mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-07-05 03:25:10 +08:00
207bd9387e07853025df2c272efefebc8bd838e2
11208 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
| | 207bd9387e | fix(docs): redirect links | | |
| | 78a9942f19 | fix: ci | | |
| | 0ccfacbc29 | feat(docs): migrate bs docs | | |
|
|
bf6fc66943 |
chore: bump up postcss version to v8.5.10 [SECURITY] (#14877)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [postcss](https://postcss.org/) ([source](https://redirect.github.com/postcss/postcss)) | [`8.5.6` → `8.5.10`](https://renovatebot.com/diffs/npm/postcss/8.5.6/8.5.10) |  |  | --- ### PostCSS has XSS via Unescaped </style> in its CSS Stringify Output [CVE-2026-41305](https://nvd.nist.gov/vuln/detail/CVE-2026-41305) / [GHSA-qx2v-qp2m-jg93](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93) <details> <summary>More information</summary> #### Details ##### PostCSS: XSS via Unescaped `</style>` in CSS Stringify Output ##### Summary PostCSS v8.5.5 (latest) does not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS. ##### Proof of Concept ```javascript const postcss = require('postcss'); // Parse user CSS and re-stringify for page embedding const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }'; const ast = postcss.parse(userCSS); const output = ast.toResult().css; const html = `<style>${output}</style>`; console.log(html); // <style>body { content: "</style><script>alert(1)</script><style>"; }</style> // // Browser: </style> closes the style tag, <script> executes ``` **Tested output** (Node.js v22, postcss v8.5.5): ``` Input: body { content: "</style><script>alert(1)</script><style>"; } Output: body { content: "</style><script>alert(1)</script><style>"; } Contains </style>: true ``` ##### Impact Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website. 
##### Suggested Fix Escape `</style` in all stringified output values: ```javascript output = output.replace(/<\/(style)/gi, '<\\/$1'); ``` ##### Credits Discovered and reported by [Sunil Kumar](https://tharvid.in) ([@​TharVid](https://redirect.github.com/TharVid)) #### Severity - CVSS Score: 6.1 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` #### References - [https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93](https://redirect.github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93) - [https://nvd.nist.gov/vuln/detail/CVE-2026-41305](https://nvd.nist.gov/vuln/detail/CVE-2026-41305) - [https://github.com/postcss/postcss/releases/tag/8.5.10](https://redirect.github.com/postcss/postcss/releases/tag/8.5.10) - [https://github.com/advisories/GHSA-qx2v-qp2m-jg93](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>postcss/postcss (postcss)</summary> ### [`v8.5.10`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8510) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.9...8.5.10) - Fixed XSS via unescaped `</style>` in non-bundler cases (by [@​TharVid](https://redirect.github.com/TharVid)). ### [`v8.5.9`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#859) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.8...8.5.9) - Speed up source map encoding paring in case of the error. ### [`v8.5.8`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#858) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.7...8.5.8) - Fixed `Processor#version`. 
### [`v8.5.7`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#857) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.6...8.5.7) - Improved source map annotation cleaning performance (by CodeAnt AI). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
df482c9cf2 |
chore: bump up uuid version to v14 [SECURITY] (#14870)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [uuid](https://redirect.github.com/uuidjs/uuid) | [`^13.0.0` → `^14.0.0`](https://renovatebot.com/diffs/npm/uuid/13.0.0/14.0.0) |  |  | --- ### uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided [GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq) <details> <summary>More information</summary> #### Details ##### Summary `v3`, `v5`, and `v6` accept external output buffers but do not reject out-of-range writes (small `buf` or large `offset`). By contrast, `v4`, `v1`, and `v7` explicitly throw `RangeError` on invalid bounds. This inconsistency allows **silent partial writes** into caller-provided buffers. ##### Affected code - `src/v35.ts` (`v3`/`v5` path) writes `buf[offset + i]` without bounds validation. - `src/v6.ts` writes `buf[offset + i]` without bounds validation. ##### Reproducible PoC ```bash cd /home/StrawHat/uuid npm ci npm run build node --input-type=module -e " import {v4,v5,v6} from './dist-node/index.js'; const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8'; for (const [name,fn] of [ ['v4',()=>v4({},new Uint8Array(8),4)], ['v5',()=>v5('x',ns,new Uint8Array(8),4)], ['v6',()=>v6({},new Uint8Array(8),4)], ]) { try { fn(); console.log(name,'NO_THROW'); } catch(e){ console.log(name,'THREW',e.name); } }" ``` Observed: - `v4 THREW RangeError` - `v5 NO_THROW` - `v6 NO_THROW` Example partial overwrite evidence captured during audit: ```text same true buf [ 170, 170, 170, 170, 75, 224, 100, 63 ] v6 [ 187, 187, 187, 187, 31, 19, 185, 64 ] ``` ##### Security impact - **Primary**: integrity/robustness issue (silent partial output). - If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error. 
- In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw. ##### Suggested fix Add the same guard used by `v4`/`v1`/`v7`: ```ts if (offset < 0 || offset + 16 > buf.length) { throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`); } ``` Apply to: - `src/v35.ts` (covers `v3` and `v5`) - `src/v6.ts` #### Severity - CVSS Score: 6.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq) - [https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34](https://redirect.github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34) - [https://github.com/uuidjs/uuid/releases/tag/v14.0.0](https://redirect.github.com/uuidjs/uuid/releases/tag/v14.0.0) - [https://github.com/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>uuidjs/uuid (uuid)</summary> ### [`v14.0.0`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1400-2026-04-19) [Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v13.0.0...v14.0.0) ##### Security - Fixes [GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq): `v3()`, `v5()`, and `v6()` did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid `offset` was provided. A `RangeError` is now thrown if `offset < 0` or `offset + 16 > buf.length`. 
##### ⚠ BREAKING CHANGES - `crypto` is now expected to be globally defined (requires node\@20+) ([#935](https://redirect.github.com/uuidjs/uuid/issues/935)) - drop node\@18 support ([#934](https://redirect.github.com/uuidjs/uuid/issues/934)) - upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years </details> --- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
2caf3c86f8 |
fix(editor): prevent popMenu overflow on constrained viewports (#14827)
Fixes #14722 ## Summary `popMenu()` in `blocksuite/affine/components/src/context-menu/menu-renderer.ts` uses `autoPlacement` + `offset` in its default middleware, but no `shift()` — so when `autoPlacement` picks a placement that would overflow the viewport (e.g. database column menu opening near the top of a short viewport), the menu stays overflowing and top items get clipped above the viewport. ## Fix Add `shift({ padding: 8 })` to the default middleware chain. This matches the behavior of the sibling helper `createPopup()` in the same file, which already includes `shift()` in its defaults. ## Reproducing (as reported in #14722) Viewport ~879×461 (Chrome, macOS). Create a database block near the top of the viewport → click a column name → menu opens upward and the top items ("Rename", "Filter") get clipped above the viewport. ## Summary by CodeRabbit * **Bug Fixes** * Enhanced context menu positioning on desktop to provide better alignment and spacing adjustments near screen boundaries. |
||
|
|
557b1e4dfc |
chore: bump up eslint-plugin-oxlint version to v1.60.0 (#14853)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint-plugin-oxlint](https://redirect.github.com/oxc-project/eslint-plugin-oxlint) | [`1.58.0` → `1.60.0`](https://renovatebot.com/diffs/npm/eslint-plugin-oxlint/1.58.0/1.60.0) |  |  | --- ### Release Notes <details> <summary>oxc-project/eslint-plugin-oxlint (eslint-plugin-oxlint)</summary> ### [`v1.60.0`](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/releases/tag/v1.60.0) [Compare Source](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/compare/v1.59.0...v1.60.0) *No significant changes* ##### [View changes on GitHub](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/compare/v1.59.0...v1.60.0) ### [`v1.59.0`](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/releases/tag/v1.59.0) [Compare Source](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/compare/v1.58.0...v1.59.0) *No significant changes* ##### [View changes on GitHub](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/compare/v1.58.0...v1.59.0) </details> --- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
cc79fa3c6d |
chore: bump up opentelemetry (#14844)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@opentelemetry/api](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/api) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`1.9.0` → `1.9.1`](https://renovatebot.com/diffs/npm/@opentelemetry%2fapi/1.9.0/1.9.1) |  |  | | [@opentelemetry/core](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-core) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fcore/2.6.0/2.7.0) |  |  | | [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.213.0` → `^0.215.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.213.0/0.215.0) |  |  | | [@opentelemetry/exporter-zipkin](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-exporter-zipkin) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-zipkin/2.6.0/2.7.0) |  |  | | [@opentelemetry/instrumentation](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.213.0` → `^0.215.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation/0.213.0/0.215.0) |  |  | | [@opentelemetry/instrumentation-graphql](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-graphql#readme) 
([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-graphql)) | [`^0.61.0` → `^0.63.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-graphql/0.61.0/0.63.0) |  |  | | [@opentelemetry/instrumentation-http](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.213.0` → `^0.215.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-http/0.213.0/0.215.0) |  |  | | [@opentelemetry/instrumentation-ioredis](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-ioredis#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-ioredis)) | [`^0.61.0` → `^0.63.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-ioredis/0.61.0/0.63.0) |  |  | | [@opentelemetry/instrumentation-nestjs-core](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-nestjs-core#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-nestjs-core)) | [`^0.59.0` → `^0.61.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-nestjs-core/0.59.0/0.61.0) |  |  | | [@opentelemetry/instrumentation-socket.io](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-socket.io#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-socket.io)) | [`^0.60.0` → `^0.62.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-socket.io/0.60.0/0.62.0) |  |  | | [@opentelemetry/resources](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-resources) 
([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fresources/2.6.0/2.7.0) |  |  | | [@opentelemetry/sdk-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/sdk-metrics) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-metrics/2.6.0/2.7.0) |  |  | | [@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.213.0` → `^0.215.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.213.0/0.215.0) |  |  | | [@opentelemetry/sdk-trace-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-sdk-trace-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-trace-node/2.6.0/2.7.0) |  |  | --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-js (@​opentelemetry/api)</summary> ### [`v1.9.1`](https://redirect.github.com/open-telemetry/opentelemetry-js/blob/HEAD/CHANGELOG.md#191) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/v1.9.0...v1.9.1) ##### 🐛 (Bug Fix) - fix: avoid grpc types dependency [#​3551](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3551) [@​flarna](https://redirect.github.com/flarna) - fix(otlp-proto-exporter-base): Match Accept header with Content-Type in the proto exporter [#​3562](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3562) [@​scheler](https://redirect.github.com/scheler) - fix: include tracestate in export [#​3569](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3569) 
[@​flarna](https://redirect.github.com/flarna) ##### 🏠 (Internal) - chore: fix cross project links and missing implicitly exported types [#​3533](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3533) [@​legendecas](https://redirect.github.com/legendecas) - feat(sdk-metrics): add exponential histogram mapping functions [#​3504](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3504) [@​mwear](https://redirect.github.com/mwear) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-graphql)</summary> ### [`v0.63.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-graphql/CHANGELOG.md#0630-2026-04-17) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/ed97091c9890dd18e52759f2ea98e9d7593b3ae4...bd017c86bcdf369d7bc1b490e455f95b25385779) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3479](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3479)) ([8891261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/8891261cb590efcb661bd9f8afec4d1adf885ad8)) ### [`v0.62.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-graphql/CHANGELOG.md#0620-2026-03-25) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/39f08c313dc4d929c110ab7c43771c3cdbf8aa4c...ed97091c9890dd18e52759f2ea98e9d7593b3ae4) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3450](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3450)) ([c8df394](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c8df394f02d68ae48a79a50258682c09dac13b8b)) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-ioredis)</summary> ### 
[`v0.63.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-ioredis/CHANGELOG.md#0630-2026-04-17) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/ed97091c9890dd18e52759f2ea98e9d7593b3ae4...bd017c86bcdf369d7bc1b490e455f95b25385779) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3479](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3479)) ([8891261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/8891261cb590efcb661bd9f8afec4d1adf885ad8)) ##### Bug Fixes - **redis-common:** expand redaction to include ACL, CONFIG, PSETEX, GETSET ([#​3472](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3472)) ([39193ca](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/39193cac4124eedc9e8fa5ae16ba960b5ab7a36b)) ##### Dependencies - The following workspace dependencies were updated - dependencies - [@​opentelemetry/redis-common](https://redirect.github.com/opentelemetry/redis-common) bumped from ^0.38.2 to ^0.38.3 - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.61.0 to ^0.62.0 ### [`v0.62.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-ioredis/CHANGELOG.md#0620-2026-03-25) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/39f08c313dc4d929c110ab7c43771c3cdbf8aa4c...ed97091c9890dd18e52759f2ea98e9d7593b3ae4) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3450](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3450)) ([c8df394](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c8df394f02d68ae48a79a50258682c09dac13b8b)) ##### Dependencies - The following workspace dependencies were updated - 
devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.60.0 to ^0.61.0 </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-nestjs-core)</summary> ### [`v0.61.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-nestjs-core/CHANGELOG.md#0610-2026-04-17) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/ed97091c9890dd18e52759f2ea98e9d7593b3ae4...bd017c86bcdf369d7bc1b490e455f95b25385779) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3479](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3479)) ([8891261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/8891261cb590efcb661bd9f8afec4d1adf885ad8)) ### [`v0.60.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-nestjs-core/CHANGELOG.md#0600-2026-03-25) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/39f08c313dc4d929c110ab7c43771c3cdbf8aa4c...ed97091c9890dd18e52759f2ea98e9d7593b3ae4) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3450](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3450)) ([c8df394](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c8df394f02d68ae48a79a50258682c09dac13b8b)) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-socket.io)</summary> ### [`v0.62.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0620-2026-04-17) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/ed97091c9890dd18e52759f2ea98e9d7593b3ae4...bd017c86bcdf369d7bc1b490e455f95b25385779) ##### 
Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3479](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3479)) ([8891261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/8891261cb590efcb661bd9f8afec4d1adf885ad8)) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.61.0 to ^0.62.0 ### [`v0.61.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0610-2026-03-25) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/39f08c313dc4d929c110ab7c43771c3cdbf8aa4c...ed97091c9890dd18e52759f2ea98e9d7593b3ae4) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3450](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3450)) ([c8df394](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c8df394f02d68ae48a79a50258682c09dac13b8b)) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.60.0 to ^0.61.0 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. 
--- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
3428ac478e |
chore: split i18n and bs-docs dirty checks in typecheck workflow (#14849)
## Summary Split generated-file validation in the `typecheck` workflow so i18n outputs and BS docs outputs are checked separately. This fixes a misleading CI failure message: previously, CI could fail due to i18n-generated changes like `packages/frontend/i18n/src/i18n.gen.ts`, but only suggested running `yarn typecheck && yarn affine bs-docs build`, which does not regenerate those files. ## Changes - validate i18n-generated changes immediately after `yarn affine @affine/i18n build` - keep ignoring `packages/frontend/i18n/src/i18n-completenesses.json` in CI as before - leave `yarn typecheck` as a separate step - make the BS docs step only check for changes introduced by `yarn affine bs-docs build` ## Result CI now gives the correct remediation command depending on which generated files are out of date: - i18n issues: `yarn affine @affine/i18n build` - docs/typecheck issues: `yarn typecheck && yarn affine bs-docs build` ## Testing - verified the updated workflow YAML parses successfully ## Summary by CodeRabbit * **Chores** * Enhanced build validation for internationalization code generation to ensure generated changes are properly committed before proceeding. The validation now occurs immediately after code generation runs, providing faster feedback during the build process. |
||
|
|
0009f91d2a |
feat(editor): add "Copy as Markdown" option in context & export menus (#14705)
- Allow users to select text and copy it as Markdown via the context menu - Add "Copy as Markdown" under Export menu to copy entire document to clipboard Fixes #12983 ## Summary by CodeRabbit * **New Features** * Added "Copy as Markdown" to the toolbar clipboard More menu for selected content. * Added "Copy as Markdown" to the page export menu to copy entire pages as Markdown. * **Behavior** * Export flow now returns success/failure so the UI shows a dedicated success or error notification for clipboard exports. * **Localization** * Added strings for "Copy as Markdown" and "Copied as Markdown". --------- Co-authored-by: Whitewater <me@waterwater.moe> Co-authored-by: lawvs <18554747+lawvs@users.noreply.github.com> |
||
|
|
f7d0f1d5ae |
chore: bump up Node.js to v22.22.2 (#14836)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [node](https://nodejs.org) ([source](https://redirect.github.com/nodejs/node)) | patch | `22.22.1` → `22.22.2` | --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v22.22.2`](https://redirect.github.com/nodejs/node/compare/v22.22.1...v22.22.2) [Compare Source](https://redirect.github.com/nodejs/node/compare/v22.22.1...v22.22.2) </details> --- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
0849b342fa |
chore: bump up dompurify version to v3.4.0 [SECURITY] (#14833)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [dompurify](https://redirect.github.com/cure53/DOMPurify) | [`3.3.3` → `3.4.0`](https://renovatebot.com/diffs/npm/dompurify/3.3.3/3.4.0) |  |  | ### GitHub Vulnerability Alerts #### [GHSA-39q2-94rc-95cp](https://redirect.github.com/cure53/DOMPurify/security/advisories/GHSA-39q2-94rc-95cp) ## Summary In `src/purify.ts:1117-1123`, `ADD_TAGS` as a function (via `EXTRA_ELEMENT_HANDLING.tagCheck`) bypasses `FORBID_TAGS` due to short-circuit evaluation. The condition: ``` !(tagCheck(tagName)) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) ``` When `tagCheck(tagName)` returns `true`, the entire condition is `false` and the element is kept — `FORBID_TAGS[tagName]` is never evaluated. ## Inconsistency This contradicts the attribute-side pattern at line 1214 where `FORBID_ATTR` explicitly wins first: ``` if (FORBID_ATTR[lcName]) { continue; } ``` For tags, FORBID should also take precedence over ADD. ## Impact Applications using both `ADD_TAGS` as a function and `FORBID_TAGS` simultaneously get unexpected behavior — forbidden tags are allowed through. Config-dependent but a genuine logic inconsistency. 
## Suggested Fix Check `FORBID_TAGS` before `tagCheck`: ``` if (FORBID_TAGS[tagName]) { /* remove */ } else if (tagCheck(tagName) || ALLOWED_TAGS[tagName]) { /* keep */ } ``` ## Affected Version v3.3.3 (commit 883ac15) ##### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N` --- ### Release Notes <details> <summary>cure53/DOMPurify (dompurify)</summary> ### [`v3.4.0`](https://redirect.github.com/cure53/DOMPurify/releases/tag/3.4.0): DOMPurify 3.4.0 [Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/3.3.3...3.4.0) **Most relevant changes:** - Fixed a problem with `FORBID_TAGS` not winning over `ADD_TAGS`, thanks [@kodareef5](https://redirect.github.com/kodareef5) - Fixed several minor problems and typos regarding MathML attributes, thanks [@DavidOliver](https://redirect.github.com/DavidOliver) - Fixed `ADD_ATTR`/`ADD_TAGS` function leaking into subsequent array-based calls, thanks [@1Jesper1](https://redirect.github.com/1Jesper1) - Fixed a missing `SAFE_FOR_TEMPLATES` scrub in `RETURN_DOM` path, thanks [@bencalif](https://redirect.github.com/bencalif) - Fixed a prototype pollution via `CUSTOM_ELEMENT_HANDLING`, thanks [@trace37labs](https://redirect.github.com/trace37labs) - Fixed an issue with `ADD_TAGS` function form bypassing `FORBID_TAGS`, thanks [@eddieran](https://redirect.github.com/eddieran) - Fixed an issue with `ADD_ATTR` predicates skipping URI validation, thanks [@christos-eth](https://redirect.github.com/christos-eth) - Fixed an issue with `USE_PROFILES` prototype pollution, thanks [@christos-eth](https://redirect.github.com/christos-eth) - Fixed an issue leading to possible mXSS via Re-Contextualization, thanks [@researchatfluidattacks](https://redirect.github.com/researchatfluidattacks) and others - Fixed a problem with the type definition patcher after Node version bump - Fixed freezing BS runs by reducing the tested browsers array - Bumped several 
dependencies where possible - Added needed files for OpenSSF scorecard checks **Published Advisories are here:** <https://github.com/cure53/DOMPurify/security/advisories?state=published> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
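The short-circuit described in GHSA-39q2-94rc-95cp above, as an added example that is not part of the commit message or DOMPurify's code: a simplified model of the two decision orders, plus a helper that lists which `FORBID_TAGS` entries the pre-fix condition would keep. The function names and the sample configuration are constructed for illustration.

```javascript
// Simplified model of the tag decision described in the advisory.
// Not DOMPurify source: function names and sample config are constructed.

// Build a lookup table from a list of tag names (lowercased).
function toLookup(tags) {
  // No prototype, so names like "constructor" are never accidental hits.
  const table = Object.create(null);
  for (const t of tags) table[String(t).toLowerCase()] = true;
  return table;
}

// Pre-fix order quoted in the advisory. The element is removed only if
//   !(tagCheck(tagName)) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName])
// so a true tagCheck() short-circuits before FORBID_TAGS is consulted.
function shouldRemoveBeforeFix(tagName, cfg) {
  return !cfg.tagCheck(tagName) &&
    (!cfg.ALLOWED_TAGS[tagName] || Boolean(cfg.FORBID_TAGS[tagName]));
}

// Suggested order: FORBID_TAGS wins first, then tagCheck / ALLOWED_TAGS.
function shouldRemoveAfterFix(tagName, cfg) {
  if (cfg.FORBID_TAGS[tagName]) return true;
  return !(cfg.tagCheck(tagName) || cfg.ALLOWED_TAGS[tagName]);
}

// Config audit: forbidden tags that the pre-fix logic would still keep.
// An empty result means this configuration was not affected.
function forbiddenTagsKeptBeforeFix(cfg) {
  return Object.keys(cfg.FORBID_TAGS)
    .filter((tag) => !shouldRemoveBeforeFix(tag, cfg))
    .sort();
}

// Side-by-side decisions for a list of tags under both orders.
function compareDecisions(tags, cfg) {
  return tags.map((tag) => ({
    tag,
    removedBeforeFix: shouldRemoveBeforeFix(tag, cfg),
    removedAfterFix: shouldRemoveAfterFix(tag, cfg),
  }));
}

// Constructed sample configuration: ADD_TAGS in function form admits any
// custom element, while FORBID_TAGS names one custom element explicitly.
const sampleConfig = {
  ALLOWED_TAGS: toLookup(['p', 'b', 'a', 'iframe']),
  FORBID_TAGS: toLookup(['iframe', 'style', 'x-widget']),
  tagCheck: (tagName) => tagName.includes('-'),
};

console.log(forbiddenTagsKeptBeforeFix(sampleConfig));
console.log(compareDecisions(['p', 'iframe', 'x-widget', 'x-other'], sampleConfig));
```

Only forbidden tags that the `ADD_TAGS` predicate also accepts change behaviour between the two orders, which is why the advisory calls the issue config-dependent.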
|
|
dc3b95c886 |
chore: bump up Rust crate rand to v0.9.3 [SECURITY] (#14832)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [rand](https://rust-random.github.io/book) ([source](https://redirect.github.com/rust-random/rand)) | dependencies | patch | `0.9.1` → `0.9.3` | | [rand](https://rust-random.github.io/book) ([source](https://redirect.github.com/rust-random/rand)) | workspace.dependencies | patch | `0.9.2` → `0.9.3` | ### GitHub Vulnerability Alerts #### [GHSA-cq8v-f236-94qc](https://redirect.github.com/rust-random/rand/pull/1763) It has been reported (by @​lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met: - The `log` and `thread_rng` features are enabled - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng` - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data) - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict. Affected versions of `rand` are `>= 0.7, < 0.9.3` and `0.10.0`. 
##### Severity Low --- ### Release Notes <details> <summary>rust-random/rand (rand)</summary> ### [`v0.9.3`](https://redirect.github.com/rust-random/rand/compare/0.9.2...0.9.3) [Compare Source](https://redirect.github.com/rust-random/rand/compare/0.9.2...0.9.3) ### [`v0.9.2`](https://redirect.github.com/rust-random/rand/blob/HEAD/CHANGELOG.md#092---2025-07-20) [Compare Source](https://redirect.github.com/rust-random/rand/compare/0.9.1...0.9.2) ##### Deprecated - Deprecate `rand::rngs::mock` module and `StepRng` generator ([#1634](https://redirect.github.com/rust-random/rand/issues/1634)) ##### Additions - Enable `WeightedIndex<usize>` (de)serialization ([#1646](https://redirect.github.com/rust-random/rand/issues/1646)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
1d66e7e8ca |
fix(editor): allow hyperlink clicks in locked edgeless text blocks (#14829)
Fixes #14673 ## Summary When an edgeless text block is locked, `pointer-events: none` on the inner content div (`edgeless-text-block.ts:308`) blocks all mouse interaction — including clicking hyperlinks. Locking is intended to prevent accidental edits, not to block navigation, so links should remain clickable. ## Fix Apply a `locked-content` class on the inner div when the block is locked and not being edited, and add a targeted CSS rule restoring `pointer-events: auto` on anchor elements within locked content. ## Context Re-implements the fix from PR #14692 (authored by @moktamd, reverted per @darkskygit's comment on #14673 because the original contributor had not signed the CLA). The CLA is signed for this PR. ## Test plan - [ ] On edgeless canvas, create a text block with a hyperlink (e.g. `[link](https://affine.pro)`) - [ ] Lock the block via the shape toolbar - [ ] Hover the link → cursor shows pointer - [ ] Click the link → navigation occurs - [ ] Unlock and confirm editing still works as before <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Links within locked text blocks are now interactive and clickable with proper visual cursor feedback. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
c5b0057778 |
fix(core): resolve remaining untranslated doc title case in detail page header (#14820)
fix #14735 This PR fixes a remaining desktop case related to #14467. The previous fix resolved incorrect translation in navigation panels, but the detail page header tab title was still passing custom document titles through `i18n.t()`, causing user-defined titles to be unexpectedly translated. ### Results https://github.com/user-attachments/assets/4abad3b9-d5d7-442f-b643-6d9ea63fa741 After: <img width="2100" height="1722" alt="After" src="https://github.com/user-attachments/assets/0770eae2-e5c5-4816-8d53-e40a4b52800c" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Updated page title retrieval mechanism in workspace detail page headers. The title is now sourced directly from the document display metadata service instead of using the previous derivation method. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
a109f069b0 | chore: bump deps | ||
|
|
0b4d25f332 | chore: improve test stability | ||
|
|
c6a99eb9cb |
chore: bump deps (#14810)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated developer tooling dependencies used for local testing to newer patch versions for improved stability. * Bumped backend framework and related packages to newer patch releases to address fixes and maintain compatibility. * No functional or public API changes; updates are non-breaking dependency version bumps. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
77657a697b | feat(mobile): improve notify for login failed | ||
|
|
eb953c0565 |
fix(android): route OAuth deep link to correct server's AuthService (#14809)
Porting over iOS fix for self-hosted SSO to Android from #11563. Fixes #12819 Tested on own instance using Authentik. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Android authentication now supports an optional server parameter in the callback URL, enabling sign-in against different server instances. * If the specified server cannot be found, the authentication attempt is halted and an error is reported. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> |
||
|
|
77c0b2ef47 |
fix: prevent IME preedit overflow in mind map node editor (#14520)
## Summary Update the edgeless shape text editor to resize mind map node text bounds while IME composition is in progress. ## Changes - listen to `compositionupdate` on the inline editor container - trigger `_updateElementWH()` on `compositionupdate` and `compositionend` - keep text box dimensions in sync before composition is committed ## Testing - Not run locally: `pnpm` is not available in this environment, so package build/tests could not be executed here. Fixes #11515 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Editor mounting tolerates missing/null elements and validates input to avoid errors. * Text creation/update consistently targets the refreshed element to prevent mismatches. * Inline editor listens for IME composition events and schedules layout/size recalculation (with proper cleanup) so sizing stays in sync. * **Tests** * Added an integration test verifying layout/size updates during IME composition events. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> Co-authored-by: DarkSky <darksky2048@gmail.com> |
||
|
|
7138fea9db | fix: test stability | ||
|
|
156cfc7e76 |
fix(core): improve table header sorting logic in processTable function (#14797)
Bug Resolved #14795 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Made row and column sorting deterministic when items share the same order value, reducing unexpected cell shifts. * Adjusted comparator behavior to preserve tied-order grouping, which may change displayed column/row sequence in edge cases. * Improved consistency of table rendering and cell placement across refreshes and edits. <!-- end of auto-generated comment: release notes by coderabbit.ai --> v2026.4.7-canary.925 |
||
|
|
2ca4973167 |
fix(editor): make repeated "Cancel line number" clicks work in code blocks (#14804)
Fixes #13555 https://github.com/user-attachments/assets/12e55c21-080c-4c69-9780-893ccad25b45 ## Summary - make the code block More popup reactive to `wrap` and `lineNumber` prop updates - read the latest toggle state at click time so same-menu double toggles do not reuse stale closures - add e2e coverage for wrap and line number toggling twice without closing the More menu ## Bug Reason - the code block More popup was rendered as a static portal, so it stayed open without re-rendering after the first toggle - the `Cancel line number` and `Wrap` menu actions captured render-time state in their click handlers - after the first click updated the model, a second click in the same open menu reused stale state and wrote the same value again, so nothing changed visually ## Testing - yarn workspace @affine-test/blocksuite test e2e/code/crud.spec.ts <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Menu toggles now read and update the current wrap and line-number states reliably. * **Refactor** * Replaced inline popup rendering with a dedicated more-menu component for the code toolbar. * **Style** * Prevented text selection on menu action elements for smoother interaction. * **Tests** * Added e2e tests for wrap and line-number toggle flows. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
a1ae7d11a3 | feat(core): add integration panel test | ||
|
|
f41bc2d5c3 |
fix(editor): restore grouped manual ordering for kanban and arrange (#14630)
Fixes #14531, where manual vertical order is broken [Root Cause](https://github.com/toeverything/AFFiNE/issues/14531#issuecomment-4052422436) - Restored manual row/card sorting when building grouped kanban data. - Reapplied `sortRow(...)` to each group before rendering `group.rows`. - Fixed group/board arrange to reorder from the full group list, including hidden or empty groups. - Preserved consistent ordering between the settings panel and persisted `groupProperties`. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Consolidated internal grouping and sorting logic to ensure consistent ordering across grouped views; visible behavior unchanged. * Moving groups or cards now uses a single, consistent ordering approach to avoid intermittent ordering differences. * **Tests** * Added tests to verify manual per-group card order is applied and preserved when moving cards between groups. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: DarkSky <darksky2048@gmail.com> |
||
|
|
e3391c0577 |
feat: redirect account click & OAuth to Calendar settings (#14693)
### PR Description * clicking a linked calendar account now switches settings to Workspace Integrations and opens the Calendar settings directly * calendar OAuth returns now land on Workspace Integrations with the Calendar settings opened instead of the homepage * Improves UX by reducing friction when managing calendar integrations https://www.loom.com/share/49fa5c448ce049659877beb42d7bd81a <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Calendar integration settings can now be opened automatically (including from OAuth redirects) and workspace settings support a scroll-to-anchor. * Integration account rows are now clickable for quick access to settings. * **Improvements** * Enhanced visual feedback with interactive hover and focus states for integration controls. * **Tests** * Added tests covering the OAuth redirect behavior and workspace settings scroll/open handling. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: DarkSky <darksky2048@gmail.com> |
||
|
|
5806ad8a3a |
fix(server): online and storage statistics (#14792)
#### PR Dependency Tree * **PR #14792** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Admin dashboard returns more accurate sync and storage timelines with carry‑forwarded minute buckets and corrected current totals. * **Bug Fixes** * Active-user flushes are debounced/scheduled to prevent overlapping writes and reduce stale counts. * Snapshot writes now retry and will skip gracefully when lock contention prevents completion, avoiding partial snapshots. * **Tests** * New e2e tests cover carry‑forward behavior, no backfill outside requested windows, and storage history accuracy. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
193ec14ad3 | feat(server): synthetic root doc (#14794) v2026.4.6-canary.929 | ||
|
|
64149d909a | feat: follow publish mode if no params | ||
|
|
f81abe692d |
fix(core): shared page mode syncing (#14756)
### Summary This fixes a few inconsistencies in shared page behavior: fixes https://github.com/toeverything/AFFiNE/issues/14751 - shared pages now open in the correct published mode when the URL does not already include ?mode=... - switching between page and edgeless in shared mode now keeps the URL query param in sync - the default Copy Link action now follows the current editor mode - shared viewers can toggle between page and edgeless mode in readonly share pages --- ### What Changed - updated shared page mode resolution to prefer URL mode, with backend publish mode as fallback - added query-param syncing for shared page mode changes - made the default share link copy use: - page link in page mode - edgeless link in edgeless mode - allowed EditorModeSwitch to toggle both ways in shared mode - extracted shared-mode behavior into small hooks to keep share-page.tsx cleaner --- ### Demo https://www.loom.com/share/a287172321fb4fc5b94f7c67a39298a9 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Mode switching between page and edgeless no longer blocked by shared gating; shared pages initialize and respect the resolved editor mode. * Shared page URLs stay in sync with editor mode and copy-link actions include/preserve the selected mode. * **Tests** * Added tests for publish-mode resolution, query-string mode handling, and default share-mode behavior. * **Bug Fixes** * Updated shared-page “not found” UI text to match new messaging. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
|
aa48c1c18b |
fix: audio waveform clipping in horizontal card view (#14789)
Fixes #13399 ### Issue When viewing an audio attachment card in horizontal view, the waveform was being clipped and not fully visible. In vertical view it displayed correctly. ### Fix - `audio-waveform` and `progressContainer` flex children were missing `minWidth: 0` and `flex: 1`, causing container overflow - `.affine-attachment-container` had a fixed height with `overflow: hidden` that cut off the waveform row ### Screenshot Verification **Before** <img width="1661" height="935" alt="image" src="https://github.com/user-attachments/assets/b2f0908b-94fe-4869-bdfb-cc6a757e703d" /> **After** <img width="750" height="182" alt="image" src="https://github.com/user-attachments/assets/63caac69-f37b-4894-80de-806b691581c8" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit **New Features** - Introduced audio embed card functionality allowing users to embed and display audio content directly in documents with standardized dimensions and improved responsive layout styling for better visual presentation and integration. **Improvements** - Enhanced styling and layout handling for audio player components to ensure proper display and optimal rendering in various container sizes and space constraints. <!-- end of auto-generated comment: release notes by coderabbit.ai -->v2026.4.5-canary.916 |
||
|
|
3219b82827 |
fix(core): hotkey option+cmd+c for Code Block (#14790)
This PR fixes #14755 bug <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Fixed keyboard shortcut handling to properly distinguish between locale input characters and actual shortcuts when using Alt+Meta key combinations. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
b0cc2fd389 |
feat(editor): improve dated doc creation (#14791)
#### PR Dependency Tree * **PR #14791** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) |
||
|
|
558400b7db |
feat: add auto-date titles for new documents (#14716)
## Summary Adds an Editor setting to automatically title blank new documents with the current date. fixes https://github.com/toeverything/AFFiNE/issues/14709 https://www.loom.com/share/953b4eafcfb247839e977dca6f457229 ## What Changed - Added `Auto-title new docs with current date` under Editor settings - Added `New doc date format`, shown only when auto-title is enabled - Supported formats: - `DD-MM-YYYY` - `MM-DD-YYYY` - `YYYY-MM-DD` - `Journal style (localized)` - Kept titles unique by appending duplicate-style suffixes: - `2026-03-24` - `2026-03-24(2)` - `2026-03-24(3)` ## Behavior - Only applies to blank new docs - Does not override explicitly provided titles - Uses the existing journal-style localized formatter for the localized option ## Implementation Notes - Extended editor setting schema with: - `autoTitleNewDocWithCurrentDate` - `newDocDateTitleFormat` - Added a helper for generating unique date-based titles - Wired title generation into doc creation middleware - Synced created titles into doc metadata so uniqueness works consistently ## Tests - Added unit coverage for: - date title formatting - duplicate suffix generation - doc creation middleware behavior - settings UI behavior <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * General settings: toggle to auto-insert current date into new document titles; selectable formats: DD-MM-YYYY, MM-DD-YYYY, YYYY-MM-DD, and localized "journal". Date-format chooser appears only when enabled. * **Behavior** * Blank new-docs are auto-populated per chosen format; user-provided titles are preserved. Auto-generated titles avoid collisions by appending incrementing suffixes. * **Localization** * Added translations for the setting, description, format chooser, and all format labels. * **Tests** * Added UI and unit tests covering formatting, uniqueness, middleware behavior, and interaction. 
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
fc5329a1be |
fix(server): skip watch for external cal (#14788)
#### PR Dependency Tree * **PR #14788** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Calendar subscriptions now gracefully fall back to polling when push notifications aren’t supported, keeping syncs working. * Affected subscriptions have webhook details cleared and are marked with a long-lived expiration to avoid repeated webhook attempts. * Prevents repeated retries for unsupported push channels, reducing unnecessary errors and retries. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
547ab47a5e | chore: improve ci (#14787) | ||
|
|
fee0cfa3f4 |
chore: bump deps (#14785)
#### PR Dependency Tree * **PR #14785** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated error-tracking SDK versions across frontend packages. * Upgraded Electron build toolchain and front-end build plugins for improved compatibility. * Replaced a SWC-based React plugin with the standard React Vite plugin. * Removed unused development dependencies from CLI tooling. * Bumped a Rust workspace dependency to a patch release. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
ffc27af3ba |
fix(server): update version check (#14784)
fix #14780 #### PR Dependency Tree * **PR #14784** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **Bug Fixes** * Improved upgrade availability detection to properly compare semantic versions, including support for prerelease and canary versions. The system now accurately identifies when new versions are available, ensuring users receive timely update notifications. * **Tests** * Added comprehensive unit tests for version comparison and upgrade detection functionality. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
d975bf46fb |
feat(server): improve calendar sync queue (#14783)
#### PR Dependency Tree * **PR #14783** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Configurable request timeout for calendar integrations. * Calendar polling now enqueues per-subscription sync jobs (larger batch) for improved throughput. * **Bug Fixes / Improvements** * Persisted next-sync timestamps and retry counts for more reliable scheduling and retry behavior. * Exponential backoff and webhook renewal now update scheduling consistently. * **Refactor** * Calendar sync flow moved to a job-queue-driven design for better concurrency and observability. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
bfcf7fc2ba |
fix: close docs bulk toolbar after delete (#14711)
### Before https://www.loom.com/share/a626b23f29cb4a48b33d721341d734f8 ### After https://www.loom.com/share/0c88ef4f92ac470fbb76608e2de43fa7 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Fixed floating toolbar remaining visible after deleting multiple documents via the confirmation dialog so it reliably closes when deletion completes. * **Tests** * Added end-to-end checks to verify the floating toolbar is dismissed after multi-item and “select all” deletions. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
|
5a6c65085a |
feat(mobile): adapt new endpoint (#14778)
#### PR Dependency Tree * **PR #14778** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) |
||
|
|
4be0cba9b5 |
chore(server): db health check (#14779)
#### PR Dependency Tree * **PR #14779** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Added conditional init checks to service deployments and jobs to wait for the database proxy before starting * Exposed a new health port (9801) for the database proxy to enable readiness probing * **Tests** * Minor test reordering and formatting changes (no behavioral changes) <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
afea9121cf |
fix: save column header edits when pressing Enter (#14775)
## The Fix Fixes #14744. Updated the menu input Enter key behavior so that pressing Enter now saves the edited database column header name and closes the menu immediately. This reuses the existing `blur()` save flow, keeping the behavior consistent with clicking outside the input. The Tab key behavior remains unchanged and still saves through the existing blur flow. ## Video Demonstration ### After https://github.com/user-attachments/assets/820a7c41-cae5-477c-8b65-b0667e0ce82b <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved keyboard handling in context menu input to properly blur the input field when pressing Enter, ensuring cleaner interaction behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
3912d8d74d | fix: lint | ||
|
|
d3ec008b0c |
chore: bump deps (#14777)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Migration and config commands now feature interactive prompts for required inputs. * **Bug Fixes** * Enhanced error handling in CLI operations. * **Chores** * Updated GraphQL Code Generator toolchain to v6. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
d0607b5ce7 |
chore(i18n): improve RU translate (#14718)
improve RU translate <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Improvements** * Enhanced Russian language support across the application. * Updated messaging for self-hosted installations and workspace licensing. * Added Russian text for document analytics UI, including metrics and viewer information. * Added Russian text for workspace sharing controls and calendar integration features. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
8ca3f2d53d |
fix(core): settings i18n refresh (#14760)
replace #14758 #### PR Dependency Tree * **PR #14760** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Enhanced language switching to ensure the settings dialog properly reflects language changes when users update their language preference. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
0da32d61ae |
fix(server): race condition for sync (#14770)
#### PR Dependency Tree * **PR #14770** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **New Features** * Implemented batch processing for calendar synchronization to improve performance and resource utilization. * Added distributed locking to prevent concurrent operations in multi-instance environments. * **Bug Fixes** * Improved reliability by preventing duplicate synchronization attempts. * **Tests** * Enhanced test coverage for batch processing and locking mechanisms. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
233004f867 | chore: bump oxlint & enable more supported rules (#14769) |