Close
[BS-3610](https://linear.app/affine-design/issue/BS-3610/bug-每次按空格会出现重复单词-,特定输入法,比如swiftkey)
#### PR Dependency Tree
* **PR #13591**
* **PR #13590** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- Android: More reliable Backspace/delete handling, preventing missed
inputs and double-deletions.
- Android: Cursor/selection is correctly restored after merging a
paragraph with the previous block.
- Android: Smoother IME composition input; captures correct composition
range.
- Deletion across lines and around embeds/empty lines is more
consistent.
- Chores
- Internal event handling updated to improve Android compatibility and
stability (no user-facing changes).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13591**
* **PR #13590** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
#### PR Dependency Tree
* **PR #13591** 👈
* **PR #13590**
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- Improved drag-and-drop stability: draggables, drop targets, and
monitors now respond when option sources or external data change.
- Improved async actions and permission checks to always use the latest
callbacks and error handlers.
- Chores
- Lint/Prettier configs updated to ignore the Git directory.
- Upgraded oxlint dev dependency.
- Tests
- Updated several end-to-end tests for more reliable text selection,
focus handling, and timing.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`6.3.5` ->
`6.3.6`](https://renovatebot.com/diffs/npm/vite/6.3.5/6.3.6) |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
### GitHub Vulnerability Alerts
####
[CVE-2025-58751](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c)
### Summary
Files starting with the same name with the public directory were served
bypassing the `server.fs` settings.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or
[`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host))
- uses [the public directory
feature](https://vite.dev/guide/assets.html#the-public-directory)
(enabled by default)
- a symlink exists in the public directory
### Details
The
[servePublicMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L79))
function is in charge of serving public files from the server. It
returns the
[viteServePublicMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L106))
function which runs the needed tests and serves the page. The
viteServePublicMiddleware function [checks if the publicFiles variable
is
defined](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L111)),
and then uses it to determine if the requested page is public. In the
case that the publicFiles is undefined, the code will treat the
requested page as a public page, and go on with the serving function.
[publicFiles may be undefined if there is a symbolic link anywhere
inside the public
directory](9719497ade/packages/vite/src/node/publicDir.ts (L21)).
In that case, every requested page will be passed to the public serving
function. The serving function is based on the
[sirv](https://redirect.github.com/lukeed/sirv) library. Vite patches
the library to add the possibility to test loading access to pages, but
when the public page middleware [disables this
functionality](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L89))
since public pages are meant to be available always, regardless of
whether they are in the allow or deny list.
In the case of public pages, the serving function is [provided with the
path to the public
directory](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L85))
as a root directory. The code of the sirv library [uses the join
function to get the full path to the requested
file](d061616827/packages/sirv/index.mjs (L42)).
For example, if the public directory is "/www/public", and the requested
file is "myfile", the code will join them to the string
"/www/public/myfile". The code will then pass this string to the
normalize function. Afterwards, the code will [use the string's
startsWith
function](d061616827/packages/sirv/index.mjs (L43))
to determine whether the created path is within the given directory or
not. Only if it is, it will be served.
Since [sirv trims the trailing slash of the public
directory](d061616827/packages/sirv/index.mjs (L119)),
the string's startsWith function may return true even if the created
path is not within the public directory. For example, if the server's
root is at "/www", and the public directory is at "/www/p", if the
created path will be "/www/private.txt", the startsWith function will
still return true, because the string "/www/private.txt" starts with
"/www/p". To achieve this, the attacker will use ".." to ask for the
file "../private.txt". The code will then join it to the "/www/p"
string, and will receive "/www/p/../private.txt". Then, the normalize
function will return "/www/private.txt", which will then be passed to
the startsWith function, which will return true, and the processing of
the page will continue without checking the deny list (since this is the
public directory middleware which doesn't check that).
### PoC
Execute the following shell commands:
```
npm create vite@latest
cd vite-project/
mkdir p
cd p
ln -s a b
cd ..
echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({publicDir: path.resolve(__dirname, "p/"), server: {fs: {deny: [path.resolve(__dirname, "private.txt")]}}})' > vite.config.js
echo "secret" > private.txt
npm install
npm run dev
```
Then, in a different shell, run the following command:
`curl -v --path-as-is 'http://localhost:5173/private.txt'`
You will receive a 403 HTTP Response, because private.txt is denied.
Now in the same shell run the following command:
`curl -v --path-as-is 'http://localhost:5173/../private.txt'`
You will receive the contents of private.txt.
### Related links
-
f0113f3f82
####
[CVE-2025-58752](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3)
### Summary
Any HTML files on the machine were served regardless of the `server.fs`
settings.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or
[server.host config
option](https://vitejs.dev/config/server-options.html#server-host))
- `appType: 'spa'` (default) or `appType: 'mpa'` is used
This vulnerability also affects the preview server. The preview server
allowed HTML files not under the output directory to be served.
### Details
The
[serveStaticMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L123))
function is in charge of serving static files from the server. It
returns the
[viteServeStaticMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L136))
function which runs the needed tests and serves the page. The
viteServeStaticMiddleware function [checks if the extension of the
requested file is
".html"](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L144)).
If so, it doesn't serve the page. Instead, the server will go on to the
next middlewares, in this case
[htmlFallbackMiddleware](9719497ade/packages/vite/src/node/server/middlewares/htmlFallback.ts (L14)),
and then to
[indexHtmlMiddleware](9719497ade/packages/vite/src/node/server/middlewares/indexHtml.ts (L438)).
These middlewares don't perform any test against allow or deny rules,
and they don't make sure that the accessed file is in the root directory
of the server. They just find the file and send back its contents to the
client.
### PoC
Execute the following shell commands:
```
npm create vite@latest
cd vite-project/
echo "secret" > /tmp/secret.html
npm install
npm run dev
```
Then, in a different shell, run the following command:
`curl -v --path-as-is
'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'`
The contents of /tmp/secret.html will be returned.
This will also work for HTML files that are in the root directory of the
project, but are in the deny list (or not in the allow list). Test that
by stopping the running server (CTRL+C), and running the following
commands in the server's shell:
```
echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, "secret_files/*")]}}})' > [vite.config.js](http://vite.config.js)
mkdir secret_files
echo "secret txt" > secret_files/secret.txt
echo "secret html" > secret_files/secret.html
npm run dev
```
Then, in a different shell, run the following command:
`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'`
You will receive a 403 HTTP Response, because everything in the
secret_files directory is denied.
Now in the same shell run the following command:
`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'`
You will receive the contents of secret_files/secret.html.
---
### Release Notes
<details>
<summary>vitejs/vite (vite)</summary>
###
[`v6.3.6`](https://redirect.github.com/vitejs/vite/releases/tag/v6.3.6)
[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v6.3.5...v6.3.6)
Please refer to
[CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.3.6/packages/vite/CHANGELOG.md)
for details.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS45Ny4xMCIsInVwZGF0ZWRJblZlciI6IjQxLjk3LjEwIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [sha.js](https://github.com/crypto-browserify/sha.js) from 2.4.11
to 2.4.12.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/browserify/sha.js/blob/master/CHANGELOG.md">sha.js's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/browserify/sha.js/compare/v2.4.11...v2.4.12">v2.4.12</a>
- 2025-07-01</h2>
<h3>Commits</h3>
<ul>
<li>[eslint] switch to eslint <a
href="7acadfbd3a"><code>7acadfb</code></a></li>
<li>[meta] add <code>auto-changelog</code> <a
href="b46e7116eb"><code>b46e711</code></a></li>
<li>[eslint] fix package.json indentation <a
href="df9d521e16"><code>df9d521</code></a></li>
<li>[Tests] migrate from travis to GHA <a
href="c43c64adc6"><code>c43c64a</code></a></li>
<li>[Fix] support multi-byte wide typed arrays <a
href="f2a258e9f2"><code>f2a258e</code></a></li>
<li>[meta] reorder package.json <a
href="d8d77c0a72"><code>d8d77c0</code></a></li>
<li>[meta] add <code>npmignore</code> <a
href="35aec35c66"><code>35aec35</code></a></li>
<li>[Tests] avoid console logs <a
href="73e33ae0ca"><code>73e33ae</code></a></li>
<li>[Tests] fix tests run in batch <a
href="262913006e"><code>2629130</code></a></li>
<li>[Tests] drop node requirement to 0.10 <a
href="00c7f234aa"><code>00c7f23</code></a></li>
<li>[Dev Deps] update <code>buffer</code>,
<code>hash-test-vectors</code>, <code>standard</code>,
<code>tape</code>, <code>typedarray</code> <a
href="92b5de5f67"><code>92b5de5</code></a></li>
<li>[Tests] drop node requirement to v3 <a
href="9b5eca80fd"><code>9b5eca8</code></a></li>
<li>[meta] set engines to <code>&gt;= 4</code> <a
href="807084c5c0"><code>807084c</code></a></li>
<li>Only apps should have lockfiles <a
href="c72789c7a1"><code>c72789c</code></a></li>
<li>[Deps] update <code>inherits</code>, <code>safe-buffer</code> <a
href="5428cfc6f7"><code>5428cfc</code></a></li>
<li>[Dev Deps] update <code>@ljharb/eslint-config</code> <a
href="2dbe0aab41"><code>2dbe0aa</code></a></li>
<li>update README to reflect LICENSE <a
href="8938256dbb"><code>8938256</code></a></li>
<li>[Dev Deps] add missing peer dep <a
href="d52889688c"><code>d528896</code></a></li>
<li>[Dev Deps] remove unused <code>buffer</code> dep <a
href="94ca7247f4"><code>94ca724</code></a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="eb4ea2fd3d"><code>eb4ea2f</code></a>
v2.4.12</li>
<li><a
href="d8d77c0a72"><code>d8d77c0</code></a>
[meta] reorder package.json</li>
<li><a
href="df9d521e16"><code>df9d521</code></a>
[eslint] fix package.json indentation</li>
<li><a
href="35aec35c66"><code>35aec35</code></a>
[meta] add <code>npmignore</code></li>
<li><a
href="d52889688c"><code>d528896</code></a>
[Dev Deps] add missing peer dep</li>
<li><a
href="b46e7116eb"><code>b46e711</code></a>
[meta] add <code>auto-changelog</code></li>
<li><a
href="94ca7247f4"><code>94ca724</code></a>
[Dev Deps] remove unused <code>buffer</code> dep</li>
<li><a
href="2dbe0aab41"><code>2dbe0aa</code></a>
[Dev Deps] update <code>@ljharb/eslint-config</code></li>
<li><a
href="73e33ae0ca"><code>73e33ae</code></a>
[Tests] avoid console logs</li>
<li><a
href="f2a258e9f2"><code>f2a258e</code></a>
[Fix] support multi-byte wide typed arrays</li>
<li>Additional commits viewable in <a
href="https://github.com/crypto-browserify/sha.js/compare/v2.4.11...v2.4.12">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~ljharb">ljharb</a>, a new releaser for
sha.js since your current version.</p>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/toeverything/AFFiNE/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Close
[BS-3625](https://linear.app/affine-design/issue/BS-3625/移动端database-table-view无法横向滚动)
#### PR Dependency Tree
* **PR #13494** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved iOS mobile table view scrolling: horizontal overflow is no
longer forcibly hidden, preventing clipped content and enabling smoother
horizontal navigation.
* Users can now access columns that previously appeared truncated on
narrow screens.
* Vertical scrolling behavior remains unchanged.
* No impact on non‑iOS devices.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Close
[AF-2789](https://linear.app/affine-design/issue/AF-2789/安卓客户端日期没了)
#### PR Dependency Tree
* **PR #13493** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved editing mode stability in mobile Kanban cells by preventing
redundant enter/exit transitions, resulting in smoother interactions and
reduced flicker.
* Enhanced mobile Table cells to avoid duplicate editing state changes,
minimizing unnecessary updates and improving responsiveness.
* Overall, editing transitions are now idempotent across affected mobile
views, reducing visual jitter and improving performance during edit
operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
fix AI-417
#### PR Dependency Tree
* **PR #13492** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Copying code snippets now uses a rich format for improved paste
fidelity in compatible editors.
* Preserves code block formatting and language when pasted, reducing
manual cleanup.
* Continues to support plain text and HTML paste for broad
compatibility.
* Works more reliably when moving content within the app.
* Existing copy confirmation remains unchanged.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Close
[AI-415](https://linear.app/affine-design/issue/AI-415/code-artifact-复制更好的支持code-block和插入正文)
#### PR Dependency Tree
* **PR #13490** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Editor now deactivates when text selection moves outside the app,
preventing unintended interactions.
* Better handling when selection changes to external content, reducing
cases where the editor stayed active incorrectly.
* **Stability**
* Improved reliability around selection, focus, and visibility changes
to avoid accidental edits or actions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13490** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
#### PR Dependency Tree
* **PR #13464**
* **PR #13465**
* **PR #13471** 👈
* **PR #13472**
* **PR #13473**
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* DOM rendering added for groups, mind maps and connectors so group
titles/outlines and mindmap connectors are visible on canvas.
* Shapes now support right-to-left text with proper vertical alignment.
* **Improvements**
* Connector labels scale with viewport zoom for crisper display.
* Group-related selections (including nested groups) now update visuals
consistently.
* **Performance**
* Reduced DOM churn and fewer redraws during rendering and selection
changes.
* **Refactor**
* Renderer import/export surfaces consolidated with no user-facing
behavior changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
fix AI-415
#### PR Dependency Tree
* **PR #13489** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved code block stability to prevent layout shifts and overlapping
during syntax highlighting.
* Ensured consistent height and alignment for code snippets.
* **Style**
* Refined code block appearance for clearer, more polished presentation.
* **Chores**
* Internal adjustments to support more reliable rendering of highlighted
code.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13485** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Improved mobile toast notification layout for better responsiveness
across screen sizes.
* Replaced fixed left alignment with dynamic edge offsets, ensuring
consistent spacing near screen edges.
* Removed forced centering and rigid width constraints to reduce
clipping and overlap on narrow viewports.
* Visual behavior only; no changes to interaction or functionality.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
> CLOSE PD-2697
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Removing an attachment chip now also removes duplicate attachments
with the same source, preventing duplicate attachments in the AI chat
chip list.
* Removing a selected context chip now also removes duplicate selected
contexts with the same identifier, preventing duplicate context chips.
* Attachments from different sources and chips of other types (document,
file, tag, collection) remain unaffected.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13464**
* **PR #13465** 👈
* **PR #13471**
* **PR #13472**
* **PR #13473**
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved stacking order across canvas elements (shapes, connectors,
brush, highlighter), reducing unexpected overlap.
* Corrected z-index application for placeholders and fully rendered
elements to ensure consistent layering during edits.
* **Refactor**
* Centralized z-index handling for canvas elements to provide
predictable, uniform layering behavior across the app.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13464** 👈
* **PR #13465**
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* DOM-based SVG rendering for Brush and Highlighter with zoom, rotation,
layering and improved visualization.
* **Refactor**
* Consolidated renderer exports into a single entry point for simpler
integration.
* **Chores**
* Updated view registrations to include the new DOM renderer extensions.
* Improved highlighter sizing consistency based on serialized bounds.
* **Revert**
* Removed highlighter renderer registration from the shape module.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13464** 👈
* **PR #13465**
* **PR #13471**
* **PR #13472**
* **PR #13473**
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
Close [AI-413](https://linear.app/affine-design/issue/AI-413)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Chat messages now scroll vertically, preventing content from being cut
off.
* Chat actions are no longer displayed or fetched, reducing unnecessary
loading.
* Peek view chat composer behavior is aligned with the main chat,
ensuring consistent feature availability across views.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- Enforced a consistent step limit for AI responses across providers,
preventing excessively long generations in both text and streaming modes
for more predictable results.
- Refactor
- Centralized step limit configuration into a shared provider, ensuring
uniform behavior across providers and simplifying future maintenance.
- Standardized application of step limits in text generation and
streaming flows to align provider behavior and improve overall
reliability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
In recent versions of Android (or maybe webview), the
`KeyboardEvent.key` for the backspace key now has the correct value.
This PR remove the patch since it will trigger two delete actions when
press backspace at the first character of paragraph"
Related PR https://github.com/toeverything/AFFiNE/issues/10523
#### PR Dependency Tree
* **PR #13483** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Streamlined keyboard shortcut handling for greater consistency across
platforms.
* Reduced overhead by consolidating event bindings; no change to
expected shortcut behavior for end-users.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13484** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- Reduced repeated mobile editing notifications; the notice now appears
once and only reappears after you dismiss it.
- More consistent notification behavior on mobile for a less disruptive
editing experience.
- Refactor
- Streamlined internal event handling to improve reliability and reduce
potential listener leaks, resulting in smoother interactions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13481** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- The “Update payment method” prompt now appears only when your
subscription is past due.
- Payment Method section now shows whenever a paid plan record exists
(loading placeholders unchanged).
- Action button styling adjusts for past-due subscriptions (uses the
alternate/secondary style).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Added GPT-5 family and made GPT-5/-mini the new defaults for Copilot
scenarios and prompts.
- Bug Fixes
- Improved streaming chunk formats and reasoning/text semantics,
consistent attachment mediaType handling, and more reliable reranking
via log-prob handling.
- Refactor
- Unified maxOutputTokens usage; removed per-call step caps and migrated
several tools to a unified inputSchema shape.
- Chores
- Upgraded AI SDK dependencies and bumped an internal dependency
version.
- Tests
- Updated mocks and tests to reference GPT-5 variants and new stream
formats.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
fix CLOUD-238, CLOUD-239
#### PR Dependency Tree
* **PR #13477** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Payment method management is now always available directly within AI
and Pro plan cards.
* **Bug Fixes**
* Past-due subscriptions are now included in subscription status
results, ensuring they appear in billing views.
* **Style**
* Plan actions are moved inline within each plan’s description for a
cleaner, more compact layout.
* Actions are grouped horizontally with improved spacing.
* Minor class name and spacing tweaks for consistent styling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<img width="971" height="681" alt="iShot_2025-08-10_14 29 01"
src="https://github.com/user-attachments/assets/eff3e6d5-3129-42ac-aceb-994c18f675ab"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Mermaid diagram previews for code blocks with interactive zoom, pan,
and reset controls.
* Improved rendering feedback with loading, error states, retry
behavior, and fallback messaging.
* **Chores**
* Added Mermaid as a frontend dependency to enable diagram rendering.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: L-Sun <zover.v@gmail.com>
fix#12721
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved handling of non‑ASCII filenames when unzipping archives: the
extractor now tries alternative encodings and validates results so
filenames are preserved and displayed correctly after extraction. This
change reduces corrupt or garbled names while keeping existing
extraction behavior otherwise unchanged.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Smarter embedding pipeline skips re-embedding when content hasn’t
changed; added content sanitization for embeddings and workspace content
retrieval.
- Bug Fixes
- Re-embedding now requires both a document update and the last
embedding being older than 10 minutes, reducing unnecessary work.
- Refactor
- Consolidated embedding preprocessing and moved sanitization utilities
into shared models; upserts now refresh stored content.
- Tests
- Expanded snapshot-based tests covering multiple time/age scenarios for
embedding decision logic.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Prevents accidental deletion of placeholder documents during embedding
cleanup.
* Improves accuracy when identifying documents to remove, using multiple
data sources.
* Skips unnecessary cleanup when no embeddings or snapshots exist,
reducing noise and overhead.
* **Chores**
* Streamlined and centralized document filtering logic to ensure
consistent cleanup behavior.
* Parallelized data checks to make cleanup more efficient without
changing user workflows.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Close [AI-410](https://linear.app/affine-design/issue/AI-410)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- None
- Bug Fixes
- Middle-click panning now reliably returns to the previously active
tool, including after using Copilot or frame navigation.
- Smoother, more responsive transition into panning to reduce accidental
selections.
- Refactor
- Simplified AI panel click-outside handling with no change to
user-visible behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
> CLOSE PD-2698
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **Refactor**
- Optimized context chip handling in the AI chat composer to process
additions concurrently.
- Improves responsiveness when adding multiple documents or attachments
as context, reducing wait times and making the composing experience
smoother.
- No changes to visible functionality; users should notice faster
updates when selecting several items at once.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Close [AI-411](https://linear.app/affine-design/issue/AI-411)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- Releasing the mouse now always ends panning, preventing stuck states.
- Actions cancel correctly when you release without dragging.
- Refactor
- More consistent Copilot activation: use right-click or Ctrl (⌘ on Mac)
+ left-click.
- Smoother switching to Copilot with improved drag-state reset and
cleanup.
- Removed automatic restoration of previous selection when activating
Copilot.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13462** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated default configuration: The DOM-based renderer is now disabled
by default on all platforms. Previously, it was enabled by default on
iOS. This change standardizes the out-of-the-box experience across
devices. If you rely on the DOM renderer, you can still enable it via
feature flags in your environment or settings.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- None
- Bug Fixes
- Ensures a placeholder embedding is always created when content is
empty or after deletion, reducing errors and improving Copilot
stability.
- Refactor
- Centralized empty-embedding handling for consistent behavior across
workflows.
- Standardized embedding dimension configuration to a single source for
reliability.
- Chores
- Simplified internal embedding module surface and imports for
maintainability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
oxlint-tsgolint install fails had been fixed
see https://github.com/oxc-project/oxc/issues/12892
#### PR Dependency Tree
* **PR #13457** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated the version range for a development dependency to allow for
newer compatible releases.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13460** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- The DOM renderer setting is now configurable across all builds, not
just beta/canary. This expands access to the feature flag for all users,
enabling broader experimentation and customization.
- Users on stable releases can now enable or disable the DOM renderer
through standard configuration, ensuring consistent behavior across
release channels.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13449** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Expanded the list of approvers for the manual approval step in the
release workflow.
* Added more keywords that can be used to deny approval during the
release process.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Crash report:
```
Thread 0 Crashed:
0 Electron Framework 0x113462de8 logging::LogMessage::HandleFatal(unsigned long, std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char>> const&) const
1 Electron Framework 0x113462d20 logging::LogMessage::HandleFatal(unsigned long, std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char>> const&) const
2 Electron Framework 0x10f04d7c8 logging::LogMessage::Flush()
3 Electron Framework 0x113462ea0 logging::LogMessageFatal::~LogMessageFatal()
4 Electron Framework 0x10fd28f44 std::__Cr::basic_ostream<char, std::__Cr::char_traits<char>>& std::__Cr::operator<<<std::__Cr::char_traits<char>>(std::__Cr::basic_ostream<char, std::__Cr::char_traits<char>>&, char const*)
5 Electron Framework 0x11082e900 gin::V8Initializer::LoadV8SnapshotFromFile(base::File, base::MemoryMappedFile::Region*, gin::V8SnapshotFileType)
6 Electron Framework 0x114451da0 gin::V8Initializer::LoadV8SnapshotFromFileName(std::__Cr::basic_string_view<char, std::__Cr::char_traits<char>>, gin::V8SnapshotFileType)
7 Electron Framework 0x110f03e0c content::ContentMainRunnerImpl::Initialize(content::ContentMainParams)
8 Electron Framework 0x1100ae594 content::RunContentProcess(content::ContentMainParams, content::ContentMainRunner*)
9 Electron Framework 0x1100ae1f8 content::ContentMain(content::ContentMainParams)
10 Electron Framework 0x110911c10 ElectronMain
11 dyld 0x19b5d5924 start + 6400
```
#### PR Dependency Tree
* **PR #13450** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Electron Forge configuration to remove a specific setting
related to browser process snapshots. No impact on visible features or
functionality.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
close AF-2787
<img width="2424" height="412" alt="image"
src="https://github.com/user-attachments/assets/d6dedff5-1904-48b1-8a36-c3189104e45b"
/>
#### PR Dependency Tree
* **PR #13448** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced an automated system that regularly detects and repairs
documents with missing summaries in all workspaces.
* Added background processing to ensure document summaries are kept
up-to-date without manual intervention.
* **Tests**
* Added new tests to verify detection of documents with empty or
non-empty summaries.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Attachments (files) are now included in the conversation context,
allowing users to reference files during chat sessions.
* Added a new "blobRead" tool enabling secure, permission-checked
reading of attachment content in chat sessions.
* **Improvements**
* Enhanced chat session preparation to always include relevant context
files.
* System messages now clearly display attached files and selected
content only when available, improving context clarity for users.
* Updated tool-calling guidelines to ensure user workspace is searched
even when attachment content suffices.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Close [AI-409](https://linear.app/affine-design/issue/AI-409)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved the behavior when continuing in AI Chat by ensuring the
copilot panel is properly hidden before switching panels for a smoother
user experience.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<img width="1275" height="997" alt="截屏2025-08-08 15 13 59"
src="https://github.com/user-attachments/assets/b429239d-84dc-490d-ad1e-957652e3caba"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced support for attachment chips in AI chat, allowing
individual attachments to be displayed, added, and removed as separate
chips.
* Added a new visual component for displaying attachment chips in the
chat interface.
* **Improvements**
* Enhanced chat composer to handle attachments and document chips
separately, improving clarity and control over shared content.
* Expanded criteria for triggering chat actions to include both document
and attachment selections.
* **Refactor**
* Updated context management to process attachments individually rather
than in batches, streamlining the addition and removal of context items.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR replaces the MailHog Docker container with Mailpit.
Reasons for this change:
- MailHog is no longer maintained.
- Mailpit is an actively developed, open-source alternative.
- Fully compatible as a drop-in replacement.
- Lightweight and Fast: Built with Go, the official Docker image is only
12.5MB.
This change improves performance and ensures we are using a maintained
tool for local email testing.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Replaced the email testing service with a new one that offers a
similar web interface and SMTP port.
* Updated configuration to enhance message storage and persistence for
email testing in development environments.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Battery save mode is now enabled by default on mobile devices.
* Users will see an updated, more detailed description for battery save
mode.
* Battery save mode can now be configured by all users, not just in
certain builds.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Electron app configuration to enhance security and integrity
with additional runtime protection options.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Improved test reliability by automatically cleaning up workspace
snapshots during embedding status checks in end-to-end tests.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
> CLOSE AF-2786
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for including HTML content from the "make it real"
action in AI chat context and prompts.
* Users can now continue AI responses in chat with richer context,
including HTML, for certain AI actions.
* **Improvements**
* Enhanced token counting and context handling in chat to account for
HTML content.
* Refined chat continuation logic for smoother user experience across
various AI actions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved click event handling on reference elements to prevent
unintended behavior from right-clicks.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved WebView configuration to allow loading mixed content (HTTP
and HTTPS) in the Android app.
* Enhanced robustness when retrieving upload timestamps, preventing
potential errors if data is missing or undefined.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
close AF-2766
<img width="2082" height="654" alt="image"
src="https://github.com/user-attachments/assets/efba776c-91cd-4d59-a2a6-e00f68c61be1"
/>
#### PR Dependency Tree
* **PR #13428** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Configuration descriptions for the copilot plugin now include direct
links to relevant documentation for easier access to more information.
* **Style**
* Improved display of configuration descriptions to support and render
HTML content.
* **Refactor**
* The AI navigation item in the admin panel has been disabled and is no
longer visible.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
