mirror of
https://github.com/go-gitea/gitea
synced 2026-06-11 05:03:08 +00:00
main
20964
Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
  wxiaoguangandGitHub
|
442f5e7d06 | chore: fine tune pull request merge box and commit status item (#38060) | ||
|
988f0ea54a |
fix: validate gem name in rubygems parseMetadataFile (#38061)
The registry writes the stored gem name straight into its line-based
compact index, both the shared `/versions` listing (one `GEMNAME
versions md5` line per gem) and the per-package `info/{name}` file. The
parser only rejected an empty name or one containing a slash, so a
`.gem` whose gemspec `name` carries a newline was accepted and persisted
as the package name, letting an authenticated uploader forge extra lines
in the shared index and so spoof additional gem names, versions and
checksums to clients. The name is now checked against the upstream
RubyGems name pattern in the parser, which is the layer that already
validates the version.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
|
||
|
fa89785d33 |
feat(api): add Link header in ListForks (#38052)
Fixes #38051. Disclosure: writing of the integration test was AI assisted. --------- Signed-off-by: Eugenio Paolantonio <eugenio.paolantonio@suse.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
   
|
19d1e1d334 |
test: enable WAL for sqlite integration tests (#37861)
Enable `SQLITE_JOURNAL_MODE = WAL` for the sqlite integration test config. With modernc as the default driver, concurrent writers serialize on SQLite's single write lock and the tail of the queue can exceed the 20s busy timeout under CI load. WAL drains the queue fast enough to stay inside the timeout (removes rollback's fsync-per-commit and reader-vs-commit blocking) and covers all sqlite integration tests in one change. --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
 bircniandGitHub
|
920b3f8cb6 | fix(hostmatcher): block reserved IP ranges from external/private filters (#38039) | ||
|
wxiaoguangandGitHub
|
4ba0a545f2 |
chore: js html (#38056)
remove unnecessary "eslint-disable-line" rules |
||
|
wxiaoguangandGitHub
|
a51781527b |
fix: commit display name (#38057)
fix #38054 |
||
|
|
7134c1f845 |
fix: bound debian ParseControlFile to a single control stanza (#38044)
**Packages-index stanza injection via Debian control file** A `.deb` whose `control` file appends extra paragraphs after a blank line was still accepted, and `ParseControlFile` stored the whole multi-stanza blob in `p.Control`. That blob is re-emitted verbatim into the generated `Packages` index, so the embedded blank line splits it into separate stanzas and an uploader can smuggle a package entry with an attacker-chosen `Filename` into the shared index. A binary control file only holds one stanza, so parsing now stops at the blank line that terminates it; well-formed packages are unaffected and the new subtest covers the trailing-stanza case. --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
bircniandGitHub
|
7b4a1a1a11 | fix(lfs): require Code-unit access for cross-repo LFS object reuse (#38006) | ||
|
|
63df886ba8 |
fix(actions): keep distinct commit statuses for workflows sharing a name (#37834)
## Summary Two Gitea Actions workflow files that share the same `name:` and same job name produced identical commit-status `Context` strings. Because `GetLatestCommitStatus` groups by `context_hash` (derived from `Context`), only one row was shown on the PR page — see #35699. GitHub displays both rows even though they look identical. This change does the same: the displayed `Context` is unchanged, but `ContextHash` now mixes in the workflow file path so the two statuses remain distinct in the dedupe query. ## Notes - Workflows that omit `name:` now use the workflow file name in the `Context` (e.g. `ci.yaml / build (push)`) instead of an empty `/ build (push)`. This changes the `Context` string for unnamed workflows, so any required-status-check rule that referenced the old string must be updated after upgrade. - For statuses created before this change (hashed from `Context` alone), `createCommitStatus` reuses that legacy hash when a matching row is still present, so in-flight pending statuses are superseded rather than orphaned on upgrade. Fixes #35699 --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: silverwind <me@silverwind.io> |
||
|
|
5fe77ad309 |
fix(deps): update go dependencies (#37967)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.5` → `v1.0.6` |  |  | | [github.com/aws/aws-sdk-go-v2/credentials](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.19.16` → `v1.19.17` |  |  | | [github.com/getkin/kin-openapi](https://redirect.github.com/getkin/kin-openapi) | `v0.138.0` → `v0.139.0` |  |  | | [github.com/go-chi/chi/v5](https://redirect.github.com/go-chi/chi) | `v5.2.5` → `v5.3.0` |  |  | | [github.com/go-webauthn/webauthn](https://redirect.github.com/go-webauthn/webauthn) | `v0.17.3` → `v0.17.4` |  |  | | [github.com/minio/minio-go/v7](https://redirect.github.com/minio/minio-go) | `v7.1.0` → `v7.2.0` |  |  | | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.30.0` → `v2.34.0` |  |  | --- ### Release Notes <details> <summary>gitea/runner (gitea.com/gitea/runner)</summary> ### [`v1.0.6`](https://gitea.com/gitea/runner/releases/tag/v1.0.6) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.5...v1.0.6) #### Changelog - fix(deps): update module github.com/opencontainers/selinux to v1.15.0 ([#​990](https://redirect.github.com/gitea/runner/issues/990)) - chore: pin Docker base images to explicit versions ([#​992](https://redirect.github.com/gitea/runner/issues/992)) - chore(deps): update actions/setup-node action to v6 ([#​991](https://redirect.github.com/gitea/runner/issues/991)) - test: make TestRunEvent integration suite runnable locally ([#​987](https://redirect.github.com/gitea/runner/issues/987)) - ci: add PR title linting against Conventional Commits ([#​988](https://redirect.github.com/gitea/runner/issues/988)) - fix: clean up job network and container when container start fails ([#​986](https://redirect.github.com/gitea/runner/issues/986)) </details> <details> <summary>getkin/kin-openapi (github.com/getkin/kin-openapi)</summary> ### [`v0.139.0`](https://redirect.github.com/getkin/kin-openapi/releases/tag/v0.139.0) [Compare Source](https://redirect.github.com/getkin/kin-openapi/compare/v0.138.0...v0.139.0) #### What's Changed - feat(openapi3): batch-convert long-tail RequiredFieldError sites by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1170](https://redirect.github.com/getkin/kin-openapi/pull/1170) - feat(openapi3): typed validation error clusters (combined: [#​1171](https://redirect.github.com/getkin/kin-openapi/issues/1171)-[#​1179](https://redirect.github.com/getkin/kin-openapi/issues/1179)) by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1180](https://redirect.github.com/getkin/kin-openapi/pull/1180) - openapi3gen: skip component export for anonymous types by [@​0-don](https://redirect.github.com/0-don) in [#​1163](https://redirect.github.com/getkin/kin-openapi/pull/1163) - feat: migrate to oasdiff/yaml v0.1.0 single Unmarshal API + enable DisableTimestamps by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1181](https://redirect.github.com/getkin/kin-openapi/pull/1181) - openapi3: typed context errors for Validate() wrapper chain by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1183](https://redirect.github.com/getkin/kin-openapi/pull/1183) - openapi3: track Origin on the document root (T) by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1184](https://redirect.github.com/getkin/kin-openapi/pull/1184) - openapi3: tests flakiness corrected by [@​fenollp](https://redirect.github.com/fenollp) in [#​1159](https://redirect.github.com/getkin/kin-openapi/pull/1159) - openapi3: aggregate independent validation errors via EnableMultiError by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1185](https://redirect.github.com/getkin/kin-openapi/pull/1185) - openapi3: fix validation of duplicated path templates by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1189](https://redirect.github.com/getkin/kin-openapi/pull/1189) - openapi3: type the remaining bare-error validation sites by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1187](https://redirect.github.com/getkin/kin-openapi/pull/1187) **Full Changelog**: <https://github.com/getkin/kin-openapi/compare/v0.138.0...v0.139.0> </details> <details> <summary>go-chi/chi (github.com/go-chi/chi/v5)</summary> ### [`v5.3.0`](https://redirect.github.com/go-chi/chi/releases/tag/v5.3.0) [Compare Source](https://redirect.github.com/go-chi/chi/compare/v5.2.5...v5.3.0) #### What's Changed - Use strings.ReplaceAll where applicable by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1046](https://redirect.github.com/go-chi/chi/pull/1046) - Propagate inline middlewares across mounted subrouters by [@​LukasJenicek](https://redirect.github.com/LukasJenicek) in [#​1049](https://redirect.github.com/go-chi/chi/pull/1049) - add go 1.26 to ci by [@​pkieltyka](https://redirect.github.com/pkieltyka) in [#​1052](https://redirect.github.com/go-chi/chi/pull/1052) - Remove last uses of io/ioutil by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1054](https://redirect.github.com/go-chi/chi/pull/1054) - Simplify chi.walk with slices.Concat by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1053](https://redirect.github.com/go-chi/chi/pull/1053) - Apply the stringscutprefix modernizer by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1051](https://redirect.github.com/go-chi/chi/pull/1051) - Bump minimum Go to 1.23, always use request.Pattern by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1048](https://redirect.github.com/go-chi/chi/pull/1048) - middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by [@​alliasgher](https://redirect.github.com/alliasgher) in [#​1085](https://redirect.github.com/go-chi/chi/pull/1085) - Fix typo in Route doc comment by [@​gouwazi](https://redirect.github.com/gouwazi) in [#​1073](https://redirect.github.com/go-chi/chi/pull/1073) - fix: set Request.Pattern from RoutePattern() by [@​leno23](https://redirect.github.com/leno23) in [#​1097](https://redirect.github.com/go-chi/chi/pull/1097) - feat: middleware.ClientIP, a replacement for middleware.RealIP by [@​VojtechVitek](https://redirect.github.com/VojtechVitek) in [#​967](https://redirect.github.com/go-chi/chi/pull/967) #### New Contributors - [@​LukasJenicek](https://redirect.github.com/LukasJenicek) made their first contribution in [#​1049](https://redirect.github.com/go-chi/chi/pull/1049) - [@​alliasgher](https://redirect.github.com/alliasgher) made their first contribution in [#​1085](https://redirect.github.com/go-chi/chi/pull/1085) - [@​gouwazi](https://redirect.github.com/gouwazi) made their first contribution in [#​1073](https://redirect.github.com/go-chi/chi/pull/1073) - [@​leno23](https://redirect.github.com/leno23) made their first contribution in [#​1097](https://redirect.github.com/go-chi/chi/pull/1097) #### SECURITY: middleware.ClientIP, a replacement for middleware.RealIP [@​VojtechVitek](https://redirect.github.com/VojtechVitek) submitted PR [#​967](https://redirect.github.com/go-chi/chi/issues/967), which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories: - [GHSA-9g5q-2w5x-hmxf](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-9g5q-2w5x-hmxf) — IP spoofing via XFF in `RemoteAddr` resolution (convto) - [GHSA-rjr7-jggh-pgcp](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-rjr7-jggh-pgcp) — RealIP allows IP spoofing via unvalidated XFF (rezmoss) - [GHSA-3fxj-6jh8-hvhx](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-3fxj-6jh8-hvhx) — IP spoofing in `middleware.RealIP` (Saku0512, Critical / 9.3) It also addresses issues outlined at: - [#​708](https://redirect.github.com/go-chi/chi/issues/708) - <https://adam-p.ca/blog/2022/03/x-forwarded-for/> - [#​711](https://redirect.github.com/go-chi/chi/issues/711) - [#​453](https://redirect.github.com/go-chi/chi/issues/453) - [#​908](https://redirect.github.com/go-chi/chi/pull/908) `middleware.RealIP` is deprecated in this PR with pointers to the new API. The deprecation only adds a `// Deprecated:` doc comment; the function keeps working for backward compatibility. ##### Why a new middleware (not "fix RealIP in place") `RealIP` has two unfixable design choices: it mutates `r.RemoteAddr`, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per [adam-p's "The perils of the 'real' client IP"](https://adam-p.ca/blog/2022/03/x-forwarded-for/) (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly. ##### The new API Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors: ```go // One of the four. There is no safe default — pick exactly one. func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler func ClientIPFromRemoteAddr(h http.Handler) http.Handler // Read the result. func GetClientIP(ctx context.Context) string // for logs, rate-limit keys func GetClientIPAddr(ctx context.Context) netip.Addr // for typed work ``` #### Example usage: ```go // Pick a single ClientIP middleware based on your deployment // Cloudflare. r.Use(middleware.ClientIPFromHeader("CF-Connecting-IP")) // Nginx with ngx_http_realip_module. r.Use(middleware.ClientIPFromHeader("X-Real-IP")) // Apache with mod_remoteip. r.Use(middleware.ClientIPFromHeader("X-Client-IP")) // AWS CloudFront, or any proxy fleet with known CIDRs. r.Use(middleware.ClientIPFromXFF( "13.32.0.0/15", // CloudFront IPv4 "52.46.0.0/18", // CloudFront IPv4 "2600:9000::/28", // CloudFront IPv6 )) // Behind exactly 2 trusted proxies with dynamic IPs (autoscaling pools, // ephemeral containers, dynamic CDN edges). r.Use(middleware.ClientIPFromXFFTrustedProxies(2)) // Server directly on the public internet, no proxy in front. r.Use(middleware.ClientIPFromRemoteAddr) ``` And in your handler or downstream middleware: ```go clientIP := middleware.GetClientIP(r.Context()) // log it, use it as a rate-limit key, etc. ``` *** Thanks to [@​adam-p](https://redirect.github.com/adam-p), [@​c2h5oh](https://redirect.github.com/c2h5oh), [@​rezmoss](https://redirect.github.com/rezmoss), [@​Saku0512](https://redirect.github.com/Saku0512), [@​convto](https://redirect.github.com/convto), [@​Dirbaio](https://redirect.github.com/Dirbaio), [@​jawnsy](https://redirect.github.com/jawnsy), [@​lrstanley](https://redirect.github.com/lrstanley), [@​mfridman](https://redirect.github.com/mfridman), [@​n33pm](https://redirect.github.com/n33pm), [@​pkieltyka](https://redirect.github.com/pkieltyka) for the prior discussions, detailed reviews, advisory reports, and test contributions that shaped this PR. **Full Changelog**: <https://github.com/go-chi/chi/compare/v5.2.5...v5.3.0> </details> <details> <summary>go-webauthn/webauthn (github.com/go-webauthn/webauthn)</summary> ### [`v0.17.4`](https://redirect.github.com/go-webauthn/webauthn/blob/HEAD/CHANGELOG.md#v0174-2026-05-22) [Compare Source](https://redirect.github.com/go-webauthn/webauthn/compare/v0.17.3...v0.17.4) ##### Dependency Updates This release just contains updates to dependencies. </details> <details> <summary>minio/minio-go (github.com/minio/minio-go/v7)</summary> ### [`v7.2.0`](https://redirect.github.com/minio/minio-go/releases/tag/v7.2.0) [Compare Source](https://redirect.github.com/minio/minio-go/compare/v7.1.0...v7.2.0) #### What's Changed - Use go tool for ci-lint check by [@​klauspost](https://redirect.github.com/klauspost) in [#​2229](https://redirect.github.com/minio/minio-go/pull/2229) - Rename github.com/go-ini/ini to gopkg.in/ini.v1 by [@​ramondeklein](https://redirect.github.com/ramondeklein) in [#​2232](https://redirect.github.com/minio/minio-go/pull/2232) - Add RDMA / NVIDIA GPU Direct Storage support by [@​harshavardhana](https://redirect.github.com/harshavardhana) in [#​2233](https://redirect.github.com/minio/minio-go/pull/2233) **Full Changelog**: <https://github.com/minio/minio-go/compare/v7.1.0...v7.2.0> </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary> ### [`v2.34.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.34.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.33.0...v2.34.0) #### 2.34.0 ##### 🚀 Features - Extend DeploymentDeployablePipeline with web_url ([!2902](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2902)) by [Jan Berge Sommerdahl](https://gitlab.com/sommerdahl) ##### 🔄 Other Changes - chore(deps): update docker docker tag to v29.5.1 ([!2903](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2903)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.34.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.33.0...v2.34.0) (2026-05-27) ### [`v2.33.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.33.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.32.0...v2.33.0) #### 2.33.0 ##### 🚀 Features - feat(work-items): add ListWorkItemTypes to WorkItemsService ([!2864](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2864)) by [Emmanuel 326](https://gitlab.com/Emmanuel326) ##### 🔄 Other Changes - chore(deps): update module cel.dev/expr to v0.25.2 ([!2881](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2881)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.33.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.32.0...v2.33.0) (2026-05-27) ##### Features * **work-items:** add ListWorkItemTypes to WorkItemsService ([e71cb99](https://gitlab.com/gitlab-org/api/client-go/commit/e71cb994482aa882eb8eb9fc4140ca1e4aac25ab)) ### [`v2.32.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.32.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.31.0...v2.32.0) #### 2.32.0 ##### 🚀 Features - feat(ci-job-cancel): force cancel ([!2872](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2872)) by [Filip Aleksic](https://gitlab.com/faleksic) ### [2.32.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.31.0...v2.32.0) (2026-05-23) ##### Features * **ci-job-cancel:** force cancel ([aa46bd1](https://gitlab.com/gitlab-org/api/client-go/commit/aa46bd18428834eebdb42622f2523c64686021e8)) ### [`v2.31.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.31.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.30.0...v2.31.0) #### 2.31.0 ##### 🚀 Features - Adds project service accounts API ([!2899](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2899)) by [Jimmy Spagnola](https://gitlab.com/jspagnola) - feat(gitlaboauth2): support ephemeral ports in CallbackServer ([!2877](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2877)) by [Raphael Rösch](https://gitlab.com/raphael.roesch) ### [2.31.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.30.0...v2.31.0) (2026-05-22) ##### Features * **gitlaboauth2:** support ephemeral ports in CallbackServer ([c8c388d](https://gitlab.com/gitlab-org/api/client-go/commit/c8c388d56663a8f2e27b4c74f1323d3671a6bbaf)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: silverwind <me@silverwind.io> |
||
|
GiteabotandGitHub
|
a91c88428b |
chore(deps): update dependency happy-dom to v20.10.1 (#38043)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.9.0` → `20.10.1`](https://renovatebot.com/diffs/npm/happy-dom/20.9.0/20.10.1) |  |  | --- ### Release Notes <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.10.1`](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.0...v20.10.1) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.0...v20.10.1) ### [`v20.10.0`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.0) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.9.0...v20.10.0) ##### 🎨 Features - Adds support for setting a canvas adapter for handling the canvas rendering using the browser setting [canvasAdapter](https://redirect.github.com/capricorn86/happy-dom/wiki/IOptionalBrowserSettings) - By **[@​RAprogramm](https://redirect.github.com/RAprogramm)** and **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds new package [@​happy-dom/node-canvas-adapter](https://redirect.github.com/capricorn86/happy-dom/tree/master/packages/%40happy-dom/node-canvas-adapter) - By **[@​RAprogramm](https://redirect.github.com/RAprogramm)** and **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - [@​happy-dom/node-canvas-adapter](https://redirect.github.com/capricorn86/happy-dom/tree/master/packages/%40happy-dom/node-canvas-adapter) is a pluggable canvas adapter for Happy DOM using [node-canvas](https://redirect.github.com/Automattic/node-canvas). - Adds support for loading image files when enabling the browser setting [enableImageFileLoading](https://redirect.github.com/capricorn86/happy-dom/wiki/IOptionalBrowserSettings) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for loading image data URLs - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [ImageData](https://developer.mozilla.org/en-US/docs/Web/API/ImageData) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [ImageBitmap](https://developer.mozilla.org/en-US/docs/Web/API/ImageBitmap) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [Window.createImageBitmap()](https://developer.mozilla.org/en-US/docs/Web/API/Window/createImageBitmap) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
 
|
49a0d19fa3 |
feat(api): Add assignees APIs (#37330)
Follow https://docs.github.com/en/enterprise-server@3.20/rest/issues/assignees?apiVersion=2022-11-28 Fix #33576 And it also fixed some possible dead-lock problem. --------- Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Zettat123 <zettat123@gmail.com> |
||
|
Lunny XiaoandGitHub
|
611dfc9496 | fix: Fix some wrong code and follow 37347 (#37987) | ||
|
bircniandGitHub
|
72c1e4c621 | docs: update community governance document (#38038) | ||
|
|
60abea17a2 |
chore(deps): update module github.com/go-swagger/go-swagger to v0.34.0 (#38028)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-swagger/go-swagger](https://redirect.github.com/go-swagger/go-swagger) | `v0.33.2` → `v0.34.0` |  |  | --- ### Release Notes <details> <summary>go-swagger/go-swagger (github.com/go-swagger/go-swagger)</summary> ### [`v0.34.0`](https://redirect.github.com/go-swagger/go-swagger/releases/tag/v0.34.0) [Compare Source](https://redirect.github.com/go-swagger/go-swagger/compare/v0.33.2...v0.34.0) go-swagger release 0.34.0 *** Released on 2026 May 29 ##### [0.34.0](https://redirect.github.com/go-swagger/go-swagger/tree/v0.34.0) - 2026-05-28 Major refactoring. Focus on improving runtime (e.g.generated client) and codescan (e.g. generated spec). **Full Changelog**: <https://github.com/go-swagger/go-swagger/compare/v0.33.2...v0.34.0> 42 commits in this release. *** ##### <!-- 00 -->Implemented enhancements - feat(client): added method to configure client-side custom producers/consumers by [@​fredbi](https://redirect.github.com/fredbi) in [#​3351](https://redirect.github.com/go-swagger/go-swagger/pull/3351) [...](https://redirect.github.com/go-swagger/go-swagger/commit/4068f65b0403f90092e78269f89ef7cb26d6eb2f) ##### <!-- 01 -->Fixed bugs - fix(client): moved internal fields in generated Params (timeout, Context) to their own struct. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3349](https://redirect.github.com/go-swagger/go-swagger/pull/3349) [...](https://redirect.github.com/go-swagger/go-swagger/commit/a81068f5d52d4b560654f8e17748b6a79ec1425e) - fix(client): added operation with context to client interface. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3348](https://redirect.github.com/go-swagger/go-swagger/pull/3348) [...](https://redirect.github.com/go-swagger/go-swagger/commit/d5e5d3020b83f4a9b895ae31a93cb121f989e4a6) - fix(codescan): upgraded codescan for swagger generate spec. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3347](https://redirect.github.com/go-swagger/go-swagger/pull/3347) [...](https://redirect.github.com/go-swagger/go-swagger/commit/971f2aa56ad48d927ab9d21de794edf1c43d22b7) - fix(client): generated client uses more idiomatic SubmitContext by [@​fredbi](https://redirect.github.com/fredbi) in [#​3342](https://redirect.github.com/go-swagger/go-swagger/pull/3342) [...](https://redirect.github.com/go-swagger/go-swagger/commit/01d8f1358f8ab94c4b7c3a1caf50e1d0b11b26c6) - fix: adapted to runtime v0.32.x by [@​fredbi](https://redirect.github.com/fredbi) in [#​3341](https://redirect.github.com/go-swagger/go-swagger/pull/3341) [...](https://redirect.github.com/go-swagger/go-swagger/commit/ba25bfa2cc0822973d9f48f5976721ffc8c499fc) - fix: handle operator characters in enum constants (fixes [#​1047](https://redirect.github.com/go-swagger/go-swagger/issues/1047)) by [@​Abzaek](https://redirect.github.com/Abzaek) in [#​3330](https://redirect.github.com/go-swagger/go-swagger/pull/3330) [...](https://redirect.github.com/go-swagger/go-swagger/commit/4856feb230eba01352d2bb310f03b26827d34a5e) ##### <!-- 02 -->Refactor - refact(codegen): more concise server binding of form parameters. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3339](https://redirect.github.com/go-swagger/go-swagger/pull/3339) [...](https://redirect.github.com/go-swagger/go-swagger/commit/036e31515a687b8a237bcf2d938a7ae36dc55fd1) - refact(generator): split template repository, funcmaps and langage by [@​fredbi](https://redirect.github.com/fredbi) in [#​3316](https://redirect.github.com/go-swagger/go-swagger/pull/3316) [...](https://redirect.github.com/go-swagger/go-swagger/commit/4d659c0b5e0724cb78b413a564619792fe4dd23e) ##### <!-- 03 -->Documentation - doc: announcements before cutting v0.34.0 by [@​fredbi](https://redirect.github.com/fredbi) in [#​3352](https://redirect.github.com/go-swagger/go-swagger/pull/3352) [...](https://redirect.github.com/go-swagger/go-swagger/commit/9b15dfe858b6b20747fb24b672707ee817481f11) - doc(faq): added explanations about why mixin can't support yaml anchors by [@​fredbi](https://redirect.github.com/fredbi) in [#​3340](https://redirect.github.com/go-swagger/go-swagger/pull/3340) [...](https://redirect.github.com/go-swagger/go-swagger/commit/0dd20f7852a35f3ebf4ea552cef66ae7296801a2) - codegen(cli): fixed missing dependencies in CLI doc template by [@​fredbi](https://redirect.github.com/fredbi) in [#​3309](https://redirect.github.com/go-swagger/go-swagger/pull/3309) [...](https://redirect.github.com/go-swagger/go-swagger/commit/b1cc87b266a8351b4fc4534d5116c11a1daadbc1) ##### <!-- 05 -->Code quality - chore: move generated code to use the new swag api. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3336](https://redirect.github.com/go-swagger/go-swagger/pull/3336) [...](https://redirect.github.com/go-swagger/go-swagger/commit/ba47cff06d55b38579a1f2e34a2e4e8691dd90b0) - chore(generator): migrated to the new go-openapi/swag api. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3335](https://redirect.github.com/go-swagger/go-swagger/pull/3335) [...](https://redirect.github.com/go-swagger/go-swagger/commit/83bced44f9c028141dd698838da0e5409d0ed49b) - chore(lint): relint code base (pass 1) by [@​fredbi](https://redirect.github.com/fredbi) in [#​3331](https://redirect.github.com/go-swagger/go-swagger/pull/3331) [...](https://redirect.github.com/go-swagger/go-swagger/commit/8a020f05985758bcb2535e36984ab03c62109fed) - ci: reenact linting (was temporarily disabled to swallow large diffs) by [@​fredbi](https://redirect.github.com/fredbi) in [#​3304](https://redirect.github.com/go-swagger/go-swagger/pull/3304) [...](https://redirect.github.com/go-swagger/go-swagger/commit/8cd187ba00b80a021c0493e55906b6835a985458) - doc: post-release by [@​fredbi](https://redirect.github.com/fredbi) in [#​3302](https://redirect.github.com/go-swagger/go-swagger/pull/3302) [...](https://redirect.github.com/go-swagger/go-swagger/commit/746308f71fe2d5e722b151a0ede49f84ecfaa3ea) ##### <!-- 07 -->Miscellaneous tasks - test: fix fake flaky test reporting by [@​fredbi](https://redirect.github.com/fredbi) in [#​3350](https://redirect.github.com/go-swagger/go-swagger/pull/3350) [...](https://redirect.github.com/go-swagger/go-swagger/commit/747db03403e881e53baecd5c2f40a074e15697bf) - ci: drop peter-evans sign-commits to avoid per-file API uploads by [@​fredbi](https://redirect.github.com/fredbi) in [#​3346](https://redirect.github.com/go-swagger/go-swagger/pull/3346) [...](https://redirect.github.com/go-swagger/go-swagger/commit/480a0bdbf54484562cef642132b929a9e5c03d4a) - ci: checkout examples before configuring bot credentials by [@​fredbi](https://redirect.github.com/fredbi) in [#​3345](https://redirect.github.com/go-swagger/go-swagger/pull/3345) [...](https://redirect.github.com/go-swagger/go-swagger/commit/6dda1280feee830fadbed93e6c896000fe92acdf) - ci: fix cross-workflow artifact download permission by [@​fredbi](https://redirect.github.com/fredbi) in [#​3344](https://redirect.github.com/go-swagger/go-swagger/pull/3344) [...](https://redirect.github.com/go-swagger/go-swagger/commit/5981d75858c489b8f82974c47f7fa7089deb66d2) - ci: fix examples regeneration auto-PR by [@​fredbi](https://redirect.github.com/fredbi) in [#​3343](https://redirect.github.com/go-swagger/go-swagger/pull/3343) [...](https://redirect.github.com/go-swagger/go-swagger/commit/f50d895b3a304b8a0657a4e8612fc53e6ff370dc) - chore(diff): moved cmd/swagger/commands/diff to its own package by [@​fredbi](https://redirect.github.com/fredbi) in [#​3308](https://redirect.github.com/go-swagger/go-swagger/pull/3308) [...](https://redirect.github.com/go-swagger/go-swagger/commit/6e059188a45c84e64591b7cb915f4205d6f7a8a1) - chore(codescan): moved the codescan package in a separate repo by [@​fredbi](https://redirect.github.com/fredbi) in [#​3307](https://redirect.github.com/go-swagger/go-swagger/pull/3307) [...](https://redirect.github.com/go-swagger/go-swagger/commit/eeca5fc9ff118d7be5d76d52855a082b04f13d91) - ci: added workflow to regen examples and push the changes to the exam… by [@​fredbi](https://redirect.github.com/fredbi) in [#​3305](https://redirect.github.com/go-swagger/go-swagger/pull/3305) [...](https://redirect.github.com/go-swagger/go-swagger/commit/9203e37e731b131c5d89a78209d549960b7c0a1c) ##### <!-- 08 -->Security - docs: add comprehensive documentation for API Browser (issue [#​2401](https://redirect.github.com/go-swagger/go-swagger/issues/2401)) by [@​dashitongzhi](https://redirect.github.com/dashitongzhi) in [#​3338](https://redirect.github.com/go-swagger/go-swagger/pull/3338) [...](https://redirect.github.com/go-swagger/go-swagger/commit/b594d144ef999cb830cc9cb32d1c3617d5d93a36) - ci: enhanced regen examples workflow by [@​fredbi](https://redirect.github.com/fredbi) in [#​3306](https://redirect.github.com/go-swagger/go-swagger/pull/3306) [...](https://redirect.github.com/go-swagger/go-swagger/commit/e1c611ed9e0739d0395b8e08922ddfb48a6e257d) - doc: move examples by [@​fredbi](https://redirect.github.com/fredbi) in [#​3303](https://redirect.github.com/go-swagger/go-swagger/pull/3303) [...](https://redirect.github.com/go-swagger/go-swagger/commit/c32e2d574a1272c97c18aaddbeed294f62fdca31) ##### <!-- 0A -->Updates - chore(deps): bump the development-dependencies group with 10 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3337](https://redirect.github.com/go-swagger/go-swagger/pull/3337) [...](https://redirect.github.com/go-swagger/go-swagger/commit/9f68bcccf8a6ab943fa954764e749bd8e3b67684) - chore(deps): bump the development-dependencies group with 2 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3329](https://redirect.github.com/go-swagger/go-swagger/pull/3329) [...](https://redirect.github.com/go-swagger/go-swagger/commit/9286ac262e487f54fbeea64798790b463f27a7cc) - chore(deps): bump golang from `f853308` to `91eda97` in the development-dependencies group across 1 directory by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3328](https://redirect.github.com/go-swagger/go-swagger/pull/3328) [...](https://redirect.github.com/go-swagger/go-swagger/commit/a4f355cfded251a4d9fc4a3f06b0aed72314c2a4) - chore(deps): bump the development-dependencies group with 4 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3327](https://redirect.github.com/go-swagger/go-swagger/pull/3327) [...](https://redirect.github.com/go-swagger/go-swagger/commit/1078819e42db2fdf56b7fd724f911b5b32f0ed42) - chore(deps): bump the development-dependencies group with 3 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3326](https://redirect.github.com/go-swagger/go-swagger/pull/3326) [...](https://redirect.github.com/go-swagger/go-swagger/commit/e4b5c8fe1fe5869e2da495e9e363032cfee9b85f) - chore(deps): bump the development-dependencies group with 5 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3325](https://redirect.github.com/go-swagger/go-swagger/pull/3325) [...](https://redirect.github.com/go-swagger/go-swagger/commit/30da59f48a8baf6a04a667191355c5aacbb1f6f1) - chore(deps): bump golang from `27f8293` to `f853308` in the development-dependencies group across 1 directory by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3324](https://redirect.github.com/go-swagger/go-swagger/pull/3324) [...](https://redirect.github.com/go-swagger/go-swagger/commit/faffaccee8fc0843fa35ce757b19643b15b20551) - chore(deps): bump the development-dependencies group with 6 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3323](https://redirect.github.com/go-swagger/go-swagger/pull/3323) [...](https://redirect.github.com/go-swagger/go-swagger/commit/5bbf90b257203d40a28d40d68f38411b0b0ab06e) - chore(deps): bump golang from `c2a1f7b` to `27f8293` in the development-dependencies group across 1 directory by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3322](https://redirect.github.com/go-swagger/go-swagger/pull/3322) [...](https://redirect.github.com/go-swagger/go-swagger/commit/d25d6f2da06f02c38565d2bed1a4c45c41b4b539) - chore(deps): bump the development-dependencies group with 2 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3321](https://redirect.github.com/go-swagger/go-swagger/pull/3321) [...](https://redirect.github.com/go-swagger/go-swagger/commit/cedb38213dc4bfeb6c6f2fccb0211e596c777faf) - chore(deps): bump golang from `2389ebf` to `c2a1f7b` in the development-dependencies group across 1 directory by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3320](https://redirect.github.com/go-swagger/go-swagger/pull/3320) [...](https://redirect.github.com/go-swagger/go-swagger/commit/3815953bf63523fd72c9f9dad337f3d7990fd7bd) - chore(deps): bump the development-dependencies group with 4 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3318](https://redirect.github.com/go-swagger/go-swagger/pull/3318) [...](https://redirect.github.com/go-swagger/go-swagger/commit/126ceeb6180966caba0429435d94b0fb1a1e8c14) - chore(deps): bump the development-dependencies group with 6 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3317](https://redirect.github.com/go-swagger/go-swagger/pull/3317) [...](https://redirect.github.com/go-swagger/go-swagger/commit/af43211eec84e29e817f3e990cf8084fb45ebec0) - chore(deps): bump the development-dependencies group with 4 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3315](https://redirect.github.com/go-swagger/go-swagger/pull/3315) [...](https://redirect.github.com/go-swagger/go-swagger/commit/0f32c03e4982ed564cfd9d9593a4cfa1c1304d40) *** ##### People who contributed to this release - [@​Abzaek](https://redirect.github.com/Abzaek) - [@​dashitongzhi](https://redirect.github.com/dashitongzhi) - [@​fredbi](https://redirect.github.com/fredbi) *** ##### New Contributors - [@​dashitongzhi](https://redirect.github.com/dashitongzhi) made their first contribution in [#​3338](https://redirect.github.com/go-swagger/go-swagger/pull/3338) - [@​Abzaek](https://redirect.github.com/Abzaek) made their first contribution in [#​3330](https://redirect.github.com/go-swagger/go-swagger/pull/3330) *** **[go-swagger](https://redirect.github.com/go-swagger/go-swagger) license terms** [![License][license-badge]][license-url] [license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg [license-url]: https://redirect.github.com/go-swagger/go-swagger/?tab=Apache-2.0-1-ov-file#readme *** Released by [GoReleaser](https://redirect.github.com/goreleaser/goreleaser). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
bircniandGitHub
|
699fe2ef43 |
fix(actions)!: require merged PR to bypass fork PR approval gate (#38010)
`ifNeedApproval` in `services/actions/notifier_helper.go` decided whether a fork PR's workflow run had to wait for maintainer approval. The bypass clause counted any prior `approved_by > 0` run for `(repo_id, trigger_user_id)`, so the very first Approve-and-run click on a contributor's fork PR permanently trusted that user for every future fork PR in the same repository — including PRs whose only change is the workflow YAML itself. Approving a workflow *run* is not the same as merging *code*. This change aligns the gate with GitHub Actions' first-time-contributor model: trust is granted only after the user has had a pull request merged in the repo. ## Behavior change - **Before**: one approval = permanent trust for that user in that repo. - **After**: every fork PR is gated until the contributor has at least one merged PR in the repo. Existing already-approved runs and merged PRs continue to work; only the trust criterion for *future* fork PRs changes. Maintainers who rely on the implicit "approve once" trust will see the approval banner reappear until they merge a PR from that contributor. |
||
|
GiteabotandGitHub
|
ee9f31e9c9 |
chore(deps): update dependency @eslint/json to v2 (#38030)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@eslint/json](https://redirect.github.com/eslint/json) | [`1.2.0` →
`2.0.0`](https://renovatebot.com/diffs/npm/@eslint%2fjson/1.2.0/2.0.0) |
|
|
---
### Release Notes
<details>
<summary>eslint/json (@​eslint/json)</summary>
###
[`v2.0.0`](https://redirect.github.com/eslint/json/blob/HEAD/CHANGELOG.md#200-2026-05-28)
[Compare
Source](https://redirect.github.com/eslint/json/compare/72eb947ec708d1326047977c165670582ce58a26...804ffc4911bf489cea025a829f65ee98c975b7ee)
##### ⚠ BREAKING CHANGES
- add `meta.languages` to JSON rules
([#​238](https://redirect.github.com/eslint/json/issues/238))
##### Features
- add `meta.languages` to JSON rules
([#​238](https://redirect.github.com/eslint/json/issues/238))
([
|
||
|
|
3b1e75764e |
feat(actions): add job summaries (GITHUB_STEP_SUMMARY) (#37500)
- Add GitHub-style Actions **job summaries** support
(`GITHUB_STEP_SUMMARY` / `workflow/SUMMARY.md`) and render them on the
run Summary view.
- Store uploaded summaries internally in the DB (not as downloadable
artifacts).
- Add runtime-token endpoint for runners to upload summaries:
- `PUT
/api/actions_pipeline/_apis/pipelines/workflows/{run_id}/jobs/{job_id}/summary`
- Advertise support to runners via `RunnerService.Declare` response
header:
- `X-Gitea-Actions-Capabilities: job-summary`
- Devtest: extend `/devtest/repo-action-view/...` to include mock
`jobSummaries` for previewing UI rendering.
## Compatibility
- New Gitea + old runner: no summary upload → UI shows nothing (no
behavior change)
- New runner + old Gitea: capability not advertised → runner skips
upload (no behavior change)
## Screenshot:
<img width="2017" height="729"
src="https://github.com/user-attachments/assets/31f8b945-50c4-40e1-9f40-382901a53013"
/>
Fixes #23721
PR on gitea-runner https://gitea.com/gitea/runner/pulls/917
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
|
||
|
|
b1c088e9cf |
enhance(actions): Make Summary UI more beautiful with more infos (#37824)
## Summary - Redesign the Actions run summary header to follow GitHub Actions layout: trigger info on the left, Status / Total duration / Artifacts columns inline on the right - Expose trigger user avatar, pull request link, and PR head branch info from the run view API - Update the workflow graph header to show the workflow filename (linked to the run workflow file) and `on: <event>`, while keeping the jobs/dependencies/success stats line - Remove the redundant commit/workflow metadata row below the run title; that information now lives in the summary bar New: <img width="1564" height="639" src="https://github.com/user-attachments/assets/e6bc1623-c5fc-4e97-abc9-fde7f3c6aef9" /> Old: <img width="2038" height="1038" src="https://github.com/user-attachments/assets/0857f19a-8d3a-4da2-82fd-e9ebeb200062" /> Replaces https://github.com/go-gitea/gitea/pull/36721 --------- Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
GiteabotandGitHub
|
e01af366e2 |
fix(deps): update npm dependencies (#38035)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/autocomplete | [`6.20.2` → `6.20.3`](https://renovatebot.com/diffs/npm/@codemirror%2fautocomplete/6.20.2/6.20.3) |  |  | | [eslint-plugin-vue](https://eslint.vuejs.org) ([source](https://redirect.github.com/vuejs/eslint-plugin-vue)) | [`10.9.1` → `10.9.2`](https://renovatebot.com/diffs/npm/eslint-plugin-vue/10.9.1/10.9.2) |  |  | --- ### Release Notes <details> <summary>vuejs/eslint-plugin-vue (eslint-plugin-vue)</summary> ### [`v10.9.2`](https://redirect.github.com/vuejs/eslint-plugin-vue/blob/HEAD/CHANGELOG.md#1092) [Compare Source](https://redirect.github.com/vuejs/eslint-plugin-vue/compare/v10.9.1...v10.9.2) ##### Patch Changes - Fixed [`vue/custom-event-name-casing`](https://eslint.vuejs.org/rules/custom-event-name-casing.html) to check segments of colon-separated event names like `update:foo-bar` ([#​3079](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3079)) - Fixed [`vue/one-component-per-file`](https://eslint.vuejs.org/rules/one-component-per-file.html) to not report functions not imported from Vue ([#​3063](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3063)) - Fixed [`vue/prefer-import-from-vue`](https://eslint.vuejs.org/rules/prefer-import-from-vue.html) to not report imports/exports of names that are not re-exported by `vue` ([#​3081](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3081)) - Fixed [`vue/return-in-computed-property`](https://eslint.vuejs.org/rules/return-in-computed-property.html) and [`vue/require-render-return`](https://eslint.vuejs.org/rules/require-render-return.html) to not report exhaustive switch statements when TypeScript type information is available ([#​3067](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3067)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
d76a974b24 |
feat(ssh): auto generate additional ssh keys (#33974)
adds capabilities for gitea to generate ecdsa and ed25519 keys by default adds cli for built-in ssh key generation helpers closes: https://github.com/go-gitea/gitea/issues/33783 --------- Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
ade76fe838 |
enhance: allow MathML core elements (#38034)
Fixes #36352. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
54916f708e |
feat: Add avatar stacks (#37594)
Parse `Co-authored-by:` trailers from commit messages and surface contributors as an avatar stack across the commit page, commits list, PR commits tab, latest-commit row, blame, graph, and dashboard feed. - Up to 10 visible 20px avatars, GitHub-style overlap (6px first stride, 4px between subsequent), `+N` chip for the rest. - Label: 1 → name; 2 → `<a> and <b>`; 3+ → `<N> people` opens a Tippy popup with all participants. - Names and avatars link to the repo's commits-by-author search; fall back to profile or `mailto:`. - Trailer parsing uses `net/mail.ParseAddress`, scans only the trailing paragraph, filters out the commit's own author/committer. - Drops the non-standard `Co-committed-by:` emission on squash merge and web edits. Devtest: `/devtest/coauthor-avatars`. Fixes #25521 ---- <img width="353" height="277" alt="image" src="https://github.com/user-attachments/assets/72092ceb-97ca-4b09-9557-0b72d3c5458e" /> <img width="533" height="328" src="https://github.com/user-attachments/assets/11d0c8f8-8b3f-4f2e-9993-879f1c06bcc5" /> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
GiteabotandGitHub
|
2a84831400 |
chore(deps): update astral-sh/setup-uv action to v8.2.0 (#38036)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv) | action | minor | `v8.1.0` → `v8.2.0` | --- ### Release Notes <details> <summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary> ### [`v8.2.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v8.2.0): 🌈 New inputs `quiet` and `download-from-astral-mirror` [Compare Source](https://redirect.github.com/astral-sh/setup-uv/compare/v8.1.0...v8.2.0) #### Changes This release brings two new inputs and a few bug fixes. ##### New inputs Lets talk about the new inputs first. ##### quiet Pretty simple. It turns of all `info` loggings. Useful if you use this in a composite action and are not interested in all the details. In the upcoming releases we will add log groups to fully implement support for "less noise" > \[!NOTE]\ > Warnings and errors are always logged. ##### download-from-astral-mirror In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting `download-from-astral-mirror: false` allows you to do that. ##### Bugfixes When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token. All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults. We couldn't pinpoint all rootcauses yet but added more logging for error cases to track them down. #### 🐛 Bug fixes - fix: report unexpected cache save failures [@​eifinger](https://redirect.github.com/eifinger) ([#​896](https://redirect.github.com/astral-sh/setup-uv/issues/896)) - fix: report unexpected setup failures [@​eifinger](https://redirect.github.com/eifinger) ([#​895](https://redirect.github.com/astral-sh/setup-uv/issues/895)) - fix: add timeout to fetch to prevent silent hangs [@​eifinger-bot](https://redirect.github.com/eifinger-bot) ([#​883](https://redirect.github.com/astral-sh/setup-uv/issues/883)) - Limit GitHub tokens to github.com download URLs [@​zsol](https://redirect.github.com/zsol) ([#​878](https://redirect.github.com/astral-sh/setup-uv/issues/878)) - increase libuv-workaround timeout to 100ms [@​eifinger](https://redirect.github.com/eifinger) ([#​880](https://redirect.github.com/astral-sh/setup-uv/issues/880)) #### 🚀 Enhancements - Add quiet input to suppress info-level log output [@​eifinger](https://redirect.github.com/eifinger) ([#​898](https://redirect.github.com/astral-sh/setup-uv/issues/898)) - feat: add `download-from-astral-mirror` input [@​eifinger](https://redirect.github.com/eifinger) ([#​897](https://redirect.github.com/astral-sh/setup-uv/issues/897)) #### 🧰 Maintenance - docs: update dependabot rollup biome guidance [@​eifinger](https://redirect.github.com/eifinger) ([#​902](https://redirect.github.com/astral-sh/setup-uv/issues/902)) - chore: update known checksums for 0.11.18 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​899](https://redirect.github.com/astral-sh/setup-uv/issues/899)) - chore: update known checksums for 0.11.17 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​892](https://redirect.github.com/astral-sh/setup-uv/issues/892)) - chore: update known checksums for 0.11.16 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​889](https://redirect.github.com/astral-sh/setup-uv/issues/889)) - chore: update known checksums for 0.11.15 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​885](https://redirect.github.com/astral-sh/setup-uv/issues/885)) - chore: update known checksums for 0.11.14 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​879](https://redirect.github.com/astral-sh/setup-uv/issues/879)) - chore: update known checksums for 0.11.13 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​877](https://redirect.github.com/astral-sh/setup-uv/issues/877)) - chore: update known checksums for 0.11.12 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​876](https://redirect.github.com/astral-sh/setup-uv/issues/876)) - chore: update known checksums for 0.11.11 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​873](https://redirect.github.com/astral-sh/setup-uv/issues/873)) - chore: update known checksums for 0.11.9/0.11.10 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​871](https://redirect.github.com/astral-sh/setup-uv/issues/871)) - chore: update known checksums for 0.11.8 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​867](https://redirect.github.com/astral-sh/setup-uv/issues/867)) - Bump setup-uv references to v8.1.0 SHA in docs [@​eifinger](https://redirect.github.com/eifinger) ([#​862](https://redirect.github.com/astral-sh/setup-uv/issues/862)) - Add update-docs.yml workflow [@​eifinger](https://redirect.github.com/eifinger) ([#​861](https://redirect.github.com/astral-sh/setup-uv/issues/861)) #### ⬆️ Dependency updates - chore(deps): roll up dependabot updates [@​eifinger](https://redirect.github.com/eifinger) ([#​903](https://redirect.github.com/astral-sh/setup-uv/issues/903)) - chore(deps): roll up dependabot updates [@​eifinger](https://redirect.github.com/eifinger) ([#​901](https://redirect.github.com/astral-sh/setup-uv/issues/901)) - chore(deps): bump release-drafter/release-drafter from 7.3.0 to 7.3.1 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​900](https://redirect.github.com/astral-sh/setup-uv/issues/900)) - chore(deps): bump eifinger/actionlint-action from 1.10.1 to 1.10.2 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​842](https://redirect.github.com/astral-sh/setup-uv/issues/842)) - chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​893](https://redirect.github.com/astral-sh/setup-uv/issues/893)) - chore(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​891](https://redirect.github.com/astral-sh/setup-uv/issues/891)) - chore(deps): bump release-drafter/release-drafter from 7.2.0 to 7.3.0 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​884](https://redirect.github.com/astral-sh/setup-uv/issues/884)) - chore(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.5 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​888](https://redirect.github.com/astral-sh/setup-uv/issues/888)) - chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​881](https://redirect.github.com/astral-sh/setup-uv/issues/881)) - chore(deps): bump github/codeql-action from 4.32.2 to 4.35.3 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​875](https://redirect.github.com/astral-sh/setup-uv/issues/875)) - chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​866](https://redirect.github.com/astral-sh/setup-uv/issues/866)) - chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​864](https://redirect.github.com/astral-sh/setup-uv/issues/864)) - chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​863](https://redirect.github.com/astral-sh/setup-uv/issues/863)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
wxiaoguangandGitHub
|
136f7d18aa |
fix: api error message (#38031)
Fix various abuses and mistakes |
||
|
|
60f66a9bfd |
enhance(actions): improve reusable workflow uses handling and cancellation (#37991)
Follow up #37478 ## Changes 1. #37478 doesn't support absolute URL in `uses`. This PR provides partial support for URL-style reusable workflow references. A reusable workflow can now be referenced by an absolute URL, as long as it points to the local Gitea instance: ```yaml jobs: call: uses: https://your-gitea.example.com/OWNER/REPO/.gitea/workflows/ci.yaml@v1 ``` 2. Show an error message in the UI for invalid `uses`. <img width="1600" alt="image" src="https://github.com/user-attachments/assets/21b34e61-bf10-4af1-b9fd-4ee4e9fde049" /> 3. Fix reusable caller cancellation issue. A reusable caller's status is aggregated from its children, so cancellation should processes a caller's descendants deepest-first. --------- Signed-off-by: Zettat123 <zettat123@gmail.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: bircni <bircni@icloud.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
|
1e9ea9c8f5 |
fix(deps): update npm dependencies (#38029)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@primer/octicons](https://primer.style/octicons) ([source](https://redirect.github.com/primer/octicons)) | [`19.27.0` → `19.28.0`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.27.0/19.28.0) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.60.0` → `8.60.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.60.0/8.60.1) |  |  | | [@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest) | [`1.6.18` → `1.6.19`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.18/1.6.19) |  |  | | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.4.0` → `10.4.1`](https://renovatebot.com/diffs/npm/eslint/10.4.0/10.4.1) |  |  | | [eslint-import-resolver-typescript](https://redirect.github.com/import-js/eslint-import-resolver-typescript) | [`4.4.4` → `4.4.5`](https://renovatebot.com/diffs/npm/eslint-import-resolver-typescript/4.4.4/4.4.5) |  |  | | [eslint-plugin-vue-scoped-css](https://future-architect.github.io/eslint-plugin-vue-scoped-css/) ([source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css)) | [`3.1.0` → `3.1.1`](https://renovatebot.com/diffs/npm/eslint-plugin-vue-scoped-css/3.1.0/3.1.1) |  |  | | [js-yaml](https://redirect.github.com/nodeca/js-yaml) | [`4.1.1` → `4.2.0`](https://renovatebot.com/diffs/npm/js-yaml/4.1.1/4.2.0) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.4.0` → `11.5.1`](https://renovatebot.com/diffs/npm/pnpm/11.4.0/11.5.1) |  |  | | [rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin) | [`3.0.8` → `3.0.9`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.8/3.0.9) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.60.0` → `8.60.1`](https://renovatebot.com/diffs/npm/typescript-eslint/8.60.0/8.60.1) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.17.2` → `17.17.3`](https://renovatebot.com/diffs/npm/updates/17.17.2/17.17.3) |  |  | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.0.14` → `8.0.16`](https://renovatebot.com/diffs/npm/vite/8.0.14/8.0.16) |  |  | | [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.7` → `4.1.8`](https://renovatebot.com/diffs/npm/vitest/4.1.7/4.1.8) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.3.2` → `3.3.3`](https://renovatebot.com/diffs/npm/vue-tsc/3.3.2/3.3.3) |  |  | --- ### Release Notes <details> <summary>primer/octicons (@​primer/octicons)</summary> ### [`v19.28.0`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19280) [Compare Source](https://redirect.github.com/primer/octicons/compare/v19.27.0...v19.28.0) ##### Minor Changes - [#​1208](https://redirect.github.com/primer/octicons/pull/1208) [`eddab3ff`](https://redirect.github.com/primer/octicons/commit/eddab3ff19f1450eb1d60c78b1d20c2c4bc3fd15) Thanks [@​dylanatsmith](https://redirect.github.com/dylanatsmith)! - Fix vscode icon: update 16px, add 24px, remove 32px and 48px </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/parser)</summary> ### [`v8.60.1`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8601-2026-06-01) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.0...v8.60.1) This was a version bump only for parser to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.1) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>vitest-dev/eslint-plugin-vitest (@​vitest/eslint-plugin)</summary> ### [`v1.6.19`](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/releases/tag/v1.6.19) [Compare Source](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.18...v1.6.19) *No significant changes* ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.18...v1.6.19) </details> <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.4.1`](https://redirect.github.com/eslint/eslint/releases/tag/v10.4.1) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.4.0...v10.4.1) #### Bug Fixes - [`e557467`](https://redirect.github.com/eslint/eslint/commit/e557467db7496220eebcbe2ac5ea6d38c12bb1ec) fix: update `@eslint/plugin-kit` version to 0.7.2 ([#​20930](https://redirect.github.com/eslint/eslint/issues/20930)) (Francesco Trotta) - [`d4ce898`](https://redirect.github.com/eslint/eslint/commit/d4ce898796ca22c3b96aa70d3014cb85f4bac1cd) fix: propagate failures from delegated commands ([#​20917](https://redirect.github.com/eslint/eslint/issues/20917)) (Minh Vu) - [`f4f3507`](https://redirect.github.com/eslint/eslint/commit/f4f3507460bc016b5be979c05d2969793f570cbf) fix: prefer-arrow-callback invalid autofix with newline after `async` ([#​20916](https://redirect.github.com/eslint/eslint/issues/20916)) (kuldeep kumar) - [`c5bc78b`](https://redirect.github.com/eslint/eslint/commit/c5bc78b37e08b9054a11f0cc2d81808bb24acb85) fix: false positive for reference in `finally` block ([#​20655](https://redirect.github.com/eslint/eslint/issues/20655)) (Tanuj Kanti) - [`27538c0`](https://redirect.github.com/eslint/eslint/commit/27538c01f5df4e9306f6f4ba867b2dd6307fae59) fix: add missing CodePath and CodePathSegment types ([#​20853](https://redirect.github.com/eslint/eslint/issues/20853)) (Pixel998) #### Documentation - [`61b0add`](https://redirect.github.com/eslint/eslint/commit/61b0add61ffc52665562be7bb96f526690a78b30) docs: remove deprecated rule from related rules of `max-params` ([#​20921](https://redirect.github.com/eslint/eslint/issues/20921)) (Tanuj Kanti) - [`305d5b9`](https://redirect.github.com/eslint/eslint/commit/305d5b91aeac24d36fde42f75625a8f183d4ce43) docs: remove deprecated rules from related rules section ([#​20911](https://redirect.github.com/eslint/eslint/issues/20911)) (Tanuj Kanti) - [`49b0202`](https://redirect.github.com/eslint/eslint/commit/49b0202d01918b8061720d586dffd7c68047090c) docs: fix `display: none` of ad ([#​20901](https://redirect.github.com/eslint/eslint/issues/20901)) (Tanuj Kanti) - [`9067f94`](https://redirect.github.com/eslint/eslint/commit/9067f9492ec998afc5b4f057a477ecf6ebd45e44) docs: switch build to Node.js 24 ([#​20893](https://redirect.github.com/eslint/eslint/issues/20893)) (Milos Djermanovic) - [`c91b041`](https://redirect.github.com/eslint/eslint/commit/c91b0417e3420c76807ce1fa2aea76e2de87ab86) docs: Update README (GitHub Actions Bot) - [`e349265`](https://redirect.github.com/eslint/eslint/commit/e349265cb37f3ebc837e178e48a725bb782bd870) docs: clarify semver strings in rule deprecation objects ([#​20885](https://redirect.github.com/eslint/eslint/issues/20885)) (Milos Djermanovic) #### Chores - [`b0e466b`](https://redirect.github.com/eslint/eslint/commit/b0e466b6ab47bfc7de43d8de0c315d8ee83aa584) test: add `data` property to invalid tests cases for rules ([#​20924](https://redirect.github.com/eslint/eslint/issues/20924)) (Tanuj Kanti) - [`f78838b`](https://redirect.github.com/eslint/eslint/commit/f78838bc4c86d487e1bcc7cede260c4467721c46) test: add CodePath type coverage ([#​20904](https://redirect.github.com/eslint/eslint/issues/20904)) (Pixel998) - [`1daa4bd`](https://redirect.github.com/eslint/eslint/commit/1daa4bd734b79a62e317d0394394a6b38cff49f9) chore: update `eslint-plugin-eslint-comments` test data to latest commit ([#​20922](https://redirect.github.com/eslint/eslint/issues/20922)) (Francesco Trotta) - [`002942c`](https://redirect.github.com/eslint/eslint/commit/002942ce988ea28b78e0a2f3b074081e638b552c) ci: declare contents:read on update-readme workflow ([#​20919](https://redirect.github.com/eslint/eslint/issues/20919)) (Arpit Jain) - [`64bca24`](https://redirect.github.com/eslint/eslint/commit/64bca24e7bed35bc3c864fc625cb2d89eca87d5b) chore: update ecosystem plugins ([#​20912](https://redirect.github.com/eslint/eslint/issues/20912)) (ESLint Bot) - [`6d7c832`](https://redirect.github.com/eslint/eslint/commit/6d7c832950d5e92499d88e504080661f888f8f56) chore: ignore fflate updates in renovate ([#​20908](https://redirect.github.com/eslint/eslint/issues/20908)) (Pixel998) - [`b2c8638`](https://redirect.github.com/eslint/eslint/commit/b2c86382164d87c6203b78d52068cd6a2a6ffe30) ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 ([#​20889](https://redirect.github.com/eslint/eslint/issues/20889)) (dependabot\[bot]) - [`a9b8d7f`](https://redirect.github.com/eslint/eslint/commit/a9b8d7f74c50211701cfc49710fa541fd91b2aa5) chore: increase maxBuffer for ecosystem tests ([#​20881](https://redirect.github.com/eslint/eslint/issues/20881)) (sethamus) - [`b702ead`](https://redirect.github.com/eslint/eslint/commit/b702ead5e1ed7cb9f28238a454797662efb37396) chore: update ecosystem update PR settings ([#​20884](https://redirect.github.com/eslint/eslint/issues/20884)) (Pixel998) - [`507f60e`](https://redirect.github.com/eslint/eslint/commit/507f60e9a78c9a902bc8759f066ae17a1ea6cd81) chore: update ecosystem plugins ([#​20882](https://redirect.github.com/eslint/eslint/issues/20882)) (ESLint Bot) - [`92f5c5b`](https://redirect.github.com/eslint/eslint/commit/92f5c5bb6bf3a5d167c8ee53a430833410295c6d) test: add unit test for message-count ([#​20878](https://redirect.github.com/eslint/eslint/issues/20878)) (kuldeep kumar) - [`df32108`](https://redirect.github.com/eslint/eslint/commit/df321080af5758b1fa25e4b9a40e26135642dd6e) chore: add [@​eslint/markdown](https://redirect.github.com/eslint/markdown) and typescript-eslint ecosystem tests ([#​20837](https://redirect.github.com/eslint/eslint/issues/20837)) (sethamus) - [`327f91d`](https://redirect.github.com/eslint/eslint/commit/327f91d36aa49f2a50ded931d841a16374fd875f) chore: use includeIgnoreFile internally ([#​20876](https://redirect.github.com/eslint/eslint/issues/20876)) (Kirk Waiblinger) - [`f0dc4bd`](https://redirect.github.com/eslint/eslint/commit/f0dc4bd893fb3a9f44e4ddc3ad7063ffb0beacd3) chore: pin fflate\@​0.8.2 ([#​20877](https://redirect.github.com/eslint/eslint/issues/20877)) (Milos Djermanovic) - [`0f4bd25`](https://redirect.github.com/eslint/eslint/commit/0f4bd257a67a082b756de746d9e0c4842ab764ca) ci: run Discord alert for ecosystem test failures ([#​20873](https://redirect.github.com/eslint/eslint/issues/20873)) (Copilot) </details> <details> <summary>import-js/eslint-import-resolver-typescript (eslint-import-resolver-typescript)</summary> ### [`v4.4.5`](https://redirect.github.com/import-js/eslint-import-resolver-typescript/blob/HEAD/CHANGELOG.md#445) [Compare Source](https://redirect.github.com/import-js/eslint-import-resolver-typescript/compare/v4.4.4...v4.4.5) ##### Patch Changes - [#​473](https://redirect.github.com/import-js/eslint-import-resolver-typescript/pull/473) [`32c61ab`](https://redirect.github.com/import-js/eslint-import-resolver-typescript/commit/32c61abccf26bd2a2267f2e0e67d82e6f88d149a) Thanks [@​leey0818](https://redirect.github.com/leey0818)! - fix: check tsconfig matching before using resolver </details> <details> <summary>future-architect/eslint-plugin-vue-scoped-css (eslint-plugin-vue-scoped-css)</summary> ### [`v3.1.1`](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/blob/HEAD/CHANGELOG.md#311) [Compare Source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/compare/v3.1.0...v3.1.1) ##### Patch Changes - Fix false positives in `vue-scoped-css/require-selector-used-inside` for selectors that start with ignored pseudo-classes such as `:has(...)`. ([#​496](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/pull/496)) </details> <details> <summary>nodeca/js-yaml (js-yaml)</summary> ### [`v4.2.0`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#420---2026-06-01) [Compare Source](https://redirect.github.com/nodeca/js-yaml/compare/4.1.1...590dbabadd172b099c07654fab2eabec8c7a07b9) ##### Added - Added `docs/safety.md` with notes about processing untrusted YAML. - Added `maxDepth` (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow. - Added `maxMergeSeqLength` (20) loader option. Not a problem after `merge` fix, but an additional restriction for safety. - Added sourcemaps to `dist/` builds. ##### Changed - Stop resolving numbers with underscores as numeric scalars, [#​627](https://redirect.github.com/nodeca/js-yaml/issues/627). - Switched dev toolchains to Vite / neostandard. - Updated demo. - Reorganized tests. - `dist/` files are no longer kept in the repository. ##### Fixed - Fix parsing of properties on the first implicit block mapping key, [#​62](https://redirect.github.com/nodeca/js-yaml/issues/62). - Fix trailing whitespace handling when folding flow scalar lines, [#​307](https://redirect.github.com/nodeca/js-yaml/issues/307). - Reject top-level block scalars without content indentation, [#​280](https://redirect.github.com/nodeca/js-yaml/issues/280). - Ensure numbers survive round-trip, [#​737](https://redirect.github.com/nodeca/js-yaml/issues/737). - Fix test coverage for issue [#​221](https://redirect.github.com/nodeca/js-yaml/issues/221). - Fix flow scalar trailing whitespace folding, [#​307](https://redirect.github.com/nodeca/js-yaml/issues/307). - Fix digits in YAML named tag handles. ##### Security - Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K). </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.5.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1151) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.5.0...v11.5.1) ##### Patch Changes - Improve `pnpm audit` performance by pruning non-vulnerable lockfile subtrees and stopping path enumeration once vulnerable findings reach the path cap. - Avoid crashing when the workspace state cache is partially written or malformed. - Set `npm_config_user_agent` for root lifecycle scripts during headless installs. - Preserve the `integrity` field of a remote (non-registry) tarball dependency when its lockfile entry is rebuilt. Re-resolving such a dependency without re-fetching it (for example via `pnpm update`, or when another dependency changes) produced a resolution with no integrity — URL/tarball resolvers only learn the integrity after the tarball is downloaded — so the previously recorded integrity was dropped, making later installs fail with `ERR_PNPM_MISSING_TARBALL_INTEGRITY` [#​12067](https://redirect.github.com/pnpm/pnpm/issues/12067). - Normalize a string `repository` field into the `{ type, url }` object form when creating the publish manifest, matching npm's behavior. Some registries (e.g. Gitea/Codeberg) reject a string `repository` with a 500 Internal Server Error during `pnpm publish` [#​12099](https://redirect.github.com/pnpm/pnpm/issues/12099). - Preserve compatible optional peer versions already present in the lockfile when resolving dependencies. - Fixed inconsistent resolution of a peer dependency that is shared through a diamond. When a package peer-depends on both another package and one of that package's own peer dependencies (for example `@typescript-eslint/eslint-plugin` peer-depends on both `@typescript-eslint/parser` and `typescript`, and `@typescript-eslint/parser` peer-depends on `typescript`), pnpm no longer reuses a hoisted instance of the shared peer that was resolved against a different version [#​12079](https://redirect.github.com/pnpm/pnpm/issues/12079). ### [`v11.5.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1150) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.4.0...v11.5.0) ##### Minor Changes - Added a new `hoistingLimits` setting for `nodeLinker: hoisted` installs, mirroring yarn's `nmHoistingLimits`. It accepts `none` (the default — hoist as far as possible), `workspaces` (hoist only as far as each workspace package), or `dependencies` (hoist only up to each workspace package's direct dependencies). Originally proposed in [#​6468](https://redirect.github.com/pnpm/pnpm/pull/6468), closing [#​6457](https://redirect.github.com/pnpm/pnpm/issues/6457). - Replaced `enquirer` with `@inquirer/prompts` for all interactive prompts. Fixes the `update -i` scrolling overflow bug where long choice lists were clipped in the terminal [#​6643](https://redirect.github.com/pnpm/pnpm/issues/6643). **User-facing changes:** - `pnpm update -i` / `pnpm update -i --latest`: Scrolling now works correctly when many packages are available; the new library uses visual-line-aware pagination via `usePagination` - `pnpm audit --fix -i`: Same scrolling fix for vulnerability selection - `pnpm approve-builds`: Interactive build approval prompts updated - `pnpm patch`: Version selection and "apply to all" prompts updated - `pnpm patch-remove`: Patch removal selection updated - `pnpm publish`: Branch confirmation prompt updated - `pnpm login`: Credential prompts updated - `pnpm run` / `pnpm exec` (with `verifyDepsBeforeRun=prompt`): Confirmation prompt updated Vim-style `j`/`k` keys still work for up/down navigation in all interactive prompts. **Internal:** The `OtpEnquirer` and `LoginEnquirer` DI interfaces changed from `{ prompt }` to `{ input }` / `{ input, password }` respectively. Plugins or custom builds that inject their own enquirer mock will need to update. - Staged publishes are now recognized in the trust scale. When a package version's registry metadata carries an `approver` field, it is treated as the strongest trust evidence (ranked above trusted publishers and provenance attestations), since staged publishes require 2FA publish approvals. This prevents false-positive trust downgrade errors when moving from a staged publish to a lower trust level [#​11887](https://redirect.github.com/pnpm/pnpm/issues/11887). ##### Patch Changes - Fix pnpm hanging during peer resolution when an aliased install pulls in transitive packages with mutual peer cycles at different depths in the dependency tree (for example, `pnpm i nuxt@npm:nuxt-nightly@5x`). Cycles whose members hit the `findHit` cache instead of running their own `calculateDepPath` are now short-circuited by sibling resolutions at the level where the cycle is detected, so the cached path promises no longer deadlock. [#​11999](https://redirect.github.com/pnpm/pnpm/issues/11999). - Fix `pnpm dist-tag add` and `pnpm dist-tag rm` against npmjs.org failing without `--otp` with `[ERR_PNPM_UNAUTHORIZED] You must be logged in to set dist-tag … "You must provide a one-time pass. Upgrade your client to npm@latest in order to use 2FA."`. pnpm now sends `npm-auth-type: web` on dist-tag writes and surfaces the resulting OTP challenge through the existing browser-based 2FA flow (the same `withOtpHandling` helper used by `pnpm publish`), so the browser opens, the user authenticates, and the dist-tag is set on retry. `--otp=<code>` continues to work via the classic flow. - Fix `minimumReleaseAgeExclude` handling in npm resolution fast paths so excluded packages do not get pinned to stale versions. Excludes are honored consistently during `publishedBy` metadata selection and cache-mtime shortcuts. - Fix the `integrity` field being dropped from the lockfile entry of a remote (non-registry) https-tarball dependency when an unrelated package is installed afterwards. URL/tarball resolvers do not return an integrity (it is only known after the tarball is downloaded), so when such a dependency was reused from the lockfile without being re-fetched, its integrity was lost. It is now carried over from the existing resolution. With pnpm's lockfile-integrity hardening, the missing integrity made subsequent `--frozen-lockfile` installs fail with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`. [#​12001](https://redirect.github.com/pnpm/pnpm/issues/12001). - Skip dependency re-resolution when `pnpm-lock.yaml` is missing but `node_modules/.pnpm/lock.yaml` exists and still satisfies the manifest. `pnpm install` now reuses the materialized snapshot to regenerate `pnpm-lock.yaml` instead of walking the registry to rebuild it from scratch, turning the cache+node\_modules variation into a near-no-op for users who deleted the lockfile but kept the install [#​11993](https://redirect.github.com/pnpm/pnpm/issues/11993). `--frozen-lockfile` still refuses to proceed when `pnpm-lock.yaml` is absent — the regenerated lockfile must be committed, so failing loudly is the correct behavior for CI. </details> <details> <summary>silverwind/rolldown-license-plugin (rolldown-license-plugin)</summary> ### [`v3.0.9`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.9) [Compare Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.8...3.0.9) - update deps (silverwind) - make: collapse patch/minor/major into one rule (silverwind) - simplify generateBundle: pair dir+raw, rename shadow, inline single-use const (silverwind) - make update a combination target, split out update-js (silverwind) - add update-actions make target (silverwind) - remove authorship attribution rule from AGENTS.md (silverwind) - docs: use defineConfig in README usage example (silverwind) </details> <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.60.1`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8601-2026-06-01) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.0...v8.60.1) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.1) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>silverwind/updates (updates)</summary> ### [`v17.17.3`](https://redirect.github.com/silverwind/updates/releases/tag/17.17.3) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.17.2...17.17.3) - fix prerelease drop in updateVersionRange and scope regex (silverwind) - fix 1.2.x ranges, docker tag corruption, and per-file cooldown (silverwind) - fix go +incompatible, cargo inline-table, and prerelease selection (silverwind) - fix --pin range parsing, url tag deps, and -s flag docs (silverwind) - make update a combination target, split out update-js (silverwind) - add update-actions make target (silverwind) - remove authorship attribution rule from AGENTS.md (silverwind) </details> <details> <summary>vitejs/vite (vite)</summary> ### [`v8.0.16`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8016-2026-06-01-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v8.0.15...v8.0.16) ##### Bug Fixes - **deps:** reject UNC paths for launch-editor-middleware ([#​22571](https://redirect.github.com/vitejs/vite/issues/22571)) ([50b9512](https://redirect.github.com/vitejs/vite/commit/50b951225bbf6151eb84a3ad5a454908ab4a76c9)) - reject windows alternate paths ([#​22572](https://redirect.github.com/vitejs/vite/issues/22572)) ([dc245c7](https://redirect.github.com/vitejs/vite/commit/dc245c71e5007ea4d891a025e2d69ac96c736546)) ### [`v8.0.15`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8015-2026-06-01-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v8.0.14...v8.0.15) ##### Features - send 408 on request timeout ([#​22476](https://redirect.github.com/vitejs/vite/issues/22476)) ([c85c9ee](https://redirect.github.com/vitejs/vite/commit/c85c9eeb9aaf41f477b48b057146887bd5620797)) - update rolldown to 1.0.3 ([#​22538](https://redirect.github.com/vitejs/vite/issues/22538)) ([646dbed](https://redirect.github.com/vitejs/vite/commit/646dbedd2870f8ec48df0321177d8aa64bbd1575)) ##### Bug Fixes - capitalize error messages and remove spurious space in parse error ([#​22488](https://redirect.github.com/vitejs/vite/issues/22488)) ([85a0eff](https://redirect.github.com/vitejs/vite/commit/85a0eff1c82bbb7c99a0fe8e63704316578a40d3)) - **deps:** update all non-major dependencies ([#​22511](https://redirect.github.com/vitejs/vite/issues/22511)) ([2686d7d](https://redirect.github.com/vitejs/vite/commit/2686d7d0b722402204d3bcc687a87adea1bcf9fa)) - **dev:** fix html-proxy cache key mismatch for /@​fs/ HTML paths ([#​21762](https://redirect.github.com/vitejs/vite/issues/21762)) ([47c4213](https://redirect.github.com/vitejs/vite/commit/47c4213f134f562c41ed7c031e4788510cf7e31e)) - **glob:** error on relative glob in virtual module when no files match ([#​22497](https://redirect.github.com/vitejs/vite/issues/22497)) ([5c8e98f](https://redirect.github.com/vitejs/vite/commit/5c8e98f8b584ac5d42f0f9b8580c49792213b13c)) - **optimizer:** close the rolldown bundle when write() rejects ([#​22528](https://redirect.github.com/vitejs/vite/issues/22528)) ([e3cfb9d](https://redirect.github.com/vitejs/vite/commit/e3cfb9deecff563550fa1b8abd27656b8b292815)) - **resolve:** provide onWarn for viteResolvePlugin in JS plugin containers ([#​22509](https://redirect.github.com/vitejs/vite/issues/22509)) ([40985f1](https://redirect.github.com/vitejs/vite/commit/40985f1c09b7696e594e6c5695fbc315d2da2c83)) ##### Miscellaneous Chores - **deps:** update rolldown-related dependencies ([#​22566](https://redirect.github.com/vitejs/vite/issues/22566)) ([3052a67](https://redirect.github.com/vitejs/vite/commit/3052a67d9350f4c5076ab1c222c4a21a589cbcdd)) ##### Code Refactoring - correct logic in `collectAllModules` function ([#​22562](https://redirect.github.com/vitejs/vite/issues/22562)) ([6978a9c](https://redirect.github.com/vitejs/vite/commit/6978a9ceb942c4f5e211d52b8a1e569f8a65c80c)) </details> <details> <summary>vitest-dev/vitest (vitest)</summary> ### [`v4.1.8`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v4.1.8) [Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.7...v4.1.8) ##### 🐞 Bug Fixes - **browser**: - Disable client `cdp` API when `allowWrite/allowExec: false` \[backport to v4] - by [@​hi-ogawa](https://redirect.github.com/hi-ogawa) and **Codex** in [#​10450](https://redirect.github.com/vitest-dev/vitest/issues/10450) [<samp>(e4067)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/e4067b3b1) - Remove orphaned Playwright route when same module is mocked via multiple ids \[backport to v4] - by [@​toxik](https://redirect.github.com/toxik) and [@​Zelys-DFKH](https://redirect.github.com/Zelys-DFKH) in [#​10474](https://redirect.github.com/vitest-dev/vitest/issues/10474) [<samp>(675b4)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/675b4343f) ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.7...v4.1.8) </details> <details> <summary>vuejs/language-tools (vue-tsc)</summary> ### [`v3.3.3`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#333-2026-05-30) [Compare Source](https://redirect.github.com/vuejs/language-tools/compare/v3.3.2...v3.3.3) ##### vscode - **fix:** prevent grammar scopes leakage in capitalized tags ([#​6073](https://redirect.github.com/vuejs/language-tools/issues/6073)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** preserve TS auto imports behavior in Vue files ([#​6072](https://redirect.github.com/vuejs/language-tools/issues/6072)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### workspace - **fix:** read PR title from env in `auto-version` workflow to prevent injection ([#​6074](https://redirect.github.com/vuejs/language-tools/issues/6074)) - Thanks to [@​arpitjain099](https://redirect.github.com/arpitjain099)! </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: bircni <bircni@icloud.com> |
||
|
GiteabotandGitHub
|
6dcae57b54 | chore(deps): update action dependencies (#38027) | ||
|
|
1c289df6eb |
enhance: Adjust Workflow Graph styling (#37497)
- Fix workflow dependency graph overflow by making the graph container scrollable (no more clipped DAGs; addresses #37493). - Improve Actions job list readability by keeping durations fixed-width/right-aligned so long times don’t squeeze job names. - Make workflow graph layout more intuitive by vertically centering shorter columns to reduce misleading “looks like it depends on” alignments (addresses #37395). ### Screenshot <img width="966" height="439" src="https://github.com/user-attachments/assets/c180c5a2-4f56-4287-bcaa-f2735ba72949" /> <img width="949" height="559" src="https://github.com/user-attachments/assets/a383511d-a962-4920-b792-69f556847eff" /> Fixes #37493 Fixes #37395 --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
ea35af1b68 |
fix: bound CODEOWNERS regex match time (#38011)
User-supplied CODEOWNERS patterns were compiled without a match timeout, so a crafted pattern (e.g. (a+)+) against a crafted file path could backtrack for tens of seconds inside the PR creation transaction and exhaust the database connection pool. Set MatchTimeout on each compiled rule; the caller already treats match errors as non-matches. --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
wxiaoguangandGitHub
|
e2fbfc8730 |
fix: various dropdown problems (#38020)
1. remove legacy onResponseKeepSelectedItem, refactor the code to
dropdown.js
2. make dropdown correctly handle "single selection + remote query + filter"
* fix #38018
3. fix incorrect "transition" class usage for the dropdown dividers
|
||
|
wxiaoguangandGitHub
|
9bbea90bfe | fix: pgsql lint (#38022) | ||
|
5fe4f962e8 |
refactor(api): clarify APIError message usage and fix legacy lint error (#38012)
Avoid unclear & fragile "any" tricks, fix various abuses Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
c43eb7c33a |
fix(auth): do not auto-reactivate disabled users on OAuth2 callback (#38009)
The OAuth2 sign-in callback unconditionally set IsActive=true on the local user row whenever the IdP authenticated them, silently undoing an administrator's "Disable Account" action and granting the user a fresh session in the same response. Treat the local IsActive flag as an authoritative admin override: inactive users get a session and are routed through the existing activate / prohibit-login pages by verifyAuthWithOptions, matching the local-credentials sign-in path. Adds an integration regression test that disables a linked local user and asserts the row stays IsActive=false after a full OIDC callback. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
bircniandGitHub
|
42513398c0 |
fix(lfs): reject unknown SSH LFS sub-verbs to prevent auth bypass (#38008)
An authenticated SSH user could pass a malformed sub-verb (e.g. `git-lfs-authenticate <repo> badverb`) so getAccessMode falls through to AccessModeNone (0). The permission check in routers/private/serv.go then evaluates `userMode < 0` which is always false, granting a valid LFS JWT for any private repository. The HTTP LFS handler only validates the Op claim on writes, so the token works for downloads. Validate the sub-verb in runServ before calling getAccessMode and fail fast for anything other than upload/download. |
||
|
743bbaa9c2 |
fix: refactor git error handling and make archive streaming handle non-existing commit id (#38007)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
wxiaoguangandGitHub
|
e88650cfcf |
chore: fix various layout problems (#37983)
Fix various misaligments, fix space between list item bar items, remove deadcode (milestone dashboard) |
||
|
bircniandGitHub
|
4088d7e241 | fix(ui): keep actions run title intact when subject contains an issue ref (#38005) | ||
|
bircniandGitHub
|
3659b5acc2 |
ci(workflows): add AgentScan workflow to flag possible AI-assisted PRs (#37962)
This PR adds an automated AgentScan workflow to help detect and handle pull requests that appear to be created or authored primarily by automated agents. - If a PR is classified as `automation` or community-flagged, the workflow: - Adds the `possible bot` label, - Posts a policy comment linking to the repository AI Contribution Policy (`CONTRIBUTING.md#ai-contribution-policy`) and listing required disclosures and checks, - Optionally closes the PR if classification indicates an automated/unwelcome submission. |
||
|
bircniandGitHub
|
aa63d1583d |
fix(actions): return 404 when job log blob is missing (#38003)
- When the `action_task` row exists but the underlying dbfs/storage blob is gone, `OpenLogs` returns a wrapped `os.ErrNotExist` which surfaces as a 500 on the job logs endpoints. - Translate it to the same `util.NewNotExistErrorf` shape already used for unknown job ids / expired logs, so both the API (`/api/v1/repos/.../actions/jobs/<id>/logs`) and the web download handler return a clean 404 instead. Fixes #37990. |
||
|
GiteaBot
|
7a26d5a2ae | [skip ci] Updated translations via Crowdin | ||
|
|
dac41a124f |
fix!: raise git required version to 2.13 (#37996)
format `lstrip=2` is only supported in git >= 2.13 https://git-scm.com/docs/git-for-each-ref/2.13.7 ref: #37994 Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
aaf4b149fa |
chore(deps): upgrade zstd seekable package (#37988)
Upgrade `github.com/SaveTheRbtz/zstd-seekable-format-go/pkg` from `v0.8.3` to `v0.10.0`: https://github.com/SaveTheRbtz/zstd-seekable-format-go/releases/tag/pkg%2Fv0.10.0 This keeps Gitea's seekable zstd wrapper on the stable v0.10 API while preserving the existing public `modules/zstd` API. API migration: - update `SeekableWriter` and `SeekableReader` internals for the concrete `*seekable.Writer` and `*seekable.Reader` types introduced by SaveTheRbtz/zstd-seekable-format-go#264 - update generated dependency metadata after `go mod tidy` removed the now-unused `github.com/google/btree` transitive dependency - no Gitea call sites needed changes because `modules/zstd` still exposes the same constructors and interfaces Validation: - `go test ./modules/zstd` - `make --always-make checks-backend` --------- Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
792fa5eeba |
feat(api): add q parameter to list branches API for server-side filtering (#37982)
The GET /repos/{owner}/{repo}/branches endpoint currently has no way to
filter branches by name server-side, forcing API consumers to paginate
through all branches and filter client-side.
The UI already supports branch search (added in
[#27055](https://github.com/go-gitea/gitea/pull/27055)). The underlying
DB layer has a Keyword field on FindBranchOptions in
models/git/branch_list.go that does a LIKE %keyword% SQL filter, it just
wasn't wired up to the API handler.
This PR exposes a ?q= query parameter on the endpoint that maps to
FindBranchOptions.Keyword.
Example:
```GET /repos/owner/repo/branches?q=feature ```
Closes #37981
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
|
||
|
b2748d7654 |
feat(ui): add "follow rename" to file commit history list (#34994)
Fix #28253 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
TheFox0x7andGitHub
|
735e940a61 |
fix(oauth2): not respecting claims before second login (#37874)
fixes defect where claims where only applies on login but not during account linking making only the second login take them into account fixes: https://github.com/go-gitea/gitea/issues/32566 |
||
 Dawid GóraandGitHub
|
623bb81bb9 |
fix(releases): generate notes for initial tag (#37697)
Fixes https://github.com/go-gitea/gitea/issues/37286 Automatic release notes for the first release in a repository were empty when there was no previous tag. Before this change, the release notes generator used the tag name to build the changelog link, but reused that state for pull request collection. When `PreviousTag` was empty, the PR collection logic did not scan a useful commit range, so merged pull requests were omitted from the generated notes. This pull request fixes that by decoupling the internal PR collection range from the rendered changelog link: - when a previous tag exists, behavior stays unchanged - when no previous tag exists, release notes collect merged pull requests from the full reachable history up to the target tag - the displayed full changelog link for the first release still uses the existing `/commits/tag/{tag}` format Tests were updated to cover: - generating notes for a repository with no previous tags - including merged pull requests before the first tag - preserving existing behavior when a previous tag exists |
||
|
wxiaoguangandGitHub
|
fbaaac9c14 |
fix: remove "no-transfrom" from the cache-control header (#37985)
Cloudflare has officially removed the "auto-minify" feature https://community.cloudflare.com/t/655677, so we don't need such option anymore. Fix #34521 |
||
|
79810ba2e3 |
fix: use committer time where ever possible as default (#37969)
Fix https://github.com/go-gitea/gitea/issues/37857 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
