mirror of
https://github.com/go-gitea/gitea.git
synced 2026-05-23 05:42:33 +09:00
f0eb065df7597f4364124f8b62b79b4741d159c4
20852 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
f0eb065df7 |
enhance(ui): add gap between file tree and diff on pr changes page (#37798)
### Before <img width="410" height="324" alt="file-tree-before" src="https://github.com/user-attachments/assets/cdc369a4-23b0-4f9c-8580-f87e84cb1400" /> ### After <img width="395" height="323" alt="file-tree-after" src="https://github.com/user-attachments/assets/dd4932a6-f7f6-4b44-82cf-bcfaadadc18c" /> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
|
12fcd78e8e |
build(snap): publish nightly version to snapcraft via actions (#37814)
The secret is added to the repo already. Right now this only publishes commits to main branch to the "latest/edge" snap channel, but if this is successful we can add more workflows/logic to be able to publish RCs/fully tagged versions too. --------- Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
f95c210abe |
ci: split pgsql shards into plain jobs, dedupe setup actions (#37802)
1. Split the psql matrix jobs into composite actions. Matrix jobs that can skip do not work with required checks on GitHub because skipped and unskipped emit different job names (GitHub bug https://github.com/orgs/community/discussions/9141). 2. Dedupe node and go setup steps into composite actions Currently test-psql branch protection is disabled, will re-enable when merging this. --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
7c12446c1f |
test(e2e): add comment, release, star, PR and fork tests (#37800)
Adds Playwright e2e coverage for five high-value workflows, each driven through semantic locators with API-based setup: - comment on and close an issue - publish a release - star and watch a repository - create a pull request from the compare page - fork a repository Also passes `autoInit: false` in existing tests that only exercise DB-backed units (issues, reactions, milestones, projects, events), skipping an unused initial commit to speed up their setup and reduce parallel git contention. --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
4c37f4dacb | fix(deps): update module golang.org/x/net to v0.55.0 [security] (#37813) | ||
|
|
bc9d53a5a8 |
fix(issues): clear stale ReviewTypeRequest when submitting pending re… (#37809)
When SubmitReview updates an existing pending review in-place, it was not deleting the reviewer's ReviewTypeRequest row, unlike the CreateReview path. That leftover row causes AddReviewRequest to bail out silently, making the re-request icon in the PR sidebar a no-op. Fixes #37808 (Claude Opus 4.7) <!-- Before submitting: - Target the `main` branch; release branches are for backports only. - Use a Conventional Commits title, e.g. `fix(repo): handle empty branch names`. - Read the contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md - Documentation changes go to https://gitea.com/gitea/docs Describe your change below and link any issue it fixes. --> --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
bf1b54c3e3 |
fix(api): handle partial failures in push mirror synchronization gracefully (#37782)
This MR fixes an issue in the sync push mirrors endpoint. Previously, when triggering the synchronization of all push mirrors for a specific repository, the entire operation would stop if a single mirror failed for any reason. As a result, the remaining mirrors were not processed. With this fix, failures on individual push mirrors no longer abort the whole synchronization process. --------- Signed-off-by: Nicolas <bircni@icloud.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
9d737a6400 |
fix(deps): update module golang.org/x/crypto to v0.52.0 [security] (#37806)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) | [`v0.51.0` → `v0.52.0`](https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.51.0...refs/tags/v0.52.0) |  |  |

---

### Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent

[CVE-2026-39833](https://nvd.nist.gov/vuln/detail/CVE-2026-39833) / [GO-2026-5005](https://pkg.go.dev/vuln/GO-2026-5005)

<details>
<summary>More information</summary>

#### Details

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79436](https://go.dev/issue/79436)
- [https://go.dev/cl/778640](https://go.dev/cl/778640)
- [https://go.dev/cl/778641](https://go.dev/cl/778641)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5005) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent

[CVE-2026-39832](https://nvd.nist.gov/vuln/detail/CVE-2026-39832) / [GO-2026-5006](https://pkg.go.dev/vuln/GO-2026-5006)

<details>
<summary>More information</summary>

#### Details

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79435](https://go.dev/issue/79435)
- [https://go.dev/cl/778642](https://go.dev/cl/778642)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5006) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh

[CVE-2026-46597](https://nvd.nist.gov/vuln/detail/CVE-2026-46597) / [GO-2026-5013](https://pkg.go.dev/vuln/GO-2026-5013)

<details>
<summary>More information</summary>

#### Details

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79561](https://go.dev/issue/79561)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781620](https://go.dev/cl/781620)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5013) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh

[CVE-2026-39828](https://nvd.nist.gov/vuln/detail/CVE-2026-39828) / [GO-2026-5014](https://pkg.go.dev/vuln/GO-2026-5014)

<details>
<summary>More information</summary>

#### Details

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79562](https://go.dev/issue/79562)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781621](https://go.dev/cl/781621)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5014) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh

[CVE-2026-39835](https://nvd.nist.gov/vuln/detail/CVE-2026-39835) / [GO-2026-5015](https://pkg.go.dev/vuln/GO-2026-5015)

<details>
<summary>More information</summary>

#### Details

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79563](https://go.dev/issue/79563)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781660](https://go.dev/cl/781660)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5015) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

[CVE-2026-39827](https://nvd.nist.gov/vuln/detail/CVE-2026-39827) / [GO-2026-5016](https://pkg.go.dev/vuln/GO-2026-5016)

<details>
<summary>More information</summary>

#### Details

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

#### Severity

Unknown

#### References

- [https://go.dev/issue/35127](https://go.dev/issue/35127)
- [https://go.dev/cl/781320](https://go.dev/cl/781320)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5016) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh

[CVE-2026-39830](https://nvd.nist.gov/vuln/detail/CVE-2026-39830) / [GO-2026-5017](https://pkg.go.dev/vuln/GO-2026-5017)

<details>
<summary>More information</summary>

#### Details

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79564](https://go.dev/issue/79564)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781640](https://go.dev/cl/781640)
- [https://go.dev/cl/781664](https://go.dev/cl/781664)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5017) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh

[CVE-2026-39829](https://nvd.nist.gov/vuln/detail/CVE-2026-39829) / [GO-2026-5018](https://pkg.go.dev/vuln/GO-2026-5018)

<details>
<summary>More information</summary>

#### Details

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79565](https://go.dev/issue/79565)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781641](https://go.dev/cl/781641)
- [https://go.dev/cl/781661](https://go.dev/cl/781661)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5018) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh

[CVE-2026-39831](https://nvd.nist.gov/vuln/detail/CVE-2026-39831) / [GO-2026-5019](https://pkg.go.dev/vuln/GO-2026-5019)

<details>
<summary>More information</summary>

#### Details

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79566](https://go.dev/issue/79566)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781662](https://go.dev/cl/781662)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5019) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh

[CVE-2026-39834](https://nvd.nist.gov/vuln/detail/CVE-2026-39834) / [GO-2026-5020](https://pkg.go.dev/vuln/GO-2026-5020)

<details>
<summary>More information</summary>

#### Details

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79567](https://go.dev/issue/79567)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781663](https://go.dev/cl/781663)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5020) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts

[CVE-2026-42508](https://nvd.nist.gov/vuln/detail/CVE-2026-42508) / [GO-2026-5021](https://pkg.go.dev/vuln/GO-2026-5021)

<details>
<summary>More information</summary>

#### Details

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79568](https://go.dev/issue/79568)
- [https://go.dev/cl/781220](https://go.dev/cl/781220)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5021) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh

[CVE-2026-46595](https://nvd.nist.gov/vuln/detail/CVE-2026-46595) / [GO-2026-5023](https://pkg.go.dev/vuln/GO-2026-5023)

<details>
<summary>More information</summary>

#### Details

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79570](https://go.dev/issue/79570)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)
- [https://go.dev/cl/781642](https://go.dev/cl/781642)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5023) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

### Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent

[CVE-2026-46598](https://nvd.nist.gov/vuln/detail/CVE-2026-46598) / [GO-2026-5033](https://pkg.go.dev/vuln/GO-2026-5033)

<details>
<summary>More information</summary>

#### Details

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

#### Severity

Unknown

#### References

- [https://go.dev/issue/79596](https://go.dev/issue/79596)
- [https://go.dev/cl/781360](https://go.dev/cl/781360)
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5033) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

</details>

---

This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
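Two of the advisories in the commit above (GO-2026-5018, unbounded RSA/DSA parameters, and GO-2026-5033, malformed wire bytes cast to ed25519.PrivateKey) share a root cause: sizes taken from untrusted SSH wire data were acted on before being checked. The following is an added example, not code from Gitea or from golang.org/x/crypto, written against the Go standard library only. It contains a minimal SSH wire reader that parses an `ssh-rsa` public key blob and rejects moduli above 8192 bits, negative mpints, truncated length prefixes and out-of-range exponents, plus the length check that has to precede any conversion of raw bytes to `ed25519.PrivateKey`. The 24-bit exponent cap, the helper encoders and the sample key sizes are assumptions and constructed test data for this example, not values taken from the advisory.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Limits applied to untrusted wire data. maxRSABits is the 8192-bit cap from
// the advisory; maxRSAExponentBits is an assumption made for this example.
const (
	maxRSABits         = 8192
	maxRSAExponentBits = 24
)

// readString consumes one SSH "string" (uint32 big-endian length + bytes) and
// returns the value and the remaining buffer, refusing a length that runs past
// the end of the input instead of slicing out of bounds.
func readString(b []byte) (val, rest []byte, err error) {
	if len(b) < 4 {
		return nil, nil, errors.New("ssh wire: short buffer")
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(n) > uint64(len(b)-4) {
		return nil, nil, errors.New("ssh wire: string length exceeds buffer")
	}
	return b[4 : 4+n], b[4+n:], nil
}

// readMpint reads an SSH mpint and rejects negative values (high bit set),
// which are never valid RSA parameters.
func readMpint(b []byte) (*big.Int, []byte, error) {
	raw, rest, err := readString(b)
	if err != nil {
		return nil, nil, err
	}
	if len(raw) > 0 && raw[0]&0x80 != 0 {
		return nil, nil, errors.New("ssh wire: negative mpint")
	}
	return new(big.Int).SetBytes(raw), rest, nil
}

// RSAPublic is the parsed form of an "ssh-rsa" public key blob.
type RSAPublic struct {
	E, N *big.Int
}

// ParseRSAPublic parses the blob (string "ssh-rsa", mpint e, mpint n) and
// enforces the size limits before the key can reach any expensive arithmetic.
func ParseRSAPublic(blob []byte) (*RSAPublic, error) {
	algo, rest, err := readString(blob)
	if err != nil {
		return nil, err
	}
	if string(algo) != "ssh-rsa" {
		return nil, fmt.Errorf("unexpected key type %q", algo)
	}
	e, rest, err := readMpint(rest)
	if err != nil {
		return nil, err
	}
	n, rest, err := readMpint(rest)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("ssh wire: trailing bytes after ssh-rsa key")
	}
	if n.BitLen() > maxRSABits {
		return nil, fmt.Errorf("rsa modulus is %d bits, limit is %d", n.BitLen(), maxRSABits)
	}
	if e.BitLen() > maxRSAExponentBits || e.Bit(0) == 0 || e.Cmp(big.NewInt(3)) < 0 {
		return nil, errors.New("rsa public exponent out of range")
	}
	return &RSAPublic{E: e, N: n}, nil
}

// ParseEd25519Private length-checks wire bytes before converting them. A bare
// ed25519.PrivateKey(raw) on a short slice compiles and only panics later, when
// the key is used; checking here turns that panic into an error.
func ParseEd25519Private(raw []byte) (ed25519.PrivateKey, error) {
	if len(raw) != ed25519.PrivateKeySize {
		return nil, fmt.Errorf("ed25519 private key is %d bytes, want %d", len(raw), ed25519.PrivateKeySize)
	}
	return ed25519.PrivateKey(append([]byte(nil), raw...)), nil
}

// Encoding helpers used to build constructed test vectors (not real keys).
func appendString(b, s []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(s)))
	return append(append(b, n[:]...), s...)
}

func appendMpint(b []byte, v *big.Int) []byte {
	raw := v.Bytes()
	if len(raw) > 0 && raw[0]&0x80 != 0 {
		raw = append([]byte{0}, raw...) // keep the mpint non-negative
	}
	return appendString(b, raw)
}

// BuildRSABlob encodes (e, n) as an "ssh-rsa" wire blob.
func BuildRSABlob(e, n *big.Int) []byte {
	b := appendString(nil, []byte("ssh-rsa"))
	b = appendMpint(b, e)
	return appendMpint(b, n)
}

func main() {
	ok := new(big.Int).Lsh(big.NewInt(1), 2047)    // 2048-bit modulus, constructed
	huge := new(big.Int).Lsh(big.NewInt(1), 16383) // 16384-bit modulus, constructed
	for _, n := range []*big.Int{ok, huge} {
		_, err := ParseRSAPublic(BuildRSABlob(big.NewInt(65537), n))
		fmt.Printf("%5d-bit modulus: err=%v\n", n.BitLen(), err)
	}
	_, err := ParseEd25519Private([]byte("short"))
	fmt.Println("5-byte ed25519 key:", err)
}
```

The same pattern applies to any other parameter the advisories mention (DSA p/q/g sizes, channel payload lengths): bound-check the untrusted integer at the parse boundary, not at the point of use.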
|
|
8874ba739b |
fix(build): swagger css import (#37801)
Snap build failure caused by missed swagger ui css file.

```
:: [plugin vite:css] /build/gitea/parts/gitea/build/web_src/css/swagger-standalone.css:undefined:NaN
:: Error: [postcss] ENOENT: no such file or directory, open '../../node_modules/swagger-ui-dist/swagger-ui.css'
```

Co-authored-by: silverwind <me@silverwind.io> |
||
|
|
b7e95cc48c |
feat: add copy button to action step header, improve other copy buttons (#37744)
- Adds a copy button to each action step header that copies the step's rendered log output to clipboard. - Extract a shared `copyToClipboard(target, content)` helper in `clipboard.ts` that adds SVG success/failure feedback. - `is-loading` height for the new helper is sourced from `--loading-size`. - Change actions log timestamp format to include seconds. The indented-markdown code-block fix has moved to #37748. <img width="244" height="165" alt="copystep" src="https://github.com/user-attachments/assets/ce286b51-f77b-4d82-b161-ca0aa7ec4fdc" /> <img width="187" height="150" alt="copybt" src="https://github.com/user-attachments/assets/5366b290-b776-496d-8dd4-58d5fa60be92" /> Fixes: https://github.com/go-gitea/gitea/issues/26116 --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
2e96e8227f |
style: misc UI fixes (#37691)
- Action view sidebar: rename `job-brief-item` to `action-view-sidebar-item`, fix trash icon overflow on long artifact names, align artifact and workflow hover styles with the jobs list - Branches: expand new PR button cell to three wide so the button is not clipped on narrow viewports - Dashboard feed: add `tw-max-w-full` so long issue titles truncate - Reactions: tighten label padding <img width="261" height="65" alt="Screenshot 2026-05-13 at 16 18 33" src="https://github.com/user-attachments/assets/ecfe8f37-4a65-4839-b8c0-defccc85482c" /> <img width="154" height="126" alt="Screenshot 2026-05-13 at 16 19 25" src="https://github.com/user-attachments/assets/41302134-d1b7-401a-be2d-79173adb6d17" /> <img width="405" height="378" alt="Screenshot 2026-05-13 at 16 47 18" src="https://github.com/user-attachments/assets/e2c5cdd4-f11d-498c-b17e-c74c80c0ddf7" /> <img width="206" height="149" alt="Screenshot 2026-05-13 at 16 55 53" src="https://github.com/user-attachments/assets/7787125d-04b1-4500-b9b8-2637845509d6" /> <img width="858" height="135" alt="Screenshot 2026-05-13 at 16 58 41" src="https://github.com/user-attachments/assets/cb5bdf56-3891-469d-aa77-ea38855958c1" /> <img width="434" height="128" alt="Screenshot 2026-05-13 at 17 00 43" src="https://github.com/user-attachments/assets/60f2c34d-b345-4813-8f6d-a95bf51021b4" /> --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
93b8fdcd68 |
ci: shard tests and reduce redundant work (#37618)
Critical path ~25:42 → ~19:56 (−22%), ~0% CI minutes. - `test-pgsql` shards 2-way. Branch protection: replace `test-pgsql` with `test-pgsql-shards (1)` + `test-pgsql-shards (2)`; `test-unit`, sqlite/mysql/mssql unchanged — pgsql dominates the critical path. - `test-unit` runs `bindata` then `bindata gogit` sequentially. cache-seeder pre-warms the race-instrumented test compile cache and the integration test binary so PR jobs warm-start. - Cache writes restricted to cache-seeder; PR jobs use `actions/cache/restore`. Defends against PR cache poisoning and frees the 10 GB cap from PR churn. - `go-cache` action: dropped the `cache-name` input. One gobuild cache, one golangci-lint cache. Seeder lint job restores but doesn't save gobuild, so only one writer populates it. - `tools/test-integration.sh` shards the integration binary via `-test.list`; `TestMain` short-circuits DB init in list mode. `TestAPILFSNotStarted` / `TestAPILFSLocksNotStarted` switched to `test.MockVariableValue` — latent `setting.LFS.StartServer` global-state leak uncovered by sharding. --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
33c60ad7b2 | chore: simplify issue and pull request templates (#37799) | ||
|
|
2fde11dfbb | chore: Update 1.26.2 changelog in main (#37796) | ||
|
|
552c29a259 |
fix(actions): make artifact signature payloads unambiguous (#37707)
This PR hardens artifact URL signing by encoding signature inputs in an unambiguous binary payload before computing the HMAC. What it changes: - replace direct concatenation-style signing inputs with explicit payload builders - encode string fields with a length prefix before appending their bytes - encode integer fields as fixed-width binary values instead of decimal text - apply the same hardening to both: - Actions Artifact V4 signing in `routers/api/actions/artifactsv4.go` - artifact download signing in `routers/api/v1/repo/action.go` - add regression tests that verify distinct field combinations produce distinct payloads and signatures Why: The previous signing logic built HMAC inputs by appending multiple fields without a strongly structured representation. That kind of construction can create ambiguity at field boundaries, where different parameter combinations may serialize into the same byte stream for signing. This change removes that ambiguity by constructing a deterministic payload format with explicit boundaries between fields. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
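The field-boundary ambiguity the commit message above describes is easy to reproduce. The following is an added example, not Gitea's signing code, written against the Go standard library only: a naive concatenation signer beside a length-prefixed, fixed-width one, with constant-time verification. The field names (owner, repo, artifactID), the 4-byte length prefix and the 8-byte integer width are assumptions for the example; the key is a constructed placeholder.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// naivePayload stands in for the construction the commit replaces: fields
// appended as text with nothing marking where one ends and the next begins.
// ("ab","c",1) and ("a","bc",1) serialize to the same bytes, as do
// ("a","b",12) and ("a","b1",2), so each pair shares one HMAC tag.
func naivePayload(owner, repo string, artifactID int64) []byte {
	return []byte(owner + repo + fmt.Sprintf("%d", artifactID))
}

// canonicalPayload is the hardened form: each string is prefixed with its
// length as a 4-byte big-endian integer and the integer is written as a fixed
// 8-byte big-endian value. Field boundaries are recoverable from the bytes
// alone, so distinct inputs cannot serialize identically. (Widths and field
// names are assumptions for this example.)
func canonicalPayload(owner, repo string, artifactID int64) []byte {
	var buf bytes.Buffer
	var tmp [8]byte
	putString := func(s string) {
		binary.BigEndian.PutUint32(tmp[:4], uint32(len(s)))
		buf.Write(tmp[:4])
		buf.WriteString(s)
	}
	putString(owner)
	putString(repo)
	binary.BigEndian.PutUint64(tmp[:], uint64(artifactID))
	buf.Write(tmp[:])
	return buf.Bytes()
}

// sign returns the hex-encoded HMAC-SHA256 tag of payload under key.
func sign(key, payload []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return hex.EncodeToString(m.Sum(nil))
}

// verify recomputes the tag and compares it in constant time; a malformed
// hex string is simply rejected.
func verify(key, payload []byte, tagHex string) bool {
	got, err := hex.DecodeString(tagHex)
	if err != nil {
		return false
	}
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return hmac.Equal(got, m.Sum(nil))
}

func main() {
	key := []byte("example-hmac-key") // constructed placeholder; use a random secret in practice
	a := sign(key, naivePayload("a", "b", 12))
	b := sign(key, naivePayload("a", "b1", 2))
	fmt.Println("naive tags collide:    ", a == b)
	c := sign(key, canonicalPayload("a", "b", 12))
	d := sign(key, canonicalPayload("a", "b1", 2))
	fmt.Println("canonical tags collide:", c == d)
	fmt.Println("canonical verify:      ", verify(key, canonicalPayload("a", "b", 12), c))
}
```

The practical consequence of the naive form is that a tag minted for one (repo, artifact) pair can be replayed against a differently split pair that happens to produce the same byte string; the length-prefixed form makes that impossible by construction, and the regression tests the commit adds check exactly that property.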
|
|
304f8a551a | chore: Update giteabot to fix failure when backport (#37789) | ||
|
|
42e167b054 |
fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] (#37786)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-git/go-git/v5](https://redirect.github.com/go-git/go-git) | `v5.19.0` → `v5.19.1` |  |  | --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
|
9c8d55daf8 |
fix(pull): handle empty pull request files view to allow reviews (#37783)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
7e436972f9 |
fix(markup): make RenderString never fail (#37779)
Fix #37778 --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: wxiaoguang <2114189+wxiaoguang@users.noreply.github.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
621aa67e7d |
fix(markup): wrap indented code blocks for the code-copy button (#37748)
Indented (4-space) code blocks were emitted by goldmark's default renderer as plain `<pre><code>` without the `code-block-container` wrapper that the JS `initMarkupCodeCopy` keys on. As a result, only fenced code blocks received the copy button. Register `ast.KindCodeBlock` with a renderer that produces the same wrapper as the highlighting renderer so both syntaxes get the button. Extends `TestMarkdownFencedCodeBlock` to assert the wrapper is emitted for indented blocks (and that HTML inside is escaped). Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
171df0c9ff | fix(permissions): Fix reading permission (#37769) | ||
|
|
dbf4828169 |
fix: add natural sort to sortTreeViewNodes (#37772)
Aligns the sorting behavior of view-file-tree with repo-files-table. Attachment below: <img width="427" height="713" alt="fix-bug-sort" src="https://github.com/user-attachments/assets/0da7d7b6-3970-459d-b3c0-f57200dc73b7" /> --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
5ad70f79ba |
fix: package creation unique conflict (#37774)
fix #30973 |
||
|
|
343eaa8940 |
fix(deps): update npm dependencies (#37768)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [katex](https://katex.org) ([source](https://redirect.github.com/KaTeX/KaTeX)) | [`0.16.45` → `0.16.46`](https://renovatebot.com/diffs/npm/katex/0.16.45/0.16.46) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.2.8` → `3.2.9`](https://renovatebot.com/diffs/npm/vue-tsc/3.2.8/3.2.9) |  |  | |
||
|
|
0b7fc8a579 |
fix(deps): update module gitlab.com/gitlab-org/api/client-go/v2 to v2.26.0 (#37771)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.25.0` → `v2.26.0` |  |  | |
||
|
|
a1de9e57c2 |
ci: split giteabot workflow (#37770)
## What This PR updates the giteabot workflows to use the newer action version that supports selecting individual checks, and splits the workflow into two separate jobs: - `giteabot backport` runs only the `backport` check on pushes to `main` - `giteabot` handles the remaining bot tasks on PR-related events, scheduled runs, and manual dispatch ## Why Previously, the single workflow handled both backporting and the other maintenance tasks together. With the new giteabot action supporting configurable checks, splitting the workflow makes the triggers clearer and avoids running non-backport maintenance on every push to `main`. ## Changes - upgrade `go-gitea/giteabot` to a revision that supports the `checks` input - move the `main` branch `push` trigger into a dedicated backport workflow - keep non-backport automation in the existing workflow - add a `workflow_dispatch` input so non-backport checks can be selected manually when needed --- Helped by a coding agent with Codex 5.4 --------- Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
78d744aa01 | [skip ci] Updated translations via Crowdin | ||
|
|
f2a1271f16 |
fix: Unify public-only token filtering in API queries and repo access checks (#37118)
This PR closes remaining `public-only` token gaps in the API by making the restriction apply consistently across repository, organization, activity, notification, and authenticated `/api/v1/user/...` routes. Previously, `public-only` tokens were still able to: - receive private results from some list/search/self endpoints, - access repository data through ID-based lookups, - and reach several authenticated self routes that should remain unavailable for public-only access. This change treats `public-only` as a cross-cutting visibility boundary: - list/search endpoints now filter private resources consistently, - repository lookups enforce the same restriction even when addressed indirectly, - and self routes that inherently expose or mutate private account state now reject `public-only` tokens. --- Generated by a coding agent with Codex 5.2 --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
81b544c279 |
fix(deps): update module google.golang.org/grpc to v1.81.1 (#37762)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [google.golang.org/grpc](https://redirect.github.com/grpc/grpc-go) | `v1.81.0` → `v1.81.1` |  |  |

---

### Release Notes

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.81.1`](https://redirect.github.com/grpc/grpc-go/releases/tag/v1.81.1): Release 1.81.1

[Compare Source](https://redirect.github.com/grpc/grpc-go/compare/v1.81.0...v1.81.1)

### Security

- xds/rbac: Fix a potential authorization bypass caused by incorrectly falling through URI/DNS SANs to Subject Distinguished Name (DN) when matching the authenticated principal name. With this fix, only the first non-empty identity source will be used, as per [gRFC A41](https://redirect.github.com/grpc/proposal/blob/master/A41-xds-rbac.md). ([#9111](https://redirect.github.com/grpc/grpc-go/issues/9111))
  - Special Thanks: [@al4an444](https://redirect.github.com/al4an444)

### Bug Fixes

- otel: Segregate client and server RPC information used for metrics and traces, to avoid one overwriting the other. ([#9081](https://redirect.github.com/grpc/grpc-go/issues/9081))

</details>

---

### Configuration

📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
|
ff1b8b2b92 |
chore: make DefaultTitleSource default to auto to match GitHub (#37767)
It is a changed (breaking) behavior introduced in 1.26, no need to have such a breaking change. |
||
|
|
985ca76db0 |
ci: fix cache-related issues (#37761)
Fixes two recurring CI failures:
1. `cache-seeder.yml` lint-backend missing a `make generate-go` before linting with `TAGS=bindata`, and `pull-compliance.yml` lint-on-demand failing its post-step pnpm cache save when no pnpm-using conditional step runs.
2. Drops `cache: pnpm` from lint-on-demand and adds `make generate-go` to cache-seeder's lint job.
---
This PR was written with the help of Claude Opus 4.7
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
|
||
|
|
c37b5241d7 |
chore: fix tests (#37760)
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
912afcaa51 |
refactor(waitgroup): replace Add/Done goroutines with WaitGroup.Go (#37764)
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: wxiaoguang <2114189+wxiaoguang@users.noreply.github.com>
|
||
|
|
e60ca35d52 |
fix(deps): update go dependencies (#37752)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | Type | Update | Pending |
|---|---|---|---|---|---|---|
| code.gitea.io/sdk/gitea | `v0.25.0` → `v0.25.1` |  |  | require | patch | |
| [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.0` → `v1.0.3` |  |  | require | patch | `v1.0.4` |
| [github.com/getkin/kin-openapi](https://redirect.github.com/getkin/kin-openapi) | `v0.137.0` → `v0.138.0` |  |  | require | minor | |
| [github.com/go-co-op/gocron/v2](https://redirect.github.com/go-co-op/gocron) | `v2.21.1` → `v2.21.2` |  |  | require | patch | |
| [github.com/go-webauthn/webauthn](https://redirect.github.com/go-webauthn/webauthn) | `v0.17.2` → `v0.17.3` |  |  | require | patch | |
| [github.com/google/pprof](https://redirect.github.com/google/pprof) | `545e8a4` → `92041b7` |  |  | require | digest | |
| [github.com/wneessen/go-mail](https://redirect.github.com/wneessen/go-mail) | `v0.7.2` → `v0.7.3` |  |  | require | patch | |
| [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.24.1` → `v2.25.0` |  |  | require | minor | `v2.27.0` (+2) |
| [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) | [`v0.50.0` → `v0.51.0`](https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.50.0...refs/tags/v0.51.0) |  |  | require | minor | |
| [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) | [`v0.39.0` → `v0.40.0`](https://cs.opensource.google/go/x/image/+/refs/tags/v0.39.0...refs/tags/v0.40.0) |  |  | require | minor | |
| [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) | [`v0.53.0` → `v0.54.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.53.0...refs/tags/v0.54.0) |  |  | require | minor | |
| [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) | [`v0.36.0` → `v0.37.0`](https://cs.opensource.google/go/x/text/+/refs/tags/v0.36.0...refs/tags/v0.37.0) |  |  | require | minor | |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `v1.50.0` → `v1.50.1` |  |  | require | patch | |

---
### Release Notes
<details>
<summary>gitea/runner (gitea.com/gitea/runner)</summary>
### [`v1.0.3`](https://gitea.com/gitea/runner/releases/tag/v1.0.3)
[Compare Source](https://gitea.com/gitea/runner/compare/v1.0.2...v1.0.3)
#### Changelog
- fix: isolate per-task runner envs ([#​959](https://redirect.github.com/gitea/runner/issues/959))
- fix(deps): update module github.com/opencontainers/selinux to v1.14.1 ([#​955](https://redirect.github.com/gitea/runner/issues/955))
- fix(deps): update mergo to v1.0.2 (now `dario.cat/mergo`) ([#​954](https://redirect.github.com/gitea/runner/issues/954))
- fix: ensure `dbfs_data` is cleaned up after task completion ([#​952](https://redirect.github.com/gitea/runner/issues/952))
- fix(artifactcache): preserve cache key case to stop redundant uploads ([#​947](https://redirect.github.com/gitea/runner/issues/947))
- fix(deps): update module golang.org/x/term to v0.43.0 ([#​948](https://redirect.github.com/gitea/runner/issues/948))
### [`v1.0.2`](https://gitea.com/gitea/runner/releases/tag/v1.0.2)
[Compare Source](https://gitea.com/gitea/runner/compare/v1.0.1...v1.0.2)
#### Changelog
- fix: overwrite read-only files when copying action directories ([#​942](https://redirect.github.com/gitea/runner/issues/942))
- docs: add apparmor=rootlesskit in security\_opt ([#​937](https://redirect.github.com/gitea/runner/issues/937))
- fix: serialize action-cache reads to prevent worktree race ([#​938](https://redirect.github.com/gitea/runner/issues/938))
- feat: remove emojis from runner logging, add `Starting job container` group ([#​940](https://redirect.github.com/gitea/runner/issues/940))
### [`v1.0.1`](https://gitea.com/gitea/runner/releases/tag/v1.0.1)
[Compare Source](https://gitea.com/gitea/runner/compare/v1.0.0...v1.0.1)
#### Changelog
- [`dff63b3`]( |
||
|
|
4ee8266519 |
chore(deps): update action dependencies (#37751)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [pnpm/action-setup](https://redirect.github.com/pnpm/action-setup) | action | patch | `v6.0.5` → `v6.0.8` |
| [renovatebot/github-action](https://redirect.github.com/renovatebot/github-action) | action | patch | `v46.1.13` → `v46.1.14` |

---
### Release Notes
<details>
<summary>pnpm/action-setup (pnpm/action-setup)</summary>
### [`v6.0.8`](https://redirect.github.com/pnpm/action-setup/releases/tag/v6.0.8)
[Compare Source](https://redirect.github.com/pnpm/action-setup/compare/v6.0.7...v6.0.8)
##### What's Changed
- docs(README): fix `cache_dependency_path` type by [@​haines](https://redirect.github.com/haines) in [#​257](https://redirect.github.com/pnpm/action-setup/pull/257)
- fix: drop patchPnpmEnv so standalone+self-update works on Windows by [@​zkochan](https://redirect.github.com/zkochan) in [#​258](https://redirect.github.com/pnpm/action-setup/pull/258)
- fix: update pnpm to 11.1.1 by [@​mungodewar](https://redirect.github.com/mungodewar) in [#​248](https://redirect.github.com/pnpm/action-setup/pull/248)
##### New Contributors
- [@​mungodewar](https://redirect.github.com/mungodewar) made their first contribution in [#​248](https://redirect.github.com/pnpm/action-setup/pull/248)
**Full Changelog**: <https://github.com/pnpm/action-setup/compare/v6.0.7...v6.0.8>
### [`v6.0.7`](https://redirect.github.com/pnpm/action-setup/releases/tag/v6.0.7)
[Compare Source](https://redirect.github.com/pnpm/action-setup/compare/v6.0.6...v6.0.7)
##### What's Changed
- fix: honor devEngines.packageManager.onFail=error ([#​252](https://redirect.github.com/pnpm/action-setup/issues/252)) by [@​zkochan](https://redirect.github.com/zkochan) in [#​254](https://redirect.github.com/pnpm/action-setup/pull/254)
- fix: restore inputs from state in post by [@​haines](https://redirect.github.com/haines) in [#​255](https://redirect.github.com/pnpm/action-setup/pull/255)
- fix: self-update bootstrap to packageManager-pinned version ([#​233](https://redirect.github.com/pnpm/action-setup/issues/233)) by [@​zkochan](https://redirect.github.com/zkochan) in [#​256](https://redirect.github.com/pnpm/action-setup/pull/256)
##### New Contributors
- [@​haines](https://redirect.github.com/haines) made their first contribution in [#​255](https://redirect.github.com/pnpm/action-setup/pull/255)
**Full Changelog**: <https://github.com/pnpm/action-setup/compare/v6.0.6...v6.0.7>
### [`v6.0.6`](https://redirect.github.com/pnpm/action-setup/releases/tag/v6.0.6)
[Compare Source](https://redirect.github.com/pnpm/action-setup/compare/v6.0.5...v6.0.6)
##### What's Changed
- fix: bin\_dest output points to self-updated pnpm, not bootstrap by [@​zkochan](https://redirect.github.com/zkochan) in [#​249](https://redirect.github.com/pnpm/action-setup/pull/249)
**Full Changelog**: <https://github.com/pnpm/action-setup/compare/v6.0.5...v6.0.6>
</details>
<details>
<summary>renovatebot/github-action (renovatebot/github-action)</summary>
### [`v46.1.14`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.14)
[Compare Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.13...v46.1.14)
##### Documentation
- Revise Fine-grained Personal Access Tokens section ([#​1030](https://redirect.github.com/renovatebot/github-action/issues/1030)) ([fef7882]( |
||
|
|
3d95a2f028 |
fix(deps): update module github.com/google/go-github/v85 to v86 (#37754)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/google/go-github/v85](https://redirect.github.com/google/go-github) | `v85.0.0` → `v86.0.0` |  |  |

---
### Release Notes
<details>
<summary>google/go-github (github.com/google/go-github/v85)</summary>
### [`v86.0.0`](https://redirect.github.com/google/go-github/releases/tag/v86.0.0)
[Compare Source](https://redirect.github.com/google/go-github/compare/v85.0.0...v86.0.0)
This release contains the following breaking API changes:
- feat!: Refactor request context ([#​4151](https://redirect.github.com/google/go-github/issues/4151))
  BREAKING CHANGE: All internal calls now provide `Context` via the `Request` itself.
- feat!: Add OIDC authentication support to `PrivateRegistries` ([#​4159](https://redirect.github.com/google/go-github/issues/4159))
  BREAKING CHANGE: `PrivateRegistriesService` is updated to API version `2026-03-10` with struct and response changes.
...and the following additional changes:
- chore: Bump version of `go-github` to `v86.0.0` ([#​4198](https://redirect.github.com/google/go-github/issues/4198))
- test: Fix invalid JSON payloads in actions workflow runs tests ([#​4197](https://redirect.github.com/google/go-github/issues/4197))
- feat: Add repo download contents sentinel errors ([#​4192](https://redirect.github.com/google/go-github/issues/4192))
- chore: Fix `otel` module name ([#​4187](https://redirect.github.com/google/go-github/issues/4187))
- feat: Add typed Copilot metrics download helpers ([#​4177](https://redirect.github.com/google/go-github/issues/4177))
- feat: Add `deploy_keys_enabled_for_repositories` and secret scanning custom link fields to `Organization` struct ([#​4188](https://redirect.github.com/google/go-github/issues/4188))
- refactor: Use `testJSONBody` helper for request body assertions in tests ([#​4183](https://redirect.github.com/google/go-github/issues/4183))
- build(deps): Bump github.com/getkin/kin-openapi from 0.135.0 to 0.137.0 in /tools ([#​4184](https://redirect.github.com/google/go-github/issues/4184))
- fix: Include `RetryAfter` in `AbuseRateLimitError.Error` output ([#​4181](https://redirect.github.com/google/go-github/issues/4181))
- fix: Handle string-typed reviewer `ID` in Ruleset API responses ([#​4178](https://redirect.github.com/google/go-github/issues/4178))
- feat: Add `ArchivedAt` field to `Organization` struct ([#​4179](https://redirect.github.com/google/go-github/issues/4179))
- feat: Add Copilot coding agent and content exclusion org endpoints ([#​4176](https://redirect.github.com/google/go-github/issues/4176))
- chore: Bump go-github from v84 to v85 in /scrape ([#​4174](https://redirect.github.com/google/go-github/issues/4174))
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation - Only on Monday (`* * * * 1`)
- Automerge - At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).
|
||
|
|
83151e98cc |
ci: narrow files-changed frontend filter (#37749)
Drop the broad `tools/*.{js,ts}` globs from the `frontend` filter so
edits to CI-only or backend helper scripts in `tools/` stop triggering
frontend and e2e jobs. Only `tools/generate-svg.ts` is kept.
Also renames `tools/lint-pr-title.js` to `.ts` for consistency, drops
the empty root `*.js` glob, fixes stray indentation in the `dockerfile`
filter and adds missing `setup-node`.
---
This PR was written with the help of Claude Opus 4.7
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
|
||
|
|
aecb2585f0 |
fix(deps): update npm dependencies (#37753)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| @​codemirror/view | [`6.42.0` → `6.42.1`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.42.0/6.42.1) |  |  |
| [@playwright/test](https://playwright.dev) ([source](https://redirect.github.com/microsoft/playwright)) | [`1.59.1` → `1.60.0`](https://renovatebot.com/diffs/npm/@playwright%2ftest/1.59.1/1.60.0) |  |  |
| [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`25.6.0` → `25.7.0`](https://renovatebot.com/diffs/npm/@types%2fnode/25.6.0/25.7.0) |  |  |
| [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.59.2` → `8.59.3`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.2/8.59.3) |  |  |
| [@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest) | [`1.6.16` → `1.6.17`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.16/1.6.17) |  |  |
| [eslint-plugin-de-morgan](https://redirect.github.com/azat-io/eslint-plugin-de-morgan) | [`2.1.1` → `2.1.2`](https://renovatebot.com/diffs/npm/eslint-plugin-de-morgan/2.1.1/2.1.2) |  |  |
| [eslint-plugin-vue-scoped-css](https://future-architect.github.io/eslint-plugin-vue-scoped-css/) ([source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css)) | [`3.0.0` → `3.1.0`](https://renovatebot.com/diffs/npm/eslint-plugin-vue-scoped-css/3.0.0/3.1.0) |  |  |
| [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.0.8` → `11.1.1`](https://renovatebot.com/diffs/npm/pnpm/11.0.8/11.1.1) |  |  |
| [rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin) | [`3.0.4` → `3.0.5`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.4/3.0.5) |  |  |
| [swagger-ui-dist](https://redirect.github.com/swagger-api/swagger-ui) | [`5.32.5` → `5.32.6`](https://renovatebot.com/diffs/npm/swagger-ui-dist/5.32.5/5.32.6) |  |  |
| [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.2` → `8.59.3`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.2/8.59.3) |  |  |
| [updates](https://redirect.github.com/silverwind/updates) | [`17.16.9` → `17.16.11`](https://renovatebot.com/diffs/npm/updates/17.16.9/17.16.11) |  |  |
| [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.0.10` → `8.0.12`](https://renovatebot.com/diffs/npm/vite/8.0.10/8.0.12) |  |  |
| [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.5` → `4.1.6`](https://renovatebot.com/diffs/npm/vitest/4.1.5/4.1.6) |  |  |

---
### Release Notes
<details>
<summary>microsoft/playwright (@​playwright/test)</summary>
### [`v1.60.0`](https://redirect.github.com/microsoft/playwright/releases/tag/v1.60.0)
[Compare Source](https://redirect.github.com/microsoft/playwright/compare/v1.59.1...v1.60.0)
#### 🌐 HAR recording on Tracing
[tracing.startHar()](https://playwright.dev/docs/api/class-tracing#tracing-start-har) / [tracing.stopHar()](https://playwright.dev/docs/api/class-tracing#tracing-stop-har) expose HAR recording as a first-class tracing API, with the same `content`, `mode` and `urlFilter` options as `recordHar`. The returned [Disposable](https://playwright.dev/docs/api/class-disposable) makes it easy to scope a recording with `await using`:
```js
await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.
```
#### 🪝 Drop API
New [locator.drop()](https://playwright.dev/docs/api/class-locator#locator-drop) simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches `dragenter`, `dragover`, and `drop` with a synthetic \[DataTransfer] in the page context — works cross-browser and is great for testing upload zones:
```js
await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
  data: {
    'text/plain': 'hello world',
    'text/uri-list': 'https://example.com',
  },
});
```
#### 🎯 Aria snapshots
- [expect(page).toMatchAriaSnapshot()](https://playwright.dev/docs/api/class-pageassertions#page-assertions-to-match-aria-snapshot) now works on a [Page](https://playwright.dev/docs/api/class-page), in addition to a [Locator](https://playwright.dev/docs/api/class-locator) — equivalent to asserting against `page.locator('body')`.
- New `boxes` option on [locator.ariaSnapshot()](https://playwright.dev/docs/api/class-locator#locator-aria-snapshot) / [page.ariaSnapshot()](https://playwright.dev/docs/api/class-page#page-aria-snapshot) appends each element's bounding box as `[box=x,y,width,height]`, useful for AI consumption.
#### 🛑 test.abort()
New [test.abort()](https://playwright.dev/docs/api/class-test#test-abort) aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:
```js
test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});
```
#### New APIs
##### Browser, Context and Page
- Event [browser.on('context')](https://playwright.dev/docs/api/class-browser#browser-event-context) — fired when a new context is created on the browser.
- [BrowserContext](https://playwright.dev/docs/api/class-browsercontext) now mirrors lifecycle events from its pages: [browserContext.on('download')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-download), [browserContext.on('frameattached')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-frame-attached), [browserContext.on('framedetached')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-frame-detached), [browserContext.on('framenavigated')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-frame-navigated), [browserContext.on('pageclose')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-page-close), [browserContext.on('pageload')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-page-load).
##### Locators and Assertions
- New option `description` in [page.getByRole()](https://playwright.dev/docs/api/class-page#page-get-by-role) / [locator.getByRole()](https://playwright.dev/docs/api/class-locator#locator-get-by-role) / [frame.getByRole()](https://playwright.dev/docs/api/class-frame#frame-get-by-role) / [frameLocator.getByRole()](https://playwright.dev/docs/api/class-framelocator#frame-locator-get-by-role) for matching the [accessible description](https://www.w3.org/TR/wai-aria-1.2/#dfn-accessible-description).
- New option `pseudo` in [expect(locator).toHaveCSS()](https://playwright.dev/docs/api/class-locatorassertions#locator-assertions-to-have-css) reads computed styles from `::before` or `::after`.
- New option `style` in [locator.highlight()](https://playwright.dev/docs/api/class-locator#locator-highlight) applies extra inline CSS to the highlight overlay, plus new [page.hideHighlight()](https://playwright.dev/docs/api/class-page#page-hide-highlight) to clear all highlights.
##### Network
- [webSocketRoute.protocols()](https://playwright.dev/docs/api/class-websocketroute#web-socket-route-protocols) returns the WebSocket subprotocols requested by the page.
- New option `noDefaults` in [browserType.connectOverCDP()](https://playwright.dev/docs/api/class-browsertype#browser-type-connect-over-cdp) disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state.
##### Errors and Reporting
- New [webError.location()](https://playwright.dev/docs/api/class-weberror#web-error-location) mirrors [consoleMessage.location()](https://playwright.dev/docs/api/class-consolemessage#console-message-location).
- [consoleMessage.location()](https://playwright.dev/docs/api/class-consolemessage#console-message-location) now exposes `line` / `column` properties (`lineNumber` / `columnNumber` are deprecated).
- New [testInfoError.errorContext](https://playwright.dev/docs/api/class-testinfoerror#test-info-error-error-context) surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an `expect(...)` matcher failure.
- [reporter.onError()](https://playwright.dev/docs/api/class-reporter#reporter-on-error) now receives a `workerInfo` argument with details about the worker for fixture teardown errors.
##### Test runner
- New `{testFileBaseName}` token in [testProject.snapshotPathTemplate](https://playwright.dev/docs/api/class-testproject#test-project-snapshot-path-template) — file name without extension.
- Test runner now errors when a config tries to override a non-option fixture, and rejects `workers: 0` or negative values.
#### 🛠️ Other improvements
- HTML reporter:
  - `npx playwright show-report` accepts `.zip` files directly — no need to unzip first.
  - Steps that contain attachments inside nested children show an indicator on the parent step.
  - The `repeatEachIndex` is shown in the test header when non-zero.
- Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel.
#### Breaking Changes ⚠️
- Removed long-deprecated APIs:
  - `Locator.ariaRef()` — use the standard [locator.ariaSnapshot()](https://playwright.dev/docs/api/class-locator#locator-aria-snapshot) pipeline.
  - `handle` option on `BrowserContext.exposeBinding` and `Page.exposeBinding`.
  - `logger` option on `BrowserType.connect` and `BrowserType.connectOverCDP` — use [tracing](https://playwright.dev/docs/trace-viewer) instead.
  - Context options `videosPath` / `videoSize` — use `recordVideo` instead.
#### Browser Versions
- Chromium 148.0.7778.96
- Mozilla Firefox 150.0.2
- WebKit 26.4
This version was also tested against the following stable channels:
- Google Chrome 147
- Microsoft Edge 147
</details>
<details>
<summary>typescript-eslint/typescript-eslint (@​typescript-eslint/parser)</summary>
### [`v8.59.3`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8593-2026-05-11)
[Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.2...v8.59.3)
This was a version bump only for parser to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.3) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website.
</details>
<details>
<summary>vitest-dev/eslint-plugin-vitest (@​vitest/eslint-plugin)</summary>
### [`v1.6.17`](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/releases/tag/v1.6.17)
[Compare Source](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.16...v1.6.17)
##### 🐞 Bug Fixes
- Recommend `toBeTypeOf` instead of `expectTypeOf` in `prefer-expect-type-of` - by [@​sheremet-va](https://redirect.github.com/sheremet-va) in [#​896](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/896) [<samp>(a4bcd)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/a4bcdf5)
- **no-standalone-expect**: Allow expect inside vi.defineHelper callbacks - by [@​nami8824](https://redirect.github.com/nami8824) in [#​894](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/894) [<samp>(fd8eb)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/fd8eb3c)
##### [View changes on GitHub](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.16...v1.6.17)
</details>
<details>
<summary>azat-io/eslint-plugin-de-morgan (eslint-plugin-de-morgan)</summary>
### [`v2.1.2`](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/blob/HEAD/changelog.md#v212)
[Compare Source](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/compare/v2.1.1...v2.1.2)
[compare changes](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/compare/v2.1.1...v2.1.2)
##### 🐞 Bug Fixes
- Avoid invalid autofixes for grouped boolean expressions ([1173aaa](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/commit/1173aaa))
##### ❤️ Contributors
- Azat S. ([@​azat-io](https://redirect.github.com/azat-io))
</details>
<details>
<summary>future-architect/eslint-plugin-vue-scoped-css (eslint-plugin-vue-scoped-css)</summary>
### [`v3.1.0`](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/blob/HEAD/CHANGELOG.md#310)
[Compare Source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/compare/v3.0.0...v3.1.0)
##### Minor Changes
- refactor: replace lodash with es-toolkit and vanilla js ([#​492](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/pull/492))
</details>
<details>
<summary>pnpm/pnpm (pnpm)</summary>
### [`v11.1.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1111)
[Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.0...v11.1.1)
##### Patch Changes
- Skip installability validation when scanning workspace projects in `checkDepsStatus` (run by `verifyDepsBeforeRun`). Previously the status check called `findWorkspaceProjects`, which validates each project's `engines` and `os`/`cpu`/`libc` and warns about useless fields in non-root manifests — work that the install pipeline already performs. With no `nodeVersion` threaded through, the engine check also fell back to the system Node from `PATH` and emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now use `findWorkspaceProjectsNoCheck`; install paths continue to validate.
- Fixed `pnpm add <alias>:@​scope/pkg` for [named registries](https://redirect.github.com/pnpm/pnpm/pull/11324). The local resolver was claiming any specifier containing `/` as a local directory, so `pnpm add bit:@​teambit/bit` (with `bit` configured under `namedRegistries`) installed a bogus link to `bit:@​teambit/bit/` instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain.
- Updated `@zkochan/cmd-shim` to 9.0.3. The sh shim it writes for `.cmd` / `.bat` targets now escapes the `/C` switch as `//C`, so it survives the path translation Git Bash applies when launching `cmd.exe`. Without this, a bare `/C` was rewritten to `C:\` before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See [pnpm/cmd-shim#55](https://redirect.github.com/pnpm/cmd-shim/pull/55).
### [`v11.1.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1110)
[Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.0.9...v11.1.0)
##### Minor Changes
- Added `pnpm audit signatures` to verify ECDSA registry signatures for installed packages against keys from `/-/npm/v1/keys` [#​7909](https://redirect.github.com/pnpm/pnpm/issues/7909). Scoped registries are respected, and registries without signing keys are skipped.
- Added support for installing packages from the [GitHub Packages npm registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry) via a built-in `gh:` prefix (e.g. `pnpm add gh:@​acme/private`), and, more broadly, for arbitrary named registries in the style of [vlt's named-registry aliases](https://docs.vlt.sh/cli/registries). Authentication is picked up from the existing per-URL `.npmrc` entries (e.g. `//npm.pkg.github.com/:_authToken=...`), so no separate auth mechanism is required. Additional aliases — or an override for the built-in `gh` alias, for GitHub Enterprise Server — can be configured under `namedRegistries` in `pnpm-workspace.yaml`:
  ```yaml
  namedRegistries:
    gh: https://npm.pkg.github.example.com/
    work: https://npm.work.example.com/
  ```
  With this, `work:@​corp/lib@^2.0.0` resolves against `https://npm.work.example.com/`. [#​11324](https://redirect.github.com/pnpm/pnpm/issues/11324).
- Allow setting sbom spec version using `--sbom-spec-version` [#​11389](https://redirect.github.com/pnpm/pnpm/pull/11389).
- Add `--no-runtime` flag (config: `runtime=false`) to skip installing runtime entries (e.g. Node.js downloaded via `devEngines.runtime`) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and `.bin` linking are skipped. Useful in CI matrices where the runtime is provisioned externally (e.g. via `pnpm runtime -g set node <version>`) before `pnpm install` runs.
- Added the `pnpm bugs` command that opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's `package.json`; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. Falls back to `<repository>/issues` when the `bugs` field is missing [#​11279](https://redirect.github.com/pnpm/pnpm/pull/11279).
- Added `pnpm owner` command to manage package owners on the registry.
##### Patch Changes
- Added "published X ago by Y" information to the `pnpm view` command output, similar to `npm view`. This is useful when comparing against `minimumReleaseAge`. For example, `pnpm view pnpm` now shows:
  ```
  published 17 hours ago by GitHub Actions
  ```
- `pnpm publish` now honors the configured HTTP/HTTPS proxy (including `https_proxy`/`http_proxy`/`no_proxy` environment variables) when polling the registry's `doneUrl` during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond `403` from a different source IP and the login to never complete [#​11561](https://redirect.github.com/pnpm/pnpm/issues/11561).
- `pnpm add -g` now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so that they share dependencies and are removed together), pass them as a comma-separated list. For example:
  - `pnpm add -g foo bar` installs `foo` and `bar` as two independent globals — removing one does not affect the other.
  - `pnpm add -g foo,bar qar` bundles `foo` and `bar` into a single isolated install while `qar` is installed on its own.
  Related: [#​11587](https://redirect.github.com/pnpm/pnpm/issues/11587).
- `pnpm runtime set <name> <version>` no longer fails in the root of a multi-package workspace with the `ADDING_TO_ROOT` error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check.
- Fix `pnpm --version` hanging for the lifetime of the worker pool after the version was printed. `main.ts`'s `--version` short-circuit returned before reaching the command-handler `finally` that calls `finishWorkers()`, so the worker pool that `switchCliVersion` had spawned during integrity resolution stayed alive and held the Node event loop open. The CLI entry now runs `finishWorkers()` from its own `finally`, so every exit path tears the pool down. Repro: `pnpm --version` in a workspace whose `devEngines.packageManager` version already matches the running pnpm + `onFail: "download"`. `switchCliVersion` resolves the integrity (spawning workers), finds nothing to swap, returns. The version prints, then the process hangs.
### [`v11.0.9`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1109)
[Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.0.8...v11.0.9)
##### Patch Changes
- Fixed installation of GitLab-hosted dependencies. pnpm now downloads the tarball from `https://gitlab.com/<user>/<project>/-/archive/<sha>/<project>-<sha>.tar.gz` instead of the GitLab API endpoint that contained an encoded slash (`%2F`) between user and project. The encoded slash both triggered `406 Not Acceptable` responses from GitLab and produced virtual store directory names that Node refused to import (`ERR_INVALID_MODULE_SPECIFIER`) [#​11533](https://redirect.github.com/pnpm/pnpm/issues/11533).
- Honor `NPM_CONFIG_USERCONFIG` (and its lowercase `npm_config_userconfig` form) as a low-priority fallback when locating the user-level `.npmrc`. This restores compatibility with environments that point npm at a custom auth file via that env var — most notably `actions/setup-node`, which writes registry credentials to `${runner.temp}/.npmrc` and exports `NPM_CONFIG_USERCONFIG` to reference it. Without this, GitHub Actions workflows using `actions/setup-node` to authenticate to private registries broke after upgrading to pnpm v11. PNPM-prefixed env vars and `npmrcAuthFile` from the global `config.yaml` continue to take precedence [#​11539](https://redirect.github.com/pnpm/pnpm/issues/11539).
- Fix `pnpm pack` not bundling dependencies listed in `bundleDependencies` (or `bundledDependencies`). The npm-packlist upgrade in pnpm 11 changed its API to require the caller to pre-populate the dependency tree, which the wrapper was not doing — `bundleDependencies` were silently dropped from the tarball [#​11519](https://redirect.github.com/pnpm/pnpm/issues/11519).
- Fixed the pnpm CLI crashing with a confusing `SyntaxError: Invalid regular expression flags` instead of printing a clear "requires Node.js v22.13" error when launched on an unsupported Node.js version. The Node.js version check in `bin/pnpm.mjs` was effectively dead code because the static `import` of the bundled `dist/pnpm.mjs` was hoisted by the ES module loader and parsed before the check could run [#​11546](https://redirect.github.com/pnpm/pnpm/issues/11546).
- Fixed `pnpm --prefix=<dir> install` overwriting the existing `pnpm-workspace.yaml` in `<dir>` with `set this to true or false` placeholders. The renamed `--prefix` option (which maps to `dir`) was not honored when locating the workspace root, so the workspace manifest's `allowBuilds` settings were not loaded into config and got clobbered when ignored builds were auto-populated [#​11535](https://redirect.github.com/pnpm/pnpm/issues/11535).
- Fixed `pnpm publish --provenance` failing with a 422 from the registry when the package version contained semver build metadata (e.g. `1.0.0-canary.0+abc1234`). The `+<build>` segment is now stripped before packing so that the version embedded in the tarball, the metadata sent to the registry, and the sigstore provenance subject all agree [#​11518](https://redirect.github.com/pnpm/pnpm/issues/11518). </details> <details> <summary>silverwind/rolldown-license-plugin (rolldown-license-plugin)</summary> ### [`v3.0.5`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.5) [Compare Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.4...3.0.5) - update deps, bump rolldown to 1.0.0 (silverwind) - Update vitest-config-silverwind to 11.3.3, add Node 26 to CI (silverwind) - update deps (silverwind) </details> <details> <summary>swagger-api/swagger-ui (swagger-ui-dist)</summary> ### [`v5.32.6`](https://redirect.github.com/swagger-api/swagger-ui/releases/tag/v5.32.6) [Compare Source](https://redirect.github.com/swagger-api/swagger-ui/compare/v5.32.5...v5.32.6) ##### Bug Fixes - **deps-dev:** address undici vulnerability ([#​10870](https://redirect.github.com/swagger-api/swagger-ui/issues/10870)) ([35f5a6a]( |
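The `pnpm audit signatures` entry in the changelog above states the check in one sentence. What follows is an added example, written in Go for this page rather than taken from pnpm or Gitea, of what verifying an npm registry signature involves: the signed string is `<name>@<version>:<integrity>`, the registry publishes its keys as base64 SPKI DER under `/-/npm/v1/keys`, and each `dist.signatures` entry carries a base64 DER ECDSA signature over that string. The registry key pair, the package name and the integrity value are constructed for the example; keyids are compared as opaque strings; and the distinct `ErrNoKeys` return is where a caller would apply the "registries without signing keys are skipped" rule.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// RegistryKey is one entry of /-/npm/v1/keys: an opaque keyid and the base64 SPKI DER public key.
type RegistryKey struct {
	KeyID string
	Key   string
}

// PackageSignature is one entry of dist.signatures: the signing keyid and the base64 DER ECDSA signature.
type PackageSignature struct {
	KeyID string
	Sig   string
}

var ErrNoKeys = errors.New("registry publishes no signing keys")

// payloadDigest hashes the string the registry signs: "<name>@<version>:<integrity>".
func payloadDigest(name, version, integrity string) []byte {
	sum := sha256.Sum256([]byte(name + "@" + version + ":" + integrity))
	return sum[:]
}

func parseKey(b64 string) (*ecdsa.PublicKey, error) {
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok || ec.Curve.Params().Name != "P-256" {
		return nil, errors.New("not an ECDSA P-256 key") // refuse any other key type outright
	}
	return ec, nil
}

// VerifyRegistrySignature succeeds when a signature on the package verifies under the registry key
// with the same keyid. ErrNoKeys is a distinct sentinel so the caller can apply the "registries
// without signing keys are skipped" rule; a known keyid whose signature fails is always an error.
func VerifyRegistrySignature(name, version, integrity string, sigs []PackageSignature, keys []RegistryKey) error {
	if len(keys) == 0 {
		return ErrNoKeys
	}
	digest := payloadDigest(name, version, integrity)
	for _, s := range sigs {
		for _, k := range keys {
			if k.KeyID != s.KeyID {
				continue
			}
			pub, err := parseKey(k.Key)
			if err != nil {
				return fmt.Errorf("key %s: %w", k.KeyID, err)
			}
			raw, err := base64.StdEncoding.DecodeString(s.Sig)
			if err == nil && ecdsa.VerifyASN1(pub, digest, raw) {
				return nil
			}
			return fmt.Errorf("signature by %s does not verify for %s@%s", s.KeyID, name, version)
		}
	}
	return errors.New("no signature by a key the registry publishes")
}

// NewTestRegistry generates a throwaway P-256 key pair standing in for the registry's signing key
// (constructed for this example, not a real npm key) and a signer that emits dist.signatures entries.
func NewTestRegistry() (RegistryKey, func(name, version, integrity string) PackageSignature, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return RegistryKey{}, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return RegistryKey{}, nil, err
	}
	key := RegistryKey{KeyID: "SHA256:example-key-id", Key: base64.StdEncoding.EncodeToString(der)}
	sign := func(name, version, integrity string) PackageSignature {
		sig, _ := ecdsa.SignASN1(rand.Reader, priv, payloadDigest(name, version, integrity))
		return PackageSignature{KeyID: key.KeyID, Sig: base64.StdEncoding.EncodeToString(sig)}
	}
	return key, sign, nil
}

func main() {
	key, sign, _ := NewTestRegistry()
	sig := sign("left-pad", "1.3.0", "sha512-Z3rKbn7O1W0=") // constructed metadata, made-up integrity
	fmt.Println("genuine:", VerifyRegistrySignature("left-pad", "1.3.0", "sha512-Z3rKbn7O1W0=", []PackageSignature{sig}, []RegistryKey{key}))
	fmt.Println("tampered:", VerifyRegistrySignature("left-pad", "1.3.0", "sha512-AAAA", []PackageSignature{sig}, []RegistryKey{key}))
}
```

Because the integrity hash is part of the signed string, a signature only binds the exact tarball the registry saw; changing the version, the integrity or the keyid fails verification, and a registry that publishes no keys is reported separately so that the caller, not the verifier, decides whether silence is acceptable.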
||
|
|
c3d9d07702 |
fix: Add missed token scope checking (#37735)
Follow #37698 |
||
|
|
2d1eb28083 |
chore: Use giteabot instead of backporter (#37422)
This PR uses a backporter wrap action https://github.com/go-gitea/giteabot to do backports, add labels, etc. The test repository https://github.com/go-gitea/test-giteabot can confirm that backporting works.

---------

Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.com>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
9648716f63 |
fix: Allow direct commits for unprotected files with push restrictions (#37657)
Fixes an issue where users could not commit changes to a file that is unprotected.

Fixes: #37655

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
|
0dd8429cc6 |
chore: Conventional adjustments (#37677)
Add enhancement to possible tags

---------

Signed-off-by: Nicolas <bircni@icloud.com> |
||
|
|
94e3482d1a |
chore(db): introduce db.Session and db.EngineMigration interfaces (#37746)
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: wxiaoguang <2114189+wxiaoguang@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
d9149d8a0a |
fix(migrations): preserve unique constraints in v334 sync (#37743)
The truncated `ActionRunner` struct in `AddCancellingSupportToActionRunner` declares only the new `HasCancellingSupport` column. When xorm's `SyncWithOptions` compares it against the live `action_runner` table, every index/constraint absent from the local struct is a candidate for removal.

Walking [xorm v1.3.11 sync.go:250-266](https://gitea.com/xorm/xorm/src/tag/v1.3.11/sync.go#L250-L266):

- `IndexType` indices skip the drop when `IgnoreIndices || IgnoreDropIndices` — already covered.
- `UniqueType` indices skip the drop only when `IgnoreConstrains` — **not** set in #37275, so the existing `UNIQUE` on `token_hash` (and any other uniques) would be dropped on upgrade.

Adding `IgnoreConstrains: true` matches v333's pattern and preserves the existing unique constraints.

Spotted by @wxiaoguang in https://github.com/go-gitea/gitea/pull/37275#discussion_r3254168680.

---

This PR was written with the help of Claude Opus 4.7

Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
6c04140137 |
feat(web): also display PR counts in repo list (#37739)
This is a follow-up PR of https://github.com/go-gitea/gitea/pull/37731

This patch adds the PR count to the repo list page; the following screenshots are after the patch:

<img width="760" height="450" alt="image" src="https://github.com/user-attachments/assets/376a06d3-7d1c-43b3-8866-9457d1ab0904" />

<img width="782" height="283" alt="image" src="https://github.com/user-attachments/assets/3e4a7b7e-1f1d-47d2-a89c-bb9b66493559" />

Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
|
e7af84df72 |
feat: execute post run cleanup when workflow is cancelled (#37275)
## Fixes #36983

## Summary

1. Add transitional `Cancelling` status (between `Running` and `Cancelled`); cancel flow marks active tasks `Cancelling`, runner finalizes to `Cancelled` on terminal result.
2. Taskless jobs cancel directly (no runner to finalize).
3. Runner-protocol responses map `Cancelling` → `RESULT_CANCELLED`.
4. Run/job aggregation treats `Cancelling` as active.
5. Status mapping/aggregation tests + en-US locale added.

**Problem**

When a workflow was cancelled from the UI, jobs were marked cancelled immediately, which could skip post-run cleanup behavior.

## Solution

Use a transitional status path: Running → Cancelling → Cancelled

This allows runner finalization and cleanup path execution before final terminal state.

**Testing**

> 1. go test -tags "sqlite sqlite_unlock_notify" ./models/actions -run "TestAggregateJobStatus|TestStatusAsResult|TestStatusFromResult"
> 2. go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 run ./models/actions/... ./routers/api/actions/runner/...

## Related

- act_runner: https://gitea.com/gitea/act_runner/pulls/825 — independent; this PR's capability gate keeps legacy runners on the immediate-cancel path. The new flow activates only for runners that advertise the `cancelling` capability.

Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
|
ae9b34897f |
fix(actions): wrong assumption that run id always >= job id (#37737)
Fix #37734
Follow up #37008

The `jobNum >= runNum` check is useless. Removed it to support `job_id < run_id` |
||
|
|
edf0dfd1df |
fix(icon): use repo-forked icon to display forks count (#37731)
This could avoid confusion about what the icon means. It could be mistaken for the Pull Requests count if we used that icon. |
||
|
|
ae69aec295 |
fix(oauth): strengthen PKCE validation and refresh token replay protection (#37706)
This PR tightens several OAuth validation paths related to PKCE handling, redirect URI normalization, and refresh-token replay safety.

What it changes:

- switch redirect URI comparison to ASCII-only normalization for exact-match checks, avoiding Unicode case-folding surprises
- harden PKCE verification by:
  - allowing PKCE omission only when no challenge data was stored
  - rejecting exchanges with a missing verifier when PKCE was used
  - rejecting malformed challenge state where a challenge exists without a valid method
  - comparing derived challenges with constant-time string matching
- make refresh-token invalidation counter updates conditional on the previously observed counter value, so stale refresh state cannot be accepted after the grant changes

Why:

These checks close gaps where:

- redirect URI comparisons could rely on broader Unicode normalization than intended
- malformed or incomplete PKCE state could be treated too permissively
- concurrent or stale refresh-token use could advance the same grant more than once

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com> |
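The three hardening points in the commit message above, as an added Go example that is not Gitea's code: `StoredGrant`, `RefreshGrant` and the error names are hypothetical. `VerifyPKCE` applies the four PKCE rules in the order listed and compares with `crypto/subtle`; `RedirectURIMatches` folds case only for ASCII letters and only in scheme and host (which parts of the URI Gitea folds is not stated in the message, so treating the path as case-sensitive is an assumption taken from RFC 3986); `RotateRefreshToken` is the compare-and-swap that a counter update "conditional on the previously observed counter value" amounts to, with a mutex standing in for a database's conditional UPDATE.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sync"
)

// StoredGrant is the PKCE state persisted with an authorization code (hypothetical struct);
// both fields are empty when the client did not use PKCE.
type StoredGrant struct {
	CodeChallenge       string
	CodeChallengeMethod string // "S256" or "plain"
}

var (
	ErrVerifierMissing    = errors.New("code_verifier required: the authorization request used PKCE")
	ErrMalformedChallenge = errors.New("stored code_challenge has no valid code_challenge_method")
	ErrVerifierMismatch   = errors.New("code_verifier does not match the stored code_challenge")
	ErrRefreshReplay      = errors.New("stale refresh token: the grant counter already advanced")
)

// VerifyPKCE applies the four PKCE rules from the commit message, in order.
func VerifyPKCE(g StoredGrant, verifier string) error {
	if g.CodeChallenge == "" {
		return nil // nothing stored: omitting PKCE at the token exchange is allowed
	}
	if verifier == "" {
		return ErrVerifierMissing // PKCE was used, so the verifier is mandatory
	}
	derived := verifier // the "plain" method compares the verifier as-is
	switch g.CodeChallengeMethod {
	case "S256":
		sum := sha256.Sum256([]byte(verifier))
		derived = base64.RawURLEncoding.EncodeToString(sum[:])
	case "plain":
	default:
		return ErrMalformedChallenge // a challenge without a valid method is not "no PKCE"
	}
	// Constant-time compare so response timing does not leak how long a matching prefix was.
	if subtle.ConstantTimeCompare([]byte(derived), []byte(g.CodeChallenge)) != 1 {
		return ErrVerifierMismatch
	}
	return nil
}

// asciiLower folds A-Z only. strings.EqualFold also folds non-ASCII letters, so a host
// containing U+212A (KELVIN SIGN) would compare equal to one spelled with "k".
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + 'a' - 'A'
		}
	}
	return string(b)
}

// RedirectURIMatches is an exact match with ASCII-only case folding on scheme and host; path,
// query and fragment must agree byte for byte (RFC 3986 case rules, an assumption made here).
func RedirectURIMatches(registered, presented string) bool {
	r, err1 := url.Parse(registered)
	p, err2 := url.Parse(presented)
	if err1 != nil || err2 != nil {
		return false
	}
	return asciiLower(r.Scheme) == asciiLower(p.Scheme) && asciiLower(r.Host) == asciiLower(p.Host) &&
		r.Path == p.Path && r.RawQuery == p.RawQuery && r.Fragment == p.Fragment
}

// RefreshGrant holds the counter every issued refresh token embeds. Against a database the same
// check is UPDATE ... SET counter = counter + 1 WHERE id = ? AND counter = ?, accepted only if one row changed.
type RefreshGrant struct {
	mu      sync.Mutex
	Counter int64
}

// RotateRefreshToken is a compare-and-swap: the presented counter must equal the current one and the
// advance happens in the same critical section, so a replayed or concurrently reused token is rejected.
func (g *RefreshGrant) RotateRefreshToken(presented int64) (int64, error) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if presented != g.Counter {
		return 0, ErrRefreshReplay
	}
	g.Counter++
	return g.Counter, nil
}

func main() {
	// RFC 7636 Appendix B verifier/challenge pair.
	g := StoredGrant{CodeChallenge: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM", CodeChallengeMethod: "S256"}
	fmt.Println("pkce:", VerifyPKCE(g, "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"))
}
```

The order inside `VerifyPKCE` matters: checking for an empty stored challenge before looking at the method is what lets a grant without PKCE through, while a stored challenge with an empty or unknown method is treated as corrupt state and refused rather than quietly downgraded to "no PKCE".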
||
|
|
33923a4d7c |
fix(web): enforce token scopes on raw, media, and attachment downloads (#37698)
This PR tightens token-scope enforcement for non-API download endpoints in the web layer. What it changes: - require `read:repository` for repository content downloads served from web routes such as: - `/raw/...` - `/media/...` - enforce attachment-specific scopes in `ServeAttachment`: - issue / pull request attachments require `read:issue` - release attachments require `read:repository` - centralize token-scope checks for web handlers with a shared context helper - add matrix-style integration coverage for: - public and private repository content downloads - `blob`, `branch`, `tag`, and `commit` download routes - global and repo-scoped attachment routes - `public-only` token behavior on public vs private resources Why: API tokens and OAuth access tokens can be used on some non-API web endpoints. Before this change, those endpoints relied on repository visibility and unit permissions, but did not consistently enforce the token’s declared scope. That allowed scoped tokens to access resources beyond their intended category through web download routes. --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> |