mirror of
https://github.com/go-gitea/gitea.git
synced 2026-05-28 02:38:44 +09:00
a03e0364ebd89204a8d6ee41a1bf4949e1c56b98
20877 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
a03e0364eb |
feat(actions): add branch filters to run list (#37826)
## Summary - Add a Branch filter dropdown to the repo Actions run list web UI - Wire `?branch=` query param through the web handler, matching the existing REST API filter behavior - Source the Branch dropdown from the indexed `branch` table (filtering out deleted branches) instead of scanning `action_run.ref`, addressing review feedback about unindexed columns The Event filter was dropped after review: a static list of supported events was noisy as UX, and querying distinct values from `action_run.trigger_event` is slow because the column is not indexed. `FindRunOptions.TriggerEvent` is kept for the REST API. Closes #25042 --------- Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> |
||
|
|
4a6db5a7c2 |
fix: http content file render (#37850)
Fix #37849 --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> |
||
|
|
3223d919b0 |
test: fix flaky TestResourceIndex and reduce its runtime (#37847)
The modernc SQLite driver (default since https://github.com/go-gitea/gitea/pull/37562) returns `SQLITE_BUSY` once the busy timeout is reached, unlike mattn which waited indefinitely. `TestResourceIndex` fires many concurrent `NewIssue` writers, but SQLite serializes all writers, so they queue on a single `BEGIN IMMEDIATE` write lock. Under `-race` (modernc is much slower) the goroutines at the back of the queue exceeded the hardcoded 5s test timeout, producing `database is locked (5) (SQLITE_BUSY)`. Changes: - Reduce the concurrent inserts from 25 to 10. Since SQLite serializes writers, the extra goroutines only deepen the busy-lock queue without adding coverage. 10 still exercises concurrent index allocation while cutting the test's `-race` runtime ~3x (2.76s to 0.86s locally). - Share the busy-timeout constant: export `DefaultSQLiteBusyTimeout` (20s, the production default) and reference it from the test engine instead of the hardcoded `5000`. Observed flake: https://github.com/go-gitea/gitea/actions/runs/26394082930/job/77690496092 --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
5badd1bdee |
fix(deps): update go dependencies (#37851)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [connectrpc.com/connect](https://redirect.github.com/connectrpc/connect-go) | `v1.19.2` → `v1.20.0` |  |  | | [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.4` → `v1.0.5` |  |  | | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.29.0` → `v2.30.0` |  |  | --- ### Release Notes <details> <summary>connectrpc/connect-go (connectrpc.com/connect)</summary> ### [`v1.20.0`](https://redirect.github.com/connectrpc/connect-go/releases/tag/v1.20.0) [Compare Source](https://redirect.github.com/connectrpc/connect-go/compare/v1.19.2...v1.20.0) #### What's Changed ##### Other changes - Bump minimum supported Go version to 1.25 by [@​jonbodner-buf](https://redirect.github.com/jonbodner-buf) in [#​922](https://redirect.github.com/connectrpc/connect-go/issues/922) - Update Unary-Get query parameter order to match spec recommendation by [@​oliversun9](https://redirect.github.com/oliversun9) in [#​926](https://redirect.github.com/connectrpc/connect-go/issues/926) #### New Contributors - [@​jonbodner-buf](https://redirect.github.com/jonbodner-buf) made their first contribution in [#​922](https://redirect.github.com/connectrpc/connect-go/issues/922) **Full Changelog**: <https://github.com/connectrpc/connect-go/compare/v1.19.2...v1.20.0> </details> <details> <summary>gitea/runner (gitea.com/gitea/runner)</summary> ### [`v1.0.5`](https://gitea.com/gitea/runner/releases/tag/v1.0.5) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.4...v1.0.5) #### Changelog - fix(deps): update module connectrpc.com/connect to v1.20.0 ([#​985](https://redirect.github.com/gitea/runner/issues/985)) - update docker cli to v29.5.2 ([#​984](https://redirect.github.com/gitea/runner/issues/984)) - feat: add cache.offline\_mode to reuse cached 
actions ([#​966](https://redirect.github.com/gitea/runner/issues/966)) - Remove stale Gitea 1.20 compatibility shims ([#​978](https://redirect.github.com/gitea/runner/issues/978)) - fix(deps): update module github.com/docker/cli to v29.5.1+incompatible ([#​979](https://redirect.github.com/gitea/runner/issues/979)) - fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 ([#​980](https://redirect.github.com/gitea/runner/issues/980)) </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary> ### [`v2.30.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.30.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.29.0...v2.30.0) #### 2.30.0 ##### 🚀 Features - feat(orbit): add GetDsl for /api/v4/orbit/schema/dsl ([!2901](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2901)) by [Michael Angelo Rivera](https://gitlab.com/michaelangeloio) ### [2.30.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.29.0...v2.30.0) (2026-05-20) ##### Features * **orbit:** add GetDsl for /api/v4/orbit/schema/dsl ([530031c](https://gitlab.com/gitlab-org/api/client-go/commit/530031c2854b05d05f69815ea3a7ca8fb65341a5)) </details> --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). |
||
|
|
326db5c932 |
chore(deps): update dependency @stylistic/stylelint-plugin to v5.2.0 (#37852)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@stylistic/stylelint-plugin](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic) | [`5.1.0` → `5.2.0`](https://renovatebot.com/diffs/npm/@stylistic%2fstylelint-plugin/5.1.0/5.2.0) |  |  | --- ### Release Notes <details> <summary>stylelint-stylistic/stylelint-stylistic (@​stylistic/stylelint-plugin)</summary> ### [`v5.2.0`](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic/blob/HEAD/CHANGELOG.md#520--20260520) [Compare Source](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic/compare/v5.1.0...v5.2.0) ##### Added - The `declaration-block-semicolon-newline-before` rule is now autofixable. ##### Fixed - An exception for an empty custom property value has been added to the `declaration-block-semicolon-newline-before` and `declaration-colon-space-after` rules: the `--custom-prop: ;` and `--custom-prop:;` variants are now considered valid (see [#​50](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic/issues/50)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). |
||
|
|
1c130d2eb6 |
chore(deps): update npm dependencies (#37848)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.1.3` → `11.2.1`](https://renovatebot.com/diffs/npm/pnpm/11.1.3/11.2.1) |  |  | | [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.11.1` → `17.12.0`](https://renovatebot.com/diffs/npm/stylelint/17.11.1/17.12.0) |  |  | --- ### Release Notes <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.2.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1121) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.2.0...v11.2.1) ##### Patch Changes - Mark optional subdependency snapshots of config dependencies with `optional: true` in the env lockfile, matching how optional dependencies are recorded elsewhere in `pnpm-lock.yaml`. Previously, snapshots for the platform-specific subdeps pulled in via a config dep's `optionalDependencies` were written as empty objects, which was inconsistent with the rest of the lockfile and made it look like those non-host platform variants were required. - Fix `pickRegistryForPackage` returning the wrong registry for an unscoped `npm:` alias under a scoped local name. A manifest entry like `"@​private/foo": "npm:lodash@^1"` was routing the `lodash` fetch through `registries["@​private"]`, even though `lodash` is unscoped and doesn't live on that registry. The npm-alias branch now returns the alias target's own scope (or `null` for an unscoped target, falling through to `registries.default`) instead of leaking into the local key's scope. - Don't print "Installing config dependencies..." when config dependencies are already installed and nothing needs to be fetched, re-linked, or removed. 
### [`v11.2.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1120) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.3...v11.2.0) ##### Minor Changes - **Experimental:** Adding [`@pnpm/pacquet`](https://npmx.dev/package/@​pnpm/pacquet) (the Rust port of pnpm) to `configDependencies` in `pnpm-workspace.yaml` now delegates the materialization phase of `pnpm install` to the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine [#​11723](https://redirect.github.com/pnpm/pnpm/issues/11723). To configure pacquet in a project, run: ``` pnpm add @​pnpm/pacquet --config ``` You'll see changes in `pnpm-workspace.yaml` and `pnpm-lock.yaml` that should be committed. If you experience any issues with pacquet, please let us know by mentioning this in the GitHub issue you create. - `configDependencies` now resolve and install one level of `optionalDependencies` declared by the config dependency, with `os`/`cpu`/`libc` platform filtering applied at install time. This unlocks the esbuild/swc-style pattern where a package ships platform-specific binaries via `optionalDependencies` — a config dependency can now do the same and have the matching binary symlinked next to it in the global virtual store, so `require('pkg-platform-arch')` from inside the config dependency resolves correctly. The env lockfile records all platform variants regardless of host platform, so it remains portable across machines. Each entry in a config dependency's `optionalDependencies` must declare an exact version — ranges and tags are rejected to keep installs reproducible. - Implement the documented `pnpm login --scope <scope>` flag. The scope is normalized (a leading `@` is added if missing; blank values are ignored) and an `@<scope>:registry=<registry>` mapping is written to the pnpm auth file alongside the auth token. 
Subsequent installs of `@<scope>/*` packages then route to the chosen registry. Previously `pnpm login --scope foo` errored with `Unknown option: 'scope'` despite the flag being listed in the online documentation [#​11716](https://redirect.github.com/pnpm/pnpm/issues/11716). - `pnpm outdated` and `pnpm update --interactive` now report Node.js, Deno, and Bun runtimes installed as project dependencies (`runtime:` specifiers). Previously these were silently skipped. ##### Patch Changes - Fix `cafile=<relative-path>` in `.npmrc` being read from the wrong directory when pnpm is invoked from a different cwd (e.g. `pnpm --dir <project> install` from a CI wrapper or monorepo script). The path is now resolved against the directory of the `.npmrc` that declared it, not `process.cwd()`. Before this fix the CA file silently failed to load — the install proceeded without the configured CA and the user only saw TLS errors against a private registry, with no log line tying back to the wrongly resolved path [#​11624](https://redirect.github.com/pnpm/pnpm/issues/11624). - Fix `config.registry` getting a trailing slash appended when `registry` is set in `.npmrc` and no `registries.default` is provided by `pnpm-workspace.yaml`. The sync from `registries.default` to `config.registry` introduced in [#​11744](https://redirect.github.com/pnpm/pnpm/issues/11744) now only fires when the workspace manifest actually contributes a different default. - Fix global add/update to handle minimumReleaseAge policy violations instead of surfacing an internal resolver guardrail error. - Fix two crashes with `injectWorkspacePackages: true` when the lockfile has been pruned (e.g. by `turbo prune --docker`): - `Cannot use 'in' operator to search for 'directory' in undefined`: a peer-dependency-variant injected snapshot inherits its `resolution` from the base `packages:` entry; when a pruner drops that base entry the readers crash. 
`convertToLockfileObject` now reconstructs the directory resolution from the `file:` depPath at load time — a single normalization point, so every reader sees a fully-formed snapshot. - `ERR_PNPM_ENOENT` on `node_modules/.bin/<tool>`: after `prepare`/`postinstall`, `runLifecycleHooksConcurrently` re-imported each injected workspace package; the `scanDir`-into-`filesMap` workaround fed target-internal paths to the importer, which the `makeEmptyDir` fast path ([#​11088](https://redirect.github.com/pnpm/pnpm/issues/11088)) then wiped. Drop the workaround and pass `keepModulesDir: true` so the importer preserves the target's existing `node_modules` (bin links + transitive deps) and source files keep their hardlinks. - Fixed `pnpm login` and `pnpm logout` ignoring `registries.default` from `pnpm-workspace.yaml` [#​10099](https://redirect.github.com/pnpm/pnpm/issues/10099). - Fix the `minimumReleaseAge` (publishedBy) maturity shortcut to be inclusive at the cutoff. Previously, abbreviated metadata whose `modified` field equalled the cutoff fell off the fast path and triggered a full-metadata re-fetch (or a `MISSING_TIME` error when full metadata wasn't permitted). Since `modified` is an upper bound on every version's publish time, `modified == publishedBy` already implies every version passes the per-version `<=` filter in `filterPkgMetadataByPublishDate`, so the shortcut now accepts the boundary case directly. Strictly `>` (was `>=`) at the rejection branch. - Honor `publishConfig.access` when publishing packages. </details> <details> <summary>stylelint/stylelint (stylelint)</summary> ### [`v17.12.0`](https://redirect.github.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#17120---2026-05-20) [Compare Source](https://redirect.github.com/stylelint/stylelint/compare/17.11.1...17.12.0) It fixes 3 bugs, including a false negative one. 
- Fixed: `block-no-empty` reported range when using comments ([#​9294](https://redirect.github.com/stylelint/stylelint/pull/9294)) ([@​romainmenke](https://redirect.github.com/romainmenke)). - Fixed: `declaration-property-value-no-unknown` false negatives for custom properties defined in reference files ([#​9292](https://redirect.github.com/stylelint/stylelint/pull/9292)) ([@​romainmenke](https://redirect.github.com/romainmenke)). - Fixed: `value-keyword-layout-mappings` false positives for `caption-side` ([#​9293](https://redirect.github.com/stylelint/stylelint/pull/9293)) ([@​romainmenke](https://redirect.github.com/romainmenke)). </details> --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). |
||
|
|
821d3c4672 | fix(deps): update module github.com/google/go-github/v86 to v87 (#37845) | ||
|
|
d93bbcc0a6 | feat(actions): List workflows that were executed once but got removed from the default branch (#37835) | ||
|
|
2775158024 |
chore(deps): update module github.com/air-verse/air to v1.65.2 (#37840)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/air-verse/air](https://redirect.github.com/air-verse/air) | `v1.65.1` → `v1.65.2` |  |  | --- ### Release Notes <details> <summary>air-verse/air (github.com/air-verse/air)</summary> ### [`v1.65.2`](https://redirect.github.com/air-verse/air/releases/tag/v1.65.2) [Compare Source](https://redirect.github.com/air-verse/air/compare/v1.65.1...v1.65.2) ##### What's Changed - docs: clarify Go install binary path by [@​xiantang](https://redirect.github.com/xiantang) in [#​900](https://redirect.github.com/air-verse/air/pull/900) - fix: keep app running until rebuild succeeds by [@​mariusvniekerk](https://redirect.github.com/mariusvniekerk) in [#​897](https://redirect.github.com/air-verse/air/pull/897) - docs: add Scoop install instructions by [@​xiantang](https://redirect.github.com/xiantang) in [#​901](https://redirect.github.com/air-verse/air/pull/901) - Resolve root directory if symlinked by [@​caleb-fringer](https://redirect.github.com/caleb-fringer) in [#​742](https://redirect.github.com/air-verse/air/pull/742) - Add stale issue workflow by [@​xiantang](https://redirect.github.com/xiantang) in [#​902](https://redirect.github.com/air-verse/air/pull/902) ##### New Contributors - [@​mariusvniekerk](https://redirect.github.com/mariusvniekerk) made their first contribution in [#​897](https://redirect.github.com/air-verse/air/pull/897) - [@​caleb-fringer](https://redirect.github.com/caleb-fringer) made their first contribution in [#​742](https://redirect.github.com/air-verse/air/pull/742) **Full Changelog**: <https://github.com/air-verse/air/compare/v1.65.1...v1.65.2> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. 
Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). |
||
|
|
0b3d7e2ba3 |
chore(deps): use maintained html2text package directly (#37842)
Currently unmaintained package `github.com/jaytaylor/html2text` is replaced using `replace` directive. Instead, the correct package `github.com/Necoro/html2text` should be referenced directly in code. --------- Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
|
7daab82344 |
chore(deps): update redis:latest docker digest to 48e78eb (#37838)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | redis | service | digest | `94ea4f5` → `48e78eb` | --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). |
||
|
|
1b1113b509 |
fix(deps): update go dependencies (#37841)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.3` → `v1.0.4` |  |  | | [github.com/SaveTheRbtz/zstd-seekable-format-go/pkg](https://redirect.github.com/SaveTheRbtz/zstd-seekable-format-go) | `v0.8.0` → `v0.8.3` |  |  | | [github.com/jhillyerd/enmime/v2](https://redirect.github.com/jhillyerd/enmime) | `v2.3.0` → `v2.4.0` |  |  | | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.26.0` → `v2.29.0` |  |  | --- ### Release Notes <details> <summary>gitea/runner (gitea.com/gitea/runner)</summary> ### [`v1.0.4`](https://gitea.com/gitea/runner/releases/tag/v1.0.4) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.3...v1.0.4) #### Changelog - Fix token use with schemaless Gitea instance ([#​977](https://redirect.github.com/gitea/runner/issues/977)) - Add OCI `source` and `version` labels to images ([#​975](https://redirect.github.com/gitea/runner/issues/975)) - fix(parse\_env\_file): support env-file lines larger than 64 KiB ([#​974](https://redirect.github.com/gitea/runner/issues/974)) - Fix host cleanup, volume allowlist, cache upload, and action host edge cases ([#​970](https://redirect.github.com/gitea/runner/issues/970)) - Remove dead code from `act/` ([#​971](https://redirect.github.com/gitea/runner/issues/971)) - fix: Return if executors length is zero in ParallelExecutor ([#​960](https://redirect.github.com/gitea/runner/issues/960)) - feat: make pseudo-TTY allocation opt-in ([#​961](https://redirect.github.com/gitea/runner/issues/961)) - fix(deps): update module github.com/docker/cli to v29.5.0+incompatible ([#​969](https://redirect.github.com/gitea/runner/issues/969)) - Simplify kubernetes dind example allowing for default docker config in workflows 
([#​709](https://redirect.github.com/gitea/runner/issues/709)) - chore(deps): bump `retry-go`, `golangci-lint`, `govulncheck` ([#​965](https://redirect.github.com/gitea/runner/issues/965)) - fix(deps): bump `docker` deps, switch to `moby/moby` ([#​943](https://redirect.github.com/gitea/runner/issues/943)) - fix: respect proxy env vars in runner client ([#​962](https://redirect.github.com/gitea/runner/issues/962)) </details> <details> <summary>jhillyerd/enmime (github.com/jhillyerd/enmime/v2)</summary> ### [`v2.4.0`](https://redirect.github.com/jhillyerd/enmime/releases/tag/v2.4.0) [Compare Source](https://redirect.github.com/jhillyerd/enmime/compare/v2.3.0...v2.4.0) #### What's Changed - feat!: Refactor EnvelopeFromPart()'s scope by [@​bgedney](https://redirect.github.com/bgedney) in [#​392](https://redirect.github.com/jhillyerd/enmime/pull/392) - chore: rm unused func by [@​aleksandr4842](https://redirect.github.com/aleksandr4842) in [#​393](https://redirect.github.com/jhillyerd/enmime/pull/393) - chore: bump Go (1.25.x) & deps by [@​jhillyerd](https://redirect.github.com/jhillyerd) in [#​394](https://redirect.github.com/jhillyerd/enmime/pull/394) #### New Contributors - [@​bgedney](https://redirect.github.com/bgedney) made their first contribution in [#​392](https://redirect.github.com/jhillyerd/enmime/pull/392) - [@​aleksandr4842](https://redirect.github.com/aleksandr4842) made their first contribution in [#​393](https://redirect.github.com/jhillyerd/enmime/pull/393) **Full Changelog**: <https://github.com/jhillyerd/enmime/compare/v2.3.0...v2.4.0> </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary> ### [`v2.29.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.29.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.28.0...v2.29.0) #### 2.29.0 ##### 🚀 Features - Add support for project setting `protect_merge_request_pipelines` 
([!2896](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2896)) by [Gatla Vishweshwar Reddy](https://gitlab.com/gatlavishweshwarreddy26) ##### 🐛 Bug Fixes - fix(orbit): add QueryRaw for streaming llm/GOON response body verbatim ([!2897](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2897)) by [Dmitry Gruzd](https://gitlab.com/dgruzd) ### [2.29.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.28.0...v2.29.0) (2026-05-19) ##### Bug Fixes * **orbit:** add QueryRaw for streaming llm/GOON response body verbatim ([a849302](https://gitlab.com/gitlab-org/api/client-go/commit/a8493022225b928aaa340df86fc4d09c2d22c1f4)) ### [`v2.28.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.28.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.27.1...v2.28.0) #### 2.28.0 ##### 🚀 Features - Add signing_token and related fields to group_hook and project_hook ([!2891](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2891)) by [Jimmy Spagnola](https://gitlab.com/jspagnola) ##### 🔄 Other Changes - WithPath already escapes, escaping again causes bad requests ([!2898](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2898)) by [Jimmy Spagnola](https://gitlab.com/jspagnola) ### [2.28.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.27.1...v2.28.0) (2026-05-18) ### [`v2.27.1`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.27.1) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.27.0...v2.27.1) #### 2.27.1 ##### 🐛 Bug Fixes - fix: handle string-encoded and null durations in webhooks that happen when Sidekiq runs in compress mode with large payloads ([!2862](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2862)) by [Emmanuel 326](https://gitlab.com/Emmanuel326) ##### 🔄 Other Changes - chore(deps): update module buf.build/go/protoyaml to v0.7.0 ([!2894](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2894)) by [GitLab Dependency 
Bot](https://gitlab.com/gitlab-dependency-update-bot) #### [2.27.1](https://gitlab.com/gitlab-org/api/client-go/compare/v2.27.0...v2.27.1) (2026-05-18) ##### Bug Fixes * handle string-encoded and null durations in webhooks that happen when Sidekiq runs in compress mode with large payloads ([8bfe7d3](https://gitlab.com/gitlab-org/api/client-go/commit/8bfe7d3effc77dc370ceee9939b13d81c6d383d0)) ### [`v2.27.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.27.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.26.1...v2.27.0) #### 2.27.0 ##### 🚀 Features - feat(users): add SCIMIdentities field to User type ([!2888](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2888)) by [dragonrider.](https://gitlab.com/junevm) ##### 🔄 Other Changes - chore(deps): update node docker tag to v26 ([!2890](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2890)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update docker docker tag to v29.4.3 ([!2892](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2892)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.27.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.26.1...v2.27.0) (2026-05-18) ##### Features * **users:** add SCIMIdentities field to User type ([ccb318d](https://gitlab.com/gitlab-org/api/client-go/commit/ccb318dc531df3a2d3bf641bb273eb1a777555a4)) ### [`v2.26.1`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.26.1) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.26.0...v2.26.1) #### 2.26.1 ##### 🐛 Bug Fixes - Use a sentinel ErrorResponse for 404 errors, so both `Is()` and `HasStatusCode` work properly ([!2884](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2884)) by [Jimmy Spagnola](https://gitlab.com/jspagnola) #### [2.26.1](https://gitlab.com/gitlab-org/api/client-go/compare/v2.26.0...v2.26.1) (2026-05-15) </details> --- ### Configuration 
📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). |
||
|
|
953090fda4 |
fix(deps): update npm dependencies (#37844)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/legacy-modes | [`6.5.2` → `6.5.3`](https://renovatebot.com/diffs/npm/@codemirror%2flegacy-modes/6.5.2/6.5.3) |  |  | | @​codemirror/view | [`6.42.1` → `6.43.0`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.42.1/6.43.0) |  |  | | [@primer/octicons](https://primer.style/octicons) ([source](https://redirect.github.com/primer/octicons)) | [`19.25.0` → `19.26.0`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.25.0/19.26.0) |  |  | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`25.7.0` → `25.9.1`](https://renovatebot.com/diffs/npm/@types%2fnode/25.7.0/25.9.1) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.59.3` → `8.59.4`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.3/8.59.4) |  |  | | [@vitejs/plugin-vue](https://redirect.github.com/vitejs/vite-plugin-vue/tree/main/packages/plugin-vue#readme) ([source](https://redirect.github.com/vitejs/vite-plugin-vue/tree/HEAD/packages/plugin-vue)) | [`6.0.6` → `6.0.7`](https://renovatebot.com/diffs/npm/@vitejs%2fplugin-vue/6.0.6/6.0.7) |  |  | | [clippie](https://redirect.github.com/silverwind/clippie) | [`4.1.15` → `4.2.0`](https://renovatebot.com/diffs/npm/clippie/4.1.15/4.2.0) |  |  | | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.3.0` → `10.4.0`](https://renovatebot.com/diffs/npm/eslint/10.3.0/10.4.0) |  |  | | [eslint-plugin-playwright](https://redirect.github.com/mskelton/eslint-plugin-playwright) | [`2.10.2` → 
`2.10.4`](https://renovatebot.com/diffs/npm/eslint-plugin-playwright/2.10.2/2.10.4) |  |  | | [katex](https://katex.org) ([source](https://redirect.github.com/KaTeX/KaTeX)) | [`0.16.46` → `0.16.47`](https://renovatebot.com/diffs/npm/katex/0.16.46/0.16.47) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.1.1` → `11.1.3`](https://renovatebot.com/diffs/npm/pnpm/11.1.1/11.1.3) |  |  | | [postcss](https://postcss.org/) ([source](https://redirect.github.com/postcss/postcss)) | [`8.5.14` → `8.5.15`](https://renovatebot.com/diffs/npm/postcss/8.5.14/8.5.15) |  |  | | [rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin) | [`3.0.5` → `3.0.7`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.5/3.0.7) |  |  | | [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.11.0` → `17.11.1`](https://renovatebot.com/diffs/npm/stylelint/17.11.0/17.11.1) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.3` → `8.59.4`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.3/8.59.4) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.16.11` → `17.16.13`](https://renovatebot.com/diffs/npm/updates/17.16.11/17.16.13) |  |  | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.0.12` → `8.0.13`](https://renovatebot.com/diffs/npm/vite/8.0.12/8.0.13) |  |  | | [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.6` → `4.1.7`](https://renovatebot.com/diffs/npm/vitest/4.1.6/4.1.7) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.2.9` → 
`3.3.1`](https://renovatebot.com/diffs/npm/vue-tsc/3.2.9/3.3.1) |  |  | --- ### Release Notes <details> <summary>primer/octicons (@​primer/octicons)</summary> ### [`v19.26.0`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19260) [Compare Source](https://redirect.github.com/primer/octicons/compare/v19.25.0...v19.26.0) ##### Minor Changes - [#​1197](https://redirect.github.com/primer/octicons/pull/1197) [`b45f1d35`](https://redirect.github.com/primer/octicons/commit/b45f1d35477402da4df64ae3a38dae8e95477dc4) Thanks [@​lukasoppermann](https://redirect.github.com/lukasoppermann)! - Add repo-forked-locked icon ##### Patch Changes - [#​1209](https://redirect.github.com/primer/octicons/pull/1209) [`9a7e2146`](https://redirect.github.com/primer/octicons/commit/9a7e2146907d2b0bf06d2dd65d2d17d4c3959108) Thanks [@​siddharthkp](https://redirect.github.com/siddharthkp)! - fix: remove hardcoded fill from sandbox icon </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/parser)</summary> ### [`v8.59.4`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8594-2026-05-18) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.3...v8.59.4) This was a version bump only for parser to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.4) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. 
</details> <details> <summary>vitejs/vite-plugin-vue (@​vitejs/plugin-vue)</summary> ### [`v6.0.7`](https://redirect.github.com/vitejs/vite-plugin-vue/blob/HEAD/packages/plugin-vue/CHANGELOG.md#small-607-2026-05-15-small) ##### Features - use carets for `@rolldown/pluginutils` version ([#​776](https://redirect.github.com/vitejs/vite-plugin-vue/issues/776)) ([941b651](https://redirect.github.com/vitejs/vite-plugin-vue/commit/941b651d8329559fce9231aad4e178f54cccb013)) ##### Bug Fixes - **deps:** update all non-major dependencies ([#​762](https://redirect.github.com/vitejs/vite-plugin-vue/issues/762)) ([9e825b8](https://redirect.github.com/vitejs/vite-plugin-vue/commit/9e825b85ebe9b6006dc5927aaa8aabc0bcc7eceb)) - **deps:** update all non-major dependencies ([#​774](https://redirect.github.com/vitejs/vite-plugin-vue/issues/774)) ([77dc8bc](https://redirect.github.com/vitejs/vite-plugin-vue/commit/77dc8bc935216bb7ed13f1c2653a80ffdc99fd45)) </details> <details> <summary>silverwind/clippie (clippie)</summary> ### [`v4.2.0`](https://redirect.github.com/silverwind/clippie/releases/tag/4.2.0) [Compare Source](https://redirect.github.com/silverwind/clippie/compare/4.1.15...4.2.0) - tests: make fallback block concurrent-safe (silverwind) - add ClippieCopyable type (silverwind) - fallback: use el.value.length for setSelectionRange end (silverwind) - update deps, replace describe.sequential with concurrent: false (silverwind) - Update vitest-config-silverwind to 11.3.3, add Node 26 to CI (silverwind) - update deps (silverwind) - simplify and fix minor issues (silverwind) </details> <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.4.0`](https://redirect.github.com/eslint/eslint/releases/tag/v10.4.0) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.3.0...v10.4.0) #### Features - [`1a45ec5`](https://redirect.github.com/eslint/eslint/commit/1a45ec596af1dd5f880e6874cb8f24dafb6a7ecf) feat: check sequence expressions in `for-direction` 
([#​20701](https://redirect.github.com/eslint/eslint/issues/20701)) (kuldeep kumar) - [`450040b`](https://redirect.github.com/eslint/eslint/commit/450040bd89b989b3531824c6be45feb5fe3d936b) feat: add `includeIgnoreFile()` to `eslint/config` ([#​20735](https://redirect.github.com/eslint/eslint/issues/20735)) (Kirk Waiblinger) #### Bug Fixes - [`544c0c3`](https://redirect.github.com/eslint/eslint/commit/544c0c3da589166ad8e5d634f35d3d06701c57be) fix: escape code path DOT labels in debug output ([#​20866](https://redirect.github.com/eslint/eslint/issues/20866)) (Pixel998) - [`6799431`](https://redirect.github.com/eslint/eslint/commit/6799431203f2579632d0870f98ba132067f4040c) fix: update dependency [@​eslint/config-helpers](https://redirect.github.com/eslint/config-helpers) to ^0.6.0 ([#​20850](https://redirect.github.com/eslint/eslint/issues/20850)) (renovate\[bot]) - [`f078fef`](https://redirect.github.com/eslint/eslint/commit/f078fef5005dceb14fc162aab7c7200e027688dd) fix: handle non-array deprecated rule replacements ([#​20825](https://redirect.github.com/eslint/eslint/issues/20825)) (xbinaryx) #### Documentation - [`7e52a71`](https://redirect.github.com/eslint/eslint/commit/7e52a7151fb92eec0e0f67fe4e5ddbd1ccce796f) docs: add mention of `@eslint-react/eslint-plugin` ([#​20869](https://redirect.github.com/eslint/eslint/issues/20869)) (Pavel) - [`db3468b`](https://redirect.github.com/eslint/eslint/commit/db3468ba746407d7f286f18f7ea9db6df0e3bc08) docs: tweak wording around ambiguous CJS-vs-ESM config ([#​20865](https://redirect.github.com/eslint/eslint/issues/20865)) (Kirk Waiblinger) - [`9084664`](https://redirect.github.com/eslint/eslint/commit/90846643ec6e97d447ae0d831fabe6d17b0a998a) docs: Update README (GitHub Actions Bot) - [`9cc7387`](https://redirect.github.com/eslint/eslint/commit/9cc73875046e3c4b8313644cbb1e99e26b36bd3f) docs: Update README (GitHub Actions Bot) - 
[`3d7b548`](https://redirect.github.com/eslint/eslint/commit/3d7b5484407403817aa9071a394d336d8ea96eb5) docs: Update README (GitHub Actions Bot) - [`191ec3c`](https://redirect.github.com/eslint/eslint/commit/191ec3c0a3f94ce0f110df761f0b2b8949011ccb) docs: Update README (GitHub Actions Bot) #### Chores - [`6616856`](https://redirect.github.com/eslint/eslint/commit/6616856f28fa514a30f87b5539fc100d739a94bf) chore: upgrade knip to v6 ([#​20875](https://redirect.github.com/eslint/eslint/issues/20875)) (Pixel998) - [`d13b084`](https://redirect.github.com/eslint/eslint/commit/d13b084a3ad02f926e9addaa35fc383759ea5554) ci: ensure auto-created PRs run CI ([#​20860](https://redirect.github.com/eslint/eslint/issues/20860)) (lumir) - [`e71c7af`](https://redirect.github.com/eslint/eslint/commit/e71c7af86dce9acc1d18cb12d2184309f6841594) ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 ([#​20862](https://redirect.github.com/eslint/eslint/issues/20862)) (dependabot\[bot]) - [`d84393d`](https://redirect.github.com/eslint/eslint/commit/d84393dea170f54191fd20c8268b52c81c0ccd99) test: add unit tests for SuppressionsService.applySuppressions() ([#​20863](https://redirect.github.com/eslint/eslint/issues/20863)) (kuldeep kumar) - [`24db8cb`](https://redirect.github.com/eslint/eslint/commit/24db8cb8e6f07fba667121777a15b1785486be94) test: add tests for SuppressionsService.save() ([#​20802](https://redirect.github.com/eslint/eslint/issues/20802)) (kuldeep kumar) - [`2ef0549`](https://redirect.github.com/eslint/eslint/commit/2ef0549cac4a9537e4c3a26b9f3edd4c99476bf6) chore: update ecosystem plugins ([#​20857](https://redirect.github.com/eslint/eslint/issues/20857)) (github-actions\[bot]) - [`a429791`](https://redirect.github.com/eslint/eslint/commit/a4297918d264d229a06cd96051ef9b91c7b86732) ci: remove `eslint-webpack-plugin` types integration test ([#​20668](https://redirect.github.com/eslint/eslint/issues/20668)) (Milos Djermanovic) - 
[`9e37386`](https://redirect.github.com/eslint/eslint/commit/9e37386aa7f2ce220b2ef74a6afbac5f6b3527c5) chore: replace `recast` with range approach in code-sample-minimizer ([#​20682](https://redirect.github.com/eslint/eslint/issues/20682)) (Copilot) - [`0dd1f9f`](https://redirect.github.com/eslint/eslint/commit/0dd1f9ffc9a07704d46e2a4c8d4ccc0d0908b0c0) test: disable warning for `vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER` ([#​20845](https://redirect.github.com/eslint/eslint/issues/20845)) (Francesco Trotta) - [`9da3c7b`](https://redirect.github.com/eslint/eslint/commit/9da3c7bc92d9579f8db19ecb56e718538d09db2b) refactor: remove deprecated `meta.language` and migrate `meta.dialects` ([#​20716](https://redirect.github.com/eslint/eslint/issues/20716)) (Pixel998) - [`2099ed1`](https://redirect.github.com/eslint/eslint/commit/2099ed12a0a74c3d7f0808514362af2499b4fe2b) refactor: add `meta.defaultOptions` to more rules, enable linting ([#​20800](https://redirect.github.com/eslint/eslint/issues/20800)) (xbinaryx) - [`f1dfbc9`](https://redirect.github.com/eslint/eslint/commit/f1dfbc9ca57196de7092e1888cc99427bd6fe06e) chore: update ecosystem plugins ([#​20836](https://redirect.github.com/eslint/eslint/issues/20836)) (github-actions\[bot]) - [`c759413`](https://redirect.github.com/eslint/eslint/commit/c75941390c14728806cd4baef4f6072f6de78318) ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 ([#​20843](https://redirect.github.com/eslint/eslint/issues/20843)) (dependabot\[bot]) - [`5b817d6`](https://redirect.github.com/eslint/eslint/commit/5b817d6fdc9ae2c35b528dc662b2eca8f40f64aa) test: add unit tests for lib/shared/ast-utils ([#​20838](https://redirect.github.com/eslint/eslint/issues/20838)) (kuldeep kumar) - [`1c13ae3`](https://redirect.github.com/eslint/eslint/commit/1c13ae3934c198c494e5958fa3a68b33244ff06a) test: add unit tests for lib/shared/severity ([#​20835](https://redirect.github.com/eslint/eslint/issues/20835)) (kuldeep kumar) </details> <details> 
<summary>mskelton/eslint-plugin-playwright (eslint-plugin-playwright)</summary> ### [`v2.10.4`](https://redirect.github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.10.4) [Compare Source](https://redirect.github.com/mskelton/eslint-plugin-playwright/compare/v2.10.3...v2.10.4) ##### Bug Fixes - **valid-title:** Skip title checks for anonymous describe blocks ([894c0ec](https://redirect.github.com/mskelton/eslint-plugin-playwright/commit/894c0ec261763bb1e073b276c70bbf88b4ebad39)) ### [`v2.10.3`](https://redirect.github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.10.3) [Compare Source](https://redirect.github.com/mskelton/eslint-plugin-playwright/compare/v2.10.2...v2.10.3) ##### Bug Fixes - **missing-playwright-await:** Fix false positive when not assigning awaited variable ([#​464](https://redirect.github.com/mskelton/eslint-plugin-playwright/issues/464)) ([801f01a](https://redirect.github.com/mskelton/eslint-plugin-playwright/commit/801f01aa8a5e279b65939e06d63f7e0d2b638f93)) </details> <details> <summary>KaTeX/KaTeX (katex)</summary> ### [`v0.16.47`](https://redirect.github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01647-2026-05-16) [Compare Source](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.46...v0.16.47) ##### Bug Fixes - correct size of `[` big delimiter ([#​4217](https://redirect.github.com/KaTeX/KaTeX/issues/4217)) ([7ba0027](https://redirect.github.com/KaTeX/KaTeX/commit/7ba0027d2f04abddd3b215362f867ab8260b09d7)), closes [#​4215](https://redirect.github.com/KaTeX/KaTeX/issues/4215) </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.1.3`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1113) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.2...v11.1.3) ##### Patch Changes - `pnpm install` now re-validates `pnpm-lock.yaml` entries against the active `minimumReleaseAge` and `trustPolicy: 'no-downgrade'` policies before any tarball is fetched. 
Lockfiles resolved elsewhere (committed to the repo, restored from a CI cache, produced by an older pnpm) under a weaker or absent policy can no longer install a freshly-published or trust-downgraded version silently. Violating entries abort the install with `ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION`, `ERR_PNPM_TRUST_DOWNGRADE`, or the generic `ERR_PNPM_LOCKFILE_RESOLUTION_VERIFICATION` when both policies trip in the same batch; `minimumReleaseAgeExclude` and `trustPolicyExclude` are honored. Verification results are cached so repeat installs against an unchanged lockfile take a fast path, and pnpm shows a transient progress line while the registry round-trip runs. When fresh resolution picks an immature version, the behavior depends on `minimumReleaseAgeStrict`: - **Loose mode** — the default, in effect whenever `minimumReleaseAge` keeps its built-in 24-hour value — auto-adds the immature picks to `minimumReleaseAgeExclude` in `pnpm-workspace.yaml` and lets the install proceed. A single info message lists what was persisted. - **Strict mode** in an interactive terminal collects every immature direct AND transitive pick in one pass and prompts once with the full list. Approving adds them to `minimumReleaseAgeExclude` and the install continues; declining aborts before the lockfile, `package.json`, or `node_modules` is touched. - **Strict mode** in CI (or any non-TTY context) aborts with `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing every offending entry, instead of failing on the first one the resolver hit. `minimumReleaseAgeStrict` auto-enables whenever the user explicitly sets `minimumReleaseAge` (CLI flag, env var, global `config.yaml`, or `pnpm-workspace.yaml`); set `minimumReleaseAgeStrict: false` to keep loose-mode auto-collect even with an explicit `minimumReleaseAge` value. 
Closes [#​10438](https://redirect.github.com/pnpm/pnpm/issues/10438), [#​10488](https://redirect.github.com/pnpm/pnpm/issues/10488), [#​11687](https://redirect.github.com/pnpm/pnpm/issues/11687). - Allow redundant trailing base64 padding in `.npmrc` auth values and report invalid auth base64 with a pnpm error. - Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install. When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`. Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes. - Global installs respect global config build policy (e.g., `dangerouslyAllowAllBuilds` from config.yaml) when GVS is enabled [#​9249](https://redirect.github.com/pnpm/pnpm/issues/9249). The global virtual-store (GVS) default `allowBuilds = {}` was applied before workspace manifest settings were read and before global config values (stripped by `extractAndRemoveDependencyBuildOptions`) were re-applied via `globalDepsBuildConfig`. This caused `hasDependencyBuildOptions` to return `true` (because `{}` is not null), blocking restoration of global config values like `dangerouslyAllowAllBuilds`. As a result, global installs skipped all build scripts even when the config explicitly allowed them. This fix moves the GVS default to **after** workspace manifest reading and `globalDepsBuildConfig` re-application, so that: 1. Workspace manifest `allowBuilds` takes precedence (if present) 2. Global config `dangerouslyAllowAllBuilds` is properly restored (if set and no workspace policy exists) 3. 
Empty `{}` is only applied as a last resort when no policy is configured anywhere - Honor `--silent` when `verifyDepsBeforeRun: install` auto-installs dependencies before `pnpm run` or `pnpm exec`, preventing install output from being written to stdout [#​11636](https://redirect.github.com/pnpm/pnpm/issues/11636). - Fix lockfile parsing failures when `pnpm-lock.yaml` contains CRLF line endings and multiple YAML documents [#​11612](https://redirect.github.com/pnpm/pnpm/issues/11612). - Anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime. `ENGINE_NAME` (the `<platform>;<arch>;node<major>` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations: 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`. 2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node. Three changes: - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. 
Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`. - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:<version>` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up. - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through. On upgrade, two one-time GVS slot churns are possible: - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce. - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on. In both cases the old slots become prune-eligible. - Resolve the GVS hash's engine portion per-snapshot when a dependency declares its own `engines.runtime`, instead of using an install-wide value. 
Pnpm's resolver desugars a dep's `engines.runtime` into `dependencies.node: 'runtime:<version>'`, and the bin linker spawns that dep's lifecycle scripts through the pinned Node downloaded into `<pkgDir>/node_modules/node/`. The GVS hash and the side-effects-cache key prefix were still anchored to the install-wide runtime — so a pinning snapshot's slot encoded the wrong Node major, and a reinstall on the same host could read the cached side-effects under a key whose `<platform>;<arch>;node<major>` triple disagreed with the Node the build actually ran on. Per-snapshot resolution now matches what `bins/linker` already does on a per-package basis: - `@pnpm/deps.graph-hasher` adds `readSnapshotRuntimePin(children)` — reads the `node` entry from one snapshot's graph children and extracts the version from a `node@runtime:` value. Pairs with the existing `findRuntimeNodeVersion(snapshotKeys)` install-wide fallback (also now exported from `@pnpm/deps.graph-hasher` rather than `@pnpm/engine.runtime.system-node-version`, where it was a poor fit — `system-node-version` is about probing the host Node, not parsing lockfile-derived strings). - `calcDepState` and `calcGraphNodeHash` consult `readSnapshotRuntimePin(graph[depPath].children)` first and only fall back to the install-wide `nodeVersion` parameter when the snapshot doesn't pin its own Node. Pacquet mirrors the same precedence at the `calc_graph_node_hash` call site in `package-manager/src/virtual_store_layout.rs` — a new `find_own_runtime_node_major(snapshot)` helper reads each snapshot's `dependencies` for a `node` entry with `Prefix::Runtime` and overrides the install-wide engine when present. On upgrade, snapshots of dependencies that declare their own `engines.runtime` re-hash under that dep's pinned Node instead of the install-wide value. The old slots become prune-eligible. Closes [#​11690](https://redirect.github.com/pnpm/pnpm/issues/11690). 
- Fixed `pnpm publish` failing with a 404 when authentication relied on OIDC trusted publishing alongside an `.npmrc` written by `actions/setup-node` (`_authToken=${NODE_AUTH_TOKEN}`) without `NODE_AUTH_TOKEN` being set. Unresolved `${VAR}` placeholders in auth values are now treated as empty rather than passed through verbatim, so the literal placeholder no longer surfaces as a bearer token when OIDC fallback is the intended auth source [#​11513](https://redirect.github.com/pnpm/pnpm/issues/11513). - Fix `devEngines.packageManager` (singular form, without `onFail`) defaulting to `onFail: "error"` instead of the documented `pmOnFail: "download"`. As a result, a project that pinned a different pnpm version via `devEngines.packageManager` and ran `pnpm install` from a mismatched pnpm version failed with a hard error, even though the migration table from `managePackageManagerVersions: true` to `pmOnFail: download (default)` promises the install would auto-download the wanted version [#​11676](https://redirect.github.com/pnpm/pnpm/issues/11676). The array form of `devEngines.packageManager` keeps its existing per-element defaults (`error` for the last entry, `ignore` for the rest), since those reflect explicit prioritization by the user. Explicit `onFail` values continue to win. - Fix `devEngines.packageManager` not writing `packageManagerDependencies` to `pnpm-lock.yaml` when the lockfile lacks an env-doc entry. Previously the lockfile sync skipped resolution unless an existing `packageManagerDependencies.pnpm` entry needed refreshing, so a fresh install without `onFail: "download"` left the resolved pnpm version unrecorded — contradicting the documented behavior that the resolved version is stored in `pnpm-lock.yaml` [#​11674](https://redirect.github.com/pnpm/pnpm/issues/11674). - Warn when `package.json` contains a legacy `pnpm` field with settings pnpm no longer reads from `package.json` (e.g. `pnpm.overrides`, `pnpm.patchedDependencies`). 
Previously these were silently ignored after the upgrade from v10, leaving users unaware that their overrides/patched dependencies had stopped taking effect [#​11677](https://redirect.github.com/pnpm/pnpm/issues/11677). ### [`v11.1.2`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1112) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.1...v11.1.2) ##### Patch Changes - `convertEnginesRuntimeToDependencies`: switch the runtime-dependency write to `Object.defineProperty` so the CodeQL `js/prototype-polluting-assignment` rule treats the assignment as safe regardless of the property name (follow-up to [#​11609](https://redirect.github.com/pnpm/pnpm/pull/11609)). - Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (`__proto__`, `constructor`, `prototype`), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser. - Strip `sec-fetch-*` headers from outgoing HTTP requests. These headers are automatically added by undici's `fetch()` implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests [#​11572](https://redirect.github.com/pnpm/pnpm/issues/11572). - Fix `minimumReleaseAge` handling for cached abbreviated metadata. The version-spec cache fast path no longer rethrows `ERR_PNPM_MISSING_TIME` under `strictPublishedByCheck`; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block. When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version `time`), pnpm now re-fetches with `fullMetadata: true` if `minimumReleaseAge` is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. 
Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning. Closes [#​11619](https://redirect.github.com/pnpm/pnpm/issues/11619). - Fix `pnpm upgrade --interactive --latest -r` not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. `"catalog:foo"`) would incorrectly rewrite `package.json` to `"catalog:"` and place the updated version in the default catalog instead of the named one [#​10115](https://redirect.github.com/pnpm/pnpm/issues/10115). - Fixed `optimisticRepeatInstall` skipping `pnpm-lock.yaml` merge conflict resolution when the existing `node_modules` state appears up to date. - Fix `minimumReleaseAge` / `resolutionMode: time-based` installs failing on lockfiles whose `time:` block is missing entries. The npm-resolver's peek-from-store fast path now surfaces `publishedAt` from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand. </details> <details> <summary>postcss/postcss (postcss)</summary> ### [`v8.5.15`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8515) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.14...8.5.15) - Fixed declaration parsing performance (by [@​homanp](https://redirect.github.com/homanp)). 
</details> <details> <summary>silverwind/rolldown-license-plugin (rolldown-license-plugin)</summary> ### [`v3.0.7`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.7) [Compare Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.6...3.0.7) - update deps (silverwind) - skip readdir when package has a "LICENSE" file (silverwind) - clarify dedup comment: package.json reads are not deduped, only readdir/readFile (silverwind) - skip readdir/readFile for duplicate package paths (silverwind) ### [`v3.0.6`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.6) [Compare Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.5...3.0.6) - update deps (silverwind) - skip duplicate license reads, preserve wrap indentation (silverwind) - batch generateBundle IO into two phases for \~11% speedup (silverwind) </details> <details> <summary>stylelint/stylelint (stylelint)</summary> ### [`v17.11.1`](https://redirect.github.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#17111---2026-05-14) [Compare Source](https://redirect.github.com/stylelint/stylelint/compare/17.11.0...17.11.1) It fixes 2 bugs. - Fixed: `node_modules` ignore for `codeFilename` paths containing a dot-prefixed directory ([#​9282](https://redirect.github.com/stylelint/stylelint/pull/9282)) ([@​tuhtah](https://redirect.github.com/tuhtah)). - Fixed: `declaration-block-no-redundant-longhand-properties` range for contiguous redundant longhand properties ([#​9273](https://redirect.github.com/stylelint/stylelint/pull/9273)) ([@​pamelalozano16](https://redirect.github.com/pamelalozano16)). 
</details> <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.59.4`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8594-2026-05-18) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.3...v8.59.4) ##### 🩹 Fixes - **typescript-eslint:** export Compatible\* types from typescript-eslint to resolve pnpm TS error ([#​12340](https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12340)) ##### ❤️ Thank You - Kirk Waiblinger [@​kirkwaiblinger](https://redirect.github.com/kirkwaiblinger) See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.4) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>silverwind/updates (updates)</summary> ### [`v17.16.13`](https://redirect.github.com/silverwind/updates/releases/tag/17.16.13) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.16.12...17.16.13) - Speed up findVersion hot loop (silverwind) - Minor simplifications (silverwind) - Fix Go pseudo-version write corruption and selectTag tag ordering (silverwind) - Fix parser/replace edge cases across modes (silverwind) ### [`v17.16.12`](https://redirect.github.com/silverwind/updates/releases/tag/17.16.12) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.16.11...17.16.12) - Fix several parser/URL edge cases across modes (silverwind) - bump vitest-config-silverwind to 11.3.5 (silverwind) - speed up tests (silverwind) - perf: reduce redundant work in hot paths (silverwind) </details> <details> <summary>vitejs/vite (vite)</summary> ### [`v8.0.13`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8013-2026-05-14-small) [Compare 
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.12...v8.0.13) ##### Features - **bundled-dev:** add lazy bundling support ([#​21406](https://redirect.github.com/vitejs/vite/issues/21406)) ([4f0949f](https://redirect.github.com/vitejs/vite/commit/4f0949f3f13e4b2b34d32bf7b2b4de5f26bea192)) - **optimizer:** improve the esbuild plugin converter to pass some properties of build result to `onEnd` ([#​22357](https://redirect.github.com/vitejs/vite/issues/22357)) ([47071ce](https://redirect.github.com/vitejs/vite/commit/47071ce53f21726cf39e999c4407c4828ecbe957)) - update rolldown to 1.0.1 ([#​22444](https://redirect.github.com/vitejs/vite/issues/22444)) ([8c766a6](https://redirect.github.com/vitejs/vite/commit/8c766a6c5ee014969c4e32f29cc265e8e2c96e18)) ##### Bug Fixes - **build:** copy public directory after building same environment with `write=false` ([#​22328](https://redirect.github.com/vitejs/vite/issues/22328)) ([158e8ae](https://redirect.github.com/vitejs/vite/commit/158e8ae8efdf7075ab295727e36b5ff68da3243e)) - **css:** await sass/less/styl worker disposal on teardown (fix [#​22274](https://redirect.github.com/vitejs/vite/issues/22274)) ([#​22275](https://redirect.github.com/vitejs/vite/issues/22275)) ([b7edcb7](https://redirect.github.com/vitejs/vite/commit/b7edcb7d0dd17ddfeef4ace78d610c099216dade)) - **css:** keep deprecated `name`/`originalFileName` in synthetic `assetFileNames` call ([#​22439](https://redirect.github.com/vitejs/vite/issues/22439)) ([8e59c97](https://redirect.github.com/vitejs/vite/commit/8e59c97a44d923c4c06f67287a793c9aa5a4ebaa)) - make `isBundled` per environment ([#​22257](https://redirect.github.com/vitejs/vite/issues/22257)) ([a576326](https://redirect.github.com/vitejs/vite/commit/a5763266170f8606836da5c6f987b4b2fd6ddc55)) - **ssr:** avoid rewriting labels that collide with imports ([#​22451](https://redirect.github.com/vitejs/vite/issues/22451)) 
([d9b18e0](https://redirect.github.com/vitejs/vite/commit/d9b18e0387a253628d3d834288e79c5f7e85d566)) ##### Miscellaneous Chores - remove irrelevant commits from changelog ([#​22430](https://redirect.github.com/vitejs/vite/issues/22430)) ([6ea3838](https://redirect.github.com/vitejs/vite/commit/6ea383859aaf0ef8e673b458f164e84aeb6ff51d)) - update changelog ([#​22413](https://redirect.github.com/vitejs/vite/issues/22413)) ([fcdc87c](https://redirect.github.com/vitejs/vite/commit/fcdc87cc6799857e2bab0f44f333a681694fff74)) </details> <details> <summary>vitest-dev/vitest (vitest)</summary> ### [`v4.1.7`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v4.1.7) [Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.6...v4.1.7) ##### 🐞 Bug Fixes - **runner**: Limit concurrency per task branch in addition to per leaf callbacks (backport) - by [@​hi-ogawa](https://redirect.github.com/hi-ogawa) in [#​10384](https://redirect.github.com/vitest-dev/vitest/issues/10384) [<samp>(4f0f2)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/4f0f2a1ee) ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.6...v4.1.7) </details> <details> <summary>vuejs/language-tools (vue-tsc)</summary> ### [`v3.3.1`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#331-2026-05-19) [Compare Source](https://redirect.github.com/vuejs/language-tools/compare/v3.3.0...v3.3.1) ##### language-core - **fix:** avoid extraneous children error for conditional slots ([#​6056](https://redirect.github.com/vuejs/language-tools/issues/6056)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### language-service - **refactor:** replace scanner-based missing props hints detection with AST traversal - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### typescript-plugin - **fix:** get component prop details from symbols - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! 
- **fix:** skip unchecked JS identifiers in component props ([#​6055](https://redirect.github.com/vuejs/language-tools/issues/6055)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### vscode - **fix:** resolve typescript plugin path from resolved server path ([#​6058](https://redirect.github.com/vuejs/language-tools/issues/6058)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ### [`v3.3.0`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#330-2026-05-18) [Compare Source](https://redirect.github.com/vuejs/language-tools/compare/v3.2.9...v3.3.0) ##### language-core - **feat:** check required fallthrough attributes ([#​6049](https://redirect.github.com/vuejs/language-tools/issues/6049)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** penetrate `v-if` branch fragments when collecting single root nodes - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **refactor:** rename `Sfc` APIs to `IR` - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### language-service - **fix:** reuse ASTs for define assignment suggestions - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** re-support `html.customData` ([#​5910](https://redirect.github.com/vuejs/language-tools/issues/5910)) - Thanks to [@​Bomberus](https://redirect.github.com/Bomberus)! - **fix:** strip `=""` only for plain boolean props completion edits - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** reset to default data provider after running with vue data provider - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### typescript-plugin - **feat:** refine props completion logic to follow TS behavior ([#​5709](https://redirect.github.com/vuejs/language-tools/issues/5709)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! 
##### vscode - **fix:** include `extraFileExtensions` in tsserver `configure` request payload ([#6048](https://redirect.github.com/vuejs/language-tools/issues/6048)) - Thanks to [@KazariEX](https://redirect.github.com/KazariEX)! - **fix:** write typescript plugins at build time ([#6050](https://redirect.github.com/vuejs/language-tools/issues/6050)) - Thanks to [@KazariEX](https://redirect.github.com/KazariEX)! - **fix:** avoid infinite diagnostics on Vue files when project diagnostics is enabled ([#6051](https://redirect.github.com/vuejs/language-tools/issues/6051)) - Thanks to [@KazariEX](https://redirect.github.com/KazariEX)! </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). |
||
|
|
420a6eb5ab |
chore(deps): update dependency zizmor to v1.25.2 (#37839)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [zizmor](https://docs.zizmor.sh) ([source](https://redirect.github.com/zizmorcore/zizmor)) | `==1.25.1` → `==1.25.2` |  |  | --- ### Release Notes <details> <summary>zizmorcore/zizmor (zizmor)</summary> ### [`v1.25.2`](https://redirect.github.com/zizmorcore/zizmor/releases/tag/v1.25.2) [Compare Source](https://redirect.github.com/zizmorcore/zizmor/compare/v1.25.1...v1.25.2) #### Bug Fixes 🐛[🔗](https://docs.zizmor.sh/release-notes/#bug-fixes) - Fixed a bug where the [unpinned-tools](https://docs.zizmor.sh/audits/#unpinned-tools) audit would incorrectly flag the [aquasecurity/trivy-action](https://redirect.github.com/aquasecurity/trivy-action) action as installing an unpinned tool version, rather than [aquasecurity/setup-trivy](https://redirect.github.com/aquasecurity/setup-trivy) ([#2018](https://redirect.github.com/zizmorcore/zizmor/issues/2018)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). |
||
|
|
bc6054b56d |
enhance(actions): show workflow name from YAML instead of filename (#37833)
Use the workflow's YAML `name:` field for display in the workflow sidebar and run list, falling back to the filename when no name is set. Closes https://github.com/go-gitea/gitea/issues/31458 Closes https://github.com/go-gitea/gitea/issues/25912 Closes https://github.com/go-gitea/gitea/pull/31474 |
||
|
|
6f4027a6be |
fix(packages): render markdown links relative to linked repo (#37676)
Package-page markdown (READMEs, descriptions, release notes) was rendered as a plain document, so relative links and images resolved against the site root and 404'd. This renders it in the context of the package's linked repository instead, falling back to plain rendering when the package has no linked repo. For a README link `[usage](docs/usage.md)` in a package linked to `user/repo` (default branch `main`): | | Resolved link | |---|---| | Before | `/docs/usage.md` | | After | `/user/repo/src/branch/main/docs/usage.md` | For an npm monorepo package with `repository.directory: packages/foo`, an image `` resolves to `/user/repo/src/branch/main/packages/foo/logo.png`. Applied to every package content template that renders markdown: `cargo`, `chef`, `composer`, `npm`, `nuget`, `pub`, `pypi`. Links resolve against the repository default branch (metadata records no publish commit). Only the web package detail page is affected; registry API responses are unchanged. Note: as part of restructuring `npm.tmpl`, the package description and README now render as separate sections instead of the README replacing the description, matching the existing `cargo`/`composer`/`pub` layout. Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
748d4a8040 | [skip ci] Updated translations via Crowdin | ||
|
|
7d8bfb8dc6 |
test: run TestAPIRepoMigrate offline via a local clone source (#37817)
`TestAPIRepoMigrate` migrated from `https://github.com/go-gitea/test_repo.git`, so it required internet access, was slow, and could hit GitHub rate limits. It now clones a local fixture repo (`user2/repo1`) served by the `onGiteaRun` test server, split into two subtests: - `Permitted` (`AllowLocalNetworks=true`) — the success/permission cases, cloning the local repo. - `DisallowedHost` (`AllowLocalNetworks=false`) — the private-IP rejection cases. The split is needed because those two settings are mutually exclusive. The clone address is built from the live listener (`u`) so it can't drift from the bound host/port. The permission matrix and disallowed-host assertions are unchanged. Test is now roughly 2.5 times as fast while asserting the same as before without a GitHub dependency. --- This PR was written with the help of Claude Opus 4.7 Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
8d6124a68a |
ci: FIX sync PR labels from the conventional-commit title (#37784) (#37825)
If this also doesn't work we need to revert it ig --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
c9ce7e447c |
feat(actions): add before/after to PR synchronize event payload (#37827)
## Summary - Add `before` and `after` fields to `PullRequestPayload` for `synchronize` events - Thread push old/new commit SHAs through the PR synchronize notifier path (regular and Agit flows) - Populate the fields in webhook and Actions event payloads so workflows can access them via `github.event.before` and `github.event.after` Fixes #33395 --------- Co-authored-by: Cursor <cursoragent@cursor.com> |
||
|
|
cdee9f5e10 |
ci: sync PR labels from the conventional-commit title (#37784)
Syncs `type/*` and `pr/breaking` labels from the PR title (Conventional Commits) and folds the existing title lint into the same workflow so labeling only runs once the title is valid. - `tools/pr-title.ts`: shared title parser and label mapping. - `tools/set-pr-labels.ts`: adds/removes labels via the GitHub API. `type/*` and `pr/breaking` are fully synced (added and removed); `skip-changelog` (chore/ci) and `topic/build` (build) are only added, never auto-removed, so manual labeling is preserved. - `pull-labeler.yml` now hosts `lint-pr-title` and `set-pr-labels` (`needs: lint-pr-title`) under `pull_request_target`, required so fork PRs get a writable token. Base-branch checkout only; no PR-head code runs in the elevated context. - Removes the superseded `pull-pr-title.yml` and the CI-only `lint-pr-title` Makefile target. --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> |
||
|
|
d8a45db3dd | [skip ci] Updated translations via Crowdin | ||
|
|
502d3c1f9d |
ci: tweak files-changed, add free-disk-space (#37819)
Reduces CI minutes consumption by narrowing the `files-changed` filters. - DB matrix (`pgsql`/`mysql`/`mssql`/`unit`) now runs only on real backend changes. `test-sqlite` stays gated on `actions`, so it remains the smoke check that validates CI-infra changes (composite-action edits, workflow edits, renovate action-pin bumps) without spinning up the full matrix. - Fix the `templates` filter: the SVG template linter is `tools/lint-templates-svg.ts`, so the `tools/lint-templates-*.js` glob matched nothing. - Add missed paths: `tsconfig.json` and `tools/generate-svg-vscode-extensions.json` to `frontend`, `eslint.json.config.ts` to `json`, and `.github/actions/docker-dryrun/**` to `docker`. --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
a290d81eab |
ci: cap Elasticsearch heap in db-tests (#37816)
Elasticsearch JVM heap defaults to ~50% of detected host RAM, typically way too much for our little tests and it starved the other runner processes of memory. Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
570173b409 |
ci: add shellcheck linter (#37682)
- Adds `make lint-shell`. Uses local `shellcheck` if its version matches, otherwise runs the pinned image via docker or podman - `.shellcheckrc` disables the most annoying rules - Fixes findings across existing scripts Fixes: #37648 Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
f0eb065df7 |
enhance(ui): add gap between file tree and diff on pr changes page (#37798)
### Before <img width="410" height="324" alt="file-tree-before" src="https://github.com/user-attachments/assets/cdc369a4-23b0-4f9c-8580-f87e84cb1400" /> ### After <img width="395" height="323" alt="file-tree-after" src="https://github.com/user-attachments/assets/dd4932a6-f7f6-4b44-82cf-bcfaadadc18c" /> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
|
12fcd78e8e |
build(snap): publish nightly version to snapcraft via actions (#37814)
The secret is added to the repo already. Right now this only publishes commits to main branch to the "latest/edge" snap channel, but if this is successful we can add more workflows/logic to be able to publish RCs/fully tagged versions too. --------- Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
f95c210abe |
ci: split pgsql shards into plain jobs, dedupe setup actions (#37802)
1. Split the psql matrix jobs into composite actions. Matrix jobs that can skip do not work with required checks on GitHub because skipped and unskipped emit different job names (GitHub bug https://github.com/orgs/community/discussions/9141). 2. Dedupe node and go setup steps into composite actions Currently test-psql branch protection is disabled, will re-enable when merging this. --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
7c12446c1f |
test(e2e): add comment, release, star, PR and fork tests (#37800)
Adds Playwright e2e coverage for five high-value workflows, each driven through semantic locators with API-based setup: - comment on and close an issue - publish a release - star and watch a repository - create a pull request from the compare page - fork a repository Also passes `autoInit: false` in existing tests that only exercise DB-backed units (issues, reactions, milestones, projects, events), skipping an unused initial commit to speed up their setup and reduce parallel git contention. --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
4c37f4dacb | fix(deps): update module golang.org/x/net to v0.55.0 [security] (#37813) | ||
|
|
bc9d53a5a8 |
fix(issues): clear stale ReviewTypeRequest when submitting pending re… (#37809)
When SubmitReview updates an existing pending review in-place, it was not deleting the reviewer's ReviewTypeRequest row, unlike the CreateReview path. That leftover row causes AddReviewRequest to bail out silently, making the re-request icon in the PR sidebar a no-op. Fixes #37808 (Claude Opus 4.7) --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
bf1b54c3e3 |
fix(api): handle partial failures in push mirror synchronization gracefully (#37782)
This MR fixes an issue in the sync push mirrors endpoint. Previously, when triggering the synchronization of all push mirrors for a specific repository, the entire operation would stop if a single mirror failed for any reason. As a result, the remaining mirrors were not processed. With this fix, failures on individual push mirrors no longer abort the whole synchronization process. --------- Signed-off-by: Nicolas <bircni@icloud.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
9d737a6400 |
fix(deps): update module golang.org/x/crypto to v0.52.0 [security] (#37806)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) | [`v0.51.0` → `v0.52.0`](https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.51.0...refs/tags/v0.52.0) |  |  | --- ### Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent [CVE-2026-39833](https://nvd.nist.gov/vuln/detail/CVE-2026-39833) / [GO-2026-5005](https://pkg.go.dev/vuln/GO-2026-5005) <details> <summary>More information</summary> #### Details The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested. #### Severity Unknown #### References - [https://go.dev/issue/79436](https://go.dev/issue/79436) - [https://go.dev/cl/778640](https://go.dev/cl/778640) - [https://go.dev/cl/778641](https://go.dev/cl/778641) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5005) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent [CVE-2026-39832](https://nvd.nist.gov/vuln/detail/CVE-2026-39832) / [GO-2026-5006](https://pkg.go.dev/vuln/GO-2026-5006) <details> <summary>More information</summary> #### Details When adding a key to a remote agent constraint extensions such as restrict-destination-v00@​openssh.com were not serialized in the request. 
Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them. #### Severity Unknown #### References - [https://go.dev/issue/79435](https://go.dev/issue/79435) - [https://go.dev/cl/778642](https://go.dev/cl/778642) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5006) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh [CVE-2026-46597](https://nvd.nist.gov/vuln/detail/CVE-2026-46597) / [GO-2026-5013](https://pkg.go.dev/vuln/GO-2026-5013) <details> <summary>More information</summary> #### Details An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. #### Severity Unknown #### References - [https://go.dev/issue/79561](https://go.dev/issue/79561) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781620](https://go.dev/cl/781620) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5013) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). 
</details> --- ### Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh [CVE-2026-39828](https://nvd.nist.gov/vuln/detail/CVE-2026-39828) / [GO-2026-5014](https://pkg.go.dev/vuln/GO-2026-5014) <details> <summary>More information</summary> #### Details When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error. #### Severity Unknown #### References - [https://go.dev/issue/79562](https://go.dev/issue/79562) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781621](https://go.dev/cl/781621) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5014) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh [CVE-2026-39835](https://nvd.nist.gov/vuln/detail/CVE-2026-39835) / [GO-2026-5015](https://pkg.go.dev/vuln/GO-2026-5015) <details> <summary>More information</summary> #### Details SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil. 
#### Severity Unknown #### References - [https://go.dev/issue/79563](https://go.dev/issue/79563) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781660](https://go.dev/cl/781660) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5015) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh [CVE-2026-39827](https://nvd.nist.gov/vuln/detail/CVE-2026-39827) / [GO-2026-5016](https://pkg.go.dev/vuln/GO-2026-5016) <details> <summary>More information</summary> #### Details An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection. #### Severity Unknown #### References - [https://go.dev/issue/35127](https://go.dev/issue/35127) - [https://go.dev/cl/781320](https://go.dev/cl/781320) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5016) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). 
</details> --- ### Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh [CVE-2026-39830](https://nvd.nist.gov/vuln/detail/CVE-2026-39830) / [GO-2026-5017](https://pkg.go.dev/vuln/GO-2026-5017) <details> <summary>More information</summary> #### Details A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded. #### Severity Unknown #### References - [https://go.dev/issue/79564](https://go.dev/issue/79564) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781640](https://go.dev/cl/781640) - [https://go.dev/cl/781664](https://go.dev/cl/781664) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5017) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh [CVE-2026-39829](https://nvd.nist.gov/vuln/detail/CVE-2026-39829) / [GO-2026-5018](https://pkg.go.dev/vuln/GO-2026-5018) <details> <summary>More information</summary> #### Details The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2. 
#### Severity Unknown #### References - [https://go.dev/issue/79565](https://go.dev/issue/79565) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781641](https://go.dev/cl/781641) - [https://go.dev/cl/781661](https://go.dev/cl/781661) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5018) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh [CVE-2026-39831](https://nvd.nist.gov/vuln/detail/CVE-2026-39831) / [GO-2026-5019](https://pkg.go.dev/vuln/GO-2026-5019) <details> <summary>More information</summary> #### Details The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@​openssh.com, sk-ssh-ed25519@​openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback. #### Severity Unknown #### References - [https://go.dev/issue/79566](https://go.dev/issue/79566) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781662](https://go.dev/cl/781662) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5019) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). 
</details> --- ### Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh [CVE-2026-39834](https://nvd.nist.gov/vuln/detail/CVE-2026-39834) / [GO-2026-5020](https://pkg.go.dev/vuln/GO-2026-5020) <details> <summary>More information</summary> #### Details When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation. #### Severity Unknown #### References - [https://go.dev/issue/79567](https://go.dev/issue/79567) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781663](https://go.dev/cl/781663) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5020) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking auth bypass via unenforced @​revoked status in golang.org/x/crypto/ssh/knownhosts [CVE-2026-42508](https://nvd.nist.gov/vuln/detail/CVE-2026-42508) / [GO-2026-5021](https://pkg.go.dev/vuln/GO-2026-5021) <details> <summary>More information</summary> #### Details Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @​revoked. 
#### Severity Unknown #### References - [https://go.dev/issue/79568](https://go.dev/issue/79568) - [https://go.dev/cl/781220](https://go.dev/cl/781220) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5021) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh [CVE-2026-46595](https://nvd.nist.gov/vuln/detail/CVE-2026-46595) / [GO-2026-5023](https://pkg.go.dev/vuln/GO-2026-5023) <details> <summary>More information</summary> #### Details Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped. #### Severity Unknown #### References - [https://go.dev/issue/79570](https://go.dev/issue/79570) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781642](https://go.dev/cl/781642) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5023) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent [CVE-2026-46598](https://nvd.nist.gov/vuln/detail/CVE-2026-46598) / [GO-2026-5033](https://pkg.go.dev/vuln/GO-2026-5033) <details> <summary>More information</summary> #### Details For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used. 
#### Severity Unknown #### References - [https://go.dev/issue/79596](https://go.dev/issue/79596) - [https://go.dev/cl/781360](https://go.dev/cl/781360) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5033) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). |
||
|
|
8874ba739b |
fix(build): swagger css import (#37801)
Snap build failure caused by missed swagger ui css file. ``` :: [plugin vite:css] /build/gitea/parts/gitea/build/web_src/css/swagger-standalone.css:undefined:NaN :: Error: [postcss] ENOENT: no such file or directory, open '../../node_modules/swagger-ui-dist/swagger-ui.css' ``` Co-authored-by: silverwind <me@silverwind.io> |
||
|
|
b7e95cc48c |
feat: add copy button to action step header, improve other copy buttons (#37744)
- Adds a copy button to each action step header that copies the step's rendered log output to clipboard. - Extract a shared `copyToClipboard(target, content)` helper in `clipboard.ts` that adds SVG success/failure feedback. - `is-loading` height for the new helper is sourced from `--loading-size`. - Change actions log timestamp format to include seconds. The indented-markdown code-block fix has moved to #37748. <img width="244" height="165" alt="copystep" src="https://github.com/user-attachments/assets/ce286b51-f77b-4d82-b161-ca0aa7ec4fdc" /> <img width="187" height="150" alt="copybt" src="https://github.com/user-attachments/assets/5366b290-b776-496d-8dd4-58d5fa60be92" /> Fixes: https://github.com/go-gitea/gitea/issues/26116 --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
2e96e8227f |
style: misc UI fixes (#37691)
- Action view sidebar: rename `job-brief-item` to `action-view-sidebar-item`, fix trash icon overflow on long artifact names, align artifact and workflow hover styles with the jobs list - Branches: expand new PR button cell to three wide so the button is not clipped on narrow viewports - Dashboard feed: add `tw-max-w-full` so long issue titles truncate - Reactions: tighten label padding <img width="261" height="65" alt="Screenshot 2026-05-13 at 16 18 33" src="https://github.com/user-attachments/assets/ecfe8f37-4a65-4839-b8c0-defccc85482c" /> <img width="154" height="126" alt="Screenshot 2026-05-13 at 16 19 25" src="https://github.com/user-attachments/assets/41302134-d1b7-401a-be2d-79173adb6d17" /> <img width="405" height="378" alt="Screenshot 2026-05-13 at 16 47 18" src="https://github.com/user-attachments/assets/e2c5cdd4-f11d-498c-b17e-c74c80c0ddf7" /> <img width="206" height="149" alt="Screenshot 2026-05-13 at 16 55 53" src="https://github.com/user-attachments/assets/7787125d-04b1-4500-b9b8-2637845509d6" /> <img width="858" height="135" alt="Screenshot 2026-05-13 at 16 58 41" src="https://github.com/user-attachments/assets/cb5bdf56-3891-469d-aa77-ea38855958c1" /> <img width="434" height="128" alt="Screenshot 2026-05-13 at 17 00 43" src="https://github.com/user-attachments/assets/60f2c34d-b345-4813-8f6d-a95bf51021b4" /> --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
93b8fdcd68 |
ci: shard tests and reduce redundant work (#37618)
Critical path ~25:42 → ~19:56 (−22%), ~0% CI minutes. - `test-pgsql` shards 2-way. Branch protection: replace `test-pgsql` with `test-pgsql-shards (1)` + `test-pgsql-shards (2)`; `test-unit`, sqlite/mysql/mssql unchanged — pgsql dominates the critical path. - `test-unit` runs `bindata` then `bindata gogit` sequentially. cache-seeder pre-warms the race-instrumented test compile cache and the integration test binary so PR jobs warm-start. - Cache writes restricted to cache-seeder; PR jobs use `actions/cache/restore`. Defends against PR cache poisoning and frees the 10 GB cap from PR churn. - `go-cache` action: dropped the `cache-name` input. One gobuild cache, one golangci-lint cache. Seeder lint job restores but doesn't save gobuild, so only one writer populates it. - `tools/test-integration.sh` shards the integration binary via `-test.list`; `TestMain` short-circuits DB init in list mode. `TestAPILFSNotStarted` / `TestAPILFSLocksNotStarted` switched to `test.MockVariableValue` — latent `setting.LFS.StartServer` global-state leak uncovered by sharding. --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
33c60ad7b2 | chore: simplify issue and pull request templates (#37799) | ||
|
|
2fde11dfbb | chore: Update 1.26.2 changelog in main (#37796) | ||
|
|
552c29a259 |
fix(actions): make artifact signature payloads unambiguous (#37707)
This PR hardens artifact URL signing by encoding signature inputs in an unambiguous binary payload before computing the HMAC. What it changes: - replace direct concatenation-style signing inputs with explicit payload builders - encode string fields with a length prefix before appending their bytes - encode integer fields as fixed-width binary values instead of decimal text - apply the same hardening to both: - Actions Artifact V4 signing in `routers/api/actions/artifactsv4.go` - artifact download signing in `routers/api/v1/repo/action.go` - add regression tests that verify distinct field combinations produce distinct payloads and signatures Why: The previous signing logic built HMAC inputs by appending multiple fields without a strongly structured representation. That kind of construction can create ambiguity at field boundaries, where different parameter combinations may serialize into the same byte stream for signing. This change removes that ambiguity by constructing a deterministic payload format with explicit boundaries between fields. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
304f8a551a | chore: Update giteabot to fix failure when backport (#37789) | ||
|
|
42e167b054 |
fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] (#37786)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-git/go-git/v5](https://redirect.github.com/go-git/go-git) | `v5.19.0` → `v5.19.1` |  |  | --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). |
||
|
|
9c8d55daf8 |
fix(pull): handle empty pull request files view to allow reviews (#37783)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
7e436972f9 |
fix(markup): make RenderString never fail (#37779)
Fix #37778 --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: wxiaoguang <2114189+wxiaoguang@users.noreply.github.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
621aa67e7d |
fix(markup): wrap indented code blocks for the code-copy button (#37748)
Indented (4-space) code blocks were emitted by goldmark's default renderer as plain `<pre><code>` without the `code-block-container` wrapper that the JS `initMarkupCodeCopy` keys on. As a result, only fenced code blocks received the copy button. Register `ast.KindCodeBlock` with a renderer that produces the same wrapper as the highlighting renderer so both syntaxes get the button. Extends `TestMarkdownFencedCodeBlock` to assert the wrapper is emitted for indented blocks (and that HTML inside is escaped). Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
171df0c9ff | fix(permissions): Fix reading permission (#37769) | ||
|
|
dbf4828169 |
fix: add natural sort to sortTreeViewNodes (#37772)
Aligns the sorting behavior of view-file-tree with repo-files-table. Attachment below: <img width="427" height="713" alt="fix-bug-sort" src="https://github.com/user-attachments/assets/0da7d7b6-3970-459d-b3c0-f57200dc73b7" /> --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
5ad70f79ba |
fix: package creation unique conflict (#37774)
fix #30973 |
||
|
|
343eaa8940 |
fix(deps): update npm dependencies (#37768)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [katex](https://katex.org) ([source](https://redirect.github.com/KaTeX/KaTeX)) | [`0.16.45` → `0.16.46`](https://renovatebot.com/diffs/npm/katex/0.16.45/0.16.46) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.2.8` → `3.2.9`](https://renovatebot.com/diffs/npm/vue-tsc/3.2.8/3.2.9) |  |  | |
||
|
|
0b7fc8a579 |
fix(deps): update module gitlab.com/gitlab-org/api/client-go/v2 to v2.26.0 (#37771)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.25.0` → `v2.26.0` |  |  | |