mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-03-22 23:30:36 +08:00
0d2d4bb6a1f5e02a82a1db8bd16a7431589fcb0c
11134 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
congzhou09
|
0d2d4bb6a1 |
fix(editor): note-edgeless-block loses edit state during shift-click range selection (#14675)
### Problem ●In edgeless mode, when using Shift + click to perform range selection inside an editing `note-edgeless-block` (click at the starting point, then hold Shift and click at the end point), the block will unexpectedly lose its editing and selection state. As a result, subsequent operations on the selection - such as deleting and moving - no longer work. ●The following video demonstrates this issue: https://github.com/user-attachments/assets/82c68683-e002-4a58-b011-fe59f7fc9f02 ### Solution ●The reason is that this "Shift + click" behavior is being handled by the default multi-selection logic, which toggles selection mode and exits the editing state. So I added an `else-if` branch to match this case. ### After ●The video below shows the behavior after this fix. https://github.com/user-attachments/assets/18d61108-2089-4def-b2dc-ae13fc5ac333 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved selection behavior during note editing in multi-select mode to provide more intuitive interaction when using range selection during active editing. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Mohad
|
cb9897d493 |
fix(i18n): support Arabic comma separator in date-picker weekDays and monthNames (#14663)
## Problem
The Arabic locale strings in `ar.json` use the Arabic comma `،` (U+060C)
as separator:
```json
"com.affine.calendar-date-picker.week-days": "أ،إث،ث،أر،خ،ج،س"
```
But `day-picker.tsx` splits on ASCII comma only — causing all
weekday/month names to render as a single unsplit string in Arabic
locale.
## Fix
Change `.split(',')` to `.split(/[,،]/)` in two call sites — matches
both ASCII and Arabic comma.
## Impact
One-line fix per call site. No other functionality affected. All
non-Arabic locales unchanged.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Date picker rendering updated to correctly handle both ASCII and
Arabic/Persian comma formats when determining month and weekday labels.
This fixes inconsistent header and month-name displays in locales using
different comma characters while preserving existing interactions and
behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
Ishan Goswami
|
8ca8333cd6 |
chore(server): update exa search tool description (#14682)
Updated the Exa search tool description to better reflect what Exa does. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Clarified the web search tool description to state it uses Exa, a web search API optimized for AI applications to improve labeling and user understanding. * No functional or behavioral changes to the tool; this update affects only the displayed description users see. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: ishan <ishan@exa.ai> |
||
|
George Kapetanakis
|
3bf2503f55 |
fix(tools): improve sed error handling in set-version script (#14684)
## Summary Replace post-command status checks with inline failure handling around `sed` calls. In the stream update path, ensure the two `sed` operations are treated as one success/failure unit. Keep behavior and file outputs the same on success, while making failure handling explicit. ## Why When `set -e` is enabled (which the script itself enables) command failures cause the script to exit, making error handling by checking `$?` not work. ## Files affected - `set-version.sh` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Enhanced error handling in version management script with improved failure reporting and context information. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
DarkSky
|
59fd942f40 |
fix(editor): database detail style (#14680)
fix #13923 #### PR Dependency Tree * **PR #14680** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Style** * Refined styling and alignment for number field displays in the database view component. <!-- end of auto-generated comment: release notes by coderabbit.ai -->v2026.3.18-canary.918 |
||
|
DarkSky
|
d6d5ae6182 | fix(electron): create doc shortcut should follow default type in settings (#14678) | ||
|
renovate[bot]
|
c1a09b951f |
chore: bump up fast-xml-parser version to v5.5.6 [SECURITY] (#14676)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [fast-xml-parser](https://redirect.github.com/NaturalIntelligence/fast-xml-parser) | [`5.4.1` → `5.5.6`](https://renovatebot.com/diffs/npm/fast-xml-parser/5.4.1/5.5.6) |  |  | ### GitHub Vulnerability Alerts #### [CVE-2026-33036](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r) ## Summary The fix for CVE-2026-26278 added entity expansion limits (`maxTotalExpansions`, `maxExpandedLength`, `maxEntityCount`, `maxEntitySize`) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. **Numeric character references** (`&#NNN;` and `&#xHH;`) and standard XML entities (`<`, `>`, etc.) are processed through a separate code path that does NOT enforce any expansion limits. An attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption. ## Affected Versions fast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm) ## Root Cause In `src/xmlparser/OrderedObjParser.js`, the `replaceEntitiesValue()` function has two separate entity replacement loops: 1. **Lines 638-670**: DOCTYPE entities — expansion counting with `entityExpansionCount` and `currentExpandedLength` tracking. This was the CVE-2026-26278 fix. 2. **Lines 674-677**: `lastEntities` loop — replaces standard entities including `num_dec` (`/&#([0-9]{1,7});/g`) and `num_hex` (`/&#x([0-9a-fA-F]{1,6});/g`). **This loop has NO expansion counting at all.** The numeric entity regex replacements at lines 97-98 are part of `lastEntities` and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix. ## Proof of Concept ```javascript const { XMLParser } = require('fast-xml-parser'); // Even with strict explicit limits, numeric entities bypass them const parser = new XMLParser({ processEntities: { enabled: true, maxTotalExpansions: 10, maxExpandedLength: 100, maxEntityCount: 1, maxEntitySize: 10 } }); // 100K numeric entity references — should be blocked by maxTotalExpansions=10 const xml = `<root>${'&#​65;'.repeat(100000)}</root>`; const result = parser.parse(xml); // Output: 500,000 chars — bypasses maxExpandedLength=100 completely console.log('Output length:', result.root.length); // 500000 console.log('Expected max:', 100); // limit was 100 ``` **Results:** - 100K `&#​65;` references → 500,000 char output (5x default maxExpandedLength of 100,000) - 1M references → 5,000,000 char output, ~147MB memory consumed - Even with `maxTotalExpansions=10` and `maxExpandedLength=100`, 10K references produce 50,000 chars - Hex entities (`A`) exhibit the same bypass ## Impact **Denial of Service** — An attacker who can provide XML input to applications using fast-xml-parser can cause: - Excessive memory allocation (147MB+ for 1M entity references) - CPU consumption during regex replacement - Potential process crash via OOM This is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them. ## Suggested Fix Apply the same `entityExpansionCount` and `currentExpandedLength` tracking to the `lastEntities` loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670. ## Workaround Set `htmlEntities:false` --- ### Release Notes <details> <summary>NaturalIntelligence/fast-xml-parser (fast-xml-parser)</summary> ### [`v5.5.6`]( |
||
|
DarkSky
|
4ce68d74f1 |
fix(editor): chat cannot scroll on windows (#14677)
fix #14529 fix #14612 replace #14614 #14657 #### PR Dependency Tree * **PR #14677** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Added test coverage for scroll position tracking and pinned scroll behavior in AI chat * Added test suite verifying scroll-to-end and scroll-to-position functionality * **New Features** * Introduced configurable scrollable option for text rendering in AI chat components, allowing control over scroll behavior <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
chauhan_s
|
fbfcc01d14 |
fix(core): reserve space for auth input error to avoid layout shift (#14670)
Prevents layout shift when showing auth input errors by reserving space for the error message. Improves visual stability and avoids UI jumps when validation errors appear. ### Before https://github.com/user-attachments/assets/7439aa5e-069d-42ac-8963-e5cdee341ad9 ### After https://github.com/user-attachments/assets/8e758452-5323-4807-8a0d-38913303020d <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Improved error message display mechanism in authentication components for more consistent rendering. * **Style** * Enhanced vertical spacing for error messages in form inputs to ensure better visual consistency and readability. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
DarkSky
|
1112a06623 | fix: ci | ||
|
chauhan_s
|
bbcb7e69fe |
fix: correct "has accept" to "has accepted" (#14669)
fixes #14407 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Corrected grammar in the notification message displayed when an invitation is accepted. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
steffenrapp
|
cc2f23339e |
feat(i18n): update German translation (#14674)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Enhanced German language support with new translations for Obsidian import, MCP server integration, and Copilot features. Improved error message translations for better clarity and consistency. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
chauhan_s
|
31101a69e7 |
fix: Refine verify email dialog for verify and change email flows (#14671)
### Summary This PR improves the verify email dialog by giving the verify-email and change-email flows distinct messaging instead of reusing the same generic copy. ### What changed * Use flow-specific body copy in the verify email dialog * Keep the existing action-specific subtitle behavior for: * Verify email * Change email * Update the English i18n strings so each flow explains the correct intent: * Verify email focuses on confirming email ownership * Change email focuses on securely starting the email-change process ### Why The previous dialog message was shared across both flows, which made the change-email experience feel ambiguous. This update makes the intent clearer for users and better matches the action they are taking. https://www.loom.com/share/c64c20570a8242358bd178a2ac50e413 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved clarity in email verification and email change dialog messages to better explain the confirmation process and link purpose. * Enhanced distinction between email verification and email change workflows with context-specific messaging. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Francisco Jiménez
|
0b1a44863f |
feat(editor): add obsidian vault import support (#14593)
fix #14592 ### Description > 🤖 **Note:** The code in this Pull Request were developed with the assistance of AI, but have been thoroughly reviewed and manually tested. > I noticed there's a check when opening an issue that asks _"Is your content generated by AI?"_, so I mention it here in case it's a deal breaker. If so I understand, you can close the PR, just wanted to share this in case it's useful anyways. This PR introduces **Obsidian Vault Import Support** to AFFiNE. Previously, users migrating from Obsidian had to rely on the generic Markdown importer, which often resulted in broken cross-links, missing directory structures, and metadata conflicts because Obsidian relies heavily on proprietary structures not supported by standard Markdown. This completely new feature makes migrating to AFFiNE easy. **Key Features & Implementations:** 1. **Vault (Directory) Selection** - Utilizes the `openDirectory` blocksuite utility in the import modal to allow users to select an entire folder directly from their filesystem, maintaining file context rather than forcing `.zip` uploads. 2. **Wikilink Resolution (Two-Pass Import)** - Restructured the `importObsidianVault` process into a two-pass architecture. - **Pass 1:** Discovers all files, assigns new AFFiNE document IDs, and maps them efficiently (by title, alias, and filename) into a high-performance hash map. - **Pass 2:** Processes the generic markdown AST and correctly maps custom `[[wikilinks]]` to the actual pre-registered AFFiNE blocksuite document IDs via `obsidianWikilinkToDeltaMatcher`. - Safely strips leading emojis from wikilink aliases to prevent duplicated page icons rendering mid-sentence. 3. **Emoji Metadata & State Fixes** - Implemented an aggressive, single-pass RegExp to extract multiple leading/combining emojis (`Emoji_Presentation` / `\ufe0f`) from H1 headers and Frontmatter. Emojis are assigned specifically to the page icon metadata property and cleanly stripped from the visual document title. - Fixed a core mutation bug where the loop iterating over existing `docMetas` was aggressively overwriting newly minted IDs for the current import batch. This fully resolves the issue where imported pages (especially re-imports) were incorrectly flagged as `trashed`. - Enforces explicit `trash: false` patch instructions. 4. **Syntax Conversion** - Implemented conversion of Obsidian-style Callouts (`> [!NOTE] Title`) into native AFFiNE block formats (`> 💡 **Title**`). - Hardened the `blockquote` parser so that nested structures (like `> - list items`) are fully preserved instead of discarded. ### UI Changes - Updated the Import Modal to include the "Import Obsidian Vault" flow utilizing the native filesystem directory picker. - Regenerated and synced `i18n-completenesses.json` correctly up to 100% across all supported locales for the new modal string additions. ### Testing Instructions 1. Navigate to the Workspace sidebar and click "Import". 2. Select "Obsidian" and use the directory picker to define a comprehensive Vault folder. 3. Validate that cross-links between documents automatically resolve to their specific AFFiNE instances. 4. Validate documents containing leading Emojis display exactly one Emoji (in the page icon area), and none duplicated in the actual title header. 5. Validate Callouts are rendered cleanly and correctly, and no documents are incorrectly marked as "Trash". <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Import Obsidian vaults with wikilink resolution, emoji/title preservation, asset handling, and automatic document creation. * Folder-based imports via a Directory Picker (with hidden-input fallback) integrated into the import dialog. * **Localization** * Added Obsidian import label and tooltip translations. * **Tests** * Added end-to-end tests validating Obsidian vault import and asset handling. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> Co-authored-by: DarkSky <darksky2048@gmail.com> |
||
|
DarkSky
|
8406f9656e |
perf(editor): improve bounding box calc caching (#14668)
#### PR Dependency Tree * **PR #14668** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) |
||
|
DarkSky
|
121c0d172d |
feat(server): improve doc tools error handle (#14662)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Centralized sync/status messages for cloud document sync and explicit user-facing error types. * Frontend helpers to detect and display tool errors with friendly names. * **Bug Fixes** * Consistent, actionable error reporting for document and attachment reads instead of silent failures. * Search and semantic tools now validate workspace sync and permissions and return clear responses. * **Tests** * Added comprehensive tests covering document/blob reads, search tools, and sync/error paths. <!-- end of auto-generated comment: release notes by coderabbit.ai -->v2026.3.16-canary.924 |
||
|
renovate[bot]
|
8f03090780 |
chore: bump up Lakr233/MarkdownView version to from: "3.8.2" (#14658)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [Lakr233/MarkdownView](https://redirect.github.com/Lakr233/MarkdownView) | minor | `from: "3.6.3"` → `from: "3.8.2"` | --- ### Release Notes <details> <summary>Lakr233/MarkdownView (Lakr233/MarkdownView)</summary> ### [`v3.8.2`](https://redirect.github.com/Lakr233/MarkdownView/compare/3.8.1...3.8.2) [Compare Source](https://redirect.github.com/Lakr233/MarkdownView/compare/3.8.1...3.8.2) ### [`v3.8.1`](https://redirect.github.com/Lakr233/MarkdownView/compare/3.8.0...3.8.1) [Compare Source](https://redirect.github.com/Lakr233/MarkdownView/compare/3.8.0...3.8.1) ### [`v3.8.0`](https://redirect.github.com/Lakr233/MarkdownView/compare/3.7.0...3.8.0) [Compare Source](https://redirect.github.com/Lakr233/MarkdownView/compare/3.7.0...3.8.0) ### [`v3.7.0`](https://redirect.github.com/Lakr233/MarkdownView/compare/3.6.3...3.7.0) [Compare Source](https://redirect.github.com/Lakr233/MarkdownView/compare/3.6.3...3.7.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
8125cc0e75 |
chore: bump up Lakr233/ListViewKit version to from: "1.2.0" (#14617)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [Lakr233/ListViewKit](https://redirect.github.com/Lakr233/ListViewKit) | minor | `from: "1.1.8"` → `from: "1.2.0"` | --- ### Release Notes <details> <summary>Lakr233/ListViewKit (Lakr233/ListViewKit)</summary> ### [`v1.2.0`](https://redirect.github.com/Lakr233/ListViewKit/compare/1.1.8...1.2.0) [Compare Source](https://redirect.github.com/Lakr233/ListViewKit/compare/1.1.8...1.2.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMCIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>v2026.3.15-canary.910 |
||
|
renovate[bot]
|
f537a75f01 |
chore: bump up file-type version to v21.3.2 [SECURITY] (#14655)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [file-type](https://redirect.github.com/sindresorhus/file-type) | [`21.3.1` → `21.3.2`](https://renovatebot.com/diffs/npm/file-type/21.3.1/21.3.2) |  |  | ### GitHub Vulnerability Alerts #### [CVE-2026-31808](https://redirect.github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473) ### Impact A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a `size` field of zero, the parser enters an infinite loop. The `payload` value becomes negative (-24), causing `tokenizer.ignore(payload)` to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses `file-type` to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. ### Patches Fixed in version 21.3.1. Users should upgrade to >= 21.3.1. ### Workarounds Validate or limit the size of input buffers before passing them to `file-type`, or run file type detection in a worker thread with a timeout. ### References - Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f ### Reporter crnkovic@lokvica.com #### [CVE-2026-32630](https://redirect.github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v) ## Summary A crafted ZIP file can trigger excessive memory growth during type detection in `file-type` when using `fileTypeFromBuffer()`, `fileTypeFromBlob()`, or `fileTypeFromFile()`. In affected versions, the ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause `file-type` to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. In testing on `file-type` `21.3.1`, a ZIP of about `255 KB` caused about `257 MB` of RSS growth during `fileTypeFromBuffer()`. This is an availability issue. Applications that use these APIs on untrusted uploads can be forced to consume large amounts of memory and may become slow or crash. ## Root Cause The ZIP detection logic applied different limits depending on whether the tokenizer had a known file size. For stream inputs, ZIP probing was bounded by `maximumZipEntrySizeInBytes` (`1 MiB`). For known-size inputs such as buffers, blobs, and files, the code instead used `Number.MAX_SAFE_INTEGER` in two relevant places: ```js const maximumContentTypesEntrySize = hasUnknownFileSize(tokenizer) ? maximumZipEntrySizeInBytes : Number.MAX_SAFE_INTEGER; ``` and: ```js const maximumLength = hasUnknownFileSize(this.tokenizer) ? maximumZipEntrySizeInBytes : Number.MAX_SAFE_INTEGER; ``` Together, these checks allowed a crafted ZIP to bypass the intended inflate limit for known-size APIs and force large decompression during detection of entries such as `[Content_Types].xml`. ## Proof of Concept ```js import {fileTypeFromBuffer} from 'file-type'; import archiver from 'archiver'; import {Writable} from 'node:stream'; async function createZipBomb(sizeInMegabytes) { return new Promise((resolve, reject) => { const chunks = []; const writable = new Writable({ write(chunk, encoding, callback) { chunks.push(chunk); callback(); }, }); const archive = archiver('zip', {zlib: {level: 9}}); archive.pipe(writable); writable.on('finish', () => { resolve(Buffer.concat(chunks)); }); archive.on('error', reject); const xmlPrefix = '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'; const padding = Buffer.alloc(sizeInMegabytes * 1024 * 1024 - xmlPrefix.length, 0x20); archive.append(Buffer.concat([Buffer.from(xmlPrefix), padding]), {name: '[Content_Types].xml'}); archive.finalize(); }); } const zip = await createZipBomb(256); console.log('ZIP size (KB):', (zip.length / 1024).toFixed(0)); const before = process.memoryUsage().rss; await fileTypeFromBuffer(zip); const after = process.memoryUsage().rss; console.log('RSS growth (MB):', ((after - before) / 1024 / 1024).toFixed(0)); ``` Observed on `file-type` `21.3.1`: - ZIP size: about `255 KB` - RSS growth during detection: about `257 MB` ## Affected APIs Affected: - `fileTypeFromBuffer()` - `fileTypeFromBlob()` - `fileTypeFromFile()` Not affected: - `fileTypeFromStream()`, which already enforced the ZIP inflate limit for unknown-size inputs ## Impact Applications that inspect untrusted uploads with `fileTypeFromBuffer()`, `fileTypeFromBlob()`, or `fileTypeFromFile()` can be forced to consume excessive memory during ZIP-based type detection. This can degrade service or lead to process termination in memory-constrained environments. ## Cause The issue was introduced in 399b0f1 --- ### Release Notes <details> <summary>sindresorhus/file-type (file-type)</summary> ### [`v21.3.2`](https://redirect.github.com/sindresorhus/file-type/releases/tag/v21.3.2) [Compare Source](https://redirect.github.com/sindresorhus/file-type/compare/v21.3.1...v21.3.2) - Fix ZIP bomb in known-size ZIP probing (GHSA-j47w-4g3g-c36v) [`a155cd7`](https://redirect.github.com/sindresorhus/file-type/commit/a155cd7) - Fix bound recursive BOM and ID3 detection [`370ed91`](https://redirect.github.com/sindresorhus/file-type/commit/370ed91) *** </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
9456a07889 |
chore: migrate Renovate config (#14656)
The Renovate config in this repository needs migrating. Typically this is because one or more configuration options you are using have been renamed. You don't need to merge this PR right away, because Renovate will continue to migrate these fields internally each time it runs. But later some of these fields may be fully deprecated and the migrations removed. So it's a good idea to merge this migration PR soon. 🔕 **Ignore**: Close this PR and you won't be reminded about config migration again, but one day your current config may no longer be valid. ❓ Got questions? Does something look wrong to you? Please don't hesitate to [request help here](https://redirect.github.com/renovatebot/renovate/discussions). --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
sahilkhan09k
|
8f571ddc30 |
fix: ensure images load correctly when printing to PDF (#14618)
Fixes #14304 ## Summary This PR resolves an issue where images sometimes fail to appear when exporting or printing AFFiNE pages to PDF. The issue occurs because images may not finish loading inside the hidden print iframe before `window.print()` is triggered. ## Changes - Avoid using `display: none` for the print iframe and instead keep it hidden while remaining in the rendering tree to ensure resources load correctly. - Remove `loading="lazy"` from all images before printing to prevent viewport-based lazy loading from blocking image fetches. - Force image reload by reassigning the `src` attribute after removing lazy loading. - Add a `waitForImages` helper to ensure all images (including those inside Shadow DOM) finish loading before calling `window.print()`. - Improve reliability by checking both `img.complete` and `img.naturalWidth` to confirm successful image loading. - Wait for fonts using `document.fonts.ready` before triggering the print dialog. ## Verification 1. Run AFFiNE in development mode: npm run dev 2. Open a page containing multiple images. 3. Click **Print** and select **Save as PDF** (or any PDF printer). 4. Verify that all images appear correctly in the generated PDF. ## Notes This change focuses only on improving the reliability of the existing print-to-PDF workflow without altering any feature flags or export behavior. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved PDF export reliability by waiting for all images (including inside shadow content) and fonts to load before printing. * Removed lazy-loading interference so images reliably appear in exports. * Ensured styles and light-theme attributes are consistently applied to the print document. * **Improvements** * More robust print preparation using a hidden-but-rendering iframe document, deep-cloning content (flattening shadow DOM), and preserved canvas mapping for accurate renders. <!-- end of auto-generated comment: release notes by coderabbit.ai -->v2026.3.13-canary.913 |
||
|
Mohad
|
13ad1beb10 |
feat(i18n): automatic RTL layout for Arabic, Persian, and Urdu + complete Arabic translations (#14624)
## Changes ### RTL Support (automatic, locale-driven) - Add `rtl?: boolean` metadata to locale definitions in `SUPPORTED_LANGUAGES` - Set `rtl: true` for Arabic (`ar`), Persian (`fa`), and Urdu (`ur`) - Automatically set `document.documentElement.dir` based on locale RTL metadata on language change - Remove hardcoded `lang="en"` from HTML template — JS now controls both `lang` and `dir` ### Arabic Translations - Add 100 missing keys to `ar.json` (Calendar integration, Doc Analytics, MCP Server, AI Chat, and more) - Arabic locale now has 2,313/2,313 keys (100% coverage, matches `en.json` exactly) ## Testing Switching to Arabic/Persian/Urdu now automatically flips the entire UI layout to RTL without any manual feature flag. Fixes #7099 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added Right-to-Left (RTL) support for Arabic, Persian, and Urdu with automatic document direction and language attributes when a language is selected. * **Refactor** * Centralized and reordered internal language handling so document language and direction are applied earlier and consistently. * **Chore** * Set a default text direction attribute on the base HTML template. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
sahilkhan09k
|
9844ca4d54 |
fix(editor): ensure code and quote blocks render correctly in print (#14613)
Fixes #14608 ## Summary Fix printing issues when exporting documents while using the dark theme. Previously, when printing or saving a document as PDF in dark mode, text color was forced to black while some block containers (such as code blocks and quotes) retained their dark backgrounds. This resulted in **black text on dark backgrounds**, making the content unreadable in the exported PDF. ## Changes * Reset relevant CSS variables in the `@media print` section of `print-to-pdf.ts`. * Ensure block containers such as **code blocks and quotes** render with light backgrounds during printing. * Maintain readable text colors by forcing text color to black for print output. This approach updates the **CSS variables used by BlockSuite components**, ensuring that elements relying on variables like `--affine-background-code-block` and `--affine-quote-color` correctly switch to light backgrounds in print mode. ## Result Documents printed or exported as PDF from dark mode now render correctly with: * readable text * proper light backgrounds for code blocks and quotes * consistent formatting in print output <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Style** * Enhanced print-to-PDF styling for improved visual presentation of code blocks, quotes, and borders when exporting or printing documents to maintain better readability and consistency. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: sahilkhan09k <sahilkhan392005@gmail.com>v2026.3.11-canary.915 |
||
|
renovate[bot]
|
d7d67841b8 |
chore: bump up file-type version to v21.3.1 [SECURITY] (#14625)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [file-type](https://redirect.github.com/sindresorhus/file-type) | [`21.3.0` → `21.3.1`](https://renovatebot.com/diffs/npm/file-type/21.3.0/21.3.1) |  |  | ### GitHub Vulnerability Alerts #### [CVE-2026-31808](https://redirect.github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473) ### Impact A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a `size` field of zero, the parser enters an infinite loop. The `payload` value becomes negative (-24), causing `tokenizer.ignore(payload)` to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses `file-type` to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. ### Patches Fixed in version 21.3.1. Users should upgrade to >= 21.3.1. ### Workarounds Validate or limit the size of input buffers before passing them to `file-type`, or run file type detection in a worker thread with a timeout. ### References - Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f ### Reporter crnkovic@lokvica.com --- ### Release Notes <details> <summary>sindresorhus/file-type (file-type)</summary> ### [`v21.3.1`](https://redirect.github.com/sindresorhus/file-type/releases/tag/v21.3.1) [Compare Source](https://redirect.github.com/sindresorhus/file-type/compare/v21.3.0...v21.3.1) - Fix infinite loop in ASF parser on malformed input [`319abf8`](https://redirect.github.com/sindresorhus/file-type/commit/319abf8) *** </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMCIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
DarkSky
|
29a27b561b |
feat(server): migrate copilot to native (#14620)
#### PR Dependency Tree * **PR #14620** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Native LLM workflows: structured outputs, embeddings, and reranking plus richer multimodal attachments (images, audio, files) and improved remote-attachment inlining. * **Refactor** * Tooling API unified behind a local tool-definition helper; provider/adapters reorganized to route through native dispatch paths. * **Chores** * Dependency updates, removed legacy Google SDK integrations, and increased front memory allocation. * **Tests** * Expanded end-to-end and streaming tests exercising native provider flows, attachments, and rerank/structured scenarios. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
renovate[bot]
|
02744cec00 |
chore: bump up apple/swift-collections version to from: "1.4.0" (#14616)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [apple/swift-collections](https://redirect.github.com/apple/swift-collections) | minor | `from: "1.3.0"` → `from: "1.4.0"` | --- ### Release Notes <details> <summary>apple/swift-collections (apple/swift-collections)</summary> ### [`v1.4.0`](https://redirect.github.com/apple/swift-collections/releases/tag/1.4.0): Swift Collections 1.4.0 [Compare Source](https://redirect.github.com/apple/swift-collections/compare/1.3.0...1.4.0) This feature release supports Swift toolchain versions 6.0, 6.1 and 6.2. It includes a variety of bug fixes, and ships the following new features: ##### New ownership-aware ring buffer and hashed container implementations In the `DequeModule` module, we have two new source-stable types that provide ownership-aware ring buffer implementations: - [`struct UniqueDeque<Element>`][UniqueDeque] is a uniquely held, dynamically resizing, noncopyable deque. - [`struct RigidDeque<Element>`][RigidDeque] is a fixed-capacity deque implementation. `RigidDeque`/`UniqueDeque` are to `Deque` like `RigidArray`/`UniqueArray` are to `Array` -- they provide noncopyable embodiments of the same basic data structure, with many of the same operations. [UniqueDeque]: https://swiftpackageindex.com/apple/swift-collections/documentation/dequemodule/uniquedeque [RigidDeque]: https://swiftpackageindex.com/apple/swift-collections/documentation/dequemodule/rigiddeque In the `BasicContainers` module, this release adds previews of four new types, implementing ownership-aware hashed containers: - [`struct UniqueSet<Element>`][UniqueSet] is a uniquely held, dynamically resizing set. - [`struct RigidSet<Element>`][RigidSet] is a fixed-capacity set. - [`struct UniqueDictionary<Key, Value>`][UniqueDictionary] is a uniquely held, dynamically resizing dictionary. - [`struct RigidDictionary<Key, Value>`][RigidDictionary] is a fixed-capacity dictionary. [RigidSet]: https://redirect.github.com/apple/swift-collections/tree/main/Sources/BasicContainers/RigidSet [UniqueSet]: https://redirect.github.com/apple/swift-collections/tree/main/Sources/BasicContainers/UniqueSet [RigidDictionary]: https://redirect.github.com/apple/swift-collections/tree/main/Sources/BasicContainers/RigidDictionary [UniqueDictionary]: https://redirect.github.com/apple/swift-collections/tree/main/Sources/BasicContainers/UniqueDictionary These are direct analogues of the standard `Set` and `Dictionary` types. These types are built on top of the `Equatable` and `Hashable` protocol generalizations that were proposed in [SE-0499]; as that proposal is not yet implemented in any shipping toolchain, these new types are shipping as source-unstable previews, conditional on a new `UnstableHashedContainers` package trait. The final API of these types will also deeply depend on the `struct Borrow` and `struct Inout` proposals (and potentially other language/stdlib improvements) that are currently working their way through the Swift Evolution process. Accordingly, we may need to make source-breaking changes to the interfaces of these types -- they are not ready to be blessed as Public API. However, we encourage intrepid engineers to try them on for size, and report pain points. (Of which we expect there will be many in this first preview.) [SE-0499]: https://redirect.github.com/swiftlang/swift-evolution/blob/main/proposals/0499-support-non-copyable-simple-protocols.md We continue the pattern of `Rigid-` and `Unique-` naming prefixes with these new types: - The `Unique` types (`UniqueArray`, `UniqueDeque`, `UniqueSet`, `UniqueDictionary` etc.) are dynamically self-sizing containers that automatically reallocate their storage as needed to best accommodate their contents; the `Unique` prefix was chosen to highlight that these types are always uniquely held, avoiding the complications of mutating shared copies. - The `Rigid` types remove dynamic sizing, and they operate strictly within an explicitly configured capacity. Dynamic sizing is not always appropriate -- when targeting space- or time-constrained environments (think embedded use cases or real-time work), it is preferable to avoid implicit reallocations, and to instead choose to have explicit control over when (and if) storage is reallocated, and to what size. This is where the `Rigid` types come in: their instances are created with a specific capacity and it is a runtime error to exceed that. This makes them quite inflexible (hence the "rigid" qualifier), but in exchange, their operations provide far stricter complexity guarantees: they exhibit no random runtime latency spikes, and they can trivially fit in strict memory budgets. ##### Early drafts of borrowing sequence, generative iteration and container protocols This release includes highly experimental but *working* implementations of new protocols supplying ownership-aware alternatives to the classic `Sequence`/`Collection` protocol hierarchy. These protocols and the generic operations built on top of them can be turned on by enabling the `UnstableContainersPreview` package trait. - [`protocol BorrowingSequence<Element>`][BorrowingSequence] models borrowing sequences with ephemeral lifetimes. (This is already progressing through Swift Evolution.) - [`protocol Container<Element>`][Container] models constructs that physically store their contents, and can expose stable spans over them. - [`protocol Producer<Element, ProducerError>`][Producer] models a generative iterator -- a construct that generates items demand. - [`protocol Drain<Element>`][Drain] refines `Producer` to model an in-place consumable elements -- primarily for use around container types. [BorrowingSequence]: https://redirect.github.com/apple/swift-collections/blob/main/Sources/ContainersPreview/Protocols/BorrowingSequence.swift [BorrowingIteratorProtocol]: https://redirect.github.com/apple/swift-collections/blob/main/Sources/ContainersPreview/Protocols/BorrowingIteratorProtocol.swift [Container]: https://redirect.github.com/apple/swift-collections/blob/main/Sources/ContainersPreview/Protocols/Container.swift [Producer]: https://redirect.github.com/apple/swift-collections/blob/main/Sources/ContainersPreview/Protocols/Producer.swift [Drain]: https://redirect.github.com/apple/swift-collections/blob/main/Sources/ContainersPreview/Protocols/Drain.swift In this version, the package has developed these protocols just enough to implement basic generic operations for moving data between containers like `UniqueArray` and `RigidDeque`. As we gain experience using these, future releases may start adding basic generic algorithms, more protocols (bidirectional, random-access, (per)mutable, range-replaceable containers etc.) convenience adapters, and other features -- or we may end up entirely overhauling or simply discarding some/all of them. Accordingly, the experimental interfaces enabled by `UnstableContainersPreview` are not source stable, and they are not intended for production use. We expect the eventual production version of these (or whatever designs they evolve into) to ship in the Swift Standard Library. We do highly recommend interested folks to try playing with these, to get a feel for the strange problems of Ownership. Besides these protocols, the package also defines rudimentary substitutes of some basic primitives that belong in the Standard Library: - [`struct InputSpan<Element>`][InputSpan] the dual of `OutputSpan` -- while `OutputSpan` is primarily for moving items *into* somebody else's storage, `InputSpan` enables safely moving items *out of* storage. - [`struct Borrow<Target>`][Borrow] represents a borrowing reference to an item. (This package models this with a pointer, which is an ill-fitting substitute for the real implementation in the stdlib.) - [`struct Inout<Target>`][Inout] represents a mutating reference to an item. [InputSpan]: https://redirect.github.com/apple/swift-collections/blob/main/Sources/ContainersPreview/Types/InputSpan.swift [Borrow]: https://redirect.github.com/apple/swift-collections/blob/main/Sources/ContainersPreview/Types/Borrow.swift [Inout]: https://redirect.github.com/apple/swift-collections/blob/main/Sources/ContainersPreview/Types/Inout.swift ##### A formal way to access `SortedSet` and `SortedDictionary` types The `SortedCollections` module contains (preexisting) early drafts of two sorted collection types `SortedSet` and `SortedDictionary`, built on top of an in-memory B-tree implementation. This release defines an `UnstableSortedCollections` package trait that can be used to enable building these types for experimentation without manually modifying the package. Like in previous releases, these implementations remain unfinished in this release, with known API issues; accordingly, these types remain unstable. (Issue [#​1](https://redirect.github.com/apple/swift-collections/issues/1) remains open.) Future package releases may change their interface in ways that break source compatibility, or they may remove these types altogether. ##### Minor interface-level changes - The `Collections` module no longer uses the unstable `@_exported import` feature. Instead, it publishes public typealiases of every type that it previously reexported from `DequeModule`, `OrderedCollections`, `BitCollections`, `HeapModule` and `HashTreeCollections`. - We renamed some `RigidArray`/`UniqueArray` operations to improve their clarity at the point of use. The old names are still available, but deprecated. | Old name | New name | | ----------------------------------------------- | ------------------------------------------------- | | `append(count:initializingWith:)` | `append(addingCount:initializingWith:)` | | `insert(count:at:initializingWith:)` | `insert(addingCount:at:initializingWith:)` | | `replaceSubrange(_:newCount:initializingWith:)` | `replace(removing:addingCount:initializingWith:)` | | `replaceSubrange(_:moving:)` | `replace(removing:moving:)` | | `replaceSubrange(_:copying:)` | `replace(removing:copying:)` | | `copy()` | `clone()` | | `copy(capacity:)` | `clone(capacity:)` | - We have now defined a complete set of `OutputSpan`/`InputSpan`-based `append`/`insert`/`replace`/`consume` primitives, fully generalized to be implementable by piecewise contiguous containers. These operations pave the way for a `Container`-based analogue of the classic `RangeReplaceableCollection` protocol, with most of the user-facing operations becoming standard generic algorithms built on top of these primitives: ``` mutating func append<E: Error>( addingCount newItemCount: Int, initializingWith initializer: (inout OutputSpan<Element>) throws(E) -> Void ) mutating func insert<E: Error>( addingCount newItemCount: Int, at index: Int, initializingWith initializer: (inout OutputSpan<Element>) throws(E) -> Void ) throws(E) mutating func replace<E: Error>( removing subrange: Range<Int>, consumingWith consumer: (inout InputSpan<Element>) -> Void, addingCount newItemCount: Int, initializingWith initializer: (inout OutputSpan<Element>) throws(E) -> Void ) throws(E) mutating func consume( _ subrange: Range<Int>, consumingWith consumer: (inout InputSpan<Element>) -> Void ) ``` - The package no longer uses the code generation tool `gyb`. #### What's Changed - Fix links in GitHub templates by [@​lorentey](https://redirect.github.com/lorentey) in [#​527](https://redirect.github.com/apple/swift-collections/pull/527) - Adopt `package` access modifier and get rid of gybbing by [@​lorentey](https://redirect.github.com/lorentey) in [#​526](https://redirect.github.com/apple/swift-collections/pull/526) - \[Doc] Fix links in landing page by [@​Azoy](https://redirect.github.com/Azoy) in [#​531](https://redirect.github.com/apple/swift-collections/pull/531) - \[BigString] Refactor \_Chunk to be its own managed buffer of UTF8 by [@​Azoy](https://redirect.github.com/Azoy) in [#​488](https://redirect.github.com/apple/swift-collections/pull/488) - Add new package trait UnstableSortedCollections by [@​lorentey](https://redirect.github.com/lorentey) in [#​533](https://redirect.github.com/apple/swift-collections/pull/533) - \[RopeModule] Fix warnings by [@​lorentey](https://redirect.github.com/lorentey) in [#​534](https://redirect.github.com/apple/swift-collections/pull/534) - Fix ability to build & test BigString with Xcode & CMake by [@​lorentey](https://redirect.github.com/lorentey) in [#​537](https://redirect.github.com/apple/swift-collections/pull/537) - \[BigString] Bring back Index.\_isUTF16TrailingSurrogate by [@​Azoy](https://redirect.github.com/Azoy) in [#​539](https://redirect.github.com/apple/swift-collections/pull/539) - chore: restrict GitHub workflow permissions - future-proof by [@​incertum](https://redirect.github.com/incertum) in [#​540](https://redirect.github.com/apple/swift-collections/pull/540) - \[BitCollections] Add missing imports for InternalCollectionsUtilities by [@​lorentey](https://redirect.github.com/lorentey) in [#​554](https://redirect.github.com/apple/swift-collections/pull/554) - Compare self.value to other, not itself by [@​SiliconA-Z](https://redirect.github.com/SiliconA-Z) in [#​553](https://redirect.github.com/apple/swift-collections/pull/553) - Change useFloyd heuristic to match comment by [@​SiliconA-Z](https://redirect.github.com/SiliconA-Z) in [#​551](https://redirect.github.com/apple/swift-collections/pull/551) - Typo: symmetric difference should be the xor, not intersection by [@​SiliconA-Z](https://redirect.github.com/SiliconA-Z) in [#​550](https://redirect.github.com/apple/swift-collections/pull/550) - first should get the Initialized elements by [@​SiliconA-Z](https://redirect.github.com/SiliconA-Z) in [#​549](https://redirect.github.com/apple/swift-collections/pull/549) - Replace Container with a far less powerful (but more universal) Iterable construct by [@​lorentey](https://redirect.github.com/lorentey) in [#​543](https://redirect.github.com/apple/swift-collections/pull/543) - Temporarily stop testing RigidArray & UniqueArray on release/6.3 snapshots on Linux by [@​lorentey](https://redirect.github.com/lorentey) in [#​562](https://redirect.github.com/apple/swift-collections/pull/562) - \[RigidArray, HashTrees] Mark deinitializers inlinable by [@​lorentey](https://redirect.github.com/lorentey) in [#​560](https://redirect.github.com/apple/swift-collections/pull/560) - GHA: Add weekly dependabot by [@​bkhouri](https://redirect.github.com/bkhouri) in [#​563](https://redirect.github.com/apple/swift-collections/pull/563) - Work around temporary issue with current 6.3 snapshots by [@​lorentey](https://redirect.github.com/lorentey) in [#​565](https://redirect.github.com/apple/swift-collections/pull/565) - Add `RigidDeque` and `UniqueDeque` by [@​lorentey](https://redirect.github.com/lorentey) in [#​557](https://redirect.github.com/apple/swift-collections/pull/557) - \[Collections module] Stop using `@_exported import` by [@​lorentey](https://redirect.github.com/lorentey) in [#​566](https://redirect.github.com/apple/swift-collections/pull/566) - Delete stray benchmark results files by [@​lorentey](https://redirect.github.com/lorentey) in [#​567](https://redirect.github.com/apple/swift-collections/pull/567) - Assorted `RigidArray`/`UniqueArray` updates by [@​lorentey](https://redirect.github.com/lorentey) in [#​569](https://redirect.github.com/apple/swift-collections/pull/569) - `RigidArray`/`UniqueArray`: Add new copying span initializers by [@​Azoy](https://redirect.github.com/Azoy) in [#​572](https://redirect.github.com/apple/swift-collections/pull/572) - `RigidDeque`/`UniqueDeque`: Add some top-level documentation by [@​lorentey](https://redirect.github.com/lorentey) in [#​571](https://redirect.github.com/apple/swift-collections/pull/571) - Update docs for Container.nextSpan(after:maximumCount:) by [@​lorentey](https://redirect.github.com/lorentey) in [#​574](https://redirect.github.com/apple/swift-collections/pull/574) - Remove workaround for bug in OutputSpan.wUMBP by [@​lorentey](https://redirect.github.com/lorentey) in [#​570](https://redirect.github.com/apple/swift-collections/pull/570) - \[RigidArray, RigidDeque].nextSpan: Validate `maximumCount` by [@​lorentey](https://redirect.github.com/lorentey) in [#​575](https://redirect.github.com/apple/swift-collections/pull/575) - Bump swiftlang/github-workflows/.github/workflows/soundness.yml from 0.0.6 to 0.0.7 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​577](https://redirect.github.com/apple/swift-collections/pull/577) - give constant folding an opportunity to select a much faster code path for empty dictionary (and set) literals by [@​tayloraswift](https://redirect.github.com/tayloraswift) in [#​578](https://redirect.github.com/apple/swift-collections/pull/578) - Bump swiftlang/github-workflows/.github/workflows/swift\_package\_test.yml from 0.0.6 to 0.0.7 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​576](https://redirect.github.com/apple/swift-collections/pull/576) - Ownership-aware Set and Dictionary variants by [@​lorentey](https://redirect.github.com/lorentey) in [#​573](https://redirect.github.com/apple/swift-collections/pull/573) - \[Prerelease] Check API for consistency, fill holes, patch incoherencies by [@​lorentey](https://redirect.github.com/lorentey) in [#​581](https://redirect.github.com/apple/swift-collections/pull/581) - \[BitSet] Amend return value of `update(with:)` method by [@​benrimmington](https://redirect.github.com/benrimmington) in [#​538](https://redirect.github.com/apple/swift-collections/pull/538) - \[BasicContainers] Fix spelling of a source file by [@​lorentey](https://redirect.github.com/lorentey) in [#​585](https://redirect.github.com/apple/swift-collections/pull/585) - Include notes about index mutation in `span(after/before:)` (+ other doc fixes) by [@​natecook1000](https://redirect.github.com/natecook1000) in [#​541](https://redirect.github.com/apple/swift-collections/pull/541) - \[BasicContainers] Finalize requirements for hashed containers by [@​lorentey](https://redirect.github.com/lorentey) in [#​586](https://redirect.github.com/apple/swift-collections/pull/586) - Update README for 1.4.0 by [@​lorentey](https://redirect.github.com/lorentey) in [#​587](https://redirect.github.com/apple/swift-collections/pull/587) - Working towards the 1.4.0 tag by [@​lorentey](https://redirect.github.com/lorentey) in [#​588](https://redirect.github.com/apple/swift-collections/pull/588) - \[BasicContainers] Avoid defining set/dictionary types unless UnstableHashedContainers is enabled by [@​lorentey](https://redirect.github.com/lorentey) in [#​589](https://redirect.github.com/apple/swift-collections/pull/589) - \[BasicContainers] RigidArray: Correct spelling of replacement for deprecated method by [@​lorentey](https://redirect.github.com/lorentey) in [#​590](https://redirect.github.com/apple/swift-collections/pull/590) #### New Contributors - [@​incertum](https://redirect.github.com/incertum) made their first contribution in [#​540](https://redirect.github.com/apple/swift-collections/pull/540) - [@​SiliconA-Z](https://redirect.github.com/SiliconA-Z) made their first contribution in [#​553](https://redirect.github.com/apple/swift-collections/pull/553) - [@​bkhouri](https://redirect.github.com/bkhouri) made their first contribution in [#​563](https://redirect.github.com/apple/swift-collections/pull/563) - [@​dependabot](https://redirect.github.com/dependabot)\[bot] made their first contribution in [#​577](https://redirect.github.com/apple/swift-collections/pull/577) - [@​tayloraswift](https://redirect.github.com/tayloraswift) made their first contribution in [#​578](https://redirect.github.com/apple/swift-collections/pull/578) - [@​benrimmington](https://redirect.github.com/benrimmington) made their first contribution in [#​538](https://redirect.github.com/apple/swift-collections/pull/538) **Full Changelog**: <https://github.com/apple/swift-collections/compare/1.3.0...1.4.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMCIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>v2026.3.9-canary.917 |
||
|
renovate[bot]
|
6d710f3bdc |
chore: bump up Node.js to v22.22.1 (#14598)
> ℹ️ **Note** > > This PR body was truncated due to platform limits. This PR contains the following updates: | Package | Update | Change | |---|---|---| | [node](https://nodejs.org) ([source](https://redirect.github.com/nodejs/node)) | patch | `22.22.0` → `22.22.1` | --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v22.22.1`](https://redirect.github.com/nodejs/node/releases/tag/v22.22.1): 2026-03-05, Version 22.22.1 'Jod' (LTS) [Compare Source](https://redirect.github.com/nodejs/node/compare/v22.22.0...v22.22.1) ##### Notable Changes - \[[`7b93a65f27`](https://redirect.github.com/nodejs/node/commit/7b93a65f27)] - **build**: test on Python 3.14 (Christian Clauss) [#​59983](https://redirect.github.com/nodejs/node/pull/59983) - \[[`6063d888fe`](https://redirect.github.com/nodejs/node/commit/6063d888fe)] - **cli**: mark `--heapsnapshot-near-heap-limit` as stable (Joyee Cheung) [#​60956](https://redirect.github.com/nodejs/node/pull/60956) - \[[`d950b151a2`](https://redirect.github.com/nodejs/node/commit/d950b151a2)] - **crypto**: update root certificates to NSS 3.119 (Node.js GitHub Bot) [#​61419](https://redirect.github.com/nodejs/node/pull/61419) - \[[`4f42f8c428`](https://redirect.github.com/nodejs/node/commit/4f42f8c428)] - **crypto**: update root certificates to NSS 3.117 (Node.js GitHub Bot) [#​60741](https://redirect.github.com/nodejs/node/pull/60741) - \[[`b6ebf2cd53`](https://redirect.github.com/nodejs/node/commit/b6ebf2cd53)] - **doc**: add avivkeller to collaborators (Aviv Keller) [#​61115](https://redirect.github.com/nodejs/node/pull/61115) - \[[`35854f424d`](https://redirect.github.com/nodejs/node/commit/35854f424d)] - **doc**: add gurgunday to collaborators (Gürgün Dayıoğlu) [#​61094](https://redirect.github.com/nodejs/node/pull/61094) - \[[`5c6a076e5d`](https://redirect.github.com/nodejs/node/commit/5c6a076e5d)] - **meta**: add Renegade334 to collaborators (Renegade334) [#​60714](https://redirect.github.com/nodejs/node/pull/60714) ##### Commits - \[[`5f773488c2`](https://redirect.github.com/nodejs/node/commit/5f773488c2)] - **assert**: use a set instead of an array for faster lookup (Ruben Bridgewater) [#​61076](https://redirect.github.com/nodejs/node/pull/61076) - \[[`feecbb0eab`](https://redirect.github.com/nodejs/node/commit/feecbb0eab)] - **assert,util**: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) [#​61388](https://redirect.github.com/nodejs/node/pull/61388) - \[[`096095b127`](https://redirect.github.com/nodejs/node/commit/096095b127)] - **benchmark**: add SQLite benchmarks (Guilherme Araújo) [#​61401](https://redirect.github.com/nodejs/node/pull/61401) - \[[`b5fe481415`](https://redirect.github.com/nodejs/node/commit/b5fe481415)] - **benchmark**: use boolean options in benchmark tests (SeokhunEom) [#​60129](https://redirect.github.com/nodejs/node/pull/60129) - \[[`fa9faacacb`](https://redirect.github.com/nodejs/node/commit/fa9faacacb)] - **benchmark**: allow boolean option values (SeokhunEom) [#​60129](https://redirect.github.com/nodejs/node/pull/60129) - \[[`ba8714ac21`](https://redirect.github.com/nodejs/node/commit/ba8714ac21)] - **benchmark**: fix incorrect base64 input in byteLength benchmark (semimikoh) [#​60841](https://redirect.github.com/nodejs/node/pull/60841) - \[[`53596de876`](https://redirect.github.com/nodejs/node/commit/53596de876)] - **benchmark**: use typescript for import cjs benchmark (Joyee Cheung) [#​60663](https://redirect.github.com/nodejs/node/pull/60663) - \[[`e8930e9d7c`](https://redirect.github.com/nodejs/node/commit/e8930e9d7c)] - **benchmark**: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) [#​60603](https://redirect.github.com/nodejs/node/pull/60603) - \[[`1155e412b1`](https://redirect.github.com/nodejs/node/commit/1155e412b1)] - **benchmark**: add per-suite setup option (Joyee Cheung) [#​60574](https://redirect.github.com/nodejs/node/pull/60574) - \[[`e01903d304`](https://redirect.github.com/nodejs/node/commit/e01903d304)] - **benchmark**: improve cpu.sh for safety and usability (Nam Yooseong) [#​60162](https://redirect.github.com/nodejs/node/pull/60162) - \[[`623a405747`](https://redirect.github.com/nodejs/node/commit/623a405747)] - **benchmark**: add benchmark for leaf source text modules (Joyee Cheung) [#​60205](https://redirect.github.com/nodejs/node/pull/60205) - \[[`7f5e7b9f7f`](https://redirect.github.com/nodejs/node/commit/7f5e7b9f7f)] - **benchmark**: add microbench on isInsideNodeModules (Chengzhong Wu) [#​60991](https://redirect.github.com/nodejs/node/pull/60991) - \[[`db132b85a8`](https://redirect.github.com/nodejs/node/commit/db132b85a8)] - **bootstrap**: initialize http proxy after user module loader setup (Joyee Cheung) [#​58938](https://redirect.github.com/nodejs/node/pull/58938) - \[[`66aab9f987`](https://redirect.github.com/nodejs/node/commit/66aab9f987)] - **buffer**: let Buffer.of use heap (Сковорода Никита Андреевич) [#​60503](https://redirect.github.com/nodejs/node/pull/60503) - \[[`c3cf00c671`](https://redirect.github.com/nodejs/node/commit/c3cf00c671)] - **buffer**: speed up concat via TypedArray#set (Gürgün Dayıoğlu) [#​60399](https://redirect.github.com/nodejs/node/pull/60399) - \[[`f6fad231e9`](https://redirect.github.com/nodejs/node/commit/f6fad231e9)] - **build**: skip sscache action on non-main branches (Joyee Cheung) [#​61790](https://redirect.github.com/nodejs/node/pull/61790) - \[[`2145f91f6b`](https://redirect.github.com/nodejs/node/commit/2145f91f6b)] - **build**: update android-patches/trap-handler.h.patch (Mo Luo) [#​60369](https://redirect.github.com/nodejs/node/pull/60369) - \[[`5b49759dd8`](https://redirect.github.com/nodejs/node/commit/5b49759dd8)] - **build**: update devcontainer.json to use paired nix env (Joyee Cheung) [#​61414](https://redirect.github.com/nodejs/node/pull/61414) - \[[`24724cde40`](https://redirect.github.com/nodejs/node/commit/24724cde40)] - **build**: fix misplaced comma in ldflags (hqzing) [#​61294](https://redirect.github.com/nodejs/node/pull/61294) - \[[`c57a19934e`](https://redirect.github.com/nodejs/node/commit/c57a19934e)] - **build**: fix crate vendor file checksums on windows (Chengzhong Wu) [#​61329](https://redirect.github.com/nodejs/node/pull/61329) - \[[`8659d7cd07`](https://redirect.github.com/nodejs/node/commit/8659d7cd07)] - **build**: fix inconsistent quoting in `Makefile` (Antoine du Hamel) [#​60511](https://redirect.github.com/nodejs/node/pull/60511) - \[[`44f339b315`](https://redirect.github.com/nodejs/node/commit/44f339b315)] - **build**: remove temporal updater (Chengzhong Wu) [#​61151](https://redirect.github.com/nodejs/node/pull/61151) - \[[`d60a6cebd5`](https://redirect.github.com/nodejs/node/commit/d60a6cebd5)] - **build**: update test-wpt-report to use NODE instead of OUT\_NODE (Filip Skokan) [#​61024](https://redirect.github.com/nodejs/node/pull/61024) - \[[`34ccf187f5`](https://redirect.github.com/nodejs/node/commit/34ccf187f5)] - **build**: skip build-ci on actions with a separate test step (Chengzhong Wu) [#​61073](https://redirect.github.com/nodejs/node/pull/61073) - \[[`7b19e101a2`](https://redirect.github.com/nodejs/node/commit/7b19e101a2)] - **build**: run embedtest with node\_g when BUILDTYPE=Debug (Chengzhong Wu) [#​60850](https://redirect.github.com/nodejs/node/pull/60850) - \[[`9408c4459f`](https://redirect.github.com/nodejs/node/commit/9408c4459f)] - **build**: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) [#​59984](https://redirect.github.com/nodejs/node/pull/59984) - \[[`2166ec7f0f`](https://redirect.github.com/nodejs/node/commit/2166ec7f0f)] - **build**: use call command when calling python configure (Jacob Nichols) [#​60098](https://redirect.github.com/nodejs/node/pull/60098) - \[[`73ef70145d`](https://redirect.github.com/nodejs/node/commit/73ef70145d)] - **build**: remove V8\_COMPRESS\_POINTERS\_IN\_ISOLATE\_CAGE defs (Joyee Cheung) [#​60296](https://redirect.github.com/nodejs/node/pull/60296) - \[[`7b93a65f27`](https://redirect.github.com/nodejs/node/commit/7b93a65f27)] - **build**: test on Python 3.14 (Christian Clauss) [#​59983](https://redirect.github.com/nodejs/node/pull/59983) - \[[`508ce6ec6c`](https://redirect.github.com/nodejs/node/commit/508ce6ec6c)] - **build, src**: fix include paths for vtune files (Rahul) [#​59999](https://redirect.github.com/nodejs/node/pull/59999) - \[[`c89d3cd570`](https://redirect.github.com/nodejs/node/commit/c89d3cd570)] - **build,tools**: fix addon build deadlock on errors (Vladimir Morozov) [#​61321](https://redirect.github.com/nodejs/node/pull/61321) - \[[`40904a0591`](https://redirect.github.com/nodejs/node/commit/40904a0591)] - **build,win**: update WinGet configurations to Python 3.14 (Mike McCready) [#​61431](https://redirect.github.com/nodejs/node/pull/61431) - \[[`6d6742e7db`](https://redirect.github.com/nodejs/node/commit/6d6742e7db)] - **child\_process**: treat ipc length header as unsigned uint32 (Ryuhei Shima) [#​61344](https://redirect.github.com/nodejs/node/pull/61344) - \[[`6063d888fe`](https://redirect.github.com/nodejs/node/commit/6063d888fe)] - **cli**: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) [#​60956](https://redirect.github.com/nodejs/node/pull/60956) - \[[`3d324a0f88`](https://redirect.github.com/nodejs/node/commit/3d324a0f88)] - **cluster**: fix port reuse between cluster (Ryuhei Shima) [#​60141](https://redirect.github.com/nodejs/node/pull/60141) - \[[`40a58709b4`](https://redirect.github.com/nodejs/node/commit/40a58709b4)] - **console**: optimize single-string logging (Gürgün Dayıoğlu) [#​60422](https://redirect.github.com/nodejs/node/pull/60422) - \[[`d950b151a2`](https://redirect.github.com/nodejs/node/commit/d950b151a2)] - **crypto**: update root certificates to NSS 3.119 (Node.js GitHub Bot) [#​61419](https://redirect.github.com/nodejs/node/pull/61419) - \[[`4f42f8c428`](https://redirect.github.com/nodejs/node/commit/4f42f8c428)] - **crypto**: update root certificates to NSS 3.117 (Node.js GitHub Bot) [#​60741](https://redirect.github.com/nodejs/node/pull/60741) - \[[`a87499ae25`](https://redirect.github.com/nodejs/node/commit/a87499ae25)] - **crypto**: ensure documented RSA-PSS saltLength default is used (Filip Skokan) [#​60662](https://redirect.github.com/nodejs/node/pull/60662) - \[[`8c65cc11e2`](https://redirect.github.com/nodejs/node/commit/8c65cc11e2)] - **crypto**: update root certificates to NSS 3.116 (Node.js GitHub Bot) [#​59956](https://redirect.github.com/nodejs/node/pull/59956) - \[[`91dc00a2c1`](https://redirect.github.com/nodejs/node/commit/91dc00a2c1)] - **debugger**: fix event listener leak in the run command (Joyee Cheung) [#​60464](https://redirect.github.com/nodejs/node/pull/60464) - \[[`0781bd3764`](https://redirect.github.com/nodejs/node/commit/0781bd3764)] - **deps**: V8: backport [`6a0a25a`](https://redirect.github.com/nodejs/node/commit/6a0a25abaed3) (Vivian Wang) [#​61688](https://redirect.github.com/nodejs/node/pull/61688) - \[[`0cf1f9c3e9`](https://redirect.github.com/nodejs/node/commit/0cf1f9c3e9)] - **deps**: update googletest to [`8508785`]( |
||
|
Kenneth Wußmann
|
0b47f92134 |
fix(oidc): allow string boolean in email_verified userinfo schema (#14609)
## Why
When using AWS Cognito as OIDC provider, AFFiNE returns a zod parsing
error because AWS returns `email_verified` as a string in the userinfo
response.
```json
{
"sub": "[UUID]",
"email_verified": "true",
"custom:mycustom1": "CustomValue",
"phone_number_verified": "true",
"phone_number": "+12065551212",
"email": "bob@example.com",
"username": "bob"
}
```
Reference:
https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html#get-userinfo-response-sample
Error returned in AFFiNE frontend:
```
Validation error, errors: [ { "code": "invalid_type", "expected": "boolean", "received": "string", "path": [ "email_verified" ], "message": "Expected boolean, received string" } ]
```
## What
I'm adjusting the existing `OIDCUserInfoSchema` to allow `z.boolean()`
and `z.enum(['true', 'false', '0', '1', 'yes', 'no'])`.
This matches with [our `extractBoolean` function in the
`OIDCProvider`](
|
||
|
DarkSky
|
9c55edeb62 |
feat(server): adapt gemini3.1 preview (#14583)
#### PR Dependency Tree * **PR #14583** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added Gemini 3.1 Pro Preview support (text, image, audio) and new GPT‑5 variants as defaults; centralized persistent telemetry state for more reliable client identity. * **UX** * Improved model submenu placement in chat preferences. * More robust mindmap parsing, preview, regeneration and replace behavior. * **Chores** * Bumped AI SDK and related dependencies. * **Tests** * Expanded/updated tests and increased timeouts for flaky flows. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
DarkSky
|
9742e9735e |
feat(editor): improve edgeless perf & memory usage (#14591)
#### PR Dependency Tree * **PR #14591** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * New canvas renderer debug metrics and controls for runtime inspection. * Mindmap/group reordering now normalizes group targets, improving reorder consistency. * **Bug Fixes** * Fixed connector behavior for empty/degenerate paths. * More aggressive viewport invalidation so structural changes display correctly. * Improved z-index synchronization during transforms and layer updates. * **Performance** * Retained DOM caching for brushes, shapes, and connectors to reduce DOM churn. * Targeted canvas refreshes, pooling, and reuse to lower redraw and memory overhead. * **Tests** * Added canvas renderer performance benchmarks and curve edge-case unit tests. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
DarkSky
|
86d65b2f64 |
feat(server): add image resize support (#14588)
fix #13842 #### PR Dependency Tree * **PR #14588** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Images are now processed natively and converted to WebP for smaller, optimized files; Copilot and avatar attachments use the processed WebP output. * Avatar uploads accept BMP, GIF, JPEG, PNG, WebP (5MB max) and are downscaled to a standard edge. * **Error Messages / i18n** * Added localized error "Image format not supported: {format}". * **Tests** * Added end-to-end and unit tests for conversion, EXIF preservation, and upload limits. * **Chores** * Added native image-processing dependencies. <!-- end of auto-generated comment: release notes by coderabbit.ai -->v2026.3.6-canary.912 |
||
|
DarkSky
|
f34e25e122 |
test: migrate test & utils (#14569)
#### PR Dependency Tree * **PR #14569** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Upgraded development test tooling to Vitest v4 and added Playwright browser test integration; normalized test configurations and CI shard matrix. * **Tests** * Added a large suite of new integration tests covering editor flows (edgeless, database, embeds, images, latex, code, clipboard, multi-editor, presentation, undo/redo, etc.). * Removed numerous end-to-end Playwright test suites across the same feature areas. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
DarkSky
|
b5d5b71f95 |
feat(server): improve markdown parse (#14580)
#### PR Dependency Tree * **PR #14580** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Markdown conversion now reports lists of known-unsupported and unknown block identifiers encountered during parsing, and separates them from the main markdown output. * **Bug Fixes** * Improved error handling and logging around markdown parsing. * **Tests** * Updated tests and snapshots to reflect the new block-list fields and the adjusted markdown output. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
renovate[bot]
|
09fa1a8e4e |
chore: bump up dompurify version to v3.3.2 [SECURITY] (#14581)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [dompurify](https://redirect.github.com/cure53/DOMPurify) | [`3.3.0` → `3.3.2`](https://renovatebot.com/diffs/npm/dompurify/3.3.0/3.3.2) |  |  | ### GitHub Vulnerability Alerts #### [CVE-2026-0540](https://nvd.nist.gov/vuln/detail/CVE-2026-0540) DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts. --- ### Release Notes <details> <summary>cure53/DOMPurify (dompurify)</summary> ### [`v3.3.2`](https://redirect.github.com/cure53/DOMPurify/releases/tag/3.3.2): DOMPurify 3.3.2 [Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/3.3.1...3.3.2) - Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters - Fixed a prototype pollution issue when working with custom elements, thanks [@​christos-eth](https://redirect.github.com/christos-eth) - Fixed a lenient config parsing in `_isValidAttribute`, thanks [@​christos-eth](https://redirect.github.com/christos-eth) - Bumped and removed several dependencies, thanks [@​Rotzbua](https://redirect.github.com/Rotzbua) - Fixed the test suite after bumping dependencies, thanks [@​Rotzbua](https://redirect.github.com/Rotzbua) ### [`v3.3.1`](https://redirect.github.com/cure53/DOMPurify/releases/tag/3.3.1): DOMPurify 3.3.1 [Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/3.3.0...3.3.1) - Updated `ADD_FORBID_CONTENTS` setting to extend default list, thanks [@​MariusRumpf](https://redirect.github.com/MariusRumpf) - Updated the ESM import syntax to be more correct, thanks [@​binhpv](https://redirect.github.com/binhpv) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41Ni4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTYuMCIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
congzhou09
|
c249011238 |
fix(editor): note-edgeless-block dimensions mismatch content at non-100% scale (#14577)
### Problem ●In edgeless mode, when the `note-edgeless-block` is scaled below 100%, its outer dimension becomes larger than its content region. This extra invisible region will block some user interactions such as clicks and hovers on editing elements underneath. <img width="1060" height="541" alt="note-elem-block-click" src="https://github.com/user-attachments/assets/860d7a4f-d159-437b-bbe8-4560e2463e3d" /> ●The following video demonstrates this issue: https://github.com/user-attachments/assets/3b719b25-0d7e-496b-9507-6aa65ed0a797 ### Solution ●The root cause is that `transform: scale(...)` CSS property (which implements the scale) is currently applyed to its **inner root element** instead of itself, and the solution is to move this CSS property to the proper place. ### After ●The video below shows the behavior after this fix. https://github.com/user-attachments/assets/e2dbd75d-c2ea-460d-90a1-5cc13e12d5b8 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Centralized CSS scaling for graphics and edgeless note blocks into dedicated public methods; rendering now uses these methods instead of inline transform calculations. * **Tests** * Updated end-to-end checks to read scale directly from the edgeless note element and use a more flexible transform-matching pattern. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
DarkSky
|
7f5f7e79df |
feat(server): refactor mcp (#14579)
#### PR Dependency Tree * **PR #14579** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Full JSON-RPC MCP endpoint with batch requests, per-message validation, method dispatch (initialize, ping, tools/list, tools/call) and request cancellation * Tool listing and execution with input validation, standardized results, and improved error responses * **Chores** * Removed an external protocol dependency * Bumped MCP server version to 1.0.1 <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
DarkSky
|
fff04395bc | chore: update docs | ||
|
renovate[bot]
|
bbc01533d7 |
chore: bump up multer version to v2.1.1 [SECURITY] (#14576)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [multer](https://redirect.github.com/expressjs/multer) | [`2.1.0` →
`2.1.1`](https://renovatebot.com/diffs/npm/multer/2.1.0/2.1.1) |
|
|
### GitHub Vulnerability Alerts
####
[CVE-2026-2359](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc)
### Impact
A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger
a Denial of Service (DoS) by dropping connection during file upload,
potentially causing resource exhaustion.
### Patches
Users should upgrade to `2.1.0`
### Workarounds
None
####
[CVE-2026-3304](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p)
### Impact
A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger
a Denial of Service (DoS) by sending malformed requests, potentially
causing resource exhaustion.
### Patches
Users should upgrade to `2.1.0`
### Workarounds
None
####
[CVE-2026-3520](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2)
### Impact
A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger
a Denial of Service (DoS) by sending malformed requests, potentially
causing stack overflow.
### Patches
Users should upgrade to `2.1.1`
### Workarounds
None
### Resources
-
https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2
- https://www.cve.org/CVERecord?id=CVE-2026-3520
-
|
||
|
congzhou09
|
e31cca3354 |
fix(editor): non-canvas block size/position in embed-edgeless-doc at non-1 zoom (#14074)
### Problem ●Similar to [PR#14015](https://github.com/toeverything/AFFiNE/pull/14015), the container's own scaling factor (`viewScale`) was not taken into account. This time the issue affects **non-canvas blocks** (e.g. `edgeless-note`, `edgeless-image`, and any component extending `GfxBlockComponent`). ●The follwing image and video show the case when zoom is 0.5. <img width="822" height="414" alt="图片" src="https://github.com/user-attachments/assets/cee1cb88-2764-443c-aa7a-0443308b0e29" /> https://github.com/user-attachments/assets/3c744579-16c4-4f10-b421-e0606da1269f ### Solution ●Incorporated `viewScale` into the CSS `translate` calculation for all `GfxBlockComponent` instances. ### Additional Improvement ●Minor refactor: the class returned by `toGfxBlockComponent()` now reuses the original `getCSSTransform()` implementation from `GfxBlockComponent.prototype` via `.call(this)`, eliminating duplicated code. ### After ●The refined is as follows. https://github.com/user-attachments/assets/24de0429-63a3-45a7-9b31-d91a4279e233 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Improved viewport scaling so visual transforms (translation and zoom) correctly account for view scale, yielding more consistent rendering during zoom and pan. * Centralized transform calculation to a shared implementation, reducing duplication and ensuring uniform behavior across views. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
DarkSky
|
11bc333714 | Merge commit '99b07c2ee14dea1383ca6cd63633c3df542f2955' into canary | ||
|
DarkSky
|
99b07c2ee1 | fix: ios marketing version v0.26.4 | ||
|
renovate[bot]
|
fc9b99cd17 |
chore: bump up ava version to v7 (#14563)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [ava](https://avajs.dev) ([source](https://redirect.github.com/avajs/ava)) | [`^6.4.1` → `^7.0.0`](https://renovatebot.com/diffs/npm/ava/6.4.1/7.0.0) |  |  | | [ava](https://avajs.dev) ([source](https://redirect.github.com/avajs/ava)) | [`^6.4.0` → `^7.0.0`](https://renovatebot.com/diffs/npm/ava/6.4.1/7.0.0) |  |  | --- ### Release Notes <details> <summary>avajs/ava (ava)</summary> ### [`v7.0.0`](https://redirect.github.com/avajs/ava/releases/tag/v7.0.0) [Compare Source](https://redirect.github.com/avajs/ava/compare/v6.4.1...v7.0.0) ##### What's Changed - Replace `strip-ansi` with `node:util.stripVTControlCharacters` by [@​fisker](https://redirect.github.com/fisker) in [#​3403](https://redirect.github.com/avajs/ava/pull/3403) - Remove support for Node.js 18 and 23; require 20.19 or newer, 22.20 or newer or 24,12 or newer; update dependencies including transitive `glob` by [@​novemberborn](https://redirect.github.com/novemberborn) in [#​3416](https://redirect.github.com/avajs/ava/pull/3416) **Full Changelog**: <https://github.com/avajs/ava/compare/v6.4.1...v7.0.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40OC4xIiwidXBkYXRlZEluVmVyIjoiNDMuNDguMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
DarkSky
|
2137f68871 |
fix(server): normalize mail server name (#14564)
fix #14562 fix #14226 fix #14192 #### PR Dependency Tree * **PR #14564** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * SMTP and fallback SMTP name now default to empty and will use the system hostname when not set. * HELO hostname resolution includes stricter normalization/validation for more reliable mail handshakes. * **Documentation** * Updated admin and config descriptions to explain hostname/HELO behavior and fallback. * **Tests** * Added tests covering hostname normalization and rejection of invalid HELO values. * **Chores** * Updated example env and ignore rules. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
renovate[bot]
|
75efa854bf |
chore: bump up apple-actions/import-codesign-certs action to v6 (#14561)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [apple-actions/import-codesign-certs](https://redirect.github.com/apple-actions/import-codesign-certs) | action | major | `v5` → `v6` | --- ### Release Notes <details> <summary>apple-actions/import-codesign-certs (apple-actions/import-codesign-certs)</summary> ### [`v6`](https://redirect.github.com/apple-actions/import-codesign-certs/compare/v5...v6) [Compare Source](https://redirect.github.com/apple-actions/import-codesign-certs/compare/v5...v6) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40My4yIiwidXBkYXRlZEluVmVyIjoiNDMuNDMuMiIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
c0139abf79 |
chore: bump up actions/setup-java action to v5 (#14554)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/setup-java](https://redirect.github.com/actions/setup-java) | action | major | `v4` → `v5` | --- ### Release Notes <details> <summary>actions/setup-java (actions/setup-java)</summary> ### [`v5`](https://redirect.github.com/actions/setup-java/compare/v4...v5) [Compare Source](https://redirect.github.com/actions/setup-java/compare/v4...v5) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40My4yIiwidXBkYXRlZEluVmVyIjoiNDMuNDMuMiIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>v2026.3.2-canary.1225 |
||
|
renovate[bot]
|
5a38e765bd |
chore: bump up actions/setup-node action to v6 (#14555)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | major | `v4` → `v6` | --- ### Release Notes <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v6`](https://redirect.github.com/actions/setup-node/compare/v5...v6) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v5...v6) ### [`v5`](https://redirect.github.com/actions/setup-node/compare/v4...v5) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v4...v5) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40My4yIiwidXBkYXRlZEluVmVyIjoiNDMuNDMuMiIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
d3dcdd47ee |
chore: bump up actions/setup-python action to v6 (#14556)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/setup-python](https://redirect.github.com/actions/setup-python) | action | major | `v5` → `v6` | --- ### Release Notes <details> <summary>actions/setup-python (actions/setup-python)</summary> ### [`v6`](https://redirect.github.com/actions/setup-python/compare/v5...v6) [Compare Source](https://redirect.github.com/actions/setup-python/compare/v5...v6) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40My4yIiwidXBkYXRlZEluVmVyIjoiNDMuNDMuMiIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
DarkSky
|
727c9d6d71 | fix: server build env | ||
|
DarkSky
|
274f491e49 | fix: aarch64 build | ||
|
congzhou09
|
478138493a |
fix(editor): invalid caret in note-edgeless-block on focus (#14229)
### Problem ●In edgeless mode, when starting to edit, `note-block` exhibits two types of invalid caret behavior: (1)**Title Region Misalignment**: Clicking on the title region incorrectly generates the caret in the first line of the note content, rather than in the title itself. (2)**Vanishing Caret at Line End**: When clicking in the empty space beyond the end of a text section, the caret appears momentarily at the line's end but disappears immediately. ●The following video demonstrates these issues: https://github.com/user-attachments/assets/db9c2c50-709f-4d32-912c-0f01841d2024 ### Solution ●**Title Click Interception**: Added a check to determine if the click coordinates fall in the title region. If so, the caret positioning is now handled by a dedicated logic path. Otherwise, it falls back to the existing note-content logic as before. ●**Range Normalization**: When the generated `range.startContainer` is not a `TextNode`, try to find a most appropriate `TextNode` and update the `range` accordingly. ### After ●The video below shows the behavior after this fix. https://github.com/user-attachments/assets/b2f70b64-1fc6-4049-8379-8bcf3a488a05 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Clicking a page block title no longer creates unwanted paragraphs and reliably focuses the title. * Paragraph creation now occurs only when needed and focus is applied only after successful creation. * Click coordinates are clamped to container bounds to prevent misplaced cursors or focus. * **Improvements** * Caret normalization: clicks place the caret at the last meaningful text position for consistent single-cursor behavior. * **Tests** * Added end-to-end coverage for caret placement and focus transitions. * New ratio-based click/double-click test utilities and a helper for double-clicking note bodies. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |