mirror of
https://github.com/go-gitea/gitea.git
synced 2026-05-23 05:42:33 +09:00
9d737a6400d34e4df2212f75109bef1abec7ddaf
494 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
9d737a6400 |
fix(deps): update module golang.org/x/crypto to v0.52.0 [security] (#37806)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) | [`v0.51.0` → `v0.52.0`](https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.51.0...refs/tags/v0.52.0) | | |

---

### Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent

[CVE-2026-39833](https://nvd.nist.gov/vuln/detail/CVE-2026-39833) / [GO-2026-5005](https://pkg.go.dev/vuln/GO-2026-5005)

<details>
<summary>More information</summary>

#### Details

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79436](https://go.dev/issue/79436)
- [https://go.dev/cl/778640](https://go.dev/cl/778640)
- [https://go.dev/cl/778641](https://go.dev/cl/778641)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5005) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent

[CVE-2026-39832](https://nvd.nist.gov/vuln/detail/CVE-2026-39832) / [GO-2026-5006](https://pkg.go.dev/vuln/GO-2026-5006)

<details>
<summary>More information</summary>

#### Details

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79435](https://go.dev/issue/79435)
- [https://go.dev/cl/778642](https://go.dev/cl/778642)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5006) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh

[CVE-2026-46597](https://nvd.nist.gov/vuln/detail/CVE-2026-46597) / [GO-2026-5013](https://pkg.go.dev/vuln/GO-2026-5013)

<details>
<summary>More information</summary>

#### Details

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79561](https://go.dev/issue/79561)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781620](https://go.dev/cl/781620)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5013) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh

[CVE-2026-39828](https://nvd.nist.gov/vuln/detail/CVE-2026-39828) / [GO-2026-5014](https://pkg.go.dev/vuln/GO-2026-5014)

<details>
<summary>More information</summary>

#### Details

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79562](https://go.dev/issue/79562)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781621](https://go.dev/cl/781621)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5014) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh

[CVE-2026-39835](https://nvd.nist.gov/vuln/detail/CVE-2026-39835) / [GO-2026-5015](https://pkg.go.dev/vuln/GO-2026-5015)

<details>
<summary>More information</summary>

#### Details

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79563](https://go.dev/issue/79563)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781660](https://go.dev/cl/781660)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5015) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

[CVE-2026-39827](https://nvd.nist.gov/vuln/detail/CVE-2026-39827) / [GO-2026-5016](https://pkg.go.dev/vuln/GO-2026-5016)

<details>
<summary>More information</summary>

#### Details

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

#### Severity

Unknown

#### References

- [https://go.dev/issue/35127](https://go.dev/issue/35127)
- [https://go.dev/cl/781320](https://go.dev/cl/781320)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5016) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh

[CVE-2026-39830](https://nvd.nist.gov/vuln/detail/CVE-2026-39830) / [GO-2026-5017](https://pkg.go.dev/vuln/GO-2026-5017)

<details>
<summary>More information</summary>

#### Details

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79564](https://go.dev/issue/79564)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781640](https://go.dev/cl/781640)
- [https://go.dev/cl/781664](https://go.dev/cl/781664)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5017) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh

[CVE-2026-39829](https://nvd.nist.gov/vuln/detail/CVE-2026-39829) / [GO-2026-5018](https://pkg.go.dev/vuln/GO-2026-5018)

<details>
<summary>More information</summary>

#### Details

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79565](https://go.dev/issue/79565)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781641](https://go.dev/cl/781641)
- [https://go.dev/cl/781661](https://go.dev/cl/781661)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5018) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh

[CVE-2026-39831](https://nvd.nist.gov/vuln/detail/CVE-2026-39831) / [GO-2026-5019](https://pkg.go.dev/vuln/GO-2026-5019)

<details>
<summary>More information</summary>

#### Details

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79566](https://go.dev/issue/79566)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781662](https://go.dev/cl/781662)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5019) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh

[CVE-2026-39834](https://nvd.nist.gov/vuln/detail/CVE-2026-39834) / [GO-2026-5020](https://pkg.go.dev/vuln/GO-2026-5020)

<details>
<summary>More information</summary>

#### Details

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79567](https://go.dev/issue/79567)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781663](https://go.dev/cl/781663)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5020) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts

[CVE-2026-42508](https://nvd.nist.gov/vuln/detail/CVE-2026-42508) / [GO-2026-5021](https://pkg.go.dev/vuln/GO-2026-5021)

<details>
<summary>More information</summary>

#### Details

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79568](https://go.dev/issue/79568)
- [https://go.dev/cl/781220](https://go.dev/cl/781220)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5021) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh

[CVE-2026-46595](https://nvd.nist.gov/vuln/detail/CVE-2026-46595) / [GO-2026-5023](https://pkg.go.dev/vuln/GO-2026-5023)

<details>
<summary>More information</summary>

#### Details

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79570](https://go.dev/issue/79570)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781642](https://go.dev/cl/781642)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5023) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent

[CVE-2026-46598](https://nvd.nist.gov/vuln/detail/CVE-2026-46598) / [GO-2026-5033](https://pkg.go.dev/vuln/GO-2026-5033)

<details>
<summary>More information</summary>

#### Details

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79596](https://go.dev/issue/79596)
- [https://go.dev/cl/781360](https://go.dev/cl/781360)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5033) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).
|
||
|
|
42e167b054 |
fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] (#37786)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/go-git/go-git/v5](https://redirect.github.com/go-git/go-git) | `v5.19.0` → `v5.19.1` | | |

---

This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).
|
||
|
|
0b7fc8a579 |
fix(deps): update module gitlab.com/gitlab-org/api/client-go/v2 to v2.26.0 (#37771)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.25.0` → `v2.26.0` | | |
|
||
|
|
81b544c279 |
fix(deps): update module google.golang.org/grpc to v1.81.1 (#37762)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [google.golang.org/grpc](https://redirect.github.com/grpc/grpc-go) | `v1.81.0` → `v1.81.1` | | |

---

### Release Notes

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.81.1`](https://redirect.github.com/grpc/grpc-go/releases/tag/v1.81.1): Release 1.81.1

[Compare Source](https://redirect.github.com/grpc/grpc-go/compare/v1.81.0...v1.81.1)

### Security

- xds/rbac: Fix a potential authorization bypass caused by incorrectly falling through URI/DNS SANs to Subject Distinguished Name (DN) when matching the authenticated principal name. With this fix, only the first non-empty identity source will be used, as per [gRFC A41](https://redirect.github.com/grpc/proposal/blob/master/A41-xds-rbac.md). ([#9111](https://redirect.github.com/grpc/grpc-go/issues/9111))
  - Special Thanks: [@al4an444](https://redirect.github.com/al4an444)

### Bug Fixes

- otel: Segregate client and server RPC information used for metrics and traces, to avoid one overwriting the other. ([#9081](https://redirect.github.com/grpc/grpc-go/issues/9081))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Only on Monday (`* * * * 1`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).
|
||
|
|
c37b5241d7 |
chore: fix tests (#37760)
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
e60ca35d52 |
fix(deps): update go dependencies (#37752)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | Type | Update | Pending |
|---|---|---|---|---|---|---|
| code.gitea.io/sdk/gitea | `v0.25.0` → `v0.25.1` | | | require | patch | |
| [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.0` → `v1.0.3` | | | require | patch | `v1.0.4` |
| [github.com/getkin/kin-openapi](https://redirect.github.com/getkin/kin-openapi) | `v0.137.0` → `v0.138.0` | | | require | minor | |
| [github.com/go-co-op/gocron/v2](https://redirect.github.com/go-co-op/gocron) | `v2.21.1` → `v2.21.2` | | | require | patch | |
| [github.com/go-webauthn/webauthn](https://redirect.github.com/go-webauthn/webauthn) | `v0.17.2` → `v0.17.3` | | | require | patch | |
| [github.com/google/pprof](https://redirect.github.com/google/pprof) | `545e8a4` → `92041b7` | | | require | digest | |
| [github.com/wneessen/go-mail](https://redirect.github.com/wneessen/go-mail) | `v0.7.2` → `v0.7.3` | | | require | patch | |
| [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.24.1` → `v2.25.0` | | | require | minor | `v2.27.0` (+2) |
| [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) | [`v0.50.0` → `v0.51.0`](https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.50.0...refs/tags/v0.51.0) | | | require | minor | |
| [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) | [`v0.39.0` → `v0.40.0`](https://cs.opensource.google/go/x/image/+/refs/tags/v0.39.0...refs/tags/v0.40.0) | | | require | minor | |
| [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) | [`v0.53.0` → `v0.54.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.53.0...refs/tags/v0.54.0) | | | require | minor | |
| [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) | [`v0.36.0` → `v0.37.0`](https://cs.opensource.google/go/x/text/+/refs/tags/v0.36.0...refs/tags/v0.37.0) | | | require | minor | |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `v1.50.0` → `v1.50.1` | | | require | patch | |

---

### Release Notes

<details>
<summary>gitea/runner (gitea.com/gitea/runner)</summary>

### [`v1.0.3`](https://gitea.com/gitea/runner/releases/tag/v1.0.3)

[Compare Source](https://gitea.com/gitea/runner/compare/v1.0.2...v1.0.3)

#### Changelog

- fix: isolate per-task runner envs ([#959](https://redirect.github.com/gitea/runner/issues/959))
- fix(deps): update module github.com/opencontainers/selinux to v1.14.1 ([#955](https://redirect.github.com/gitea/runner/issues/955))
- fix(deps): update mergo to v1.0.2 (now `dario.cat/mergo`) ([#954](https://redirect.github.com/gitea/runner/issues/954))
- fix: ensure `dbfs_data` is cleaned up after task completion ([#952](https://redirect.github.com/gitea/runner/issues/952))
- fix(artifactcache): preserve cache key case to stop redundant uploads ([#947](https://redirect.github.com/gitea/runner/issues/947))
- fix(deps): update module golang.org/x/term to v0.43.0 ([#948](https://redirect.github.com/gitea/runner/issues/948))

### [`v1.0.2`](https://gitea.com/gitea/runner/releases/tag/v1.0.2)

[Compare Source](https://gitea.com/gitea/runner/compare/v1.0.1...v1.0.2)

#### Changelog

- fix: overwrite read-only files when copying action directories ([#942](https://redirect.github.com/gitea/runner/issues/942))
- docs: add apparmor=rootlesskit in security\_opt ([#937](https://redirect.github.com/gitea/runner/issues/937))
- fix: serialize action-cache reads to prevent worktree race ([#938](https://redirect.github.com/gitea/runner/issues/938))
- feat: remove emojis from runner logging, add `Starting job container` group ([#940](https://redirect.github.com/gitea/runner/issues/940))

### [`v1.0.1`](https://gitea.com/gitea/runner/releases/tag/v1.0.1)

[Compare Source](https://gitea.com/gitea/runner/compare/v1.0.0...v1.0.1)

#### Changelog

- [`dff63b3`](
|
||
|
|
3d95a2f028 |
fix(deps): update module github.com/google/go-github/v85 to v86 (#37754)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/google/go-github/v85](https://redirect.github.com/google/go-github) | `v85.0.0` → `v86.0.0` | | |

---

### Release Notes

<details>
<summary>google/go-github (github.com/google/go-github/v85)</summary>

### [`v86.0.0`](https://redirect.github.com/google/go-github/releases/tag/v86.0.0)

[Compare Source](https://redirect.github.com/google/go-github/compare/v85.0.0...v86.0.0)

This release contains the following breaking API changes:

- feat!: Refactor request context ([#4151](https://redirect.github.com/google/go-github/issues/4151))
  BREAKING CHANGE: All internal calls now provide `Context` via the `Request` itself.
- feat!: Add OIDC authentication support to `PrivateRegistries` ([#4159](https://redirect.github.com/google/go-github/issues/4159))
  BREAKING CHANGE: `PrivateRegistriesService` is updated to API version `2026-03-10` with struct and response changes.

...and the following additional changes:

- chore: Bump version of `go-github` to `v86.0.0` ([#4198](https://redirect.github.com/google/go-github/issues/4198))
- test: Fix invalid JSON payloads in actions workflow runs tests ([#4197](https://redirect.github.com/google/go-github/issues/4197))
- feat: Add repo download contents sentinel errors ([#4192](https://redirect.github.com/google/go-github/issues/4192))
- chore: Fix `otel` module name ([#4187](https://redirect.github.com/google/go-github/issues/4187))
- feat: Add typed Copilot metrics download helpers ([#4177](https://redirect.github.com/google/go-github/issues/4177))
- feat: Add `deploy_keys_enabled_for_repositories` and secret scanning custom link fields to `Organization` struct ([#4188](https://redirect.github.com/google/go-github/issues/4188))
- refactor: Use `testJSONBody` helper for request body assertions in tests ([#4183](https://redirect.github.com/google/go-github/issues/4183))
- build(deps): Bump github.com/getkin/kin-openapi from 0.135.0 to 0.137.0 in /tools ([#4184](https://redirect.github.com/google/go-github/issues/4184))
- fix: Include `RetryAfter` in `AbuseRateLimitError.Error` output ([#4181](https://redirect.github.com/google/go-github/issues/4181))
- fix: Handle string-typed reviewer `ID` in Ruleset API responses ([#4178](https://redirect.github.com/google/go-github/issues/4178))
- feat: Add `ArchivedAt` field to `Organization` struct ([#4179](https://redirect.github.com/google/go-github/issues/4179))
- feat: Add Copilot coding agent and content exclusion org endpoints ([#4176](https://redirect.github.com/google/go-github/issues/4176))
- chore: Bump go-github from v84 to v85 in /scrape ([#4174](https://redirect.github.com/google/go-github/issues/4174))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Only on Monday (`* * * * 1`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).
|
||
|
|
510b729212 |
fix(deps): update go dependencies (major) (#37639)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/dlclark/regexp2](https://redirect.github.com/dlclark/regexp2) | `v1.12.0` → `v2.0.1` | | |
| [github.com/google/go-github/v84](https://redirect.github.com/google/go-github) | `v84.0.0` → `v85.0.0` | | |
| [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) | `v1.46.0` → `v2.24.1` | | |

---

### Release Notes

<details>
<summary>dlclark/regexp2 (github.com/dlclark/regexp2)</summary>

### [`v2.0.1`](https://redirect.github.com/dlclark/regexp2/compare/v2.0.0...v2.0.1)

[Compare Source](https://redirect.github.com/dlclark/regexp2/compare/v2.0.0...v2.0.1)

### [`v2.0.0`](https://redirect.github.com/dlclark/regexp2/compare/v1.12.0...v2.0.0)

[Compare Source](https://redirect.github.com/dlclark/regexp2/compare/v1.12.0...v2.0.0)

</details>

<details>
<summary>google/go-github (github.com/google/go-github/v84)</summary>

### [`v85.0.0`](https://redirect.github.com/google/go-github/releases/tag/v85.0.0)

[Compare Source](https://redirect.github.com/google/go-github/compare/v84.0.0...v85.0.0)

This release contains the following breaking API changes:

- fix!: Resolve inconsistent options for `create` and `update` on custom org role ([#4075](https://redirect.github.com/google/go-github/issues/4075))
  BREAKING CHANGE: `GetOrgRole`, `CreateCustomOrgRole`, and `UpdateCustomOrgRole` have new params and return values.
- fix!: Change `id` from `int64` to `string` in `ActivityService.MarkThreadDone` ([#4056](https://redirect.github.com/google/go-github/issues/4056))
  BREAKING CHANGE: `ActivityService.MarkThreadDone` accepts `string` `id` instead of `int64`.

...and the following additional changes: - chore: Bump version of go-github to v85.0.0 ([#​4173](https://redirect.github.com/google/go-github/issues/4173)) - chore: Update `openapi_operations.yaml` ([#​4172](https://redirect.github.com/google/go-github/issues/4172)) - security: Reject cross-host redirects to prevent Authorization leak ([#​4171](https://redirect.github.com/google/go-github/issues/4171)) - chore: Improve GitHub Actions workflows lint and testing ([#​4169](https://redirect.github.com/google/go-github/issues/4169)) - chore: Switch legacy redirect handling to new pattern ([#​4161](https://redirect.github.com/google/go-github/issues/4161)) - feat: Add `CodeSecurity` to `SecurityAndAnalysis` ([#​4155](https://redirect.github.com/google/go-github/issues/4155)) - fix: Reject URL path segments containing ".." in all request methods ([#​4150](https://redirect.github.com/google/go-github/issues/4150)) - feat: Refactor repositories download contents ([#​4153](https://redirect.github.com/google/go-github/issues/4153)) - chore: Bump google.org/x/tools to v0.44.0 in /tools ([#​4168](https://redirect.github.com/google/go-github/issues/4168)) - docs: Fix broken blog post link ([#​4160](https://redirect.github.com/google/go-github/issues/4160)) - build(deps): Bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 in /example ([#​4156](https://redirect.github.com/google/go-github/issues/4156)) - chore: Update openapi\_operations.yaml ([#​4157](https://redirect.github.com/google/go-github/issues/4157)) - feat: Remove Google App Engine standard support ([#​4152](https://redirect.github.com/google/go-github/issues/4152)) - feat: Add `DownloadCopilotMetrics` helper method ([#​4149](https://redirect.github.com/google/go-github/issues/4149)) - docs: Add `apiVersion` to GitHub API link ([#​4147](https://redirect.github.com/google/go-github/issues/4147)) - chore: Simplify `redundantptr` custom linter 
([#​4148](https://redirect.github.com/google/go-github/issues/4148)) - docs: Deprecate old Copilot metrics endpoints closed on April 2, 2026 ([#​4137](https://redirect.github.com/google/go-github/issues/4137)) - refactor: Remove redundant `github.Ptr` calls ([#​4145](https://redirect.github.com/google/go-github/issues/4145)) - fix: Add missing `User` fields ([#​4146](https://redirect.github.com/google/go-github/issues/4146)) - fix: Preserve `Marketplace.Stubbed` during client copy ([#​4144](https://redirect.github.com/google/go-github/issues/4144)) - refactor: Simplify array copying ([#​4143](https://redirect.github.com/google/go-github/issues/4143)) - build(deps): Bump golang.org/x/crypto from 0.49.0 to 0.50.0 in /example ([#​4141](https://redirect.github.com/google/go-github/issues/4141)) - build(deps): Bump github.com/getkin/kin-openapi from 0.134.0 to 0.135.0 in /tools ([#​4142](https://redirect.github.com/google/go-github/issues/4142)) - build(deps): Bump golang.org/x/term from 0.41.0 to 0.42.0 in /example ([#​4140](https://redirect.github.com/google/go-github/issues/4140)) - build(deps): Bump golang.org/x/net from 0.52.0 to 0.53.0 in /scrape ([#​4139](https://redirect.github.com/google/go-github/issues/4139)) - build(deps): Bump go.opentelemetry.io/otel to v1.43.0 ([#​4135](https://redirect.github.com/google/go-github/issues/4135)) - fix: Expand `sanitizeURL` secrets redactions ([#​4126](https://redirect.github.com/google/go-github/issues/4126)) - build(deps): Bump github.com/alecthomas/kong from 1.14.0 to 1.15.0 in /tools ([#​4132](https://redirect.github.com/google/go-github/issues/4132)) - build(deps): Bump actions/setup-go from 6.3.0 to 6.4.0 in the actions group ([#​4131](https://redirect.github.com/google/go-github/issues/4131)) - feat: Add support for custom names and methods that return structs with multiple `[]*T` fields in `gen-iterators.go` ([#​4128](https://redirect.github.com/google/go-github/issues/4128)) - fix: Limit webhook payload size in 
`ValidatePayloadFromBody` ([#​4125](https://redirect.github.com/google/go-github/issues/4125)) - build(deps): Bump codecov/codecov-action from 5.5.3 to 6.0.0 ([#​4123](https://redirect.github.com/google/go-github/issues/4123)) - fix: Synchronize `requestCount` in rate limit tests ([#​4124](https://redirect.github.com/google/go-github/issues/4124)) - chore: Simplify `generate.sh` by removing `git worktree` and using generator-based check ([#​4120](https://redirect.github.com/google/go-github/issues/4120)) - docs: Improve comments in /examples ([#​4122](https://redirect.github.com/google/go-github/issues/4122)) - chore: Use `golangci-lint-action`; remove `newreposecretwithlibsodium` ([#​4119](https://redirect.github.com/google/go-github/issues/4119)) - feat: Add custom image endpoints for GitHub-hosted runners ([#​4101](https://redirect.github.com/google/go-github/issues/4101)) - chore: Cache custom golangci-lint binaries in GHA workflow ([#​4116](https://redirect.github.com/google/go-github/issues/4116)) - build(deps): Bump github.com/ProtonMail/go-crypto from 1.4.0 to 1.4.1 in /example ([#​4115](https://redirect.github.com/google/go-github/issues/4115)) - build(deps): Bump golang.org/x/tools from 0.29.0 to 0.43.0 in /tools/extraneous-new ([#​4114](https://redirect.github.com/google/go-github/issues/4114)) - build(deps): Bump codecov/codecov-action from 5.5.2 to 5.5.3 ([#​4112](https://redirect.github.com/google/go-github/issues/4112)) - build(deps): Bump github.com/golangci/plugin-module-register from 0.1.1 to 0.1.2 in /tools/extraneous-new ([#​4113](https://redirect.github.com/google/go-github/issues/4113)) - build(deps): Bump github.com/getkin/kin-openapi from 0.133.0 to 0.134.0 in /tools ([#​4111](https://redirect.github.com/google/go-github/issues/4111)) - build(deps): Bump github.com/PuerkitoBio/goquery from 1.11.0 to 1.12.0 in /scrape ([#​4110](https://redirect.github.com/google/go-github/issues/4110)) - chore: Upgrade deps for linters using dependabot 
([#​4107](https://redirect.github.com/google/go-github/issues/4107)) - chore: Use `structfield.Settings` in `check-structfield-settings` ([#​4108](https://redirect.github.com/google/go-github/issues/4108)) - build(deps): Bump google.golang.org/grpc from 1.78.0 to 1.79.3 in /example ([#​4109](https://redirect.github.com/google/go-github/issues/4109)) - chore: Remove unnecessary use of `new` and `&SomeStruct{}` and add new `extraneousnew` custom linter ([#​4106](https://redirect.github.com/google/go-github/issues/4106)) - feat: Add `NetworkConfigurationID` and `HostedRunnersURL` to enterprise runner group types ([#​4099](https://redirect.github.com/google/go-github/issues/4099)) - feat: Generate accessors for all fields ([#​4105](https://redirect.github.com/google/go-github/issues/4105)) - feat: Add `ListRunnerGroupHostedRunners` for org runner groups ([#​4100](https://redirect.github.com/google/go-github/issues/4100)) - chore: Enable `default: none` linters; remove duplicated ([#​4097](https://redirect.github.com/google/go-github/issues/4097)) - fix: Use `Cursor` pagination for `*.ListHookDeliveriesIter` ([#​4096](https://redirect.github.com/google/go-github/issues/4096)) - chore: Remove duplicated formatters ([#​4094](https://redirect.github.com/google/go-github/issues/4094)) - chore: Fix typos in comments and tests ([#​4093](https://redirect.github.com/google/go-github/issues/4093)) - chore: Fix typo in CONTRIBUTING.md ([#​4092](https://redirect.github.com/google/go-github/issues/4092)) - chore: Update openapi\_operations.yaml ([#​4091](https://redirect.github.com/google/go-github/issues/4091)) - build(deps): Bump github.com/bradleyfalzon/ghinstallation/v2 from 2.17.0 to 2.18.0 in /example ([#​4084](https://redirect.github.com/google/go-github/issues/4084)) - chore: Bump go.opentelemetry.io/otel to v1.42.0 ([#​4090](https://redirect.github.com/google/go-github/issues/4090)) - build(deps): Bump golang.org/x/crypto from 0.48.0 to 0.49.0 in /example 
([#​4081](https://redirect.github.com/google/go-github/issues/4081)) - build(deps): Bump golang.org/x/sync from 0.19.0 to 0.20.0 in /tools ([#​4078](https://redirect.github.com/google/go-github/issues/4078)) - build(deps): Bump golang.org/x/net from 0.51.0 to 0.52.0 in /scrape ([#​4079](https://redirect.github.com/google/go-github/issues/4079)) - test: Add fuzz test for `ParseWebHook` ([#​4076](https://redirect.github.com/google/go-github/issues/4076)) - feat: Add enterprise budgets API ([#​4069](https://redirect.github.com/google/go-github/issues/4069)) - feat: Add list organization fine-grained permissions ([#​4072](https://redirect.github.com/google/go-github/issues/4072)) - feat: Make `script/lint.sh` output simpler to read ([#​4073](https://redirect.github.com/google/go-github/issues/4073)) - chore: Speed up linting ([#​4071](https://redirect.github.com/google/go-github/issues/4071)) - build(deps): Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.41.0 in /otel ([#​4065](https://redirect.github.com/google/go-github/issues/4065)) - build(deps): Bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0 in /otel ([#​4068](https://redirect.github.com/google/go-github/issues/4068)) - build(deps): Bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace from 1.40.0 to 1.41.0 in /example ([#​4062](https://redirect.github.com/google/go-github/issues/4062)) - build(deps): Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.41.0 in /example ([#​4064](https://redirect.github.com/google/go-github/issues/4064)) - build(deps): Bump github.com/ProtonMail/go-crypto from 1.3.0 to 1.4.0 in /example ([#​4063](https://redirect.github.com/google/go-github/issues/4063)) - feat: Add `client_id` field to `App` ([#​4060](https://redirect.github.com/google/go-github/issues/4060)) - test: Simplify `CopilotService` tests ([#​4058](https://redirect.github.com/google/go-github/issues/4058)) - test: Fix flaky `TestDo_rateLimit_abuseRateLimitError_xRateLimitReset` 
([#​4057](https://redirect.github.com/google/go-github/issues/4057)) - feat: Add support for enterprise audit log streaming API ([#​4035](https://redirect.github.com/google/go-github/issues/4035)) - feat: Add repository-level immutable releases settings ([#​4039](https://redirect.github.com/google/go-github/issues/4039)) - chore: Add `SAS` as a common initialism to `structfield` ([#​4054](https://redirect.github.com/google/go-github/issues/4054)) - fix: Fix data race on Windows ([#​4051](https://redirect.github.com/google/go-github/issues/4051)) - docs: Fix grammar in `README.md` ([#​4053](https://redirect.github.com/google/go-github/issues/4053)) - chore: Simplify form value assertions in tests ([#​4048](https://redirect.github.com/google/go-github/issues/4048)) - chore: Bump go-github from v83 to v84 in /scrape ([#​4050](https://redirect.github.com/google/go-github/issues/4050)) </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go)</summary> ### [`v2.24.1`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.24.1) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.24.0...v2.24.1) #### 2.24.1 ##### 🐛 Bug Fixes - fix: add FormattedText field to OrbitGraphStatus and OrbitStatus ([!2876](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2876)) by [Dmitry Gruzd](https://gitlab.com/dgruzd) #### [2.24.1](https://gitlab.com/gitlab-org/api/client-go/compare/v2.24.0...v2.24.1) (2026-05-05) ##### Bug Fixes * add FormattedText field to OrbitGraphStatus and OrbitStatus ([9457ddc]( |
||
|
|
e1f0f9e896 |
fix(deps): update module code.gitea.io/sdk/gitea to v0.25.0 (#37637)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| code.gitea.io/sdk/gitea | `v0.24.1` → `v0.25.0` |  |  |

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Only on Monday (`* * * * 1`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).
|
||
|
|
ef040c5fc4 |
chore(deps): bump go-git/go-git/v5 to 5.19.0 (#37608)
Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
243c2d7146 |
chore(deps): update dependency go to v1.26.3 (#37601)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | golang | patch | `1.26.2` → `1.26.3` |

---

This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).
|
||
|
|
a39af1a829 |
refactor: use modernc sqlite driver as default (#37562)
The mattn driver is still kept, can be enabled by TAGS="sqlite_mattn sqlite_unlock_notify"
---------
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
|
||
|
|
35dfc6b9e1 |
fix(deps): update go dependencies (#37541)
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>
|
||
|
|
97211bf0c5 |
refactor(deps): migrate from nektos/act fork to gitea/runner (#37557)
Migrate to https://gitea.com/gitea/runner/releases/tag/v1.0.0 which includes the `act` package directory previously referenced by `nektos/act`.
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
||
|
|
89a49de0fd |
Update go js py dependencies (#37525)
| go | from | to |
| --- | --- | --- |
| connectrpc.com/connect | `1.19.1 ` | `1.19.2` |
| github.com/Azure/go-ntlmssp | `0.1.0` | `0.1.1` |
| github.com/alecthomas/chroma/v2 | `2.23.1` | `2.24.1` |
| github.com/aws/aws-sdk-go-v2/credentials | `1.19.15` | `1.19.16` |
| github.com/aws/aws-sdk-go-v2/service/codecommit | `1.33.13` | `1.33.14` |
| github.com/blevesearch/bleve/v2 | `2.5.7` | `2.6.0` |
| github.com/caddyserver/certmagic | `0.25.2` | `0.25.3` |
| github.com/fsnotify/fsnotify | `1.9.0` | `1.10.1` |
| github.com/getkin/kin-openapi | `0.134.0` | `0.137.0` |
| github.com/go-co-op/gocron/v2 | `2.21.0` | `2.21.1` |
| github.com/go-sql-driver/mysql | `1.9.3` | `1.10.0` |
| github.com/go-webauthn/webauthn | `0.16.5` | `0.17.2` |
| github.com/klauspost/compress | `1.18.5` | `1.18.6` |
| github.com/mattn/go-isatty | `0.0.21` | `0.0.22` |
| github.com/mattn/go-sqlite3 | `1.14.42` | `1.14.44` |
| github.com/minio/minio-go/v7 | `7.0.100` | `7.1.0` |
| github.com/redis/go-redis/v9 | `9.18.0` | `9.19.0` |
| google.golang.org/grpc | `1.80.0` | `1.81.0` |
| gopkg.in/ini.v1 | `1.67.1` | `1.67.2` |

| js | from | to |
| --- | --- | --- |
| @codemirror/search | `6.6.0` | `6.7.0` |
| @primer/octicons | `19.24.1` | `19.25.0` |
| clippie | `4.1.14` | `4.1.15` |
| easymde | `2.20.0` | `2.21.0` |
| postcss | `8.5.10` | `8.5.13` |
| rolldown-license-plugin | `3.0.1` | `3.0.4` |
| swagger-ui-dist | `5.32.4` | `5.32.5` |
| vite | `8.0.9` | `8.0.10` |
| vite-string-plugin | `2.0.2` | `2.0.4` |
| vue | `3.5.32` | `3.5.33` |
| @typescript-eslint/parser | `8.59.0` | `8.59.1` |
| eslint | `10.2.1` | `10.3.0` |
| eslint-plugin-vue | `10.8.0` | `10.9.0` |
| globals | `17.5.0` | `17.6.0` |
| material-icon-theme | `5.33.1` | `5.34.0` |
| spectral-cli-bundle | `1.0.7` | `1.0.8` |
| stylelint | `17.8.0` | `17.10.0` |
| typescript-eslint | `8.59.0` | `8.59.1` |
| updates | `17.16.3` | `17.16.8` |
| vitest | `4.1.4` | `4.1.5` |
| vue-tsc | `3.2.7` | `3.2.8` |
| pnpm | `10.33.0` | `10.33.2` |

| py | from | to |
| --- | --- | --- |
| click | `8.3.2` | `8.3.3` |
| pathspec | `1.0.4` | `1.1.1` |

---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
|
||
|
|
abcfa53040 |
Replace olivere/elastic with REST API client, add OpenSearch support (#37411)
Drops `github.com/olivere/elastic/v7` (unmaintained) and replaces it
with a small in-house wrapper that speaks the Elasticsearch REST API
directly via `net/http`. The subset used by Gitea (`_cluster/health`,
`_bulk`, `_doc`, `_delete_by_query`, `_refresh`, `_search`, `HEAD`/`PUT`
index) is stable across the targeted servers, so no client library is
needed.
**Targets tested**
- Elasticsearch 7, 8, 9
- OpenSearch 1, 2, 3
**Why not `go-elasticsearch`?**
The official client enforces an `X-Elastic-Product` server-identity
check that OpenSearch deliberately fails, which would force shipping a
transport shim to defeat it. Going direct over `net/http` removes that
fight along with several MB of transitive deps (`elastic-transport-go`,
`go.opentelemetry.io/otel{,/metric,/trace}`, `auto/sdk`, `easyjson`,
`intern`, `logr`, `stdr`).
Replaces: #30755
Fixes: https://github.com/go-gitea/gitea/issues/30752
---
This PR was written with the help of Claude Opus 4.7
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
|
||
|
|
9e031eb3df |
Serve OpenAPI 3.0 spec at /openapi.v1.json (#37038)
Add a build-time conversion step that transforms the existing Swagger 2.0 spec into an OpenAPI 3.0 spec. The OAS3 spec is served alongside the existing Swagger 2.0 spec, enabling API clients that require OAS3 to generate code directly from Gitea's API. This is not to be an answer to how gitea handles OAS3 long term, but a way to use what we have to move a step forward.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
|
||
|
|
3f3bebda0d |
Update go js dependencies (#37312)
| go | from | to |
| --- | --- | --- |
| github.com/aws/aws-sdk-go-v2/credentials | `1.19.14` | `1.19.15` |
| github.com/aws/aws-sdk-go-v2/service/codecommit | `1.33.12` | `1.33.13` |
| github.com/dlclark/regexp2 | `1.11.5` | `1.12.0` |
| github.com/go-co-op/gocron/v2 | `2.20.0` | `2.21.0` |
| github.com/go-webauthn/webauthn | `0.16.4` | `0.16.5` |

| js | from | to |
| --- | --- | --- |
| @codemirror/view | `6.41.0` | `6.41.1` |
| @primer/octicons | `19.24.0` | `19.24.1` |
| clippie | `4.1.10` | `4.1.14` |
| postcss | `8.5.9` | `8.5.10` |
| rolldown-license-plugin | `2.2.5` | `3.0.1` |
| swagger-ui-dist | `5.32.2` | `5.32.4` |
| vite | `8.0.8` | `8.0.9` |
| @typescript-eslint/parser | `8.58.2` | `8.59.0` |
| @vitest/eslint-plugin | `1.6.15` | `1.6.16` |
| eslint | `10.2.0` | `10.2.1` |
| eslint-plugin-playwright | `2.10.1` | `2.10.2` |
| eslint-plugin-sonarjs | `4.0.2` | `4.0.3` |
| happy-dom | `20.8.9` | `20.9.0` |
| stylelint | `17.7.0` | `17.8.0` |
| typescript | `6.0.2` | `6.0.3` |
| typescript-eslint | `8.58.2` | `8.59.0` |
| updates | `17.15.3` | `17.15.5` |
| vue-tsc | `3.2.6` | `3.2.7` |

Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <silv3rwind@gmail.com>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
|
||
|
|
98202110be |
Upgrade go-git to v5.18.0 (#37268)
Fixes GHSA-3xc5-wrhm-f963 (credential exposure on HTTP redirects).
---
This PR was written with the help of Claude Opus 4.6
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
|
||
|
|
a9108ab6aa |
Replace custom Go formatter with golangci-lint fmt (#37194)
Use `golangci-lint fmt` to format code, replacing the previous custom formatter tool. https://github.com/daixiang0/gci is used to order the imports. `make fmt` performs ~13% faster while consuming ~57% less cpu while formatting for me. `GOFUMPT_PACKAGE` is gone because it's using the builtin package from golangci-lint.
Co-authored-by: Claude (claude-opus-4-6) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
|
||
|
|
b9961e193d |
Fix corrupted JSON caused by goccy library (#37214)
Fix #37211 |
||
|
|
b55528b1a2 |
Update go js py dependencies (#37204)
| go | from | to |
| --- | --- | --- |
| github.com/go-webauthn/webauthn | `0.16.3` | `0.16.4` |
| github.com/meilisearch/meilisearch-go | `0.36.1` | `0.36.2` |
| golang.org/x/crypto | `0.49.0` | `0.50.0` |
| golang.org/x/image | `0.38.0` | `0.39.0` |
| golang.org/x/net | `0.52.0` | `0.53.0` |
| golang.org/x/text | `0.35.0` | `0.36.0` |

| js | from | to |
| --- | --- | --- |
| @primer/octicons | `19.23.1` | `19.24.0` |
| @vitejs/plugin-vue | `6.0.5` | `6.0.6` |
| rolldown-license-plugin | `2.2.0` | `2.2.5` |
| vite | `8.0.7` | `8.0.8` |
| @types/node | `25.5.2` | `25.6.0` |
| @typescript-eslint/parser | `8.58.1` | `8.58.2` |
| @vitest/eslint-plugin | `1.6.14` | `1.6.15` |
| globals | `17.4.0` | `17.5.0` |
| stylelint | `17.6.0` | `17.7.0` |
| typescript-eslint | `8.58.1` | `8.58.2` |
| updates | `17.13.5` | `17.15.3` |
| vitest | `4.1.3` | `4.1.4` |

| py | from | to |
| --- | --- | --- |
| click | `8.3.1` | `8.3.2` |
| json5 | `0.13.0` | `0.14.0` |
| regex | `2026.2.19` | `2026.4.4` |
| tomli | `2.4.0` | `2.4.1` |

|
||
|
|
dfd495f823 |
Update go dependencies (#37141)
| | from | to |
| --- | ---- | --- |
| github.com/aws/aws-sdk-go-v2/credentials | `v1.19.13` | `v1.19.14` |
| github.com/go-co-op/gocron/v2 | `v2.19.1` | `v2.20.0` |
| github.com/go-enry/go-enry/v2 | `v2.9.5` | `v2.9.6` |
| github.com/go-webauthn/webauthn | `v0.16.1` | `v0.16.3` |
| github.com/google/pprof | `v0.0.0-20260302011040-a15ffb7f9dcc` | `v0.0.0-20260402051712-545e8a4df936` |
| github.com/lib/pq | `v1.12.1` | `v1.12.3` |
| github.com/mattn/go-isatty | `v0.0.20` | `v0.0.21` |
| github.com/mattn/go-sqlite3 | `v1.14.38` | `v1.14.42` |
| github.com/minio/minio-go/v7 | `v7.0.99` | `v7.0.100` |
| golang.org/x/sys | `v0.42.0` | `v0.43.0` |
| google.golang.org/grpc | `v1.79.3` | `v1.80.0` |

|
||
|
|
d600968aaf |
Bump min go version to 1.26.2 (#37139)
Update Go from 1.26.1 to 1.26.2 to fix 6 stdlib vulnerabilities:
- GO-2026-4947: `crypto/x509` chain building
- GO-2026-4946: `crypto/x509` policy validation
- GO-2026-4870: `crypto/tls` KeyUpdate DoS
- GO-2026-4869: `archive/tar` unbounded allocation
- GO-2026-4866: `crypto/x509` name constraints bypass
- GO-2026-4865: `html/template` XSS

Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
|
||
|
|
74060bb849 |
Fix various legacy problems (#37092)
1. Fix #36439
2. Fix #37089
3. Fix incorrect layout of admin auth oidc page
4. Fix #35866
5. Fix #35800
6. Fix #36243
|
||
|
|
a20e182067 |
Update Go dependencies (#36781)
Update all non-locked Go dependencies and pin incompatible ones.
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
|
||
|
|
0df3213766 |
Upgrade go-git to v5.17.2 (#37060)
Upgrades `github.com/go-git/go-git/v5` from v5.16.5 to v5.17.2.
Fixes https://github.com/go-gitea/gitea/security/dependabot/188
Fixes https://github.com/go-gitea/gitea/security/dependabot/187
---
This PR was written with the help of Claude Opus 4.6
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
|
||
|
|
b20b0ed372 |
Upgrade golang.org/x/image to v0.38.0 (#37054)
Result of `go get -u golang.org/x/image && make tidy`.
Fixes https://github.com/go-gitea/gitea/security/dependabot/186
|
||
|
|
6288c87181 |
Upgrade yaml (#37015)
Upgrade go.yaml.in/yaml/v4 v4.0.0-rc.2 to go.yaml.in/yaml/v4 v4.0.0-rc.4. Fix some workflow yaml files parse problems.
---------
Co-authored-by: silverwind <me@silverwind.io>
|
||
|
|
18c65965ab |
Fix various trivial problems (#36921)
* Fix #36915
* Fix #36919
* Close #36600
* Close #36601
* Fix incorrect oauth2 error message display
|
||
|
|
8d06a9425e |
Update minimum go version to 1.26.1, golangci-lint to 2.11.2, fix test style (#36876)
Hey, I bumped Go to 1.26.1 and fixed a couple of things I ran into while poking around.

### Changes
- Bump go.mod from 1.26.0 to 1.26.1 (security patch)
- Bump golangci-lint from v2.10.1 to v2.11.2
- Run make tidy, fmt, lint-go

---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
|
||
|
|
9c2c9c5a00 | upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (#36837) | ||
|
|
1592576fa5 |
Mark unused&immature activitypub as "not implemented" (#36789)
After many years, "activitypub" is still "in progress" and no real progress for end users. So it is not mature. Temporarily mark the endpoints as "501 not implemented", and wait until the whole design is stable and usable. |
||
|
|
ad9850391d |
Move jobparser from act repository to Gitea (#36699)
The jobparser sub package in act is only used by Gitea. Move it to Gitea to make it easier to maintain.
---------
Co-authored-by: Christopher Homberger <christopher.homberger@web.de>
|
||
|
|
d59df34a7d | Upgrade gogit to 5.16.5 (#36680) | ||
|
|
45ee571693 | Update to go 1.26.0 and golangci-lint 2.9.0 (#36588) | ||
|
|
36ced5dc8c |
Enable pagination on GiteaDownloader.getIssueReactions() (#36549)
And update code.gitea.io/sdk/gitea to v0.23.2
---------
Co-authored-by: Giteabot <teabot@gitea.io>
|
||
|
|
08b7a30867 |
Fix various version parsing problems (#36553)
1. handle non-release git versions (not semver)
2. fix rubygems version "0" handling (only ">=" can be omitted)
3. lazy compile the regexp to improve performance
4. make test data maintainable, use origin source code instead of compressed binary
|
||
|
|
daf0483ef2 | Update go dependencies (#36548) | ||
|
|
50fdd2d49a |
[SECURITY] fix: Adjust the toolchain version (#36537)
# Summary:
- Adjust the toolchain version to fix the security issues

```log
Vulnerability #1: GO-2026-4337
Unexpected session resumption in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4337
Standard library
Found in: crypto/tls@go1.25.6
Fixed in: crypto/tls@go1.25.7
Example traces found:
```

Signed-off-by: Pascal Zimmermann <pascal.zimmermann@theiotstudio.com>
|
||
|
|
de829c7821 |
Update some go dependencies (#36489)
I verified the `.env.local` syntax added in https://github.com/alecthomas/chroma/pull/1197 works as expected. |
||
|
|
1adf8b3773 |
[SECURITY] Toolchain Update to Go 1.25.6 (#36480)
## Overview
This PR updates the Go toolchain version from `1.25.5` to `1.25.6` for the Gitea project.

## Changes
### Toolchain Update
- **Go Toolchain**: Updated from `go1.25.5` to `go1.25.6`

This is a minor toolchain version bump that ensures the project uses the latest patch release of Go 1.25.

## Security Improvements
While this PR primarily addresses the toolchain update, the project maintains a strong security posture through:

### Current Security Measures
```log
Vulnerability #1: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
More info: https://pkg.go.dev/vuln/GO-2026-4342
Standard library
Found in: archive/zip@go1.25.5
Fixed in: archive/zip@go1.25.6
Example traces found:
#1: modules/packages/nuget/metadata.go:217:25: nuget.ParseNuspecMetaData calls zip.Reader.Open
Vulnerability #2: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
More info: https://pkg.go.dev/vuln/GO-2026-4341
Standard library
Found in: net/url@go1.25.5
Fixed in: net/url@go1.25.6
Example traces found:
#1: modules/storage/minio.go:284:34: storage.MinioStorage.URL calls url.ParseQuery
#2: routers/api/v1/repo/action.go:1640:29: repo.DownloadArtifactRaw calls url.URL.Query
Vulnerability #3: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4340
Standard library
Found in: crypto/tls@go1.25.5
Fixed in: crypto/tls@go1.25.6
Example traces found:
#1: services/auth/source/ldap/source_search.go:129:25: ldap.dial calls ldap.Conn.StartTLS, which calls tls.Conn.Handshake
#2: modules/graceful/server.go:156:14: graceful.Server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
#3: modules/lfs/content_store.go:132:27: lfs.hashingReader.Read calls tls.Conn.Read
#4: modules/proxyprotocol/conn.go:91:21: proxyprotocol.Conn.Write calls tls.Conn.Write
#5: modules/session/virtual.go:168:39: session.VirtualStore.Release calls couchbase.CouchbaseProvider.Exist, which eventually calls tls.Dial
#6: services/auth/source/ldap/source_search.go:120:22: ldap.dial calls ldap.DialTLS, which calls tls.DialWithDialer
#7: services/migrations/gogs.go:114:34: migrations.client calls http.Transport.RoundTrip, which eventually calls tls.Dialer.DialContext
```

## Breaking Changes
None expected. This is a minor toolchain patch update.
|
||
|
|
3a09d7aa8d |
Refactor git command stdio pipe (#36422)
Most potential deadlock problems should have been fixed, and new code is unlikely to cause new problems with the new design. Also raise the minimum Git version required to 2.6.0 (released in 2015) |
||
|
|
111c822a30 | Update chroma to v2.23.0 (#36423) | ||
|
|
69c5921d71 |
Add ability to download subpath archive (#36371)
closes: https://github.com/go-gitea/gitea/issues/4478
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
|
||
|
|
8319d8f381 |
Update chroma to v2.22.0 (#36342)
https://github.com/alecthomas/chroma/releases/tag/v2.22.0 |
||
|
|
18c393419f |
Update goldmark to v1.7.16 (#36343)
https://github.com/yuin/goldmark/releases/tag/v1.7.16 |
||
|
|
a9a4457dc3 |
Update chroma to v2.21.1 (#36201)
https://github.com/alecthomas/chroma/releases/tag/v2.21.1 |
||
|
|
14911d4293 |
Update chroma to v2.21.0 (#36171)
https://github.com/alecthomas/chroma/releases/tag/v2.21.0 |
||
|
|
9f268edd2f |
Update go toolchain to 1.25.5 (#36074)
Fixes: https://pkg.go.dev/vuln/GO-2025-4155 |