Vikunja vs Asana
Side-by-side trajectory, velocity, and editorial themes.
Vikunja crossed the v1.0 finish line and pivoted hard into security hardening.
Vikunja shipped two v1.0 release candidates through late 2025 and early 2026, then jumped to a v2 series whose first widely-tagged point release, v2.2.1, is dominated by security work. The latest release patches multiple SSRF and IDOR vulnerabilities, enforces disabled/locked-account semantics across every auth surface (OIDC, API tokens, CalDAV, LDAP), and adds a shared SSRF-safe HTTP client that webhooks and migrations now route through. User-facing feature work has slowed; the visible energy is in plumbing and audit cleanup.
The arc moves from feature-completion (S3 storage, drag-and-drop project moves, hover previews in late 2025) toward platform credibility — closing security gaps a self-hosted task tool needs to clear before serious team adoption. The rapid version-number jump from v1.0.0-rc4 to v2.2.1 in two months suggests v1.0 shipped and the team tagged a v2 line aimed at addressing accumulated authz debt. Expect the next several releases to keep the security-first posture rather than return to a feature push.
The next release will likely continue closing remaining authz edges (more IDOR audits, additional credential-stripping in API responses) and bundle a translations and dependency sweep. A user-facing feature push probably waits until the security work plateaus.
Asana keeps maturing AI Studio while hardening enterprise governance and cross-app integrations.
Asana is shipping steadily across three fronts: its AI Studio automation layer, enterprise governance, and integrations with the tools work already lives in. Recent releases add credit-usage visibility for AI Studio rule builders, role-based access control for create permissions, and deeper HubSpot and Slack connections. The cadence is incremental but consistently user-visible — real features, not just maintenance.
Two threads stand out. First, AI Studio is moving from capability to operations: surfacing when automation rules consume credits is the kind of metering-transparency work that shows the AI layer is now something customers budget for, not just try. Second, Asana is shoring up the enterprise wedge — RBAC, admin controls — while making sure inbound work from HubSpot and notifications to Slack carry full context. The product is being shaped for larger, governed deployments.
Expect continued AI Studio depth tied to credit/consumption controls, more granular RBAC reaching general availability, and further two-way enrichment of high-traffic integrations. The credit-visibility move suggests consumption-based AI pricing mechanics will keep surfacing in the product.
See more alternatives to Vikunja →
See more alternatives to Asana →