podman.io/image/v5/docker/reference"
 )

 type ImageID string
--- a/api/docker/images/image_test.go
+++ b/api/docker/images/image_test.go
@@ -4,7 +4,6 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func TestImageParser(t *testing.T) {
@@ -15,7 +14,7 @@ func TestImageParser(t *testing.T) {
 		image, err := ParseImage(ParseImageOptions{
 			Name: "portainer/portainer-ee",
 		})
-		require.NoError(t, err)
+		is.NoError(err, "")
 		is.Equal("docker.io/portainer/portainer-ee:latest", image.FullName())
 		is.Equal("portainer/portainer-ee", image.Opts.Name)
 		is.Equal("latest", image.Tag)
@@ -31,10 +30,10 @@ func TestImageParser(t *testing.T) {
 		image, err := ParseImage(ParseImageOptions{
 			Name: "gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
-		require.NoError(t, err)
+		is.NoError(err, "")
 		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.FullName())
 		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
-		is.Empty(image.Tag)
+		is.Equal("", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
 		is.Equal("https://gcr.io/k8s-minikube/kicbase", image.HubLink)
@@ -48,7 +47,7 @@ func TestImageParser(t *testing.T) {
 		image, err := ParseImage(ParseImageOptions{
 			Name: "gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
-		require.NoError(t, err)
+		is.NoError(err, "")
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
@@ -69,9 +68,8 @@ func TestUpdateParsedImage(t *testing.T) {
 		image, err := ParseImage(ParseImageOptions{
 			Name: "gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
-		require.NoError(t, err)
-		err = image.WithTag("v0.0.31")
-		require.NoError(t, err)
+		is.NoError(err, "")
+		_ = image.WithTag("v0.0.31")
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.31", image.FullName())
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.31", image.Tag)
@@ -88,9 +86,8 @@ func TestUpdateParsedImage(t *testing.T) {
 		image, err := ParseImage(ParseImageOptions{
 			Name: "gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
-		require.NoError(t, err)
-		err = image.WithDigest("sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b3")
-		require.NoError(t, err)
+		is.NoError(err, "")
+		_ = image.WithDigest("sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b3")
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
@@ -107,9 +104,8 @@ func TestUpdateParsedImage(t *testing.T) {
 		image, err := ParseImage(ParseImageOptions{
 			Name: "gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
-		require.NoError(t, err)
-		err = image.TrimDigest()
-		require.NoError(t, err)
+		is.NoError(err, "")
+		_ = image.TrimDigest()
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
--- a/api/docker/images/puller.go
+++ b/api/docker/images/puller.go
@@ -5,7 +5,6 @@ import (
 	"io"

 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/logs"

 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/client"
@@ -43,7 +42,7 @@ func (puller *Puller) Pull(ctx context.Context, img Image) error {
 	if err != nil {
 		return err
 	}
-	defer logs.CloseAndLogErr(out)
+	defer out.Close()

 	_, err = io.ReadAll(out)

--- a/api/docker/images/ref.go
+++ b/api/docker/images/ref.go
@@ -3,8 +3,8 @@ package images
 import (
 	"strings"

-	"go.podman.io/image/v5/docker"
-	"go.podman.io/image/v5/types"
+	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/types"
 )

 func ParseReference(imageStr string) (types.ImageReference, error) {
--- a/api/docker/images/registry_test.go
+++ b/api/docker/images/registry_test.go
@@ -4,9 +4,7 @@ import (
 	"testing"

 	portainer "github.com/portainer/portainer/api"
-
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func TestFindBestMatchNeedAuthRegistry(t *testing.T) {
@@ -17,9 +15,9 @@ func TestFindBestMatchNeedAuthRegistry(t *testing.T) {
 		registries := []portainer.Registry{createNewRegistry("docker.io", "USERNAME", false),
 			createNewRegistry("hub-mirror.c.163.com", "", false)}
 		r, err := findBestMatchRegistry(image, registries)
-		require.NoError(t, err)
-		is.NotNil(r)
-		is.False(r.Authentication)
+		is.NoError(err, "")
+		is.NotNil(r, "")
+		is.False(r.Authentication, "")
 		is.Equal("docker.io", r.URL)
 	})

@@ -28,9 +26,9 @@ func TestFindBestMatchNeedAuthRegistry(t *testing.T) {
 		registries := []portainer.Registry{createNewRegistry("docker.io", "", false),
 			createNewRegistry("hub-mirror.c.163.com", "USERNAME", false)}
 		r, err := findBestMatchRegistry(image, registries)
-		require.NoError(t, err)
-		is.NotNil(r)
-		is.False(r.Authentication)
+		is.NoError(err, "")
+		is.NotNil(r, "")
+		is.False(r.Authentication, "")
 		is.Equal("docker.io", r.URL)
 	})

@@ -39,9 +37,9 @@ func TestFindBestMatchNeedAuthRegistry(t *testing.T) {
 		registries := []portainer.Registry{createNewRegistry("docker.io", "USERNAME", true),
 			createNewRegistry("hub-mirror.c.163.com", "", false)}
 		r, err := findBestMatchRegistry(image, registries)
-		require.NoError(t, err)
-		is.NotNil(r)
-		is.True(r.Authentication)
+		is.NoError(err, "")
+		is.NotNil(r, "")
+		is.True(r.Authentication, "")
 		is.Equal("docker.io", r.URL)
 	})

@@ -49,9 +47,9 @@ func TestFindBestMatchNeedAuthRegistry(t *testing.T) {
 		image := "portainer/portainer-ee:latest"
 		registries := []portainer.Registry{createNewRegistry("docker.io", "", true)}
 		r, err := findBestMatchRegistry(image, registries)
-		require.NoError(t, err)
-		is.NotNil(r)
-		is.True(r.Authentication)
+		is.NoError(err, "")
+		is.NotNil(r, "")
+		is.True(r.Authentication, "")
 		is.Equal("docker.io", r.URL)
 	})
 }
--- a/api/docker/images/status.go
+++ b/api/docker/images/status.go
@@ -280,7 +280,13 @@ func contains(statuses []Status, status Status) bool {
 		return false
 	}

-	return slices.Contains(statuses, status)
+	for _, s := range statuses {
+		if s == status {
+			return true
+		}
+	}
+
+	return false
 }

 func allMatch(statuses []Status, status Status) bool {
--- a/api/docker/snapshot.go
+++ b/api/docker/snapshot.go
@@ -3,7 +3,6 @@ package docker
 import (
 	portainer "github.com/portainer/portainer/api"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
-	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/pkg/snapshot"
 )

@@ -25,7 +24,7 @@ func (snapshotter *Snapshotter) CreateSnapshot(endpoint *portainer.Endpoint) (*p
 	if err != nil {
 		return nil, err
 	}
-	defer logs.CloseAndLogErr(cli)
+	defer cli.Close()

 	return snapshot.CreateDockerSnapshot(cli)
 }
--- a/api/docker/stats/container_stats.go
+++ b/api/docker/stats/container_stats.go
@@ -1,138 +0,0 @@
-package stats
-
-import (
-	"context"
-	"errors"
-	"strings"
-	"sync"
-
-	"github.com/containerd/containerd/errdefs"
-	"github.com/docker/docker/api/types/container"
-)
-
-type ContainerStats struct {
-	Running   int `json:"running"`
-	Stopped   int `json:"stopped"`
-	Healthy   int `json:"healthy"`
-	Unhealthy int `json:"unhealthy"`
-	Total     int `json:"total"`
-}
-
-type DockerClient interface {
-	ContainerInspect(ctx context.Context, containerID string) (container.InspectResponse, error)
-}
-
-func CalculateContainerStats(ctx context.Context, cli DockerClient, isSwarm bool, containers []container.Summary) (ContainerStats, error) {
-	if isSwarm {
-		return CalculateContainerStatsForSwarm(containers), nil
-	}
-
-	var running, stopped, healthy, unhealthy int
-
-	var mu sync.Mutex
-	var wg sync.WaitGroup
-	semaphore := make(chan struct{}, 5)
-
-	var aggErr error
-	var aggMu sync.Mutex
-
-	var processedCount int
-	for i := range containers {
-		id := containers[i].ID
-
-		semaphore <- struct{}{}
-		wg.Go(func() {
-			defer func() { <-semaphore }()
-
-			containerInspection, err := cli.ContainerInspect(ctx, id)
-			stat := ContainerStats{}
-			if err != nil {
-				if errdefs.IsNotFound(err) {
-					// An edge case is reported that Docker can list containers with no names,
-					// but when inspecting a container with specific ID and it is not found.
-					// In this case, we can safely ignore the error.
-					// ref@https://linear.app/portainer/issue/BE-12567/500-error-when-loading-docker-dashboard-in-portainer
-					return
-				}
-
-				aggMu.Lock()
-				aggErr = errors.Join(aggErr, err)
-				processedCount++
-				aggMu.Unlock()
-				return
-			}
-			stat = getContainerStatus(containerInspection.State)
-
-			mu.Lock()
-			running += stat.Running
-			stopped += stat.Stopped
-			healthy += stat.Healthy
-			unhealthy += stat.Unhealthy
-			processedCount++
-			mu.Unlock()
-		})
-	}
-
-	wg.Wait()
-
-	return ContainerStats{
-		Running:   running,
-		Stopped:   stopped,
-		Healthy:   healthy,
-		Unhealthy: unhealthy,
-		Total:     processedCount,
-	}, aggErr
-}
-
-func getContainerStatus(state *container.State) ContainerStats {
-	stat := ContainerStats{}
-	if state == nil {
-		return stat
-	}
-
-	switch state.Status {
-	case container.StateRunning:
-		stat.Running++
-	case container.StateExited, container.StateDead:
-		stat.Stopped++
-	}
-
-	if state.Health != nil {
-		switch state.Health.Status {
-		case container.Healthy:
-			stat.Healthy++
-		case container.Unhealthy:
-			stat.Unhealthy++
-		}
-	}
-
-	return stat
-}
-
-// This is a temporary workaround to calculate container stats for Swarm
-// TODO: Remove this once we have a proper way to calculate container stats for Swarm
-func CalculateContainerStatsForSwarm(containers []container.Summary) ContainerStats {
-	var running, stopped, healthy, unhealthy int
-	for _, container := range containers {
-		switch container.State {
-		case "running":
-			running++
-		case "exited", "stopped":
-			stopped++
-		}
-
-		if strings.Contains(container.Status, "(healthy)") {
-			healthy++
-		} else if strings.Contains(container.Status, "(unhealthy)") {
-			unhealthy++
-		}
-	}
-
-	return ContainerStats{
-		Running:   running,
-		Stopped:   stopped,
-		Healthy:   healthy,
-		Unhealthy: unhealthy,
-		Total:     len(containers),
-	}
-}
--- a/api/docker/stats/container_stats_test.go
+++ b/api/docker/stats/container_stats_test.go
@@ -1,251 +0,0 @@
-package stats
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"testing"
-	"time"
-
-	"github.com/containerd/containerd/errdefs"
-	"github.com/docker/docker/api/types/container"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/require"
-)
-
-// MockDockerClient implements the DockerClient interface for testing
-type MockDockerClient struct {
-	mock.Mock
-}
-
-func (m *MockDockerClient) ContainerInspect(ctx context.Context, containerID string) (container.InspectResponse, error) {
-	args := m.Called(ctx, containerID)
-	return args.Get(0).(container.InspectResponse), args.Error(1)
-}
-
-func TestCalculateContainerStats(t *testing.T) {
-	mockClient := new(MockDockerClient)
-
-	// Test containers - using enough containers to test concurrent processing
-	containers := []container.Summary{
-		{ID: "container1"},
-		{ID: "container2"},
-		{ID: "container3"},
-		{ID: "container4"},
-		{ID: "container5"},
-		{ID: "container6"},
-		{ID: "container7"},
-		{ID: "container8"},
-		{ID: "container9"},
-		{ID: "container10"},
-		{ID: "container11"},
-	}
-
-	// Setup mock expectations with different container states to test various scenarios
-	containerStates := []struct {
-		id       string
-		status   string
-		health   *container.Health
-		expected ContainerStats
-	}{
-		{"container1", container.StateRunning, &container.Health{Status: container.Healthy}, ContainerStats{Running: 1, Stopped: 0, Healthy: 1, Unhealthy: 0}},
-		{"container2", container.StateRunning, &container.Health{Status: container.Unhealthy}, ContainerStats{Running: 1, Stopped: 0, Healthy: 0, Unhealthy: 1}},
-		{"container3", container.StateRunning, nil, ContainerStats{Running: 1, Stopped: 0, Healthy: 0, Unhealthy: 0}},
-		{"container4", container.StateExited, nil, ContainerStats{Running: 0, Stopped: 1, Healthy: 0, Unhealthy: 0}},
-		{"container5", container.StateDead, nil, ContainerStats{Running: 0, Stopped: 1, Healthy: 0, Unhealthy: 0}},
-		{"container6", container.StateRunning, &container.Health{Status: container.Healthy}, ContainerStats{Running: 1, Stopped: 0, Healthy: 1, Unhealthy: 0}},
-		{"container7", container.StateRunning, &container.Health{Status: container.Unhealthy}, ContainerStats{Running: 1, Stopped: 0, Healthy: 0, Unhealthy: 1}},
-		{"container8", container.StateExited, nil, ContainerStats{Running: 0, Stopped: 1, Healthy: 0, Unhealthy: 0}},
-		{"container9", container.StateRunning, nil, ContainerStats{Running: 1, Stopped: 0, Healthy: 0, Unhealthy: 0}},
-		{"container10", container.StateDead, nil, ContainerStats{Running: 0, Stopped: 1, Healthy: 0, Unhealthy: 0}},
-	}
-
-	// Setup mock expectations for all containers with artificial delays to simulate real Docker calls
-	for _, state := range containerStates {
-		mockClient.On("ContainerInspect", mock.Anything, state.id).Return(container.InspectResponse{
-			ContainerJSONBase: &container.ContainerJSONBase{
-				State: &container.State{
-					Status: state.status,
-					Health: state.health,
-				},
-			},
-		}, nil).After(30 * time.Millisecond) // Simulate 30ms Docker API call
-	}
-
-	// Setup mock expectation for a container that returns NotFound error
-	mockClient.On("ContainerInspect", mock.Anything, "container11").Return(container.InspectResponse{}, fmt.Errorf("No such container: %w", errdefs.ErrNotFound)).After(50 * time.Millisecond)
-
-	// Call the function and measure time
-	startTime := time.Now()
-	stats, err := CalculateContainerStats(context.Background(), mockClient, false, containers)
-	require.NoError(t, err, "failed to calculate container stats")
-	duration := time.Since(startTime)
-
-	// Assert results
-	assert.Equal(t, 6, stats.Running)
-	assert.Equal(t, 4, stats.Stopped)
-	assert.Equal(t, 2, stats.Healthy)
-	assert.Equal(t, 2, stats.Unhealthy)
-	assert.Equal(t, 10, stats.Total)
-
-	// Verify concurrent processing by checking that all mock calls were made
-	mockClient.AssertExpectations(t)
-
-	// Test concurrency: With 5 workers and 10 containers taking 50ms each:
-	// Sequential would take: 10 * 50ms = 500ms
-	sequentialTime := 10 * 50 * time.Millisecond
-
-	// Verify that concurrent processing is actually faster than sequential
-	// Allow some overhead for goroutine scheduling
-	assert.Less(t, duration, sequentialTime, "Concurrent processing should be faster than sequential")
-	// Concurrent should take: ~100-150ms (depending on scheduling)
-	assert.Less(t, duration, 150*time.Millisecond, "Concurrent processing should be significantly faster")
-	assert.Greater(t, duration, 100*time.Millisecond, "Concurrent processing should be longer than 100ms")
-}
-
-func TestCalculateContainerStatsAllErrors(t *testing.T) {
-	mockClient := new(MockDockerClient)
-
-	// Test containers
-	containers := []container.Summary{
-		{ID: "container1"},
-		{ID: "container2"},
-	}
-
-	// Setup mock expectations with all calls returning errors
-	mockClient.On("ContainerInspect", mock.Anything, "container1").Return(container.InspectResponse{}, errors.New("network error"))
-	mockClient.On("ContainerInspect", mock.Anything, "container2").Return(container.InspectResponse{}, errors.New("permission denied"))
-
-	// Call the function
-	stats, err := CalculateContainerStats(context.Background(), mockClient, false, containers)
-
-	// Assert that an error was returned
-	require.Error(t, err, "should return error when all containers fail to inspect")
-	assert.Contains(t, err.Error(), "network error", "error should contain one of the original error messages")
-	assert.Contains(t, err.Error(), "permission denied", "error should contain the other original error message")
-
-	// Assert that stats are zero since no containers were successfully processed
-	expectedStats := ContainerStats{
-		Running:   0,
-		Stopped:   0,
-		Healthy:   0,
-		Unhealthy: 0,
-		Total:     2, // total containers processed
-	}
-	assert.Equal(t, expectedStats, stats)
-
-	// Verify all mock calls were made
-	mockClient.AssertExpectations(t)
-}
-
-func TestGetContainerStatus(t *testing.T) {
-	testCases := []struct {
-		name     string
-		state    *container.State
-		expected ContainerStats
-	}{
-		{
-			name: "running healthy container",
-			state: &container.State{
-				Status: container.StateRunning,
-				Health: &container.Health{
-					Status: container.Healthy,
-				},
-			},
-			expected: ContainerStats{
-				Running:   1,
-				Stopped:   0,
-				Healthy:   1,
-				Unhealthy: 0,
-			},
-		},
-		{
-			name: "running unhealthy container",
-			state: &container.State{
-				Status: container.StateRunning,
-				Health: &container.Health{
-					Status: container.Unhealthy,
-				},
-			},
-			expected: ContainerStats{
-				Running:   1,
-				Stopped:   0,
-				Healthy:   0,
-				Unhealthy: 1,
-			},
-		},
-		{
-			name: "running container without health check",
-			state: &container.State{
-				Status: container.StateRunning,
-			},
-			expected: ContainerStats{
-				Running:   1,
-				Stopped:   0,
-				Healthy:   0,
-				Unhealthy: 0,
-			},
-		},
-		{
-			name: "exited container",
-			state: &container.State{
-				Status: container.StateExited,
-			},
-			expected: ContainerStats{
-				Running:   0,
-				Stopped:   1,
-				Healthy:   0,
-				Unhealthy: 0,
-			},
-		},
-		{
-			name: "dead container",
-			state: &container.State{
-				Status: container.StateDead,
-			},
-			expected: ContainerStats{
-				Running:   0,
-				Stopped:   1,
-				Healthy:   0,
-				Unhealthy: 0,
-			},
-		},
-		{
-			name:  "nil state",
-			state: nil,
-			expected: ContainerStats{
-				Running:   0,
-				Stopped:   0,
-				Healthy:   0,
-				Unhealthy: 0,
-			},
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			stat := getContainerStatus(testCase.state)
-			assert.Equal(t, testCase.expected, stat)
-		})
-	}
-}
-
-func TestCalculateContainerStatsForSwarm(t *testing.T) {
-	containers := []container.Summary{
-		{State: "running"},
-		{State: "running", Status: "Up 5 minutes (healthy)"},
-		{State: "exited"},
-		{State: "stopped"},
-		{State: "running", Status: "Up 10 minutes"},
-		{State: "running", Status: "Up about an hour (unhealthy)"},
-	}
-
-	stats := CalculateContainerStatsForSwarm(containers)
-
-	assert.Equal(t, 4, stats.Running)
-	assert.Equal(t, 2, stats.Stopped)
-	assert.Equal(t, 1, stats.Healthy)
-	assert.Equal(t, 1, stats.Unhealthy)
-	assert.Equal(t, 6, stats.Total)
-}
--- a/api/edge/edge.go
+++ b/api/edge/edge.go
@@ -60,26 +60,11 @@ type (
 		// EnvVars is a list of environment variables to inject into the stack
 		EnvVars []portainer.Pair

-		// ForceUpdate is a flag indicating if the agent must force the update of the stack.
-		// Used only for EE
-		ForceUpdate bool
-
-		DeployerOptionsPayload DeployerOptionsPayload
-
 		// Used only for EE async edge agent
 		// ReadyRePullImage is a flag to indicate whether the auto update is trigger to re-pull image
-		// Deprecated(2.36): use DeployerOptionsPayload.ForceRecreate instead
 		ReadyRePullImage bool

-		// CreatedBy is the username that created this stack
-		// Used for adding labels to Kubernetes manifests
-		CreatedBy string
-		// CreatedByUserId is the user ID that created this stack
-		// Used for adding labels to Kubernetes manifests
-		CreatedByUserId string
-
-		// HelmConfig represents the Helm configuration for an edge stack
-		HelmConfig portainer.HelmConfig
+		DeployerOptionsPayload DeployerOptionsPayload
 	}

 	DeployerOptionsPayload struct {
@@ -92,14 +77,6 @@ type (
 		// This flag drives `docker compose down --volumes` option
 		// Used only for EE
 		RemoveVolumes bool
-
-		// ForceRecreate is a flag indicating if the agent must force the redeployment of the stack.
-		// This field is only used when the Force Redeployment is triggered.
-		// Once the stack is redeployed, this field will be reset to false.
-		// For standard edge agent, this field is used in agent side
-		// For async edge agent, this field is used in both agent side and server side.
-		// This flag drives `docker compose up --force-recreate` option
-		ForceRecreate bool
 	}

 	// RegistryCredentials holds the credentials for a Docker registry.
--- a/api/exec/compose_stack.go
+++ b/api/exec/compose_stack.go
@@ -13,7 +13,6 @@ import (
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/proxy/factory"
 	"github.com/portainer/portainer/api/internal/registryutils"
-	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/api/stacks/stackutils"
 	"github.com/portainer/portainer/pkg/libstack"

@@ -181,7 +180,7 @@ func createEnvFile(stack *portainer.Stack) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer logs.CloseAndLogErr(envfile)
+	defer envfile.Close()

 	// Copy from default .env file
 	defaultEnvPath := path.Join(stack.ProjectPath, path.Dir(stack.EntryPoint), ".env")
@@ -206,14 +205,13 @@ func copyDefaultEnvFile(w io.Writer, defaultEnvFilePath string) error {
 		return nil
 	}

-	defer logs.CloseAndLogErr(defaultEnvFile)
+	defer defaultEnvFile.Close()

 	if _, err = io.Copy(w, defaultEnvFile); err == nil {
 		if _, err = fmt.Fprintf(w, "\n"); err != nil {
 			return fmt.Errorf("failed to copy default env file: %w", err)
 		}
 	}
-
 	return nil
 	// If couldn't copy the .env file, then ignore the error and try to continue
 }
@@ -225,7 +223,6 @@ func copyConfigEnvVars(w io.Writer, envs []portainer.Pair) error {
 			return fmt.Errorf("failed to copy config env vars: %w", err)
 		}
 	}
-
 	return nil
 }

--- a/api/exec/compose_stack_integration_test.go
+++ b/api/exec/compose_stack_integration_test.go
@@ -11,7 +11,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/pkg/libstack/compose"
 	"github.com/portainer/portainer/pkg/testhelpers"
-	"github.com/stretchr/testify/require"

 	"github.com/rs/zerolog/log"
 )
@@ -26,11 +25,8 @@ const composedContainerName = "compose_wrapper_test"
 func setup(t *testing.T) (*portainer.Stack, *portainer.Endpoint) {
 	dir := t.TempDir()
 	composeFileName := "compose_wrapper_test.yml"
-	f, err := os.Create(filepath.Join(dir, composeFileName))
-	require.NoError(t, err)
-
-	_, err = f.WriteString(composeFile)
-	require.NoError(t, err)
+	f, _ := os.Create(filepath.Join(dir, composeFileName))
+	f.WriteString(composeFile)

 	stack := &portainer.Stack{
 		ProjectPath: dir,
@@ -38,7 +34,11 @@ func setup(t *testing.T) (*portainer.Stack, *portainer.Endpoint) {
 		Name:        "project-name",
 	}

-	return stack, &portainer.Endpoint{URL: "unix://"}
+	endpoint := &portainer.Endpoint{
+		URL: "unix://",
+	}
+
+	return stack, endpoint
 }

 func Test_UpAndDown(t *testing.T) {
--- a/api/exec/compose_stack_test.go
+++ b/api/exec/compose_stack_test.go
@@ -8,9 +8,7 @@ import (
 	"testing"

 	portainer "github.com/portainer/portainer/api"
-
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func Test_createEnvFile(t *testing.T) {
@@ -63,7 +61,7 @@ func Test_createEnvFile(t *testing.T) {

 				assert.Equal(t, tt.expected, string(content))
 			} else {
-				assert.Empty(t, result)
+				assert.Equal(t, "", result)
 			}
 		})
 	}
@@ -71,9 +69,7 @@ func Test_createEnvFile(t *testing.T) {

 func Test_createEnvFile_mergesDefultAndInplaceEnvVars(t *testing.T) {
 	dir := t.TempDir()
-	err := os.WriteFile(path.Join(dir, ".env"), []byte("VAR1=VAL1\nVAR2=VAL2\n"), 0600)
-	require.NoError(t, err)
-
+	os.WriteFile(path.Join(dir, ".env"), []byte("VAR1=VAL1\nVAR2=VAL2\n"), 0600)
 	stack := &portainer.Stack{
 		ProjectPath: dir,
 		Env: []portainer.Pair{
@@ -83,14 +79,10 @@ func Test_createEnvFile_mergesDefultAndInplaceEnvVars(t *testing.T) {
 	}
 	result, err := createEnvFile(stack)
 	assert.Equal(t, filepath.Join(stack.ProjectPath, "stack.env"), result)
-	require.NoError(t, err)
+	assert.NoError(t, err)
 	assert.FileExists(t, path.Join(dir, "stack.env"))
-
-	f, err := os.Open(path.Join(dir, "stack.env"))
-	require.NoError(t, err)
-
-	content, err := io.ReadAll(f)
-	require.NoError(t, err)
+	f, _ := os.Open(path.Join(dir, "stack.env"))
+	content, _ := io.ReadAll(f)

 	assert.Equal(t, []byte("VAR1=VAL1\nVAR2=VAL2\n\nVAR1=NEW_VAL1\nVAR3=VAL3\n"), content)
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Steven Kang	cb84cb73ab	chore: version bump 2.33.3 (#1351 )	2025-10-30 11:56:33 +13:00
andres-portainer	941e86563a	fix(CVE-2025-62725): upgrade github.com/docker/compose/v2 to v2.40.2 BE-12352 (#1344 )	2025-10-29 18:17:39 -03:00
Malcolm Lockyer	f72d6b97d3	fix(agent): for iamra and ecr login, detect errors and retry [be-12284] (#1309 )	2025-10-29 17:24:02 +13:00
Steven Kang	32926aa8bf	fix: add web socket headers for kubeconfig based access - 2.33.3 [r8s-592] (#1329 )	2025-10-22 09:44:46 +13:00
Steven Kang	1849c61c38	fix: display dependency version for kubectl and helm - 2.33.3 [R8S-501] (#1282 )	2025-10-07 16:23:43 +13:00
andres-portainer	fd6d74602c	feat(boltdb): attempt to compact using a read-only database BE-12287 (#1268 )	2025-09-30 19:10:16 -03:00
Oscar Zhou	74b1dd04d1	fix(k8s): memory leak during k8s stack deployment [BE-12281] (#1264 )	2025-09-30 18:00:12 +13:00
Steven Kang	7450501b7a	chore: version bump 2.33.2 (#1257 )	2025-09-25 14:29:28 +12:00
andres-portainer	dcfe2d9809	feat(database): add a flag to compact on startup BE-12283 (#1256 )	2025-09-24 18:43:54 -03:00
Ali	c21c91632f	fix(rbac): redirect on unauthorized namespace [r8s-564] (#1246 ) Merging because this PR doesn't introduce any CI failures, compared to the release 2.33 CI run https://github.com/portainer/portainer-suite/actions/runs/17957775674	2025-09-24 13:22:42 +12:00
andres-portainer	732337615e	fix(edgestacks): add a missing webhook uniqueness check BE-12219 (#1251 )	2025-09-23 17:20:25 -03:00
LP B	6ea16c0060	fix(api/endpoints): edge stack status type filter no longer always include Pending envs (#1230 )	2025-09-22 16:10:46 +02:00
Ali	4e7d4b60a5	fix(cve): fix frontend CVEs [r8s-563] (#1238 )	2025-09-22 10:17:12 +12:00
Oscar Zhou	19e1cc2fbd	fix(activitylog): remove export limit and fix search function [BE-12270] (#1232 )	2025-09-19 14:45:14 +12:00
andres-portainer	68b9fef3f0	fix(kubernetes/cli): fix a data-race BE-12259 (#1227 )	2025-09-18 10:22:29 -03:00
Viktor Pettersson	1e47df6611	chore(go): upgrade Go to 1.24.6 BE-12263 (#1220 )	2025-09-18 11:44:09 +12:00
Oscar Zhou	405ce8f671	feat(edge): add option to allow always clone git repository [BE-12240] (#1207 )	2025-09-17 18:25:47 +12:00
andres-portainer	e9d31b3b7b	fix(csp): update the Content-Security-Policy header BE-12228 (#1202 )	2025-09-15 10:47:57 -03:00
LP B	f97adc94ad	fix(api/custom-templates): UAC-allowed users cannot fetch custom template details (#1199 )	2025-09-12 15:38:58 +02:00
Malcolm Lockyer	11d6341765	fix(encryption): set correct default secret key path release [r8s-555] (#1184 ) Co-authored-by: Gorbasch <57012534+mbegerau@users.noreply.github.com>	2025-09-11 16:32:52 +12:00
andres-portainer	c3cf46b0e0	fix(auth): remove a nil pointer dereference BE-12149 (#1174 )	2025-09-10 21:55:19 -03:00
andres-portainer	ff746beba1	fix(csp): add google.com to the CSP header BE-12228 (#1176 )	2025-09-10 15:01:00 -03:00
LP B	da1672fc17	fix(api): standard users cannot connect or disconnect containers to networks (#1166 )	2025-09-09 22:07:24 +02:00
Ali	7a9376cbaf	fix(helm): update helm repo validation to match helm cli [r8s-531] (#1142 )	2025-09-08 08:55:57 +12:00
Malcolm Lockyer	c0f6410d80	fix(fips): encrypt the chisel private key file for fips [be-12132] (#1149 )	2025-09-05 13:17:23 +12:00
andres-portainer	4b9ab98fd2	fix(git): add a minimum interval validation BE-12220 (#1145 )	2025-09-04 15:11:24 -03:00
andres-portainer	3354ee4e4b	fix(registries): clear sensitive fields in the update handler BE-12215 (#1129 )	2025-09-03 10:41:27 -03:00
Steven Kang	af3c45bea0	chore: version bump 2.33.1 (#1108 )	2025-08-27 10:45:29 +12:00
andres-portainer	816a6f9bef	chore(bbolt): upgrade bbolt to v1.4.3 BE-12193 (#1104 )	2025-08-25 17:59:33 -03:00
Devon Steenberg	e86ea22900	fix(sslflags): Deprecate ssl flags [BE-12168] (#1076 )	2025-08-25 20:25:07 +12:00
Malcolm Lockyer	12b2acbc00	fix(standard): manual endpoint refresh fails to save new status [be-12188] (#1096 )	2025-08-25 13:49:04 +12:00
Ali	4a8b42928e	fix(environments): create k8s specific edge agent before connecting [r8s-438] (#1086 ) Merging because this change is unrelated to the failing kubernetes/tests/helm-oci.spec.ts tests	2025-08-25 09:32:16 +12:00
Oscar Zhou	2e828b39da	fix(autoupdate): update tooltips in edge stack gitops update [BE-12177] (#1080 )	2025-08-23 10:55:57 +12:00
Steven Kang	49c6521c23	fix: GHSA-2464-8j7c-4cjm - release 2.33 [R8S-495] (#1089 )	2025-08-22 14:03:16 +12:00
Steven Kang	debf1a742b	chore: version bump 2.33.0 (#1065 )	2025-08-20 11:28:05 +12:00
James Player	5d3708ec3e	fix(UI): add experimental features back in [r8s-483] (#1060 )	2025-08-19 17:07:27 +12:00
Steven Kang	9320fd4c50	fix: cve-2025-55198 and cve-2025-55199 - release 2.33 [R8S-482] (#1058 )	2025-08-19 16:22:54 +12:00
Steven Kang	974682bd98	chore: version bump to 2.33.0-rc2 (#1054 )	2025-08-19 11:04:56 +12:00
Ali	631f1deb2e	fix(helm): support http and custom tls helm registries, give help when misconfigured [r8s-472] (#1032 ) Co-authored-by: JamesPlayer <james.player@portainer.io>	2025-08-18 12:07:41 +12:00
LP B	4169b045fb	fix(api/edge-stacks): avoid overriding updates with old values (#1048 )	2025-08-16 03:52:21 +02:00
andres-portainer	0a2a786aa3	fix(migrator): rewrite a migration so it is idempotent BE-12053 (#1043 )	2025-08-15 09:18:31 -03:00
James Player	808f87206e	fix(ui): Fixed react-select TooManyResultsSelector filter and improved scrolling (#1028 )	2025-08-15 15:33:43 +12:00
Cara Ryan	ed6fa82904	fix(pending-actions): Small improvements to pending actions (R8S-350) (#1025 )	2025-08-15 10:51:45 +12:00
andres-portainer	9fc301110b	fix(crypto): replace fips140 calls with fips calls BE-11979 (#1035 )	2025-08-14 19:36:05 -03:00
andres-portainer	69101ac89a	feat(openai): remove OpenAI BE-12018 (#1034 )	2025-08-14 19:35:43 -03:00
Malcolm Lockyer	69d33dd432	fix(fips): use standard lib pbkdf2 [be-12164] (#1037 )	2025-08-15 09:45:49 +12:00
Ali	389cbf748c	fix(logs): improve log rendering performance [r8s-437] (#1023 ) Merging because the same tests are failing in CE develop https://github.com/portainer/system-tests/actions/runs/16953578581	2025-08-14 13:53:35 +12:00
LP B	d01b31f707	feat(api): Permissions-Policy header deny all (#1022 )	2025-08-13 22:07:52 +02:00