Commit Graph

4090 Commits

Author SHA1 Message Date
DarkSky e145d87d56 feat(server): cleanup legacy compatibility (#15239) 2026-07-15 03:01:51 +08:00
DarkSky 00d4ab10a1 chore: bump version 2026-07-14 19:43:42 +08:00
Rodman 9d1570a703 fix(i18n): learn more typo (#15230) 2026-07-14 17:08:15 +08:00
DarkSky cfd1b67d8c fix(core): version guard (#15226)
fix #15225



#### PR Dependency Tree


* **PR #15226** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
  * Improved self-hosted server version validation.
  * Correctly supports compatible beta and release-candidate versions.
  * Rejects outdated pre-release versions consistently.
* Provides the appropriate unsupported-version guidance when
compatibility requirements are not met.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-13 19:04:12 +08:00
DarkSky 0c16d7110d feat: improve native preview (#15223)
#### PR Dependency Tree


* **PR #15223** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Improvements**
* Updated Mermaid and Typst preview rendering in native/mobile apps to
use a shared preview implementation.
* Improved production Release builds with additional Rust release tuning
and enhanced iOS Release stripping/symbol settings.
* Enabled stronger release output optimization for the native package
build.
* **Bug Fixes**
* Strengthened handling of unsupported self-hosted server versions
during login preflight.
* Refreshed unsupported-version messaging with localized text and a
direct upgrade link.
* **Tests**
* Added coverage for login preflight behavior when the server version is
unsupported.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-13 03:23:08 +08:00
DarkSky 9b81c6debd feat(core): improve mcp management (#15221)
#### PR Dependency Tree


* **PR #15221** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added MCP credential management (create/reveal, list, rotate, revoke)
with expiration and status tracking.
* Introduced read-only vs read/write access modes, with read/write
tooling enabled only when permitted.
* Added workspace MCP credential configuration UI, including token
reveal and setup generation.
  * Added MCP credential GraphQL APIs to back the UI.
* **Changes**
* Replaced legacy access-token support with MCP credentials across
authentication and realtime updates.
* **Bug Fixes**
* MCP authentication now reliably rejects revoked, rotated, expired, or
disabled-user credentials.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-12 19:30:44 +08:00
DarkSky abf37d3dfa feat(core): improve login flow (#15219)
#### PR Dependency Tree


* **PR #15219** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added secure, automatic auth session token refresh and request replay
for expired-token responses across Android, iOS, and Electron.
* Updated sign-in flows to manage sessions without returning tokens to
the app layer.
* Added “Devices” management UI with sign out per device and sign out
all.
  * Enabled support for both Hashcash and Turnstile captcha providers.
* **Bug Fixes**
* Improved refresh de-duplication, inflight cancellation/clear behavior,
and recovery from corrupted/invalid sessions.
* **Tests**
* Expanded auth-session, refresh/revoke, and replay coverage (Electron
unit tests, Android instrumentation tests, iOS auth date parser tests).
* **Chores**
* Removed CAPTCHA site key from build-time configuration and adjusted CI
test execution.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-12 18:11:02 +08:00
DarkSky 02b25e05d8 feat(server): support refresh token (#15218) 2026-07-12 02:39:42 +08:00
keepClamDown a868f54eeb fix(ios): stabilize keyboard toolbar, image picker, and scrolling (#15182)
## Summary
- keep the editor active when iOS keyboard toolbar interactions move
focus into range-sync excluded widgets
- use the native iOS image picker/source sheet and sync native
presentation with the app theme
- pin `ListViewKit` to `1.1.6` so the iOS workspace resolves with Xcode
16.3
- restore vertical scrolling in the iOS `WKWebView` by removing the
global `contentOffset` reset while preserving zoom prevention

## Test plan
- [x] `yarn vitest --run --config \"vitest.config.ts\"
--browser.enabled=false \"src/__tests__/inline/active.unit.spec.ts\"`
- [x] `LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 xcodebuild
-resolvePackageDependencies -workspace
\"packages/frontend/apps/ios/App/App.xcworkspace\" -scheme \"App\"`
- [x] `xcodebuild -workspace \"App.xcworkspace\" -scheme \"App\"
-destination \"generic/platform=iOS Simulator\" build
CODE_SIGNING_ALLOWED=NO ONLY_ACTIVE_ARCH=YES ARCHS=arm64`
- [x] Xcode build validation for the updated PR branch
2026-07-09 11:11:55 +08:00
DarkSky fe2a4db76b feat(core): improve dashboard style (#15205) 2026-07-07 12:13:11 +08:00
DarkSky 631e4af9b9 fix(i18n): outdated entries 2026-07-07 08:40:02 +08:00
steffenrapp 19b770bddf feat(i18n): update German translation (#15201)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
- Added German translations for new import options, including Notion
Markdown ZIP and OneNote.
- Included localized helper text for import tips and availability notes,
such as desktop-only guidance.

- **Copy Updates**
  - Updated the Notion import label to indicate it is experimental.
- Expanded the German wording for import-related tooltips and
descriptions.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-07 08:38:36 +08:00
DarkSky 998b255afd feat(server): refactor mail queue (#15204) 2026-07-07 08:38:16 +08:00
DarkSky 9581432d21 feat(core): onenote importer (#15198)
#### PR Dependency Tree


* **PR #15198** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added OneNote import support for `.one`, `.onetoc2`, and `.onepkg`,
including OneNote-to-markdown content conversion.
* OneNote now appears in the import flow with a dedicated label and
format tooltip, and file pickers recognize the new OneNote type.

* **Bug Fixes**
* Import options that are desktop-only are now disabled when not running
in the desktop app, with clear messaging.
* Improved imported asset handling by converting non-image embedded
assets into attachments for more consistent results.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-06 06:20:52 +08:00
DarkSky 8d72e4dc29 feat(core): import progress & perf (#15197)
#### PR Dependency Tree


* **PR #15197** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a new import pipeline with “plan then commit” batch handling for
Markdown, Notion HTML, Obsidian, and Bear backups.
* Enabled native import sessions with progress, cancellation, and
batch-by-batch committing (including assets, folders, icons, and tags).
  * Added web preflight limits for ZIP and multi-file imports.
* **Bug Fixes**
* Improved import error/warning reporting and continued processing when
some items fail.
* Strengthened snapshot-based file/directory picking to preserve paths.
* **Chores**
  * Updated project packaging/configuration for the new import workflow.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-06 01:29:24 +08:00
Jachin 477015f064 feat(core): support Notion markdown zip imports (#14910)
## What changed
- Markdown zip imports now resolve local `.md` links like `./test/2.md`
into AFFiNE linked-page references when the target document exists in
the same archive.
- Added Notion Markdown `.zip` import support in the desktop import
dialog, including nested zip traversal, Notion title extraction,
hash-stripped folder names, attachments, and folder hierarchy
integration.
- Added i18n entries and adapter coverage for standard Markdown zip
links and Notion Markdown zip imports.

## Why
Markdown and Notion exports often contain links between notes using
relative `.md` paths. Keeping those as plain URLs makes imported
workspaces harder to navigate, so the importer now preassigns document
ids and rewrites resolvable archive-local markdown links into linked
pages.

## Notes
The markdown zip folder hierarchy implementation now comes from latest
`origin/canary`, so this PR only layers relative-link resolution and
Notion Markdown zip support on top of that upstream behavior.

## Validation
- `yarn vitest --run
blocksuite/affine/all/src/__tests__/adapters/markdown.unit.spec.ts`
- `yarn tsc -b blocksuite/affine/all/tsconfig.json --verbose`
- `git diff --check`

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added support for importing Notion Markdown exports in `.zip` format,
including subpages, attachments, and nested folders.
* Internal links inside imported Markdown now resolve correctly between
pages, preserving link text when available.
* The import dialog now includes a dedicated “Notion (Markdown, .zip)”
option.

* **Bug Fixes**
* Improved filename handling so non-Latin characters in ZIP imports are
preserved correctly.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com>
Co-authored-by: DarkSky <darksky2048@gmail.com>
2026-07-05 04:42:48 +08:00
steffenrapp 8063af2da8 feat(i18n): update German translation (#15159)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a German invite notification title with a `{{count}}`
placeholder.
* **Bug Fixes**
* Improved German messaging for unsupported server/client version
mismatches, including a `{{requiredVersion}}` placeholder.
* **Updates**
* Refreshed German UI wording to consistently use “AFFiNE Sync” across
sign-in/onboarding, publishing/sharing, collaboration tips,
storage/autodelete guidance, and related confirmations (including
password reset and sign-out).
  * Updated the workspace chat sub-path label to “KI-Chat”.
* **Chores**
  * Updated German localization completeness score (99 → 100).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-05 04:00:13 +08:00
DarkSky 296a4c2f81 fix(server): dashboard query (#15195)
#### PR Dependency Tree


* **PR #15195** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Admin dashboard storage history now returns a continuous day-by-day
trend, carrying forward the last known workspace and blob storage values
for days without samples.
* Active member counts for workspace analytics were corrected to reflect
active workspace members.
* **New Features**
* Admin workspace member roles are now returned via a dedicated role
enum, serialized as enum name strings (e.g., `Owner`).
* **UI Improvements**
* Renamed key labels to “Active Members” and “Members and Invitations”;
member roles use pill badges and non-accepted statuses are shown.
* **Tests**
* Added E2E coverage for role enum serialization and strengthened
storage history assertions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-05 03:04:05 +08:00
DarkSky c36b5b201e chore(i18n): update i18n (#15191)
#### PR Dependency Tree


* **PR #15191** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Updated sign-in, sign-up, and email content to show the correct server
name for cloud and self-hosted setups.
* Added clearer workspace status messages for syncing, local workspaces,
and server-connected workspaces.
* Introduced localized text updates for more languages, including new
locale coverage.

* **Bug Fixes**
* Replaced outdated “Cloud” wording throughout the app with more
accurate “Sync” and self-hosted terminology.
* Improved account deletion, password reset, sharing, and storage
prompts for clearer user guidance.
* Updated workspace status labels and tooltips to better reflect the
current server connection.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-03 18:37:20 +08:00
keepClamDown cebd7296b1 fix(ios): restore simulator Rust build outputs (#15190)
- sync the iOS ATT pod lockfile with the Capacitor plugin version
already referenced by the repo
- make `xc-universal-binary.sh` produce a real universal simulator Rust
archive for `arm64` and `x86_64`
- run `uniffi-bindgen` against a single-slice archive before assembling
the fat simulator output

- [x] `bash -n packages/frontend/apps/ios/App/xc-universal-binary.sh`
- [x] `xcodebuild -workspace \"App.xcworkspace\" -scheme App
-destination 'generic/platform=iOS Simulator' -derivedDataPath
\".derivedData-rebuild\" build`

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

* **Bug Fixes**
* Improved the iOS build process so universal binaries are generated
from consistent output locations, reducing build path issues.
* Made device and simulator library handling more reliable during
packaging and code generation, helping produce the expected app binaries
more consistently.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-03 18:11:08 +08:00
DarkSky 1b9e21f2de fix(core): handle unsupported server error (#15164)
fix #15160
fix #15161
fix #15158
fix #15166


#### PR Dependency Tree


* **PR #15164** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a “server version too old” message for self-hosted servers,
including the required upgrade version.
* Sign-in and OAuth-related preflight steps now verify server
compatibility before proceeding.
* **Bug Fixes**
* Improved error handling for missing/invalid server version responses
and schema/type mismatches, mapping them to the upgrade instruction.
* **Tests**
* Added coverage for server version guarding and the resulting
user-friendly error payload.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-29 00:03:02 +08:00
DarkSky 0a422aa158 feat(server): blob reconciliation (#15165)
#### PR Dependency Tree


* **PR #15165** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added automated backend maintenance for missing blob metadata
backfill, document-to-blob reference rebuilding, and unreferenced blob
cleanup planning/execution.
* Introduced scheduled batch processing (workspace-paged) and paginated
object-storage listing.
* **Bug Fixes**
* Improved reliability of object-storage reads by treating expected “not
found” results as non-errors.
* Strengthened blob/expired cleanup flows with runtime-driven batching
and reduced coupling to metadata synchronization.
* **Tests**
* Expanded unit and e2e coverage for partial blob metadata and updated
runtime/job cleanup test assertions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-29 00:02:38 +08:00
DarkSky 4a7c931eca fix(server): member loading (#15156)
#### PR Dependency Tree


* **PR #15156** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Fixed Stripe subscription syncing for Team plans to update the correct
existing local subscription (avoiding duplicates) while refreshing
quantity and billing/trial period details.
* **UI/UX Improvements**
* Improved workspace member list loading/error states with shared UI
components and steadier pagination behavior.
  * Refined fallback styling for cleaner, more stable layout.
* **Tests**
* Expanded subscription and projection coverage and adjusted
seat-allocation/e2e assertions to be more robust.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-26 21:29:15 +08:00
DarkSky 57c5bac456 fix: ci 2026-06-25 02:43:41 +08:00
DarkSky 11db127772 chore: bump deps (#15151) 2026-06-24 23:55:19 +08:00
renovate[bot] fa488aee64 chore: bump up apple/swift-collections version to from: "1.6.0" (#15136)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
|
[apple/swift-collections](https://redirect.github.com/apple/swift-collections)
| minor | `from: "1.5.1"` → `from: "1.6.0"` |

---

### Release Notes

<details>
<summary>apple/swift-collections (apple/swift-collections)</summary>

###
[`v1.6.0`](https://redirect.github.com/apple/swift-collections/releases/tag/1.6.0):
Swift Collections 1.6.0

[Compare
Source](https://redirect.github.com/apple/swift-collections/compare/1.5.1...1.6.0)

This is a feature release adding several useful operations to ordered
collections, as well as shipping bug fixes that landed since 1.5.1.

The list of supported Swift toolchain versions remains 6.0, 6.1, 6.2,
and 6.3 for now. Note that we intend to retire support for Swift 6.0 and
6.1 in a subsequent release later this year.

#### New `OrderedCollections` operations

We now have several new operations that move existing elements in an
`OrderedSet` or `OrderedDictionary` to a new position within the same
collection:

- `OrderedSet.moveSubrange(_:to:)` and
`OrderedDictionary.moveSubrange(_:to:)` move items at a range of indices
to just before the item at the specified destination index.
- `OrderedSet.move(members:to:)` and `OrderedDictionary.move(keys:to:)`
relocate elements identified by value (or key), preserving the order in
which they're listed.
- `OrderedSet.move(indices:to:)` and
`OrderedDictionary.move(indices:to:)` relocate items at an arbitrary
sequence of indices, preserving their listed order.

#### Bugfixes

- `SortedCollections` \[with the `UnstableSortedCollections` trait]: The
default capacity of B-tree nodes is no longer clamped at 16, improving
performance.
([#&#8203;257](https://redirect.github.com/apple/swift-collections/issues/257))
- `DequeModule`: The ownership-aware `RigidDeque` and `UniqueDeque`
types no longer hand out invalid spans to clients
([#&#8203;659](https://redirect.github.com/apple/swift-collections/issues/659))
- `ContainersPreview` \[with the `UnstableContainersPreview` trait]: The
deprecated `Borrow` type alias is now declared with correct
availability.
([#&#8203;655](https://redirect.github.com/apple/swift-collections/issues/655))

#### What's Changed

- Add missing availability to Borrow by
[@&#8203;guoye-zhang](https://redirect.github.com/guoye-zhang) in
[#&#8203;655](https://redirect.github.com/apple/swift-collections/pull/655)
- \[InternalCollectionsUtilities] Fix \_trim returning the wrong buffer
region by
[@&#8203;adityasingh2400](https://redirect.github.com/adityasingh2400)
in
[#&#8203;659](https://redirect.github.com/apple/swift-collections/pull/659)
- \[SortedCollections] Fix \_BTree default node capacity capping at 16
by
[@&#8203;adityasingh2400](https://redirect.github.com/adityasingh2400)
in
[#&#8203;661](https://redirect.github.com/apple/swift-collections/pull/661)
- Small benchmarking improvements by
[@&#8203;lorentey](https://redirect.github.com/lorentey) in
[#&#8203;664](https://redirect.github.com/apple/swift-collections/pull/664)
- \[OrderedCollections] Add move operations by
[@&#8203;dnadoba](https://redirect.github.com/dnadoba) in
[#&#8203;660](https://redirect.github.com/apple/swift-collections/pull/660)
- 1.6.0 prerelease cleanups by
[@&#8203;lorentey](https://redirect.github.com/lorentey) in
[#&#8203;665](https://redirect.github.com/apple/swift-collections/pull/665)

#### New Contributors

- [@&#8203;guoye-zhang](https://redirect.github.com/guoye-zhang) made
their first contribution in
[#&#8203;655](https://redirect.github.com/apple/swift-collections/pull/655)
- [@&#8203;adityasingh2400](https://redirect.github.com/adityasingh2400)
made their first contribution in
[#&#8203;659](https://redirect.github.com/apple/swift-collections/pull/659)

**Full Changelog**:
<https://github.com/apple/swift-collections/compare/1.5.1...1.6.0>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-06-22 11:49:09 +08:00
Tines Valen e2624d93c7 fix(core): filters emojipicker on label in addition to tags (#15129)
Fixes #15116 
# Issue
Emojipicker keyword filtering only filtered on `tags`, and not `label`.
So searching for an emoji's name would not result in said emoji ending
up in the result. E.G. searching "sunflower" does not make 🌻 appear

# Solution
Adding an extra condition to the filter function to check if the keyword
is a substring of an emoji's label

# Result
Search results now include emojis with that `label`

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Improved emoji picker search to include matches on both emoji labels
and tags (case-insensitive), enabling broader search results for better
discoverability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-18 22:07:27 +08:00
renovate[bot] 01d7ef88e3 chore: bump up esbuild version to ^0.28.0 [SECURITY] (#15128)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [esbuild](https://redirect.github.com/evanw/esbuild) | [`^0.25.12` →
`^0.28.0`](https://renovatebot.com/diffs/npm/esbuild/0.25.12/0.28.1) |
![age](https://developer.mend.io/api/mc/badges/age/npm/esbuild/0.28.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/esbuild/0.25.12/0.28.1?slim=true)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/5188) for more information.

---

### esbuild enables any website to send any requests to the development
server and read the response

[GHSA-67mh-4wv8-2f99](https://redirect.github.com/advisories/GHSA-67mh-4wv8-2f99)

<details>
<summary>More information</summary>

#### Details
##### Summary

esbuild allows any websites to send any request to the development
server and read the response due to default CORS settings.

##### Details

esbuild sets `Access-Control-Allow-Origin: *` header to all requests,
including the SSE connection, which allows any websites to send any
request to the development server and read the response.


https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121

https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363

**Attack scenario**:

1. The attacker serves a malicious web page
(`http://malicious.example.com`).
1. The user accesses the malicious web page.
1. The attacker sends a `fetch('http://127.0.0.1:8000/main.js')` request
by JS in that malicious web page. This request is normally blocked by
same-origin policy, but that's not the case for the reasons above.
1. The attacker gets the content of `http://127.0.0.1:8000/main.js`.

In this scenario, I assumed that the attacker knows the URL of the
bundle output file name. But the attacker can also get that information
by

- Fetching `/index.html`: normally you have a script tag here
- Fetching `/assets`: it's common to have a `assets` directory when you
have JS files and CSS files in a different directory and the directory
listing feature tells the attacker the list of files
- Connecting `/esbuild` SSE endpoint: the SSE endpoint sends the URL
path of the changed files when the file is changed (`new
EventSource('/esbuild').addEventListener('change', e =>
console.log(e.type, e.data))`)
- Fetching URLs in the known file: once the attacker knows one file, the
attacker can know the URLs imported from that file

The scenario above fetches the compiled content, but if the victim has
the source map option enabled, the attacker can also get the
non-compiled content by fetching the source map file.

##### PoC

1. Download
[reproduction.zip](https://redirect.github.com/user-attachments/files/18561484/reproduction.zip)
2. Extract it and move to that directory
1. Run `npm i`
1. Run `npm run watch`
1. Run `fetch('http://127.0.0.1:8000/app.js').then(r =>
r.text()).then(content => console.log(content))` in a different
website's dev tools.


![image](https://redirect.github.com/user-attachments/assets/08fc2e4d-e1ec-44ca-b0ea-78a73c3c40e9)

##### Impact

Users using the serve feature may get the source code stolen by
malicious websites.

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N`

#### References
-
[https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99)
-
[https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d](https://redirect.github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d)
-
[https://github.com/advisories/GHSA-67mh-4wv8-2f99](https://redirect.github.com/advisories/GHSA-67mh-4wv8-2f99)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-67mh-4wv8-2f99)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### esbuild allows arbitrary file read when running the development
server on Windows

[GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/advisories/GHSA-g7r4-m6w7-qqqr)

<details>
<summary>More information</summary>

#### Details
##### Summary

The development server contains a path traversal vulnerability on
Windows when serving files from `servedir`.

Due to the use of `path.Clean()` (which only normalizes forward-slash
`/` separators) instead of a Windows-aware path normalization function,
it is possible to craft requests using backslashes (`\`) that bypass the
intended directory containment logic. An attacker can escape the
configured `servedir` root and access arbitrary files on the filesystem.
This issue affects Windows environments only.

##### Details

The request path is sanitized using:
```go
// https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L165
queryPath := path.Clean(req.URL.Path)[1:]
```

However:
- `path.Clean()` is POSIX-style and only understands `/` (docs:
`https://pkg.go.dev/path#Clean`)
- On Windows, `\` is a valid path separator
- `path.Clean()` does not treat `\` as a separator

Later, the server constructs the absolute path:
```go
// https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L221
absPath := h.fs.Join(h.servedir, queryPath)
```

If `queryPath` contains sequences such as:
```
..\..\..\..\..\..\..\Windows\system.ini
```

`path.Clean()` will not normalize them, but the Windows filesystem will
interpret `\` as directory separators when resolving `absPath`.
Because the implementation does not verify that the final resolved path
remains within `servedir`, it allows directory traversal outside the
intended root directory.

##### Vulnerable Code

```go
// https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L165
	queryPath := path.Clean(req.URL.Path)[1:]
	....
	// Check for a file in the "servedir" directory
	if h.servedir != "" && kind != fs.FileEntry {
		absPath := h.fs.Join(h.servedir, queryPath)
		if absDir := h.fs.Dir(absPath); absDir != absPath {
			if entries, err, _ := h.fs.ReadDirectory(absDir); err == nil {
				if entry, _ := entries.Get(h.fs.Base(absPath)); entry != nil && entry.Kind(h.fs) == fs.FileEntry {
	....				
```

##### Steps to reproduce

```
npm install --save-exact --save-dev esbuild

echo "console.log(1)" > app.js

.\node_modules\.bin\esbuild --version
0.27.3

.\node_modules\.bin\esbuild app.js --bundle --outdir=www --servedir=www --watch

curl -i --path-as-is "http://localhost:8000/..\..\..\..\..\..\..\Windows\system.ini"
<content of Windows\system.ini>
```

##### Impact

- Arbitrary file read on Windows
- Exposure of sensitive files

#### Severity
- CVSS Score: 2.5 / 10 (Low)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N`

#### References
-
[https://github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr)
-
[https://github.com/evanw/esbuild/releases/tag/v0.28.1](https://redirect.github.com/evanw/esbuild/releases/tag/v0.28.1)
-
[https://github.com/advisories/GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/advisories/GHSA-g7r4-m6w7-qqqr)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-g7r4-m6w7-qqqr)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>evanw/esbuild (esbuild)</summary>

###
[`v0.28.1`](https://redirect.github.com/evanw/esbuild/blob/HEAD/CHANGELOG.md#0281)

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.28.0...v0.28.1)

- Disallow `\\` in local development server HTTP requests
([GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr))

This release fixes a security issue where HTTP requests to esbuild's
local development server could traverse outside of the serve directory
on Windows using a `\\` backslash character. It happened due to the use
of Go's `path.Clean()` function, which only handles Unix-style `/`
characters. HTTP requests with paths containing `\\` are no longer
allowed.

Thanks to [@&#8203;dellalibera](https://redirect.github.com/dellalibera)
for reporting this issue.

- Add integrity checks to the Deno API
([GHSA-gv7w-rqvm-qjhr](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-gv7w-rqvm-qjhr))

The previous release of esbuild added integrity checks to esbuild's npm
install script. This release also adds integrity checks to esbuild's
Deno install script. Now esbuild's Deno API will also fail with an error
if the downloaded esbuild binary contains something other than the
expected content.

Note that esbuild's Deno API installs from `registry.npmjs.org` by
default, but allows the `NPM_CONFIG_REGISTRY` environment variable to
override this with a custom package registry. This change means that the
esbuild executable served by `NPM_CONFIG_REGISTRY` must now match the
expected content.

Thanks to [@&#8203;sondt99](https://redirect.github.com/sondt99) for
reporting this issue.

- Avoid inlining `using` and `await using` declarations
([#&#8203;4482](https://redirect.github.com/evanw/esbuild/issues/4482))

Previously esbuild's minifier sometimes incorrectly inlined `using` and
`await using` declarations into subsequent uses of that declaration,
which then fails to dispose of the resource correctly. This bug happened
because inlining was done for `let` and `const` declarations by avoiding
doing it for `var` declarations, which no longer worked when more
declaration types were added. Here's an example:

  ```js
  // Original code
  {
    using x = new Resource()
    x.activate()
  }

  // Old output (with --minify)
  new Resource().activate();

  // New output (with --minify)
  {using e=new Resource;e.activate()}
  ```

- Fix module evaluation when an error is thrown
([#&#8203;4461](https://redirect.github.com/evanw/esbuild/issues/4461),
[#&#8203;4467](https://redirect.github.com/evanw/esbuild/pull/4467))

If an error is thrown during module evaluation, esbuild previously
didn't preserve the state of the module for subsequent module
references. This was observable if `import()` or `require()` is used to
import a module multiple times. The thrown error is supposed to be
thrown by every call to `import()` or `require()`, not just the first.
With this release, esbuild will now throw the same error every time you
call `import()` or `require()` on a module that throws during its
evaluation.

- Fix some edge cases around the `new` operator
([#&#8203;4477](https://redirect.github.com/evanw/esbuild/issues/4477))

Previously esbuild incorrectly printed certain edge cases involving
complex expressions inside the target of a `new` expression
(specifically an optional chain and/or a tagged template literal). The
generated code for the `new` target was not correctly wrapped with
parentheses, and either contained a syntax error or had different
semantics. These edge cases have been fixed so that they now correctly
wrap the `new` target in parentheses. Here is an example of some
affected code:

  ```js
  // Original code
  new (foo()`bar`)()
  new (foo()?.bar)()

  // Old output
  new foo()`bar`();
  new (foo())?.bar();

  // New output
  new (foo())`bar`();
  new (foo()?.bar)();
  ```

- Fix renaming of nested `var` declarations
([#&#8203;4471](https://redirect.github.com/evanw/esbuild/issues/4471))

This release fixes a bug where `var` declarations in nested scopes that
are hoisted up to module scope were not correctly being renamed during
bundling. That could previously lead to name collisions when
minification was disabled, which could potentially cause a behavior
change. The bug has been fixed so that these hoisted declarations are
now considered to be module-level symbols during the name collision
avoidance pass.

- Emit `var` instead of `const` for certain TypeScript-only constructs
for ES5
([#&#8203;4448](https://redirect.github.com/evanw/esbuild/issues/4448))

While esbuild doesn't generally support converting `const` to `var` for
ES5 due to nested scoping rules (which is currently a build-time error),
esbuild previously incorrectly converted TypeScript-only `import`
assignment constructs into a `const` declaration even when targeting
ES5. With this release, esbuild will now use `var` for this case
instead:

  ```js
  // Original code
  import x = require('y')

  // Old output (with --target=es5)
  const x = require("y");

  // New output (with --target=es5)
  var x = require("y");
  ```

### [`v0.28.0`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.7...v0.28.0)

### [`v0.27.7`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.5...v0.27.7)

### [`v0.27.5`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.4...v0.27.5)

### [`v0.27.4`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.3...v0.27.4)

### [`v0.27.3`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.2...v0.27.3)

### [`v0.27.2`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.1...v0.27.2)

### [`v0.27.1`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.0...v0.27.1)

### [`v0.27.0`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.26.0...v0.27.0)

### [`v0.26.0`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.25.12...v0.26.0)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-06-18 17:41:44 +08:00
DarkSky 154d9e975d fix: deps & config (#15126) 2026-06-18 14:41:48 +08:00
renovate[bot] 24e07f73bb chore: bump up capacitor-plugin-app-tracking-transparency version to v3 (#15079)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[capacitor-plugin-app-tracking-transparency](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency)
| [`^2.0.5` →
`^3.0.0`](https://renovatebot.com/diffs/npm/capacitor-plugin-app-tracking-transparency/2.0.5/3.0.0)
|
![age](https://developer.mend.io/api/mc/badges/age/npm/capacitor-plugin-app-tracking-transparency/3.0.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/capacitor-plugin-app-tracking-transparency/2.0.5/3.0.0?slim=true)
|

---

### Release Notes

<details>
<summary>mahnuh/capacitor-plugin-app-tracking-transparency
(capacitor-plugin-app-tracking-transparency)</summary>

###
[`v3.0.0`](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/releases/tag/v3.0.0)

[Compare
Source](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/compare/v2.0.5...v3.0.0)

- Add support for Swift Package Manager
([#&#8203;29](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/issues/29))
[`40051d6`](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/commit/40051d6)
- Update README.md
[`d8c4d27`](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/commit/d8c4d27)

***

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS40IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com>
2026-06-18 13:00:42 +08:00
DarkSky d500e472f0 chore: bump deps (#15124) 2026-06-18 12:55:18 +08:00
DarkSky da7781a751 feat(mobile): improve android edgeless & ci (#15118)
#### PR Dependency Tree


* **PR #15118** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Improved mobile CI workflow with change-aware Android/iOS build jobs
and updated completion dependencies so tests wait for the relevant
mobile builds.
* **Performance / App Behavior**
* Enhanced Android WebView behavior: improved viewport/WebView tuning,
disabled zoom and scrollbars, and made mixed-content allowance
environment-aware (debug vs non-debug).
* Adjusted Android cleartext traffic handling based on build/debug
settings and Capacitor server URL configuration.
* **Tests**
* Strengthened Electron BYOK storage tests with per-test temporary
directories, mock control, and added coverage for when secure storage is
unavailable.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-17 02:08:15 +08:00
keepClamDown a77d89bb1a fix(editor): edgeless can't slider with finger (#15091)
fix bug edgeless can't slider with finger 

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added mobile immersive edgeless mode with dynamic chrome auto-hide and
tap-gesture controls.
  * Added a mobile zoom ruler UI for edgeless.
* **Bug Fixes**
* Improved iOS rendering/zoom by applying low-zoom survival behavior,
gesture-aware refresh deferral, and effective-DPR canvas scaling.
* Fixed iOS webview zoom/bounce and process-termination reload behavior.
  * Improved placeholder styling with theme-aware colors.
* **Chores**
  * Updated local ignore rules and iOS app build/version configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: DarkSky <darksky2048@gmail.com>
2026-06-16 21:19:31 +08:00
DarkSky 07a08e6d4d fix(editor): import & save logic (#15098)
fix #15080
fix #15085
fix #15031
fix #15094


#### PR Dependency Tree


* **PR #15098** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
  * Improved code-block paste behavior for plain-text insertion
  * Fixed block selection ordering to reflect document model
  * Made table cell formatting resilient to conversion errors
  * Ensured user feature list is consistently returned as an array

* **Refactor**
  * Streamlined authentication session fetch and profile enrichment flow

* **Tests**
  * Added tests for markdown blockquote list preservation
  * Added authentication session validation tests
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-10 22:43:31 +08:00
Talha Mujahid 6faebcabd3 fix(editor): prevent backspace in icon picker search from deleting editor content (#15089)
## Problem
When the callout block's icon picker is open and the user types in the
search input, pressing backspace deletes content in the main editor
instead of the search text.

## Root Cause
The callout icon picker is mounted via `createPopup` inside
`editor-host`. `PageKeyboardManager` registers a global `Backspace`
handler on the editor host (`keyboard-manager.ts`) with `{ global: true
}`, which fires on every backspace keydown regardless of what element is
focused. Without `stopPropagation`, the backspace event from the search
input bubbles up through the DOM and triggers block deletion.

Other keys are unaffected because the editor handles character input
through `contenteditable` focus, those handlers only act when a
contenteditable node is active.

## Fix
Add `onKeyDown` with `e.stopPropagation()` to the search inputs in both
`EmojiPicker` and `AffineIconPicker`. This matches the existing pattern
already used by `MenuComponent` (`menu-renderer.ts:107`) and all other
interactive components (`date-picker`, `inline-edit`, `prompt-modal`).

## Why not affected elsewhere
`DocIconPicker` uses the same pickers but wraps them in a Radix UI
`Menu` with `modal: true`, which portals outside `editor-host` — so
backspace events never reach the editor's global handler there.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved keyboard event handling in search inputs for icon and emoji
pickers

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-10 16:13:04 +08:00
DarkSky d10dd12663 fix(core): transport may not available (#15087)
fix #15086


#### PR Dependency Tree


* **PR #15087** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Console logging is now disabled in production builds to reduce
unnecessary log output, while remaining enabled in development for
debugging purposes.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-06 18:32:54 +08:00
renovate[bot] edc87e38df chore: bump up RevenueCat/purchases-ios-spm version to from: "5.76.0" (#15077)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
|
[RevenueCat/purchases-ios-spm](https://redirect.github.com/RevenueCat/purchases-ios-spm)
| minor | `from: "5.75.0"` → `from: "5.76.0"` |

---

### Release Notes

<details>
<summary>RevenueCat/purchases-ios-spm
(RevenueCat/purchases-ios-spm)</summary>

###
[`v5.76.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.75.0...5.76.0)

[Compare
Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.75.0...5.76.0)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS40IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-06-04 16:39:11 +08:00
Ahsan Khaleeq 37ffef76a4 fix(core): restore Mermaid preview labels and theme-aware contrast (#15073)
fix #14979 
[Bug]: mermaid transparent text in light theme

## Summary

Mermaid diagram preview in code blocks showed shapes and connectors but
no node or edge labels, with poor contrast in dark mode. This change
fixes rendering, sanitization, and display so labels are visible in both
light and dark themes.

## Root cause

1. **Mermaid 11 config** — `flowchart.htmlLabels: false` is ignored;
only root-level `htmlLabels` applies. Labels were still emitted in
`<foreignObject>`.
2. **SVG sanitization** — `sanitizeSvg()` removed all `foreignObject`
elements (and did not allow `<use>`), stripping most label content.
3. **Theme mismatch** — Preview always used Mermaid’s light `default`
theme while the preview panel follows AFFiNE light/dark, causing dark
text on dark backgrounds for edge and title text.
4. **Embedded CSS** — Mermaid’s inline SVG styles often do not apply
after sanitization, leaving text without a visible `fill`.

## Changes

### Classic renderer (`classic-mermaid.ts`)

- Set root-level `htmlLabels: false` (Mermaid 11+).
- Map `dark` theme to Mermaid’s built-in `dark` palette.

### Sanitization (`bridge.ts`)

- Allow `<use>` and `xlink:href` / `href` for label references.
- Allow `class`, `style`, and `id` on SVG nodes.
- **Sanitize** `foreignObject` inner HTML with DOMPurify instead of
deleting it.

### Preview UI (`mermaid-preview.ts`)

- Sync render theme with app `data-theme` (`default` / `dark`) and
re-render on theme change.
- Add CSS overrides so `text` / `tspan` and HTML inside `foreignObject`
use AFFiNE `text/primary`.

### Native / mobile (`preview.rs`)

- Map `dark` and `modern` themes to the modern renderer options (light
uses `default`).

### Types & tests

- Extend `MermaidRenderTheme` with `'dark'`.
- Update unit tests for sanitization and classic config.
- Add integration test (skips when the test environment cannot lay out
Mermaid).

## Test plan

- [ ] Hard refresh or restart `yarn dev`.
- [ ] Create a `mermaid` code block: `graph TD; A-->B` → enable
**Preview**.
- [ ] Confirm labels **A** and **B** appear inside nodes and on the
edge.
- [ ] Toggle AFFiNE **light** / **dark** theme; confirm preview updates
and text stays readable.
- [ ] Run unit tests:
  ```bash
yarn vitest run
packages/frontend/core/src/modules/code-block-preview-renderer/
  ```
- [ ] (Optional) With **Enable Native Mermaid Renderer** enabled in
experimental settings, repeat the manual check.

## Notes for reviewers

- Security: `foreignObject` content is sanitized with the HTML profile;
scripts are stripped.
- The integration test intentionally skips when Mermaid produces an
empty diagram (e.g. happy-dom without full browser layout).


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Mermaid diagrams now adapt to the app's dark or light theme and update
in real time.

* **Improvements**
* SVG sanitization now preserves diagram labels and foreignObject text
while removing unsafe content.
* Classic Mermaid rendering adjusted to keep text labels intact for
previews.

* **Tests**
* Added unit and integration tests covering Mermaid rendering and SVG
sanitization.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-03 16:20:34 +08:00
DarkSky 81760fd45c chore: cleanup legacy logic (#15072) 2026-06-03 16:20:15 +08:00
DarkSky aca47445aa feat(client): migration old package to rspack (#15068)
#### PR Dependency Tree


* **PR #15068** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Upgraded Vitest across packages to 4.1.8 and bumped Tailwind PostCSS
to 4.3.0
* CLI/tooling updated to support the media-capture-playground package
and adjust build/dev server behavior

* **Bug Fixes**
  * Improved workspace deletion reliability in the Electron app

* **Refactor**
* Simplified media capture playground build setup (build/config
adjustments)

* **Tests**
* Made tests more robust by preserving/restoring environment state
during runs
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-02 12:00:50 +08:00
DarkSky 38110de134 fix(core): desktop e2e (#15062)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Sign-in flows now reliably propagate richer authentication results
(user data and session type), improving persistence and reducing
intermittent sign-in issues.
* Native token handling gains a fallback for environments without
encrypted storage, improving session reliability.

* **New Features**
* User-visible warning when sign-in is session-only because encrypted
storage is unavailable.

* **Chores**
  * Tooling ignore patterns updated to exclude .codex.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-01 23:54:41 +08:00
DarkSky 7123595831 chore: bump deps (#15059)
#### PR Dependency Tree


* **PR #15059** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Configurable minimum account age before new accounts can invite
members or create share links (default: 24 hours).
* Sign-in now returns and caches user info for improved session
handling.

* **Bug Fixes**
  * Queue handling accepts and resolves job IDs with special characters.
* Improved clipboard/rich-text caret handling and nested-list paste
reliability.
  * Calendar tests use dynamic current-month dates.
  * AI search returns explicit "No matching documents" when none found.
  * Auth session responses are explicitly non-cacheable.

* **Chores**
* Dependency and toolchain bumps; admin UI config/schema exposes the new
account-age setting.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-01 20:13:59 +08:00
DarkSky ce9841df9d feat(server): passkey pre-refactor (#15060)
#### PR Dependency Tree


* **PR #15060** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* OpenApp native sign-in and native session exchange (JWT) for mobile &
desktop.
  * Centralized short-lived auth challenge store for one-time tokens.
* Encrypted per-endpoint token storage and native token handlers
(Android, iOS, Electron).

* **Improvements**
* Richer auth-method reporting (password, magic link, OAuth, passkey)
and improved sign-in flows.
* Hardened magic-link, OAuth, and session issuance; JWT-backed sessions
and websocket JWT support.
* UX tweaks: form-based password submit, OTP autocomplete, adjusted
captcha flow.

* **Bug Fixes**
  * Expanded tests and auth-state resets to avoid cross-test leakage.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-01 17:11:15 +08:00
renovate[bot] 5b9d51b41b chore: bump up RevenueCat/purchases-ios-spm version to from: "5.75.0" (#15048)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
|
[RevenueCat/purchases-ios-spm](https://redirect.github.com/RevenueCat/purchases-ios-spm)
| minor | `from: "5.74.0"` → `from: "5.75.0"` |

---

### Release Notes

<details>
<summary>RevenueCat/purchases-ios-spm
(RevenueCat/purchases-ios-spm)</summary>

###
[`v5.75.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.74.0...5.75.0)

[Compare
Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.74.0...5.75.0)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwMi4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-31 04:07:47 +08:00
steffenrapp 7a575a4a5b fix: hide experimental settings for doc and folder icons (#15021)
should fix #13955
The emoji doc and folder icons have been officially released with v0.25
but the experimental settings were still available with no effect if
switched.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Feature flags for emoji folder and document icons are no longer
user-configurable.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15021?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-31 04:06:49 +08:00
xuzhi 66a6a5fffc feat(i18n): add missing zh-Hans translations (#15032)
## Summary

This PR completes the missing Simplified Chinese (`zh-Hans`) i18n
resource coverage.

The current i18n completeness calculation is based on key coverage
between `en.json` and each locale resource file. Before this change,
`zh-Hans.json` contained 2331 keys while `en.json` contained 2406 keys,
resulting in a displayed completeness of 97%.

This change adds the 75 missing `zh-Hans` translation entries and
updates the generated completeness value for `zh-Hans` from 97% to 100%.

## Changes

- Added 75 missing Simplified Chinese translations to
`packages/frontend/i18n/src/resources/zh-Hans.json`.
- Updated `packages/frontend/i18n/src/i18n-completenesses.json` so
`zh-Hans` now reports 100% completeness.
- Kept the scope limited to missing i18n resource keys only.

## Notes

This PR does not modify existing `zh-Hans` translations, terminology
choices, or hardcoded English UI strings outside the i18n resource
files.

## Verification

- Confirmed `zh-Hans.json` parses successfully.
- Confirmed `zh-Hans.json` now has full key coverage against `en.json`.
- Confirmed missing key count is 0.
- Confirmed computed `zh-Hans` completeness is 100%.
- Ran pre-commit checks:
  - `yarn lint-staged`
  - `yarn lint:ox`

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Completed Chinese (Simplified) translations with 100% coverage for the
application.
* Added new translations across multiple areas: appearance and image
settings, export functionality, document import from Bear and Obsidian,
analytics and viewer information, editor settings including auto-date
titles and icon options, workspace sharing controls, calendar
integration with CalDAV support, share menu tooltips, and comprehensive
error messages.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15032?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-28 05:15:13 +08:00
renovate[bot] 4f14e8840c chore: bump up RevenueCat/purchases-ios-spm version to from: "5.74.0" (#15024)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
|
[RevenueCat/purchases-ios-spm](https://redirect.github.com/RevenueCat/purchases-ios-spm)
| minor | `from: "5.73.0"` → `from: "5.74.0"` |

---

### Release Notes

<details>
<summary>RevenueCat/purchases-ios-spm
(RevenueCat/purchases-ios-spm)</summary>

###
[`v5.74.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.73.1...5.74.0)

[Compare
Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.73.1...5.74.0)

###
[`v5.73.1`](https://redirect.github.com/RevenueCat/purchases-ios-spm/blob/HEAD/CHANGELOG.md#5731)

[Compare
Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.73.0...5.73.1)

#### 5.73.1

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-24 19:28:25 +08:00
DarkSky 6d1172ba44 chore: bump deps 2026-05-24 07:13:16 +08:00
DarkSky 2aa56cbccd chore: bump toolchain & fix lint 2026-05-24 06:47:17 +08:00
SkyLostTR eecd0a2169 feat(i18n): add Turkish translation (#15000)
This pull request introduces support for the Turkish language to the
frontend internationalization system and adds a new pull request
template to standardize PR descriptions. The main changes are grouped
below:

**Internationalization: Turkish Language Support**
* Added `'tr'` (Turkish) to the `Language` type and
`SUPPORTED_LANGUAGES` object in `index.ts`, including its display name,
native name, flag emoji, and resource loader.
[[1]](diffhunk://#diff-ba5f665c3490d0f5acb2cb70f08314c5373137fa8085ab05175047f10cb7fdf8L26-R27)
[[2]](diffhunk://#diff-ba5f665c3490d0f5acb2cb70f08314c5373137fa8085ab05175047f10cb7fdf8R183-R188)
* Updated `i18n-completenesses.json` to include Turkish (`"tr": 6`).

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
  * Turkish language can now be selected in the app.

* **Localization**
* Initial Turkish translations added and translation completeness set to
100%.
* Locale metadata added (display name, original name, flag) for Turkish.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15000?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-24 06:19:06 +08:00